With the escalating adoption of bandwidth-hungry SaaS applications, VPs of networking are having to rethink their wide area networking (WAN) strategies. Instead of accommodating increasing and variable demand with costly, inflexible WAN connections, more network leaders are looking to implement a software-defined wide area network (SD-WAN). SD-WAN is attractive not only because it provides more efficient and cost-effective bandwidth allocation, but also because it improves WAN performance, agility, and operational flexibility.
As network leaders assess their SD-WAN options, however, what is often missing from their deliberations is how to adequately address security risks. SD-WAN vendors are increasingly embedding security features into their offerings, but these tend to be basic, Layer 3 network controls and not the robust security functions that these environments require. Considering the current cyber-threat environment, should security embedded in an SD-WAN-enabled appliance be relegated to perfunctory specs, subjugated to SD-WAN’s greater mission of pushing packets through pipes as seamlessly as possible? Because that is exactly the problem with most of today’s SD-WAN-plus-security offerings.
Why Divide and Conquer Isn’t the Answer
Embedded security may seem like a moot point for many enterprises in which security and networking are handled by different functions in the organization. The networking team deploys an SD-WANsolution, and the security team is responsible for deploying a next-generation firewall (NGFW) as a gatekeeper for the SD-WAN-enabled appliance. But if implementing SD-WAN involves two teams, managing two types of products, using separate management consoles, the TCO of the solution may become more than what the CIO bargained for.
What’s more, lack of integration between SD-WAN and NGFW products also heightens risk due to potential gaps between the disparate technologies that cybercriminals are highly motivated to exploit. Finally, and perhaps more importantly for some, network performance bottlenecks are almost guaranteed to ensue. For example, increasing SSL-encrypted enterprise traffic, which now comprises over 50% of all network traffic, must be thoroughly checked for hidden malware, a CPU-intensive process that result in significant overhead for many traditional NGFW solutions
Will the Real Integrated SD-WAN/NGFW Solution Please Stand Up?
In an attempt to address this challenge, a number of vendors have begun to offer advanced firewall features embedded into their SD-WAN appliances. It sounds promising, until you realize they’re not really integrated: You must still manage separate security and networking domains, which hampers IT visibility and control.
So, what’s left? As is often the case, the answer is revealed through a change in perspective: Rather than trying to find an SD-WAN solution with security features, you might be better served by seeking to create a secure environment for implementing SD-WAN. One of the best ways of doing so, that is available today, is an SD-WAN-enabled next-generation firewall.
For enterprises with high security requirements, an NGFW is essential to provide Layer 3 through Layer 7 protection. But what about SD-WAN functionality? Lest “SD-WAN-enabled NGFW” become a euphemism for SD-WAN compromise, candidate NGFWs claiming to provide SD-WAN functions should be assessed for several key capabilities:
- Application and Path Awareness. As an SD-WAN-enabled appliance, the NGFW must have path awareness intelligence, automatically routing packets from each application according to application-level SLAs, prioritizing them by criticality, time of the day, and so on. It should also be application aware, enabling network admins to monitor the changing traffic patterns of the applications traversing the WAN so they can modify policies accordingly.
- Integrated Security and Compliance. This secure environment should not only include key security features, such as high-throughput IPsec VPN and SSL inspection, but also compliance tracking and reporting. With applications dispersing packets across multiple WAN pathways in an SD-WAN, you don’t want to spend hours retracing the routes of suspect packets by toggling between multiple apps.
Automation. Advanced NGFW hardware design is key to ensuring that firewall functions do not compromise WAN path routing. Otherwise, the performance gains promised by SD-WAN may be negated by security-based latencies.
- Multi-Broadband Support. Rather than relying on erratic 4G/3G network as the only failover for multiprotocol label switching (MPLS) lines, the firewall should also be able to leverage the public internet in order to maximize WAN availability.
- TCO-Reducing Features. Consolidated management almost goes without saying. It doesn’t pay to use an integrated solution if it needs to be managed through two different consoles. And furthermore, an SD-WAN-enabled firewall that offers zero-touch deployment will also relieve much of the burden associated with SD-WAN implementation.
Who Maintains It—Networking or Security?
That’s up to you. A fully integrated secure SD-WAN solution should integrate both networking and security functions for simplified management through a single pane of glass. This not only reduces finger pointing and wasted time, but also increases your flexibility in allocating FTE resources. A secure and/or Managed SD-WAN can help you lower TCO all around, and it’s a straightforward path to creating one that meets the needs of both your networking and security teams, if you know what to look for.
Nirav Shah, Fortinet - 8 March 2018
Fortinet provides top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric.