Damon Ennis, SVP of products, Silver Peak
With cloud and digital transformation initiatives now commonplace across enterprises, organisations are increasingly rearchitecting their wide area networks (WANs) to match changing business requirements. The result has been rapid adoption of software-defined WAN (SD-WAN) technology, and the biggest transformation in the WAN since the introduction of multiprotocol label switching (MPLS) networks in the late 90s.
However, one of the biggest challenges for enterprise decision makers is navigating the mixed marketing messages from security and SD-WAN vendors: should the WAN be approached security-first or networking-first?
Looking beyond the SD-WAN marketing hype
With International Data Corporation (IDC) predicting that the SD-WAN market will reach $5.35 billion by 2023, there is a lot of hype and a stampede of companies looking to capitalise on the new technology category. At last count, about 70 companies were vying to hop on the SD-WAN bandwagon.
Marketing messages vary widely depending on each vendor's heritage and on the capabilities, or limitations, of its offering. Some centre their messaging on security, others purely on networking technology, and only a few address the WAN edge infrastructure as a whole.
This creates confusion and frustration for organisations trying to sift through the details and make a sound, strategic decision on how to rearchitect their WAN edge for their cloud and digital transformation initiatives. One of the key points of confusion, and a key decision factor for customers, is this: WAN first and security second, or security first and WAN second?
The reality is that it’s both.
It is useful to begin with what security is actually needed at a branch office. At a minimum, a branch needs a Layer 3/Layer 4 firewall that blocks unsolicited inbound traffic. Beyond that, more sophisticated capabilities are desirable, notably segmentation that spans LAN-WAN-Data Centre and LAN-WAN-Cloud, so that a zone defined at the branch keeps its isolation end to end rather than only on the local LAN.
For example, a retail organisation might define one network segment for Point of Sale (POS) traffic, one for guest Wi-Fi, and another for real-time voice traffic (the last for QoS reasons rather than security). Zone-based segmentation of this kind keeps guest devices off the segment that carries cardholder data, which is what lets the organisation scope and meet Payment Card Industry (PCI) DSS requirements for the POS environment, while also protecting voice quality from guest traffic. The caveat is that segmentation only reduces PCI scope if the isolation is enforced at every hop between the zones and is verified: PCI DSS requires that segmentation controls be tested to confirm they actually work.
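To make the zone model concrete, the following is an added example (not Silver Peak code) of the policy logic a branch firewall applies for the retail scenario above: a flow is assigned to a zone by longest-prefix match on its address, and it is permitted only if an explicit inter-zone rule allows it, with anything unmatched denied. The zone names, subnets, ports and rule table are constructed for the example.

```python
"""Zone-based branch segmentation with default deny.

Added illustration; the zones, subnets and rules below are constructed
for a hypothetical retail branch and are not taken from any product.
"""
import ipaddress
from dataclasses import dataclass

# Zone -> subnet. Named zones nest inside the private range so that the
# lookup has to pick the most specific match (POS is inside 10.0.0.0/8).
ZONES = {
    "pos": ipaddress.ip_network("10.10.1.0/24"),          # card-present POS terminals
    "voice": ipaddress.ip_network("10.10.2.0/24"),        # IP phones
    "guest": ipaddress.ip_network("192.168.50.0/24"),     # guest Wi-Fi
    "datacentre": ipaddress.ip_network("10.0.0.0/8"),     # payment/ERP services over the WAN
    "internet": ipaddress.ip_network("0.0.0.0/0"),        # catch-all for everything else
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset   # empty set means any destination port
    action: str            # "permit" or "deny"


# Ordered rule table: first match wins, and a flow matching nothing is denied.
# The explicit guest->pos deny is redundant with the default but makes the
# PCI isolation intent visible in the policy and in hit counters/logs.
RULES = (
    Rule("guest", "pos", frozenset(), "deny"),
    Rule("pos", "datacentre", frozenset({443}), "permit"),            # POS -> payment gateway only
    Rule("voice", "datacentre", frozenset({5060, 5061}), "permit"),   # SIP signalling to the PBX
    Rule("voice", "voice", frozenset(), "permit"),                    # RTP media between phones
    Rule("guest", "internet", frozenset({80, 443}), "permit"),        # guest web browsing only
)


def zone_of(ip):
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def evaluate(src_ip, dst_ip, dst_port):
    """Decide 'permit' or 'deny' for a new flow; unmatched traffic is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src_zone == src and rule.dst_zone == dst and (
            not rule.dst_ports or dst_port in rule.dst_ports
        ):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows: guest laptop probing a POS terminal, POS reaching
    # the payment gateway, and POS trying to reach the internet directly.
    for flow in (("192.168.50.20", "10.10.1.5", 443),
                 ("10.10.1.5", "10.0.5.10", 443),
                 ("10.10.1.5", "8.8.8.8", 443)):
        print(flow, "->", evaluate(*flow))
```

Two points worth noting in the design: the zone is derived from the address, so the policy is only as strong as the address assignment (a guest device that can obtain a POS-range address defeats it, which is why the segments must also be separated at Layer 2 or by VLAN), and POS has no rule toward the internet at all, so even an explicit attempt from the POS segment to reach a public address is dropped by default.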
A key benefit of a modern SD-WAN is the ability to connect users to cloud applications directly from the branch over the internet. Known as 'local internet breakout', this delivers the best cloud application quality of experience. However, every branch that breaks out locally now has its own internet-facing edge: traffic that used to be backhauled through the data centre's security stack now leaves and enters at the branch, which broadens the attack surface and, ultimately, exposes the entire enterprise to greater risk.
As with the WAN, delivering the best cloud application user experience also requires a modern approach to security: unified security functions delivered by the branch SD-WAN platform itself, plus automated service chaining to cloud-delivered security services for more advanced inspection than the branch device can perform on its own.
Another dynamic transforming network and security requirements is the explosion of network endpoints; the definition of a "site" is expanding. Besides branch locations, a site might be an ATM, a railroad car, a wind turbine or even a medical backpack used by first responders to transmit real-time patient data from the field back to a hospital.
Network architects now need to think about scaling not to a thousand sites, but to tens of thousands of endpoints – and many of these endpoints may be located far away from physical enterprise locations. This places additional requirements on how security must be delivered. Instead of the security perimeter being defined by branch locations, it is now everywhere the business has an endpoint. To deliver the right security services at the right place – as close to the endpoint as possible – and the right time requires a distributed security enforcement model.
SD-WAN and cloud-delivered security go hand-in-hand
Cloud-delivered security services move the security stack into the cloud instead of running it on dedicated, expensive security appliances at each branch location. That stack includes not only next-generation firewall services but also IDS/IPS, URL filtering, UTM, antivirus protection, sandboxing and more. Automated daily security and threat updates keep protections current and policy enforcement consistent across the enterprise. The trade-off is that branch internet traffic is now tunnelled to a provider's point of presence (PoP) before reaching its destination, so tunnel health and PoP proximity directly affect the user experience.
Getting the most from cloud-delivered security requires an advanced SD-WAN that can identify and classify traffic on the first packet and steer it automatically according to business-driven security policy. Deploying it also means establishing primary and backup secure tunnels from each branch to the closest and next-closest cloud-security PoPs, and then configuring, monitoring and managing two or more tunnels from every branch site, a time-consuming and error-prone task if performed manually.
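The steering decision described above, as an added example (not Silver Peak code): a new flow is classified from its first packet using only the destination address and port, internal traffic stays on the WAN overlay, traffic to a sanctioned SaaS prefix breaks out locally, and all other internet traffic is sent to the lowest-latency cloud-security PoP, falling back to the next-closest PoP when the primary tunnel's health probe fails. The PoP names and latencies, the classification table, and the choice to fail closed when both tunnels are down are assumptions made for the example.

```python
"""First-packet classification and PoP steering with tunnel failover.

Added illustration; PoPs, latencies, prefixes and policy are constructed
for a hypothetical branch and are not taken from any product.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Pop:
    name: str
    rtt_ms: float      # measured latency from this branch (constructed values)
    tunnel_up: bool    # latest health-probe result for the secure tunnel


# Constructed PoP inventory; the two lowest-RTT PoPs become primary and backup.
POPS = [
    Pop("pop-london", 8.0, True),
    Pop("pop-amsterdam", 14.0, True),
    Pop("pop-frankfurt", 21.0, True),
]

# Constructed classification table: (destination network, port or None, class).
# Only the IP/TCP header is consulted, so the decision can be made on packet one.
CLASS_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), None, "internal"),          # data centre over the private overlay
    (ipaddress.ip_network("203.0.113.0/24"), 443, "trusted-saas"),   # sanctioned SaaS, direct breakout
]


def classify(dst_ip, dst_port):
    """Return the traffic class for a new flow from its first packet's 5-tuple fields."""
    addr = ipaddress.ip_address(dst_ip)
    for net, port, cls in CLASS_TABLE:
        if addr in net and (port is None or port == dst_port):
            return cls
    return "internet"   # anything unclassified is treated as untrusted internet


def select_pops(pops):
    """Primary is the lowest-RTT PoP, backup the next lowest, independent of health."""
    ranked = sorted(pops, key=lambda p: p.rtt_ms)
    return ranked[0], ranked[1]


def steer(dst_ip, dst_port, pops=POPS):
    """Pick the egress path for a new flow, failing over between PoP tunnels."""
    cls = classify(dst_ip, dst_port)
    if cls == "internal":
        return "wan-overlay"        # stays inside the SD-WAN fabric to the data centre
    if cls == "trusted-saas":
        return "direct-breakout"    # local internet breakout; local firewall policy still applies
    primary, backup = select_pops(pops)
    if primary.tunnel_up:
        return f"tunnel:{primary.name}"
    if backup.tunnel_up:
        return f"tunnel:{backup.name}"
    # Fail closed: with no inspection path available, untrusted internet traffic
    # is dropped rather than sent out uninspected. Failing open is a policy choice.
    return "drop"


if __name__ == "__main__":
    print(steer("10.2.3.4", 22))            # data centre -> wan-overlay
    print(steer("203.0.113.10", 443))       # sanctioned SaaS -> direct-breakout
    print(steer("93.184.216.34", 443))      # general internet -> tunnel:pop-london
```

The fail-closed default at the end is the security-relevant decision: an SD-WAN that silently falls back to direct breakout when both security tunnels are down has turned a PoP outage into an inspection bypass. Whichever behaviour is chosen, it should be explicit in policy and visible in monitoring, which is why the health state is an input to the steering function rather than something handled out of band.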
Automation is equally key to orchestrating cloud-delivered security services: what was a manual, time-consuming and error-prone process now happens in minutes through integration with the security providers' APIs. Ultimately, best-of-breed SD-WAN and best-of-breed cloud-delivered security go hand in hand for today's cloud-first enterprises. Organisations should not have to compromise on either WAN performance or security when architecting a modern WAN edge.