This blog was originally published to the 128 Technology website – in 2020, Juniper Networks acquired 128 Technology. Learn more about the acquisition here.
This explainer on SD-WAN vs. VPN is a complement to our blog post comparing SD-WAN vs. MPLS. Here, we’ll take a look at the relationship between Software-Defined Wide Area Networking (SD-WAN) and Virtual Private Network (VPN) technologies, and unpack several benefits of a new form of VPN-free SD-WAN that is taking center stage.
Virtual Private Networks typically establish virtual point-to-point connections using a tunneling protocol such as IPsec (Internet Protocol Security) to carry traffic securely between the two endpoints. This approach is less expensive to implement than Multiprotocol Label Switching (MPLS), but there are trade-offs. Generally, MPLS is positioned as the premium price-per-megabit connectivity option to pick when every microsecond counts.
By contrast, Software-Defined Wide Area Networking achieves high reliability, low latency, and excellent quality of service (QoS) at low cost. SD-WAN takes a programmatic approach to managing connectivity over heterogeneous networks. It supports the unique needs of disparate types of WAN traffic by leveraging two or more connectivity methods such as MPLS, Internet broadband, 4G/LTE, and satellite.
Until recently, most SD-WAN deployments have used IPsec VPNs for transmitting traffic over any connection—but that’s changing. Here’s why.
SD-WAN vs. VPN in a Battle for Better Deployments
To secure data that travels over VPNs, the IPsec protocol suite authenticates and encrypts packets flowing between pairs of devices (hosts and/or security gateways). When IPsec VPNs are overlaid onto existing networks, they add overhead to every packet and increase network complexity in the process. This overhead can consume up to forty percent of available network bandwidth, depending on factors such as the protocols used, whether and how the traffic is encrypted, and packet length.
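As an added worked example (not code from the original post), the following Python model computes the ESP tunnel-mode encapsulation overhead described above, using RFC 4303 framing over an IPv4 outer header, to show how the overhead fraction depends on packet length and cipher suite. The IV, block-alignment and ICV lengths for the two suites are assumed typical values, and the sample packet sizes are constructed for illustration.

```python
"""Constructed worked example: ESP tunnel-mode byte overhead as a function
of inner packet length and cipher suite (IPv4 outer header, RFC 4303)."""
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class Suite:
    name: str
    iv_len: int    # per-packet IV/nonce carried in the clear
    block: int     # padding alignment (cipher block, or 4 for ESP word alignment)
    icv_len: int   # integrity check value appended after the ciphertext


# Assumed suite parameters (typical values, not from the post):
# AES-CBC: 16-byte IV, 16-byte block padding; HMAC-SHA1-96: 12-byte ICV.
# AES-GCM: 8-byte IV, only 4-byte trailer alignment; 16-byte ICV.
SUITES = [
    Suite("AES-128-CBC + HMAC-SHA1-96", iv_len=16, block=16, icv_len=12),
    Suite("AES-128-GCM (16-byte ICV)", iv_len=8, block=4, icv_len=16),
]


def esp_tunnel_len(inner_len: int, s: Suite) -> int:
    """Bytes on the wire after wrapping an inner IP packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER          # plaintext that must be aligned
    pad = (-body) % s.block                 # padding up to the next boundary
    return IPV4_HDR + ESP_HDR + s.iv_len + body + pad + s.icv_len


def overhead_fraction(inner_len: int, s: Suite) -> float:
    """Share of the transmitted bytes that are encapsulation, not original packet."""
    total = esp_tunnel_len(inner_len, s)
    return (total - inner_len) / total


if __name__ == "__main__":
    # Constructed sample of inner IPv4 packet sizes, from small VoIP-like
    # packets up to a near-MTU bulk-transfer packet.
    for s in SUITES:
        print(s.name)
        for n in (64, 128, 256, 576, 1400):
            print(f"  inner {n:5d} B -> wire {esp_tunnel_len(n, s):5d} B, "
                  f"overhead {overhead_fraction(n, s):5.1%}")
```

Small packets pay the largest relative price, which is why the bandwidth cost of an overlay is best estimated against the actual packet-size distribution of the traffic rather than a single average.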
IPsec overlays are also notoriously difficult to scale because each router or firewall must maintain state information and encrypt the traffic. As a network grows, maintaining thousands of IPsec tunnels consumes significant resources and operational cycles.
Other problems for VPN overlays include obscuring the data they transmit, which denies network operators full control over, or visibility into, the traffic within the IPsec tunnel. Because tunnels set up slowly, applications may drop connections during failovers, increasing the fragility of the network.
Finally, IPsec overlays are static. They cannot adapt dynamically to network congestion or other events as they occur.
SD-WAN without IPsec VPNs: Routing Sessions, Not Packets
SD-WANs do not have to virtually replicate traditional networking paradigms. When we replace reliance on IPsec VPN overlays with session-oriented routing, the intrinsic advantages of SD-WANs are amplified and the value proposition skyrockets.
Unlike IPsec VPNs, session-based routing such as Session Smart™ from 128 Technology does not add upfront addressing and sequencing overhead to every packet. Instead, it recognizes the first packet of a session and controls the session based on information in that packet. Session-oriented routing can provide intelligent native load balancing, Zero Trust Security, network control, and many other capabilities that traditional routing cannot. These integrated features create a much tighter alignment between the network and the applications it supports. When layer three of the network speaks the language of applications and services, it can adapt automatically to the requirements of individual sessions and user segments.
Session-aware, software-based routers also simplify the network. Gone are complicated, hard-wired (or virtual) tunnels and legacy middleboxes in favor of a software-based routing fabric with native security/encryption, centralized orchestration, QoS and session optimization, and load balancing built into the routers themselves.
Intelligent, VPN-free SD-WANs using secure, session-based routing can achieve greater simplicity, lower costs, superior agility, end-to-end visibility, sub-second failovers, and dramatically lower bandwidth consumption. These advantages are becoming must-haves in the eyes of many networking teams.