Securing the Branch Network with SD-Security and NFV
February 23, 2016
Industry analysts have noted that branch offices are increasingly becoming a targeted point of entry into corporate networks, with attack volume growing more than 500 percent over the last three years. This is due in large part to three major trends/issues: the increasing adoption of cloud- vs. data center-hosted apps, the adding of Internet circuits as additional (and lower cost) connectivity for branch offices, and the largely unchanged and static architecture of branch office networks.
The latter point is compounded by the need to deploy a multitude of siloed security appliances and/or software packages to enforce any kind of defense-in-depth plan, forcing a range of separate data security and gateway services to co-exist and work seamlessly together: a tall order that rarely delivers, especially when there is a breach that needs to be diagnosed in real time.
While the above challenges with branch security (and operating managed services for them) are very real, technology advances in the last few years can offset many of these. Specifically, network function virtualization (NFV) is a rapidly growing telecom industry trend ($11.6B in 2019; IHS/Infonetics) that evolves hardware-centric network and security functions into much more integrated software-based solutions. To address growing branch office vulnerabilities, both service providers (through managed service offerings) and enterprise IT/CISO teams need to apply NFV to evolve branch security infrastructure from legacy point appliances to a more agile and software-defined approach.
Software-defined security (SD-Security) introduces simplicity to the world of network security. In this model, protection is based on network-wide logical policies and monitoring that are not tied to a specialized (and siloed) security appliance or function. This is further empowered by the fact that SD-Security created through NFV de-couples security functions from proprietary hardware, enabling security functions to run in software that can operate on commodity x86 servers and appliances.
In the report “The Impact of Software-Defined Data Centers on Information Security,” Gartner said “In Phase 3, information security itself will evolve to become software-defined, where, like SDN, the management model for security services is abstracted from being managed one box at a time to a policy-based, network-wide view.”
To give a real-world example, imagine an enterprise with 400 branch offices that needs to refresh or increase its branch security. Instead of scheduling new unified threat management (UTM) or next-generation firewall (NGFW) appliances to be shipped to branch sites at the rate of 20 per month (an aggressive schedule that assumes one installation per business day) and a project schedule of over 1.6 years, an enterprise or managed service provider could deploy SD-Security and ship commodity white box appliances to 100 branches per month while simultaneously activating and testing 25 devices per week remotely, for a total project time of 4 months.
Another key aspect of SD-Security using NFV is the ability to leverage service chaining to easily achieve multi-layer security. For example, a service provider could service chain an NGFW and secure web gateway to easily and quickly provide security for direct Internet access. As the traffic flow has been service-chained centrally, each branch office can be upgraded using a centralized orchestration tool.
Additional advantages to creating a managed SD-Security service or enterprise deployment include:
- Elasticity: When deploying branch security through a software-defined and NFV-based model, capacity can easily and dynamically be scaled up or down without having to replace proprietary security appliances
- Flexible and distributed service architecture: With the advent of NFV, service providers and large enterprises have the capability (and flexibility) to decide where to run each layer of required security – either on-premises in the branch office or centrally in the data center or provider point-of-presence (PoP)
- Centralized, automated operations: A software-defined and NFV-based approach to security also provides a way to deliver services from a single point of control, avoiding the need for skilled onsite personnel. With this approach, services can be deployed, increased in capacity and enhanced with additional functions, all without requiring any onsite presence, hardware refreshes or manual provisioning. Also, if a particular customer site (or set of sites) requires a different set of security functions, it can be serviced individually from a single management portal within a few minutes instead of hours or days.
In summary, deploying SD-Security for the branch office involves adding additional (software-based) layers of security for better defense-in-depth while reducing deployment times, operation complexity and capital/operating costs.