Building a Secure Architecture for the Enterprise Edge with SD-WAN
July 24, 2018
Typically, WAN solution vendors talk about performance in terms of speeds and feeds. But I like to think about performance as it relates to all aspects of connectivity: speed, control, visibility, reliability, ease of deployment and monitoring, and of course security. I think about it in these terms because each of these areas is controllable by the right holistic SD-WAN architecture.
Unfortunately, the accumulation of multiple disparate routing and switching devices, plus firewalls, intrusion detection and threat mitigation appliances, makes it difficult to obtain network visibility and to correlate the real-time events that can degrade or disrupt performance.
With Secure SD-WAN, that is, cloud, security, application and networking services fully integrated in one fabric, it can seem difficult to say "performance" and "simplicity" in the same sentence. But the key to enabling performance is simplicity. While a fundamental attribute of SD-WAN is to simplify, the reality is that many SD-WAN solutions don't simplify performance in the terms I've described above.
However, today I'm focusing on one aspect, the main aspect: security, because it really is the cornerstone that everything else rests upon. Gartner estimates that more than 30% of advanced threats target branch offices. They are the first line of defense at the network edge and the most vulnerable entry point of the enterprise, because they typically connect over bare Internet WAN links. Branch offices tend to be high security risks because they lack sufficient technical and engineering IT personnel to manually apply OS and security patches. As branch offices expand and become more distributed, the insufficient and inconsistent deployment of discrete security products across locations compounds the problem, as the WAN infrastructure grows increasingly complex and requires a high-touch perimeter.
Enterprise IT and security teams can improve branch security and simplify operations by migrating from disparate security hardware appliances to a unified software-defined security (SD-Security) approach, one that leverages virtualized network and security functions running on commodity hardware.
A Secure SD-WAN architecture provides a broad set of software-defined security functions, such as next-generation firewalls and UTM functionality, malware protection, URL and content filtering, IPS and anti-virus, DDoS protection and VPN/next-generation VPN, and multi-tenant instances that allow segmentation of traffic by class of traffic (guest WiFi vs. HR vs. Finance) and by class of communications or duties.
Simplify Security Operations
Software-defined WANs can dramatically reduce the complexity associated with discrete security hardware appliances. In moving away from proprietary, hardware-bound devices to virtualized software instances, enterprises can leverage SD-WAN built on the concept of a virtualized network function (VNF). A VNF is a software implementation, a virtualized version, of a specific network function. In the case of security, VNFs can simplify deployment and monitoring for routing, CGNAT, next-generation firewalls and more.
Because SD-WAN is centrally managed and policy-orchestrated, with zero-touch provisioning and service chaining, operational tasks and overall logistics are streamlined and simplified. By decoupling layered security functions from discrete hardware devices, network and security capabilities are freed from their proprietary constraints and become more elastic in their ability to meet a multitude of enterprise security requirements.
Ongoing security operations are simplified through an orchestration platform, that is, a single console for setting policies across all security functions. This also supports capacity increases that are dynamically provisioned, as well as new security functions added over time.
Agility That is Secure
WANs and business are irrevocably entwined, as every business division within a branch office depends on the WAN for its success and its ability to gain a competitive advantage. Unfortunately, when remote offices deploy new or upgraded network services, they can experience long deployment times, and the circuits that connect sites may not easily support multi-cloud access. There are many reasons for this, such as provisioning of MPLS services, new hardware devices, and scheduling consultants to install, configure, integrate and test equipment.
With Secure SD-WAN, specialized security functions, like a secure web gateway, can be service-chained to the SD-WAN for secure direct Internet access from the branch. Service creation, service definition and service-chain rules can utilize templates and provide programmable, API-driven service delivery via centralized orchestration and management.
Software-defined security with zero-touch provisioning enables multi-function security deployment within a few short hours, and all security functions at branch offices are managed from a centralized, single pane of glass. This is in contrast to the weeks or months required to install, configure and integrate multiple, disparate security appliances at every branch office, each managed by a different tool.
The analytics layer monitors, reports and alerts on shifting conditions in the edge security landscape with up-to-the-second granularity of events and their relative severity, in terms of both risk of breach and degradation of performance.
Reduce Network Security Costs
A secure network infrastructure is very expensive and labor intensive. Add truck rolls, installation and support contract expenses, and the costs quickly add up. There are also many soft costs associated with security infrastructure, such as the security team's time spent on deployment and provisioning, configuration, and ongoing management, monitoring and operations.
The investment in implementing security measures to protect enterprise assets is well worth it, as the costs associated with losses caused by cyber attacks can be substantial. According to a report from Kaspersky Lab, the global cost of a data breach for enterprises rose 11 percent in 2017, with the average cost of a cyber attack for U.S. enterprises at $1.3 million.
Secure SD-WAN can allow enterprises to eliminate the high costs of acquiring and supporting multiple, disparate hardware security appliances, as well as the unpredictable costs of evasive attacks.
Operational costs are reduced with centralized provisioning and automatic service chaining. Enterprises benefit from VNF and automation capabilities that eliminate costly hardware deployments and simplify ongoing operations, such as software updates and capacity expansion.
To compete in today's digital economy, enterprises need a new and simplified approach to securing highly distributed network infrastructure. SD-WAN must seamlessly integrate into existing environments and support any underlying WAN transport, including MPLS, broadband, DIA Internet and wireless connections. Internet security and control at the branch is a must-have to support the expanded consumption of SaaS apps and to ensure a protected, high-quality user experience.