Prior to SD-WAN, multi-location enterprise networks needed to rely solely on local protection at the branch office level from a data security perspective. This typically meant point security appliances at the network boundary in the branch office, which combine functionality including firewalls and unified threat management for local use (content filters, data loss protection, data encryption services, etc.). Moving to SD-WAN introduces new options for taking on typical multi-office network security challenges. Following is a summary of those challenges, and an explanation of how SD-WAN, along with other security solutions, can help mitigate them.
SD-WAN faces multiple branch office security challenges
Most distributed enterprises manage their security infrastructure internally or work with a managed security service provider (MSSP). Despite these best efforts, they face a variety of complex challenges when using multi-point solutions to provide comprehensive security at branch offices, including:
How SD-WAN can help boost branch security
Software defined technology introduces the concept of network function virtualization (NFV). This includes security functions and service chaining, which enables multiple functions to be linked together for servicing-specific network connections. Thus, software defined technologies can deliver seamless security across branch offices in a way that is painlessly managed within a centralized approach by a service provider, or from the data center. This allows virtualized network and security functions to migrate away from hardware point solutions to their virtualized software-based counterparts, improving security integrity across all locations. This makes them easier to define, deploy, and manage at the branch, and to update, upgrade, or replace when changes are required. Using data centers at the network core makes it easier and more affordable to update branch office security models.
This introduces a potential cloud-based approach to security, featuring a high-function, next gen virtualized firewall (NGFW) that runs at the network core. Once configured and tuned for the specific apps used in the enterprise, this NGFW can be serviced-chained into SD-WAN connections to as many branch offices as desired. Such core-based solutions may pose some of the latency issues noted in the preceding “enterprise challenges,” so IT must be selective about how and when they’re used.
SD-WAN and “security classes”
For example, in a location where the application and traffic includes both A) customer records and transactions, and B) guest or visitor WiFi, it makes sense to differentiate the traffic by “security classes.” More sensitive customer records and transactions would be routed through the service chained NGFW functions to ensure the highest level of security, while less sensitive traffic in the “guest WiFi class” could make use of local security appliances.
This kind of configuration would require an enterprise to carefully consider and evaluate “security classes” for branch office traffic, and impose policy and technical controls to ensure traffic and apps are treated appropriately by “security class.” Service providers can help by describing hosted security options, and demonstrate how customers can segment traffic to use or bypass the various security functions they provide.
Using SD-WAN, customers can maintain communication confidentiality through encrypted tunnels between branch offices, improving the Integrity of security and business policies by having centralized policy management. They can also improve network availability, by seamlessly utilizing multiple access paths, and path condition to avoid service interruptions. Providing confidentiality, integrity and availability are the three main factors for developing and maintaining a secure network.
Much of this may be new to many people, so feel free to bring your thoughts and questions to our team at Windstream Enterprise anytime so we can add further explanation about what SD-WAN can do to enhance security.
Mike Frane is Vice President for SD-WAN at Windstream Enterprise, with responsibility for the company’s overall SD-WAN strategy, as well as the network and security service portfolios. Since joining the organization in 2008, he’s overseen the launch and lifecycle of services including LTE wireless, Ethernet and MPLS IPsec access elements, Secure WiFi & Analytics, Application Performance Optimization, IPsec VPN and Unified Communications. Prior to Windstream’s acquisition of EarthLink, Mike led the launch of EarthLink’s SD-WAN service; their most successful product introduction in over a decade. Mike has a BS in Genetics and Cellular Biology from the University of Minnesota and was involved in gene therapy research at the Institute of Human Genetics before entering the telecommunications industry.