When SD-WANs first began to be discussed, the focus of the discussion was on the potential cost savings that would result from incorporating more cost-effective broadband connectivity into the WAN. Reducing cost is clearly an important goal, but achieving that goal is only meaningful if the WAN is also providing all the requisite functionality. This blog will discuss the importance of WAN functionality such as security and the ability to effectively support cloud computing. This blog will also identify the key characteristics of a secure SD-WAN.
Required WAN Functionality
The functionality that WANs must provide was identified in the 2018 Guide to WAN Architecture and Design. That guide presented the results of a survey in which the respondents were presented with fifteen factors and asked to choose the top three factors that would likely have the most impact on their WAN over the next twelve months. The factors that were the most important are shown in Figure 1.
As could be expected, reducing cost remains the primary factor impacting the WAN. However, Figure 1 also shows that the WAN must provide a range of functionality, including access to public cloud computing services, and that no functionality is more important than increasing security.
The 2018 Guide to WAN Architecture and Design also highlighted that the need to support a range of functionality is impacting how enterprise network IT organizations evaluate SD-WAN solutions. The guide presented the results of a survey in which the respondents were asked to indicate their level of interest in acquiring SD-WAN solutions that supported L4-L7 functionality. By a wide margin, the most common response was that the solution they adopt must support a wide range of security and optimization functionality.
The Components of a Secure SD-WAN
Providing traditional security functionality in a much easier and more efficient manner is both part of the challenge and part of the opportunity that is associated with an SD-WAN. For example, in a conventional WAN it’s technically possible to manually script and manage granular security policies. However, the amount of time and work that this approach requires means that it isn’t feasible for any but the smallest of networks. In a secure SD-WAN it must be easy for network administrators to centrally define and orchestrate granular security policies and to configure and manage secure end-to-end zones across any combination of users, application groups and virtual overlays.
In response to the ever-increasing sophistication of security attacks, many organizations are attempting to adopt both a micro-segmented network security architecture and a zero-trust approach whereby they verify everything inside or outside of their networks before granting access. Implementing network segmentation within a LAN is easily done using VLANs. However, in a traditional router-centric WAN, segmenting the WAN has been a manually intensive, device-by-device task that required the use of arcane CLIs. In a secure SD-WAN it must be possible for network administrators to quickly and easily orchestrate and manage granular zone-based security policies, to segment and assign applications to zones, and to extend end-to-end zones across the LAN and WAN. To improve control and increase availability, network administrators must also be able to define a transport topology and fail-over policies for each zone.
There is a huge range of security functionality available in the market, including next-generation firewalls, intrusion detection and prevention, Web gateways, anti-malware, authentication and authorization, threat intelligence and behavioral analytics. In the current environment this functionality can be implemented in a variety of locations. For example, in some instances security functionality is implemented on site. However, in a large and growing number of instances security functionality is implemented offsite, either in the cloud or at an enterprise’s regional hub or data center. The fact that security functionality can be located in a variety of places means that network organizations should choose an SD-WAN solution that can identify and classify application and web traffic using just the first packet of the flow and can automatically steer traffic based on centrally defined security policies.
It isn’t reasonable to expect that any SD-WAN provider will provide all the necessary security functionality. A better approach is to look for SD-WAN providers that have a broad range of security partners that provide the full array of leading-edge security functionality. However, having a broad range of partners is only effective if the SD-WAN solution supports the standards-based IPsec WAN connectivity that is necessary to integrate with cloud-based security services. The solution must also provide a seamless way to service chain all the appropriate security functionality regardless of where that functionality is implemented.
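To make the three requirements above concrete (zone-based policy with per-zone transport and fail-over, first-packet classification, and steering into a service chain that may sit on site, at a hub or in the cloud), here is a small policy engine written as an added illustration for this post. It is not code from the post or from any SD-WAN vendor, and every subnet, zone name, application signature, link name and security-service name in it is a constructed placeholder. It models the decision a secure SD-WAN edge makes on the first packet of a flow: classify the application, resolve source and destination zones, look up the centrally defined zone-to-zone policy (default deny, in keeping with a zero-trust stance), pick the first healthy transport in the zone's fail-over list, and return the ordered service chain the flow is steered through.

```python
"""Toy SD-WAN zone policy engine: first-packet classification, zone lookup,
default-deny zone policy, per-zone transport fail-over and service chaining.
All tables below are constructed sample data, not a real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# First-packet application signatures: (destination network, protocol, port, application).
# More specific entries come first so a known SaaS block wins over the generic "web" rule.
APP_SIGNATURES: List[Tuple[str, str, int, str]] = [
    ("203.0.113.0/24", "tcp", 443, "saas-crm"),   # constructed: a cloud CRM address block
    ("10.20.0.0/16", "tcp", 1433, "erp-db"),      # constructed: data-center ERP database
    ("0.0.0.0/0", "udp", 53, "dns"),
    ("0.0.0.0/0", "tcp", 443, "web"),
    ("0.0.0.0/0", "tcp", 80, "web"),
]

# LAN segmentation: which subnet (VLAN) belongs to which zone.
ZONE_OF_SUBNET: Dict[str, str] = {
    "10.1.0.0/16": "corp-users",
    "10.2.0.0/16": "guest",
    "10.20.0.0/16": "datacenter",
    "10.30.0.0/16": "iot",
}

# Applications that live outside the LAN are mapped to a zone by application, not by address.
APP_ZONE: Dict[str, str] = {"saas-crm": "cloud", "erp-db": "datacenter", "dns": "infra", "web": "internet"}

# Centrally defined zone-to-zone policy: (src_zone, dst_zone) -> (action, ordered service chain).
# Anything not listed is denied, which is the zero-trust default the post describes.
ZONE_POLICY: Dict[Tuple[str, str], Tuple[str, List[str]]] = {
    ("corp-users", "cloud"): ("allow", ["cloud-swg"]),          # cloud secure web gateway
    ("corp-users", "datacenter"): ("allow", ["hub-ngfw"]),      # next-gen firewall at the hub
    ("corp-users", "internet"): ("allow", ["cloud-swg"]),
    ("corp-users", "infra"): ("allow", []),
    ("guest", "internet"): ("allow", ["cloud-swg"]),
    ("guest", "infra"): ("allow", []),
    ("iot", "datacenter"): ("allow", ["hub-ngfw", "ids"]),      # IoT traffic also gets IDS
}

# Per-zone transport topology: preferred link first, then fail-over links.
ZONE_TRANSPORT: Dict[str, List[str]] = {
    "corp-users": ["mpls", "broadband-ipsec"],
    "guest": ["broadband-ipsec"],
    "iot": ["mpls", "lte-ipsec"],
}


@dataclass(frozen=True)
class Decision:
    application: str
    src_zone: str
    dst_zone: str
    action: str                  # "allow" or "deny"
    service_chain: Tuple[str, ...]  # security functions the flow is steered through, in order
    transport: Optional[str]     # selected WAN link, None when the flow is denied


def classify_first_packet(dst_ip: str, proto: str, dst_port: int) -> str:
    """Identify the application from the first packet's destination, protocol and port."""
    addr = ip_address(dst_ip)
    for net, sig_proto, sig_port, app in APP_SIGNATURES:
        if proto == sig_proto and dst_port == sig_port and addr in ip_network(net):
            return app
    return "unknown"


def zone_for_ip(ip: str) -> str:
    """Resolve a LAN address to its zone; addresses outside the LAN are untrusted."""
    addr = ip_address(ip)
    for net, zone in ZONE_OF_SUBNET.items():
        if addr in ip_network(net):
            return zone
    return "untrusted"


def select_transport(zone: str, link_up: Dict[str, bool]) -> Optional[str]:
    """Walk the zone's fail-over list and return the first link that is currently up."""
    for link in ZONE_TRANSPORT.get(zone, []):
        if link_up.get(link, False):
            return link
    return None


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int, link_up: Dict[str, bool]) -> Decision:
    """Make the steering decision for a new flow from its first packet."""
    app = classify_first_packet(dst_ip, proto, dst_port)
    src_zone = zone_for_ip(src_ip)
    dst_zone = zone_for_ip(dst_ip)
    if dst_zone == "untrusted":
        # Off-LAN destination: the zone comes from the classified application.
        # An unknown application maps to no zone, so the policy lookup below denies it.
        dst_zone = APP_ZONE.get(app, "unknown")
    action, chain = ZONE_POLICY.get((src_zone, dst_zone), ("deny", []))
    if action != "allow":
        return Decision(app, src_zone, dst_zone, "deny", (), None)
    transport = select_transport(src_zone, link_up)
    if transport is None:
        # No healthy transport for this zone: fail closed instead of leaking onto an unpolicied path.
        return Decision(app, src_zone, dst_zone, "deny", tuple(chain), None)
    return Decision(app, src_zone, dst_zone, "allow", tuple(chain), transport)


if __name__ == "__main__":
    links = {"mpls": False, "broadband-ipsec": True, "lte-ipsec": True}
    print(decide("10.1.5.7", "203.0.113.10", "tcp", 443, links))   # corp user to SaaS CRM
    print(decide("10.2.3.4", "10.20.1.1", "tcp", 1433, links))     # guest to ERP database
```

Two details are worth noting. The policy table is the single source of truth, which is what makes the zone model orchestratable centrally rather than device by device; an edge only needs the tables pushed to it. And the engine fails closed when a zone has no healthy transport, so an outage cannot silently move a zone's traffic onto a link whose security chain was never defined for it.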
All companies, whether or not they have adopted a cloud-first approach, are making increased use of cloud services. This fact combined with the large and growing importance of security means that when companies are evaluating SD-WAN solutions they need to consider the ability of that solution to provide both effective access to cloud resources and effective security. For example, the SD-WAN solution must support functionality such as end-to-end micro-segmentation.
Since it isn’t possible for an SD-WAN vendor to provide all the necessary security functionality, a key component of a secure SD-WAN solution is that the solution integrates with the broadest array of security providers. The solution must also be capable of identifying, classifying and steering applications based on security policies and combine that capability with the ability to service chain to either next generation security infrastructure or cloud-based security services.