When comparing WAN connectivity solutions, cost, performance, reliability, and configuration & maintenance are important to consider. Let’s see how the SD-WAN vs VPN debate stacks up in those categories.
SD-WAN vs VPN: Cost
Both Internet-based VPN and SD-WAN enable enterprises to leverage affordable public-Internet bandwidth. In small deployments, VPN can be an inexpensive solution for a few sites and a simple WAN topology. For example, a simple site-to-site connection can be achieved using commodity servers and open-source software like Openswan. However, as we saw with BioIVT, the complexity and bottlenecks created by scaling VPN-based networks can outweigh the upfront cost savings by a wide margin.
SD-WAN vs VPN: Performance
Internet-based VPN is inherently tied to the public Internet from a performance perspective. Beyond congestion spikes that degrade performance, traffic traversing long geographical distances generally incurs significant latency on VPN-based WANs.
Further, VPN lacks performance optimization features like dynamic path selection, QoS (Quality of Service), and application-aware routing that help ensure applications like VoIP and telepresence deliver the required levels of performance. SD-WAN delivers these features, and with cloud-based SD-WAN, latency over significant geographical distances becomes a non-issue. Cato’s SLA-backed global private backbone consists of over 45 PoPs (Points of Presence) around the world. Because traffic is routed to the nearest PoP and then over Cato’s high-speed backbone, the performance issues associated with the public Internet in the middle mile are averted.
SD-WAN vs VPN: Reliability
Before the dust settled on the SD-WAN vs MPLS debate, a common argument against both appliance-based SD-WAN and VPN was the lack of an SLA with the public Internet. Enterprises demand predictable, reliable performance. VPN is still reliant upon the public Internet, but Cato’s SLA-backed global backbone is connected by multiple Tier-1 providers across the globe. This enables the Cato Cloud to deliver predictable service and reliability at levels that meet or exceed MPLS.
SD-WAN vs VPN: Configuration & Maintenance
VPN configuration often entails extensive manual work. IPsec tunneling, IKE (Internet Key Exchange), and NAT-T (Network Address Translation Traversal) require a high level of expertise to configure securely and to scale. As more and more sites are added to a WAN, maintaining the network becomes increasingly difficult. This, in turn, leads to performance issues and a disjointed WAN infrastructure.
Paysafe Financial Services experienced the issues associated with scaling VPN first-hand. After multiple mergers and acquisitions, Paysafe was left with a backbone made up of MPLS circuits and Internet-based VPN connections. To create a truly meshed network using Internet-based VPN, Paysafe would have required 210 VPN tunnels, a massive investment of time and resources. According to Stuart Gall, then Infrastructure Architect at Paysafe, VPN in particular was a pain point on their WAN. Regarding their VPN connectivity, Gall said, “Invariably we’d have someone at a site needing connectivity to a different location, forcing a reprovisioning process. That could take weeks of work with approvals and all.”
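To put the 210-tunnel figure in context, the following added example (not from the original post, nor Cato’s or Paysafe’s own tooling) derives the tunnel count and the per-endpoint configuration burden of a full-mesh site-to-site VPN, and contrasts it with a hub-and-spoke alternative; the site names are constructed.

```python
from itertools import combinations

# Constructed site list: 21 sites, because 21 * 20 / 2 = 210 tunnels,
# the number quoted for a full mesh in the Paysafe case.
SITES = [f"site-{i:02d}" for i in range(1, 22)]


def full_mesh_tunnels(sites):
    """Every site pairs with every other site: n(n-1)/2 tunnels."""
    return list(combinations(sites, 2))


def hub_and_spoke_tunnels(sites, hub):
    """Each spoke terminates one tunnel on the hub: n-1 tunnels."""
    return [(hub, s) for s in sites if s != hub]


def per_site_config_entries(tunnels):
    """Count the peer definitions (IKE policy, PSK or certificate,
    traffic selectors, NAT-T settings) each site's endpoint must carry."""
    counts = {}
    for a, b in tunnels:
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return counts


def cost_of_adding_site(sites, new_site, topology, hub=None):
    """Return (new tunnels, endpoints whose config must change) when one
    site joins. A full mesh touches every existing site; hub-and-spoke
    touches only the hub and the newcomer."""
    before = set(topology(sites) if hub is None else topology(sites, hub))
    grown = sites + [new_site]
    after = set(topology(grown) if hub is None else topology(grown, hub))
    added = after - before
    touched = {endpoint for tunnel in added for endpoint in tunnel}
    return len(added), len(touched)


if __name__ == "__main__":
    mesh = full_mesh_tunnels(SITES)
    print(len(mesh))  # 210
    print(max(per_site_config_entries(mesh).values()))  # 20 peers per site
    print(cost_of_adding_site(SITES, "site-22", full_mesh_tunnels))  # (21, 22)
    print(cost_of_adding_site(SITES, "site-22", hub_and_spoke_tunnels,
                              hub="site-01"))  # (1, 2)
```

The last two lines show why a reprovisioning request is costly in a mesh: one new site means 21 new tunnels and 22 endpoint configurations to change and approve, versus a single tunnel and two endpoints with a hub.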
The solution Paysafe found for their challenges? Cato Cloud. With Cato, Paysafe was able to benefit from automatic, policy-based configuration and the scalability of a cloud-based service model. As a result, Paysafe was able to streamline WAN configuration and provisioning time and reduce latency by 45% compared to VPN. Just how much faster was configuration with Cato? According to Gall, “Instead of spending weeks bringing up a new site on MPLS or even a VPN, Cato Socket deployment takes no more than 30 minutes — including unboxing.”
Additionally, while Paysafe had adopted discrete security solutions before switching to Cato, the enterprise-grade security features built into the Cato network helped to ensure secure scalability without the need to configure additional security appliances like NGFWs (next-generation firewalls).