April 10, 2018 | Mike Frane

How SD-WAN Can Take On Branch Office Security Challenges

Mike Frane, VP of Product Management

Mike is responsible for the company’s overall SD-WAN strategy, as well as the network and security service portfolios. Since joining WE in 2008, he’s overseen the launch of MPLS IPsec access elements, Secure WiFi & Analytics, Unified Communications and more.

Before SD-WAN, multi-location enterprises had to rely solely on protection deployed locally at each branch office. This typically meant point security appliances at the branch network boundary, combining a firewall with unified threat management functions for local use (content filtering, data loss prevention, encryption services, and so on). Moving to SD-WAN introduces new options for taking on the typical security challenges of a multi-office network. What follows is a summary of those challenges and an explanation of how SD-WAN, together with other security solutions, can help mitigate them.

Branch offices face multiple security challenges

Most distributed enterprises manage their security infrastructure internally or work with a managed security service provider (MSSP). Despite these efforts, they face a variety of complex challenges when using multiple point solutions to provide comprehensive security at branch offices, including:

  • Latency for cloud applications and services: With applications delivered both from the cloud and from corporate data centers, security requirements often mean that cloud-bound traffic is backhauled through the data center to benefit from deep packet inspection, content filtering and data loss prevention. The extra round trip adds latency and slows branch office applications.
  • Complexity of network connectivity: Security needs vary from location to location with the link types in use and the applications accessed. Locations may rely on different links (broadband, MPLS, or hybrid combinations), and each combination has to be accommodated when security appliances implement the typical branch office security model.
  • Complexity raises the cost of ownership: Purchasing, deploying and managing appliances for multiple layers of security at branch locations where expertise is minimal or absent adds to both capital and operational expenses.
  • Complexity increases security risk: Integrating multiple point solutions and maintaining many separate configurations always carries the risk that the combination leaves gaps in coverage, exposing the branch (and its parent organization) to a variety of risks and vulnerabilities.
  • Lack of flexibility lengthens deployment: Deploying point security solutions at branch offices takes considerable time (purchasing and shipping hardware, scheduling staff or vendors for installation and testing). This cost is paid both during initial deployment and every time an upgrade or change is required at the branch level.

How SD-WAN can help boost branch security

Software-defined networking brings with it network function virtualization (NFV), in which network and security functions run as software on generic hardware rather than as dedicated appliances, and service chaining, which links several of those functions in sequence so that a given connection is processed by each in turn. Virtualized network and security functions can therefore be defined, deployed and managed centrally, by a service provider or from the enterprise data center, and updated, upgraded or replaced without a visit to the branch. Consolidating the security functions at the network core makes it easier and more affordable to keep the branch office security model current and consistent across all locations.

This enables a cloud-based approach to security built around a high-function, virtualized next-generation firewall (NGFW) that runs at the network core. Once configured and tuned for the specific applications the enterprise uses, this NGFW can be service-chained into the SD-WAN connections of as many branch offices as desired. Because traffic must travel to the core to be inspected, such solutions can reintroduce some of the latency issues noted among the challenges above, so IT must be selective about which traffic is sent through them and when.

SD-WAN and “security classes”

For example, at a location whose traffic includes both A) customer records and transactions and B) guest or visitor WiFi, it makes sense to differentiate the traffic into “security classes.” The more sensitive customer records and transactions would be routed through the service-chained NGFW functions for the highest level of inspection, while the less sensitive “guest WiFi class” could be handled by local security appliances and break out to the internet at the branch.

This kind of configuration requires the enterprise to carefully define and evaluate security classes for branch office traffic, and to impose policy and technical controls (VLAN or SSID separation, application identification, and steering rules) so that each flow is treated according to its class; traffic that matches no class should fall into the most restrictive class rather than the least. Service providers can help by describing the hosted security options available and demonstrating how customers can segment traffic to use or bypass the various security functions they provide.
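The security-class policy described above, written out as an added example (this is not Windstream Enterprise code or configuration). The VLAN numbers, address ranges, application labels and service-chain names are assumptions chosen for illustration: a first-match policy steers guest WiFi to local security only, customer records and transactions to the core NGFW chain, sanctioned SaaS to local breakout to avoid backhaul latency, and anything unclassified into a fail-closed default. The `audit` function checks the invariants a practitioner would want to verify before pushing the policy to every branch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed branch layout for this example (assumed, not from the post):
# VLAN 10 carries corporate endpoints, VLAN 20 carries guest/visitor WiFi.
CORP_VLAN = 10
GUEST_VLAN = 20
# Assumed corporate address space reachable over the SD-WAN overlay.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
# Application labels assumed to be assigned by the edge's traffic identification.
SENSITIVE_APPS = {"crm", "pos", "erp"}          # customer records and transactions
SANCTIONED_SAAS = {"office365", "salesforce"}   # approved for local internet breakout

# Ordered virtualized functions each class is chained through. "core" chains run
# in the data center NGFW; "local" chains run on the branch appliance.
CHAINS = {
    "sensitive":    ("core-ngfw", "dpi", "dlp", "content-filter"),
    "standard":     ("local-fw", "content-filter"),
    "guest":        ("local-fw", "guest-content-filter"),
    "unclassified": ("core-ngfw", "dpi", "dlp", "content-filter"),
}


@dataclass(frozen=True)
class Flow:
    vlan: int
    src: str
    dst: str
    dst_port: int
    app: str


@dataclass(frozen=True)
class Decision:
    security_class: str
    path: str                 # "core" = backhaul through the data center chain, "local" = branch breakout
    chain: Tuple[str, ...]
    allowed: bool
    reason: str


def to_corporate(dst: str) -> bool:
    """True when the destination lies inside the corporate address space."""
    return any(ip_address(dst) in net for net in CORP_NETS)


def classify(flow: Flow) -> Decision:
    """First-match steering policy; the final rule is an explicit fail-closed default."""
    corp_dst = to_corporate(flow.dst)

    if flow.vlan == GUEST_VLAN:
        # Guest traffic never enters the overlay toward corporate networks: local security only.
        if corp_dst:
            return Decision("guest", "local", CHAINS["guest"], False, "guest to corporate address space")
        return Decision("guest", "local", CHAINS["guest"], True, "guest internet breakout")

    if flow.vlan == CORP_VLAN:
        if corp_dst or flow.app in SENSITIVE_APPS:
            return Decision("sensitive", "core", CHAINS["sensitive"], True, "customer records/transactions")
        if flow.app in SANCTIONED_SAAS and flow.dst_port == 443:
            return Decision("standard", "local", CHAINS["standard"], True, "sanctioned SaaS, avoid backhaul latency")
        # Unrecognised corporate traffic goes to the core for inspection rather than breaking out.
        return Decision("sensitive", "core", CHAINS["sensitive"], True, "unrecognised corporate app")

    # A segment nobody assigned a class to is blocked until it is classified.
    return Decision("unclassified", "core", CHAINS["unclassified"], False, "segment has no security class")


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Invariants worth checking before pushing the policy to every branch."""
    violations = []
    for f in flows:
        d = classify(f)
        if d.security_class == "guest" and d.path == "core":
            violations.append((f, "guest traffic entered the overlay"))
        if d.security_class == "guest" and d.allowed and to_corporate(f.dst):
            violations.append((f, "guest reached corporate network"))
        if d.security_class == "sensitive" and "dlp" not in d.chain:
            violations.append((f, "sensitive traffic bypassed DLP"))
    return violations


# Constructed sample flows (addresses and labels are illustrative).
SAMPLE_FLOWS = [
    Flow(10, "10.1.5.20", "10.200.0.15", 8443, "crm"),        # CRM to the data center
    Flow(10, "10.1.5.21", "52.96.0.10", 443, "office365"),     # sanctioned SaaS
    Flow(10, "10.1.5.22", "203.0.113.7", 443, "unknown"),      # unrecognised corporate app
    Flow(20, "192.168.20.5", "93.184.216.34", 443, "web"),     # guest browsing
    Flow(20, "192.168.20.6", "10.200.0.15", 445, "smb"),       # guest probing the data center
    Flow(30, "192.168.30.9", "8.8.8.8", 53, "dns"),            # segment with no class
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = classify(f)
        print(f"vlan {f.vlan:>2} {f.app:<9} -> {d.security_class:<12} {d.path:<5} "
              f"{'allow' if d.allowed else 'deny':<5} via {'>'.join(d.chain)}  ({d.reason})")
    print("policy violations:", audit(SAMPLE_FLOWS))
```

The point of the ordering is that every branch of `classify` returns an explicit decision, so adding a new VLAN or application does not silently inherit the guest treatment; running `audit` against a representative flow set catches a rule that lets guest traffic into the overlay or routes a sensitive class around DLP.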

Using SD-WAN, customers can maintain the confidentiality of communications between branch offices through encrypted tunnels (traffic that breaks out locally to the internet is not covered by those tunnels and still depends on the local or hosted security functions), improve the integrity of security and business policies through centralized policy management, and improve network availability by seamlessly using multiple access paths and steering traffic according to measured path condition to avoid service interruptions. Confidentiality, integrity and availability are the three pillars of developing and maintaining a secure network.
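The availability point above, path selection driven by measured path condition, as an added example that is not part of the original post. The per-class SLA thresholds, the probe values and the path names are assumptions. The rule it enforces is the one a practitioner cares about when availability and confidentiality are set against each other: a degraded tunnel is preferred over an SLA-compliant but unencrypted path, and with no usable tunnel the caller fails closed rather than sending overlay traffic in the clear.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Path:
    name: str
    up: bool
    encrypted: bool      # an IPsec tunnel to the far-end edge is established on this path
    latency_ms: float    # latest probe results (constructed values)
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass(frozen=True)
class Selection:
    path: Path
    sla_met: bool        # False means the class is running degraded on its least-bad tunnel


# Assumed per-class SLA thresholds for overlay (site-to-core) traffic; illustrative only.
SLAS = {
    "sensitive": Sla(max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30),
    "standard":  Sla(max_latency_ms=250, max_loss_pct=3.0, max_jitter_ms=50),
}


def meets_sla(p: Path, sla: Sla) -> bool:
    return (p.latency_ms <= sla.max_latency_ms
            and p.loss_pct <= sla.max_loss_pct
            and p.jitter_ms <= sla.max_jitter_ms)


def select_path(security_class: str, paths: List[Path]) -> Optional[Selection]:
    """Choose the path for a class from the latest measurements.

    Only up, encrypted paths are candidates (confidentiality is never traded for
    availability). Among them, SLA-compliant paths win; if none comply, the
    least-bad tunnel is used and the selection is flagged as degraded. With no
    usable tunnel the function returns None so the caller fails closed.
    """
    sla = SLAS[security_class]
    candidates = [p for p in paths if p.up and p.encrypted]
    if not candidates:
        return None
    compliant = [p for p in candidates if meets_sla(p, sla)]
    pool = compliant or candidates
    best = min(pool, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
    return Selection(best, bool(compliant))


# Constructed measurements for a branch with MPLS, broadband and an LTE backup
# whose tunnel has not come up.
HEALTHY = [
    Path("mpls", up=True, encrypted=True, latency_ms=40, loss_pct=0.1, jitter_ms=5),
    Path("broadband", up=True, encrypted=True, latency_ms=30, loss_pct=2.5, jitter_ms=15),
    Path("lte", up=True, encrypted=False, latency_ms=90, loss_pct=0.5, jitter_ms=20),
]
MPLS_DOWN = [Path("mpls", False, True, 0, 100, 0)] + HEALTHY[1:]
NO_TUNNELS = [Path("mpls", False, True, 0, 100, 0), Path("lte", True, False, 90, 0.5, 20)]

if __name__ == "__main__":
    for label, paths in (("healthy", HEALTHY), ("mpls down", MPLS_DOWN), ("no tunnels", NO_TUNNELS)):
        for cls in SLAS:
            sel = select_path(cls, paths)
            print(f"{label:<10} {cls:<9} ->",
                  "blackhole (fail closed)" if sel is None
                  else f"{sel.path.name} {'within SLA' if sel.sla_met else 'DEGRADED'}")
```

In the constructed data the sensitive class stays on MPLS while it is healthy, falls back to the lossy broadband tunnel (flagged as degraded) when MPLS drops, and is never placed on the LTE path because its tunnel is not established. Feeding the degraded flag into monitoring is what turns a silent brownout into an alert.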

Much of this may be new to many people, so feel free to bring your thoughts and questions to our team at Windstream Enterprise anytime so we can add further explanation about what SD-WAN can do to enhance security.
