Driving Synergies between SD-WAN Reliability and Application Security


Modern branch offices don’t always have access to sufficient bandwidth for reliable and secure application availability, despite the spread of hybrid clouds with a mix of MPLS, LTE and broadband links that all need to be optimized for the last mile. Plus, with corporate network traffic increasingly traversing the public Internet at the edge, their WAN architectures often don’t address the many new security considerations this shift creates for applications and services, as well as the WAN as a whole.

Enter the failsafe software defined WAN. A 2017 report from P&S Market Research projected a 59 percent compound annual growth rate from 2014 to 2022 in the market for SD-WANs, which provide link aggregation as well as protection from cyberattacks and other triggers of network outages. As such, they can deliver a high-quality experience from the data center to the branch.

The ideal setup is an SD-WAN integrated with security devices such as NGFWs, a combination which offers several major benefits:

  • Protection against a broad spectrum of cyberattacks, from routine intrusion attempts to more advanced campaigns.
  • Greater utilization of Internet links for real-time apps, without subtracting from application/data safety.
  • Overall simplification of WAN infrastructure, e.g. by reducing the number of legacy devices required in remote locations in which ‘zero-touch’ management is preferable.

“What is a next-generation firewall?”

Benefits to the Integration of SD-WANs and NGFWs

“What is a next-generation firewall?” is still a useful question, since not all solutions labeled as NGFWs actually provide superior functionality to traditional firewalls. True NGFWs, such as the Palo Alto Networks ones that can be integrated with a Talari SD-WAN deployment, classify traffic based on applications rather than ports, ensuring that they catch any threats that exploit techniques such as port-hopping to hide from detection.

NGFWs allow for much more granular and tenable network security policies, thanks to their application awareness and ability to identify traffic flows. Alongside an SD-WAN, an NGFW can be set up in a few specific ways to secure traffic:

  1.  In-line with the SD-WAN appliance: This is the most common setup for many NGFWs, under which they protect private networks from public Internet threats as well as provide inspection of, and network address translation for, traffic to and from the WAN.
  2. Out-of-path virtual deployment: This option entails all LAN traffic going to the NGFW, which serves as its default gateway. NAT is performed on Internet-bound traffic, while traffic to the private WAN is sent to the SD-WAN appliance.
  3. NGFW as a guest application on a kernel-based virtual machine: Also out-of-path, this approach requires the NGFW to inspect all data from the LAN before it is transmitted via Internet or MPLS links.

With a wide range of possibilities for implementing an NGFW within an SD-WAN, branch office personnel have great flexibility in shielding their networks from today’s biggest threats.

Improving Encryption Within the SD-WAN

An SD-WAN can also protect traffic via encryption. Data sent over public connections can be shielded with 128- or 256-bit AES encryption and/or have its sessions split across multiple links to prevent unwanted interpretation and re-assembly. Additional protection is available via per-protocol sequence numbers and cipher block chaining.

Discrete security zones can be set up by the SD-WAN to account for the different security characteristics of its common link types and establish trusted and untrusted WAN links. For example, it would routinely encrypt traffic for links such as cable and DSL, but not necessarily do the same for MPLS and IPsec VPNs, which are designed to be secure.

SD-WAN also simplifies the long-term management of encryption and other security infrastructure:

  • Specific encryption keys can be regenerated to mitigate the risk of a data breach.
  • Virtual routing and forwarding can automatically segment traffic by implementing multiple routing tables in the same physical router.
  • IPsec tunnels can be terminated to reduce the amount of dedicated hardware for inter-site connectivity.

Find an SD-WAN today that can help secure your branch offices. Request a demo or contact Talari directly for more information.

Categories: Software Defined WAN (SD-WAN), WAN to Cloud, Network Reliability, Internet as WAN (MPLS Alternatives)