The Benefits of Virtualizing SD-WAN and Security

As more companies adopt SD-WAN technology to enhance the agility of their networking architecture, they must give strong consideration to how and where to apply security across the network. There’s no “one strategy fits all” in terms of which SD-WAN product to implement, and what security model to adopt. In this article, I’ll talk about the approach of consolidating SD-WAN and security as virtual instances within the same hardware.

This approach is only viable for companies that don’t want to implement security in a central location but prefer to distribute it to the branches. For example, retailers with a lot of store locations can benefit from virtualized SD-WAN and security. Companies that fit this model typically have key applications that run at a centralized data center. They use internet VPNs at the branches to connect back to the mothership to access these applications. In addition, they need local access to the public internet in order to offer services such as guest access to the internet. With these requirements in mind, there needs to be some kind of security perimeter at all the remote sites.

For companies that fall into this architectural model, SD-WAN provides the ability to direct traffic over split tunnels to accommodate the security needs. Traffic going from a remote site to the data center, or from one branch to another, is directed over an IPsec tunnel to ensure end-to-end security. Guest traffic at a branch location can go directly to the public internet via another tunnel for things like Facebook or YouTube with minimal application of security.

But to go to the public internet, SD-WAN only provides certain security features. It can do things similar to an access control list (ACL), but there are a lot of limitations to what SD-WAN can do. So, when a security perimeter (like a firewall) is added at every location, it’s easy to over-complicate things. Now, every single policy is specific to a site. Consequently, it’s easy to end up with policy mismatches between sites because there are completely separate security devices at every one of these locations. What’s more, the cost of hardware and managing physical devices grows with each new branch.

An alternative to local devices is the full virtual security that is natively integrated with an SD-WAN. Versa, for example, allows customers to run a Palo Alto, Check Point or Fortinet virtual firewall on the same hardware device as the SD-WAN. The big value in consolidating to just one device is the ability to manage the two environments – the SD-WAN and the security environment – out of a single platform. Now, the management of security as well as the management of SD-WAN is fully centralized.

Virtualization increases agility

Virtualizing security makes it possible to move from a configuration-based security model to a templatized security model. The organization can build a template with all its ACLs and security policies and then push it to the entire network environment. Every time there is an update, it can be done on the central platform and simply be pushed out to the branches. This eliminates the mismatch between locations’ security policies as well as the complicated nature of physically logging into firewalls at every location to make changes.
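The mismatch problem described above can be checked mechanically once a central template exists. The following sketch is an added example, not code from the article or from any SD-WAN vendor; the rule fields, zone names and site names are hypothetical, and the running configurations are constructed sample data.

```python
import hashlib
import json

# Constructed central template: one ordered rule list shared by every branch.
# Zone names and rule fields are hypothetical, not any vendor's schema.
TEMPLATE = [
    {"src": "corp", "dst": "datacenter", "action": "ipsec-tunnel"},
    {"src": "corp", "dst": "branch", "action": "ipsec-tunnel"},
    {"src": "guest", "dst": "internet", "action": "local-breakout"},
    {"src": "guest", "dst": "any", "action": "deny"},
    {"src": "any", "dst": "any", "action": "deny"},
]

def fingerprint(rules):
    """Order-sensitive hash: rule order matters for first-match policies."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_rules(template, running):
    """Return (index, expected, actual) for every position that differs."""
    out = []
    for i in range(max(len(template), len(running))):
        exp = template[i] if i < len(template) else None
        act = running[i] if i < len(running) else None
        if exp != act:
            out.append((i, exp, act))
    return out

def audit(template, sites):
    """Map site name -> deviations; sites matching the template are omitted."""
    want = fingerprint(template)
    return {name: diff_rules(template, rules)
            for name, rules in sites.items()
            if fingerprint(rules) != want}

# Constructed running configs: store-17 was hand-edited on its local firewall.
SITES = {
    "store-01": [dict(r) for r in TEMPLATE],
    "store-17": [dict(r) for r in TEMPLATE[:3]]
                + [{"src": "guest", "dst": "any", "action": "allow"}]
                + [dict(r) for r in TEMPLATE[4:]],
}

if __name__ == "__main__":
    for site, deviations in audit(TEMPLATE, SITES).items():
        for idx, exp, act in deviations:
            print(f"{site}: rule {idx} expected {exp} but found {act}")
```

Here the drifted site has turned the guest catch-all from deny into allow, which would let guest traffic reach internal destinations; re-pushing the template restores the intended rule.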

When the SD-WAN and security are both software-defined, the underlying hardware can be an x86 white box. At that point, the hardware is an investment that can be reused to run anything. This provides the flexibility for the organization to change its SD-WAN, or its security, without having to pay for new hardware. Of course, in the scheme of things, the software licenses tend to be the more expensive part of the equation, not the hardware. Nevertheless, there’s a bit of a cost benefit from commoditizing the underlying hardware.

Virtualization increases agility for companies that need to turn up or turn down sites often. For example, think about engineering or construction companies that need to support an office or showroom at a project site. The office might only be needed for six months to a year. It must be connected to the WAN for that short time period, then disconnected when the project is done. The company can have a runbook where temporary locations get a plain server and the virtualized SD-WAN and security licenses are migrated onto that server for the short time needed. The site can be turned up quickly without having to pack and ship a physical firewall, which would have to be packed up and shipped out once again at the end of the project.

There’s another aspect to the split tunneling mentioned earlier. Many companies are increasing their use of cloud services like Office 365, which come with their own security features. For people in the branches who use such applications, the traffic going between the branch and the application service is encrypted, so the company doesn’t necessarily need to apply a lot of security measures. Some may choose to deploy a CASB, or cloud-based security. Deploying the security perimeter at the SD-WAN device and having the ability to run a CASB-type of license at the edge adds a lot of value.

Virtualization provides significant benefits to companies that host a large percentage of their applications across different regions in the cloud. Consider the global company that has critical business applications on AWS in North America, Asia Pacific and Europe. Virtual edge SD-WAN devices and virtual security platforms can be deployed on these AWS instances such that they become an actual part of the company’s WAN rather than being an outside resource. This approach greatly increases cloud application performance while maintaining a consistent way to enforce security on enterprise applications.

To sum it up, companies with a lot of branches can benefit from virtualizing their SD-WAN and security in one device and using templates to push security to each location. This model reduces hardware costs, simplifies security management, and increases flexibility for the entire organization.

By Hamza Seqqat
