Part 3: Assessing Your WAN Strategy: Resiliency and Security at Branch Locations


In part 1 of this 3-part series on how to conduct a wide-area network assessment and determine necessary updates, we looked at foundational issues including current challenges and objectives. Part 2 examined considerations around applications and bandwidth. In this third and final installment we’ll look at two issues that are critical for any organization: resiliency and security.

My source for determining what issues to examine is Mike Lawson, Manager of SD-WAN/NFV Solutions Architecture for CenturyLink. Lawson is in the trenches with network architects and customers every day; as such, he understands the issues that lead companies to upgrade their WAN services to newer technologies such as software-defined WAN (SD-WAN).

Assessing your branch resiliency

With respect to resiliency, start your assessment by examining your strategy at branch locations, Lawson says. “Do you have more than one connection to branch locations? Can you leverage them both in an active state?” he says. Many times companies buy an additional MPLS circuit, for example, but use it only when the primary fails. Otherwise, the extra capacity sits idle.

That’s an instance where SD-WAN may make sense, as it allows companies to leverage more than one connection in an active state at each site. An organization might have an MPLS link as its primary connection, for example, and use broadband Internet or 4G cellular as a backup – a much less expensive option than having multiple MPLS circuits.

The fact that the backups can also be used in an active state opens up multiple new options in an SD-WAN scenario.

Many customers employ packet replication for voice and video, for example, Lawson says. “If voice is critical at a particular location, it may make sense to leverage more than one connection,” he says. “Rather than losing the call if a service isn’t available, two or more connections are used to send duplicate packets of data, increasing survivability of the application.”

Packet striping is another SD-WAN feature that helps deliver a single data flow across disparate network links, Lawson notes. This lets a site utilize all available bandwidth for a large file transfer.

Security issues: network segmentation, firewalls

With respect to security, organizations need to look at how their security posture is evolving with the introduction of more Internet technology on the WAN. Be sure to consider how your solutions let you achieve compliance with requirements such as PCI and perform vulnerability scanning, Lawson says.

Guest networking is another consideration. Consider an auto dealership, for example. “Customers often come in with the whole family. While mom and dad are talking to the salesman, the kids are on their iPhones,” Lawson says. “So, you need to provide a guest network while also protecting the corporate network.”

Doing so hinges on providing an effective hybrid network strategy. Here again, SD-WAN can be an effective solution because it lets users create multiple logical networks at the click of a button (depending on provider).

SD-WAN solutions may also come with features such as an embedded firewall, Lawson says. That enables customers to develop security policies to protect the network edge, whether it’s Internet traffic or trusted applications such as Office 365.

“With a solution that we sell, it’s technically possible to say I'm going to take centralized firewall functionality out of the data center and put it at the edge of the network,” he says. That can be a tough sell for security teams, however, so companies often take a hybrid approach, using data center firewalls to control general Internet traffic but SD-WAN security capabilities for trusted applications.

“We're seeing a kind of security journey develop with our customers,” Lawson says. “But security remains top of mind.”



Copyright © 2019 IDG Communications, Inc.