SD-WAN Fit Points: Security December 06, 2019 Nick Coval Jeff Bradbury SD-WAN Networking Managed Security false Purchasing SD-WAN is not an off-the-shelf buy, you have to take your enterprise’s proper measurements, just as you would take a suit to the tailor, to ensure you’re getting the right fit SD-WAN for your business. In a series of blog posts, we will explore how to help you define the proper fit points you should be measuring as you explore your SD-WAN solution. We’ll begin with SD-WAN security, because security is central to any successful SD-WAN deployment. In fact, it’s why we refer to our solution as Managed Secure SD-WAN. When looking into what level of security your enterprise needs for protection, begin with the comparison of a stateful firewall or a next generation firewall. A stateful firewall tracks the operating state and characteristics of your network’s connections, limiting its effectiveness to previously known and defined connections to pass through. This limited protection may be adequate to protect, but there are still other threats that can pass through this level of security. WANsform Your Enterprise Before you can transform customer experience, you must WANsform your enterprise. Learn how Hughes Managed SD-WAN is enabling digital transformation and achieving real results. MPLS vs. SD-WAN Why SD-WAN? WiFi Analytics: Insight Every Step of the Way Digital Signage Solutions: Engagement Starts Here SD-WAN Appliance: 4860 is SD-WAN transformation in a box A stateful firewall can be adequate to protect and isolate communications between devices within a closed, private network, but once devices on that network can gain internet access, or public users begin accessing the network to employ loyalty or other in-store applications, filtering the access becomes critical to managing the potential attack surface and protecting against those threats that bypass stateful firewall protections. A next generation firewall (NGFW) combines the port and protocol inspection and blocking of stateful firewalls with increased application-level inspection and filtering, intrusion detection and prevention (IDS/IPS), and bringing intelligence from outside the firewall to update security measures like white/black lists, application signatures, and virus/malware definitions. The NGFW’s ability to filter packets based on applications gives you greater control and visibility on what applications can access and transit your network, and help prevent unwanted or dangerous applications from gaining access. That give you control over individual application performance. Most current SD-WAN solutions come with a stateful firewall, but very few come with proven integrated NGFW’s. We believe all of our customers need the protection afforded by a NGFW. With the advent of the Cloud and SaaS/XaaS services, very few businesses run 100% within a closed private network. Especially if you’re providing Guest Wi-Fi services, there is even more need for the added protection of web and content filtering from a solution. A Managed SD-WAN from Hughes will ensure your enterprise has the security solution and protection your business needs. NGFWs protect your employees and customers from the ‘big bad’ Internet and allow you to provide amenity services to consumers such as web browsing, email and social media without exposing users to the entire internet or dark web. The next step of ensuring you are ready for an SD-WAN transformation is knowing the security architecture needed. In the event a customer has legacy applications that require the filtering of east/west traffic within the branch, the deployment of an NGFW at the edge is essential, and the question of security architecture is answered. The reason for this is that to fully protect devices that are within PCI scope to communicate directly with those that are out of scope, there has to be strong edge security at the branch location to meet PCI standards. The location of security enforcement is critical because enforcing security policies can be resource intensive. Deploying IPS/IDS at the edge comes at the cost of computing resources and possible throughput constraints. But if the majority of the risky traffic you’re trying to protect is funneled through an aggregation point, like a data center or cloud POP for example, it makes more sense to deploy enforcement where resources are more readily available. A third security architecture to be considered is the Secure Web Gateway (SWG). The SWG is a distributed cloud-based series of checkpoints that all traffic flows through to keep unauthorized users and traffic from entering your network. This architecture, because it relies on user access instead of device access, allows for the adoption of Zero Trust security architecture for SD-WAN deployments if companies have already implemented this approach or want to transition to it. In most enterprise cases, the riskiest traffic is traffic going straight from specific store or branch locations to the internet. To effectively mitigate risks from traffic going direct to the Internet requires either advanced edge based policy management or a SWG approach managing policies at the internet cloud POP. The good news is that both approaches are available to you in a Managed SD-WAN solution from Hughes. Protecting your customers’ payment information is another crucial reason to assess your security concerns. Do you need a partner that can perform network scans, facilitate the PCI audit process and provide mandated employee training? Do you need threat management features to protect from advanced attacks that cause data breaches such as ransomware or phishing attacks targeted at your employees? Unless you have a highly trained security operations team, it is unlikely that you have the resources readily available in-house to internalize and react to all threat feeds and alerts that may arise. A Management, Detection, and Response (MDR) service from a trusted managed network service provider like Hughes can provide the specialized resources and tools to vastly improve your SD-WAN security. To learn more about other SD-WAN fit points, check out our next blog post on bandwidth and cost. About the Authors Nick Coval is a seasoned Enterprise Architect who builds complex enterprise-class network solutions for large organizations with distributed locations. He is a passionate technologist with a progressive vision for developing solutions with the customer and end-user objectives in mind. Follow Nick Coval on LinkedIn and Twitter @NickCoval. Jeff Bradbury works across markets to help distributed organizations identify trends that are driving digital transformation and adopt technologies critical to connecting their customers, employees, and locations. Follow Jeff Bradbury on LinkedIn and Twitter @TechXformation. Categories See All SD-WAN (48) Networking (17) Retail Technology (15) Managed Security (11) EMV (7) Conference (7) Digital Media (5) SASE (5) WiFi Analytics (4) Edge Computing (3) Managed Services (3) SCS (1) Popular Blogs 5 Steps to Prepare for the EMV Liability ShiftOct 7, 2020 Hughes Network Systems “Innovation Day” Highlights Edge Computing PossibilitiesAug 4, 2020 MNSP: Preparing for C-store Digital TransformationAug 11, 2020 Two Strategies to Address Top CIO ConcernsAug 25, 2020 Who Can You Trust? Enterprise Security and Zero-Trust ApproachesSep 3, 2020 Related Posts See All Why Not Test Drive a Managed SD-WAN Solution? September 10, 2020 Who Can You Trust? Enterprise Security and Zero-Trust Approaches September 03, 2020 Demystifying Secure SD-WAN Shahid Javed July 16, 2020 SD-WAN Fit Points: Service Levels and Partnerships Jeff Bradbury Nick Coval June 11, 2020 Mobile Apps: Not Just for Take-Out Mike Tippets, Vice President, Enterprise Marketing May 21, 2020 ENJOY THIS POST? This blog was featured in the September edition of our newsletter. Provide your email below to receive a monthly round-up of what’s happening in the world of connectivity! First Name Last Name Email Company Campaign ID CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.