To support access to cloud-based applications and better serve end users in remote locations, companies are expanding their wide area networking infrastructure. Given the open nature of the Internet the challenge of securing application traffic has become more complex.
The more a network expands to the cloud, the more vulnerabilities are created, leaving it susceptible to attack. For wide area networks (WANs) serving users around the globe, securing application resources is crucial and needs to be made easy to implement. These techniques and best-of-breed practices can help to ensure network integrity and improve data security.
Best Practices for Enabling Security
The best practices for enabling security across the WAN start with a thorough examination of how devices and links are protected and the associated security services that need to be applied. As they access applications over the Internet, organizations are moving beyond their reliable Multiprotocol Label Switching (MPLS) connections and have integrated broadband links for direct access and needed bandwidth.
The ever-increasing amount of enterprise traffic driven by access to public cloud resources and software-as-a-service (SaaS) applications has increased the number of attack vectors and a multi-layer security approach is needed to keep pace. A comprehensive, strategic security approach can counter the numerous threats to your network. Let’s look at some of the best practices of such an approach.
Contain the Network
Software defined wide area networks (SD-WAN) that use the public internet for access to the cloud provide the ability to layer on security services and to determine which paths your traffic will take, and who will have access to which applications. SD-WAN can be configured to provide a secure, global network, across any link type that creates a private overlay.
To ensure that your critical data traffic is secure and isolated, segmentation is used to create secure tunnels to keep regulated traffic, such as PCI from mixing with the traffic from non-critical applications. Segmentation allows for line of business separation by departments for security/audit and user data separation, such as guest from employee traffic, and other things.
With segmentation you can reduce the number of physical network devices needing to be managed and monitored. You can get high availability through clustering devices that appear as one, increasing uptime. You can get end-to-end continuity from server-to-campus-to-WAN.
Integrating multiple layers of security delivered is the best way to mitigate the vulnerabilities when protecting branch offices, wide area networks and applications. Making this method effective requires the use of a solution that allows you to implement and manage all security layers efficiently and presents a single pane view of your security posture.
Traffic Monitoring: Keeping Tabs on Network Usage
Odd traffic spikes or multiple connections from an unexpected endpoint are indicators of nefarious activity that demand closer inspection. Therefore, the ability to monitor your global network is essential to ensuring network security.
Traffic monitoring capabilities with the ability to drill down enables you to identify threats and quarantine traffic to prevent the spread of an attack. SD-WAN is a platform to deliver multi-layered security services and offers the option to incorporate the security layers needed to protect your global network.
Consuming excessive bandwidth and exceeding your historical application usage is a clue that a malicious actor has infiltrated your network. Ensuring that you can spot these clues and take action to limit the application’s impact is essential to network integrity and data security.
To stay ahead of problematic malware, an SD-WAN orchestrator can be used to monitor overall network utilization and enforce prioritization of business-critical applications. Then you will see how each network path functions and whether there are any deviations from the baseline.
Internet connections like MPLS and frame relay are vulnerable to network surveillance and data theft, and enterprises cannot assume that links are safe from snooping and data interception. Encryption is essential when connecting resources over the Internet.
IP security (IPsec) encryption can be configured to create virtual private networks (VPNs) to provide comprehensive protection and guard data traffic over public internet circuits. Encryption also helps to maintain compliance for sensitive assets by using secure VPN over broadband, with the ability to report on traffic flows.
Stay Up to Date
The sheer number of threats to your network means that WAN admins cannot afford to fall behind on updates to network devices. To mitigate risks to information security, WAN admins should regularly update and patch software and firmware. This can be difficult to do for infrastructure such as servers, switches, routers and firewalls. Some organizations use automated monitoring solutions to help keep tabs on patch status or to enable admins to perform manual checks.
With cloud-delivered SD-WAN the major components such as the orchestrator and gateways are delivered as a cloud hosted service, and branch office devices are on a subscription, so all updating and patching is done by the SD-WAN vendor, eliminating this burdensome task for the enterprise admins.
Virtual Network Functions (VNF)
Typically, new network functions are manually installed and configured with their dedicated hardware devices. In a multi-layered security approach, you will want to link certain functions to enable a desired service. This is easier if you don’t need a dedicated device that has to be physically wired together.
SD-WAN provides the ability to host select virtual network functions (VNFs) to provide these services, thereby eliminating the need for specific hardware, and enabling security functions to be deployed quickly as virtual appliances. VNFs also increase network scalability since they can be clustered and agility since they are implemented as software under a management system.
In many cases you won’t want to deploy security services locally. Increasingly, security services are available hosted in the cloud. With the service chaining capability in SD-WAN you can transparently forward select traffic to a cloud-based security service based on business-policy definition without any branch-by-branch or application-based configuration. The SD-WAN solution provides for service chaining with the following options:
- Using an NFV infrastructure for service delivery, where traffic can be sent from one virtual appliance to another and then out to its destination.
- With cloud security providers, including secure web gateway (SWG) and cloud access security broker (CASB) providers
- Backhauling to a central firewall in the data center
How to Determine the Best Option for Your Business
SD-WAN provides numerous options to implement security either on-premises or in the cloud (or a combination of both) to address an evolving threat landscape. Hold the line and protect your global network and your business-critical data with SD-WAN. To learn more about how VMware SD-WAN addresses security, check out one of our VMworld sessions: