With many organisations turning to Software-Defined Wide Area Networking (SD-WAN) to support their digital transformation, many IT leaders are working out how they can tie all of their connected resources into a single cohesive network. Kalle Bjorn, Director, Systems Engineering, Fortinet, says a critical challenge of such a model is establishing an effective security strategy that can span and adapt to this expanding and evolving network.
Organisations today are facing a variety of business and technological pressures that impact their networks: The rise in the number and variety of smart devices requiring access to network and data resources; the growth of multi-cloud infrastructures and services being driven by evolving requirements of connected and highly mobile workers; demands for greater performance; the need to deploy new technologies; along with the need to comply with new standards and regulations.
Many IT leaders in the middle of multiple digital transformation projects are now wrestling with the question of how to tie all of their connected resources into a single cohesive network.
Software-defined wide area networking (SD-WAN) is increasingly becoming the approach many organisations are turning to in order to support their enterprise’s digital transformation.
SD-WAN solutions uses all available WAN services more effectively and economically, giving users across the distributed enterprise the freedom to better engage customers, empower employees, optimise business processes and innovate.
A critical challenge of such a model, however, is establishing an effective security strategy that can span and adapt to this expanding and evolving network. Which is why SD-WAN experts and industry analysts point out that an optimal enterprise SD-WAN solution needs to not only support WAN performance requirements, but also address security priorities.
As the potential attack surface grows, opportunities for breach, data loss and compromised information integrity come with every new device, application, and connection as attackers look for the weakest link in the enterprise.
At the same time, increased performance demands and distributed network resources often undermine the effectiveness of many traditional cybersecurity tools, which struggle to keep up with increasing speed and bandwidth requirements.
Another of the problems organisations face is growing security complexity. As a result of the project-oriented way in which organisations have expanded their networks, many have inadvertently created a patchwork of isolated ‘point’ products. This has led to a security architecture that’s not only hard to manage, but that actually lacks integrated, end-to-end protection.
While most SD-WAN solutions provide effective tools for managing a distributed network, many fail to provide an integrated security strategy. Instead, they rely on external legacy security systems that far too often limit visibility, restrict performance, and cannot adequately adapt to a constantly changing WAN architecture.
So if SD-WAN effectiveness and data security are both high priorities for your distributed enterprise, it is essential that you take a security-first approach to selecting an SD-WAN solution that merges integrated and automated security tools with best-of-breed SD-WAN functionality.
Such an approach will enable enterprises to reduce WAN complexity in order to meet many of their growing digital transformation requirements without sacrificing security or network performance in the process.
Here is a short list of criteria to consider when evaluating SD-WAN solutions:
Breadth and depth of application awareness
One of the main advantages of an SD-WAN strategy is its ability to improve the network user experience by routing applications over the most efficient WAN connection at any point in time.
SD-WAN enables branches to uplevel their focus from traditional packet routing to business centric applications, enabling IT teams to map WAN resources directly to business function, making the network more efficient and responsive.
As a result, customers need to understand the application landscape supported by an SD-WAN solution. This includes how many applications are supported, the prioritisation of applications based on business criticality, and the ability to look deep into individual applications in order to set different policies for sub-applications. This level of granular insight helps enterprises to better allocate resources to increase productivity and reduce business costs.
One of the challenges created by many SD-WAN solutions is the need for continual optimisation. So unless you have IT resources to spare, you need to look for solutions that have simple configurations that allow you to set WAN policies based on considerations such as application criticality, performance requirements, and security policies and a lot of automation, such as the ability to automatically adapt as network configurations and resources change.
Look for features such as automated multipath intelligence that tracks granular WAN path information, such as latency, jitter and packet loss in order to select the most efficient route for SaaS, Voice over IP (VoIP), and other business-critical traffic.
If the primary WAN path degrades below your policy-based thresholds, the SD-WAN solutions should be able to automatically fail over to the next best available link without impacting application performance. However, defining SLAs can sometimes be cumbersome, which means you need to look for solutions that make SLA configuration simple.
Likewise, any efficient SD-WAN solution also needs to be transport agnostic. This not only includes support for a variety of connectivity protocols (Ethernet, 3G/4G, VPN, etc.) but also allows you to use any two of these connections in active-active mode while load balancing traffic across both circuits simultaneously.
SD-WAN solutions typically do not include integrated security solutions, and for those that do, the security solution provided is often woefully inadequate. But at the same time, relying on traditional network security solutions to protect such an elastic and adaptive network environment is also problematic.
What is needed is an SD-WAN solution that includes complete threat protection toolsets, such as industrial grade NGFW firewall, anti-virus, intrusion prevention (IPS) and application control solutions.
It also needs to include high-throughput SSL inspection, web filtering and high-performance on-demand VPN connections to protect traffic and data confidentiality and advanced threat protection (ATP) to combat zero-day threats.
Finally, security effectiveness should be confirmed and certified using third-party validations to ensure you are getting the level of security your network requires.
Centralised provisioning, management and monitoring
One of the distinct advantages of an SD-WAN solution is its ability to be deployed and managed remotely. However, there are risks associated with shipping fully configured devices to a remote branch location.
And even once these edge devices are deployed, IT staff are usually required to manage both the WAN optimisation functions and security functions using two different interfaces. This separation of network and security operations is not only labour-intensive; it also makes it difficult to tie things like traditionally network-centric issues such as performance and functionality to critical security and data inspection. But in an SD-WAN environment, those traditionally separate functions need to work hand in hand.
Since security and SD-WAN both monitor broad and complex applications, it is critical that they exist on the same pane of glass management that provide a high-level monitoring view combined with the ability to drill down into specific details, allowing teams to act on data rather than chasing after data in order to correlate it.
When evaluating SD-WAN solutions, you need to consider things like zero-touch deployment that make it easy to set up and monitor physical and logical network topologies, link utilisation, and network and application behaviour. You should also be able to easily update and disseminate corporate WAN and security policies to all locations, as well as isolate and reconfigure individual devices for either performance or security issues.
Having centralised management, configuration and monitoring tools for both WAN and security solutions built directly into your SD-WAN environment will increase management efficiency and effectiveness while significantly reducing the cost of deploying and managing such a solution.
SD-WAN solutions are proven to improve network performance and user experience across a distributed network while keeping costs in check. But failure to deploy a solution that does not include fully integrated security leaves your network exposed to unnecessary risk. Fortinet’s secure SD-WAN solution is the market’s first offering to provide a complete and fully integrated security and SD-WAN strategy.
Based on the industry-leading FortiGate NGFW, and built around the new FortiOS 6.0 operating system, Fortinet’s secure SD-WAN replaces separate WAN routers, WAN optimisation, and security devices with a single solution that is application-aware, offers automatic multi-pathing and multi-broadband support, and is easy to deploy and monitor.
It also incorporates a growing application control database with the signatures of more than 3,000 applications, and that database is constantly being updated through its live link with FortiGuard Threat Intelligence.
Fortinet is also the only SD-WAN vendor with an NSS Labs NGFW ‘Recommended’ designation. Our security-first SD-WAN solution delivers the most robust threat protection in the industry across layers three through seven and delivers enhanced SD-WAN performance by leveraging our proprietary Security Processing Unit silicon to accelerate security and networking-specific tasks.
This optimised architecture delivers deep security analysis and inspection capabilities provided by the general-purpose CPUs that power competing products.
In conjunction with the FortiManager management console and other Fortinet Security Fabric components, the Fortinet SD-WAN solution also enables real-time threat tracking activity to facilitate risk assessment, detect potential issues and mitigate problems. Firewall rules and policies are monitored automatically to facilitate compliance audits.
Fortinet’s robust security-enabled SD-WAN solution allows you to confidently support more remote sites and users, deploy more bandwidth-sensitive applications, securely connect to and share data across new cloud services, and automatically adapt your security policies and protocols in order to meet your evolving and expanding network resource requirements.