🪅Revolutionizing Last Mile SD-WAN: Packet-Based Hub & Spoke Architecture vs. Legacy Flow-Based Firewalls 🧱


Firewalls show their rust when used as an exclusive network overlay and not as part of a service chain

In the ever-evolving world of technology, the old must often yield to the new. Remember the days when Token-ring technology was technically superior to Ethernet, yet Ethernet's cost-effectiveness won the day? History has a way of repeating itself, and today, MPLS finds itself in a similar predicament, eclipsed by the cost-effective prowess of SD-WAN. The undeniable financial benefits will drive companies to migrate from MPLS to exclusively embrace pure broadband connectivity, relegating MPLS to specialized use cases in data centers and ISP cores.

But not all SD-WAN solutions are created equal. Replacing rusty tin with more rusty tin is hardly a wise choice, and yet, that's precisely what many organizations unwittingly do when they opt for flow-based firewall meshes. While these solutions may have a familiar patina, they are far from the latest and greatest. More significantly, they suffer from lag, dropped calls, and corrupted transactions.

One of the key architectural decisions in preventing call drops is latency management. Calls despise latency, and any delay during a link failure can result in a dropped call. A hub and spoke architecture shines in this regard, as it can swiftly make real-time decisions, ensuring minimal failover time. Mesh architectures, on the other hand, introduce lag into the decision-making process, leading to call drops during link failures. The root cause lies in the implementation of a single-ended probe, which often waits indefinitely before declaring a failure. It's akin to carrying too many eggs in one basket: when a decision is finally made, the entire basket crashes, shattering all the eggs.
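To make the failover timing concrete, here is an added example (not code from the original post or from any SD-WAN vendor) of a hub that evaluates echo-probe replies from each spoke path on a fixed interval and switches paths as soon as a bounded reply deadline expires. Path names, probe intervals, thresholds and reply timestamps are all constructed for illustration; the `miss_threshold=100` run at the end shows what a probe that effectively never times out looks like from the caller's point of view.

```python
"""Probe-driven path failover with a bounded detection deadline.

Added example (not from the original post): a hub evaluates echo-probe
replies from each spoke path on a fixed interval and fails over as soon
as the reply deadline expires. All timings and thresholds are constructed
for illustration.
"""
from typing import Dict, List, Optional, Tuple


class PathMonitor:
    """Tracks probe replies for one path.

    The path is declared down once `miss_threshold` consecutive probe
    intervals pass without a reply, and restored only after
    `recover_threshold` consecutive replies so a flapping link does not
    bounce the active path back and forth.
    """

    def __init__(self, name: str, interval_ms: int,
                 miss_threshold: int, recover_threshold: int) -> None:
        self.name = name
        self.deadline_ms = interval_ms * miss_threshold
        self.recover_threshold = recover_threshold
        self.last_reply_ms = 0          # start of monitoring counts as "heard"
        self.up = True
        self.good_replies = 0

    def reply_received(self, now_ms: int) -> None:
        self.last_reply_ms = now_ms
        if not self.up:
            self.good_replies += 1
            if self.good_replies >= self.recover_threshold:
                self.up = True
                self.good_replies = 0

    def evaluate(self, now_ms: int) -> bool:
        """Apply the deadline at a probe tick; return the resulting state."""
        silent_for = now_ms - self.last_reply_ms
        if silent_for > self.deadline_ms:
            self.up = False
            self.good_replies = 0   # recovery must start over after new silence
        return self.up


class FailoverController:
    """Picks the highest-priority path that is currently up."""

    def __init__(self, paths: List[PathMonitor]) -> None:
        self.paths = paths          # priority order, primary first

    def active(self, now_ms: int) -> Optional[str]:
        states = [(p.name, p.evaluate(now_ms)) for p in self.paths]
        for name, up in states:
            if up:
                return name
        return None                 # every path is down


def simulate(replies: Dict[str, List[int]], horizon_ms: int,
             interval_ms: int = 100, miss_threshold: int = 3,
             recover_threshold: int = 3) -> List[Tuple[int, Optional[str]]]:
    """Replay reply timestamps per path; return (time, active path) transitions."""
    monitors = [PathMonitor(n, interval_ms, miss_threshold, recover_threshold)
                for n in replies]
    controller = FailoverController(monitors)
    reply_sets = {n: set(t) for n, t in replies.items()}
    transitions: List[Tuple[int, Optional[str]]] = []
    current: object = object()      # sentinel so the first tick is recorded
    for now in range(0, horizon_ms + 1, interval_ms):
        for m in monitors:
            if now in reply_sets[m.name]:
                m.reply_received(now)
        chosen = controller.active(now)
        if chosen != current:
            transitions.append((now, chosen))
            current = chosen
    return transitions


if __name__ == "__main__":
    # Constructed scenario: primary goes silent after 500 ms, returns at 1500 ms.
    replies = {
        "primary": list(range(0, 501, 100)) + list(range(1500, 2001, 100)),
        "backup": list(range(0, 2001, 100)),
    }
    print("bounded deadline :", simulate(replies, 2000))
    print("no real deadline :", simulate(replies, 2000, miss_threshold=100))
```

With a 100 ms probe and three missed replies the decision lands 400 ms after the last good reply, and the recovery threshold keeps a briefly returning primary from flapping the active path. Raising `miss_threshold` far enough that the deadline never fires reproduces the "waits indefinitely" behaviour: the primary is never abandoned, so every call on it rides out the whole outage.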

In the quest for the optimal SD-WAN architecture at the edge, the hub and spoke configuration emerges as the victor. Mesh architectures come with a cost premium, as supporting 40,000 tunnels on cost-effective hardware is an impossible feat. Furthermore, an expansive mesh increases the attack surface, providing no logical choke points for mitigating security risks. It's a regressive step for enterprise security.

Now, let's address the issue of Forward Error Correction (FEC). While it may serve as a crutch in flow-based solutions, it's not a one-size-fits-all solution for VoIP problems. FEC lacks scalability for other protocols, making it inefficient in certain situations. Bandwidth may be abundant, but in constrained scenarios, it's a valuable resource. Imagine trying to force more water through a hose at full flow—it's simply not feasible.

The primary challenge with voice communication lies in dropped packets, which occur when packets arrive out of order and too late to be played back. The solution lies in reducing out-of-order packets and proactively managing the protocol stream to mitigate congestion. Packet-based SD-WAN accomplishes this with effective QoS and bandwidth adaptation, surpassing the capabilities of FEC.
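The two preceding paragraphs, on what FEC costs and on how out-of-order arrival turns into drops, are illustrated by this added example (not code from the original post or any product). The first half builds a single XOR parity packet per group of voice frames and shows both its bandwidth overhead and its one-loss-per-group limit; the second half is an in-order delivery buffer that holds a gap for a bounded number of ticks and counts which packets were reordered, abandoned, or arrived too late. Frame contents, sequence numbers and arrival times are constructed.

```python
"""XOR-parity FEC beside an in-order delivery buffer for a voice stream.

Added example (not from the original post). Both halves run on constructed
packet sequences: the FEC half shows what one parity packet per group
costs and what it can repair, the buffer half shows how out-of-order and
late packets turn into drops when a gap cannot be waited on any longer.
"""
from typing import Dict, List, Optional, Tuple


def xor_parity(payloads: List[bytes]) -> bytes:
    """Parity packet for a group of equal-length payloads."""
    out = bytearray(len(payloads[0]))
    for p in payloads:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def fec_overhead(group_size: int) -> float:
    """Extra bandwidth fraction paid for one parity packet per group."""
    return 1.0 / group_size


def fec_recover(received: Dict[int, bytes], parity: bytes,
                group: range) -> Optional[Tuple[int, bytes]]:
    """Rebuild the one missing payload of `group`; None if 0 or >1 are missing."""
    missing = [s for s in group if s not in received]
    if len(missing) != 1:
        return None                 # XOR parity repairs exactly one loss per group
    present = [received[s] for s in group if s in received]
    return missing[0], xor_parity(present + [parity])


class ReorderBuffer:
    """Delivers packets in sequence order, holding a gap for at most `max_hold` ticks."""

    def __init__(self, max_hold: int) -> None:
        self.max_hold = max_hold
        self.next_seq = 0
        self.pending: Dict[int, bytes] = {}
        self.gap_since: Optional[int] = None
        self.out_of_order = 0       # arrived while an earlier sequence was still missing
        self.skipped = 0            # declared lost because the gap outlived max_hold
        self.late_dropped = 0       # arrived after the buffer had already moved past them

    def push(self, seq: int, payload: bytes, now: int) -> List[int]:
        if seq < self.next_seq:
            self.late_dropped += 1  # too late to play back: this is the "dropped packet"
            return []
        if seq != self.next_seq:
            self.out_of_order += 1
        self.pending[seq] = payload
        return self.tick(now)

    def tick(self, now: int) -> List[int]:
        """Release everything deliverable; give up on a gap once max_hold has passed."""
        delivered: List[int] = []
        while self.pending:
            if self.next_seq in self.pending:
                self.pending.pop(self.next_seq)
                delivered.append(self.next_seq)
                self.next_seq += 1
                self.gap_since = None
                continue
            if self.gap_since is None:
                self.gap_since = now
            if now - self.gap_since < self.max_hold:
                break               # keep waiting for the missing sequence
            lowest = min(self.pending)
            self.skipped += lowest - self.next_seq
            self.next_seq = lowest
            self.gap_since = None
        return delivered


def simulate_stream(arrivals: List[Tuple[int, int]], max_hold: int,
                    horizon: int) -> Dict[str, object]:
    """Feed (tick, seq) arrivals through the buffer and report what was delivered."""
    buf = ReorderBuffer(max_hold)
    by_tick: Dict[int, List[int]] = {}
    for t, seq in arrivals:
        by_tick.setdefault(t, []).append(seq)
    delivered: List[int] = []
    for now in range(horizon + 1):
        for seq in by_tick.get(now, []):
            delivered += buf.push(seq, b"voice-frame", now)
        delivered += buf.tick(now)
    return {"delivered": delivered, "out_of_order": buf.out_of_order,
            "skipped": buf.skipped, "late_dropped": buf.late_dropped}


if __name__ == "__main__":
    frames = [b"aaaa", b"bbbb", b"cccc", b"dddd"]       # constructed 4-frame group
    parity = xor_parity(frames)
    print("overhead:", fec_overhead(len(frames)))
    print("recovered:", fec_recover({0: frames[0], 1: frames[1], 3: frames[3]}, parity, range(4)))
    # Constructed arrival order: 2 before 1, 4 arrives long after 5.
    print(simulate_stream([(0, 0), (1, 2), (2, 1), (3, 3), (4, 5), (9, 4)], max_hold=3, horizon=10))
```

A four-frame group costs 25% more bandwidth and repairs exactly one loss; a second loss in the same group is unrecoverable no matter how much parity was sent. In the buffer run, packet 2 arriving one tick before packet 1 is harmless because the gap closes inside the hold window, whereas packet 4 arriving five ticks late is counted as a drop even though it was never lost on the wire, which is the out-of-order failure the paragraph above describes.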

Lastly, the misconception around "Secure" SD-WAN needs to be addressed. Secure SD-WAN does not necessitate a branded firewall appliance. The majority of cloud infrastructure relies on Linux servers, leveraging the built-in firewall processes within the Linux kernel. These processes are not only secure but also frequently updated, providing security that matches or exceeds branded firewall appliances, which often derive from Linux kernels that are over a decade old. The hardening process of a branded firewall appliance doesn't necessarily exceed that of a generic Linux kernel.

Many firewall-centric solutions rely on IPsec, a technology ill-suited for the high-performance demands of modern networks. Optimal performance is achieved by leveraging the hardware AES instructions built into Intel processors.

In the realm of security, it's important to recognize that it's more than a collection of perimeter rules and firewall checkboxes. True security is a comprehensive approach that guards against losses, errors, and faults. Consider your online banking connection at home, protected by a common broadband router. It remains secure because the application itself is inherently secure.

The ideal solution is to retain your existing firewall while integrating it into a service chain that guarantees reliability, zero call drops, instantaneous failover, and unwavering security. Allow firewalls to do what they do best—protect your network—while SD-WAN takes care of the networking.

In the modern arena of SD-WAN, the battle between packet-based hub and spoke architecture and legacy flow-based firewalls is unequivocal. It's time to embrace the future and usher in a new era of networking prowess.