The four tiers of network and security convergence

By moving towards a simpler infrastructure with fewer point solutions, we reduce the costs and complexity plaguing our current IT environments.

The IT infrastructure landscape is in the middle of a massive change. The proliferation of point security and networking appliances continues to drive up IT cost structures. Cloud adoption and the shift to a mobile workforce have made connectivity between entities other than physical offices ever more critical. Buying more point solutions, or continuing to run networks separately, only adds more complexity and cost.

Instead, we’re starting to see the convergence of IT. By moving towards a simpler infrastructure with fewer point solutions, we reduce the costs and complexity plaguing our current IT environments. This trend is playing out across four IT tiers: networks, appliances, services, and management.

Network convergence 

Many companies currently connect office users with MPLS services or internet VPNs, and mobile users through VPNs over WiFi and 4G/LTE networks. Cloud resources have required extending these networks further, to cloud infrastructure providers (Amazon AWS and Microsoft Azure) and cloud access security brokers (CASBs). This makes for an extremely complex environment. Network convergence collapses all of these networks into one reliable, cost-effective resource for all users and endpoints.

Software-defined wide area networks (SD-WANs) are a first step towards network convergence. They consolidate our provisioning, configuration and application control around the ways we normally connect our offices, internet access and MPLS services. 

But SD-WANs don’t go far enough. Converging MPLS and internet using edge nodes still requires costly MPLS links to run latency-sensitive apps. SD-WANs also become far more complicated to deploy when connecting into the cloud, if it’s possible at all: customers need to determine the location of data repositories, map subnets for configuration purposes, and negotiate cloud access. And no SD-WAN incorporates mobile users, forcing companies to maintain separate infrastructure for users to “VPN” into the corporate network.

Comprehensive network convergence would consolidate all enterprise networks, including mobility and cloud, into one cost-effective and efficient network. It would be global, connecting all users and resources, regardless of their physical or virtual location. 

Appliance convergence 

Appliance convergence consolidates the stacks of security appliances currently protecting the network - including next generation firewalls (NGFW), secure web gateways (SWGs) and more - into a single instance. 

For years, we’ve tried to reduce our branch office footprint with “servers in a box.” The so-called branch office in a box (BoB) typified this trend. Similarly, network functions virtualisation (NFV) has provided a standard for decoupling software functions from hardware devices, allowing them to run as standalone virtual machines or collections of them, called virtualised network functions (VNFs). Combining virtual appliances or VNFs into one hardware appliance reduces capital costs and simplifies deployment. Power, space and cooling requirements decrease, making installation and physical management that much simpler.

Yet, while virtual appliances and NFV eliminate excess hardware, they continue to perpetuate the hard boundaries between networking and security functions. The appliances run as discrete instances maintaining their own code base, policies and management platforms. Scalability and redundancy still need to be planned for each virtual appliance whether the appliance runs on the customer premises or in the service provider cloud. 

Attempts to integrate functions on the customer premises also force tough tradeoffs. Unified threat management (UTM) appliances aim to simplify security for small to medium enterprises (SMEs), for example, by combining security services such as firewall, intrusion prevention system (IPS) and anti-malware into a single appliance. But UTMs exacerbate scalability and manageability challenges due to their restricted capacity and limited security capabilities. 

A comprehensive appliance convergence would eliminate as many appliances as possible in a way that eliminates not only “the boxes” but also the costs and fragmented management associated with them. 

Services convergence 

Services convergence is fundamentally different from simply hosting physical appliances in the cloud. With appliance hosting, the problems of physical appliances persist; they merely shift to the service provider. In the end, customers still suffer.

Coverage, uptime and capacity become major problems because services are tied to the appliance. Customers may be able to log in in some regions but not others. Service availability will also be regionally dependent. Entering a new market, for example, depends on deploying new appliances in that region.

The same issues of appliance capacity and redundancy that plagued enterprises are simply transferred to service providers. Organisations pay for those problems through higher fees and lower uptime.

True services convergence is driving a disruptive transformation that breaks away from the crippling limitations of appliance-based point solutions. The service is delivered as distributed software, not a set of resource-bound appliances. Scaling and redundancy are built into the service architecture by design: distributed instances can fail over seamlessly while keeping the customer’s network context intact. Expanding geographic coverage is simply a matter of spinning up a new software instance in the region, which immediately becomes part of the global service footprint. There are no appliances to ship and install; software interdependencies are eliminated. Patching, upgrades, scaling and managing the service resources are the service provider’s responsibility. The shared service, as part of a global cloud, is ubiquitous.

Cloud-based secure web gateways are a good example of software-based cloud architecture. They break the appliance form factor to deliver a ubiquitous network security service. This technology, though, only covers part of the security stack and fails to address the first tier, network convergence.

A comprehensive services convergence would collapse multiple networking and security physical appliances, virtual appliances, or cloud services into a single cloud-based service.

Management convergence

Management convergence is all about streamlining the final layer of complexity. By unifying all network and security functions into a single cloud service, fragmented multi-product management can be reduced to a single policy. 

Most existing converged management solutions simply put “lipstick on a pig” without addressing the root cause of complexity - the explosion of point solutions. SIEMs consolidate raw data from numerous point solutions, looking for a needle in the haystack. Other cross-platform management and orchestration solutions try to abstract policies for all products.

They all add one more product to the mix, and they may not be effective, since they rely on third parties to expose the right data at the right time. Customers are still forced to maintain knowledge and control of the underlying point products.

Ultimately, the effectiveness of management convergence is highly dependent on the convergence of the three other tiers. 

The way forward: Fully converged network and security 

In a world of converged network and security infrastructure we achieve much more than simplification and cost reduction. By combining policy, traffic visibility, security events and forensics, we’re able to better protect and enable our business. Security teams can more effectively spot the seeds of attacks by detecting malicious traffic patterns. Networking teams can deploy network resources quickly and easily knowing they are inherently secure, everywhere. 

We will always have security and networking specialists, but with a fully converged, inherently secure IT architecture, we’ll be able to create a far more agile and efficient IT. 

Gur Shatz, co-founder and CTO, Cato Networks