Geographically dispersed enterprises are rapidly adopting software-defined wide area networks (SD-WANs).

SD-WANs lower costs, reduce complexity and, when built on a secure platform, make branch communications more secure, while also helping businesses become more agile and responsive.

Marcel Fouché, networking and storage GM at Silver Peak distributor Networks Unlimited Africa, comments: “SD-WAN technology is designed to connect enterprise network locations, including branch offices and data centres, over large geographic distances.

“It allows enterprises that operate across different sites to reduce the number of physical devices required in their networks, with a resulting decrease in costs. Additionally, the technology also lowers the costs associated with maintaining technology deployed in remote locations.

“An SD-WAN solution enables business processes by letting companies use multiple forms of connectivity, including lower-cost broadband internet services, which delivers significant capex and opex savings, while improving performance across the WAN.”

Additionally, says Fouché, SD-WAN technology offers advantages in the small to medium enterprise (SME) environment, where it lets businesses use the cloud more securely and cost-effectively. But he notes that it takes the right SD-WAN solution to make broadband internet services secure enough for the enterprise, adding that Silver Peak offers six ways to use a secure SD-WAN solution to improve network security and compliance.

Safely use broadband internet services for cost-effective transport

The right SD-WAN solution makes broadband internet links usable as secure, reliable transport by building encrypted tunnels between every site in the SD-WAN (for inter-branch and branch-to-headquarters traffic), while relying on the transport layer security (TLS, still widely referred to as secure sockets layer or SSL) provided by the software-as-a-service (SaaS) application itself for traffic that goes from the branch directly to the application over the internet.

This gives internet transport the protection of a virtual private network (VPN), but without the per-site effort of provisioning and configuring VPN tunnels by hand. With edge-to-edge encrypted tunnels and a stateful firewall, a secure SD-WAN solution can prevent unauthorised outside traffic from entering the branch. Note that the tunnels protect traffic only between SD-WAN edges; direct-to-SaaS traffic depends on the application's TLS, so the edge should still control which destinations branch hosts may reach directly.


Apply micro-segmentation for highly granular security

Micro-segmentation (segmenting traffic based on application characteristics, performance requirements and security policies) is a best-practice approach to security, but has traditionally been difficult to apply in WAN environments. With the right SD-WAN solution, however, granular security controls can be applied to a very small group of resources: for example, defining a specific set of policies for a particular branch location's use of critical applications such as a customer relationship management (CRM) system; cloud-based applications such as Microsoft Office 365; and real-time traffic such as voice over IP (VoIP).

With micro-segmentation, you can improve security by:

* Segmenting and applying distinct policies for each application or group of applications;

* Responding quickly to threats to contain and isolate them from other segments;

* Automating policy enforcement;

* Reducing the attack surface by isolating applications; and

* Gaining greater control and manageability.


Securely connect branches directly to internet applications

With multiple application-intelligence techniques, including first-packet identification (classifying a flow from its first packet, typically by matching the destination address and port against a maintained application map, so the steering decision is made before the session is established rather than after inspecting payload), you gain the ability to direct traffic granularly based on policy: for example, directly to the internet for trusted traffic; to a secure web gateway for other traffic such as YouTube streaming; or to a headquarters-based next-generation firewall for unknown or suspicious traffic.

You can mitigate security risks while enabling the SD-WAN to adapt automatically to changing conditions. In addition to first-packet identification, the SD-WAN solution should also have a built-in stateful firewall that ensures no unauthorised outside traffic can enter the branch, while branch-initiated sessions and their return traffic are allowed.
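The following is an added illustration of the two preceding sections (micro-segmentation and policy-based steering with a stateful edge firewall); it is example code written for this page, not Silver Peak's implementation. It assumes a constructed first-packet identification table keyed on destination prefix and port (using RFC 5737 documentation ranges, not real SaaS addresses), hypothetical segment names ("branch-retail", "branch-callcentre") and hypothetical path labels ("DIRECT", "SWG", "HQ_TUNNEL", "HQ_NGFW", "DIRECT_QOS").

```python
"""Illustrative SD-WAN branch edge: first-packet application identification,
per-segment steering and a stateful firewall. Added example, not Silver Peak
code. All addresses are RFC 5737 documentation ranges and the application
table is constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed first-packet identification table. A real classifier keeps a
# maintained map of SaaS and data-centre prefixes so a flow can be named from
# its very first packet, before any payload is seen.
APP_PREFIXES = [
    (ip_network("203.0.113.0/24"), "office365"),  # hypothetical SaaS range
    (ip_network("198.51.100.0/24"), "crm"),       # hypothetical CRM range
    (ip_network("192.0.2.0/24"), "youtube"),      # hypothetical streaming range
]
APP_PORTS = {5060: "voip", 5061: "voip"}          # SIP signalling ports

# Micro-segmentation: each segment (branch role) carries its own policy that
# maps an application to a steering path. Unknown or unlisted traffic falls
# through to the headquarters next-generation firewall for inspection.
SEGMENT_POLICY = {
    "branch-retail": {"office365": "DIRECT", "crm": "HQ_TUNNEL",
                      "youtube": "SWG", "voip": "HQ_TUNNEL"},
    "branch-callcentre": {"office365": "DIRECT", "crm": "HQ_TUNNEL",
                          "youtube": "SWG", "voip": "DIRECT_QOS"},
}
DEFAULT_PATH = "HQ_NGFW"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def identify_app(flow: Flow) -> str:
    """Name the application from the first packet's destination alone."""
    dst = ip_address(flow.dst)
    for net, app in APP_PREFIXES:
        if dst in net:
            return app
    return APP_PORTS.get(flow.dport, "unknown")


def steer(segment: str, flow: Flow) -> tuple[str, str]:
    """Return (application, path) for a flow under the segment's policy."""
    app = identify_app(flow)
    return app, SEGMENT_POLICY.get(segment, {}).get(app, DEFAULT_PATH)


class StatefulFirewall:
    """Edge firewall: branch-initiated sessions and their replies are allowed,
    anything else arriving from outside is dropped."""

    def __init__(self, branch_net: str):
        self.branch = ip_network(branch_net)
        self.sessions: set[tuple] = set()

    def admit(self, flow: Flow) -> bool:
        key = (flow.src, flow.sport, flow.dst, flow.dport, flow.proto)
        if ip_address(flow.src) in self.branch:
            self.sessions.add(key)          # outbound: create session state
            return True
        reverse = (flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        return reverse in self.sessions     # inbound: only replies to known state


def edge_decision(fw: StatefulFirewall, segment: str, flow: Flow) -> tuple[str, str]:
    """Decision for one packet: ('DROP', app), ('REPLY', app) or (path, app)."""
    app = identify_app(flow)
    if not fw.admit(flow):
        return "DROP", app
    if ip_address(flow.src) not in fw.branch:
        return "REPLY", app                 # return traffic of an existing session
    return steer(segment, flow)[1], app


if __name__ == "__main__":
    fw = StatefulFirewall("10.1.0.0/24")
    sample = [  # constructed flows seen at a retail branch edge
        Flow("10.1.0.10", "203.0.113.5", "tcp", 40000, 443),   # SaaS, direct
        Flow("10.1.0.11", "192.0.2.9", "tcp", 40001, 443),     # streaming, via SWG
        Flow("10.1.0.12", "100.64.0.1", "tcp", 40002, 8443),   # unknown, to HQ NGFW
        Flow("203.0.113.5", "10.1.0.10", "tcp", 443, 40000),   # reply, allowed
        Flow("203.0.113.5", "10.1.0.10", "tcp", 443, 50000),   # unsolicited, dropped
    ]
    for f in sample:
        print(f"{f.src} -> {f.dst}:{f.dport}", edge_decision(fw, "branch-retail", f))
```

The point to notice is that the steering decision never needs payload: the same flow is classified identically whether or not the first packet carries data, and the firewall state created by the outbound packet is the only thing that lets the reply back in, so an outside host probing a different port at the same branch address is dropped.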


Make zero-touch provisioning secure

Moving to an SD-WAN solution allows for zero-touch provisioning, which lets the network operator bring a new branch or remote location online in a matter of minutes, with no specialised IT expertise required at the branch.

Zero-touch provisioning also minimises the risk of human error, because a policy is defined once and then distributed automatically to all devices in the SD-WAN. However, because a device can join the network with no one technical on site to vouch for it, the provisioning path itself becomes an attack surface and needs its own security measures.

The right SD-WAN solution will offer:

* A chain of trust enforced through a controller, orchestrator or certificate authority to authenticate branch devices;

* Strong encryption that creates a secure channel to enforce the chain of trust;

* Centralised approval and revocation of devices;

* Two-factor authentication for greater protection; and

* The ability to take unauthorised or rogue devices out of the network by dropping all traffic and preventing the download of configuration information.
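The enrolment flow the list above describes, written as an added example for this page (it is not Silver Peak's implementation, and the class and method names are hypothetical). To keep it runnable with the Python standard library, an HMAC computed with an orchestrator-held key stands in for the certificate authority's signature; a real deployment uses X.509 device certificates and a proper CA. The example shows centralised approval via a one-time claim code, credential issuance, revocation, and the two enforcement points the page names: refusing the configuration download and refusing traffic from a device outside the chain of trust.

```python
"""Illustrative zero-touch provisioning chain of trust for SD-WAN edge devices.
Added example, not Silver Peak's implementation. An HMAC under an
orchestrator-held key stands in for a CA certificate signature."""
import hashlib
import hmac
import json
import secrets
import time


class Orchestrator:
    """Central authority: approves devices, issues and revokes credentials, and
    serves configuration only to devices that pass the chain of trust."""

    def __init__(self):
        self._ca_key = secrets.token_bytes(32)  # stand-in for the CA private key
        self.approved = {}    # serial -> single-use claim code issued by an operator
        self.revoked = set()  # serials taken out of the network
        self.configs = {}     # serial -> branch configuration (constructed data)

    def approve(self, serial: str, config: dict) -> str:
        """Operator pre-approves a serial centrally; the returned claim code is
        handed to the branch out of band and is the second factor at enrolment."""
        code = secrets.token_hex(8)
        self.approved[serial] = code
        self.configs[serial] = config
        return code

    def _sign(self, payload: dict) -> str:
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._ca_key, msg, hashlib.sha256).hexdigest()

    def enrol(self, serial: str, claim_code: str):
        """Issue a signed credential only to an approved serial presenting the
        matching claim code. Returns None for anything else."""
        expected = self.approved.get(serial)
        if expected is None or not hmac.compare_digest(expected, claim_code):
            return None
        del self.approved[serial]  # the claim code cannot be replayed
        cred = {"serial": serial, "issued": int(time.time())}
        return {"cred": cred, "sig": self._sign(cred)}

    def verify(self, credential: dict) -> bool:
        """Chain-of-trust check: signature must verify and serial must not be revoked."""
        cred, sig = credential["cred"], credential["sig"]
        if not hmac.compare_digest(self._sign(cred), sig):
            return False
        return cred["serial"] not in self.revoked

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)

    def fetch_config(self, credential: dict):
        """Configuration download is gated: a rogue, forged or revoked device gets nothing."""
        if not self.verify(credential):
            return None
        return self.configs.get(credential["cred"]["serial"])


def tunnel_peer_allowed(orchestrator: Orchestrator, credential: dict) -> bool:
    """Hub-side check before accepting a tunnel: drop all traffic from a device
    that is not (or is no longer) in the chain of trust."""
    return orchestrator.verify(credential)


if __name__ == "__main__":
    orch = Orchestrator()
    code = orch.approve("SN-1001", {"site": "branch-retail", "wan": ["broadband", "mpls"]})
    cred = orch.enrol("SN-1001", code)
    print("config:", orch.fetch_config(cred))
    orch.revoke("SN-1001")
    print("after revocation:", orch.fetch_config(cred), tunnel_peer_allowed(orch, cred))
```

Two properties are worth checking in any real orchestrator against the same model: the claim code must be single-use so a captured shipping label cannot enrol a second box, and revocation must be consulted at every enforcement point (configuration service and tunnel hub), not only at enrolment.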


Easily orchestrate application-driven security policies

Networking and security technologies need to complement each other. One way to do this is service chaining, which links the SD-WAN with best-of-breed, third-party security solutions (for example, steering selected traffic through a cloud-based secure web gateway or a headquarters firewall). For ease of creating a service chain, choose an SD-WAN solution with:

* Centralised orchestration and management tools for easy service chaining for local, headquarters, or cloud-based application protection;

* Partnerships and technology integrations with leading vendors for comprehensive security solutions; and

* Complete automation with a choice of service chaining over multiple links that can balance loads or work in active-backup mode.


Meet compliance mandates

To improve compliance, look for an SD-WAN solution that offers:

* Data plane security with encrypted overlays and micro-segmentation to segment traffic for greater control and reduction of compliance scope;

* Control and management-plane security that provides system security including role-based access control, alarms, threshold-crossing alerts and more; and

* User authentication, passwords, password controls, roles, and audit logs for change management.