WAN Transformation – Security First or Network First?

istock 1154268620

It’s an exciting time in Wide Area Networking. With the rapid adoption of software-defined wide area networking (SD-WAN) architectures, we’re experiencing the biggest transformation in the WAN since the introduction of MPLS back in the late 90s.

As with all new technologies, there is a lot of hype and a stampede of companies looking to capitalize on a hot new category. At last count, there were about 70 companies with marketing messages all vying to hop on the five letter “S-D-W-A-N” bandwagon.

Interestingly, in the newly Gartner 2019 Magic Quadrant for WAN Edge Infrastructure, there are only two companies positioned as Leaders, Silver Peak and VMware. Seventeen others are positioned across the Niche, Visionary and Challenger quadrants. Ten additional companies are listed but didn’t meet the qualification criteria for inclusion in the Magic Quadrant.

Marketing messages from different vendors vary widely depending on the heritage of the company and the capabilities – or limitations – of their offerings. Some focus their messaging around security. Others focus just on networking technology. Only a few enable a modern WAN edge infrastructure solution. This leads to a lot of confusion and frustration for organizations trying to sift through the details in order to make a sound, strategic decision on how to best rearchitect their WAN edge to support cloud and digital transformation initiatives.

I’ll focus on one of the key areas of confusion and a key decision factor for customers: Is it the Wide Area Network first and security second? Or is it security first and the WAN second?

These are not trick questions; the reality is that it’s both.

Optimizing Security Service Delivery

What security is needed at the branch? At a minimum, a basic Layer 3/Layer 4 firewall to block incoming threats. However, more sophisticated capabilities are desirable at the branch, including advanced segmentation that spans the LAN-WAN-Data Center and the LAN-WAN-Cloud. For example, a retail organization might define a network segment for Point of Sale (POS) traffic, one for Guest Wi-Fi and another to prioritize real-time voice traffic (for QoS reasons, not necessarily for security purposes). This type of zone-based micro-segmentation enables the organization to meet Payment Card Industry (PCI) compliance requirements by isolating this traffic on the network to secure the organization from threats that might arise from guest use of the network and ensure high quality voice services.

A key benefit enabled by a modern SD-WAN is the ability to connect users to cloud applications directly from the branch using the internet. Known as local internet breakout, this delivers the highest cloud application quality of experience. But, using the internet for transporting enterprise application traffic increases exposure to vulnerabilities, broadens the attack surface at the branch and, ultimately, exposes the entire enterprise to greater risk. As with the WAN, delivering the best cloud application user experience also requires a modern approach to security. This new approach requires unified security functions delivered by the branch SD-WAN platform and automated service chaining to cloud-delivered security services for more advanced inspection.

Another dynamic that is transforming network and security requirements is the explosion of network endpoints – the definition of a “site” is expanding. Besides branch locations, a site might be an ATM machine or a railroad car or a wind turbine or even a medical backpack used by first responders to transmit real-time patient medical data from the field back to a hospital. Network architects now need to think about scaling not to a thousand sites but to tens of thousands of endpoints. And many of these endpoints may be located far away from physical enterprise locations. This also places additional requirements on how security must be delivered. Instead of the security perimeter being defined by branch locations, it is now everywhere the business has an endpoint. To deliver the right security services at the right place – as close to the endpoint as possible – and the right time requires a distributed security enforcement model.

SD-WAN and Cloud-delivered Security Go Hand-in-Hand

Cloud-delivered security services shift the entire security stack and locate it in the cloud instead of on dedicated, expensive security appliances at each branch location. The security stack not only includes next-generation firewall services but also IDS/IPS, URL filtering, UTM, antivirus protection, sandboxing and more. And, automated daily security and threat updates ensure always-up-to-date security and consistent policy enforcement across the enterprise.

Delivering the optimal, cloud-delivered security requires an advanced SD-WAN that can steer traffic on the first packet by applying and enforcing business-driven security policies. For example:

  • Backhaul traffic for applications still hosted in the enterprise data center to the data center
  • Automatically identify, classify and steer trusted, whitelisted cloud-destined traffic such as that for Unified Communications applications and perhaps Office 365, directly to their providers’ respective data centers
  • Automatically steer other cloud and web traffic to the closest cloud security enforcement point of presence (PoP)
  • Automatically steer traffic from remote IoT devices/sites to the closest cloud security enforcement point of presence (PoP)

Best-of-Breed WAN + Best-of-Breed Security

Implementing cloud-delivered security services requires establishing primary and backup secure tunnels between branch sites and the closest and next-closest cloud-security PoPs. It requires configuring, monitoring and managing two or more tunnels from every branch site, a time-consuming task if performed manually.

Silver Peak has partnered with best-of-breed security providers including Zscaler and Check Point to automate the orchestration of cloud-delivered security services. What was traditionally a manual, time-consuming and potentially error-prone process now happens in minutes via tight integration with modern APIs. Best-of-breed SD-WAN and best-of-breed cloud-delivered security go hand-in-hand for cloud-first enterprises. In this sense, 1 + 1 = 3.

With the Silver Peak Unity EdgeConnect™ SD-WAN edge platform, customers don’t have to compromise WAN performance or security in architecting a modern WAN edge.


Copyright © 2020 IDG Communications, Inc.