While software-defined WAN is currently the hot technology in the IT networking field, not everyone can take advantage of it. IPsec tunnels and dynamic multipoint virtual private networks, or DMVPNs, still have a place in the enterprise in 2018 and will continue to be viable options for years to come.
That said, IT leaders should figure out which remote connectivity options are optimal for each individual use case. Let's look at SD-WAN vs. DMVPN vs. IPsec tunnels and go over the pros and cons of each.
SD-WAN is touted as a cost-saving technology for connecting to remote sites that require ultra-reliable connectivity for low-latency and business-critical applications. SD-WAN requires two or more methods of connectivity between locations. This connectivity commonly consists of MPLS, internet broadband or both. The goal is to stretch the use of lower-cost connectivity, while meeting the same latency and throughput requirements.
So, if you have remote sites that require low-latency connectivity, yet can benefit from WAN connectivity cost savings, SD-WAN might be a good fit. Keep in mind, however, that SD-WAN often requires specialized hardware, software and licensing to operate.
DMVPN can be thought of as an evolution of the standard IPsec tunnel. While IPsec VPN tunnels are hardcoded and essentially nailed-up between two locations, DMVPN builds tunnels between locations as needed. DMVPN tunnels are designed as a mesh network, as opposed to hub and spoke. That means DMVPN can take a direct route from one remote site to another when transporting data, as opposed to being forced to route traffic through a hub location first.
This type of WAN design is ideal when you want to build transport efficiencies between remote locations, yet don't truly need the low-latency advancements found in SD-WAN. Note, however, that DMVPN uses dynamic routing protocols as its routing mechanism. Dynamic routing protocols can cause serious security and reliability risks when not managed properly. As a result, it's not advisable to build DMVPN tunnels to networks you don't fully manage.
IPsec VPN tunnels used to dominate remote site connectivity. Because network managers could build tunnels across low-cost broadband internet links, IPsec tunnels were incredibly cheap compared to private WAN connectivity options like MPLS. They're also easy to set up, and nearly everyone can acquire the capability to build an IPsec tunnel, since even low-cost firewalls and routers support it.
Technologies like DMVPN and SD-WAN are taking over remote site connectivity because they provide more efficient paths and lower latency between locations -- as long as you control both sides of the WAN. If you need to connect your network to untrusted or temporary locations, however, IPsec tunnels are still the way to go. This includes connectivity from your corporate network to third-party vendors and infrastructure-as-a-service and platform-as-a-service cloud providers, for example. IPsec tunnels are universal, and you can build one to virtually anywhere. The same cannot be said for DMVPN or SD-WAN.