If you’re in the market for a reasonably priced SD WAN, with a no-compromise feature-rich security combination, then Cisco Meraki and Zscaler Internet Access is the perfect marriage – delivering a highly competitive business case bundle for large branch networks.
Meraki is emerging as a leading choice for SD WAN, and Zscaler has been the undisputed leader in cloud security for the last eight years. In this article, we cover why this combination works well for large network deployments, and unpack why clients are choosing Zscaler as the security overlay for such deployments.
A significant driver for SD WAN adoption is network cost reduction, and very few products achieve that as well as Cisco Meraki. At almost half the cost of alternate SD WAN solutions, Meraki is gaining traction with service providers and large branch customers in sub-Saharan Africa. Some may argue that they don’t compete with the feature-rich SD WAN vendors like VeloCloud, Citrix and their sister Cisco Viptela, but many others agree that it ticks all the key requirements for an SD WAN project.
And when it comes to securing your SD WAN edge from the Internet, the question is should a Meraki customer opt for the Meraki UTM licence on the edge appliance, or Zscaler’s cloud security, which processes all security in the cloud?
We have found clear business cases where using a Meraki and Zscaler bundle was the logical choice for both security and cost, as well as cases where it was better to consider adding the Meraki UTM licence. Where large organisations have many branches with a user count less than 20 per branch, Zscaler proves to be the leader in both features and cost. And in scenarios where there were few branch office sites and high volumes of users per site, Meraki UTM makes more financial sense – albeit compromising some key security services such as SSL inspection and mobile user policy enforcement. This cost versus security trade-off is specific to the customer’s appetite for risk.
Financial business case
The main differences
There are some very clear differences between the solutions that have a lot to do with the transformation between edge and cloud security architectures.
Because Zscaler is cloud based with over 120 POPs worldwide, high availability is a part of the solution design allowing each branch, regardless of size, to connect to a primary and secondary node. With Meraki should you require high availability, which is most likely in the case of larger sites like the 30 user example, you will need to deploy a second appliance and UTM licence.
Meraki UTM does all the security processing at the edge, drawing from the resource capability of the edge appliance. In order for small appliances to be able to scale, they simply have to avoid resource-intensive security features. The entry-level devices for Meraki SD WAN seem more than capable of securing a small edge, however, their inability to deliver SSL inspection highlights the effect of limited processing power.
SSL encryption accounts for more than 85% of all Internet traffic today and security providers argue that if you can’t see what’s within the SSL session, you are actually only securing a small percentage of your Web traffic. Unlike Meraki, Zscaler does all security inspection in their cloud, providing all the elastic resources of cloud to cope with resource-intensive security scanning such as SSL inspection. This uniquely positions cloud security vendors with the ability to deliver a comprehensive security solution – normally only achievable in a DC – to a small branch or remote worker.
In addition to the UTM capability in Meraki, Zscaler delivers additional edge security that include DLP, Advanced Sandbox, Advanced Threat Protection, Bandwidth Management and Layer 7 Firewall with IPS. This full cloud security stack is applied to all users, irrespective of when they are in or outside the network.
The deployment of both is straightforward, but Zscaler requires all Internet traffic from the branch to be routed to the Zscaler cloud via an IPSEC or GRE tunnel (or TLS from mobile workstation or mobile smartphone). When using Zscaler no security processing happens at the edge keeping the Meraki SD WAN appliance lightweight, fast and theoretically evergreen. As a result, scoping an SD WAN becomes simple and buying smaller appliances without the concern of running out of resources becomes possible.
Zscaler is uniquely positioned to deliver mobile workstations or smartphones with the same level of security in the HQ, because the background applications (Z-app) route all Internet requests from the devices through the Zscaler cloud as well. Alternative solutions have a significant impact on compute resources on the devices as well as cost.
It is clear there are two polar opposite business cases when comparing the cost of security with Zscaler and Meraki UTM – the difference is almost entirely based on pricing strategy of edge versus user.
Zscaler is the clear favourite in security functionality and cost in organisations with a large volume branch network and low user count. In these cases, and if the user average is less than 20, Zscaler provides the strongest security service at the best possible price point. And because Zscaler is a cloud platform, company security policies can be enforced on users when they are inside the network, or outside.
Meraki is the price winner when you have branches with a very high volume of users as they price per edge and not user. The break-even point for Meraki to become most cost competitive at the SD WAN edge would be greater than 20 users. In these cases, users are only protected when they are inside the branch or network.
However, Zscaler highlights some significant benefits in driving security processing to the cloud by being able to deliver stronger security without compromising branch or mobile workstation performance. It’s therefore easy to assume that as users become increasingly mobile and organisations move applications to the cloud, cloud security vendors will be the best positioned to deliver enterprise security.