
The power of Secure SD-WAN: Harnessing the benefits of integrated networking and security
Barracuda research on the state of network security revealed that a majority of companies have deployed or are planning to deploy a software-defined wide area network (SD-WAN). This type of networking is a popular solution to performance, security, and other challenges that come with dispersed networks. The most basic definition of SD-WAN is that it is a software-based approach to networking that simplifies the management of wide-area networks.
SD-WAN basics
The original intention of SD-WAN was to connect branch offices inexpensively to the company headquarters or server resources in a data center, which were often located in the same building. SD-WAN allowed companies to replace expensive and often slow MPLS connections with simple internet connections and still achieve a higher level of security and reliability than the companies had with leased lines. This was possible due to some specific software-based features:
- Encryption in site-to-site VPN connections allowed for cost-effective and highly secured internet connections. It was not necessary to use an expensive dedicated line for security with this capability, though expensive leased lines might remain in place for remote desktop connections and other applications that require very low latency.
- Redundancy could be achieved by configuring multiple providers in combination with fallback mechanisms like mobile phone networks. Multiple public internet connections were often less expensive than leased lines.
- Application-based routing with Quality of Service allows administrators to make the most of network bandwidth. With proper configuration, an SD-WAN can ensure that the most important network traffic gets the bandwidth it needs.
Early SD-WAN configurations are no longer sufficient for most companies. Changing requirements over the past few years make it necessary to completely rethink software-based networks. Branch location connectivity is still a valid use case, but the VPN traffic between locations has been significantly reduced. Software-as-a-service applications like Slack, Microsoft 365, Salesforce, etc., have moved most internal company communication into the public cloud. Many companies are prioritizing access to external resources more than other company locations.
This shift to external applications required a shift in security awareness. While traditional SD-WAN secures site-to-site VPN connections, it often lacks other security features. The solution here is found in a new model known as Secure SD-WAN. This is a solution that combines multiple use cases. The benefits of unified management with a focus on intuitive operation and user-friendliness are overwhelming. Traditional isolated solutions will soon disappear.
SASE and Secure SD-WAN
Secure SD-WAN is included in the cloud-native Secure Access Service Edge (SASE) architecture defined by Gartner in 2019. SASE (pronounced “sassy”) combines software-based networking with network security services to provide dynamic secure access to company resources. The additional security features give us Secure SD-WAN.
With the adoption of SaaS applications and remote work, companies require agile networks that can support secure access to dispersed resources. Users and devices need to connect from any location to resources that are mostly in the cloud but could also be deployed on-premises. This type of hybridity means that a networking solution designed specifically for site-to-site connectivity is no longer sufficient. SaaS applications and other cloud workloads must be securely connected to the corporate network. Secure SD-WAN can be extended to different public clouds to meet this need.
Firewall-as-a-service and Zero Trust Network Access
The security components in the SASE architectural concept include Firewall-as-a-service (FWaaS) and Zero Trust Network Access (ZTNA). Each can work with or independently of other solutions.
FWaaS is just like it sounds — it is a network firewall that operates in the cloud as a service. The seamless integration into the rest of the network is one of the primary benefits of this solution.
An independent FWaaS deployment may provide the necessary security, but combining it with an SD-WAN offers significant advantages. The combination of the solution components in the cloud and on-premises creates a powerful and easy-to-manage deployment variant with unique selling points. In this way, all company locations are securely connected to the cloud, even if they are not publicly accessible. Whether that’s a direct connection from the location or traffic being backhauled to a central hub depends on the use case.
Secure networking doesn’t stop with a firewall and secure site-to-site connections. Many network users work remotely, sometimes using public wireless or other insecure networks. A complete security solution enables secure user access to private resources in the cloud or on-premises from any location with an internet connection. The best way to provide secure access to these users is with ZTNA.
ZTNA is an access control solution for users and devices. Zero Trust authentication is founded on the principle of ‘never trust, always verify.’ Unlike a VPN connection, a Zero Trust connection repeatedly authenticates the user and device each time the user requests something on the network. While a VPN relies on a credential set to establish trust, Zero Trust relies on credentials, device, time, and other parameters configured by administrators. Zero Trust also establishes and enforces the Principle of Least Privilege.
Together with SD-WAN, ZTNA is an integral part of a modern SASE approach and ideally works fully integrated with it, automatically detecting the best path to the desired resource. Combining Secure SD-WAN with remote access for users also allows the security features to be extended to the endpoint. Implementing security on the device and additionally inspecting suspicious or at-risk network traffic on the SD-WAN device or in the cloud achieves a significantly higher security level.
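The difference between session-based VPN trust and per-request Zero Trust evaluation described above can be shown with a small simulation. This is an added example, not Barracuda code; the policy table, user names, resources, hours and the simplified VPN model are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical least-privilege policy (constructed): resources and hours per user.
POLICY = {
    "alice": {"resources": {"crm", "wiki"}, "hours": (time(7, 0), time(19, 0))},
}

@dataclass
class Request:
    user: str
    credential_ok: bool     # outcome of credential verification
    device_compliant: bool  # device posture at the moment of the request
    at: time                # local time of the request
    resource: str

def vpn_style_allow(session_established: bool, req: Request) -> bool:
    """Simplified VPN model: trust is set once at login and reused afterwards."""
    return session_established

def ztna_decide(req: Request) -> tuple[bool, str]:
    """Evaluate every request on its own; anything not explicitly granted is denied."""
    entry = POLICY.get(req.user)
    if entry is None or not req.credential_ok:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture failed"
    start, end = entry["hours"]
    if not (start <= req.at <= end):
        return False, "outside allowed hours"
    if req.resource not in entry["resources"]:
        return False, "resource not granted"
    return True, "allowed"

def replay(requests):
    """Return (vpn_result, ztna_result, reason) for each request of one session."""
    session = bool(requests) and requests[0].credential_ok  # login happens once
    return [(vpn_style_allow(session, r), *ztna_decide(r)) for r in requests]

# Constructed sample session: one login, then conditions change.
SAMPLE = [
    Request("alice", True, True, time(9, 0), "crm"),
    Request("alice", True, False, time(9, 30), "crm"),     # posture fails mid-session
    Request("alice", True, True, time(23, 0), "crm"),      # after hours
    Request("alice", True, True, time(10, 0), "payroll"),  # never granted
]

if __name__ == "__main__":
    for vpn, zt, why in replay(SAMPLE):
        print(f"vpn={vpn} ztna={zt} ({why})")
```

Only the first request passes the per-request check, while the session-based model would have let all four through after the initial login.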
On-premises Secure SD-WAN
Despite the advantages of cloud solutions, there are valid use cases for on-premises deployments. The cost factor of cloud traffic must also be considered. In the case of SD-WAN, the underlying idea was cost savings by replacing MPLS. Companies that use both SaaS applications and on-premises application servers might not need to route all traffic through the cloud. Hybrid networks like this will benefit from intent-based routing available with SD-WAN. The best solution connects cloud resources securely and also intelligently determines the best and shortest route based on the traffic.
The combination makes the difference
The real advantage of a mix-and-match solution comes with its flexibility to meet requirements in an organization’s existing deployment. Industry trends clearly show that certain products have turned into features of a bigger platform solution.
Barracuda offers a comprehensive Secure SD-WAN solution that can be fully integrated with Firewall-as-a-Service and Zero Trust Access. Our experts can answer your questions and take you through a demo of these solutions, or help you deploy a free trial in your own environment. Visit our website to get started.