Connected Security and SASE
Security is about risk. In a world of borderless and accelerating digital threats, organizations strive to protect their assets, services, and staff. Increasingly, digital security impacts safety. The risks related to intentional attacks have also begun to impact other elements of operations. The more digital connectivity and control there is, the wider the digital attack surface that requires protection.
Security architectures have long sought to limit and partition failure domains against the propagation of failures, but there is a real struggle over how to do so without adversely impacting the smooth running of workflows and processes. SASE (Secure Access Service Edge) offers a combination of security functions delivered at trusted boundaries that limits the traditional overheads associated with remote-access solutions.
When SD-WAN is understood as a conceptual delivery model for services, it can then be understood as underpinning many security best practices. It’s not a matter of SD-WAN vs. SASE but the knowledge that SD-WAN delivers the foundational building blocks of SASE. The network is still one of the best places for many security controls. The WAN edge creates an efficient and effective policy enforcement point, and one that also provides the means for better observing and controlling zone boundaries and related security requirements. With ZTNA (Zero Trust Network Access), the question is settled: a “default deny” posture is more advantageous and robust than a less secure “default permit” posture.
What does SD-WAN mean?
SD-WAN means a wide-area network with its fundamental functions abstracted. It’s centrally controlled by an intelligent software platform rather than being wholly distributed, decentralized, and reliant upon discrete network operating systems. This concept provides a more programmable control plane with increased observability, responsiveness, and controllability.
What does SD-WAN solve?
SD-WAN solves many of the challenges of traditional WANs, such as operational complexity, limited controllability, coarse metrics, service brittleness, and suboptimal capacity management. Additionally, greater security and more fine-grained business policies can be embedded while reducing operational costs.
How does SD-WAN work?
As an abstraction layer, SD-WAN provides simpler orchestration and optimized operations. At the architecture layer, there are different approaches, but SD-WAN usually becomes an overlay on a physical network. The control plane is centralized while additional features and functionality can be rapidly layered on. SD-WAN then allows for unified logic with centralized workflows and APIs.
Is SD-WAN a router?
SD-WAN is not a single router but can encompass and perform the role of many routers. Different approaches involve augmenting physical or logical routers, while other solutions replace existing nodes completely.
Does SD-WAN replace a router?
It depends on the solution. Some SD-WAN offerings replace routers and other nodes completely. Lower-friction approaches augment existing nodes or provide new logical gateways.
Is SD-WAN a routing protocol?
SD-WAN is a concept and abstraction layer that, once instantiated, can incorporate new routing protocols but often leverages existing ones. Commonly, SD-WAN provides an overlay to an existing underlay network and then delivers additional value across all services and operations.
What is the difference between SD-WAN and WAN?
An SD-WAN is an enhanced WAN that offers additional features over and above basic reachability and traffic engineering. A traditional WAN is composed of routers, each running a network operating system with its own control plane based upon local configuration and state information. An SD-WAN typically centralizes the control plane and shares state across all nodes.
What are the advantages of SD-WAN as compared to a traditional WAN solution?
SD-WAN offerings can improve security posture, lower operational costs, and enable more fine-grained and intelligent decision-making, especially for performance and capacity. User experience and operator experience can be significantly improved, while superior scalability and elasticity can be achieved using global and local views of WAN conditions.
How does SD-WAN improve network performance and make WANs agile?
SD-WANs use additional telemetry to increase the overall observability of a WAN. This can include individual session and flow metrics that impact user experience. With more holistic and fine-grained traffic engineering comes the ability to rapidly influence and control performance using smarter logic and intelligent policy. Additionally, orchestration and lifecycle management are simplified due to centralized platform logic, which increasingly incorporates artificial intelligence (AI).
What is SD-WAN dynamic routing?
Although most WANs rely on dynamic routing, the metrics used can be considered coarse and concerned only with reachability. SD-WANs can interact with the underlay routing (if so desired) but build overlays using enhanced dynamic routing that takes advantage of intelligent insights into the over-the-top (OTT) services provided to end-users.
Is SD-WAN better than MPLS?
SD-WAN is not a specific protocol or standardized architecture but can leverage and enhance existing services provided by an MPLS footprint. SD-WAN also allows for a wider selection of lower-cost transport technologies and media (not just MPLS-related) depending on an organization’s business and technical requirements.
Does SD-WAN replace VPN?
Different SD-WAN offerings form their own type of site-to-site virtual private network (VPN) and can integrate with or sit behind remote-access VPNs. Some SD-WAN offerings solve security challenges in different ways while improving the integrity, availability, and performance of the WAN.
Does SD-WAN replace DMVPN?
Depending upon requirements, SD-WAN may replace some dynamic multipoint VPN (DMVPN) footprints by providing a secure and scalable transport that requires little to no orchestration (such as those that use zero-touch provisioning). Usage is highly dependent on the SD-WAN offering and use case, but one of the goals of SD-WAN is to provide similar functionality to DMVPNs.
Does SD-WAN use IPsec?
Most SD-WAN solutions and vendors use standards-based protocols, while some have created their own proprietary protocols. An SD-WAN may enhance or replace an existing WAN and VPN, which will dictate whether an SD-WAN offering must integrate with or use IPsec.
What are some of the weaknesses of SD-WAN?
Moving from a distributed to a centralized control plane may be seen by some as a weakness, though there is often already some form of centralized operations, orchestration, and governance in WAN management. SD-WANs seek to reduce operational errors and common-mode failures while providing a more robust overlay, even when traditional underlays and routing are still in play.
Is SD-WAN a private network?
SD-WAN can be a wholly private network or multitenanted, depending on the specific use case, service offering, and network intent. SD-WAN may offer different levels of privacy and can be dedicated to a single organization; it can also be part of a managed service offering or customer-administered as part of a cloud offering.
Is SD-WAN a VPN?
SD-WAN could be thought of as a type of VPN, though the concept of SD-WAN is more about the abstraction, programmability, and flexibility of the WAN than it is about security. An SD-WAN can share similar goals and provide similar services to a VPN, but not all SD-WANs are VPNs.
Is SD-WAN secure?
SD-WANs adhere to fundamental security tenets such as confidentiality, integrity, and availability. They’re generally built to be secure by default and provide protection from intentional harm while preventing unintentional failures. As always, and irrespective of technology, protocol, or configuration, operational security is an ongoing process that requires management, oversight, and maintenance.
How does SD-WAN improve security?
SD-WAN can more readily implement and enforce strategies such as defense-in-depth and zero trust access control, in part due to its centralized command and control structure. Fine-grained policy enforcement and orchestration facilitate consistent “least privilege” controls and ensure that deny-by-default is mandated across the board rather than the more permissive permit-by-default of traditional WANs. By leveraging secure protocols and increased telemetry for better visibility into the network, SD-WAN can observe, identify, control, and mitigate threats faster than individual point solutions located at boundary points. Security can be embedded throughout the whole WAN.
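The deny-by-default zone policy described above, as an added example that is not code from the page or from any SD-WAN vendor (zone names, addressing, rules and sample flows are constructed): a centralized rule set evaluated at a WAN edge, with a switch that models the permit-by-default behaviour of a traditional WAN so both postures can be compared on the same flows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

# Zone boundaries enforced at the WAN edge (constructed sample addressing).
ZONES = {
    "branch-users": ip_network("10.10.0.0/16"),
    "dc-apps": ip_network("10.20.0.0/16"),
    "ot-plant": ip_network("10.30.0.0/16"),
}

# Explicit least-privilege allows as (src_zone, dst_zone, proto, dport);
# anything not listed is denied under the ZTNA default-deny posture.
ALLOW_RULES = {
    ("branch-users", "dc-apps", "tcp", 443),  # users -> web apps
    ("dc-apps", "ot-plant", "tcp", 502),      # historian -> PLC gateway
}

def zone_of(addr: str) -> "str | None":
    """Map an address to its zone, or None if it is outside every zone."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)

def evaluate(flow: Flow, default_permit: bool = False) -> str:
    """Return "allow" or "deny" for one flow crossing the WAN edge.
    default_permit=True models a traditional permit-by-default WAN; an
    address outside every zone never matches a rule and hits the default."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
    if key in ALLOW_RULES:
        return "allow"
    return "allow" if default_permit else "deny"

def lateral_exposure(flows):
    """Flows a permit-by-default WAN passes but deny-by-default blocks."""
    return [f for f in flows
            if evaluate(f, default_permit=True) == "allow" and evaluate(f) == "deny"]

# Constructed sample flows seen by an edge node.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.1.10", "tcp", 443),  # user -> app: permitted
    Flow("10.10.4.7", "10.30.2.5", "tcp", 502),   # user -> PLC gateway: no rule
    Flow("10.10.4.7", "10.20.1.10", "tcp", 22),   # user -> app SSH: no rule
    Flow("192.0.2.9", "10.30.2.5", "tcp", 502),   # unzoned source: no rule
]
```

Running `lateral_exposure(SAMPLE_FLOWS)` returns the three flows a traditional WAN would have passed silently; under the central policy each edge node denies them and can report the attempt as telemetry.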
Do you need a firewall with SD-WAN?
Depending on your existing security posture and policy enforcement points, you may not need additional security layers when deploying an SD-WAN. Modern SD-WAN offerings include a range of network- and application-level security capabilities, and many of these features obviate the need for certain firewall functions. Enhancing security on the WAN at both the network and application layers can be hugely beneficial to an organization’s overall security posture, particularly when adopting zero trust strategies.
Who buys SD-WAN?
SD-WAN is a concept and abstraction that organizations can choose to build from the ground up, buy from a trusted vendor, or consume as a managed service delivered by a cloud or service provider. Those without the necessary development expertise, budget, time, and resources to build their own will buy and implement vendor SD-WAN offerings or use a managed service. This option allows small, medium-sized, and large organizations to focus on their core competencies while benefitting from the product development, support, and maintenance offered by vendors, cloud, and service providers.
How can I improve my SD-WAN?
There are many approaches to developing and improving SD-WAN solutions. If you don’t use an AI-driven SD-WAN, traditional operational tasks usually remain cumbersome. These include constant monitoring, performance management, refinement of traffic and security policies, and ongoing lifecycle management. There are many areas where improvement may be warranted, but reducing overall operational toil using AI and automation is key to freeing up human time to focus on higher-impact initiatives.
How much does SD-WAN cost?
There’s no specific price for an SD-WAN as there are multiple approaches and vendor offerings. SD-WAN should, however, lower circuit costs and operational overhead. It should dramatically reduce the time to deploy new sites and topologies while improving user and operator experiences.
What is ZTP in SD-WAN?
ZTP, or zero-touch provisioning, means there is no requirement to bootstrap and locally configure SD-WAN nodes. These tasks are taken care of centrally and are automated. Typically, only non-default templates or profiles must be selected at a central location, while all other provisioning is automated.
What is the primary distinction between the SD-WAN use case and the hybrid WAN use case?
A hybrid WAN makes use of multiple transport and connection types. Hybrid WAN leverages different layers and technologies such as MPLS, leased lines, VPLS Ethernet, and broadband direct Internet access (DIA). SD-WAN is an overlay technology that typically runs on top of these physical networks. SD-WAN is more focused on overlay reachability, traffic engineering, and value-added services riding on top of the physical WAN.
What are the components of SD-WAN?
SD-WAN normally comprises a highly available central controller and orchestration function that programs and manages edge nodes. These edge nodes can also provide a range of services to the SD-WAN as dictated by the SD-WAN offering. The controller typically provides all orchestration, management, and reporting functions while using the context gained from the edge nodes to make better global routing, policy, security, and service enhancement decisions.
Does SASE need SD-WAN?
Secure access service edge (SASE) is an evolution and complement to SD-WAN that delivers comprehensive security functions, including identity-related services, throughout the WAN. SASE relies on a cloud-based set of security functions, referred to as the secure service edge (SSE). SASE, then, can be thought of as SD-WAN plus SSE. SSE is typically cloud-based and can be supplied by a specific vendor, whereas SD-WAN can be physical, logical, and/or cloud-based while integrating laterally with other providers.
Should I use a managed service provider for SD-WAN?
The answer depends on multiple criteria. These include how complex your WAN is, team resources and competencies, and budget.
Who provides SD-WAN services?
SD-WAN services may be provided by the vendor that sells the solution, by cloud services companies, or by managed service providers specializing in SD-WAN. Professional services such as design, deployment, and operation are also available from most vendors to cover your day-0, day-1, and ongoing needs.
What is DIY SD-WAN?
Do it yourself (DIY) SD-WAN means building all facets of an SD-WAN solution yourself. The project involves writing all the software for both the controller and SD-WAN edge nodes and taking responsibility for all aspects of the software and system lifecycle management. Building a DIY SD-WAN is a complex undertaking that’s embraced mostly by hyperscale cloud providers with vast IT resources and budget available to them.
Who does SD-WAN benefit?
SD-WAN benefits large-scale network operators, smaller players, and everyone in between. SD-WAN is not just about enhancing orchestration, operations, and security, but also about enhancing service delivery and improving the quality of user experience.