Cisco Piles Into SD-WAN Security Trend


By: R. Scott Raynovich

It's been clear that security applications and features have become a key part of the SD-WAN story. Now Cisco has a plan to ride the wave by bundling security features and services into its SD-WAN products, which include the Viptela SD-WAN software purchased last year.

The main thrust of Cisco's announcements today, made at the Cisco Partner Summit in Las Vegas, is the integration of an application-aware enterprise firewall, intrusion prevention, URL filtering, and advanced security features into Cisco's SD-WAN devices. This includes Talos, Cisco's cyber-threat intelligence solution.

Is Cisco SD-WAN Affordable?

One of the key questions that customers will be asking about Cisco's approach is this: How much does it cost? Futuriom research with end users indicates one of their main concerns about using Cisco's SD-WAN solutions is that they tend to be expensive relative to the competition, as Cisco layers in subscription fees.

Indeed, the announcement does look like part of Cisco's strategy to boost recurring subscription software revenue. In today's announcement, Cisco said these new SD-WAN security features will be embedded in some routing devices and can be enabled in others, but they will require a subscription license, with recurring fees based on service bandwidth.

That approach could be painful for some customers, who say the cost of Cisco routers is already high. And it also seems to run counter to the value proposition of SD-WAN in general, which is to lower the cost of hardware with a commercial off-the-shelf (COTS) box and then layer software on top of that. With Cisco products, customers are often paying the tax of the additional cost of Cisco's proprietary routing hardware and software.

Startups Led the Security Wave

Is all of this enough for Cisco to get ahead of the curve in the SD-WAN market? Several startups have been leaders in pushing security as part of the SD-WAN story, most notably Cato Networks, which offers built-in security on its own SD-WAN network, called the Cato Cloud, and Versa Networks, which integrates a suite of security services, including a next-generation firewall, into its SD-WAN platform.

There's also an argument to be made that SD-WAN can be used as a platform to deliver best-of-breed security solutions. For example, Silver Peak has an integrated firewall but partners with security firms Check Point, Fortinet, Palo Alto Networks, and Zscaler to service-chain firewalls and security features into its SD-WAN platform. Aryaka recently launched its PASSPORT program to build security partners into its SD-WAN network. Many other SD-WAN players are also taking this approach, saying they want to give customers the choice of which security applications to use.

And then there is yet another approach. The firewall vendors, eyeing the success of the SD-WAN model, are building SD-WAN features into their firewall devices. Fortinet has been a leader in this approach.

So, Cisco's announcement is not a breakthrough, but it is a ratification of the existing trend that makes SD-WAN a powerful security approach for enterprises. It's clear that SD-WAN can be used as a model to combine the functions and applications of many edge devices: firewalls, routers, security, and WAN optimization. And security features will be a key battleground for SD-WAN going forward.