
Extended Edge security with SD-WAN: the lowdown

Zabrina Doerck
Nov. 23 2020

In recent weeks, I’ve been on something of a blogger’s hobby horse with talk of SD-WAN and its innate security credentials. Please bear with me because I haven’t quite finished.

In the first part of a rolling four-part series, we established what secure SD-WAN actually is, before expanding on the theme, diving into topics such as the cloud.

We went into quite some detail with those two blog posts, producing this handy eBook off the back of them. So, can there really be much left to say?

Well, yes. A lot more. But if you’re responsible for delivering security for your systems and workforce, particularly one that might now comprise a growing proportion of remote workers, the discussion that follows here will be very welcome.

In this blog post and a follow-up piece we’ll publish next month, we’ll continue our exploration. Focusing this week on security of the Extended Edge, a concept we introduced in our first blog post in this series, we’ll cover:

  • An overview of WSGs and FWaaS
  • A note on cloud security vendors
  • WSGs in more depth

A quick recap

In our introductory blog post, we talked about the intrinsic properties of SD-WAN. From a security perspective, they hinge on your orchestration policies. Let’s remind ourselves of the basics.

By orchestrating policy-driven dynamic traffic steering, together with application traffic visibility and prioritization, you build security right into your WAN management console and your network traffic control practices and processes.

SD-WAN capabilities are what make security ‘intrinsic’ to SD-WAN. It works like this:

  • You take your security policies;
  • You translate them into rules governing network traffic and application usage;
  • You program them into your orchestrator;
  • Your orchestrator automatically pushes out the policies and governs traffic based on those rules; and
  • It does it dynamically, meaning that it’s constantly responding in real-time to changing network conditions.

We went on to discuss a variety of security capabilities beyond orchestration, specifically:

  • Zone-based firewalls (ZBF);
  • Web security gateways (WSG);
  • Next-generation firewalls;
  • Firewalls as a service (FWaaS); and
  • Cloud service-chaining.

An introduction to WSGs and FWaaS: cloud security for the remote worker, Extended Edge and more

There are virtues to all these approaches, but as we concluded last time, WSG and FWaaS are where it’s going to be at, and this basically boils down to the superiority of cloud delivery.

With that in mind, let’s take a deep dive into WSG and FWaaS, and building security – particularly Extended Edge security – with a network-first mindset.

We’ve established that WSG and FWaaS are our preferred security solution, particularly when it comes to remote worker security, but why is this? The overarching reason is, as we’ve stated a few times now, because they’re cloud-delivered. Let’s look at why cloud-delivered everything is better in our opinion, both for delivering digital services generally and ensuring that they’re secure. The cloud offers these clear benefits:

  • It’s always up-to-date;
  • It enables zero-touch provisioning (easier, faster, more efficient);
  • It turns CapEx into OpEx, hooray!
  • It provides a guaranteed service-level agreement (SLA);
  • It’s both agile and scalable;
  • Applications that are designed in the cloud and for the cloud are optimized to protect cloud resources best; and
  • It lets you capitalize on the deep expertise of cloud security specialists.

A note on working with expert cloud security vendors

As an aside, it’s worth expanding on that last point.

There are lots of SD-WAN vendors out there, and anyone in the biz can tell you that it’s a major challenge to agree on a standard feature-set that should define SD-WAN. Sure, there have been attempts by various analyst firms as well as the vendors themselves, but ask any 10 of them and you’re likely to get 10 different responses. Why is this?

Well, some vendors started out doing something else and retrofitted their services to be able to cash in on the hype, back when SD-WAN as a concept began to gather significant traction.

Some did start out as SD-WAN vendors but started rolling out other network services to differentiate themselves from the competition.

Some started as specialists in specific services that form the basis of SD-WAN, and evolved their offerings to address changing market conditions. (Hint: as the world leaders and pioneers in Application Intelligence, this is where we fall on the spectrum. You could say we were doing SD-WAN before it was even a glint in Gartner’s eye.)

And of course, there are many shades in between.

At the risk of being too salesy, at Infovista our solution is designed and supported by SD-WAN specialists. It’s what we do. We specialize in networks, focusing on:

  • Granular application visibility, monitoring and control to guarantee application performance, and, ipso facto, business performance;
  • Building networks in a cost-flexible, agile way with consumption-based licensing;
  • Supporting and delivering cloud and multi-cloud versatility; and
  • All the 5G stuff that’s emerging on to the market – that’s a story for another day but in the meantime, you can read our recent blog post entitled SD-WAN and 5G: The use case for Mobile QoE.

We’re also specialists in building a pathway to a network that can evolve with your business (unlike other providers, we offer transparent hybrid WAN, which brings the immediate benefit of SD-WAN without companies having to re-engineer their networks, meaning it’s nondisruptive and can be installed at the customer’s own pace).

Furthermore, while we have built robust security capabilities into our SD-WAN with the zone-based firewall – i.e. one that centralizes and automates security and is application-aware – we also recognize that there are businesses who dedicate their existence to network security and employ some of the world’s foremost security experts.

To let us specialize and excel in what we do best, why not join forces with cloud security experts? Doing so not only lets you get the best-of-breed when it comes to security, it lets us gain economies of scale and pass on the savings and innovations to our customers and our service provider partners.

That was quite an aside!

Time to look at how it actually works, as we focus in this installment on WSGs.

Ensuring security for remote workers

A deep dive into web security gateways, essential for Extended Edge security

As we explained before, a WSG is a network security suite delivered by a security vendor that sits between your users and the internet. A WSG inspects web traffic and compares it to your policies, monitoring for malicious or suspicious behavior.

Focusing on web traffic, some of the features that WSGs provide include:

  • Anti-DDoS (DDoS = distributed denial of service; DDoS protection is a huge benefit of a WSG as it’s not available in per-site deployments, but more on this in our next blog);
  • Application-level control;
  • Antivirus software;
  • Data leakage prevention;
  • Data loss prevention (DLP);
  • Identity awareness;
  • Intrusion prevention systems (IPS);
  • Outbound firewalling;
  • Physical firewalls;
  • Virtual firewalls for public and private cloud (by the way, cloud security depends heavily on how you implement it; in our case, we focus specifically on site security);
  • Virtual private networks (VPN);
  • Virus and malware code detection;
  • Unified security management (aka unified threat management); and
  • URL filtering.

Yep, that’s a crazily long list, and I get tired just thinking about writing about it, but THERE’S NO SLEEPING IN CYBER SECURITY!

But seriously, there are hackers who spend every waking second (and more waking seconds than you because they’re all amped up on Red Bull and candy) looking for ways to compromise the security of your systems, which are particularly vulnerable in today’s era of remote home workers.

And by the way, did you know that cyber-crime is classified by experts in GENERATIONS?!

To be fair, if we’re talking about a fifth-generation cyber-criminal, we’re probably not talking about a teenager in a hoodie drinking energy drinks, as I joked in the previous paragraph. Those kids were typical of Cyber-Crime Gen 1 through 3. When it comes to Gen 5-6, cyber-crime has now evolved into basically an organized crime syndicate, with a whole supply chain and everything. The situation is so complex that cyber criminals even have vertical specialties and can be segmented.

Nevertheless, don’t get depressed. While cyber-crime is a major threat with grave implications, innovations in cyber security are evolving just as quickly. In our next and last installment, we’ll discuss key countermeasures including items in the above list and other elements of Extended Edge security.

Until then, take a look at our introductory eBook.
