The Benefits of Virtualizing SD-WAN and Security

Benefits of Virtualizing SD-WAN

As more companies adopt SD-WAN technology to enhance the agility of their networking architecture, they must give strong consideration to how and where to apply security across the network. There’s no one-size-fits-all answer to which SD-WAN product to implement or which security model to adopt. In this article, I’ll talk about the approach of consolidating SD-WAN and security as virtual instances on the same hardware.

This approach is only viable for companies that don’t want to implement security in a central location but prefer to distribute it to the branches. For example, retailers with a lot of store locations can benefit from virtualized SD-WAN and security. Companies that fit this model typically have key applications that run at a centralized data center. They use internet VPNs at the branches to connect back to the mothership to access these applications. In addition, they need local access to the public internet in order to offer services such as guest internet access. With these requirements in mind, there needs to be some kind of security perimeter at every remote site.

For companies that fall into this architectural model, SD-WAN provides the ability to direct traffic over split tunnels to accommodate the security needs. Traffic going from a remote site to the data center, or from one branch to another, is directed over an IPsec tunnel to ensure end-to-end security. Guest traffic at a branch location can go directly to the public internet over a separate path for things like Facebook or YouTube, with minimal security applied.

For traffic going directly to the public internet, however, SD-WAN itself provides only limited security features. It can do things similar to an access control list (ACL), but there are a lot of limitations to what SD-WAN can do on its own. So, when a security perimeter (like a firewall) is added at every location, it’s easy to over-complicate things. Now, every single policy is specific to a site. Consequently, it’s easy to end up with policy mismatches between sites because there are completely separate security devices at every one of these locations. What’s more, the cost of hardware and of managing physical devices grows with each new branch.

An alternative to separate local devices is fully virtualized security that is natively integrated with the SD-WAN. Versa, for example, allows customers to run a Palo Alto, Check Point or Fortinet virtual firewall on the same hardware device as the SD-WAN. The big value in consolidating to just one device is the ability to manage the two environments – the SD-WAN and the security environment – out of a single platform. Now, the management of security as well as the management of SD-WAN is fully centralized.

Virtualization increases agility

Virtualizing security makes it possible to move from a configuration-based security model to a templatized security model. The organization can build a template with all its ACLs and security policies and then push it to the entire network environment. Every time there is an update, it can be done on the central platform and simply be pushed out to the branches. This eliminates the mismatch between locations’ security policies as well as the complicated nature of physically logging into firewalls at every location to make changes.
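The two mechanisms described above, split-tunnel steering per traffic class and a single central policy template rendered per branch, as an added illustrative example (not Versa’s or any vendor’s code). Site names, zones and rule names are constructed; the drift check shows how centrally rendered templates make the per-site policy mismatches the article warns about detectable.

```python
# Added example, not from the original article or any vendor: one central
# policy template rendered per branch, a first-match steering lookup, and a
# drift check against what each site is actually running. All names are constructed.
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str, Optional[str], str]

# Template rule: (name, source zone, destination class, tunnel, inspection).
# "{site}" placeholders are filled at render time; everything else is fixed centrally.
TEMPLATE: List[Rule] = [
    ("corp-to-dc",   "corp-{site}",  "datacenter", "ipsec-hub",  "full"),
    ("corp-to-site", "corp-{site}",  "branch",     "ipsec-mesh", "full"),
    ("guest-to-web", "guest-{site}", "internet",   "direct",     "url-filter"),
    ("guest-to-dc",  "guest-{site}", "datacenter", None,         "deny"),
]

def render(site: str) -> List[Rule]:
    """Fill the template for one site; this is what the central platform pushes out."""
    return [(n, src.format(site=site), dst, tun, insp) for n, src, dst, tun, insp in TEMPLATE]

def steer(policy: List[Rule], src_zone: str, dst_class: str) -> Tuple[Optional[str], str]:
    """First-match lookup: which tunnel a flow takes and how much inspection it gets.
    A flow matching no rule is denied, so a missing rule fails closed rather than leaking."""
    for _, src, dst, tunnel, inspection in policy:
        if src == src_zone and dst == dst_class:
            return tunnel, inspection
    return None, "deny"

def drift(running: Dict[str, List[Rule]]) -> List[str]:
    """Compare each site's running policy with a fresh render of the template and
    report rules that were edited locally, removed, or added outside the template."""
    findings: List[str] = []
    for site, rules in running.items():
        expected = {r[0]: r for r in render(site)}
        actual = {r[0]: r for r in rules}
        for name, rule in expected.items():
            if name not in actual:
                findings.append(f"{site}: rule {name} missing")
            elif actual[name] != rule:
                findings.append(f"{site}: rule {name} differs {actual[name][3:]} != {rule[3:]}")
        for name in actual.keys() - expected.keys():
            findings.append(f"{site}: unexpected local rule {name}")
    return findings

if __name__ == "__main__":
    # Constructed sample: store-102 was edited by hand and now tunnels guest traffic to the DC.
    running = {"store-101": render("store-101"), "store-102": render("store-102")}
    running["store-102"][3] = ("guest-to-dc", "guest-store-102", "datacenter", "ipsec-hub", "full")
    print(steer(running["store-101"], "guest-store-101", "internet"))
    for finding in drift(running):
        print(finding)
```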

When the SD-WAN and security are both software-defined, the underlying hardware can be an x86 white box. At that point, the hardware is an investment that can be reused to run anything. This gives the organization the flexibility to change its SD-WAN, or its security, without having to pay for new hardware. Of course, in the scheme of things, the software licenses tend to be the more expensive part of the equation, not the hardware. Nevertheless, there’s a bit of a cost benefit from commoditizing the underlying hardware.

Virtualization increases agility for companies that need to turn up or turn down sites often. For example, think about engineering or construction companies that need to support an office or showroom at a project site. The office might only be needed for six months to a year. It must be connected to the WAN for that short time period, then disconnected when the project is done. The company can have a runbook where temporary locations get a plain server and the virtualized SD-WAN and security licenses are migrated onto that server for the short time needed. The site can be turned up quickly without having to pack and ship a physical firewall, which would have to be packed up and shipped out once again at the end of the project.

There’s another aspect to the split tunneling mentioned earlier. Many companies are increasing their use of cloud services like Office 365, which come with their own security features. For people in the branches who use such applications, the traffic going between the branch and the application service is encrypted, so the company doesn’t necessarily need to apply a lot of additional security measures. Some may choose to deploy a CASB (cloud access security broker) or other cloud-delivered security. Deploying the security perimeter at the SD-WAN device and having the ability to run a CASB-type license at the edge adds a lot of value.

Virtualization provides significant benefits to companies that host a large percentage of their applications across different regions in the cloud. Consider the global company that has critical business applications on AWS in North America, Asia Pacific and Europe. Virtual edge SD-WAN devices and virtual security platforms can be deployed on these AWS instances such that they become an actual part of the company’s WAN rather than being an outside resource. This approach greatly increases cloud application performance while maintaining a consistent way to enforce security on enterprise applications.

To sum it up, companies with a lot of branches can benefit from virtualizing their SD-WAN and security in one device and using templates to push security to each location. This model reduces hardware costs, simplifies security management, and increases flexibility for the entire organization.

By Hamza Seqqat
