Backgrounder
Businesses relying on hybrid clouds need to be especially mindful of how they protect the sensitive data that flows between their on- and off-premises systems. Employees can be anywhere, using multiple devices (sometimes simultaneously) and any type of network (including public Wi-Fi) to access cloud services, all of which need to be secured against malware, unauthorized access and eavesdropping.
Virtual private networks (VPNs) have traditionally handled the protection of data in transit, particularly on the wide area network (WAN) links that most enterprises use to provide employees with access to the web and other corporate sites and resources.
But the emergence of software defined WAN (SD-WAN) has changed the game when it comes to implementing, managing and paying for those VPNs. IT departments need to think carefully about how they can exploit this new technology to improve on the way they protect end user traffic, particularly when it comes to maintaining secure access to distributed cloud workloads.
Where SD-WAN wins and loses
Like other forms of virtualisation, SD-WAN separates core functions, control and management processes from the underlying hardware and makes them available as virtual software instances that can be more easily configured and deployed. As such, the technology offers IT departments the opportunity to quickly provision and scale WAN bandwidth up or down on demand using cloud-hosted software functions and "white box" routers (or virtual/universal CPE) rather than proprietary hardware, reducing capex, deployment times and management costs.
The flexibility to combine multiple network transport technologies – multi-protocol label switched (MPLS), leased line, Ethernet, fibre broadband, digital subscriber line (DSL), cellular 3G/4G and/or Wi-Fi – is another key attraction for organisations, particularly those that need to securely connect multiple sites with different types of connectivity, either to each other, the internet, a centralised company headquarters or the cloud.
Various on- and off-premise deployment models – vCPE/uCPE, cloud-hosted virtual machines, downloadable virtual network functions (VNFs), dedicated hardware appliances – can be tailored to individual requirements and budgets while support for virtual security and performance acceleration applications and services and detailed network monitoring and analytics is another draw for many.
That is not to say that SD-WAN will suit every organisation. The benefits are most obvious in distributed environments where the cost and complexity of connecting multiple sites and offices is high. Lack of familiarity with virtual networking can also be a problem in some environments, where the old way of provisioning and maintaining WAN connectivity using dedicated hardware is still considered less complex and easier to understand.
Even so, analysts predict widespread adoption of the technology. IDC’s Software-Defined WAN Survey published in April this year estimates that 95 per cent of enterprises expect to use the technology within the next two years, with almost 40 per cent having already deployed it in some form.
Legacy IPSec and SSL approaches
One of the security applications that SD-WAN makes easier to deploy and manage is the virtual private network (VPN). It’s not a direct replacement per se, but SD-WAN does provide an underlying platform upon which new virtualised VPNs can be set up relatively quickly and easily without the need to install dedicated hardware at each end of the secure link.
“While it doesn’t cure all the evils in wide-area networking, and isn’t a fit for all branch scenarios, it’s still pretty cool. Compared to VPN, SD-WAN represents a simplified and cost-effective way to WAN, and that is important because most enterprises hate their WANs,” wrote Andrew Lerner, research vice president at Gartner.
The traditional approach to VPN tended to involve building a direct link between two sites, usually based on the IP Security (IPSec) protocol which provides authentication, encryption and compression at the Layer 3 network level implemented in hardware at either end. These site-to-site VPNs often formed a secure tunnel within the public Internet because a direct, dedicated network link between the two locations was too expensive to implement and maintain over time.
Another method involves implementing a VPN based on either the secure sockets layer (SSL) or transport layer security (TLS) protocol to connect end user devices to either the Internet or corporate Intranet resources. SSL VPNs are implemented via a VPN server embedded in a dedicated next generation firewall or threat management appliance, with web browser requests routed through the server and then out onto the Internet.
Rather than having separate IPSec hardware or SSL clients to handle network security, SD-WAN systems effectively package the same type of VPN functionality into a single virtual security stack that can also include firewall, web content filtering, deep packet inspection, access controls etc alongside authentication and encryption.
As ever, there are trade-offs. SD-WAN doesn’t deliver the same end to end quality of service (QoS) guarantees on offer from multi-protocol label switched (MPLS) VPNs, for example, though traffic prioritization and application acceleration at the local level go some way to providing the same performance guarantees. And while they provide data encryption in transit and often come with basic firewall capabilities, most SD-WAN solutions won’t implement the Layer 7 security needed for effective protection at every site either.
Network security not architected for the cloud
Where legacy approaches to VPNs tend to fall short is how they handle secure connectivity to cloud hosted applications and infrastructure which end users tend to access directly from any device. Traditional WANs were not architected for the cloud either and are also poorly suited to the security requirements associated with distributed and cloud-based applications, said IDC.
The analyst firm’s Software-Defined WAN Survey found that 75 per cent of enterprises saw their SaaS/cloud usage as a key driver in their choice of WAN deployment, for example, while a third highlighted security requirements relating to web, cloud services and internet applications as one of the three most important WAN challenges they faced. “Considering cloud usage is a key driver of WAN technology choice, and the top challenges faced by enterprises today, the WAN is demanding a new architecture. SD-WAN fills that void in the market,” IDC concluded.
Simplifying VPN provisioning and management
For big companies, managing and configuring multiple VPNs to handle large numbers of sites and volumes of user traffic is not only a serious management burden – it can also lead to serious degradation in cloud application performance. That was the case for Platform Speciality Products (PSP), a global chemicals company that grew through acquisition to cover more than 190 sites worldwide. It found itself needing to simultaneously secure traffic from the remote and mobile knowledge workers that made up 40 per cent of its employees, which it did by using multiple VPN concentrator appliances to establish and configure tunnels, authenticate users, assign IP addresses and encrypt/decrypt data.
“VPNs in general are something we have used to securely connect our workforce to various assets whether they were managed in the cloud, on-premises, etc,” said PSP vice president of global infrastructure services Dustin Collins. “But at one point we realized that we have a mish-mash of 50 VPN concentrators – and security and performance were at stake.”
Rather than reducing its considerable network security management overhead by standardizing on single vendor VPN hardware, in 2017 PSP opted to deploy a global SD-WAN solution that provisioned a virtualised SSL VPN to connect employees to SaaS applications like Office365, Oracle, SAP and WebEx. Even though all traffic is now securely routed through one globally available URL, load balanced across four nodes in two US locations, network performance didn’t degrade – in fact, it sped up through integrated application acceleration. The company also estimates cost savings of around US$100,000 per year on hardware support and maintenance costs.
Key SD-WAN considerations
Ultimately, virtual VPN provision will be dictated by what the SD-WAN offering or the service provider can offer in terms of security applications and services.
IT departments need to decide whether to own, lease and maintain on-premise hardware at some or all of their locations rather than go completely down the cloud-hosted, virtual software route. Few are likely to replace all of their existing appliances with an SD-WAN platform, so interoperability and integration with legacy hardware (and management software) should also be top of mind.
You should also carefully consider whether you actually need site-to-site VPN connectivity or whether you can live solely with SSL/TLS. The answer to this question can be found by looking at your cloud-usage requirements and the location of the end users who need to connect.
Different SD-WAN suppliers provide multiple options when it comes to delivering additional levels of security embedded in their solutions, such as firewalls, web filtering and threat detection. But equally, they should be able to support integration with the defenses a business already has in place, otherwise the implementation can become unnecessarily expensive.
Cloud applications are already sensitive to latency, jitter and other network performance issues – problems which can be exacerbated by the processing overhead involved in VPN authentication and encryption of the network link.
There’s a reason why many SD-WAN providers deliver network traffic prioritization and application acceleration as part of the deal: businesses need to make sure that security processing does not have an adverse impact on performance, and delivering prioritization and acceleration in tandem with security is how that is achieved.
SD-WAN offerings also lend themselves well to delivery by managed security service providers (MSSPs), some of which also offer VPN as a service (VPNaaS) options. Outsourcing may be the best method of delivery for businesses without the manpower or expertise to manage and maintain network security in-house.
Enterprise IT is changing, becoming virtualised, software-defined and spanning hybrid cloud. This wide-area footprint presents new challenges for those charged with securing data traffic who would once have relied on VPNs. Based on its flexibility and price, SD-WAN has emerged as a popular answer – just make sure you evaluate your service options and pay attention to the fundamentals of bandwidth and traffic prioritization.
Supported by SonicWall.