Technology change with SD-WAN


A change in technology is imminent. Most IT managers have started to implement software-defined networks (SDN). The traditional wide area network is increasingly being replaced by its software-defined younger sibling, so we are on the cusp of a significant shift toward software-controlled traffic steering within WAN technology. The drivers of this shift toward SD-WAN are the increased use of the cloud, together with general performance and cost considerations.

Right now, however, most enterprise WANs still share the same architecture that was in place over a decade ago. Even though these upheavals have already produced a lasting hybrid situation, a company with several locations usually still connects them via so-called multiprotocol label switching, better known as MPLS. MPLS connections are undoubtedly reliable and highly secure, but they can be very costly and resource intensive.

Data evacuation in the data center

So far, so good: But only as long as all applications are in the data center. With the increasing use of cloud services such as Office 365 and the networking of global locations, the data is now moving from the data center to the cloud. The traditional model of IT infrastructure is becoming increasingly irrelevant. The physical data center as we knew it is being evacuated.

All traffic, including traffic destined for cloud applications, is backhauled over MPLS circuits to the central firewall on site. Such a backhauling structure is very secure on the one hand, but it slows down the network, contributes to latency problems and complicates the infrastructure architecture.

The network is simply supposed to ensure that the data is safely transferred from the respective location to the cloud. After all applications are in the cloud and the data center is virtually empty of data, the question arises: Why continue to use expensive MPLS circuits?

The transition to the cloud requires a new architecture, one that embraces cloud technology and application migration to the public cloud: SD-WAN provides software-based control over traditional WAN links. SD-WAN technology simplifies the management and operation of a WAN by decoupling the network hardware from its control mechanism. It "virtualizes" the WAN in order to configure the network and route traffic independently of proprietary hardware connections.

SD-WAN requires new security rules

Moving away from the backhaul architecture and its centralized IT security requires that every distributed location receives the same security level that was previously guaranteed at the central site.

Since a single, central firewall is no longer a viable solution for multiple breakouts, early SD-WAN products provided security either through a service chain with existing next-generation firewalls, by outsourcing security control to the cloud, or by providing a basic on-board firewall and IPS. Unfortunately, all of these approaches either do not provide sufficient security or contradict the critical requirement of centralized management of the entire network.

To address these shortcomings, Secure SD-WAN was born. It combines the benefits of full SD-WAN connectivity with full firewall security, including extensive application control and detection, and the ability to add cloud-based advanced threat protection. In addition, these products include centralized management for all network, routing, and security settings, making WAN management much simpler and easier.

Secure SD-WAN should include the following functionalities:

1. SD-WAN termination - The aggregation of several inexpensive lines
2. WAN optimization - To make the most of the available bandwidth
3. Routing - To redirect traffic
4. Firewall - At each location, to emulate the branch office environment
5. Advanced protection against Internet threats - Such as sandboxing technology

Crucial to the security of SD-WAN is that there is no longer a single huge centralized firewall through which all traffic is routed. But no firewall at all means that every user within the network is exposed to malware and other cyber attacks without protection. The same level of security that was previously provided by a central firewall can now be achieved through many smaller firewalls at each individual location. Connected to the SD-WAN, inexpensive local connections to the network of the respective cloud service provider can be used instead of the expensive MPLS.

Cloud sandboxing instead of centralized sandbox

A centralized firewall is usually supported by a centralized sandbox that inspects downloaded files and then forwards them on their way back through the backhaul cycle.

However, a centralized sandbox structure is rather unrealistic: as soon as a user starts downloading a file, this file has to be routed back to the centralized sandbox and finally made available to the user again. In a distributed setup the sandbox is now isolated, as IT can hardly afford to install a sandbox at every location. In order to secure data traffic and avoid cyber attacks, the locations would have to be connected via a tunnel. The more effective solution is cloud-based sandboxing. With SD-WAN, information can be sent to a sandbox in the cloud. At the same time, the data traffic is optimized in order to prioritize the important information.

This combination of processes offers significantly better security than classic centralized procedures. And since IT security is also in the cloud, the network can be accessed from anywhere, so users who work remotely are protected.

Zero-touch provisioning (ZTP) saves time and money

A tip: Wherever possible, zero-touch provisioning (ZTP) should be used. That saves time and money. With zero-touch provisioning, an appliance can be shipped directly to the end location and configured from the cloud. Once it is brought online, the configuration is automatically transferred to the device.

Since it is surely only a matter of time before attacks also target SD-WAN environments, IT security teams should implement security measures specifically developed for their software-defined environment in good time and on an ongoing basis.

More at Barracuda.com
