By Dimi Sandu, Head of Solutions Engineering (EMEA)
In a previous article (Next generation WAN), we discussed how employees and businesses use computer networks differently today, and how the growth in traffic and the adoption of cloud-based applications (especially real-time multimedia ones) pushed a redesign of the WAN. Moving away from a rigid hub-and-spoke architecture built on expensive private lines and embracing the Internet, next-generation SD-WAN networks use a mix of wired and wireless public connections to route traffic according to company policies, protecting and prioritizing business-critical applications.
But there is another angle that designers and administrators have to explore and carefully evaluate: security. Previously, a business would have one or a few Internet breakout points, all in its data centers (called central breakout), and most of the traffic flowed either between branches, or between branches and the main data center (where the customer-maintained on-premise servers reside). With such a small security perimeter, it was relatively easy to deploy firewalls/UTMs to secure the trusted local infrastructure and filter employee traffic (if you want to read more about how a firewall/UTM works, check this article).
But the whole point of SD-WAN and its proposed architecture is to embrace local breakout, bringing one or more wired or wireless public links to each branch. The router can then route intelligently between sites, taking into account not only admin-set policies (policy-based routing) but also the real-time health of the links, for example prioritizing the cheaper transport whenever it can sustain the requirements of a given application (performance-based routing).
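As an added example (not code from the article or from any SD-WAN vendor), the following Python sketches the policy-plus-performance link selection described above: admin-set policy restricts which transports an application may use, real-time link health decides which of those can currently sustain it, and the cheapest qualifying transport wins, with a best-effort fallback when none qualifies. The link names, metrics and application thresholds are constructed assumptions.

```python
# Added example (not from the article or any vendor): a performance-based
# link-selection step for an SD-WAN branch router. All link metrics, app
# profiles and thresholds below are constructed sample data / assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Link:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float          # relative transport cost; lower is cheaper
    up: bool = True             # real-time reachability from path probes

@dataclass
class AppProfile:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    allowed_links: Optional[frozenset] = None   # admin policy: permitted transports

def meets_sla(link: Link, app: AppProfile) -> bool:
    """Real-time health check: can this link currently sustain the app?"""
    return (link.up and link.latency_ms <= app.max_latency_ms
            and link.jitter_ms <= app.max_jitter_ms
            and link.loss_pct <= app.max_loss_pct)

def select_link(app: AppProfile, links: list) -> Optional[Link]:
    """Policy first, then performance: cheapest permitted link meeting the SLA,
    else the best-performing permitted link so the app degrades, not drops."""
    permitted = [l for l in links if l.up and
                 (app.allowed_links is None or l.name in app.allowed_links)]
    if not permitted:
        return None
    healthy = [l for l in permitted if meets_sla(l, app)]
    if healthy:
        return min(healthy, key=lambda l: l.cost_per_gb)
    return min(permitted, key=lambda l: (l.loss_pct, l.latency_ms, l.jitter_ms))

# Constructed sample: a branch with broadband, LTE and a legacy MPLS circuit.
LINKS = [
    Link("broadband", latency_ms=35, jitter_ms=12, loss_pct=0.5, cost_per_gb=0.1),
    Link("lte", latency_ms=60, jitter_ms=25, loss_pct=1.5, cost_per_gb=1.0),
    Link("mpls", latency_ms=20, jitter_ms=2, loss_pct=0.0, cost_per_gb=5.0),
]
VOIP = AppProfile("voip", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
VIDEO = AppProfile("video", max_latency_ms=100, max_jitter_ms=10, max_loss_pct=0.5)
BACKUP = AppProfile("backup", 500, 100, 5.0, allowed_links=frozenset({"broadband", "lte"}))
```

With the sample data, VoIP lands on cheap broadband because it meets the SLA, video needs MPLS for its tight jitter bound, and backups are kept off MPLS by policy regardless of health.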
Security challenges when transitioning to local breakout
With the ‘untrusted’ Internet now touching each branch, and the security perimeter growing with every site, an admin must implement a security strategy that blocks attacks using these remote locations as a way into the core network, which could compromise the entire infrastructure.
A simple solution is to deploy new physical firewalls at each location, but, as you can imagine, this can become very complex and costly depending on the number of sites. Some routers can act as firewalls; however, activating advanced security functions beyond basic allow/deny (think Intrusion Detection/Prevention, Anti-Malware, Sandboxing, Content Filtering, etc.) comes at a heavy cost in degraded performance and low throughput.
And, with almost 95% of Internet traffic being encrypted (using HTTPS), it is hard, if not impossible, for the firewall to correctly identify and filter it. Without specialized hardware add-ons, regular UTMs will struggle to perform SSL decryption (needed to ‘peek’ inside HTTPS traffic), and additional devices would be required for sandboxing (running unknown files in a virtual environment and checking whether this results in malicious activity) or RBI (Remote Browser Isolation: opening web pages in a remote browser so that any resulting problems are isolated from the actual employee device).
To complicate matters, BYOD (Bring Your Own Device) policies could potentially compromise the network from the inside: a hacked personal device bypasses the perimeter security and gains direct access to the LAN when connecting via client VPN.
SSE to the rescue
To address all the above issues, a new set of technologies and solutions emerged, grouped under the term SSE (Security Service Edge). It relies on vendors providing security from the cloud through localized PoPs (Points of Presence), nodes placed strategically to minimize the route between the customer's Internet traffic and its online destinations.
A customer would still require branch routers; however, all Internet-bound traffic would be tunneled to the closest PoP for inspection and filtering. This is advantageous from a customer perspective not only because it minimizes the CAPEX of installing UTMs everywhere, but also because the system is ‘infinitely’ scalable. All the admin has to do is turn on the desired security function and make sure the bandwidth for each site is sufficient; the cloud security vendor does the rest, billing based on usage volumes.
Any enterprise grade SSE solution should have:
- Firewall-as-a-service: allow/deny traffic based on source/destination/application type, depending on the company policies.
- Secure web gateway: use web and DNS filtering to stop malicious activity, and keep users’ online activity within the company policies (content filtering).
- Cloud access security broker: discover and secure data transfers between end users and their resources, whether these still sit on-premise or in the cloud (SaaS).
- Zero trust network access: grant remote users access only to the information and applications they need, while constantly monitoring their posture and blocking their connections if their behavior becomes suspicious; since these devices have no access to or visibility into the wider network, the impact of a compromised one is kept to a minimum.
To sum up, with the new trends in exchanging information, a network administrator has to consider not only how traffic is routed across the estate, but also whether any changes affect the overall security posture. SSE technologies can address the risks posed by local Internet breakout in an easy and scalable way.
Note: SSE and SD-WAN go hand in hand, and most vendors offer both; the term for this mix of security and routing is SASE (Secure Access Service Edge).
For more videos on physical security & networking, follow Dimi on his YouTube channel: https://www.youtube.com/c/DimitrieSanduTech