Are You Compromising on Security for SD-WAN Connectivity?

The Gartner SD-WAN forecast predicts that by 2025, 65% of enterprises will have implemented SD-WAN—up from 30% in 2020[1]. SD-WANs enable organizations to connect branch locations to the main data center, to each other, and to the cloud more easily and cost-effectively than by extending traditional MPLS networks. Users in branch locations can access cloud assets directly from local internet links, without requiring network traffic to be backhauled to a data center first. Direct access also improves application performance and reduces cost.

The trade-off is security. More locations, users, and connections increase an organization’s attack surface. Although traffic avoids backhaul to a centralized data center, it also bypasses centralized data center security and makes it difficult for IT and security teams to have visibility into suspicious activity at branch locations. Although most SD-WAN vendors include basic security, organizations have to patch together disparate solutions to fill the gaps. A better approach is industry-leading security protection integrated with the SD-WAN. Look for an integrated solution that provides

• Reliable, secure connectivity for every path

• Full, enterprise-grade security embedded into the wide-area branch network

• Simple deployment and management

Reliable, Secure Connectivity

An integrated SD-WAN security solution reliably secures both incoming and outgoing branch traffic. It connects branch offices with on-premises and cloud data centers using a secure, resilient overlay (VPN) network. 

Figure 1. A secure overlay network connects locations and traffic

Support Multiple Links

The overlay network must support MPLS, 4G LTE and 5G wireless, and broadband internet links. Combining links delivers more bandwidth and enables efficient path selection based on application, performance requirements, link cost, or other attributes.

Monitor Link Health

Look for a solution with continuous monitoring to detect brownouts (degraded links) or outright failures, dynamically select the next best paths, and automate link swapping.

Aggregate Bandwidth

Dynamic bandwidth aggregation avoids the need to designate redundant tunnels that sit idle in active/standby mode until needed.

Enable a Self-Healing WAN

A self-healing WAN is designed to dynamically compensate for routing or packet forwarding errors and prevent network outages from affecting application performance. The network must be able to alert teams about issues while adapting devices, services, and traffic patterns to avoid disruption.

Steer Traffic Automatically

Look for an integrated SD-WAN security solution that intelligently identifies applications, users, and WAN links to determine the best route and steer traffic accordingly.

Enterprise-Grade Security Services

Organizations should never have to compromise on security for SD-WANs.

Deploy a Full Security Stack

Look for outstanding inspection, advanced threat prevention and a full enterprise security stack for branches. These features include next-generation firewall, application control, URL filtering, antivirus, threat emulation and extraction, DLP, and anti-bot features. In addition, SSL inspection delivers visibility into encrypted traffic.

Essential Threat Prevention

Prevention includes industry-leading attack detection and fast blocking of attackers. The best protection will be powered by big-data global threat intelligence and an AI engine to continuously catch known and zero-day threats.

Simplified Management

Look for an integrated solution that is easy to configure, deploy, and scale as needed.

Ensure Consistency Everywhere

Unified management features are non-negotiable. Teams need fine-grained visibility across data centers, branch offices, remote users, links, cloud assets, and applications. Customizing policy should be easy and intuitive. Centralized visibility ensures that security defenses and policy enforcement are consistent everywhere.

Unify Steering Policy

The solution should enable teams to set steering policy for applications, users, devices, and networks on the overlay and local breakout networks. Customization should be as simple as defining the source (users, groups, devices, or networks) and assigning the relevant steering behavior.

Look for Advanced Monitoring

Teams need live monitoring of link SLAs, analytics on link swaps, and overall network health. Advanced monitoring lets them respond quickly to issues that can affect branch connectivity and application performance.

Establish SLA Thresholds

The solution should monitor application traffic, bandwidth, and link utilization to calculate packet loss, latency and jitter on all the paths to traffic destinations. With this information, teams can define Service Level Agreement (SLA) classes for application and user-aware traffic.
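The link-health monitoring, automatic steering and SLA-class passages above describe one control loop: probe each WAN path, derive loss, latency and jitter from the probe window, compare the result against the SLA class an application belongs to, and steer traffic onto the cheapest compliant link (raising an alert when none qualifies). The following Python sketch is an added illustration of that loop, not Check Point code and not any vendor's implementation. The probe samples, SLA thresholds and link costs are constructed values; the jitter figure is the mean absolute difference between consecutive successful round-trip times, a simplification of the RFC 3550 estimator.

```python
"""Added example: SLA-class path selection from link-health probes.

Illustrative code only; it is not part of the original article and not a
vendor implementation. All inputs below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SlaClass:
    """Thresholds a path must satisfy to carry traffic of this class."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class LinkMetrics:
    loss_pct: float
    latency_ms: float
    jitter_ms: float


def measure(probe_rtts: List[Optional[float]]) -> LinkMetrics:
    """Derive loss, mean latency and jitter from one probe window.

    A None entry is a probe that timed out (counted as lost). Jitter is the
    mean absolute difference between consecutive successful RTTs. A window
    with no successful probe yields infinite latency/jitter so it can never
    satisfy an SLA class.
    """
    sent = len(probe_rtts)
    got = [r for r in probe_rtts if r is not None]
    loss_pct = 100.0 * (sent - len(got)) / sent
    if not got:
        return LinkMetrics(loss_pct, float("inf"), float("inf"))
    diffs = [abs(a - b) for a, b in zip(got, got[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return LinkMetrics(loss_pct, mean(got), jitter)


def meets_sla(m: LinkMetrics, sla: SlaClass) -> bool:
    return (m.loss_pct <= sla.max_loss_pct
            and m.latency_ms <= sla.max_latency_ms
            and m.jitter_ms <= sla.max_jitter_ms)


def select_path(links: Dict[str, LinkMetrics], sla: SlaClass,
                cost: Dict[str, int]) -> Optional[str]:
    """Pick the cheapest link that meets the SLA; ties go to lower latency.

    Returns None when no link qualifies, which is the condition the text
    says must raise an alert rather than silently degrade the application.
    """
    eligible = [name for name, m in links.items() if meets_sla(m, sla)]
    if not eligible:
        return None
    return min(eligible, key=lambda n: (cost[n], links[n].latency_ms))


def plan(probes: Dict[str, List[Optional[float]]], slas: List[SlaClass],
         cost: Dict[str, int]) -> Dict[str, Optional[str]]:
    """One monitoring cycle: measure every link, then steer each SLA class."""
    links = {name: measure(window) for name, window in probes.items()}
    return {sla.name: select_path(links, sla, cost) for sla in slas}


# Constructed probe windows (RTT in ms, None = timed out) for three links.
PROBES: Dict[str, List[Optional[float]]] = {
    "mpls": [18.0, 22.0] * 5,                        # steady, low jitter
    "broadband": [30.0, 70.0] * 5,                   # lossless but jittery
    "lte": [None, 80.0, 80.0, 80.0, None] + [80.0] * 5,  # 20% loss
}

# Constructed SLA classes; "strict-test" is deliberately unsatisfiable.
SLA_CLASSES = [
    SlaClass("voice", max_loss_pct=1.0, max_latency_ms=150.0, max_jitter_ms=30.0),
    SlaClass("bulk", max_loss_pct=5.0, max_latency_ms=300.0, max_jitter_ms=80.0),
    SlaClass("strict-test", max_loss_pct=0.0, max_latency_ms=10.0, max_jitter_ms=1.0),
]

# Constructed relative link costs (lower is cheaper).
LINK_COST = {"mpls": 3, "broadband": 1, "lte": 2}


if __name__ == "__main__":
    for name, window in PROBES.items():
        print(name, measure(window))
    for sla_name, path in plan(PROBES, SLA_CLASSES, LINK_COST).items():
        print(f"{sla_name}: {path or 'NO COMPLIANT PATH - alert'}")
```

With the constructed data, voice lands on MPLS (the only link within the jitter bound), bulk traffic takes the cheaper broadband link, and the unsatisfiable class returns no path, which is where a real controller would alert and fall back to a best-effort policy. A production controller would run this per destination, smooth the metrics over several windows to avoid flapping between links, and log every swap so operations teams can audit steering decisions.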

About the author:

Harish Kumar GS is the Head of Sales, India and SAARC at Check Point Software Technologies.