🦖The Architectural Flaws of Monolithic Firewall-Based SD-WAN: Why It's Not the Real McCoy 🤖


🚨In today's fast-paced digital landscape, some so-called "SD-WAN" solutions are nothing more than glorified VPNs hidden within monolithic firewall stacks🚀📈



In the world of modern networking, SD-WAN (Software-Defined Wide Area Networking) is hailed as a revolutionary technology designed to optimize and secure enterprise connectivity. However, a significant number of so-called SD-WAN solutions are, at their core, nothing more than glorified VPNs embedded within monolithic firewall stacks. This flawed architectural approach introduces a multitude of vulnerabilities and inefficiencies, making it a far cry from the genuine promise of SD-WAN. Let’s dive into the reasons why this architecture is fundamentally flawed and how it compromises both security and performance.

A VPN by Another Name

At the heart of these so-called SD-WAN solutions embedded in firewalls lies a simple truth: they are merely VPNs (Virtual Private Networks) with a new label. While VPNs have their place in network security, they are not synonymous with SD-WAN. The key difference lies in functionality and architecture:

  • VPN Limitations: Traditional VPNs are designed to create secure connections over the internet. They lack the sophisticated traffic management, optimization, and application-aware routing capabilities that true SD-WAN solutions offer.

  • SD-WAN Capabilities: Genuine SD-WAN solutions provide advanced features like dynamic path selection, WAN optimization, last-mile packet loss mitigation, and seamless failover. These are absent in mere VPN setups.
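The difference between a tunnel and application-aware path selection is easiest to see in code. The following is an added illustrative example, not code from the original post or from any vendor: it models two WAN links that are probed continuously, keeps a per-link loss and latency window, and steers each application class (hypothetical "voice" and "bulk" SLA classes with illustrative thresholds) onto the best link that still meets its SLA, failing over when the current link degrades. All probe values are constructed.

```python
"""Application-aware dynamic path selection with SLA-based failover.

Added illustrative example (not from the original post, not a vendor's code).
A plain VPN has one tunnel and no view of link health; the selector below
shows what "dynamic path selection" and "seamless failover" actually require.
Sample probe data is constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Sla:
    max_loss: float    # fraction of probes lost, e.g. 0.02 == 2 %
    max_rtt_ms: float  # mean round-trip time ceiling


# Hypothetical application classes; thresholds are illustrative, not a standard.
SLA_CLASSES = {
    "voice": Sla(max_loss=0.02, max_rtt_ms=100.0),
    "bulk":  Sla(max_loss=0.30, max_rtt_ms=1000.0),
}


class WanLink:
    """One underlay path (fibre, LTE, ...) with a sliding window of probe results."""

    def __init__(self, name: str, window: int = 20):
        self.name = name
        # Each entry is the probe RTT in ms, or None if the probe was lost.
        self.probes: deque = deque(maxlen=window)

    def record(self, rtt_ms: Optional[float]) -> None:
        self.probes.append(rtt_ms)

    def loss(self) -> float:
        if not self.probes:
            return 1.0  # never probed: treat as down
        return sum(1 for p in self.probes if p is None) / len(self.probes)

    def rtt(self) -> float:
        good = [p for p in self.probes if p is not None]
        return sum(good) / len(good) if good else float("inf")

    def meets(self, sla: Sla) -> bool:
        return self.loss() <= sla.max_loss and self.rtt() <= sla.max_rtt_ms


class PathSelector:
    """Picks a link per application class; sticky to avoid flapping."""

    def __init__(self, links: List[WanLink]):
        self.links = {link.name: link for link in links}
        self.current = {}  # app_class -> link name currently carrying it

    def select(self, app_class: str) -> Optional[str]:
        sla = SLA_CLASSES[app_class]
        cur = self.current.get(app_class)
        if cur and self.links[cur].meets(sla):
            return cur  # still within SLA: do not re-steer on every small change
        candidates = [l for l in self.links.values() if l.meets(sla)]
        if not candidates:
            # Nothing meets the SLA: degrade to the least-bad live link rather
            # than black-holing the traffic.
            candidates = [l for l in self.links.values() if l.loss() < 1.0]
            if not candidates:
                self.current.pop(app_class, None)
                return None
        best = min(candidates, key=lambda l: (l.loss(), l.rtt()))
        self.current[app_class] = best.name
        return best.name


def demo() -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Run three constructed phases and return (phase, voice_link, bulk_link)."""
    fibre, lte = WanLink("fibre"), WanLink("lte")
    sel = PathSelector([fibre, lte])
    out = []
    # Phase 1: both links healthy, fibre has the lower latency.
    for _ in range(10):
        fibre.record(12.0)
        lte.record(45.0)
    out.append(("healthy", sel.select("voice"), sel.select("bulk")))
    # Phase 2: the fibre last mile starts dropping every second probe (25 % of
    # the window). Voice must move; bulk tolerates it and stays.
    for i in range(10):
        fibre.record(None if i % 2 == 0 else 12.0)
        lte.record(45.0)
    out.append(("fibre_lossy", sel.select("voice"), sel.select("bulk")))
    # Phase 3: fibre goes completely dark; everything fails over to LTE.
    for _ in range(20):
        fibre.record(None)
        lte.record(45.0)
    out.append(("fibre_down", sel.select("voice"), sel.select("bulk")))
    return out


if __name__ == "__main__":
    for phase, voice, bulk in demo():
        print(f"{phase:12s} voice->{voice} bulk->{bulk}")
```

The stickiness in `select` is deliberate: re-evaluating from scratch on every probe would bounce flows between links whenever two paths are nearly equal, which is worse for voice than a slightly suboptimal but stable path.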

The Highly Compromised VPN Engines

One of the most glaring issues with embedding SD-WAN within firewalls is the inherent vulnerability of VPN engines:

  • Compromise Risks: VPN engines within firewalls are often the most targeted and compromised parts of network infrastructure. Each day brings new stories of firewall breaches, exposing critical vulnerabilities.

  • Security Breaches: A compromised VPN engine within a firewall stack can lead to devastating security breaches, exposing sensitive data and network resources.

The Architectural Flaw: No Segmentation

The fundamental architectural flaw of embedding SD-WAN within a monolithic firewall stack is the lack of segmentation between WAN and LAN:

  • Single Point of Compromise: In a monolithic stack, a single compromise can grant an attacker access to both WAN and LAN environments. This lack of segmentation makes it easier for attackers to move laterally within the network.

  • Segmentation is Key: Effective network security requires segmentation. The WAN (or SD-WAN) component should be in a separate instance from the LAN, ensuring that a compromise in one does not automatically jeopardize the other.

The Need for Multiple Instances

To mitigate these risks, it is essential to separate the WAN (SD-WAN) component into different instances, rather than consolidating everything into a single firewall:

  • Isolated Termination Points: The termination point for SD-WAN can be in various security zones. Practically, this means deploying multiple firewalls, each handling distinct functions, to ensure robust security and performance.

  • Separation of Duties: By isolating the SD-WAN functionality from the main firewall, businesses can reduce the attack surface and improve the overall security posture.

The Fallacy of Single Vendor Solutions

The idea of relying on a single vendor for all security solutions is another flawed concept propagated by some analysts and vendors:

  • Vendor Lock-In Risks: Betting the farm on one vendor means that businesses are vulnerable to that vendor's weaknesses and limitations. If a critical vulnerability is discovered in that vendor’s products, the entire network could be at risk.

  • Diverse Solutions for Robust Security: A diverse, multi-vendor approach ensures that no single point of failure can compromise the entire network. It allows businesses to leverage the strengths of different technologies and vendors, creating a more resilient security infrastructure.

In South Africa we all know what happened when we decided to rely exclusively on Eskom Holdings SOC Ltd for electricity. Everyone has since rushed to secure alternative power solutions. The reasoning for not relying solely on Eskom applies equally to not relying solely on a single firewall vendor. However, good luck getting the salesman to see the logic in that.

Rusty and dated

Did you know that many firewall vendors are still using outdated forks of Linux in their stacks? Some might even be based on BSD. These vendors often claim that because they pay their developers, their code is superior to open-source alternatives. However, the high number of vulnerabilities found in these firewalls tells a different story. The assumption that paid developers produce inherently better code simply doesn't hold up against the evidence.

These firewall stacks run on dated versions of Linux or BSD and lack the advancements and optimizations present in modern open-source systems. Significant improvements in networking and computing within the Linux ecosystem are often missing from these firewall stacks, leaving them lagging behind in performance and security. An example below.


As businesses strive for robust and secure networking solutions, it's crucial to look beyond the marketing claims and examine the underlying technology. Opt for solutions that leverage the latest advancements and prioritize security through a proactive, transparent approach.

The architecture of embedding SD-WAN within a monolithic firewall stack is fundamentally flawed. It transforms what should be a sophisticated, segmented, and secure solution into a compromised, one-size-fits-all approach that fails to deliver the true benefits of SD-WAN. By recognizing these flaws and adopting a segmented, multi-vendor strategy, businesses can achieve the robust, dynamic, and secure connectivity that true SD-WAN promises. Remember, a business cannot bet the farm on one vendor – it's time to embrace the real McCoy of SD-WAN solutions.

Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized Last Mile SD-WAN provider in South Africa.