Security + Network As a Service: the Better SD-WAN

March 5, 2017

We’ve been discussing the impact the dissolving perimeter has had on networking and IT. Changes in our applications (cloud migration) and where users work (mobility) are driving the shift to software defined wide area networks (SD-WANs), but they’re also forcing us to rethink how we securely connect our users, applications and data and deliver a compelling quality of experience. Unless the complete picture is assessed, one is liable simply to shift costs between IT domains. Rather than IT playing this kind of shell game on itself, IT should evaluate WAN architectures holistically and look at the quality of experience, availability, security, cost, agility, manageability, and extensibility of the network.

SD-WANs Aren’t Enough

Leveraging Direct Internet Access (DIA) allows SD-WANs to improve agility and reduce bandwidth costs, but fails to address, and sometimes exacerbates, other critical challenges.  As we discussed in our previous post, whereas with MPLS, networking teams had to wait weeks for new connections and days for bandwidth upgrades, SD-WAN’s use of DIA means new offices can be deployed in hours and days, and be reconfigured instantly.  DIA also means IT can reduce their monthly bandwidth spend by as much as 90 percent.

The Internet Limits Peak Performance

Applications remain constrained by Internet performance. The brownouts and unpredictability of Internet connections will continue to disrupt applications. SD-WANs try to mitigate this by connecting to multiple services; should one path slow down, SD-WAN nodes will steer application traffic to alternate paths based on a combination of business priorities, application requirements, and network performance. Yet, where all paths suffer due to pervasive Internet routing conditions, SD-WANs remain unable to help the application experience.
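The steering rule just described, as an added Python illustration (not code from the post or from any SD-WAN vendor): each application class carries a business priority and the worst network conditions it tolerates, classes are placed in priority order on the lowest-latency path that still meets their thresholds and has spare capacity, and a class that no path can satisfy is reported as unplaceable, which is the all-paths-degraded case the paragraph ends on. Path names, measurements, thresholds and demands are constructed sample values.

```python
"""Toy SD-WAN path steering (added example; constructed data, not vendor code).

Each WAN path carries its current measured latency, loss and jitter plus the
capacity still free on it. Each application class carries a business
priority and the worst network conditions it tolerates. Classes are placed
in priority order so the most critical traffic gets first pick of the
compliant paths; a class that no path can satisfy is reported as None.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathStats:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    free_mbps: float       # capacity not yet committed to another class


@dataclass(frozen=True)
class AppClass:
    name: str
    priority: int          # 1 = most critical to the business
    demand_mbps: float
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


# Constructed policy: VoIP ahead of ERP, ERP ahead of backup.
APP_CLASSES = [
    AppClass("voip", 1, 2, 150, 1.0, 30),
    AppClass("erp", 2, 10, 250, 2.0, 100),
    AppClass("backup", 3, 40, 1000, 5.0, 1000),
]

# Constructed measurements for a branch with three DIA-style links.
NORMAL_PATHS = [
    PathStats("fiber-dia", 30, 0.2, 8, 50),
    PathStats("dsl-dia", 70, 0.8, 15, 20),
    PathStats("lte", 110, 2.5, 45, 60),
]

# The same links during a pervasive Internet brownout: every path is degraded.
BROWNOUT_PATHS = [
    PathStats("fiber-dia", 220, 1.8, 20, 50),
    PathStats("dsl-dia", 300, 3.0, 60, 20),
    PathStats("lte", 400, 6.0, 120, 60),
]


def meets_requirements(path, app):
    """True when the path's current measurements satisfy the class thresholds."""
    return (path.latency_ms <= app.max_latency_ms
            and path.loss_pct <= app.max_loss_pct
            and path.jitter_ms <= app.max_jitter_ms)


def steer(paths, app_classes=APP_CLASSES):
    """Assign each application class to a path.

    Returns {class_name: path_name}; the value is None when no path meets the
    class's thresholds with enough free capacity, i.e. steering has nothing
    better to offer and the application experience will suffer.
    """
    remaining = {p.name: p.free_mbps for p in paths}
    assignment = {}
    for app in sorted(app_classes, key=lambda a: a.priority):
        candidates = [p for p in paths
                      if meets_requirements(p, app)
                      and remaining[p.name] >= app.demand_mbps]
        if not candidates:
            assignment[app.name] = None
            continue
        best = min(candidates, key=lambda p: p.latency_ms)
        remaining[best.name] -= app.demand_mbps
        assignment[app.name] = best.name
    return assignment


def unplaceable(paths, app_classes=APP_CLASSES):
    """Names of classes that no path can carry acceptably right now."""
    return [name for name, path in steer(paths, app_classes).items() if path is None]


if __name__ == "__main__":
    print("normal:  ", steer(NORMAL_PATHS))
    print("brownout:", steer(BROWNOUT_PATHS))
    print("no acceptable path for:", unplaceable(BROWNOUT_PATHS))
```

Under normal conditions VoIP and ERP land on the fiber link and backup, which would exhaust fiber's remaining capacity, is pushed to LTE. During the brownout ERP and backup still find an acceptable path, but VoIP does not: steering can only choose among the paths it has, which is the limitation the paragraph describes.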

DIA Expands The Attack Surface

What’s more, the use of DIA that gives SD-WANs so much of their agility and cost benefits also increases the attack surface. Every office with DIA now requires the full range of security services including next generation firewalls, anti-malware, URL filtering, IDS/IPS, sandboxing and more. This in turn increases operational costs, with the management, patches, upgrades and capacity planning needed to keep pace with increasing traffic load and a growing threat landscape. No wonder that nearly half of the respondents (49 percent) of our recent user survey indicated that their organizations pay a premium to buy and manage security appliances and software.

Missing Mobility and Cloud

Finally, while SD-WAN vendors do a very good job connecting offices, they’re less successful extending their overlays to the rest of today’s WAN: mobile users and the cloud. Mobile users are not supported at all by SD-WANs.

Some SD-WAN vendors claim to deliver cloud instances for private cloud implementations, such as AWS. But these implementations come with inordinate complexity — whether from the nuances of how cloud providers implement cloud networking, cloud machine limitations that can only be resolved with greater cloud investments, bandwidth limitations, and more. And in all cases, companies remain subject to the variability of the Internet connecting them to the cloud provider.

One WAN For All

Rather than trying to retrofit old solutions to today’s new realities, first think about where we’re headed. With that vision in hand, we can work backwards and figure out how best to get there.

Everyone can agree that complexity is the enemy of network engineering. With more components come more equipment to purchase and maintain, and a greater likelihood that something will break. So as a basis we’d like to somehow create one network with one set of policies for all locations, all users (mobile and fixed), and all destinations (virtual or physical). The network should have the agility and cost savings of SD-WAN and DIA with the performance and predictability of MPLS.

Of course, we’d like to retain control over this network. Policies should align network usage with application requirements and business priorities. Applications more critical to the business should take priority over those less critical; VoIP and real-time applications should take precedence over backup.

And we’d like our networks to be inherently secure. Once users connect into this network, they’d immediately inherit all of the necessary security services to protect themselves when working from the office, home or on the road.

Hardware, Software, or Cloud

So, that’s where we’d like to go, but what’s the best way to get there? The traffic manipulation and policy enforcement needed to make this vision a reality can occur in physical appliances, virtual appliances or software, or the cloud. Deploying an integrated security-networking appliance at each branch introduces the scaling challenges, management complexity and overhead implicit in physical appliances. What’s more, no physical appliance can address the needs of mobile users or the cloud.

Software appliances, such as network functions virtualization (NFV) instances, sound like the right approach. They introduce a degree of flexibility at the edge and are certainly of help to a service provider looking to modernize its box-based ecosystem. But like hardware appliances, software appliances must still be maintained and upgraded. As traffic volumes increase, scaling is still a problem. Leveraging new capabilities also means upgrading to new software, with all the risks of downtime implicit in those changes. And a full range of high availability and failover scenarios must be defined.

Client-based software is no better. The differences in processing capacity, memory, and the sheer range of device platforms make deploying security and networking processing on a mobile device challenging. Driving mobile users towards secure “chokepoints” compromises quality of experience and productivity, leading to compliance violations.

Cloud capabilities, if managed and deployed correctly, represent a great choice. By moving security and networking functions into the cloud, we can provide robust security that can scale as necessary, anywhere, without the adverse impact of location-bound appliances. All new features, enhancements and counter-measures can be made available to every resource (branch, datacenter, cloud instance or user) connecting to the cloud-based solution. This is what Networking + Security as a Service (N+SaaS) is all about.

Network+Security as a Service

N+SaaS moves all security, traffic steering and policy enforcement into a multi-tenant cloud service built on a global, privately-managed network backbone. There is no need for network security at the remote site or on a mobile user’s device, as all Internet traffic is sent to and received from the N+SaaS service. Users access the N+SaaS backbone by tunneling across any Internet service to the nearest Point of Presence (PoP). IPsec-enabled firewalls and routers can be configured for this purpose, as can simple virtual or physical edge nodes.

As traffic enters the N+SaaS private cloud network edge, the N+SaaS provider can steer customer traffic based on application-specific policies. Traffic is inspected and protected with a full network security stack built into the cloud network fabric. IT is freed from unplanned hardware upgrades, resource-intensive software patches, and the rest of the overhead of managing security appliances, leaving that to the cloud provider. New locations and mobile users can be quickly deployed and are seamlessly protected.

SD-WAN And Cloud Security

This approach is fundamentally different from the partnerships between SD-WANs and cloud security services. In that case, SD-WANs use service chaining to divert traffic to the cloud service for inspection. At a tactical level, many such cloud security services only inspect HTTP traffic, requiring additional equipment and services to protect against attacks involving other protocols. More strategically, though, such an approach perpetuates the divide between networking and security tools, complicating deep integration between the two areas. Policy definition, where policy governs security permissions, actions, and network configuration, is a basic example of how networking and security integration can reduce overhead.  More sophisticated would be the correlation of networking and security information to reduce security alert volume, identify alerts that truly matter, and to take automatic action once identifying a threat, such as automatically terminating a session in case of an exfiltration attempt.

These efforts become major “road map efforts” and “innovations” for SD-WAN vendors partnering with cloud security services precisely because of the challenges in exchanging and correlating information siloed behind security and networking walls. With N+SaaS, such capabilities are table stakes as all of the necessary information is already available to the N+SaaS provider.
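The correlation step described above, as an added Python illustration (not Cato’s or any vendor’s logic): security alerts and flow records for the same session are joined, so the provider can emit one decision per session instead of a pile of raw alerts and reserve the automatic terminate action for a high-severity alert that coincides with unusually large outbound volume. The sessions, addresses, engine names and byte threshold are constructed.

```python
"""Correlating security alerts with network flow records (added example).

Raw alerts are grouped by session and joined with the outbound byte count of
the same session. One decision per session replaces N raw alerts; the
"terminate" action is reserved for high-severity alerts that coincide with
a large outbound transfer, the exfiltration pattern the post mentions.
All records and the threshold are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

MiB = 1024 * 1024
EXFIL_BYTES = 100 * MiB     # constructed threshold for "unusually large" outbound volume


@dataclass(frozen=True)
class Flow:
    session_id: str
    user: str
    dst_ip: str
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    session_id: str
    source: str      # which security engine raised it
    severity: str    # "low", "medium" or "high"


# Constructed flow records (TEST-NET addresses).
FLOWS = [
    Flow("s1", "alice", "203.0.113.10", 150 * MiB),
    Flow("s1", "alice", "203.0.113.10", 30 * MiB),
    Flow("s2", "bob", "198.51.100.5", 2 * MiB),
    Flow("s3", "carol", "192.0.2.77", 512 * 1024),
]

# Constructed alerts from several engines of the security stack.
ALERTS = [
    Alert("s1", "dlp", "high"),
    Alert("s1", "ips", "high"),
    Alert("s1", "url-filter", "low"),
    Alert("s2", "ips", "high"),
    Alert("s3", "url-filter", "low"),
    Alert("s3", "url-filter", "low"),
]


def outbound_by_session(flows):
    """Sum outbound bytes per session id."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.session_id] += f.bytes_out
    return totals


def correlate(flows, alerts, exfil_bytes=EXFIL_BYTES):
    """Return {session_id: decision} with one decision per alerted session."""
    bytes_out = outbound_by_session(flows)
    alerts_by_session = defaultdict(list)
    for a in alerts:
        alerts_by_session[a.session_id].append(a)

    decisions = {}
    for sid, session_alerts in alerts_by_session.items():
        high = any(a.severity == "high" for a in session_alerts)
        if high and bytes_out[sid] >= exfil_bytes:
            decisions[sid] = "terminate"       # likely exfiltration: act automatically
        elif high:
            decisions[sid] = "investigate"     # real alert, but no volume signal
        else:
            decisions[sid] = "suppress"        # low-severity noise only
    return decisions


def alert_reduction(flows, alerts):
    """(raw alert count, decisions emitted), to show the volume reduction."""
    return len(alerts), len(correlate(flows, alerts))


if __name__ == "__main__":
    for sid, decision in correlate(FLOWS, ALERTS).items():
        print(sid, decision)
    print("raw alerts -> decisions:", alert_reduction(FLOWS, ALERTS))
```

Six raw alerts collapse to three decisions, and only session s1, where two high-severity alerts coincide with 180 MiB outbound, is terminated automatically. The join is trivial here precisely because flows and alerts share a session id; when the network and security tools sit in separate silos, establishing that common key is the hard part.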

Private Backbone Is Essential

N+SaaS services are also built on privately-run backbones, which is very different from SD-WAN cloud-managed offerings. The consistent, day-to-day performance of the N+SaaS backbone exceeds that of the Internet. Gone are the unpredictable latency, jitter and disruption of service that occur on unmanaged backbones. The secure network’s performance and predictability rival those of MPLS.

Because the N+SaaS PoP is reached over DIA, companies lose none of the agility enabled by SD-WANs. Local loop resiliency is still possible with the same options used for SD-WANs. Fully redundant, dual-homed connections, such as an office connected to both xDSL and 4G Internet services, can be shown to approach or match MPLS uptime even over the unmanaged Internet, let alone over a private cloud network (see this blog for the math behind those availability calculations).
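The availability arithmetic the paragraph points to, as an added Python example (not from the post or the linked blog): two independent local loops in parallel fail only when both fail, and the resulting local-loop figure sits in series with whatever carries the traffic beyond the PoP. The per-link availability figures are constructed assumptions, not measured or published SLA values, and the calculation assumes the links fail independently, which a shared trench, pole or power supply would violate.

```python
"""Availability arithmetic for dual-homed sites (added example, constructed figures).

parallel(): redundant links, the site is up if any one link is up.
series():   components that must all be up, e.g. local loop then backbone.
Independence between links is assumed; common-cause failures (shared
trench, shared power) make the real parallel figure worse than computed.
"""
MINUTES_PER_YEAR = 365 * 24 * 60


def parallel(*availabilities):
    """Availability of independent redundant links: 1 - prod(1 - a_i)."""
    unavailable = 1.0
    for a in availabilities:
        unavailable *= 1.0 - a
    return 1.0 - unavailable


def series(*availabilities):
    """Availability of components that must all be up: prod(a_i)."""
    total = 1.0
    for a in availabilities:
        total *= a
    return total


def downtime_minutes(availability):
    """Expected minutes of downtime per year at a given availability."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def site_availability(loop_links, backbone):
    """End-to-end figure: redundant local loops in parallel, in series with the backbone."""
    return series(parallel(*loop_links), backbone)


# Constructed assumptions for the example (not measured or published SLA figures).
XDSL = 0.99                 # roughly 3.65 days/year of local-loop outage
LTE_4G = 0.99
PRIVATE_BACKBONE = 0.9999
UNMANAGED_INTERNET = 0.9995
MPLS_TARGET = 0.9995


def compare():
    """Return the three end-to-end availabilities the paragraph contrasts."""
    return {
        "dual_loop_over_internet": site_availability([XDSL, LTE_4G], UNMANAGED_INTERNET),
        "dual_loop_over_private_backbone": site_availability([XDSL, LTE_4G], PRIVATE_BACKBONE),
        "mpls_target": MPLS_TARGET,
    }


if __name__ == "__main__":
    for label, a in compare().items():
        print(f"{label:32s} {a:.5f}  ({downtime_minutes(a):7.1f} min/yr)")
```

Two 99 percent loops in parallel give a 99.99 percent local loop, about 53 minutes of expected downtime a year. With the constructed figures the dual loop over the private backbone beats the MPLS target and the dual loop over the unmanaged Internet approaches it; the ordering depends entirely on the figures, so substitute your own measured or contracted values before drawing conclusions.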

N+SaaS : It’s More Than Just Hosting in The Cloud

By converging security and networking into the cloud, we eliminate the silent enemy of uptime, efficiency, security, and IT operations in general – complexity. An IT infrastructure with fewer “moving parts” is one that’s easier to deploy, manage, and maintain.

As with any cloud service, CIOs and their teams will want to be sure N+SaaS providers can meet their service commitment. At a minimum, this means service level agreements (SLAs) around availability, latency, and packet delivery.

Extensibility Is Essential

But they will also want to look at the extensibility of the platform. As the provider delivers new services, how readily available are they to mobile and fixed users in new regions? Are they limited in some way, only applying to physical data centers and not the cloud, for example?

These questions are particularly critical as service providers look to mirror the capabilities delivered by N+SaaS by selling cloud services off security and networking appliances built for enterprise or regional deployment. It’s more than an issue of supporting multi-tenancy. Simply shifting security appliances into the cloud burdens the service providers with the same management and maintenance costs as the enterprise, costs that must be pushed onto their customers. Delivering services “everywhere” also becomes more difficult as customer resources are bound to specific instances within a region, putting complex management of distributed appliances right back on the table.

The Way Forward

The state of business today is expanding globally, relying on data and applications in the cloud and driven by a mobile workforce. IT needs to adapt to this new reality, and simplifying the infrastructure is a big step in the right direction. One network with one security framework for all users and all applications will make IT leaner, more agile. Converging networking and security is essential to this vision. And while SD-WANs are a valuable evolution of today’s WAN, N+SaaS goes a step further — bringing a new vision for networking and security to today’s business.


Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.