A software-defined wide area network (SD-WAN) connects local area networks (LANs) across large distances using controlling software that works with a variety of networking hardware.
After reading this article you will be able to:
Copy article link
A wide area network (WAN) is a network that connects local area networks (LANs) across long distances. Large organizations often use a WAN to connect their various branch offices and locations to the central corporate network. In traditional WANs, the software that defines how traffic flows in the network is tightly integrated with the hardware that actually directs the traffic. Typically this software/hardware combination is purchased from a single networking vendor.
A software-defined WAN (SD-WAN) is a more flexible WAN architecture that can take advantage of multiple hardware platforms and connectivity options. The controlling software works with any networking hardware. An organization can set up an SD-WAN using off-the-shelf hardware rather than specialized hardware. This makes SD-WANs cheaper, more flexible, and more scalable than traditional WANs.
Think about the difference between a desktop computer that runs a proprietary operating system and a desktop computer that runs an operating system that works with a variety of computers, for instance Linux. For the first desktop computer, the software and the hardware are tightly integrated. The operating system and the hardware on which it runs must be purchased together. In contrast, Linux operating systems can run on many types of desktop computers from various vendors. Someone who wants a computer that runs Linux can choose from a wide range of computers, from cheaper models to expensive high-end gaming computers, or they can build their own computer from off-the-shelf hardware components.
While the pros and cons associated with this choice in desktop computers are not related to the pros and cons associated with traditional WANs versus SD-WANs, a similar principle applies: as with Linux operating systems, SD-WAN software is decoupled from the underlying hardware, giving organizations more choices for what hardware they will use.
SD-WANs are made possible by separating the control plane from the data plane. In networking, the control plane refers to all elements that direct where data goes. The data plane forwards data as directed by the control plane.
Historically, the control plane and the data plane were coupled tightly using vendor-specific hardware appliances. SD-WANs separate the software-based control plane from the hardware-based data plane, enabling routing to occur in software that runs on commodity hardware rather than in specialized hardware routers.
Software-defined networking (SDN) refers to a category of technologies that make it possible to manage a network and adjust network topology via software. SD-WANs are one of the ways that the principles of SDN can be applied. All SD-WANs use SDN; not all networks constructed with SDN are SD-WANs.
Network-as-a-service (NaaS) is a model in which networking services are purchased from a cloud provider, as opposed to an organization configuring their own network.
For NaaS, an organization only needs Internet connectivity to configure and use their internal network. Depending on how the service is configured, NaaS may offer greater flexibility and more cost savings compared to SD-WANs, just as other cloud service models like SaaS and IaaS do compared to traditional on-premise computing.
Cloudflare Magic WAN is one example of the NaaS model. Magic WAN is designed to replace hardware appliances and expensive, proprietary circuits with the Cloudflare global network. Learn more about Magic WAN, or about NaaS.
With potentially multiple connectivity methods used in an SD-WAN, traffic may flow in directions not anticipated by traditional security measures that assume they are placed on the edge of a network and are defending that network's perimeter. SD-WAN implementations may also increase the attack surface due to using a wider range of hardware and wider types of connections involved.
For these reasons, traditional security measures may be ill-suited to defend SD-WANs against attacks. Zero Trust security, in contrast, is designed to verify legitimate traffic and block malicious traffic no matter its origin. Zero Trust security requires strict identity verification for anything trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. While classic IT network security trusts anything inside the network, a Zero Trust architecture implicitly trusts no one.
An SD-WAN and Zero Trust integration is therefore often desirable for organizations that want flexible connectivity combined with strict security. Rather than knitting together two disparate solutions, ideally an SD-WAN provider natively includes Zero Trust security measures. Learn how such a deployment works.
About the Network Layer
Learning Center Navigation