Unified secure SD-WAN needs DPI. Why?

Sebastian Müller portrait

by Sebastian Müller
published on: 10.08.2021

Reading time: ( words)
Categories: Network security, SD-WAN

One of the greatest shifts in how enterprises have been running in the last several years is the development of the cloud. By drawing computational power, storage and network functions from servers located elsewhere over the Internet rather than maintaining this infrastructure locally, enterprises have acquired agility and flexibility that benefits their productivity and efficiency greatly. This Infrastructure as a Service (IaaS) approach has been expanded recently with corporate infrastructures being operated through a multi-cloud architecture instead of a single cloud. This allows companies to further increase their workloads and adaptability and position themselves optimally with respect to different clusters of customers.

The cloud as part of SD-WAN

A Wide Area Network (WAN) connects an enterprise’s local networks and IT assets with each other, and in doing so forms the crucial link that binds all of its IT resources, including Enterprise clouds. These span, on one hand, various offices and headquarters, and on the other hand, various layers of the corporate cloud stack: data, applications, databases, operating systems, virtual machines, physical servers and storage.

WAN has historically been operated using premium routes such as MPLS. The continuous adoption of cloud and SaaS applications, however, has necessitated the shift towards software-defined WAN or SD-WAN, which allows for flexible connectivity and intelligent traffic management with routing options now expanded to cover MPLS, 4G/5G and the Internet. With an expected CAGR of 34 % between 2020 and 2023[1], SD-WAN is poised to take up a significant share of the enterprise networking market.

Unified secure SD-WAN

By connecting multiple clouds, an SD-WAN is inherently open to various security vulnerabilities, given that the network is now populated with numerous network nodes and end points spread across different data centers and enterprise premises managed by various parties in various organizations. Any one element, whether it is a malware-infested application, a besieged cloud infrastructure, a corrupted SaaS, a compromised device or a rogue user, can wreak havoc on the entire network. Any one of these factors can easily lead to network congestion and traffic slowing down, resulting in serious performance issues and unexpected spikes in bandwidth consumption that can result in massive cost inefficiencies. Worse still, any of these disturbances could be the gateway through which other end devices, servers, clouds and applications are contaminated or taken control of.

Furthermore, applications, clouds and local networks feature disparate technologies from different providers across the SD-WAN, each with their own security setups that are not necessarily compatible with each other. For example, while Amazon Web Services has its own security mechanisms, it explicitly calls on its users to abide by a shared responsibility model wherein the customer is responsible for some security configuration and management tasks.[2]

These complexities have given rise to a new concept – ‘unified secure SD-WAN’, which is a security framework where security policies, their enforcement and control are unified across the network using cloud-native approaches such as APIs and other common communication standards to institute security functions and implement them on an end-to-end basis throughout the network in real time.

Securing the cloud network

Unified, secure SD-WAN inherently calls for in-depth visibility, one that is provided by network intelligence tools such as deep packet inspection (DPI). DPI is an advanced network technology that delivers granular, real-time data on traffic at the application, protocol and network level. Sophisticated DPI engines, such as R&S®PACE 2, classify network traffic in real-time using a comprehensive, regularly updated library, and complement the results with behavioral analysis, statistical analysis and machine learning/deep learning.

R&S®PACE 2 can classify packets by criticality (e.g. banking data), latency sensitivity (e.g. remote surgery transmissions), speed sensitivity (e.g. live broadcasts) and bandwidth intensity (e.g. video conferencing). This classification enables SD-WAN to determine optimal routes by application type, according expensive MPLS links or 5G URLLC slices to critical data while offloading less critical applications to the public Internet. This leads to lower network costs, increased efficiencies and increased traffic management effectiveness.

On the security front, R&S®PACE 2, by combining traffic classification and metadata extraction, provides cybersecurity solutions with the information that enables them to identify the types of cyber-attacks alongside the source and the nodes experiencing these attacks, even for encrypted data. This allows companies to pinpoint threats in real time – whether they are located at an endpoint of a specific branch of the company (including personal devices used by employees), a network device at the headquarters, a particular cloud or a third-party API.

When it comes to multi-cloud architectures, real-time information provided by DPI can not only help to identify when a cloud is under attack, it can also reveal exactly which layer within a cloud is at stake, such as the web server, application server, database server, or data server. Such insights are especially critical for enterprises with distributed application architectures. Even within cloud-native environments, R&S®PACE 2 enables companies to identify the actual point of attack, for example, a container or a pod. Where SaaS applications are involved, DPI is able to identify traffic anomalies and suspicious traffic patterns associated with a particular SaaS application. With this detailed, end-to-end view of the entire application environment across various architectures and types of applications, R&S®PACE 2 provides a comprehensive overview of all the traffic streams navigating the corporate SD-WAN and the connected clouds, enabling network managers to institute security functions including firewalls and IPS/IDS to respond to any threats on the network in real time.

Delivering unified visibility

DPI embedded into CPEs/gateways at the branches/headquarters of a company and its data centers/clouds thus constitutes a key component in a unified secure SD-WAN. Traffic surges, bottlenecks and threats detected at any of these CPEs/gateways are translated into red flags that alert all other points across the network. This information helps network managers to step up security measures, for example, by establishing firewalls at the more critical points across the network such as storage units with sensitive data. In a multi-cloud architecture, this would mean that threats identified in any one cloud will alert network managers to reinforce the security of their other clouds by instituting filtering and blocking of these threats at the cloud providers’ points of presence. With a unified secure SD-WAN, threat-specific remediation can be automated across every cloud, enabling standardized real-time responses to attacks irrespective of the cloud provider, its architecture or its security policies.

By delivering end-to-end monitoring and comprehensive visibility, DPI enables centralized control of the entire SD-WAN, fulfilling the principles of a truly unified secure SD-WAN. In short, as companies are diversifying their cloud usage, unified secure SD-WAN enriched with real-time, granular insights from DPI anchors each cloud firmly and securely to the rest of the corporate network and its users on the ground.

Learn in our case study why Nubewell has decided to embed R&S PACE 2 into their networking solution to ensure DPI-enhanced security across SD-WANs for cloud and branch offices.


[1] 2020 SD-WAN growth report: market poised to accelerate - Futuriom - https://www.futuriom.com/articles/news/2020-sd-wan-growth-report-sd-wan-market-likely-to-accelerate/2020/06 - 2020

[2] Shared Responsibility Model - AWS - https://aws.amazon.com/compliance/shared-responsibility-model/ - 2021

Sebastian Müller portrait

Sebastian Müller

Contact me on LinkedIn

Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.

Email: Seb.Mueller@rohde-schwarz.com

Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for our newsletter

Stay informed about the latest news and insights from ipoque