As enterprises migrate to hybrid WANs, they also need to rethink security and monitoring.
A panel of experts offered their advice on these issues at April’s WAN Summit New York in a session titled WAN Monitoring and Security: Utilizing WAN Acceleration/Optimization, Cloud Security and Performance Data in the New Hybrid WAN.
Derek Granath, vice president of product marketing for software defined wide area network (SD-WAN) vendor Silver Peak, succinctly summed up hybrid WAN security challenges. Traditionally, WAN security issues were addressed by backhauling internet-bound traffic to headquarters, where powerful firewall and intrusion detection and prevention (IDS/IPS) traffic screening could be applied. That approach, however, wasted bandwidth and added latency, two issues addressed by the hybrid WAN approach, which sends some traffic directly from individual enterprise sites to the internet.
So how should enterprises adapt their security approach in these environments?
Silver Peak’s suggestion is to classify traffic into several different types, including trusted web traffic like that destined for the Salesforce or Office 365 clouds; “work-at-home” traffic such as YouTube or Netflix content; and suspicious traffic such as BitTorrent or traffic from countries in which an enterprise does not do business.
Trusted web traffic may be sent directly to the internet for best performance, while work-at-home traffic may be sent to a secure web gateway such as Zscaler. Suspicious traffic would be sent to the corporate firewall, Granath explained.
Regardless of traffic type, enterprises need to establish automated and granular security policies that are enforced at each branch site.
Dan Greer, systems engineer manager for ExtraHop Networks, a provider of hybrid WAN visibility solutions, took a bit of a different approach. “Policies are great, but you need to know if they’re working.”
Greer noted, for example, that a common security practice is to control where people go on the internet by using a proxy and the domain name system (DNS) for control. A potential problem with that approach, however, is that a “power user” may use his own DNS server, sidestepping that control. By using a visibility solution, “it’s very easy to find that stuff,” Greer said.
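The two ideas above, Silver Peak’s three-way traffic classification with a distinct egress path per category and Greer’s point that a policy must be checked against what hosts actually do, can be illustrated with a small flow-record policy engine. The following is an added example written for this article; it is not Silver Peak’s, ExtraHop’s or any vendor’s code. The category lists, the sanctioned resolver address, the egress path names and the sample flow records are all constructed for the example.

```python
"""Branch traffic steering plus a DNS-bypass check over flow records (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Policy tables. Every value below is constructed for this example; none of it
# comes from a real vendor configuration.
TRUSTED_SAAS = {"salesforce.com", "office.com", "office365.com"}
WORK_AT_HOME = {"youtube.com", "netflix.com"}
BLOCKED_COUNTRIES = {"ZZ"}            # placeholder ISO code for a country the enterprise avoids
SANCTIONED_RESOLVERS = {"10.0.0.53"}  # the corporate DNS/proxy resolver (constructed address)
DNS_PORTS = {53, 853}                 # plain DNS and DNS-over-TLS

PATH_DIRECT = "direct-internet"
PATH_SWG = "secure-web-gateway"
PATH_FIREWALL = "hq-firewall"


@dataclass(frozen=True)
class Flow:
    """One flow record as a branch appliance or flow collector might export it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    host: str           # TLS SNI or HTTP Host header, "" if not observed
    dst_country: str    # ISO country code from a GeoIP lookup
    app: str            # DPI application label, "" if unknown


def host_in(host: str, zones: set) -> bool:
    """True if host equals, or is a subdomain of, any zone in the set."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (traffic_category, egress_path) for one flow.

    Suspicious checks run first so that a peer-to-peer flow carrying a
    trusted-looking hostname can never be short-circuited to the direct path.
    """
    if flow.app == "bittorrent" or flow.dst_country in BLOCKED_COUNTRIES:
        return "suspicious", PATH_FIREWALL
    if host_in(flow.host, TRUSTED_SAAS):
        return "trusted", PATH_DIRECT
    if host_in(flow.host, WORK_AT_HOME):
        return "work-at-home", PATH_SWG
    # Unclassified traffic still goes through the gateway rather than straight out.
    return "unclassified", PATH_SWG


def dns_bypass(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each source host to the non-sanctioned resolvers it sent DNS to.

    This is the "is the policy working?" check: a host resolving names
    somewhere other than the corporate resolver is sidestepping proxy/DNS control.
    """
    findings: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.dst_port in DNS_PORTS and f.dst_ip not in SANCTIONED_RESOLVERS:
            findings[f.src_ip].add(f.dst_ip)
    return {src: sorted(dsts) for src, dsts in findings.items()}


# Constructed sample flows from a single branch site.
SAMPLE_FLOWS = [
    Flow("10.1.2.5", "13.110.1.1", 443, "tcp", "login.salesforce.com", "US", "https"),
    Flow("10.1.2.6", "142.250.1.1", 443, "tcp", "www.youtube.com", "US", "https"),
    Flow("10.1.2.7", "203.0.113.9", 6881, "tcp", "", "DE", "bittorrent"),
    Flow("10.1.2.8", "198.51.100.4", 443, "tcp", "cdn.example", "ZZ", "https"),
    Flow("10.1.2.5", "10.0.0.53", 53, "udp", "", "US", "dns"),
    Flow("10.1.2.7", "8.8.8.8", 53, "udp", "", "US", "dns"),
    Flow("10.1.2.7", "1.1.1.1", 853, "tcp", "", "US", "dns"),
]


def report(flows: List[Flow]) -> Dict[str, int]:
    """Print the steering decision per flow and the bypass alerts; return path counts."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        category, path = classify(f)
        counts[path] += 1
        print(f"{f.src_ip:<10} -> {f.dst_ip:<14} {category:<13} via {path}")
    for src, resolvers in dns_bypass(flows).items():
        print(f"ALERT {src} used non-sanctioned DNS resolvers: {', '.join(resolvers)}")
    return dict(counts)


if __name__ == "__main__":
    report(SAMPLE_FLOWS)
```

Run as a script, the report steers the Salesforce flow direct, YouTube to the gateway, the BitTorrent and blocked-country flows to the headquarters firewall, and flags 10.1.2.7 for talking to two resolvers other than the corporate one. The suffix matching in `host_in` is deliberate: a plain `endswith("salesforce.com")` would also accept a lookalike such as `evilsalesforce.com` into the trusted, direct-to-internet category.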
Andy Weiss, vice president of sales for Open Systems of Switzerland, a managed service provider with a focus on SD-WAN security, advised a holistic approach to hybrid WAN security that encompasses availability and visibility. Enterprises need end-to-end visibility and the ability to encrypt on any layer and prioritize applications, as well as the ability to “enforce security defined centrally to every branch,” he said.
One of the key reasons some enterprises move to a hybrid WAN is to improve network performance. But those responsible for the hybrid WAN should also recognize that, depending on how the network is constructed, it also has the potential to negatively impact performance, particularly when the cloud is involved.
When it comes to the cloud, “tromboning is really key,” said Jim Sabey, head of BT Connect and compute sales specialist for British Telecom. Latency increases when traffic goes to the cloud and back to its point of origination, which can be a problem for certain applications. Enterprises should test how applications will perform before doing a “lift and shift” to the cloud, Sabey advised.
Another concern about the cloud is that it can become a “blind spot,” said Greer. Cloud providers generally aren’t providing performance monitoring tools, he said. However, he added that enterprises can use an instance of ExtraHop’s visibility solution in a specific cloud like the Amazon cloud. The offering sends data to another instance within the cloud and as Greer explained, “the data is moving sideways so there is no billing effect.”
The rise of the hybrid WAN has decreased but not eliminated the need for WAN optimization, WAN Summit New York panelists agreed.
“We’re seeing a re-definition of what’s considered WAN optimization,” observed Geoff Bloss, chief information officer for technology solutions provider BCM One.
In an SD-WAN environment, “the need for WAN optimization at the branch is diminished,” noted Granath. He added, “there are still some chatty applications out there” that are impacted significantly by latency and can still benefit from traditional WAN optimization even when an organization has implemented SD-WAN.
He noted that some providers now sell WAN optimization “by the drip.” Users “can put it where and when it’s needed” and pay for it on that basis, he explained.
When it comes to optimizing WAN performance, “local caching is key,” especially for international traffic, noted Sabey.
Here, too, it’s important to know what type of traffic is going over the WAN, Greer observed.
Sabey agreed. “Every day we talk to customers who say ‘We turned that application off three years ago,’” he said.
A few key lessons from the hybrid WAN security and performance monitoring panel stand out:
1. Having a consistent security policy that is automatically applied to individual branches is critical in a hybrid environment in which some traffic that traditionally would have been routed through a headquarters location goes directly to the internet. Enterprises should consider an approach that routes trusted traffic directly from the branch to the internet, while “work-at-home” traffic is sent to a web gateway and suspicious traffic is routed to the corporate firewall.
2. Implementation of the hybrid WAN often goes hand-in-hand with the adoption of cloud services, but before implementing a cloud/hybrid WAN solution, enterprises should confirm that added latency will not impact application performance. When an application moves to the cloud, enterprises run the risk that performance within the cloud becomes a blind spot, but this can be avoided by using performance monitoring offerings designed to address that issue.
3. Using a hybrid WAN approach reduces, but may not eliminate, the need for WAN optimization, particularly for “chatty” applications or for international traffic. Enterprises may be able to minimize costs by using a provider that sells WAN optimization on an as-needed, where-needed basis.
Senior Analyst Brianna Boudreau joined TeleGeography in 2008. She specializes in pricing and market analysis for wholesale and enterprise network services with a regional focus on Asia and Oceania. While at TeleGeography, Brianna has helped develop and launch several new lines of research, including our Cloud and WAN Infrastructure service and the SD-WAN Research Service.