🤯SD-WAN Behind a Firewall | The Brainfart You Should Avoid🧱🔥
The Downside of Antipodean Syndrome: Combining SD-WAN with External Firewalls Instead of Internal Firewalls in Corporate Networks
In the corporate world, decisions around networking often stem from habit rather than rationality. One particularly baffling practice is deploying SD-WAN behind a third-party firewall. While this may seem like a way to "enhance security," it is, in fact, a brainfart of epic proportions that adds complexity, reduces performance, and undermines the very purpose of SD-WAN.
Putting the firewall in front of the SD-WAN, instead of behind it, is known as the Antipodean Syndrome. Let’s dive into why this syndrome is a mistake and how a true SD-WAN solution like Fusion’s eliminates the need for such counterproductive setups.
The Core of the Problem
SD-WAN Is Designed to Stand Alone
SD-WAN solutions are engineered with robust security mechanisms that rival those of cloud providers. They’re built to operate directly on the Internet, utilising advanced encryption, zero-trust architecture, and dynamic security policies to protect data and traffic flows.
Unlike traditional firewalls, which frequently appear on vulnerability and exploit lists, SD-WAN solutions are inherently secure and resilient. Placing a firewall in front of SD-WAN not only adds unnecessary layers but also exposes your network to the vulnerabilities of those firewalls.
Breaking the Design Philosophy
SD-WAN’s power lies in its ability to intelligently route traffic, apply QoS, and secure communications autonomously. Firewalls in front of SD-WAN disrupt this flow by:
Adding Latency: Firewalls introduce inspection delays that reduce the speed and performance SD-WAN is designed to deliver.
Complicating Troubleshooting: Issues in this setup often involve determining which device—firewall or SD-WAN—is causing the problem, leading to longer resolution times.
Creating Redundancy Conflicts: SD-WAN already secures and segments traffic. Adding a firewall duplicates these efforts in an inefficient and counterproductive way.
Why Businesses Default to Firewalls
Many businesses cling to outdated practices, deploying firewalls as a reflex rather than a necessity. This stems from:
Legacy Thinking: Firewalls have been the go-to security measure for decades, and IT teams are often reluctant to trust newer technologies.
Fear of the Internet: Despite SD-WAN’s robust security, many organisations feel compelled to shield it with a firewall, unaware that SD-WAN is built for the "wild" Internet.
Vendor Misinformation: Some vendors recommend firewalls as a blanket solution, ignoring the unique architecture and capabilities of SD-WAN.
The Architectural Nightmare of SD-WAN Behind Firewalls
Cumbersome Deployments
Configuring SD-WAN behind a firewall is a headache. You must ensure:
Proper NAT rules for outgoing traffic.
Exceptions for dynamic SD-WAN control and telemetry channels.
Coordination between disparate security policies, which often leads to conflicts.
Difficult Troubleshooting
When something goes wrong, isolating the root cause is an ordeal. Is the issue with the firewall’s policy enforcement or the SD-WAN’s routing decisions? This finger-pointing delays resolution, affecting uptime and productivity.
Reduced Agility
One of SD-WAN’s greatest strengths is its flexibility to adapt to changing traffic patterns and requirements. Firewalls act as bottlenecks, restricting this agility with rigid policies and static configurations.
The Brainfart of Using a Firewall as SD-WAN
Architecturally, deploying a firewall as an SD-WAN solution is just as flawed. While some firewalls claim to offer SD-WAN capabilities, these are often bolted-on features that fail to deliver:
True QoS: Firewall-based SD-WAN lacks advanced traffic-shaping and prioritisation mechanisms.
Dynamic Path Selection: These solutions often struggle with real-time failover and optimisation.
Cloud Integration: Firewall-based SD-WAN is clunky and inefficient for multi-cloud or SaaS environments.
The Fusion SD-WAN Difference
Fusion SD-WAN eliminates the need for unnecessary firewalls by delivering a secure, standalone solution designed for today’s Internet-centric world.
Service Chain Agnostic
Fusion’s SD-WAN supports any downstream NFV or physical firewall, allowing businesses to integrate additional security measures only where needed—without disrupting the SD-WAN’s functionality.
Robust Security Built In
Fusion’s SD-WAN uses cloud-grade encryption and dynamic security measures to protect traffic, negating the need for third-party firewalls. It’s secure enough to face the Internet directly, with no compromises.
Simplified Management
With Fusion, there’s no need for cumbersome NAT rules or conflicting policies. Its intelligent management and automation capabilities streamline operations, reducing errors and improving efficiency.
No Brainfarts, Just Results
Fusion’s SD-WAN "just works." It’s easy to deploy, scales effortlessly, and delivers unmatched performance without the architectural headaches of firewalls.
Wrap
Putting an SD-WAN solution behind a third-party firewall—or worse, using a firewall as SD-WAN—is a costly, inefficient, and downright irrational decision. SD-WAN is designed to operate securely and autonomously, without the need for additional barriers that hinder performance and create complexity.
Fusion’s SD-WAN stands as a robust, secure, and agile solution that eliminates the need for outdated practices. By trusting in its architecture, businesses can achieve greater network performance, resilience, and simplicity—no brainfarts required.
It’s time to embrace modern networking without clinging to legacy habits. Choose Fusion SD-WAN and leave the firewalls where they belong: out of the way.