
Evolving Enterprise Security with SD-WAN in the Cloud Era

One of the hottest enterprise networking services is SD-WAN. In its first iteration, it was adopted by many enterprises for branch connectivity, especially where IP-MPLS leased line services were scarce or too expensive. It continued to evolve as enterprises embraced the cloud and SaaS. SD-WAN is increasingly used to connect public and hybrid cloud services to the enterprise network and support multi-edge computing and mobility. A crucial impact of SD-WAN is the changing needs for security in this more distributed, open relationship between the LAN, WAN, and cloud.
Traditionally, branch offices connected to the open Internet and public clouds by passing through the enterprise network to one or more centralized, controlled Internet access points. Trying to protect every branch office, each with its own vulnerabilities, consistently, is complicated and expensive. With SD-WAN, public cloud, and SaaS, there’s a growing need for branches to directly “break out” to the Internet to access business applications.
As it turns out, distributing the centralized, one-gate, one-drawbridge approach to security is relatively straightforward in an SDN. SD-WAN can distribute central security functions to any endpoint with relative ease using policies. Just as early-day SD-WAN virtualized the branch connection over any kind of transport, the next-generation can use that same platform to implement virtualized network functions (VNFs), such as firewalls and NACs, with greater awareness of local user behavior.
Generally, this approach to security is referred to as the secure access service edge (SASE). Gartner argues that over the next decade the WAN edge and network security markets will converge into one, driven by enterprise digital transformation and the embrace of cloud services. Edge cloud computing for automation and the need for ultra-low latencies at distributed points of presence (POPs) will be key drivers as well.
In this view, any endpoint is equal to another. It could be an enterprise campus, a branch office, or a multi-edge computing (MEC) function that supports localized AI, machine learning (ML), or analytics functions in support of an automated process. Security policies for a specific service instance can be spun up at any single or multiple WAN access points using appropriate security functions.
Another reason for the shift to a SASE model is the availability of enhanced capabilities that protect a network from known threats and can also identify new threats in real or near-real time. In traditional perimeter security models, enterprises relied on databases of identified threats to configure firewalls and NACs. Experience shows that certain kinds of attacks, such as DDoS, can infect machines inside and outside the network, arriving through malicious insiders, unwitting suppliers, or careless IoT device manufacturers. Once inside, perimeter security never sees them.
Newer security models use AI/ML to spot anomalies: the system constructs a model of normal behavior on the network and across the WAN connection. Deviation from the norm triggers an alert that a human being must investigate; if the anomaly is judged normal, the AI/ML security analytics ‘learns’ to ignore it. Otherwise, it is treated as a threat.
This makes the security system more sensitive to context. The model of normal behavior for a branch might be different from head office, a data center, or a MEC running a local IoT network. SD-WAN can virtualize, distribute, and run these analytics functions, providing embedded security for any endpoint.
Ideally, local enterprise anomaly detection is integrated with SECaaS to track globally known threats, while monitoring the WAN for anomalies based on behavior models in the larger network. Anomalous behavior picked up on an enterprise endpoint can be correlated to awareness at a global level of a current DDoS attack, which can then direct the appropriate enterprise SASE function to remove infected traffic in real-time at the edge.
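The detection loop described in the three paragraphs above, as an added example that is not No Jitter's code nor any SD-WAN vendor's product logic: each endpoint (branch, head office, MEC site) keeps its own baseline of normal outbound behavior, a deviation raises an alert for investigation, an analyst can mark an alert benign so the model stops flagging it, and a local anomaly that matches a globally known threat is turned into a block-at-edge action. The `Flow` records, endpoint names and the `GLOBAL_THREAT_FEED` entries are all constructed for illustration (RFC 5737 documentation addresses), as a stand-in for a real SECaaS feed.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed stand-in for a SECaaS threat feed: addresses currently reported as
# taking part in a DDoS campaign. All IPs here are RFC 5737 documentation ranges.
GLOBAL_THREAT_FEED = {"203.0.113.9"}

MIN_SAMPLES = 8     # flows an endpoint must contribute before its baseline is trusted
Z_THRESHOLD = 3.0   # standard deviations from the mean that count as anomalous


@dataclass
class Flow:
    endpoint: str    # SASE edge that observed the flow, e.g. "branch-12" or "hq"
    dst_ip: str
    bytes_out: int


@dataclass
class Baseline:
    """Model of normal behaviour for one endpoint: outbound volume statistics plus
    the destinations it habitually talks to. Each endpoint keeps its own, so a
    branch, head office and MEC site are judged against different norms."""
    volumes: list = field(default_factory=list)
    known_dsts: set = field(default_factory=set)
    approved: set = field(default_factory=set)   # analyst-confirmed benign destinations

    def learn(self, flow):
        self.volumes.append(flow.bytes_out)
        self.known_dsts.add(flow.dst_ip)

    def trained(self):
        return len(self.volumes) >= MIN_SAMPLES

    def z_score(self, flow):
        """How far the flow's volume sits from this endpoint's norm, in std devs."""
        mu, sd = mean(self.volumes), pstdev(self.volumes)
        if sd == 0:
            return 0.0 if flow.bytes_out == mu else float("inf")
        return abs(flow.bytes_out - mu) / sd


class EdgeAnalytics:
    def __init__(self, feed=GLOBAL_THREAT_FEED):
        self.baselines = {}   # endpoint name -> its own Baseline
        self.feed = feed

    def baseline_for(self, endpoint):
        return self.baselines.setdefault(endpoint, Baseline())

    def evaluate(self, flow):
        """Return (verdict, reason). Verdicts: normal, investigate, block_at_edge."""
        b = self.baseline_for(flow.endpoint)
        reasons = []
        if b.trained() and flow.dst_ip not in b.approved:
            z = b.z_score(flow)
            if z > Z_THRESHOLD:
                reasons.append(f"volume z={z:.1f}")
            if flow.dst_ip not in b.known_dsts:
                reasons.append("new destination")
        # Correlate with global awareness: a destination the feed currently flags is
        # removed at the edge whether or not the local model has finished training.
        if flow.dst_ip in self.feed:
            reasons.append("matches global threat feed")
            return "block_at_edge", "; ".join(reasons)
        if reasons:
            return "investigate", "; ".join(reasons)
        b.learn(flow)  # assumption: the training set and flows judged normal are clean
        return "normal", "within baseline"

    def mark_normal(self, flow):
        """Analyst feedback: the alert was benign, so fold the flow into the
        baseline and stop flagging that destination for this endpoint."""
        b = self.baseline_for(flow.endpoint)
        b.approved.add(flow.dst_ip)
        b.learn(flow)


if __name__ == "__main__":
    ea = EdgeAnalytics()
    for v in (1000, 1050, 1100, 1150, 1200, 1000, 1100, 1150, 1050, 1200):
        ea.evaluate(Flow("branch-12", "198.51.100.20", v))   # trains the branch baseline
    print(ea.evaluate(Flow("branch-12", "203.0.113.9", 9_000_000)))
    print(ea.evaluate(Flow("branch-12", "198.51.100.77", 1100)))
```

The caveat a practitioner will want is the one flagged in the comment: a baseline learned from traffic that already contains the compromise will treat it as normal, so the training window needs to be validated, and the analyst's "mark normal" feedback is itself a privileged action worth logging, since it silences future alerts for that destination.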
These new security models are in the works, with efforts on multiple fronts. The bets at this point are on SASE eventually spelling the end of traditional perimeter security implemented in a separate firewall appliance. As we move to 5G, with the WAN’s fully virtualized core architecture and network slicing, the traditional demarcation between LAN and WAN all but disappears.
Enterprises considering SD-WAN should be thinking beyond branch connectivity and cost savings. What is emerging is a much more fluid notion of what constitutes the enterprise network and the WAN. As cloud technologies such as SDN and virtualization break out of the data center, next-generation SD-WAN services should enable enterprises to manage their digital transformation and their user, network, and application security with much greater simplicity, scalability, and flexibility.