Six tips for secure SD-WAN deployment
Enterprises are increasingly turning to SD-WAN to replace their Multiprotocol Label Switching (MPLS) lines. As they do so, it is important to implement new security controls for all remote sites. Here are six core requirements for secure SD-WAN deployment.
Companies whose sites are distributed across the country or the world often connect them via MPLS (Multiprotocol Label Switching) lines. However, the increasing use of cloud technologies has made this architecture obsolete. Users, data and applications are now widely dispersed, with employees working from anywhere and using a variety of devices. Prior to this evolution, implementing security controls was relatively simple in that a defined perimeter existed around all of an organization's assets that needed protection. This allowed IT teams to deploy a variety of security technologies centrally. Remote sites were included in this security perimeter by redirecting all traffic via MPLS to a large central firewall that provided traffic regulation and security policy enforcement.
A series of challenges
The network edge dissolves as applications and users move beyond it. This makes implementing security controls with existing tools more complex. In addition, applications that used to be hosted in the data center have migrated to the cloud in some way (either through SaaS or public cloud). These applications can lose performance when used from remote sites, mainly because of the latency added when MPLS circuits backhaul traffic to the main site.
Take Office 365, for example, which used to be an Exchange server in the data center. Often, enterprises see a poor user experience or sluggish performance because they pull traffic to corporate headquarters via MPLS and then send it to the Internet. To solve this problem, remote sites need direct connectivity to the cloud. That's exactly what SD-WAN provides. However, it is important to introduce new security controls for all remote sites as well. Such solutions are typically cost-effective to implement and easily scalable, and as applications move to the cloud, the security solution should also regulate traffic to and from cloud applications. With this approach, enterprises can optimize the user experience while reducing their operational and capital expenditures.
Six core requirements for a secure SD-WAN deployment
1. Zero-touch deployment: If a company has 50, 100, 1000 or more remote sites, it is unrealistic to visit each of these sites individually for SD-WAN deployment. With zero-touch deployment and centralized management, all it takes is one on-site employee to get the solution up and running with the push of a button.
2. WAN optimization: Compression and deduplication are two ways to optimize data traffic and make better use of bandwidth. Data packets can be identified using hash values. This means that content that has already been transmitted can be cached or compressed on the appliance so that only the much smaller hash value needs to be transmitted. Deduplication reduces the repetitive or parallel transmission of the same data across the WAN. Frequently requested information is cached locally or identical content is merged. Ultimately, the solution deployed determines which methods are used for WAN optimization.
3. Advanced firewalling: For remote sites to be as well secured as the main site, they need a firewall that is designed for distributed environments and leverages centralized policies and management on a large scale. This includes application and user controls, IDS/IPS, web filtering, and routing capabilities.
4. Advanced threat protection: This ensures that users, applications and data are protected from all the threats the Internet has to offer. Many organizations have implemented this with a centralized sandbox, but for a distributed architecture where backhauling needs to be minimized, cloud-based Advanced Threat Protection is the ideal solution.
5. Centralized management: All firewall functions should be managed centrally, whether that involves configuring security, content, traffic management, network or access policies, or software updates. This can reduce security and lifecycle management costs while also providing troubleshooting and connectivity capabilities.
6. Cloud integration: As one of the drivers for SD-WAN, migrating workloads to the cloud is as much about ensuring high application performance as it is about secure access to the workloads. A VPN can do this job, but once enterprises are in the cloud, new challenges arise: there are not only the workload requirements, but also requirements for security controls, deployment methods and smooth licensing. What matters here is a firewall/SD-WAN device that is not only tightly integrated with cloud platforms, but also meets the use cases in the cloud.
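The hash-based deduplication described in item 2 can be sketched as follows. This is an added illustration, not code from the article or from any vendor product: a sender replaces chunks the peer already holds with their SHA-256 digest, and the receiver resolves digests from its local cache. The fixed 1 KiB chunk size, the message tuples and the class names are assumptions made for the example.

```python
import hashlib

CHUNK = 1024  # assumed fixed chunk size; real appliances choose their own

def digest(chunk):
    # A collision-resistant hash matters here: a reference must never
    # resolve to content other than what the sender originally saw.
    return hashlib.sha256(chunk).digest()

class Sender:
    def __init__(self):
        self.sent = set()  # digests of chunks the peer already holds

    def encode(self, data):
        """Turn data into ('raw', bytes) or ('ref', digest) messages."""
        msgs = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            d = digest(chunk)
            if d in self.sent:
                msgs.append(("ref", d))      # only 32 bytes cross the WAN
            else:
                self.sent.add(d)
                msgs.append(("raw", chunk))
        return msgs

class Receiver:
    def __init__(self):
        self.cache = {}  # digest -> chunk

    def decode(self, msgs):
        parts = []
        for kind, body in msgs:
            if kind == "raw":
                # Recompute the digest locally instead of trusting a
                # sender-supplied one, so the cache cannot be poisoned.
                self.cache[digest(body)] = body
                parts.append(body)
            elif body in self.cache:
                parts.append(self.cache[body])
            else:
                raise KeyError("unknown digest: caches out of sync")
        return b"".join(parts)

def wire_size(msgs):
    """Payload bytes that actually cross the WAN link."""
    return sum(len(body) for _, body in msgs)

# Constructed sample: a 4 KiB payload made of two repeating 1 KiB blocks.
SAMPLE = (b"A" * 1024 + b"B" * 1024) * 2
```

Encoding `SAMPLE` twice through one `Sender` shows the saving: the first pass sends two raw chunks and two references, and the second pass sends references only.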
When enterprises are exploring their SD-WAN rollout, there is a lot to consider, but with a well-thought-out approach up front, they can create the right security for their distributed network and provide a solid migration path to the cloud. Integrating the above features into the SD-WAN deployment can greatly simplify the network architecture, increase security, optimize uptime and reduce costs.
By Hatem Naguib, Barracuda Networks