Fixing security gaps and bottlenecks
The ability to centralize the security stack was also previously seen as a benefit of legacy WAN architecture. Branch sites typically have a simple router for connectivity to an MPLS or other private WAN circuit. Because all flows must first traverse the WAN, it made sense to centralize advanced security capabilities at the core instead of building distributed stacks at each branch.
Unfortunately, flows failing security policy must traverse the WAN before they are inspected. As a result, infected hosts are often permitted to freely communicate throughout the enterprise network because security only exists within the datacenter, and site-to-site traffic therefore passes without inspection.
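As an added illustration (not part of the original article), the following Python model expands each flow into the nodes it crosses and reports which flows never touch a security stack; the topology, node names and flow sample are constructed for the example, with a per-site design shown alongside for comparison.

```python
"""Inspection-coverage audit for a hub-and-spoke WAN (constructed model).

A flow counts as inspected only if some node on its path hosts a security stack.
"""

# Constructed topology: three branches, a datacenter hub, and the internet.
SITES = ["branch-a", "branch-b", "branch-c", "datacenter"]

def legacy_path(src, dst):
    """Legacy WAN: the only security stack sits at the datacenter edge.
    Branch-to-branch flows cross the hub router but never reach that stack."""
    if dst in ("internet", "datacenter"):
        return [src, "hub-router", "dc-firewall", dst]
    return [src, "hub-router", dst]

def distributed_path(src, dst):
    """Per-site stacks: every flow is inspected at its own site edge,
    and internet-bound flows break out locally instead of hairpinning."""
    if dst == "internet":
        return [src, f"{src}-firewall", "internet"]
    return [src, f"{src}-firewall", "wan", f"{dst}-firewall", dst]

def audit(flows, path_fn, inspection_nodes):
    """Return (inspected, uninspected) flow lists for one topology."""
    inspected, uninspected = [], []
    for src, dst in flows:
        path = path_fn(src, dst)
        bucket = inspected if inspection_nodes.intersection(path) else uninspected
        bucket.append((src, dst))
    return inspected, uninspected

# Constructed flow sample: a compromised host at branch-a talking to its
# peer sites, the datacenter and the internet.
FLOWS = [("branch-a", "branch-b"), ("branch-a", "branch-c"),
         ("branch-a", "datacenter"), ("branch-a", "internet")]

LEGACY_STACKS = {"dc-firewall"}
DISTRIBUTED_STACKS = {f"{s}-firewall" for s in SITES}

def coverage_gap(flows=FLOWS):
    """Flows that pass with no inspection at all under the legacy design."""
    return audit(flows, legacy_path, LEGACY_STACKS)[1]

if __name__ == "__main__":
    for name, fn, stacks in [("legacy", legacy_path, LEGACY_STACKS),
                             ("distributed", distributed_path, DISTRIBUTED_STACKS)]:
        ok, gap = audit(FLOWS, fn, stacks)
        print(f"{name}: {len(ok)} inspected, {len(gap)} uninspected -> {gap}")
```

Run against real flow records, the same audit (with the path function replaced by your routing tables) shows which site pairs are relying on a stack they never traverse.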
Another issue with the centralized security stack is performance. As traffic increases—especially traffic bound for the internet and cloud-based resources—security inspections can become a bottleneck, with legitimate traffic waiting in line behind traffic that may not be permitted to continue.