Modernising network security with SD-WAN and secure web gateways

As organisations have become more mobile and geographically dispersed, the traditional centralised Wide Area Networking (WAN) model that once served them so well has started to break down. The remote user - once the exception - has increasingly become the norm, with many working from smaller branch offices across several time zones, from home, or while on the move. And, given the recent pandemic of COVID-19, many organisations large and small have been forced to close offices and make working from home the new norm, and so remote working has taken on a whole new meaning.

Amplifying this business decentralisation has been the move to software as a service (SaaS) offerings such as Office 365 and the migration of applications to cloud service platforms including Amazon AWS and Microsoft Azure. These SaaS offerings turn software, storage and computing resources into a service which exists on servers beyond the traditional network perimeter.

This has created challenges for teams tasked with optimising, managing and protecting the infrastructure. Legacy networks, which were designed for a centralised world, are not sufficient to handle the amount of traffic that cloud-based applications create. And although traditional firewalls protect against traffic flowing into the data centre or other physical locations, they cannot provide visibility or security for remote users that connect directly to the Internet or cloud-based resources.

Another limitation of firewalls is that although many claim to have deep packet inspection functionality, utilising this feature negatively affects the performance of the device so greatly that many choose to leave it disabled. The result is a substantial security blind spot, especially when taking into account that the majority of web traffic is now encrypted.

Secure Web Gateways (SWGs) have emerged to address these issues and accelerate digital transformation as companies move workloads and applications to the cloud. Essentially, these allow a mobile and remote workforce to access the Internet directly without having to route traffic via data centres, giving security teams the ability to perform basic tasks such as URL filtering and to protect their users against web-based threats. They can also perform additional important security tasks, such as HTTPS (encrypted) traffic inspection, and in some cases, data loss prevention (DLP), cloud access security broker (CASB) functions, or even implement protections against zero-day attacks using sandboxing technology.

Because the nature of the technology invites comparisons with traditional anti-virus software on endpoints, as well as security devices such as stateful or next generation firewalls (NGFW) and intrusion prevention systems (IPS), buyers can become confused about whether secure web gateways are intended to be complementary or act as a replacement. To address these questions, we first need to examine the pressures that have helped shape their evolution and put their emergence and use cases into context.

WAN 2.0

Traditionally, WANs have been used to connect branch offices and remote users back to their central datacentres using dedicated MPLS circuits. The emergence of cloud-based applications has put this design under pressure because it requires remote traffic to connect to datacentres before being routed out to the cloud and back.

In this new world, the centralised hub-and-spoke network quickly becomes a choke point that impacts latency and user experience. Even conventional solutions to this such as WAN optimisation can become ineffective. On top of this has come a growing security sprawl, encompassing traditional firewalls, specialised security appliances distributed in locations across the WAN, as well as an explosion of remote PCs, mobile devices and Internet of Things (IoT) infrastructure that are constantly being probed by attackers at the network edge.

The effect of decentralisation on all-important cloud access is an issue that can quickly become untenable: latency increases, and performance erodes even more for users and offices geographically remote from the datacentre. Because today’s organisations have become reliant on cloud-based applications, the risk of being locked out of the very thing on which their business depends is increased. Many organisations are attempting to address this performance issue and add resiliency to their network by connecting their branch offices and remote users directly to the internet utilising multiple network circuits and SD-WAN, bypassing the data centre altogether when accessing cloud-based applications.

The rise of SD-WAN

A modern approach called Software Defined Wide Area Network (SD-WAN) utilises an architecture which turns different types of WAN connectivity into a single virtual entity to offer a wide range of benefits. With SD-WAN, organisations can augment their MPLS lines with less expensive commodity internet such as broadband, fibre, and LTE, allowing the organisation to quickly add additional bandwidth at a lower cost than if they were to implement additional dedicated circuits. Having multiple network links that are supported by different technologies is also an investment in network resiliency and business continuity. If inclement weather or a construction crew were to sever one of the network links, SD-WAN can route traffic virtually seamlessly to the viable circuits until service is restored.

SD-WAN’s quality of service (QoS) feature allows businesses to prioritise network bandwidth according to what is most important to their operations. For example, video conferencing or VoIP calls that are often used to communicate with customers may be deemed mission-critical and will get routed to the highest performance links, whereas video streaming or social media traffic may be assigned to a lower bandwidth circuit. What’s more, SD-WAN makes it easier to partition and manage networks centrally, with views of all network circuits across locations through a single pane of glass.

But deploying SD-WAN in order to connect branch and remote users directly to the internet does have some repercussions; most notably for security. In the legacy hub-and-spoke architecture, there was one way in and one way out of the network. But with the new model, there are now many network breakouts; sometimes even hundreds or thousands across a wide geographical area. Each of these connections to the internet represents an avenue for attack, and therefore, must be secured.

Security consolidation

Cloud-based SWGs offer administrators a way of applying unified security policies across all of their users, virtually anywhere that they conduct business, and they provide centralised visibility so administrators can remain informed about what activities are taking place on their network. Together with SD-WAN, this overcomes the traditional woe that users suffer lower performance and weaker security simply because they are farther from the network’s core. SWGs protect users against web-based threats by restricting what content can be accessed. They also offer a solution for organisations to perform deep packet inspection of encrypted web traffic with minimal effect on network performance. A cloud-based architecture also scales more easily because capacity can be added without the need to buy expensive security equipment as businesses expand, whether that be adding new offices, integrating company acquisitions, or conducting mergers.

In time, many organisations find that SWGs can replace elements of their current security infrastructure such as SSL/TLS inspection appliances, intrusion prevention systems (IPS), and firewalls for some branch office locations. In some instances, SWGs may have overlapping capabilities with other technologies, but should be understood as complementary rather than as a direct replacement. For example, although SWGs can perform web filtering, deep-packet inspection, and protect against web-based malware, they are not intended to replace endpoint security. They should also not be confused with web application firewalls (WAFs), which are designed specifically to protect web servers from external attacks, such as Distributed-Denial-of-Service (DDoS) floods.

Conclusion

In today’s digital business environment, businesses have become more decentralised and mobile to fulfil business objectives and remain competitive. This has given rise to a new type of virtualised WAN in which the data centre is a resource but no longer the centre of the network. Although many networks still retain elements of this legacy architecture, the future belongs to flatter, more dynamic and adaptable topologies that prioritise employee productivity over technological hierarchy. SWGs and SD-WAN are complementary elements that can help organisations modernise their network and security so they can scale to support the new initiatives.

Mary Blackowiak, lead product marketing manager, AT&T Cybersecurity