With the beginning of the new year, it’s popular to opine on what the new year might bring in terms of technology advances. My predictions for the WAN in 2018 have been covered in several publications here, here and here. In this blog, I’m going to expand on one of my predictions: how the new WAN edge enables improved security architectures. I believe there are three primary ways the new WAN edge will enable improved security architectures for enterprises building an SD-WAN.
First, there is no question that the amount of data and application traffic between the branch and the internet is on the rise, sometimes driven by personal activity, but most importantly driven by the adoption of SaaS services. For years now enterprises have been hamstrung, forced to compromise by choosing between backhauling all internet-destined traffic across their MPLS network to a central firewall deployed in a data center, or by deploying a firewall at every branch site. In 2018, the new WAN edge will empower enterprises to make these decisions on an application-by-application basis. For instance, with an advanced SD-WAN solution network administrators can easily configure network policies to:
- Breakout guest WiFi and trusted SaaS applications directly to the internet locally at the branch
- Divert known personal-use applications to a cloud-based firewall service (sometimes called a web services gateway)
- Backhaul any unknown or suspicious traffic to a full security stack deployed at the data center
Of course, this is just one example of how network policies can be implemented. The real power of SD-WAN orchestrated breakout is due to the ability to centrally define and manage the network policies that make the most business sense for each enterprise. Policies enable network administrators to selectively apply advanced UTM processing to the traffic which warrants it, without having to deploy and manage expensive UTM technology at every branch. It also lets them test the waters and adopt cloud-based firewall services for a subset of their traffic. And, of course, it provides an elegant way of mixing and matching different security vendors’ technology by business unit or in some cases, by individual application.
Second, an SD-WAN can also improve an enterprise’s security posture by extending traffic segmentation across the WAN and into the branch. Micro-segmentation or zero-trust networking is fast becoming best practice in the data center. Rather than letting any VM talk to any other VM, data center micro-segmentation relies on policy to establish which VMs can talk to one another. As a result, if any VM is compromised, the damage and exposure is contained. In the same way, we expect that enterprises will use advanced SD-WAN solutions to separate traffic into segments at the branch (e.g. PCI credit card data, IoT traffic, internal web applications, external applications). This segmentation can be extended across the WAN and controlled via central orchestration. By adopting a segmented SD-WAN architecture, enterprises are able to isolate the impact of any security breach, effectively augmenting their existing security stack with new network-level countermeasures.
A third way an SD-WAN solution can fortify security is by enforcing consistency across all remote locations. In traditional networks, administrators have CLI access to individual routers and firewalls, and often find themselves forced to make manual configuration changes to individual devices. Over time, the sum of all quick fixes made to individual devices conspire and lead to configuration drift – a situation where devices have configurations that appear the same superficially, but in fact have many small, easily overlooked differences that lead to pernicious issues and security holes that sap IT resources and require per-site debugging. In contrast, with an advanced SD-WAN solution there is no need to touch individual devices. Policy and intent are established at the network level and automatically enforced by a central orchestrator. This eliminates error-prone device-by-device manual configuration and ensures that the network remains in compliance with policy.
In conclusion, if you are asked “How secure is your SD-WAN?”, it’s not about the number of UTM features or the number of exploits blocked by the SD-WAN device itself. Rather it’s about:
- How well the solution enables an enterprise to orchestrate the appropriate combination of local, cloud and data center located security services based on each application’s requirements
- Whether the solution can support policy-based segmentation of traffic and maintain that segmentation across the network
- How well the solution enforces consistent application of network and security policies across the WAN
At Silver Peak, we are excited about our partnerships with leading security vendors including Check Point, Fortinet, Palo Alto Networks and Zscaler, and remain committed to augmenting enterprise security with an orchestrated SD-WAN architecture that complements offerings from our partners.