Secure Cloud Delivered SD-WAN
As the business market moves away from traditional MPLS WAN networks to modern SD-WAN networks, we see many new design considerations, both to ensure cost effectiveness and to make the most of the improved technology and visibility. I thought I would summarise our lessons and perspective on some of these topics to trigger discussion and perhaps assist CIOs in their evaluation and design of SD-WAN networks. Having rolled out 400 SD-WAN networks we have made our fair share of mistakes along the way and have certainly learned what a clean design looks like.
There are two big security considerations for an SD-WAN network compared to an MPLS network:
- How will you manage security (firewall and encryption specifically)?
- How will users interact with cloud based services?
With SD-WAN the trend is to include inexpensive internet bandwidth as a transport to support bandwidth-intensive cloud-based applications. Public internet links are best-effort in performance and, because traffic crosses shared public infrastructure rather than a private carrier network, are exposed to interception and tampering in a way MPLS traffic was not.
In this article we will address the security of the network in terms of firewall and encryption. Overall, most SD-WAN solutions encrypt traffic across the links and tunnels between sites (IPsec or a comparable scheme); the implementations differ and it is worth confirming which cipher suites and key management a vendor uses, but the exposure of data in transit on public links is largely addressed by the overlay itself. Firewalling is a different matter, because the overlay says nothing about where policy is enforced. There are a number of different ways to architect the firewall solution:
- Dedicated centralised Firewall at head office or datacentre
- Network Managed Firewall provided by internet or networking provider
- Distributed Firewall at branch, either as configuration on the WAN edge, as a Virtual Network Function (VNF) on the WAN edge, or as a separate firewall device
- Cloud based firewall solution where security policy enforcement occurs in the cloud
Use Case #1 – Dedicated Centralised Firewall
This is a great option if you already have a sunk investment. It requires skilled resources from your team to maintain and manage the firewall policies. Internet traffic is backhauled and routed out through a central security perimeter. SD-WAN can also be used to tunnel trusted traffic directly from the branch to SaaS services such as Office365; note that this traffic bypasses the central perimeter entirely, so the list of destinations treated as trusted SaaS needs to be kept tight and reviewed as it changes.
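The split just described (internal traffic over the encrypted overlay, trusted SaaS direct from the branch, everything else backhauled to the central firewall) is easy to state and easy to get wrong in practice when the bypass list grows. The following is an added example, not code from the original article or from any SD-WAN vendor: a small Python model of that path selection, plus an audit that flags any configured bypass prefix not covered by the approved SaaS list (the hole through which traffic would leave a branch uninspected). All prefixes, addresses and flows are constructed for illustration (documentation ranges), as are the function and type names. The same check applies to the local-breakout designs discussed later, where the question is just which enforcement point each path lands on.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: prefixes the branch may tunnel straight to
# (trusted SaaS, of the kind a vendor publishes for its service endpoints).
TRUSTED_SAAS_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]
# Constructed: internal prefixes reached over the encrypted SD-WAN overlay.
INTERNAL_PREFIXES = ["10.0.0.0/8"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Decision:
    path: str          # "overlay", "direct" or "central"
    inspected_at: str  # where firewall policy is enforced for this flow


def _in_any(addr: str, prefixes: list[str]) -> bool:
    a = ip_address(addr)
    # 'in' returns False across IP versions, so mixed v4/v6 lists are safe here.
    return any(a in ip_network(p) for p in prefixes)


def select_path(flow: Flow, bypass: list[str] = TRUSTED_SAAS_PREFIXES) -> Decision:
    """Use Case #1 policy: internal traffic rides the overlay, HTTPS to a
    trusted SaaS prefix goes direct from the branch, everything else backhauls
    to the central firewall. Only the 'direct' path leaves the branch uninspected."""
    if _in_any(flow.dst, INTERNAL_PREFIXES):
        return Decision("overlay", "datacentre")
    if flow.proto == "tcp" and flow.dport == 443 and _in_any(flow.dst, bypass):
        return Decision("direct", "none")
    return Decision("central", "datacentre")


def audit_bypass_list(configured: list[str], approved: list[str]) -> list[str]:
    """Return configured bypass prefixes not fully covered by an approved prefix.
    Anything returned is a hole: traffic to it skips the central firewall."""
    approved_nets = [ip_network(p) for p in approved]
    holes = []
    for p in configured:
        net = ip_network(p)
        # subnet_of raises across IP versions, so compare like with like.
        covered = any(net.subnet_of(a) for a in approved_nets if a.version == net.version)
        if not covered:
            holes.append(p)
    return holes


if __name__ == "__main__":
    branch = "10.1.2.3"
    for f in (Flow(branch, "10.20.0.5", 445), Flow(branch, "203.0.113.10", 443),
              Flow(branch, "203.0.113.10", 25), Flow(branch, "198.51.100.7", 443)):
        print(f.dst, f.dport, select_path(f))
    # Someone widened the bypass from a /24 to a /16: the audit catches it.
    print("holes:", audit_bypass_list(["203.0.113.0/24", "203.0.0.0/16"], TRUSTED_SAAS_PREFIXES))
```

The point of the audit is that the bypass list is the one place where Use Case #1 quietly turns into "no firewall" for a slice of traffic. Running a check like this against the exported SD-WAN policy whenever the trusted SaaS list changes is cheap, and it catches the /16-for-a-/24 style of drift that never shows up in a dashboard.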
Use Case #2 – Managed Network Firewall
This approach differs from Use Case #1 only in that the effort is taken off your IT team by outsourcing the firewall to a managed service provider on an opex cost model. Arguably, engaging a managed service will improve threat management and security, but if you are running a central firewall yourself you probably feel you can run it better in house! My personal view is that the role of IT is transforming and that managing a firewall policy is a low-value activity for the high-value resources in your IT team.
Use Case #3 – Distributed Firewall at Branch
There are so many ways to deploy a firewall at the branch. Whether it is configuration on the WAN edge, a VNF on uCPE, or another box entirely, it is still another thing at every site that needs to be managed, patched and kept consistent. Running a VNF firewall on a WAN edge device is complex. Just because it can be done according to the solution brief does not mean it is the right solution for most. In all my 20 years in telco, one thing I can guarantee is that complexity equals problems. Having a separate firewall device, or a firewall that is part of the SD-WAN solution, simplifies the design and lets cloud-destined traffic be secured under a single set of centrally managed policies.
Use Case #4 – Cloud Based Firewall
There is a lot of discussion about this approach and, in my view, it is likely to become the dominant one in coming years. It combines the value proposition of a Managed Network Firewall with direct-to-internet distribution of traffic. Having said that, it is not a cheap approach at the moment and arguably has little merit in a geography like Australia, where all traffic is destined for Sydney anyway; but it is tough to beat for managing international sites and a public cloud availability-zone footprint spread across those countries. This approach gives you one policy control and event management portal for a globally distributed network without funnelling data through a central point.
In summary, which firewall solution is right for you? We think the key considerations for SDWAN deployments are as follows:
- How will you manage security (firewall and encryption specifically)?
If you are a DIY shop, then Use Case #1 might appeal. If not, and you want to leverage a Managed Service, then Use Cases #2-4 provide a better option.
- How will users interact with cloud-based services?
If you are a multi-national company with sites in Europe or North America, then local internet breakout and security at the edge actually matter: user traffic goes direct from the branch to the cloud service, so it has to be secured where it leaves, by a firewall solution such as Use Case #3 or #4. If you are an Australian company, then it is likely that all of the cloud services are hosted in Sydney anyway. Use Case #2 then becomes more cost effective and provides the same performance, since users are already close to the services and you only need one firewall instance to manage.
I hope this has been useful. For the record, we have leaned into Use Case #2, the Managed Network Firewall, as the approach for our customers. At this stage, for most of our Australian customers this provides the best balance of a managed solution and proximity of users to cloud services for performance.