Why security and cost are the deciding issues when evaluating MPLS vs. SD-WAN

If you work at any level of IT management, from front line supervisor to CIO, keeping costs down and maintaining security are two of the most important objectives you have. If you spend too much, operations aren’t profitable. If your infrastructure isn’t secure enough, operations don’t happen at all.

It should come as no surprise then, that two of the biggest drivers in the MPLS vs SD-WAN debate are cost and security. There has been a paradigm shift in WAN connectivity over the past 5 years. Usage of bandwidth and cloud apps have continued to skyrocket. What was “good enough” from MPLS in the early 2000s is now cause for concern. MPLS bandwidth isn’t cheap, and MPLS’s take on security covers isolation, but not much more.

In this piece, we’ll review some of the cost and security challenges associated with MPLS use in the modern enterprise, and review how premium SDWaaS (SD-WAN as a Service) solutions help address them.


The old MPLS approach to security

MPLS circuits are considered private lines. They generally don’t go Internet-facing and are logically isolated. This was fine when most enterprise WAN traffic happened between client PCs in corporate offices and apps running on corporate servers. While MPLS is not encrypted by default, organizations often didn’t feel they need to encrypt or inspect MPLS connections, because they were isolated and generally only used within the corporate WAN.

This began to fell apart as the popularity of cloud computing skyrocketed. With SaaS apps like G-Suite & Office 365 and IaaS products like AWS & Microsoft Azure chewing up tons of bandwidth, there was now a surge of traffic that needed to leave the corporate WAN and traverse the public Internet. Not only did this lead for a need to add complexity to the WAN by way of security appliances, VPNs, enhanced security policies, and InfoSec technology, it also created performance issues.

With the surge in traffic to and from the network, there was a need to backhaul data through a specific location (e.g. a corporate datacenter) for inspection and auditing prior to routing it on to its destination, leading to what is known as the “trombone routing” problem. In addition to the inherent addition of complexity, trombone routing can add a non-trivial amount of latency to traffic.

Even with security measures in place, the MPLS paradigm is conducive to holes. If the WAN infrastructure and security mechanisms are centralized, but the user’s workloads are dispersed across the Internet, there is a possibility for the user to be compromised by malware or other threats from the Internet.

Full network security stacks with SDWaaS

Admittedly, legacy SD-WAN solutions did little to address the security challenges associated with MPLS and focused mostly on getting Policy-based Routing (PbR) right. However, premium, cloud-based SDWaaS does address WAN security in a way that is both robust and flexible. With a premium SDWaaS not only is traffic encrypted using TLS, a suite of security solutions is built into the WAN infrastructure, meaning any user that connects is inherently protected. In addition to encryption, premium SDWaaS offers advanced security features like Next-generation Firewall (NGFW), Intrusion Protection System (IPS), threat detection, human threat verification, and more. Not only is this holistic approach to security an effective way to tackle the challenges of modern IT, it removes a significant amount of complexity from customer networks and allows IT staff to focus on core business tasks.

RecommendedNetwork Monitoring Tools & Software for Network Performance Monitoring

The cost challenges associated with MPLS

It’s no secret that MPLS bandwidth is one of the more expensive ways to connect your equipment from a “dollar per bit” standpoint. Additionally, after our review of the security challenges associated with MPLS, some of the cost challenges may already be clear. With the trombone routing problem, you’re effectively paying for bandwidth twice. Further, the additional investment in security solutions and complexity in provisioning and maintaining them drives up both capex and opex. In short, the same surge in cloud-bound traffic that exposed some of the security and performance challenges with MPLS also pushed the cost issues to a critical mass for many organizations.

How SDWaaS enables affordable, high-performance WANs

Again, it’s no secret that MPLS bandwidth is expensive, and since SDWaaS is connection agnostic, it enables enterprises to leverage more economical transport methods (e.g. a cable Internet connection).

This, plus solving the trombone routing problem may be enough to make a business case for some organizations, but there is an even bigger, but oft overlooked, cost benefit to SDWaaS: reduction in complexity. By abstracting away much of the complexity of the WAN infrastructure, SD-WaaS enables significant capex and opex savings.

To help conceptualize the potential for savings consider the hardware, software, and provisioning costs of deploying a full security stack for a WAN across all the locations within an enterprise. Now add to that the maintenance and replacement costs over time. SDWaaS has that built in. Additionally, SDWaaS is able to get new sites off the ground much quicker than a similar deployment with MPLS. This means not only are you dedicating less resources to provisioning the site, the site may be able to become productive quicker.

SDWaaS is a secure, cost effective, and modern WAN solution

The cloud changed the way traffic traverses WANs across the globe and exposed a number of holes in the old MPLS approach. SDWaaS has since emerged as a WAN solution capable of not only solving the problems of MPLS, but also enhancing WAN performance while reducing costs. This enables enterprises that adopt SDWaaS to benefit not only in terms of dollar cost and security, but also performance and scalability.

Related Post: