This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
A SASE Strategy for Security, SD-WAN
Existing network approaches don’t provide the levels of security and access control many digital enterprises require. Enterprises today also demand immediate access for their users, no matter where they are located or which device they are on, in a way that meets all their security requirements. For too long, network routing and security have been separate entities. However, merging them creates synergies beyond stacking the two together with network function virtualization. Zero trust networking and Secure Access Service Edge (SASE), Gartner’s latest buzzword, are both gaining importance, and many are interested in how to incorporate these concepts into their SD-WAN solution.
One advantage of SASE is modularity, which means using only the security components that are required instead of the entire security stack that comes with today’s next-generation firewalls. For instance, an enterprise can provide internet off-load at a campus location and create a policy that if the site is on the whitelist of approved sites, and the application is TLS authenticated and encrypted with a validated certificate, then the user can route directly to an application like Office365 or Webex. All other traffic will then be directed to a more robust security stack that provides web filtering, sandboxing, DNS security, credential theft prevention, data loss prevention, and next-generation firewall policies.
One of my pet peeves (I have many) is that security rules are binary; they only allow or deny access. Good security is intelligent, dynamic, and continuous. One way SD-WAN and SASE empowers this is moving from security rules that aren’t just on the link, but one for every network session that connects users and devices to services, applications, and data. Zero trust networking at its core is the 1:1 micro-segmentation between these users, devices, services, applications, and data. Zero trust is also creating a whitelist of where traffic is allowed to go versus a blacklist of where traffic is not allowed.
SD-WAN routing and security capabilities enable:
- Flexibility — Using what is required versus a full, bloated software stack.
- Cost savings — Instead of buying and managing multiple point products, utilizing a single platform will dramatically reduce your costs and IT resources.
- Increased security — A Zero Trust approach to the cloud removes trust assumptions when users, devices, and applications connect. A SASE solution provides complete session protection, regardless of whether a user is on or off the corporate network.
- Data protection — Implementing data protection policies within a SASE framework helps prevent unauthorized access and abuse of sensitive data.
SD-WANs are built on overlays such as IPsec to get an IP packet to route across a path that the native/original IP header can't, along with providing path security via encryption. VxLAN is another overlay used by some SD-WAN vendors to provide segmentation and encapsulation over and above what one can do with a standard IP packet.
VxLAN offers a hierarchal, end-to-end method to segment network traffic to provide the performance and security controls that digital enterprises demand. While there is no overall SD-WAN protocol standard, VxLAN is an industry-standard that can be used in data centers, cloud providers, campus, branch-office, and VPN solutions.
Why is VxLAN important? Because of two things:
- Scalability — Traditional VLANs only scale to 4,096 unique networks within a domain. With Zero Trust requiring 1:1 micro-segmentation between users, devices, services, applications, and data, traditional VLANs don’t scale. Security these days isn’t just about north/south segmentation but east/west micro-segmentation. VxLAN scales to 16 million unique networks within a domain.
- Blending virtual & physical networks — The VXLAN VTEP can be implemented in both virtual and physical switches, allowing the virtual network to map to physical resources and network services. VXLAN tunnel end-points (VTEP) perform the encapsulation/de-encapsulation.
The “secret sauce” in utilizing VxLAN to provide a ZTN/SASE is mapping identity and access management (IAM) directories to VxLAN. Directory enabled networking (DEN) has been around for decades but has never taken off, in part because of scalability challenges, which is the same reason routers don’t manage session states as firewalls do. But as networking and routing move to all software and platforms can scale horizontally, scalability is no longer an issue. Thus, the merging of identity and network perimeters.