# 🥊The Misleading Narrative of "Secure" SD-WAN provided by using Firewalls🤼

I want to address a growing concern within our industry: the pervasive and misleading claim that SD-WAN solutions are inherently "secure" simply because they include a firewall. This is yet another example of Silicon Valley's questionable marketing tactics, particularly when it comes to information technology, and more dangerously, information security.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1727162169223/00e2f3b6-b272-4425-8306-64d12858bed0.jpeg align="center")

### Humans have the Biggest Impact on Security

First, let's consider the foundation of any IT solution, including security: **People, Process, and Technology (PPT)**. These three elements must work in unison to create a genuinely secure environment. In fact, **people and processes** are the most frequently exploited attack surface in any business, targeted through **social engineering** and, more broadly, **human error**. Yet no technology alone, neither SD-WAN nor a bolted-on firewall, can address these weaknesses in isolation. A firewall covers, at best, part of the technology third of PPT, so on this rough scale it earns no more than a 30% security score.

### The Flawed Technology Focus

When we drill down into the technology itself, we see the root of the issue: many vendors misrepresent site-to-site VPNs as SD-WAN by attaching a firewall, creating a false sense of security. It's like calling a **backroad with stop streets, traffic lights, and roundabouts "secure"** simply because it is slower and more congested, and has more enforcement points along the way. An **autobahn**, in contrast, has a lower accident rate and serves a different purpose: efficient, uninterrupted flow. I put it to you that the autobahn is, in essence, more secure, not less.

In the same way, **SD-WAN** is designed to be an autobahn for telecommunications—fast, reliable, and efficient. Yet, **Silicon Valley's bloated firewalls are choking that efficiency**, promoting congested "city streets" as the industry standard via their spaghetti VPNs.

### **Spaghetti VPNs | The WAN Equivalent of Data Center Cable Mess**

Just as tangled cables in a data center can lead to operational inefficiency, confusion, and increased downtime, **site-to-site VPNs using firewalls** create a similar mess—but this time, across the wide area network (WAN). The concept of **spaghetti VPNs** mirrors the chaotic wiring found in disorganized data centers, where connections overlap without clear structure or management.

In a traditional **site-to-site VPN setup**, every remote site requires its own VPN configuration, which soon results in a tangled web of tunnels. As more locations are added, the complexity grows quadratically: a full mesh of *n* sites needs *n(n-1)/2* tunnels, and every new site means touching every existing firewall. Each firewall at every site has to be manually configured and maintained, often with unique policies, routes, and security rules. This hodgepodge of connections resembles the **spaghetti cable mess** we dread in physical infrastructure, except now it's invisible and harder to troubleshoot across the WAN.

Here are some key characteristics of **spaghetti VPNs**:

* **Increased complexity**: As new sites are added, VPN tunnels crisscross between them, creating an unmanageable network that becomes fragile and error-prone.
    
* **High maintenance**: Each VPN tunnel needs constant attention for updates, security patches, and policy changes, which can quickly become overwhelming.
    
* **Scalability issues**: The more tunnels you add, the more the system struggles to scale. New connections lead to performance degradation and potential points of failure.
    
* **Lack of flexibility**: Static site-to-site VPNs offer little flexibility to dynamically manage or prioritize traffic, making it difficult to optimize the network for performance or security.
    

When deploying firewalls as VPN endpoints in a sprawling WAN environment, businesses end up with **spaghetti WANs**—a chaotic, fragile, and difficult-to-manage mess. Unlike the streamlined, intelligent traffic management capabilities of **SD-WAN**, this spaghetti architecture fails to provide the flexibility, visibility, and control needed to maintain a reliable and secure network in today’s complex environments.

A **well-designed SD-WAN** eliminates the need for these redundant, hard-to-manage VPNs, providing a **simplified, unified overlay** across the entire network. Rather than weaving more complexity into the network, SD-WAN intelligently manages traffic, ensuring that performance and security are both maintained without turning the WAN into a bowl of spaghetti.
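To make the scaling argument concrete, here is a small counting model, added as an example and not taken from the original post or from any vendor's code. It compares a full mesh of firewall-terminated tunnels, a hub-and-spoke design, and a controller-orchestrated overlay, counting how many tunnels exist and how many devices an engineer must log into to add one more site. The site names are constructed, and the overlay case assumes a controller that pushes policy to the edges (an assumption about orchestrated SD-WAN in general, not a claim about any specific product).

```python
"""Counting model for WAN tunnel sprawl.

Added example, not code from the original post or any vendor. It models three
designs over the same set of sites and counts (a) how many IPsec tunnels exist
and (b) how many devices change configuration when one more site joins.
Site names are constructed. The "overlay" case assumes a central controller
that pushes policy to the edges, which is an assumption about orchestrated
SD-WAN in general, not about a specific product.
"""
from itertools import combinations


def full_mesh_tunnels(sites):
    """Site-to-site VPN between every pair of sites: n(n-1)/2 tunnels."""
    return [frozenset(pair) for pair in combinations(sites, 2)]


def hub_spoke_tunnels(sites, hub):
    """Each spoke tunnels to the hub only: n-1 tunnels."""
    return [frozenset((hub, s)) for s in sites if s != hub]


def peers_per_device(tunnels):
    """Number of peers each firewall must carry configuration for."""
    counts = {}
    for tunnel in tunnels:
        for device in tunnel:
            counts[device] = counts.get(device, 0) + 1
    return counts


def touches_to_add_site(design, existing_sites):
    """Devices whose configuration changes when one new site joins.

    full_mesh: every existing firewall learns a new peer and the new firewall
               is configured with all of them -> n + 1 devices.
    hub_spoke: the hub and the new spoke -> 2 devices.
    overlay:   the new site is declared once on the controller, which pushes
               policy to the edges -> 1 device (assumption, see module docstring).
    """
    n = len(existing_sites)
    if design == "full_mesh":
        return n + 1
    if design == "hub_spoke":
        return 2
    if design == "overlay":
        return 1
    raise ValueError(f"unknown design {design!r}")


def growth_table(site_counts):
    """Rows of (n, mesh tunnels, hub tunnels, mesh touches, overlay touches)."""
    rows = []
    for n in site_counts:
        sites = [f"site-{i:02d}" for i in range(n)]  # constructed site names
        rows.append((
            n,
            len(full_mesh_tunnels(sites)),
            len(hub_spoke_tunnels(sites, sites[0])),
            touches_to_add_site("full_mesh", sites),
            touches_to_add_site("overlay", sites),
        ))
    return rows


if __name__ == "__main__":
    header = ("sites", "mesh tunnels", "hub tunnels", "mesh touches", "overlay touches")
    print("{:>5} {:>12} {:>11} {:>12} {:>15}".format(*header))
    for row in growth_table([5, 10, 20, 50, 100]):
        print("{:>5} {:>12} {:>11} {:>12} {:>15}".format(*row))
```

Running the script shows the shape of the problem: at 100 sites a full mesh carries 4,950 tunnels and each firewall holds 99 peer configurations, while adding a 101st site means touching 101 devices. The hub-and-spoke design cuts the tunnel count to 99 but concentrates every peer on the hub, which is the availability choke point the rest of this post is concerned with.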

### The CIA Triad & Silicon Valley's Narrow Focus

In the realm of **Information Security**, the key pillars are **Confidentiality, Integrity, and Availability (CIA)**. Silicon Valley's marketing often focuses exclusively on the **Confidentiality (C)** aspect, which is what a firewall terminating encrypted tunnels and filtering at the perimeter delivers, while ignoring **Integrity (I)** and **Availability (A)**. This tunnel vision is problematic because **availability failures** can lead to some of the most devastating security incidents.

A prime example is the **"Clownstrike" debacle** of July 2024, the largest IT outage in world history, in which a faulty content update to CrowdStrike's Falcon sensor crashed Windows hosts around the globe. It was fundamentally a failure of **availability**. Despite this, it is often dismissed as a "non-security incident" because confidentiality wasn't compromised, an absurd misrepresentation of what security truly means.

%[https://hubandspoke.amastelek.com/clownstrike-the-largest-it-outage-in-world-history-triggered-by-crowdstrike] 

### True SD-WAN Prioritizes Integrity & Availability

Unlike firewalls, **true SD-WAN solutions prioritize both integrity and availability** alongside confidentiality. The autobahn approach of SD-WAN makes a business inherently more secure, as it **prevents traffic from being "mugged" on congested backroads**. Once that traffic reaches its destination zone, there is a natural choke point where security hygiene can be enforced, ensuring **end-to-end protection**.

Wrapping up, it's time we stop promoting firewalls as the ultimate answer to SD-WAN security. A hybrid approach that covers the full spectrum of **CIA**—not just confidentiality—along with the **autobahn architecture of SD-WAN**, is the only way to create a secure, reliable, and efficient network infrastructure.

Let's advocate for solutions that solve real-world problems instead of buying into Silicon Valley's hype. Taking the CIA model into account, our initial security score of 30% for firewalls was optimistic; in reality it's only 10%.

---

[Ronald Bartels](https://www.linkedin.com/in/ronaldxbartels/) ensures that Internet inhabiting things are connected reliably online at [Nepean Networks](https://www.linkedin.com/company/fusion-broadband-south-africa/) - the leading specialized SD-WAN provider in South Africa. Learn more about the best SD-WAN in the world: 👉[Contact Nepean](https://nepeannetworks.com/company/contact-us/)🚀

---

%[https://hubandspoke.amastelek.com/discover-fusion] 

