🥊The Misleading Narrative of "Secure" SD-WAN provided by using Firewalls🤼

Ronald Bartels
5 min read

I want to address a growing concern within our industry: the pervasive and misleading claim that SD-WAN solutions are inherently "secure" simply because they include a firewall. This is yet another example of Silicon Valley's questionable marketing tactics, particularly when it comes to information technology, and more dangerously, information security.

Humans have the Biggest Impact on Security

First, let's consider the foundation of any IT solution, including security: People, Process, and Technology (PPT). These three elements must work in unison to create a genuinely secure environment. In fact, people and processes are the most significant attack vectors in any business, typically targeted through social engineering and, more broadly, human error. Yet no technology alone—neither SD-WAN nor a bolted-on firewall—can address these critical vulnerabilities in isolation. At best, firewalls earn a 30% security score.

The Flawed Technology Focus

When we drill down into the technology itself, we see the root of the issue: many vendors misrepresent site-to-site VPNs as SD-WAN by attaching a firewall, creating a false sense of security. It's like calling a backroad with stop streets, traffic lights, and roundabouts "secure" simply because it is slower, more congested, and dotted with traffic enforcement points. An autobahn, in contrast, has fewer accidents and serves a different purpose—efficient, uninterrupted flow. I put it to you that the autobahn is in essence more secure, not less.

In the same way, SD-WAN is designed to be an autobahn for telecommunications—fast, reliable, and efficient. Yet, Silicon Valley's bloated firewalls are choking that efficiency, promoting congested "city streets" as the industry standard via their spaghetti VPNs.

Spaghetti VPNs | The WAN Equivalent of Data Center Cable Mess

Just as tangled cables in a data center can lead to operational inefficiency, confusion, and increased downtime, site-to-site VPNs using firewalls create a similar mess—but this time, across the wide area network (WAN). The concept of spaghetti VPNs mirrors the chaotic wiring found in disorganized data centers, where connections overlap without clear structure or management.

In a traditional site-to-site VPN setup, every remote site requires individual VPN configurations, which often result in a tangled web of VPN tunnels. As more locations are added, the complexity grows exponentially, leading to a management nightmare. Each firewall at every site has to be manually configured and maintained, often requiring unique policies, routes, and security rules. This hodgepodge of connections resembles the spaghetti cable mess we dread in physical infrastructure—except now, it’s invisible and harder to troubleshoot across the WAN.

Here are some key characteristics of spaghetti VPNs:

  • Increased complexity: As new sites are added, VPN tunnels crisscross between them, creating an unmanageable network that becomes fragile and error-prone.

  • High maintenance: Each VPN tunnel needs constant attention for updates, security patches, and policy changes, which can quickly become overwhelming.

  • Scalability issues: The more tunnels you add, the more the system struggles to scale. New connections lead to performance degradation and potential points of failure.

  • Lack of flexibility: Static site-to-site VPNs offer little flexibility to dynamically manage or prioritize traffic, making it difficult to optimize the network for performance or security.

When deploying firewalls as VPN endpoints in a sprawling WAN environment, businesses end up with spaghetti WANs—a chaotic, fragile, and difficult-to-manage mess. Unlike the streamlined, intelligent traffic management capabilities of SD-WAN, this spaghetti architecture fails to provide the flexibility, visibility, and control needed to maintain a reliable and secure network in today’s complex environments.

A well-designed SD-WAN eliminates the need for these redundant, hard-to-manage VPNs, providing a simplified, unified overlay across the entire network. Rather than weaving more complexity into the network, SD-WAN intelligently manages traffic, ensuring that performance and security are both maintained without turning the WAN into a bowl of spaghetti.
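To make the "complexity grows exponentially" point concrete, here is an added illustration (not code from the article or from any vendor) that counts the tunnels a full-mesh site-to-site VPN needs as sites join, the tunnel definitions each site's firewall must carry, and how many device configurations one policy change touches in the mesh compared with an overlay where the policy is defined once centrally. The site names, the "mesh" and "overlay" models, and the assumption that a mesh policy is attached to every tunnel leg are constructed for the example.

```python
"""Added illustration (not from the article): tunnel and configuration growth of a
full-mesh site-to-site VPN versus a centrally managed overlay. Site names are
constructed; the 'mesh' and 'overlay' cost models are simplifying assumptions."""
from itertools import combinations


def full_mesh_tunnels(sites):
    """Every pair of sites gets its own tunnel: n*(n-1)/2 tunnels for n sites."""
    return [tuple(sorted(pair)) for pair in combinations(sites, 2)]


def firewall_tunnel_configs(sites):
    """Tunnel definitions each site's firewall must carry (one per peer site)."""
    return {site: len(sites) - 1 for site in sites}


def tunnels_added_by_new_site(sites):
    """Joining the mesh means one new tunnel to every existing site, configured at both ends."""
    return len(sites)


def policy_change_touch_points(sites, model):
    """Device configurations an operator must edit to roll out one policy change.

    'mesh'   : the policy is attached to every tunnel leg, so each firewall is
               edited once per peer (2 * number of tunnels in total).
    'overlay': the policy is defined once at the controller and pushed to the edges.
    """
    if model == "mesh":
        return sum(firewall_tunnel_configs(sites).values())
    if model == "overlay":
        return 1
    raise ValueError(f"unknown model: {model}")


def growth_table(site_names):
    """(site count, mesh tunnels, mesh touch points) as each site is added, in order."""
    rows = []
    for n in range(2, len(site_names) + 1):
        subset = site_names[:n]
        rows.append((n, len(full_mesh_tunnels(subset)), policy_change_touch_points(subset, "mesh")))
    return rows


if __name__ == "__main__":
    # Constructed sample: a head office plus five branches.
    sites = ["HQ", "Cape Town", "Durban", "Pretoria", "Bloemfontein", "Gqeberha"]
    for n, tunnels, touched in growth_table(sites):
        print(f"{n} sites -> {tunnels} tunnels, {touched} firewall configs edited per policy change (overlay: 1)")
    print(f"adding a 7th site creates {tunnels_added_by_new_site(sites)} more tunnels")
```

Running it shows the mesh cost climbing with the square of the site count while the overlay's policy cost stays flat, which is the management gap the list above describes in words.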

The CIA Triad & Silicon Valley's Narrow Focus

In the realm of Information Security, the key pillars are Confidentiality, Integrity, and Availability (CIA). Silicon Valley’s marketing often focuses exclusively on the Confidentiality (C) aspect, thanks to firewalls, while ignoring Integrity (I) and Availability (A). This tunnel vision is problematic because availability failures can lead to some of the most devastating security incidents.

A prime example is the "Clownstrike" debacle, the largest cybersecurity incident in world history, which was fundamentally a failure of availability. Despite this, it's often dismissed as a "non-security incident" because confidentiality wasn't compromised—an absurd misrepresentation of what security truly means.

True SD-WAN Prioritizes Integrity & Availability

Unlike firewalls, true SD-WAN solutions prioritize both integrity and availability alongside confidentiality. The autobahn approach of SD-WAN makes a business inherently more secure, as it prevents traffic from being "mugged" on congested backroads. Once that traffic reaches its destination zone, there is a natural choke point where security hygiene can be enforced, ensuring end-to-end protection.
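The availability argument above can be put in numbers. The following is an added illustration, not code from the article or from any product: it combines per-component availability for a single site-to-site tunnel (link plus the device at each end, all in series) against an overlay that can use more than one underlay link in parallel, and it includes a small path-selection function that picks a link only if it currently meets loss and latency thresholds. The availability figures, the link-quality samples, and the assumption that an SD-WAN edge has two independent underlays are constructed for the example and describe no specific vendor.

```python
"""Added illustration (not from the article): availability treated as a security
property. Link availability numbers, thresholds and link-quality samples are
constructed; a two-underlay edge is an assumption about typical SD-WAN designs."""


def series_availability(*components):
    """Every component must be up, e.g. one link plus the device at each end."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel_availability(*paths):
    """The service is up when at least one independent path is up."""
    all_down = 1.0
    for a in paths:
        all_down *= 1.0 - a
    return 1.0 - all_down


def minutes_down_per_year(availability):
    """Expected unavailable minutes in a non-leap year, rounded to one decimal."""
    return round((1.0 - availability) * 365 * 24 * 60, 1)


def select_path(links, max_loss_pct, max_latency_ms):
    """Pick the lowest-latency link that still meets the loss and latency thresholds.

    `links` is a list of dicts with 'name', 'loss_pct' and 'latency_ms' as measured
    now; returns the chosen link name, or None when no link qualifies.
    """
    usable = [l for l in links if l["loss_pct"] <= max_loss_pct and l["latency_ms"] <= max_latency_ms]
    if not usable:
        return None
    return min(usable, key=lambda l: l["latency_ms"])["name"]


if __name__ == "__main__":
    # Constructed figures: edge device 99.95%, fibre 99.9%, LTE 99.5%.
    device, fibre, lte = 0.9995, 0.999, 0.995
    single_tunnel = series_availability(device, fibre, device)
    dual_underlay = series_availability(device, parallel_availability(fibre, lte), device)
    print(f"single tunnel : {single_tunnel:.6f} ({minutes_down_per_year(single_tunnel)} min/yr down)")
    print(f"dual underlay : {dual_underlay:.6f} ({minutes_down_per_year(dual_underlay)} min/yr down)")

    # Constructed measurements: fibre degraded, LTE healthy -> traffic moves to LTE.
    now = [{"name": "fibre", "loss_pct": 6.0, "latency_ms": 12},
           {"name": "lte", "loss_pct": 0.8, "latency_ms": 45}]
    print("path selected:", select_path(now, max_loss_pct=1.0, max_latency_ms=100))
```

Note that once the edge devices are included in the series, they dominate the result; the parallel underlays remove the link as a single point of failure, but a device outage at either end still takes the site down, which is why availability has to be designed for at every layer rather than assumed from the firewall.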

Wrapping up, it's time we stop promoting firewalls as the ultimate answer to SD-WAN security. A hybrid approach that covers the full spectrum of CIA—not just confidentiality—along with the autobahn architecture of SD-WAN, is the only way to create a secure, reliable, and efficient network infrastructure.

Let's advocate for solutions that solve real-world problems instead of buying into Silicon Valley's hype. Taking the CIA model into account, our initial security score of 30% for firewalls was optimistic; in reality it's only 10%.


Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa. Learn more about the best SD-WAN in the world: 👉Contact Fusion🚀

