How to Choose a Firewall that Supports SD-WAN for Secure Connectivity
Introduction
I’ve been at this a long time—long enough to be able to recall when networking consisted of tackling clunky multiplexers to serve voice and data on PSTN. Long enough to have had the Slammer worm ruin my weekend in 2003. (If you know, you know.)
And now it’s 2024, and firewalls have to do so much more than block bad traffic. If you’re a business still corralled by the view that your old-school firewall is all you need, we need to have a chat.
What is SD-WAN?
SD-WAN (Software-Defined Wide Area Networking) is the result of finally acknowledging that old-school MPLS lines have become too pricey and too inflexible for today’s networking requirements. Simply put:
- It routes traffic intelligently according to priority, application type, and security policy: each path is measured for latency, jitter and loss against a per-application SLA, and traffic is steered away from links that fall out of spec.
- It can run over any kind of connection: MPLS, broadband, LTE, even Starlink if you really want.
- It can cut latency and improve application performance, but only as far as the best available path allows. It picks paths; it does not make a slow link fast.
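The steering logic above is easier to see in code. The following is an added example, not code from the original article or from any SD-WAN product: a small model of application-aware path selection in which every candidate path must first satisfy the application's security policy (encrypted overlay, inspected by the firewall) before SLA and latency are even considered. The paths, SLA thresholds and policy table are constructed for illustration.

```python
"""Application-aware SD-WAN path steering with a security gate (added example).

All paths, SLA thresholds and policies below are constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Path:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    encrypted: bool   # True = IPsec overlay tunnel, False = raw direct-internet breakout
    inspected: bool   # True = traffic passes through the NGFW inspection profiles


# Per-application SLA targets (constructed thresholds).
SLA = {
    "voip":    {"latency_ms": 150, "jitter_ms": 30,  "loss_pct": 1.0},
    "finance": {"latency_ms": 300, "jitter_ms": 50,  "loss_pct": 2.0},
    "bulk":    {"latency_ms": 1000, "jitter_ms": 200, "loss_pct": 5.0},
}

# Per-application security requirements (constructed policy).
POLICY = {
    "voip":    {"encrypted": True,  "inspected": False},
    "finance": {"encrypted": True,  "inspected": True},
    "bulk":    {"encrypted": False, "inspected": True},
}

# Constructed path measurements: the raw internet breakout is the fastest link,
# but it is neither encrypted nor inspected.
PATHS = [
    Path("mpls",            latency_ms=40,  jitter_ms=5,  loss_pct=0.1, encrypted=True,  inspected=True),
    Path("broadband_ipsec", latency_ms=60,  jitter_ms=15, loss_pct=0.5, encrypted=True,  inspected=True),
    Path("lte_ipsec",       latency_ms=120, jitter_ms=40, loss_pct=1.5, encrypted=True,  inspected=False),
    Path("direct_internet", latency_ms=25,  jitter_ms=8,  loss_pct=0.2, encrypted=False, inspected=False),
]


def meets_sla(path, sla):
    """True if every measured metric is within the application's SLA."""
    return (path.latency_ms <= sla["latency_ms"]
            and path.jitter_ms <= sla["jitter_ms"]
            and path.loss_pct <= sla["loss_pct"])


def allowed_by_policy(path, policy):
    """Security gate: a required property must be present on the path."""
    if policy["encrypted"] and not path.encrypted:
        return False
    if policy["inspected"] and not path.inspected:
        return False
    return True


def select_path(app, paths):
    """Pick a path for `app`.

    1. Discard paths the security policy forbids (fail closed: return None if
       nothing is left, rather than falling back to an uninspected link).
    2. Among the survivors, prefer those meeting the SLA.
    3. Break ties on lowest latency.
    """
    candidates = [p for p in paths if allowed_by_policy(p, POLICY[app])]
    if not candidates:
        return None
    in_sla = [p for p in candidates if meets_sla(p, SLA[app])]
    pool = in_sla or candidates          # degrade gracefully if nothing meets SLA
    return min(pool, key=lambda p: p.latency_ms)


def with_degraded(paths, name, **metrics):
    """Return a copy of `paths` with one link's measurements changed (simulates a brownout)."""
    return [replace(p, **metrics) if p.name == name else p for p in paths]


if __name__ == "__main__":
    for app in SLA:
        chosen = select_path(app, PATHS)
        print(f"{app:8s} -> {chosen.name if chosen else 'NO COMPLIANT PATH'}")
    degraded = with_degraded(PATHS, "mpls", loss_pct=3.0)
    print("voip after MPLS brownout ->", select_path("voip", degraded).name)
```

Note that `direct_internet` is never chosen for any of the three classes even though it has the lowest latency: the security gate runs before the SLA comparison. That ordering is the whole point of the next section; if the SD-WAN layer steers purely on performance, the fastest path wins regardless of whether anything is inspecting it.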
But what really interests me, the security guy, isn’t so much its efficiency—it’s the inherent built-in security capabilities (and, ahem, its lack thereof, more below).
How SD-WAN Provides Network Security Benefits
I’ve also witnessed too many businesses get on the SD-WAN train without considering the security risks. And that’s how breaches happen.
By itself, an SD-WAN setup is not secure. The overlay usually encrypts its tunnels, but encryption in transit is not inspection. If your SD-WAN solution has no integrated next-gen firewall, business-critical traffic is crossing the internet with no threat inspection and no policy enforcement on what it carries.
Security problems I’ve witnessed with bad SD-WAN installations:
- No deep packet inspection (DPI): the traffic gets routed faster, but you have no visibility into what is inside it.
- No built-in threat intelligence: you have no visibility into changing attack patterns or known-bad destinations.
- VPN tunnels without zero-trust enforcement: an encrypted tunnel that implicitly trusts every host on the far side just extends a flat network across the WAN. You may as well leave the front door wide open.
And here's the thing: your SD-WAN requires an enterprise-grade firewall. The difference between a secure network and an open invitation to an attacker is a next-generation firewall (NGFW) that integrates with the SD-WAN.
How to Select a Firewall with SD-WAN
So the real question: how do you choose a firewall that genuinely supports SD-WAN and secures your network at the same time? Here's what I say to my clients:
1. Do Not Only Trust Built-in SD-WAN Security
Some vendors will tout built-in SD-WAN security as the answer to that problem. It isn't, unless that security actually includes:
- IPS/IDS (Intrusion Prevention/Detection System)
- SSL/TLS decryption: most traffic is encrypted now, and an IPS that cannot see inside TLS is inspecting headers, not payloads. Decrypt selectively (exempt categories you cannot lawfully or safely intercept, such as banking and healthcare) rather than not at all.
- Protection against application-level threats: blocking at Layer 7 (application control, web filtering, malware scanning) and not just on ports and IP addresses.
2. Turn on Unified Security Posture Across Your Network
Integrate your SD-WAN firewall into your business's overall security framework. If your firewall is not enforcing:
- A zero-trust model: access decided by identity and device posture, not by the fact that a packet arrived over a trusted tunnel
- DNS security: filtering and logging DNS so command-and-control and phishing domains are blocked before a connection is ever made
- Live threat intelligence
Then you're not really safe.
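Both of the checklists above (sections 1 and 2) come down to the same audit: for every policy that forwards traffic, is the full set of inspection profiles attached, is the TLS inspection actually decrypting, and is the rule scoped more tightly than any/any? The following is an added example, not code from the original article or from any vendor's product: a policy-table audit over a constructed sample, with profile names chosen to look like a typical NGFW export but not taken from any real configuration.

```python
"""Audit an NGFW/SD-WAN policy table for the controls the article lists (added example).

SAMPLE_POLICIES is constructed data modelled loosely on a firewall policy export;
profile names such as "deep-inspection" are illustrative, not product-specific.
"""

# Inspection profiles every forwarding policy should carry (section 1 and 2 of the article).
REQUIRED_PROFILES = ("ips", "ssl_inspection", "app_control", "dns_filter")

SAMPLE_POLICIES = [
    {"id": 1, "name": "branch-to-dc", "src": ["10.10.0.0/16"], "dst": ["10.0.0.0/8"],
     "service": ["HTTPS", "SMB"], "action": "accept",
     "profiles": {"ips": "default", "ssl_inspection": "deep-inspection",
                  "app_control": "default", "dns_filter": "default"}},
    {"id": 2, "name": "guest-internet", "src": ["all"], "dst": ["all"],
     "service": ["ALL"], "action": "accept",
     "profiles": {}},
    {"id": 3, "name": "finance-saas", "src": ["10.20.5.0/24"], "dst": ["saas-finance"],
     "service": ["HTTPS"], "action": "accept",
     "profiles": {"ips": "default", "ssl_inspection": "certificate-inspection",
                  "app_control": "default"}},
    {"id": 4, "name": "implicit-deny", "src": ["all"], "dst": ["all"],
     "service": ["ALL"], "action": "deny",
     "profiles": {}},
]


def audit_policy(policy):
    """Return a list of findings for one policy; empty list means it passes."""
    findings = []
    if policy["action"] != "accept":
        return findings                      # deny rules need no inspection profiles

    for name in REQUIRED_PROFILES:
        if name not in policy["profiles"]:
            findings.append(f"missing {name} profile")

    # Certificate-only inspection validates the server cert but never decrypts the
    # session, so IPS and application control are blind to the payload.
    if policy["profiles"].get("ssl_inspection") == "certificate-inspection":
        findings.append("ssl_inspection is certificate-only: payload not decrypted")

    # any/any/any accept is the opposite of zero trust: no segmentation at all.
    if "all" in policy["src"] and "all" in policy["dst"] and "ALL" in policy["service"]:
        findings.append("any/any/any accept: no least-privilege scoping")

    return findings


def audit(policies):
    """Map policy id -> findings for every policy that has at least one finding."""
    report = {}
    for policy in policies:
        findings = audit_policy(policy)
        if findings:
            report[policy["id"]] = findings
    return report


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_POLICIES).items():
        print(f"policy {pid}:")
        for f in findings:
            print(f"  - {f}")
```

Run this against a real export and the interesting result is usually policy 3, not policy 2: the rule looks fully protected in the GUI because an SSL profile is attached, but certificate-only inspection means the IPS never sees decrypted HTTPS to the finance SaaS. The any/any guest rule is obvious; the half-configured one is the kind that survives audits.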
3. Think About Centralized Management and Automation
And trust me, doing security by hand across multiple branches is a nightmare at scale. So look for a firewall that offers centralized management and automation, so security policies stay consistent across the whole enterprise environment, every location included.
4. Is it a Performance vs. Security Trade-Off? No Thanks.
Many firewalls that advertise SD-WAN support offer it at the cost of throughput. That means when you finally activate all the security features (sandboxing, threat detection, deep packet inspection), your network performance takes a nosedive. Judge a box on its throughput with every inspection feature enabled, not on the headline firewall-only number.
Your firewall should deliver:
- Security at speed: no big drop in throughput once inspection is switched on.
- WAN optimization built in.
- Scalability: no use in buying a firewall that crumbles when your traffic doubles.
Fortinet SD-WAN Firewalls from PJ Networks
Here at PJ Networks, I’ve assisted three banks in transforming their legacy firewalls into zero-trust architectures with Fortinet SD-WAN Firewalls—and for good reason.
Here’s why we are recommending Fortinet’s SD-WAN-enabled firewalls:
- Traffic steering—application aware and latency-sensitive.
- Built-in next-gen security: IPS, SSL decryption, sandboxing—no separate security appliances needed.
- Very efficient: designed for SD-WAN traffic without sacrificing performance.
- Zero-trust enforcement: strong enough to meet the compliance requirements we faced with those banks.
I’ve just returned from DefCon, and the main topic of conversations was how enterprises should combine SD-WAN with a true zero trust model. Fortinet’s been ahead of this curve for some time—which is why it’s one of our favorite recommendations.
Short Take: Guidelines for Choosing an SD-WAN Firewall
If you don't have time for the whole thing, here's the short version:
- Your SD-WAN should include a next-gen firewall, not just basic security.
- Look for integrated threat intelligence, deep packet inspection, and zero-trust enforcement.
- There should be no performance penalty when security features are enabled.
- For multi-branch setups, centralized management is a basic requirement.
- Fortinet's SD-WAN-enabled firewalls are among the top options currently available.
Conclusion
SD-WAN is a big win for networking, but only if you secure it. I have seen companies install SD-WAN and treat it as a security solution on its own. How does that turn out? Messy, vulnerable networks.
Your choice of firewall matters. Choosing an SD-WAN without an enterprise-grade security firewall is akin to upgrading your car’s engine while not having brakes.
So—get it right. The security of your business depends on it.
And if you need help getting it right? That's what we're here for at PJ Networks.