The days of a branch office relying on a fixed MPLS connection to backhaul all internet traffic, data, and workflows back to the core network are over. To compete in today’s digital economy, branch offices need to be an integral part of the network rather than functioning as an add-on attached through some dangling WAN connection.
Instead, organizations need next-gen offices that can utilize cloud-based resources and global collaboration applications, such as VoIP and videoconferencing, which require highly scalable bandwidth. Traditionally, this was provided with MPLS, but because today’s networks, cloud-based resources, and data are constantly shifting and relocating, those rigid connections have become obsolete.
In fact, as the datacenter becomes increasingly virtualized and distributed, workers and resources become more mobile, and edge computing further redistributes resources, the strategy of having a core network that functions as a hub for multiple branch office spokes is collapsing. It is being replaced with a meshed network that blends together network edge environments: cloud platforms and applications, mobile users and smart devices, IoT, 5G and edge computing, and the new WAN edge.
For the SD-Branch to realize its potential, it not only needs real-time access to data and resources, wherever they are located; it also needs to run critical business applications that require reliable, high-performance bandwidth and that can be seamlessly interconnected with other offices and users, including mobile workers.
SD-WAN uses the public internet to securely interconnect branch offices with distributed resources while ensuring high performance for latency-sensitive and business-critical applications. However, SD-WAN is much more than a connectivity replacement. SD-WAN also needs to seamlessly interconnect with local branch functions. The SD-Branch combines software-defined networking and virtualization with local access to internet and cloud resources, as well as LAN/Wi-Fi functions for local devices, to enable digital transformation to the WAN edge.
An effective SD-WAN solution supports these capabilities through flexible and reliable connectivity, the extension of advanced routing functionality and load-balancing across the organization’s meshed VPN overlay, as well as providing a full suite of integrated security that can secure data and transactions end to end.
As the potential attack surface grows, every new device, application, and connection brings with it new opportunities for breach, data loss, and compromised information. This is why SD-WAN experts and industry analysts have emphasized that an optimal enterprise SD-WAN solution needs to not only support WAN performance requirements, but also address security priorities. However, a persistent SD-WAN challenge has been the inability of most solutions on the market to establish an effective and consistent security strategy that can dynamically span and adapt to the demands of digital transformation.
This leaves many organizations attempting to build an ad hoc security solution using the legacy security tools they already have in place. But the increased performance demands of today’s digital networks, compounded by the distributed nature of network resources, undermine the effectiveness of traditional cybersecurity tools. Security tools that struggle to keep up with today’s increasing speed and bandwidth requirements are unlikely to provide the protection digital networks require without becoming a serious bottleneck.
The challenge is that because SD-WAN has become such a hot market, a large number of vendors have jumped into the market. And as with other early markets, many of these solutions fail to provide a full solution. Organizations looking to adopt an SD-WAN solution as part of their digital transformation strategy need to consider four critical elements when evaluating a solution:
- Support for Business-Critical Applications: The most critical function provided by SD-WAN is the breadth of its connectivity solution. SD-WAN needs to dynamically recognize and support business applications, map business functions to WAN resources, then select the most efficient WAN connections for routing those applications, while simultaneously supplying adequate performance and bandwidth. This includes prioritizing applications based on business criticality, including the ability to set separate policies for sub-applications.
- Dynamically Adaptable Policies: Any SD-WAN solution under consideration also needs to be able to modify WAN policies based on things like application criticality and performance requirements—including security policies—that automatically adapt as network configurations and resources change. Automated multipath intelligence, therefore, is a critical service for any SD-WAN solution to provide—both for business applications and security. It enables the ability to track granular WAN path information (such as latency, jitter, and packet loss) to select the most efficient route for business-critical traffic. And if that WAN path should degrade below policy-based thresholds, it should then be able to automatically and seamlessly switch to the next best available link without impacting application performance.
- Fully Integrated Security: Because SD-WAN dynamically adjusts connections to ensure consistent performance, applying protection using traditionally static security tools, especially when deployed as an overlay solution, is problematic. SD-WAN not only requires traditional threat protection—including NGFW, anti-virus/anti-malware, and intrusion prevention (IPS). It also requires high-performance SSL and IPSec VPN overlay controls, deep inspection of encrypted traffic at network speeds, web filtering, and advanced threat protection (ATP) such as sandboxing. In addition, these security tools need to be able to be seamlessly and fully integrated into the rest of the distributed network, from edge to cloud.
- Centralized Management: One of the most often overlooked requirements of SD-WAN is that it cannot be separated from the rest of the network. To realize the potential of real digital transformation, the new network edges need to function as a single, integrated system. And that includes establishing a centralized visibility and control strategy that spans the distributed network.
Organizations can no longer afford for their networks to function as a collection of isolated segments, which means that all networking and security functions need to exist on the same single-pane-of-glass management solution. Selecting an SD-WAN solution that supports centralized management, configuration, and monitoring tools for both WAN and security increases management efficiency and effectiveness while significantly reducing the cost of deployment and management. That management strategy then needs to extend to the rest of the distributed network.
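The multipath behaviour described under Dynamically Adaptable Policies (per-application SLA thresholds on latency, jitter and loss, failover to the next best link when a path degrades, and no needless flapping back) can be sketched as a small path-selection routine. This is an added illustration, not Fortinet code; the link measurements, SLA numbers and scoring weights are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PathMetrics:
    name: str            # WAN link, e.g. "mpls" or "broadband"
    latency_ms: float
    jitter_ms: float
    loss_pct: float

@dataclass(frozen=True)
class AppSla:
    app: str             # business application or sub-application
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def meets_sla(m: PathMetrics, sla: AppSla) -> bool:
    """A path is usable for an application only if every metric is within policy."""
    return (m.latency_ms <= sla.max_latency_ms
            and m.jitter_ms <= sla.max_jitter_ms
            and m.loss_pct <= sla.max_loss_pct)

def select_path(sla: AppSla, links: list, preferred: str = None) -> str:
    """Pick the link for this application. Keep the current link while it still
    meets the SLA (avoids flapping); otherwise fail over to the best in-SLA link.
    If no link meets the SLA, use the least-bad one so traffic keeps flowing."""
    by_name = {m.name: m for m in links}
    if preferred in by_name and meets_sla(by_name[preferred], sla):
        return preferred
    def score(m):  # constructed weighting: jitter and loss hurt real-time apps most
        return m.latency_ms + 2 * m.jitter_ms + 50 * m.loss_pct
    candidates = [m for m in links if meets_sla(m, sla)] or list(links)
    return min(candidates, key=score).name

def failover_timeline(sla: AppSla, snapshots: list) -> list:
    """Replay per-interval measurements, carrying the previous choice forward."""
    chosen, current = [], None
    for snap in snapshots:
        current = select_path(sla, snap, preferred=current)
        chosen.append(current)
    return chosen

# Constructed sample data: a VoIP SLA and three measurement intervals in which
# the broadband link's jitter spikes and then recovers.
VOIP_SLA = AppSla("voip", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
HEALTHY = [PathMetrics("mpls", 40, 3, 0.1), PathMetrics("broadband", 25, 4, 0.2)]
DEGRADED = [PathMetrics("mpls", 40, 3, 0.1), PathMetrics("broadband", 25, 60, 0.2)]
TIMELINE = [HEALTHY, DEGRADED, HEALTHY]
```

Replaying `TIMELINE` yields broadband, then a failover to MPLS when broadband breaches the jitter threshold, then MPLS again once broadband recovers, since the current link still meets policy and switching back would only add churn.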
Key Takeaways
The digital transformation of business needs to occur without a disproportionate expansion of the global cybersecurity attack surface. This can only happen if we see our network and security systems as a single, holistic solution. SD-WAN solutions for the expanding WAN edge, like solutions being applied at any of the other emerging network edge environments, need to not only provide broad flexibility and high performance functionality and services, but also operate as part of a collective whole. And as organizations work toward deploying a comprehensive digital transformation, correlating network and security intelligence must be a top priority, because cybercriminals are just as motivated to take advantage of these network environments as the organizations that are building them.
For more details on the comprehensive Fortinet Secure SD-WAN solution, download a copy of our new e-book, “Upgrade Branch Infrastructures with Fortinet Secure SD-WAN” available here.
Find out more about Fortinet's Secure SD-WAN Solutions and our new SD-WAN ASIC chip.
Read more about the Fortinet Security Fabric and how Fortinet is delivering solutions for the Third Generation of Network Security.