Tips For Securing Your WAN
Today’s enterprises face a wide range of security threats, from spear-phishing campaigns that attempt to lure susceptible individuals via email, to distributed denial-of-service attacks that flood their websites with meaningless traffic. Moreover, breaches such as last year’s hack of Sony Pictures and the 2013 theft of payment card data from Target clearly show the stakes are high for fending off such pressures by staying on top of network security. Sony Pictures had sensitive details about salaries, health care benefits and upcoming films leaked to the public Internet, while Target incurred more than a quarter of a billion dollars in costs in the wake of its incident.
In both cases, critical company applications (email for Sony Pictures, payments processing for Target) were compromised from the outside. As security teams refresh their defense strategies to protect core programs and data from a similar fate, the WAN will have to be front and center, especially now that so many organizations are extending their networks to the cloud, supporting remote sites and workers and replacing their legacy business communications tools with services like VoIP and video conferencing.
An unsecured WAN presents many potential vulnerabilities, so let’s look at a few tips and tricks for hardening it against attacks and unauthorized access. Here are three key security areas to keep in mind as you modernize your WAN:
Setting up secure, cost-effective VPNs and hybrid WAN links
VPNs are fundamental to network security, and in recent years many organizations have looked to ensure VPN reliability while at the same time moving on from costly traditional technologies such as Frame Relay, MPLS and T1 local circuits. Is it possible to strike a happy balance between performance, security and cost?
Broadband Internet-based VPNs (i.e., ones that can be implemented on IPsec routers) are an appealing alternative, since they utilize less expensive links. However, an even better option in terms of cost, flexibility and security is Adaptive Private Networking with Talari, which wraps intelligence around the WAN through mechanisms such as constant path monitoring (e.g., for jitter and packet loss) and priority enforcement during failover.
Adaptive Private Networking can be utilized over a combination of broadband Internet and MPLS and Frame Relay links. Packets that are routed over the Internet can be protected with up to 256-bit AES encryption and intranet traffic can be secured without the need for a separate VPN.
Using WAN encryption instead of simply trusting the provider
Speaking of encryption, it has become more important than ever in the last few years following the aforementioned breaches as well as other major cybersecurity events. Frame Relay, MPLS and ATM circuits managed by national carriers were once assumed to be safe from snooping, but such unwavering trust can no longer be maintained in today’s environment.
“The price premium paid to service providers for the presumption of information security is no longer applicable,” explained Greg Ferro for Network Computing. “WAN services must be discounted to more closely match Internet circuits because they are now at the same level of trust. It may be possible to stop using dedicated WAN services completely.”
Indeed, broadband Internet has become competitive with MPLS not just on price but on general acceptability as a basis for VPNs connecting main and branch offices. MPLS VPNs are increasingly seen as nothing special on the security front, opening the door for IPsec VPN, SSL VPN and APN. A few specific things to consider while implementing encryption include:
- Using public key instead of pre-shared key cryptography for tighter security.
- Tapping into virtual machines on x86 servers or cloud-managed VPN to trim endpoint costs.
- Replacing traditional WAN services with Internet connections for substantial ROI.
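An added example, not part of the original article, for the first item above: a small Python audit that reads an IPsec configuration in strongSwan's swanctl.conf syntax and reports connections that still authenticate with a pre-shared key or offer IKE/ESP proposals not based on 256-bit AES. The sample configuration, the connection names and the "aes256 only" policy are assumptions made for illustration.

```python
# Constructed sample in strongSwan swanctl.conf syntax; connection names are made up.
SAMPLE = """\
connections {
  branch-a {
    proposals = aes128-sha256-modp2048
    local {
      auth = psk
    }
    remote {
      auth = psk
    }
  }
  branch-b {
    proposals = aes256gcm16-prfsha384-ecp384
    local {
      auth = pubkey
    }
    remote {
      auth = pubkey
    }
  }
}
"""

def audit(text):
    """Return (connection, setting, value) for PSK auth or non-AES-256 proposals."""
    findings, path = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and padding
        if line.endswith("{"):
            path.append(line[:-1].strip())         # enter a named section
        elif line == "}":
            path.pop()                             # leave the current section
        elif "=" in line and len(path) >= 2 and path[0] == "connections":
            key, value = (s.strip() for s in line.split("=", 1))
            where = ".".join(path[2:] + [key])     # e.g. "local.auth"
            if key == "auth" and value == "psk":
                findings.append((path[1], where, value))
            elif key in ("proposals", "esp_proposals"):
                # Assumed policy: every offered proposal must start with aes256.
                weak = [p.strip() for p in value.split(",")
                        if not p.strip().startswith("aes256")]
                findings.extend((path[1], where, p) for p in weak)
    return findings

if __name__ == "__main__":
    for conn, setting, value in audit(SAMPLE):
        print(f"{conn}: {setting} = {value}")
```

Run against the sample, only `branch-a` is reported: once for its AES-128 proposal and once each for the PSK setting on the local and remote side.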
Closing potential security loopholes in the WAN may not have been the highest priority in the past due to the assumption of safety. Now, though, it is essential to cybersecurity.
Protecting your data and identities across the WAN
WANs now field connections from more devices than they ever have. Phones and tablets in particular can remotely access the network just like PCs would. Bring-your-own-device initiatives have made mobile devices fixtures of the workplace as well as new security liabilities.
Network administrators fortunately have many options for keeping all of these devices in check and protecting the organization’s sensitive data and identities. For example, centrally controlled admission policies can limit unfamiliar devices to the guest Wi-Fi network so that they cannot take bandwidth away from important applications.
Other network security tools can strengthen the WAN against potential problems and prevent any WAN issues from eventually spreading to the LAN. Traffic monitoring, virus protections and anti-DDoS solutions are all good options for keeping malicious devices and applications at bay and ensuring that the WAN continues to function reliably.