How secure SD-WAN can replace traditional Branch Firewalls
Fact: SD-WAN solutions now incorporate firewall capabilities that enable organisations to perform quick deployments without compromising security.
By Mandy Duncan, Aruba Country Manager South Africa
Originally created primarily to virtualise the WAN, SD-WAN has evolved to manage more aspects of the network, including security. Today, secure SD-WAN solutions let IT teams eliminate branch firewalls in favour of a simplified branch WAN infrastructure.
There are many reasons why. As network architecture shifts to the cloud, branch offices face new security challenges: the network grows more complex, and more users connect from outside the traditional security perimeter. At the same time, enterprises want the flexibility to cope with a growing number of cloud applications, to open new branches faster and to host new applications more quickly. The traditional network structure, built on MPLS, routers and firewalls, cannot deliver that flexibility because of the cost, complexity and rigidity of the hardware, which was never designed to be part of today's cloud infrastructure.
In response, secure SD-WAN solutions now incorporate firewall capabilities that empower organisations to perform simple and quick deployments without compromising security. By taking advantage of the flexibility of SD-WAN virtual overlays combined with firewall capabilities, organisations can simplify the security function across the LAN, the WAN, and the cloud.
With these secure solutions, network administrators can enjoy the following benefits and more:
· Create zones and restrict access between zones to segment the network based on identity and/or role
· Detect and prevent intrusions, and mitigate DDoS attacks
· Perform deep packet inspection and filter packets based on the application
· Monitor all active network connections
· Encrypt traffic in transit
· Integrate tightly with cloud-delivered security functions such as SWG (secure web gateway), CASB (cloud access security broker) and ZTNA (zero trust network access)
· Log security events
There are four specific reasons to replace branch firewalls with a secure SD-WAN, which is key to fully embracing the cloud-first era with modernised network and security architectures.
1. Delivering all-encompassing security services via secure SD-WAN
Secure SD-WAN solutions incorporate next-generation capabilities such as deep packet inspection, intrusion prevention, DDoS protection, application and access control through identity-based policies, and event logging.
Furthermore, secure SD-WAN can combine heterogeneous links such as MPLS, internet and 5G. Internet and 5G links run over shared infrastructure and offer no confidentiality; MPLS provides private, separated transport, but it does not encrypt traffic either. A secure SD-WAN solution therefore builds IPsec tunnels with AES-256 encryption across the entire SD-WAN fabric, so that traffic between sites is protected from interception and tampering whichever link carries it. When SD-WAN virtual appliances are deployed in public clouds, the same IPsec tunnels are extended to them, carrying corporate security policies into the cloud.
Finally, a secure SD-WAN enforces security policies across the entire fabric by automatically propagating policy changes to branch offices through central orchestration.
Unlike branch firewalls, a secure SD-WAN solution provides additional threat protection while securing untrusted links and seamlessly enforcing security policies across branch offices.
2. Streamline local operations via secure SD-WAN
In the pre-cloud era, branch environments suffered from equipment sprawl and planned obsolescence issues with traditional firewalls, routers, and MPLS. They also required specific IT expertise to install and maintain the equipment, increasing costs, time, and complexity.
Secure SD-WAN solutions integrate the latest firewall technology in addition to offering WAN capabilities such as routing and WAN optimisation so that organisations can consolidate equipment into one single appliance. By reducing equipment sprawl and management, IT can more easily control the network and its security capabilities within a single console instead of supporting multiple disparate management tools.
Furthermore, secure SD-WAN offers zero-touch provisioning: a new branch appliance authenticates to the central orchestrator and pulls its configuration and security policies automatically, so the branch does not need experienced IT personnel on the ground to configure it. Organisations can quickly and easily set up new branch environments, or push security policy changes to potentially thousands of existing branches.
Utilising a thin branch model, secure SD-WAN solutions reduce the burden on branch environments by virtue of easy deployments without sacrificing flexibility or security.
3. Secure SD-WAN smooths the path to the cloud
With most organisations moving critical applications to the cloud, sending the traffic back to the data centre no longer makes sense as it impacts application performance and ultimately the end-user experience. A secure SD-WAN helps eliminate the need to backhaul traffic to the data centre.
Because a secure SD-WAN can identify applications, it can steer traffic to the internet automatically based on predetermined policies, greatly improving performance and user experience. Traffic to a trusted cloud application such as Microsoft 365, Salesforce or RingCentral, as defined by the organisation's security policies, can be sent directly to the SaaS provider, while traffic to untrusted applications is directed first to a cloud-delivered security service before being forwarded to the SaaS provider.
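The steering decision described above, as an added example in Python that is not part of the original article or any vendor's product. It classifies a flow by destination prefix and TLS server name against a constructed application catalogue (the prefixes are RFC 5737 documentation ranges and the trusted-application and internal-prefix lists are assumptions), then chooses between the IPsec overlay, direct internet breakout and the cloud-delivered security service. It also carries the check a practitioner would want: a client-supplied server name alone never earns a direct breakout, because a compromised host can present any name it likes.

```python
"""Application-aware path steering for a branch, as a policy simulation.

Added example, not any vendor's code. The application catalogue, its
destination prefixes (RFC 5737 documentation ranges), the trusted list
and the internal prefixes are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed application signatures. A real appliance classifies with DPI
# (TLS SNI, certificates, first-packet signatures, vendor-maintained prefix
# feeds); here each app is known by server names and destination prefixes.
APP_CATALOGUE = {
    "Microsoft 365": {"hosts": ("outlook.office365.com", "teams.microsoft.com"),
                      "prefixes": ("203.0.113.0/24",)},
    "Salesforce":    {"hosts": ("salesforce.com",), "prefixes": ("198.51.100.0/24",)},
    "RingCentral":   {"hosts": ("ringcentral.com",), "prefixes": ("192.0.2.0/25",)},
    "ERP":           {"hosts": ("erp.corp.example",), "prefixes": ("10.10.0.0/16",)},
}
TRUSTED_SAAS = {"Microsoft 365", "Salesforce", "RingCentral"}  # policy: direct breakout allowed
INTERNAL_APPS = {"ERP"}                                         # policy: stay on the IPsec overlay
# Assumed corporate address space, reached over the overlay to the data centre.
INTERNAL_PREFIXES = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None   # TLS server name as sent by the client


def identify_app(flow: Flow):
    """Return (app, verified). verified is True only when the destination
    prefix matched. The SNI is chosen by the client, so a compromised host
    could present 'outlook.office365.com' while connecting anywhere; the
    prefix check is what stops that from earning a security bypass."""
    addr = ip_address(flow.dst_ip)
    for app, sig in APP_CATALOGUE.items():
        if any(addr in ip_network(p) for p in sig["prefixes"]):
            return app, True
    if flow.sni:
        for app, sig in APP_CATALOGUE.items():
            if any(flow.sni == h or flow.sni.endswith("." + h) for h in sig["hosts"]):
                return app, False
    return None, False


def steer(flow: Flow) -> str:
    """Pick the path: 'overlay' (IPsec fabric to the data centre), 'direct'
    (local internet breakout) or 'cloud-security' (cloud-delivered security
    service first). Unknown or unverified traffic never breaks out directly."""
    app, verified = identify_app(flow)
    addr = ip_address(flow.dst_ip)
    if app in INTERNAL_APPS or any(addr in n for n in INTERNAL_PREFIXES):
        return "overlay"
    if app in TRUSTED_SAAS and verified:
        return "direct"
    return "cloud-security"


if __name__ == "__main__":
    for f in (Flow("203.0.113.10", 443, "outlook.office365.com"),  # genuine M365 prefix
              Flow("192.0.2.200", 443, "outlook.office365.com"),   # spoofed SNI, wrong prefix
              Flow("10.10.5.5", 8443, "erp.corp.example"),         # internal app
              Flow("192.0.2.200", 443, "cdn.unknown.example")):    # unknown SaaS
        print(f, "->", steer(f))
```

The order of the two checks in identify_app is the design point: prefix first, name second, and only a prefix match counts as verified. Swap them, or treat an SNI match as sufficient, and any host on the LAN can route its traffic past the cloud security service simply by naming a trusted SaaS in its TLS handshake.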
Going further, an advanced secure SD-WAN integrates tightly with multiple cloud-security vendors, giving the organisation the freedom to select the best security service and build a best-of-breed SASE architecture. With the offerings available today, a single-vendor SASE solution cannot deliver both best-in-class network and best-in-class security technologies.
Secure SD-WAN solutions support cloud-first organisations by improving performance and security while enabling a best-of-breed SASE architecture approach.
4. Securing IoT devices via micro-segmentation through a secure SD-WAN
Organisations are witnessing a rapid rise in IoT devices connecting to the network, dramatically increasing the attack surface and posing major cybersecurity challenges. IoT devices are typically built on constrained hardware and software and cannot run endpoint security agents. Organisations therefore need a different security approach to protect the network from vulnerable IoT devices.
An advanced secure SD-WAN solution uses its next-generation firewall capabilities to extend security beyond what the SASE architecture provides for cloud-bound traffic, into the branch itself. It can implement zero trust network segmentation based on identity and role-based access control, ensuring that users and IoT devices alike can reach only the network destinations consistent with their roles in the business.
Because SD-WAN virtual overlays map to firewall zones, each zone can be given security policies that limit connectivity to other zones. A policy may, for example, allow a zone only to initiate outbound connections, or allow inbound traffic only from approved applications and services, while blocking all traffic from less trusted zones.
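The zone policy described above, as an added example in Python that is not from the original article or any vendor's configuration. Segment names, zones, ports, rules and the packet sequence are constructed for illustration. It maps overlays and VLANs to zones, applies an ordered first-match rule set with default deny between and within zones, and keeps a session table so that a zone allowed only to initiate outbound connections still receives the replies, while unsolicited inbound traffic to it is dropped.

```python
"""Zone-based micro-segmentation for a branch: overlays and VLANs map to
firewall zones, traffic between zones is denied unless a rule allows it,
and replies are admitted only for sessions a rule has already permitted.

Added example; the segments, zones, ports, rules and packets below are
constructed and are not any vendor's configuration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed mapping of local segments and SD-WAN overlays to zones.
SEGMENT_TO_ZONE = {
    "vlan-10-employees": "users",
    "vlan-20-cameras":   "iot",
    "overlay-dc":        "datacentre",      # IPsec overlay to the data centre
    "overlay-cloud":     "cloud-services",  # IPsec overlay to the cloud VPC
    "underlay-internet": "internet",        # local internet breakout
}


@dataclass(frozen=True)
class Packet:
    src_segment: str
    src_port: int
    dst_segment: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: Optional[frozenset]  # None = any destination port
    action: str                     # "allow" or "deny"


# Ordered, first match wins; anything unmatched is denied. The IoT zone may
# initiate only two things (RTSP to the on-prem recorder, HTTPS to the cloud
# service), has no rule towards users or towards itself, and nothing may
# initiate towards it: the "outbound only" posture the text describes.
POLICY = [
    Rule("users", "users",          None,                 "allow"),
    Rule("users", "datacentre",     None,                 "allow"),
    Rule("users", "cloud-services", frozenset({443}),     "allow"),
    Rule("users", "internet",       frozenset({80, 443}), "allow"),
    Rule("iot",   "datacentre",     frozenset({554}),     "allow"),
    Rule("iot",   "cloud-services", frozenset({443}),     "allow"),
]


class ZoneFirewall:
    def __init__(self, policy, segment_to_zone):
        self.policy = policy
        self.segment_to_zone = segment_to_zone
        self.sessions = set()   # 5-tuples of permitted sessions (stateful return traffic)

    def zone_of(self, segment: str) -> str:
        # An unmapped segment lands in "untrusted", for which no rule exists.
        return self.segment_to_zone.get(segment, "untrusted")

    def evaluate(self, pkt: Packet) -> str:
        # Replies to a session a rule already permitted are admitted without a
        # rule in the reverse direction; this is what lets a zone be
        # "outbound only" and still receive answers.
        reverse = (pkt.dst_segment, pkt.dst_port, pkt.src_segment, pkt.src_port, pkt.proto)
        if reverse in self.sessions:
            return "allow"
        src, dst = self.zone_of(pkt.src_segment), self.zone_of(pkt.dst_segment)
        for rule in self.policy:
            if (rule.src_zone, rule.dst_zone) == (src, dst) and \
               (rule.dst_ports is None or pkt.dst_port in rule.dst_ports):
                if rule.action == "allow":
                    self.sessions.add((pkt.src_segment, pkt.src_port,
                                       pkt.dst_segment, pkt.dst_port, pkt.proto))
                return rule.action
        return "deny"   # default deny between (and within) zones


def demo():
    """Run a constructed packet sequence and return the decisions in order."""
    fw = ZoneFirewall(POLICY, SEGMENT_TO_ZONE)
    packets = [
        Packet("vlan-20-cameras", 40000, "overlay-dc", 554),          # camera -> recorder: allow
        Packet("overlay-dc", 554, "vlan-20-cameras", 40000),          # recorder's reply: allow (stateful)
        Packet("overlay-dc", 51000, "vlan-20-cameras", 22),           # unsolicited SSH to camera: deny
        Packet("vlan-20-cameras", 40001, "vlan-10-employees", 445),   # camera -> user SMB: deny
        Packet("vlan-20-cameras", 40002, "vlan-20-cameras", 80),      # camera -> camera: deny
        Packet("vlan-10-employees", 50000, "underlay-internet", 443), # user -> web: allow
        Packet("vlan-10-employees", 50001, "underlay-internet", 25),  # user -> SMTP direct: deny
        Packet("wifi-guest", 50002, "overlay-dc", 443),               # unmapped segment: deny
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two details carry the security weight. The session lookup happens before the rule scan, so a reply is admitted only when the matching outbound packet was itself allowed by a rule; the same packet arriving with no prior session is evaluated as a fresh inbound connection and, for the IoT zone, denied. And an unmapped segment is not silently treated as trusted: it falls into a zone with no rules and hits the default deny.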