Infosec thought leaders


The Benefits of Virtualizing SD-WAN and Security


As more companies adopt SD-WAN technology to enhance the agility of their networking architecture, they must give strong consideration to how and where to apply security across the network. There’s no “one strategy fits all” in terms of which SD-WAN product to implement, and what security model to adopt. In this article, I’ll talk about the approach of consolidating SD-WAN and security as virtual instances within the same hardware.

This approach is only viable for companies that don’t want to implement security in a central location but prefer to distribute it to the branches. For example, retailers with a lot of store locations can benefit from virtualized SD-WAN and security. Companies that fit this model typically have key applications that run at a centralized data center. They use internet VPNs at the branches to connect back to the mothership to access these applications. In addition, they need local access to the public internet in order to offer services such as guest access to the internet. With these requirements in mind, there needs to be some kind of security perimeter at all the remote sites.

Benefits of Virtualizing SD-WAN

For companies that fall into this architectural model, SD-WAN provides the ability to direct traffic over split tunnels to accommodate the security needs. Traffic going from a remote site to the data center, or from one branch to another, is directed over an IPsec tunnel to ensure end-to-end security. Guest traffic at a branch location can go direct to the public internet via another tunnel for things like Facebook or YouTube with minimal application of security.

For traffic going direct to the public internet, however, SD-WAN provides only limited security features. It can do things similar to an access control list (ACL), but there are a lot of limitations to what SD-WAN can do. So, when a security perimeter (like a firewall) is added at every location, it’s easy to over-complicate things. Now, every single policy is specific to a site. Consequently, it’s easy to end up with policy mismatches between sites because there are completely separate security devices at every one of these locations. What’s more, the cost of hardware and managing physical devices grows with each new branch.

An alternative to local devices is the full virtual security that is natively integrated with an SD-WAN. Versa, for example, allows customers to run a Palo Alto, Check Point or Fortinet virtual firewall on the same hardware device as the SD-WAN. The big value in consolidating to just one device is the ability to manage the two environments – the SD-WAN and the security environment – out of a single platform. Now, the management of security as well as the management of SD-WAN is fully centralized.

Virtualization increases agility

Virtualizing security makes it possible to move from a configuration-based security model to a templatized security model. The organization can build a template with all its ACLs and security policies and then push it to the entire network environment. Every time there is an update, it can be done on the central platform and simply be pushed out to the branches. This eliminates the mismatch between locations’ security policies as well as the complicated nature of physically logging into firewalls at every location to make changes.
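The split-tunnel ACL model and the templatized policy model described above, as an added example that is not code from the article or from any SD-WAN vendor: one central template is rendered per branch with that site’s LAN prefixes, evaluated first-match for a flow, and compared against what a branch actually runs so that a hand-edited site shows up as drift instead of being discovered by logging into its firewall. All prefixes, site names and the tampered rule are constructed sample values.

```python
import ipaddress

# One central template for every branch. Placeholders are filled per site.
# Each rule is (src, dst, action, path). Constructed sample prefixes; 10.0.0.0/8
# stands for the data center plus every branch LAN, 0.0.0.0/0 for the public internet.
TEMPLATE = [
    ("{corp_lan}",  "10.0.0.0/8", "permit", "ipsec"),   # DC and branch-to-branch over IPsec
    ("{corp_lan}",  "0.0.0.0/0",  "deny",   None),      # corp users reach the internet only via DC
    ("{guest_lan}", "10.0.0.0/8", "deny",   None),      # guests never touch the corporate WAN
    ("{guest_lan}", "0.0.0.0/0",  "permit", "direct"),  # guest split tunnel straight to the internet
]

# Constructed site inventory: the only per-site input the template needs.
SITES = {
    "store-042": {"corp_lan": "10.42.0.0/24", "guest_lan": "192.168.42.0/24"},
    "store-077": {"corp_lan": "10.77.0.0/24", "guest_lan": "192.168.77.0/24"},
}

def render(site):
    """Expand the template placeholders with one site's LAN prefixes."""
    return [tuple(f.format(**site) if isinstance(f, str) else f for f in rule)
            for rule in TEMPLATE]

def lookup(rules, src_ip, dst_ip):
    """First-match ACL evaluation: returns (action, path) for a flow, default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule_src, rule_dst, action, path in rules:
        if src in ipaddress.ip_network(rule_src) and dst in ipaddress.ip_network(rule_dst):
            return action, path
    return "deny", None

def drift(rendered, deployed):
    """Rules present in only one of the two sets: the site no longer matches the template."""
    return sorted(set(rendered) ^ set(deployed), key=repr)

def audit(sites, deployed_by_site):
    """Map site name -> drift list; an empty list means the site matches the central template."""
    return {name: drift(render(cfg), deployed_by_site.get(name, render(cfg)))
            for name, cfg in sites.items()}

# Constructed "deployed" config for store-077 where someone hand-edited the local box and
# let guests into the corporate range: exactly the mismatch the audit should surface.
DEPLOYED_077 = render(SITES["store-077"])
DEPLOYED_077[2] = ("192.168.77.0/24", "10.0.0.0/8", "permit", "ipsec")

if __name__ == "__main__":
    for site, diff in audit(SITES, {"store-077": DEPLOYED_077}).items():
        print(site, "OK" if not diff else f"DRIFT {diff}")
```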

When the SD-WAN and security are both software-defined, the underlying hardware can be an x86 white box. At that point, the hardware is an investment that can be reused to run anything. This provides the flexibility for the organization to change its SD-WAN, or its security, without having to pay for new hardware. Of course, in the scheme of things, the software licenses tend to be the more expensive part of the equation; not the hardware. Nevertheless, there’s a bit of a cost benefit from commoditizing the underlying hardware.

Virtualization increases agility for companies that need to turn up or turn down sites often. For example, think about engineering or construction companies that need to support an office or showroom at a project site. The office might only be needed for six months to a year. It must be connected to the WAN for that short time period, then disconnected when the project is done. The company can have a runbook where temporary locations get a plain server and the virtualized SD-WAN and security licenses are migrated onto that server for the short time needed. The site can be turned up quickly without having to pack and ship a physical firewall, which would have to be packed up and shipped out once again at the end of the project.

There’s another aspect to the split tunneling mentioned earlier. Many companies are increasing their use of cloud services like Office 365 which come with their own security features. For people in the branches who use such applications, the traffic going between the branch and the application service is encrypted, so the company doesn’t necessarily need to apply a lot of security measures. Some may choose to deploy a CASB (cloud access security broker) or other cloud-based security. Deploying the security perimeter at the SD-WAN device and having the ability to run a CASB-type of license at the edge adds a lot of value.

Virtualization provides significant benefits to companies that host a large percentage of their applications across different regions in the cloud. Consider the global company that has critical business applications on AWS in North America, Asia Pacific and Europe. Virtual edge SD-WAN devices and virtual security platforms can be deployed on these AWS instances such that they become an actual part of the company’s WAN rather than being an outside resource. This approach greatly increases cloud application performance while maintaining a consistent way to enforce security on enterprise applications.

To sum it up, companies with a lot of branches can benefit from virtualizing their SD-WAN and security in one device and using templates to push security to each location. This model reduces hardware costs, simplifies security management, and increases flexibility for the entire organization.

By Hamza Seqqat

Hamza Seqqat

Hamza Seqqat, Director of Solutions Architecture, Apcela

Leading Apcela’s solutions architecture efforts, Hamza is responsible for collaborating with customers to design cloud-ready, next-gen solutions. While his core responsibility is supporting a team of solutions consultants and working closely with enterprise customers, he also works with Apcela’s product team to develop new offerings. Prior to joining Apcela, Hamza designed and deployed the core network infrastructure for large carriers including: Time Warner Cable, Charter and Windstream. Additionally, he designed and deployed DukeNet’s first 100G core network.
