
SD-WAN vs. VPN: How do they compare?

When it comes to comparing SD-WAN vs. VPN services, enterprises choosing between the technologies should consider factors like cost, cloud usage and application awareness.

With software-defined WAN sometimes marketed as an upgraded version of a virtual private network over the internet, many IT teams wonder about the fundamental differences and similarities of SD-WAN vs. VPN services.

While the preferred connectivity option for SD-WAN platforms is indeed based on the internet -- or public IP, to be specific -- the technology is connectivity-agnostic. SD-WAN marketing teams might want users to believe internet connectivity is the primary option for SD-WAN, but the original concept for software-based networks was -- and still is -- to support multiple interfaces.

In order to choose the right option for their organizations, enterprise IT teams are looking to cut through the hype surrounding SD-WAN by comparing all aspects of SD-WAN vs. VPN.

A look at VPNs

For decades, the fundamental mission of basic IPsec VPN has been to drop packets that aren't from authenticated endpoints. All traffic between endpoints is encrypted at the highest level, which forms the basis of a VPN over the internet. VPNs can be simple and cost-effective, but they can also be problematic in terms of guaranteeing network performance.

Figure: How VPN works. Traffic is encrypted as it passes from point A to point B.

At their most basic level, VPNs can prioritize applications and traffic before they are encrypted. The value in doing so is limited, however. Once traffic travels within an encrypted tunnel, it cannot be prioritized from the provider network perspective, as the header is encrypted and can't be viewed. What's left is a best-effort network that supports traffic at a reasonable performance level.

A typical VPN is fine for small businesses running their operations over a single IP backbone. For larger businesses with multiple locations, however, an IPsec VPN often causes issues with voice and video applications due to high latency or congestion on the network.

Below are some of the pros and cons of VPNs that enterprises should consider when evaluating SD-WAN vs. VPN:

  • Standard VPNs offer simple WAN using an authenticated tunnel and encryption.
  • VPN services are simple, generally low cost and easy to deploy.
  • Delay-sensitive applications require more functionality than VPN offers with encryption and authentication.
  • Cloud-based services require internet connectivity with optimization and advanced next-generation security, which VPNs can't always provide.

A look at SD-WAN

SD-WAN technology starts to make sense once enterprises adopt and rely on cloud services or require application awareness, remote access and granular security. While SD-WAN doesn't have end-to-end quality of service (QoS) like a Layer 3 MPLS VPN, SD-WAN meets the challenge by providing the capability to sense network conditions and locally prioritize applications. SD-WAN's local QoS is far more advanced than basic internet VPN services due to its granular level of support, as well as capabilities like caching or application acceleration.

When organizations require cloud services, they should consider security and application awareness. SD-WAN appliances and clients are typically more comprehensive in terms of feature sets that align with current working practices, like working from home, coffee shops or hotels. With SD-WAN's increased control, IT teams or providers can restrict and secure traffic based on user profile and traffic types.

In many cases, simplified self-management with easy-to-use GUIs is driving SD-WAN adoption. While traditional Cisco IOS VPN configuration required expertise and accreditation, SD-WAN configuration is based on the point-and-click approach.

The promise of SD-WAN is to support any type of network connectivity, from MPLS to virtual private LAN service (VPLS) and, of course, internet VPN. With SD-WAN's application-based routing capabilities, it can make use of multiple paths, like internet, 4G or MPLS. Currently, though, it still costs less to deploy simple IPsec devices to create standard VPN connectivity.
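The path-selection behaviour sketched above (sense conditions on each transport, then steer each application onto a path that meets its local SLA) can be made concrete with a small model. The following is an added illustration written for this page, not code from any SD-WAN product; the application SLA thresholds, the cost ranking of the transports and the probe measurements are all constructed.

```python
"""Toy SD-WAN per-application path selector.

Added illustration, not vendor code. Each transport (MPLS, internet, LTE) is
assumed to be probed for latency, jitter and loss; each application class has
constructed SLA thresholds. The selector picks the cheapest path that meets
the SLA and falls back to the lowest-latency path (best effort) when none does.
"""
from dataclasses import dataclass


@dataclass
class PathStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_rank: int  # 1 = cheapest; constructed ranking for the example


# Constructed per-application SLAs. Voice is delay- and jitter-sensitive,
# video is a little more tolerant, bulk backup only cares about loss.
APP_SLA = {
    "voice": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "video": {"latency_ms": 200, "jitter_ms": 50, "loss_pct": 2.0},
    "backup": {"latency_ms": None, "jitter_ms": None, "loss_pct": 5.0},
}


def meets_sla(path, sla):
    """True when every bounded metric of the path is within the SLA limit."""
    for metric, limit in sla.items():
        if limit is not None and getattr(path, metric) > limit:
            return False
    return True


def select_path(app, paths):
    """Cheapest SLA-compliant path for `app`; lowest latency as best-effort fallback."""
    eligible = [p for p in paths if meets_sla(p, APP_SLA[app])]
    if eligible:
        return min(eligible, key=lambda p: p.cost_rank).name
    return min(paths, key=lambda p: p.latency_ms).name


def build_forwarding_table(paths):
    """Application -> transport mapping for the current probe results."""
    return {app: select_path(app, paths) for app in APP_SLA}


# Constructed probe results: a normal day...
SAMPLE_PATHS = [
    PathStats("mpls", latency_ms=40, jitter_ms=2, loss_pct=0.0, cost_rank=3),
    PathStats("internet", latency_ms=60, jitter_ms=35, loss_pct=0.5, cost_rank=1),
    PathStats("lte", latency_ms=90, jitter_ms=45, loss_pct=1.5, cost_rank=2),
]

# ...and the same site while the internet circuit is dropping 6% of packets.
DEGRADED_PATHS = [
    PathStats("mpls", latency_ms=40, jitter_ms=2, loss_pct=0.0, cost_rank=3),
    PathStats("internet", latency_ms=60, jitter_ms=35, loss_pct=6.0, cost_rank=1),
    PathStats("lte", latency_ms=90, jitter_ms=45, loss_pct=1.5, cost_rank=2),
]

if __name__ == "__main__":
    print("normal:  ", build_forwarding_table(SAMPLE_PATHS))
    print("degraded:", build_forwarding_table(DEGRADED_PATHS))
```

With the normal probe set, voice is kept on MPLS because the cheaper internet circuit exceeds the 30 ms jitter bound, while video and backup ride the internet path; once the internet circuit starts losing packets, video and backup move to LTE without any change to the voice decision. That per-transport, per-application steering is exactly the local (not end-to-end) QoS the article contrasts with MPLS.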

Figure: SD-WAN architecture. SD-WAN can use multiple types of connectivity.

In the meantime, SD-WAN appliances and clients will offer everything in one basic, easy-to-use capability. The original promise of SD-WAN will start to become reality when every device or client is simply a fast conduit to a centralized management server. In other words, businesses will be able to consume the most basic SD-WAN services or the more complex elements -- depending on their overall need or on a site-by-site basis -- essentially using cloud network functions virtualization capability.

SD-WAN technology isn't quite there yet, as the majority of providers are pushing cost savings by using low-cost internet connectivity with hardware that is still programmable on an individual basis. It does take configuration from a server, though.

The disadvantages of SD-WAN

While it might appear difficult to pinpoint any SD-WAN disadvantages with such a significantly rich technology, it does have its share of drawbacks that may be helpful to consider.

  1. Using the internet as WAN connectivity can lengthen fix times and lower service levels. Jumping from MPLS to an internet-based WAN with SD-WAN is often a shock when issues occur, such as an outage. The corporate network operation centers responsible for MPLS provisioning and ongoing support have significant expertise and response service levels. I'm not suggesting every internet provider will offer decreased levels of support, but IT teams should consider service-level agreement (SLA) requirements and determine how to support the business should a major problem occur.
  2. Using multiple internet providers will create an unpredictable environment. Many SD-WAN providers advocate the use of multiple ISP backbones to save money. This strategy makes sense until your business encounters latency and jitter issues across applications due to traffic routing across multiple service providers. With national deployments, multiple ISPs may not be an issue, but global enterprise customers should think carefully about deploying their WAN using the lowest-cost providers within their region.
  3. No end-to-end QoS. One of the key drivers behind MPLS is end-to-end QoS. SD-WAN counters MPLS with sophisticated path selection, application segregation sensing and granular local prioritization. The fact remains, though, MPLS is still the only option to maintain an application SLA on an end-to-end basis. The result is often a per-application SLA, which can be delivered back to the business.
  4. Cost savings are not always achievable. Whether or not you achieve SD-WAN cost savings is dependent on several factors, but perhaps the most significant is connectivity. Within the U.K., for example, the cost of internet is somewhat comparable to MPLS, which could result in an overall higher commercial model when sophisticated SD-WAN appliances and services are added to the connectivity. The U.S. market is different, as internet often comes at a much lower cost when compared with MPLS. IT teams need to commercially analyze the market within each country.
  5. Researching SD-WAN providers is often a significant task. One of the downsides when selecting an SD-WAN provider is the significant amount of marketing noise that often results in a difficult decision-making process. Many providers and vendors promote significant cost-saving benefits and advanced features, making it difficult for enterprises to gain the clarity required to conduct comparison.

The differences between SD-WAN and VPN

The main difference between a standard IPsec VPN and SD-WAN is firmly based within the features of software-defined networking (SDN), upon which SD-WAN technology is based. SDN consolidates options into a single platform available as hardware, virtualized or client access. Likewise, SD-WAN is a collection of different aspects of WAN features consolidated into a single platform with ease of management.

VPN offers authenticated WAN security between two or more endpoints to secure headquarter and branch office communication. End-to-end VPN encryption is only a small component of overall security, as IT teams are responsible for supporting users with remote cloud-based working, partners, productivity applications and more.

Both ends of the VPN transport need to secure traffic, reduce access based on permissions, conduct WAN optimization and select the best path. Standard VPNs generally don't include the intelligence that can route traffic based on the best path with optimization and security. That said, some enterprises still need to deploy VPN services without SD-WAN functionality, like for temporary office deployments or locations that have simple requirements.

Does SD-WAN replace VPN?

Enterprises replace VPN with SD-WAN due to business needs or when they see a clear benefit for adoption. Many enterprises find that SD-WAN offers significantly more than the WAN connectivity associated with MPLS or IPsec VPN.

SD-WAN has the capability to manage and report both on the network and user level, which enables enterprises to support and facilitate application access via a single interface in a way that isn't possible with vanilla VPN services. SD-WAN can also consolidate the LAN, WAN, users, security and application performance into a single platform, which results in business transformation and not just another VPN service.

Although SD-WAN can act as a savior for these larger networks, enterprises still face end-to-end traffic concerns, especially on an international basis. So, why would a business select an IPsec VPN instead of SD-WAN?

Essentially, enterprises comparing SD-WAN vs. VPN should base their decisions on a sound alignment of business processes, applications and strategy. In basic terms, they should consider the following questions:

  • Does your business need to guarantee application performance, or is best effort acceptable?
  • Does your business use the cloud and support remote, unsecured networks?
  • Does your business want to manage its own WAN?

For businesses looking to implement cost-effective, best-effort VPN services, using a traditional VPN appliance with a simplified feature set, a simple router or client with IPsec functionality is acceptable. The cost of deploying such a service is typically minimal. Some companies deploy VPN services with broadband for less than $100 per month.

SD-WAN vs. VPNs: How to decide

While it's difficult to predict the future, businesses will no doubt look for the best network performance, security and flexibility for relatively low cost.

The objective of SD-WAN is to take business elements and map them into business enablement. With SD-WAN, the network becomes more granular, enabling better reporting, security and application performance. Unlike a standard internet VPN, SD-WAN can sense network conditions to ensure a predictable level of performance, no matter where clients connect.

When comparing SD-WAN vs. VPN over the internet, SD-WAN is far more comprehensive. SD-WAN technology has the potential to enable basic internet VPNs and to terminate global MPLS and VPLS networks.

But when considering any networking technology, enterprises need to be wary of marketing hype that can lead them down a path of buying SD-WAN with the wrap of a particular service provider offering, which can lack key components.

As IT teams move forward, technology acceleration and product features will continue, ultimately resulting in simple VPNs becoming a thing of the past. Enterprises will need to secure and treat application traffic with a more focused approach to avoid hacking threats or poor application performance -- all of which affect business.

This was last published in September 2019

What would drive your organization to replace VPN services with SD-WAN?
Robert,
I understand where you're coming from and also the motivation to adopt SD-WAN compared to traditional IPSec based VPNs.

However, I want to raise a point regarding QoS markings for packets that are to be encrypted.

For the majority of QoS designs, classification is performed based on DSCP markings in the ToS byte of the IP packet. However, when an IP packet is encrypted through IPSec, the original ToS byte values also are encrypted and, thus, unusable by QoS mechanisms that process the packet (post encryption).

To overcome this predicament, the IPSec protocol standards inherently have provisioned the capability to preserve the ToS byte information of the original IP header by copying it to the IP headers added by the tunneling and encryption process.

If it's GRE-over-IPSec, the original IP ToS byte values are copied initially to the IP header added by the GRE encapsulation. Then these values are copied again to the IP header added by IPSec encryption.

This process compensates for the fact that the original IP header (including the ToS byte) is actually unreadable (because of encryption) and allows the packet to be processed by (post encryption) QoS mechanisms in the same manner as any other packet.

Additionally, this process underscores the importance of ensuring that the encrypted traffic is marked properly (at Layer 3) before encryption.

Saying all this, I do understand that if the ISP queues any kind of internet traffic coming from the site into a best effort queue, copying of all these markings is pointless, but some providers offering business internet do value these markings.

Regards
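The ToS-copying behaviour the comment above describes, and the article's earlier point that a provider cannot classify traffic whose header is hidden inside the tunnel, can be shown with a small header-level model. This is an added example written for this page, not code from the commenter, the article or any IPsec implementation: it builds real 20-byte IPv4 headers (RFC 791, DSCP per RFC 2474) but stands in for ESP encryption with a simple XOR scramble, which is enough to show that a downstream classifier can only read the outer header. The addresses, key and payload are constructed.

```python
"""Model of ToS/DSCP preservation across IPsec tunnel mode and GRE-over-IPsec.

Added illustration. The IPv4 header layout is real; "encryption" is an XOR
stand-in that only serves to make the inner header unreadable downstream.
"""
import struct

PROTO_UDP = 17
PROTO_GRE = 47
PROTO_ESP = 50
DSCP_EF = 46  # Expedited Forwarding, the usual voice marking


def build_ipv4_header(src, dst, proto, payload_len, tos=0, ttl=64):
    """Minimal 20-byte IPv4 header. Checksum left at zero; nothing here checks it."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len,
                       0, 0, ttl, proto, 0, bytes(src), bytes(dst))


def tos_of(packet):
    return packet[1]


def dscp_of(packet):
    """DSCP is the upper six bits of the ToS byte (RFC 2474)."""
    return tos_of(packet) >> 2


def gre_encapsulate(inner, src, dst):
    """GRE: 4-byte GRE header (no flags, protocol type 0x0800) behind a new
    outer IP header whose ToS is copied from the inner header."""
    body = struct.pack("!HH", 0, 0x0800) + inner
    return build_ipv4_header(src, dst, PROTO_GRE, len(body), tos_of(inner)) + body


def esp_tunnel(inner, src, dst, key, copy_tos=True):
    """IPsec tunnel-mode stand-in: the whole inner packet becomes an opaque
    payload behind a new outer header. copy_tos=True models the ToS-preserving
    behaviour the comment describes; False models an outer header left at 0."""
    opaque = bytes(b ^ key[i % len(key)] for i, b in enumerate(inner))  # stand-in, not ESP
    tos = tos_of(inner) if copy_tos else 0
    return build_ipv4_header(src, dst, PROTO_ESP, len(opaque), tos) + opaque


def gre_over_ipsec(inner, src, dst, key):
    """ToS is copied twice: inner header -> GRE outer header -> ESP outer header."""
    return esp_tunnel(gre_encapsulate(inner, src, dst), src, dst, key)


def classify(packet):
    """Post-encryption QoS classifier: it can only read the outermost header."""
    dscp = dscp_of(packet)
    if dscp == DSCP_EF:
        return "priority"
    if dscp in (26, 34):  # AF31 / AF41 assured-forwarding classes
        return "assured"
    return "best_effort"


# Constructed sample: an EF-marked voice packet between two private hosts,
# tunnelled between constructed gateway addresses from the documentation ranges.
PAYLOAD = b"rtp-payload"
VOICE_PACKET = build_ipv4_header(bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]),
                                 PROTO_UDP, len(PAYLOAD), tos=DSCP_EF << 2) + PAYLOAD
GW_A = bytes([203, 0, 113, 1])
GW_B = bytes([198, 51, 100, 1])
DEMO_KEY = b"constructed-key"


def demo():
    """How the same voice packet is classified after each encapsulation."""
    return {
        "plain": classify(VOICE_PACKET),
        "esp_with_copy": classify(esp_tunnel(VOICE_PACKET, GW_A, GW_B, DEMO_KEY)),
        "esp_without_copy": classify(esp_tunnel(VOICE_PACKET, GW_A, GW_B, DEMO_KEY, copy_tos=False)),
        "gre_over_ipsec": classify(gre_over_ipsec(VOICE_PACKET, GW_A, GW_B, DEMO_KEY)),
    }


if __name__ == "__main__":
    for case, queue in demo().items():
        print(f"{case:18s} -> {queue}")
```

The model makes the comment's two points visible: with the ToS byte copied outward the provider-side classifier still places the voice packet in the priority queue after one or two layers of encapsulation, and without the copy the identical packet lands in best effort, so the marking has to be correct at Layer 3 before the packet reaches the tunnel endpoint. Whether the ISP honours the outer marking at all is, as the comment notes, a matter of the circuit's contract rather than the protocol.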
