The benefits of SD-WAN are apparent: more bandwidth, local breakouts, flexibility, etc. That being said, the larger attack surface makes it vital for security to be at the forefront of any modern deployment.
Gate Gourmet, an airline services company out of northern Virginia, has been working with SD-WAN since 2014. As an early adopter of the technology, Director of Global IT Infrastructure Barry Bonson-Bruce has watched the solution evolve and transform the way his company works.
Gate Gourmet has specifically seen how important it is to integrate security into SD-WAN. In fact, Bonson-Bruce thinks of their approach as a security-empowered one. “You get all these features, you get all these capabilities and later you realize that security is an issue,” he said. “It should not be an afterthought. It should be first and foremost.”
The Company and Their Network
Here are the basics: Gate Gourmet’s network serves a multinational company headquartered in Zurich. (Gate Gourmet is operational in over 60 countries and serve more than 700 million passengers a year.) We’re talking 200 operating units and 43,000 employees. And approximately 10,000-11,000 of those employees are actively using the network.
Gate Gourmet transitioned to SD-WAN from an MPLS solution. Today, they boast 221 hosts across 132 sites in 33 countries. According to Bonson-Bruce, the network continues to transform alongside their business.
“We have internet breakouts, we have redundancy from diverse carriers, but what [SD-WAN] allowed us to do was increase bandwidth, push out more features, and have the flexibility to adopt things like the cloud,” said Bonson-Bruce. “It’s agile. It’s a beautiful way for us to adapt.”
Security Must-Haves
Drilling down further into Gate Gourmet’s network, Bonson-Bruce lists five features that are critical to his network security.
Gate Gourmet’s network is a managed SD-WAN solution coordinated with Open Systems. They opted for this managed collaboration in large part because of Bonson-Bruce’s first critical security feature: the managed firewall.
This centrally-managed firewall with a global policy gives the Gate Gourmet team the ability to establish local rules. The team pushes out a global policy to all of their sites, but retains the ability to customize locally.
Secondly, the team appreciates the secure web gateway that they’re afforded by this solution. This is basically a managed proxy with SSL scan. “Firewall obviously provides the protection; this is actually a next gen firewall,” Bonson-Bruce explained. “But then you also have the proxy. It allows us to monitor traffic. We see where people are going and if it’s deliberate or if you have malware—you have that visibility.”
This level of monitoring has been key to Gate Gourmet’s success within their security-empowered configuration.
Further, Gate Gourmet also uses network security monitoring as an additional service from Open Systems. This monitors network activity, again providing the Gate Gourmet team with invaluable visibility into the sites people are visiting, destination traffic, anything potentially malicious, etc.
Additionally, the team uses an endpoint detection product that’s deployed on their host. “It ties in beautifully,” said Bonson-Bruce. “You have a feature on the endpoint. You’re looking at the network. The network is security-enabled. You have the gateways with the firewall and proxy. And it’s all integrated. That’s a key piece.”
When you think about security, tools are one thing, but the support behind those tools is just as critical. This is why Bonson-Bruce credits Open Systems’ “Mission Control Experience” as his final security must-have. “You can get great products and deploy them, but how well does the product really run?” he said. “You have all of these tools. You get all of these alerts. But it’s critical that you have someone taking action when things happen.”
“You call into a support team that is knowledgable, they have knowledge of security trends, they understand your network.”
Gate Gourmet has had a positive experience with this support concept. “You call into a support team that is knowledgable, they have knowledge of security trends, they understand your network.”
Lessons Learned
1. Understand the Change and Plan Accordingly. “We don’t love the fact that we go from a centrally managed system—something that was closed, something that was more controlled—to something that is open,” said Bonson-Bruce. “That’s why you need to look into the security components.”
2. Integrate Security into the Solution. Security can’t be an afterthought. It needs to be part of your deployment from day one.
3. Ensure that Your Solution Supports Additional Layers of Security. This means choosing a partner that understands security, will manage and monitor your SD-WAN solution 24/7, and has the right tools for your needs.
Brianna Boudreau
Senior Research Manager Brianna Boudreau joined TeleGeography in 2008. She specializes in pricing and market analysis for wholesale and enterprise network services with a regional focus on Asia and Oceania. While at TeleGeography, Brianna has helped develop and launch several new lines of research, including our Cloud and WAN Research Service.