Securing the software-defined wide-area network – Six critical functions


As the network perimeter dissolves, implementing security controls is more complex, by Hatem Naguib.

If you have a multisite organization spread throughout the country or across the globe, there’s a good chance that you’re connecting those locations together over MPLS. It’s likely been that way for years, perhaps even decades, but it’s an architecture that’s becoming dated, due largely to your adoption of cloud-based technologies. As your applications move to the cloud, your WAN infrastructure is on its way to becoming less than optimal from a price and/or performance perspective.

So, what changed? Quite a lot actually, but there’s one theme that stands out—your users, data, and applications are dispersing—all over the place. Your users now operate from anywhere (home, airports, and coffee shops), and they demand and consume data from seemingly everywhere on a wide variety of devices.

Before this dispersion, the implementation of security controls was relatively straight forward from the perspective that there was a well-defined perimeter around all of your assets. This enabled you to centrally deploy a variety of security technologies to protect users from all that the internet has to offer—the good the bad and the ugly. Remote locations were included in this perimeter as all the traffic was backhauled over MPLS to a large central firewall which provided traffic regulation and security policies.

Dispersion brings a number of challenges

The network perimeter is dissolving as applications and users move beyond it, which makes implementing security controls with existing tools more complex. Additionally, applications that used to work when they were hosted in your data center have now migrated to the cloud in some way (either SaaS or Public Cloud). During the process, theses apps may have become sluggish in performance at remote locations largely due to the latency introduced by all of those MPLS circuits that were designed to backhaul the traffic.

Take for example Office 365, which used to sit as an Exchange server in your data center. It’s not uncommon for organizations to experience poor user experience or sluggish performance because they’re backhauling traffic to HQ and then out to the internet. The way to resolve this is to get the traffic out to the internet as quickly as possible. In short, you need branch-to-cloud connectivity.

This is exactly the promise of SD-WAN; however, it’s still important to implement new security controls for all of your remote locations. The solution can actually be cost effective to deploy and manage at scale, and because your applications are moving to the cloud, you’ll want the solution to regulate the traffic to and from your cloud applications. By taking this approach, you’ll be sure to achieve a greater user experience, while helping out the budget on your OPEX and CAPEX.  Where to begin? Let’s start by going through the core requirements for a secure SD-WAN deployment:

Centralized management

This should mean central management of all firewall functions regardless of configuration of security, content, traffic management, networking, access policies, or software updates, which helps reduce the cost associated with security and lifecycle management—all while providing troubleshooting and connectivity functionality.

WAN optimization

Consumer-grade bandwidth is much more affordable than MPLS, so you can likely buy much more of it for the same price; however, optimizing that traffic by compressing and de-duplicating it is still a good practice and will help improve performance.

Zero touch deployment

When you have 50, 100, 1000 or more sites to deploy, the last thing you want to do is visit all of them. In fact, you should never have to see the SD-WAN device at all. It should be shipped directly to the site. At most, you’ll have to ask an office manager to power up the solution.

Advanced firewalling

This is a critical component. Would it be fair to say that you would want as good if not better security at your remote locations than you have at your central location—just without the cost or the complexity? This requires a firewall that is designed for distributed environments and leverages centralized policy and management at great scale. This would include application and user regulation controls, IDS/IPS, web filtering, and routing capabilities.

Advanced threat

This ensures that your users, applications, and data remain safe from all the threats that the internet has to offer. Most organizations accomplished this with a centralized sandbox, but remember, we’re moving to a distributed architecture and one that minimizes backhauling. The solution here is cloud based Advanced Threat Protection.

Cloud integration

As one of the drivers for SD-WAN, the migration of workloads to the cloud is as much about ensuring great application performance as it is about accessing those workloads securely. A VPN is going to take care of that, but once you’re in the cloud there are sure to be a whole new set of requirements. This wouldn’t just be workload requirements, but in terms of security controls, deployment methodologies and friction-free licensing as well. You’ll want to look for a firewall / SD-WAN device that is not only tightly integrated with cloud platforms, but also satisfies use cases in the cloud.

Including these six functions in your SD-WAN deployment can greatly simplify and optimize your network, boost security, improve uptime, and drive savings. As you explore the options for your SD-WAN rollout, there’s a lot to consider, but by thinking everything through up front, you’ll ultimately slash costs, create the correct security posture for your dispersed network, and provide a solid migration path to the cloud now and down the road. 

Hatem Naguib is SVP and GM at Barracuda Networks

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.