June 02, 2021
BTEX 2021: How SD-WAN Helps Networks Manage the New Perimeter
This last year has been challenging, but the IT industry has really stepped up to ensure that users are able to work remotely and safely, and everyone should be proud of what's been accomplished so far, says Reid Nilson, Senior Field Security Architect, speaking at CDW's BTEX 2021 virtual event. However, with users working remotely, it's driven home the fact that the traditional security perimeter is changing.
It's 10 p.m. Do you know where your users are?
If you think about where our users and applications are today, they could be anywhere, says Nilson. Users may be at an office location, or they could be working from home. Applications may be in the data centre, or they could be hosted as software as a service (SaaS). That's why it's time to examine how the remote network branch edge can be built to support this changing security perimeter.
Drivers for network branch edge modernization
In discussions with customers across Canada, they're all in different spots in their IT journey, says Nilson. Some were early adopters of SaaS applications like Office 365, Salesforce or G Suite, and others are just beginning the cloud journey. For many clients, this journey starts with a hybrid environment, where they have a mix of on-prem and cloud applications.
Another change has been the evolution of new as-a-service offerings, such as virtual desktop infrastructure (VDI) or bare metal. These new services are forcing the network connectivity layer to be able to reach these new applications. Remote branch sites are typically connected using a private MPLS circuit, MPLS in combination with an IPsec VPN, or an internet connection with a VPN tunnel.
These solutions tend to be static, says Nilson. For MPLS sites, new sites can be added to the MPLS private network, but this requires engaging the service provider to build out a new connection, which typically takes months. Other challenges with MPLS are that connections may be constrained to the region in which the service provider operates, or that the bandwidth available on a particular connection isn't enough.
IPsec VPN is more flexible for adding tunnels, but it does require that both sides of the connection be configured, and for full-mesh or large networks, this just isn't scalable.
Challenges with legacy solutions
When we look at how these solutions operate, they typically rely on the routing table to make decisions about how to steer traffic, says Nilson. If the site has a single internet or MPLS connection, this is easy, because the traffic only has one way to go. But if the remote site has multiple connections, it gets a bit trickier. Legacy solutions will generally have features for load balancing or prioritizing the links, but this still relies on the routing table and can get complex. The branch network device is only aware of the status of its directly connected interfaces. If there are problems upstream in the provider network, such as latency or packet loss, it may not be able to detect them, and will continue to use that link even though the interface is still up.
The network branch device may also have limited awareness of application traffic. Classifying traffic properly with quality of service (QoS) marking has historically been hard to get right; having application awareness built into the device, without depending on QoS marking, makes it a lot easier to prioritize traffic.
When I talk to customers that have these challenges, I talk to them about SD-WAN. And there are a lot of SD-WAN vendors out there.
3 must-have features for SD-WAN solutions
- Centralized management console: For SD-WAN solutions built from the ground up, this will typically be a SaaS offering that's included with the licensing for the overall solution. Other vendors will have a management appliance that the customer is responsible for deploying, either in the data centre or with an IaaS provider in the cloud.
- Zero-touch deployment: When an appliance connects to the management solution, it is assigned to the customer portal based on its serial number or other identifying information, and becomes available for the customer to claim. Once it's been claimed in the console, the device can be configured remotely. When you have a large number of sites, it's a lot easier to have the vendor ship the device right to the site rather than bringing it to a central site to pre-configure it, shipping it out again, and hoping that it works.
- Analytics: Each SD-WAN vendor will have a number of reports built into the management console, including top applications and link utilization, and may include user information, depending on the integration with the customer environment.
All of these features put together make it a really compelling solution, even if the sites only have one internet connection, says Nilson.
Network security considerations for SD-WAN
Any organization must have security as a core consideration, says Nilson. When a new SD-WAN device connects to the network and dials home, that device must be authenticated and validated before it is allowed to join the network.
Each SD-WAN solution will offer some type of segmentation at the branch level. Use cases for this segmentation would be the creation of a dedicated, internet-only zone for a guest wireless network, or an isolated network that can only reach a data centre for PCI compliance.
However, inter-zone communication controls vary between SD-WAN solutions. Generally, solutions that are SD-WAN from the ground up will have basic firewall functionality, whereas firewalls with SD-WAN add-on licences will have complete NGFW features like threat prevention and sandboxing. When considering zoning at the site, the main question is what kind of east-west traffic there is and what inspection it needs. For the guest and PCI zones described above, there would be no east-west traffic, as they are isolated from everything else in the branch.
If the branch solution we're looking at is meant to avoid backhauling internet traffic to a hub location, with internet breaking out locally at the site, we still have to consider some type of URL filtering, and possibly sandboxing, at the site, says Nilson. For some solutions, you would be looking at a secure access service edge (SASE) offering, which could provide features like URL filtering in combination with an SD-WAN appliance.
Using SD-WAN solutions for applications in the cloud
If you're looking at deploying a new cloud solution in infrastructure as a service (IaaS), then you can deploy SD-WAN appliances to that particular cloud provider and build tunnels to that application from your hub site, says Nilson. When we're talking about applications, it's really important that SD-WAN has that application awareness, especially if we're looking at sites with multiple transport connections.
When it comes to transport, it could be LTE, internet or MPLS, and we may have preferences on where particular applications go. Within the SD-WAN solution, we're able to build out policies through the management console to have one of those links serve as the first option for an application like VoIP. If we retain our MPLS solution, because we're able to get really good quality from our provider, we're able to steer that VoIP traffic onto that connection and keep it there.
But if we encounter problems, we have enough information coming from the network, and that SD-WAN appliance has enough intelligence, to decide that this link isn't healthy anymore and that it needs to switch over to another one, Nilson says. With SD-WAN, we would typically have a device at the remote network and one at the data centre, and they're able to exchange information about their paths as well.
Adding all these things together with the management console allows the administrator to define policy centrally, so instead of going to every single device, they're able to go to one spot and push this policy to all devices. This is really a big advantage for large-scale networks.
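To make the difference between the legacy routing-table behaviour and the SD-WAN behaviour concrete, here is an added example (not code from the talk, from CDW, or from any SD-WAN vendor). It models a branch device with three transports (MPLS, internet, LTE), per-link health measured by probes across the provider network, and a centrally defined per-application policy that names a transport preference order and an SLA. The link names, SLA thresholds, health-score weights and probe values are all constructed for illustration.

```python
"""Application-aware path steering with SLA-based failover (illustrative only).

Constructed example: a branch device probes each transport end to end (latency,
loss, jitter), so it can detect an upstream provider problem on a link whose
local interface is still up. A legacy router that only watches interface state
would keep using that link; the policy-driven selector below steers away from it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LinkHealth:
    name: str
    interface_up: bool     # all a legacy routing-table decision can see
    latency_ms: float      # measured by probes to the hub, not just locally
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class AppPolicy:
    app: str
    preferred: list[str]   # ordered transport preference from the console
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


# Hypothetical central policy: keep VoIP on MPLS while MPLS meets the SLA.
VOIP = AppPolicy("voip", ["mpls", "inet", "lte"],
                 max_latency_ms=150.0, max_loss_pct=1.0, max_jitter_ms=30.0)


def meets_sla(link: LinkHealth, policy: AppPolicy) -> bool:
    return (link.interface_up
            and link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct
            and link.jitter_ms <= policy.max_jitter_ms)


def health_score(link: LinkHealth) -> float:
    # Lower is better. Weights are arbitrary assumptions for the example.
    return link.latency_ms + 20.0 * link.loss_pct + 2.0 * link.jitter_ms


def legacy_next_hop(preferred: list[str], links: dict[str, LinkHealth]) -> Optional[str]:
    """Routing-table style: first preferred link whose interface is up."""
    for name in preferred:
        link = links.get(name)
        if link is not None and link.interface_up:
            return name
    return None


def select_path(policy: AppPolicy, links: dict[str, LinkHealth]) -> Optional[str]:
    """SD-WAN style: honour preference only while the link meets the SLA."""
    # 1. First preferred transport that currently meets the application SLA.
    for name in policy.preferred:
        link = links.get(name)
        if link is not None and meets_sla(link, policy):
            return name
    # 2. Otherwise any SLA-compliant transport, healthiest first.
    compliant = [l for l in links.values() if meets_sla(l, policy)]
    if compliant:
        return min(compliant, key=health_score).name
    # 3. Otherwise best effort: the least-bad transport that is at least up.
    up = [l for l in links.values() if l.interface_up]
    if up:
        return min(up, key=health_score).name
    return None  # every transport is down


def healthy_links() -> dict[str, LinkHealth]:
    # Constructed probe results for a branch where every link is clean.
    return {
        "mpls": LinkHealth("mpls", True, 30.0, 0.0, 3.0),
        "inet": LinkHealth("inet", True, 45.0, 0.2, 8.0),
        "lte":  LinkHealth("lte",  True, 90.0, 0.5, 25.0),
    }


def degraded_links() -> dict[str, LinkHealth]:
    # Same branch, but the MPLS provider is dropping 6% of packets upstream.
    # The interface is still up, so only the probes reveal the problem.
    links = healthy_links()
    links["mpls"] = LinkHealth("mpls", True, 30.0, 6.0, 3.0)
    return links


if __name__ == "__main__":
    for label, links in (("healthy", healthy_links()), ("degraded", degraded_links())):
        print(f"{label:9s} legacy -> {legacy_next_hop(VOIP.preferred, links)}, "
              f"sd-wan -> {select_path(VOIP, links)}")
```

In the degraded scenario the legacy selector still answers "mpls" because the interface is up, while the SLA-aware selector moves VoIP to the internet link; when MPLS recovers, the preference order brings VoIP back. Real products replace the constructed probe values with continuous BFD or ICMP/UDP path measurements exchanged between the branch and hub appliances, and the policy table is pushed from the management console rather than hard-coded.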