Benefits of Virtualizing SD-WAN
As more companies adopt SD-WAN technology to enhance the agility of their networking architecture, they must give strong consideration to how and where to apply security across the network. There’s no “one strategy fits all” in terms of which SD-WAN product to implement, and what security model to adopt. In this article, I’ll talk about the approach of consolidating SD-WAN and security as virtual instances within the same hardware.
This approach suits companies that do not want to concentrate security in a central location but prefer to distribute it to the branches. Retailers with many store locations are a typical example. Companies that fit this model usually run their key applications in a centralized data center and use internet VPNs at the branches to reach those applications. In addition, they need local access to the public internet at each branch in order to offer services such as guest internet access. With these requirements in mind, some kind of security perimeter is needed at every remote site.
For companies that fall into this architectural model, SD-WAN provides split tunneling: traffic is steered onto different paths according to policy, so that each class of traffic gets the security treatment it needs. Traffic going from a remote site to the data center, or from one branch to another, is directed over an IPsec tunnel, which protects it end-to-end in transit. Guest traffic at a branch location breaks out directly to the public internet over the local link for things like Facebook or YouTube, with only minimal security applied.
For traffic going to the public internet, however, SD-WAN itself provides only limited security features. It can do something similar to an access control list (ACL), but beyond that its capabilities are narrow. So when a security perimeter (such as a firewall) is added at every location, it is easy to over-complicate things. Now every policy is specific to a site. Consequently, policy mismatches between sites creep in, because each location has a completely separate security device with its own configuration. What's more, the cost of hardware and of managing physical devices grows with each new branch.
An alternative to separate local devices is fully virtualized security that is natively integrated with the SD-WAN. Versa, for example, allows customers to run a Palo Alto, Check Point or Fortinet virtual firewall on the same hardware device as the SD-WAN. The big value in consolidating onto one device is the ability to manage both environments, the SD-WAN and the security environment, from a single platform. Management of security, as well as management of the SD-WAN, is then fully centralized.
Virtualization increases agility
Virtualizing security makes it possible to move from a per-device configuration model to a templatized security model. The organization builds a template containing all of its ACLs and security policies, with site-specific values (subnets, local breakout links) filled in per branch, and pushes it to the entire network. Every update is made once on the central platform and pushed out to the branches. This eliminates policy mismatches between locations, as well as the tedium of logging into the firewall at every site to make the same change by hand.
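To make the split-tunnel policy and the template-push model concrete, here is an added example written for this article; it is not the configuration model of Versa, Palo Alto, Check Point or Fortinet. The rule fields, the site variables, the `saas:o365` destination tag and the "running config" of the sample store are all assumptions chosen for illustration. One central template is rendered per site, flows are evaluated first-match like an ACL (corporate to data center over IPsec, guest to the web via local breakout, guest to anything internal denied), and a drift check compares what a site is actually running against what the template says it should run.

```python
"""Templatized branch security policy with split-tunnel evaluation and drift detection.

Added illustration, not vendor code. Rule format, site variables and the
"saas:o365" tag are assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
from typing import Any, Dict, List, Tuple

Rule = Dict[str, Any]

# Central template. First match wins, like an ACL, so rule order is part of the policy.
# {placeholders} are filled from each site's variables when the template is rendered.
POLICY_TEMPLATE: List[Rule] = [
    {"name": "corp-to-dc", "src": "{corp_subnet}", "dst": "{dc_prefix}", "path": "ipsec", "action": "allow"},
    {"name": "corp-to-branches", "src": "{corp_subnet}", "dst": "{branch_aggregate}", "path": "ipsec", "action": "allow"},
    {"name": "corp-to-saas", "src": "{corp_subnet}", "dst": "saas:o365", "path": "local", "action": "allow"},
    {"name": "guest-no-dc", "src": "{guest_subnet}", "dst": "{dc_prefix}", "path": "local", "action": "deny"},
    {"name": "guest-no-branches", "src": "{guest_subnet}", "dst": "{branch_aggregate}", "path": "local", "action": "deny"},
    {"name": "guest-web", "src": "{guest_subnet}", "dst": "0.0.0.0/0", "path": "local", "action": "allow", "ports": [80, 443]},
    {"name": "default-deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "path": "local", "action": "deny"},
]

# Constructed site inventory (assumed addressing, not from any real network).
SITES: Dict[str, Dict[str, str]] = {
    "store-042": {
        "name": "store-042",
        "corp_subnet": "10.42.0.0/24",
        "guest_subnet": "192.168.42.0/24",
        "dc_prefix": "10.0.0.0/16",
        "branch_aggregate": "10.0.0.0/8",
    },
}


def render(site: Dict[str, str]) -> List[Rule]:
    """Fill the template for one site and sanity-check the result before it is pushed."""
    rules = [{k: (v.format(**site) if isinstance(v, str) else v) for k, v in r.items()}
             for r in POLICY_TEMPLATE]
    corp = ipaddress.ip_network(site["corp_subnet"])
    guest = ipaddress.ip_network(site["guest_subnet"])
    if corp.overlaps(guest):
        raise ValueError(f"{site['name']}: guest and corporate subnets overlap")
    return rules


def _dst_matches(rule_dst: str, dst: str) -> bool:
    # SaaS tags only match an explicit tag rule or the catch-all 0.0.0.0/0.
    if rule_dst.startswith("saas:"):
        return rule_dst == dst
    if dst.startswith("saas:"):
        return rule_dst == "0.0.0.0/0"
    return ipaddress.ip_address(dst) in ipaddress.ip_network(rule_dst)


def evaluate(rules: List[Rule], src: str, dst: str, port: int = 443) -> Tuple[str, str]:
    """Return (path, action) for one flow under first-match semantics."""
    for r in rules:
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r["src"]):
            continue
        if not _dst_matches(r["dst"], dst):
            continue
        if "ports" in r and port not in r["ports"]:
            continue
        return r["path"], r["action"]
    return "local", "deny"  # implicit deny if a rendered policy somehow lacks one


def drift(expected: List[Rule], deployed: List[Rule]) -> List[str]:
    """Report every way a site's running policy differs from the rendered template."""
    findings: List[str] = []
    exp = {r["name"]: r for r in expected}
    dep = {r["name"]: r for r in deployed}
    for name in sorted(exp.keys() - dep.keys()):
        findings.append(f"missing rule {name}")
    for name in sorted(dep.keys() - exp.keys()):
        findings.append(f"unexpected local rule {name}")
    for name in (r["name"] for r in expected if r["name"] in dep):
        for field in sorted(exp[name].keys() | dep[name].keys()):
            if exp[name].get(field) != dep[name].get(field):
                findings.append(f"{name}: {field} is {dep[name].get(field)!r}, "
                                f"template says {exp[name].get(field)!r}")
    common = [r["name"] for r in expected if r["name"] in dep]
    if [r["name"] for r in deployed if r["name"] in exp] != common:
        findings.append("rule order differs from template")
    return findings


def deployed_store_042() -> List[Rule]:
    """Constructed 'running config' of one site after someone edited the box by hand."""
    rules = [dict(r) for r in render(SITES["store-042"])]
    rules[5].pop("ports")      # guest-web opened to every port
    rules = rules[:-1]         # default-deny removed
    rules.append({"name": "temp-vendor", "src": "192.168.42.0/24", "dst": "10.0.5.0/24",
                  "path": "ipsec", "action": "allow"})
    return rules


if __name__ == "__main__":
    policy = render(SITES["store-042"])
    print(evaluate(policy, "10.42.0.10", "10.0.1.5"))        # corporate to DC: ipsec / allow
    print(evaluate(policy, "192.168.42.7", "10.0.1.5"))      # guest to DC: local / deny
    for finding in drift(policy, deployed_store_042()):
        print("DRIFT", finding)
```

The drift check is the part a centrally managed deployment actually relies on: once every site is supposed to be running a rendering of the same template, any difference between the rendered policy and what the device reports is a finding, whether it is a missing default-deny, a hand-added rule, or a loosened port list.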
When the SD-WAN and security are both software-defined, the underlying hardware can be an x86 white box. At that point, the hardware is an investment that can be reused to run anything. This provides the flexibility for the organization to change its SD-WAN, or its security, without having to pay for new hardware. Of course, in the scheme of things, the software licenses tend to be the more expensive part of the equation; not the hardware. Nevertheless, there’s a bit of a cost benefit from commoditizing the underlying hardware.
Virtualization also increases agility for companies that turn sites up and down often. Think of engineering or construction companies that need an office or showroom at a project site for only six months to a year. It must be connected to the WAN for that short period and disconnected when the project ends. The company can keep a runbook in which a temporary location receives a plain server and the virtualized SD-WAN and security licenses are migrated onto it for the time needed. The site comes up quickly, and nobody has to pack and ship a physical firewall out at the start of the project and back again at the end.
There is another aspect to the split tunneling mentioned earlier. Many companies are increasing their use of cloud services such as Office 365, which come with their own security features. For people in the branches who use such applications, the traffic between the branch and the service is encrypted in transit, so a branch firewall sees little it can inspect and the company does not necessarily need to apply many additional controls on that path. Some may choose to deploy a CASB or other cloud-delivered security for visibility into that SaaS usage. Placing the security perimeter on the SD-WAN device and being able to run a CASB-type license at the edge adds a lot of value.
Virtualization provides significant benefits to companies that host a large percentage of their applications in the cloud across different regions. Consider a global company with critical business applications on AWS in North America, Asia Pacific and Europe. Virtual SD-WAN edge devices and virtual security platforms can be deployed in those AWS environments so that they become part of the company's WAN rather than an outside resource. Cloud traffic then follows the same path selection and the same security policy as traffic to the data center, which improves application performance while keeping enforcement consistent across enterprise applications.
To sum up, companies with many branches can benefit from virtualizing SD-WAN and security on one device and using templates to push security policy to each location. This model reduces hardware costs, simplifies security management, and increases flexibility for the entire organization.
By Hamza Seqqat