Digital Innovation at the Branch Requires SD-WAN
Most organizations with multiple locations are implementing a distributed networking strategy that ensures every branch office and user can take advantage of ongoing digital innovation efforts. For true cross-organizational collaboration, productivity enhancement, and improved user experience, every user needs access to essential business applications. To achieve this, they need highly flexible and scalable access to cloud-based applications and resources, direct access to the internet, and on-demand connections to other users and devices.
That is simply not possible with traditional hub-and-spoke branch networking models built around WAN routers and a fixed MPLS connection. Business applications, especially those that deliver rich media or enable highly flexible collaboration between users and locations, such as unified communications, Office 365, and similar tools, require large amounts of bandwidth. In a traditional model, all of that traffic is backhauled through the core network. Multiply that by scores of remote workers in dozens of remote offices and you can quickly overwhelm internal servers, compute resources, and even security and inspection tools.
SD-WAN Requires Integrated Security that can Scale
Fortunately, SD-WAN addresses these connectivity issues. The biggest issue most organizations then face is how to replace the traffic and connectivity security previously provided by the core network. Simply adding an overlay security solution to an SD-WAN device to approximate the protection the core previously provided can significantly, and unexpectedly, increase both capital and ongoing operational expenses.
It can also limit their ability to scale their SD-WAN deployments, because adding layers of siloed security across multiple sites can increase management complexity exponentially. For a recent customer looking to deploy an SD-WAN connectivity and security solution to over 700 locations, that sort of scale is not achievable without massive support resources or significant compromises in functionality and security.
A Secure SD-WAN solution resolves these issues by adding connectivity, traffic shaping, network management, and application recognition tools to an existing next-generation firewall appliance. This ensures that a full range of protections is integrated into the SD-WAN functionality by default, and that deployments can scale seamlessly across hundreds or even thousands of remote locations without adding implementation, management, or optimization overhead.
The Unique Challenge of Interconnecting Wholly Owned Subsidiaries
Scalability and interoperability are critical requirements for many organizations. Banks and insurance companies, for example, may have hundreds or even thousands of branch offices that require scalable and flexible connectivity. Organizations that use a franchise model, where many or even all branch offices are wholly owned subsidiaries, complicate the issue further. Connections not only need to provide scalable access to critical resources, but must also maintain the privacy and integrity of the individual owners while protecting core and cloud-based resources from branch LANs that the main office does not fully control.
For example, as mentioned above, we recently designed and deployed a Secure SD-WAN solution for a company with over 700 locations, many of them wholly owned subsidiaries. Their first goal was to replace their traditional connectivity model, built on expensive MPLS connections to a private cloud, with one that provided far better access to online and cloud-based resources. They also wanted to make their WAN more robust and efficient: eliminate chronic network outages, improve user experience, and make it simpler for remote offices and franchise owners to reach critical business tools and resources by leveraging the application steering, connection monitoring, and management tools SD-WAN provides.
The other part of the challenge was to ensure that every connection received optimal security, including traffic encryption and inspection, firewall and IPS defenses, and even web filtering and sandboxing, to protect individual branch offices while preventing malware from spreading between operators. They also wanted to establish and maintain policy synchronization so protection stays consistent across the entire distributed landscape, eliminating the threat of a "weakest link" exposing everyone else to risk.
Addressing Connectivity, Security, and Centralized Management with a Single Solution
By carefully selecting from among four SD-WAN candidates, they deployed a solution designed to address their entire set of objectives. Any full-service SD-WAN solution, such as Fortinet Secure SD-WAN, needs to address the triple challenge of connectivity, security, and management:
For connectivity, an SD-WAN solution needs to provide dynamic connection scalability, traffic steering and shaping for optimum performance, application recognition for fast and seamless connections to resources, and path monitoring with sub-second switchover to another path to protect latency-sensitive applications from jitter and packet loss. For more complex deployments, it also needs advanced routing methods such as multicast for efficient distribution of one-to-many traffic. And it has to support a variety of connection options, from direct broadband and internet connections to MPLS, as well as LTE as a path of last resort to maintain maximum network uptime.
For security, that same solution needs to provide the suite of tools the core network previously provided: NGFW and IPS prevention and detection, web filtering, antivirus and anti-malware, VPN encryption coupled with high-speed inspection of encrypted traffic, and sandboxing to detect zero-day threats. Just as importantly, that security needs to be integrated into the networking functionality so both can respond to dynamically changing connections at the same time. Otherwise, security will be perpetually trying to keep up with connectivity changes, creating gaps and lag times in protection that cybercriminals are prepared to exploit. And finally, that security needs to run both ways, protecting both the branch and the larger network from compromise.
The other element of this integrated approach is centralized management and analytics. To reduce deployment cost where there is little or no IT staff on site, and especially when the local branch network is controlled by an independent franchise owner, any Secure SD-WAN solution under consideration also needs to include zero-touch deployment. This ensures seamless implementation and integration with the local branch network, and accelerates on-ramping to cloud applications and other resources.
You also cannot afford separate management consoles for security and networking. Policies need to be set centrally and apply to both sides so that bandwidth can scale up and down, and connections can adjust dynamically to fluctuations in availability, without ever leaving security behind. There also needs to be a single window into network and security functionality so the ramifications of adjustments made anywhere across the Secure SD-WAN deployment can be seen and managed. Centralized visibility also reduces troubleshooting cycles, especially when that security is tied back into the branch to provide local LAN protection, as well as into a central SOC/NOC for a real-time unified view across the entire landscape.
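To make the connectivity requirement above concrete, here is an added illustration (not Fortinet code, and not the customer deployment described in this post) of how an SD-WAN edge steers an application across WAN links: each link is health-probed on a fixed cadence, a link that fails the application's latency/jitter/loss SLA is dropped from rotation, a link is declared dead after a run of lost probes (so detection is sub-second at a 200 ms probe interval), and an LTE link marked as last resort is used only when every other link is down. The names `Sla`, `Link`, `choose_path`, the 200 ms probe interval, the thresholds, and the probe samples are all constructed for this example.

```python
"""SLA-driven WAN path steering: an added, generic illustration in Python.

Not Fortinet code; the class names, thresholds and probe data are constructed
for this example. It models three things the text calls for: per-application
SLA checks on latency/jitter/loss, sub-second dead-link detection by counting
consecutive lost health probes, and a last-resort link (LTE) used only when
every other link is dead.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROBE_INTERVAL_MS = 200          # health-check cadence assumed for this example


@dataclass(frozen=True)
class Sla:
    """Per-application thresholds; a link must satisfy all three to carry the app."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class Link:
    name: str
    cost: int                     # preference among SLA-compliant links (lower wins)
    last_resort: bool = False     # e.g. LTE: only used when all other links are dead
    fail_threshold: int = 3       # consecutive lost probes before the link is declared dead
    recover_threshold: int = 5    # consecutive answered probes before a dead link is trusted again
    alive: bool = True
    latency_ms: float = field(default=0.0, init=False)
    jitter_ms: float = field(default=0.0, init=False)
    loss_pct: float = field(default=0.0, init=False)
    _fails: int = field(default=0, init=False, repr=False)
    _oks: int = field(default=0, init=False, repr=False)

    def observe(self, probe: Optional[Tuple[float, float, float]]) -> None:
        """Feed one health-check result: (latency, jitter, loss) or None for no reply."""
        if probe is None:
            self._fails += 1
            self._oks = 0
            if self._fails >= self.fail_threshold:
                self.alive = False      # last-known metrics are kept, but the link is out
            return
        self.latency_ms, self.jitter_ms, self.loss_pct = probe
        self._fails = 0
        self._oks += 1
        if not self.alive and self._oks >= self.recover_threshold:
            self.alive = True           # hysteresis: a flapping link must prove itself

    def meets(self, sla: Sla) -> bool:
        return (self.alive
                and self.latency_ms <= sla.max_latency_ms
                and self.jitter_ms <= sla.max_jitter_ms
                and self.loss_pct <= sla.max_loss_pct)


def detection_time_ms(link: Link) -> int:
    """Worst-case time from the first lost probe to the link being declared dead."""
    return link.fail_threshold * PROBE_INTERVAL_MS


def choose_path(links: List[Link], sla: Sla) -> Optional[str]:
    """Pick the link an application flow should take right now, or None if all are dead."""
    primary = [l for l in links if l.alive and not l.last_resort]
    compliant = [l for l in primary if l.meets(sla)]
    if compliant:
        return min(compliant, key=lambda l: l.cost).name
    if primary:
        # Brownout: no link meets the SLA, so stay on the least-bad live link
        # rather than burning the last-resort link's quota.
        return min(primary, key=lambda l: (l.loss_pct, l.jitter_ms, l.latency_ms)).name
    backup = [l for l in links if l.alive and l.last_resort]
    return min(backup, key=lambda l: l.cost).name if backup else None


VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)


def run_scenario() -> List[Optional[str]]:
    """Replay a constructed outage sequence and return the path chosen at each tick."""
    mpls = Link("mpls", cost=10)
    broadband = Link("broadband", cost=20)
    lte = Link("lte", cost=90, last_resort=True)
    links = [mpls, broadband, lte]
    # One (mpls, broadband, lte) probe triple per PROBE_INTERVAL_MS tick; constructed data.
    ticks = [
        ((20, 2, 0.0), (35, 5, 0.0), (80, 20, 0.5)),   # all healthy: cheapest link, MPLS
        ((25, 45, 0.2), (34, 5, 0.0), (82, 21, 0.5)),  # MPLS jitter > 30 ms: voice moves to broadband
        ((21, 2, 0.0), (33, 4, 0.0), (80, 20, 0.5)),   # MPLS back within SLA: moves back
        (None, (33, 4, 0.0), (80, 20, 0.5)),           # MPLS misses probe 1: debounced, no failover
        (None, (34, 4, 0.0), (80, 20, 0.5)),           # miss 2
        (None, (34, 5, 0.0), (80, 20, 0.5)),           # miss 3: MPLS dead after 600 ms, failover
        (None, (40, 8, 3.0), (80, 20, 0.5)),           # broadband 3% loss: brownout, still best live link
        (None, None, (80, 20, 0.5)),                   # broadband misses probe 1
        (None, None, (80, 20, 0.5)),                   # miss 2
        (None, None, (80, 20, 0.5)),                   # miss 3: broadband dead, fall back to LTE
    ]
    chosen = []
    for probes in ticks:
        for link, probe in zip(links, probes):
            link.observe(probe)
        chosen.append(choose_path(links, VOICE_SLA))
    return chosen


if __name__ == "__main__":
    print(run_scenario())
```

Two design points worth noting: a single lost probe does not trigger failover (that would make every transient drop a path flap), and a dead link needs a longer run of good probes to come back than it needed to be declared dead, which keeps a flapping circuit from dragging latency-sensitive flows back and forth. A production edge would additionally consult the application's identity (the "application recognition" the text mentions) to pick the SLA, rather than using one voice profile for everything.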
Bringing it All Together
A true Secure SD-WAN solution is essential for accelerating the on-ramping of branch offices to essential business applications and services, whether those branch offices all belong to the same organization or are separate entities. Either way, they all need connectivity, security, and unified management to deliver the best possible user experience, with the added benefit of being able to treat each branch as a separate entity when and where appropriate.
Fortinet’s Secure SD-WAN solution includes best-of-breed next-generation firewall (NGFW) security, SD-WAN, advanced routing, and WAN optimization capabilities, delivering a security-driven networking WAN edge transformation in a unified offering.
Written By Nirav Shah