Today’s business is distributed, and you’re responsible for bringing up new branches quickly. That’s why you adopt digital innovation that requires high-speed, reliable bandwidth for voice, video, and Internet applications, so people can interact with your business anytime, anywhere. But you’re also responsible for securing an attack surface that expands with every new site.
Adding these new technologies to an MPLS infrastructure, especially while adding more branches, creates a new set of problems.
This increased traffic over an MPLS WAN creates bottlenecks. Take a SaaS application like Office 365: Microsoft built it to be reached directly over the Internet, not backhauled across a private circuit to a data center and then out to the user.
Add the traffic from more devices, such as Internet-of-Things (IoT) and personal devices, to those application bottlenecks, combine it with no way to distinguish traffic priority, and critical business data gets stuck in a queue behind non-critical data. The joke is that someone in the break room watching a cat video on YouTube is probably keeping the executive from downloading a report.
Most companies have invested heavily in a single security stack in their data center or headquarters, which is why they backhaul everything to a central location.
What you can do now is go direct to the Internet from each location over cheaper bandwidth without compromising security.
This is why we’re seeing so many network engineering and operations leaders looking to replace their WAN infrastructures with some form of software-defined wide-area networking (SD-WAN).
The good news is that you can create a secure SD-WAN using the infrastructure (routers, switches, and firewalls) you already need within your WAN.
What is SD-WAN and how does it solve my problems?
SD-WAN offers the ability to use available WAN services more effectively and economically—giving users across distributed organizations the freedom to better engage customers, optimize business processes, and innovate.
What does that look like?
A lot of you are not going to dump all the MPLS circuits, because they’re reliable and there are certain things you need to control.
One of the biggest benefits of SD-WAN is automated path diversity. You decide, and then automate, which data takes priority and goes over specific circuits and which goes direct to the Internet, removing the bottlenecks that cause slow connectivity.
You get additional performance from having multiple circuits, and segmentation that lets you restrict certain people or certain devices to certain circuits.
For example, you may want to offload Internet traffic from an expensive circuit onto a different one, and also use that second circuit as the failover path if the primary fails. Because this is automated rather than done by hand, the transitions are fairly seamless.
With a traditional WAN circuit, if something goes down and you don’t have failover (or even if you do), it’s a manual process: one person knows how to reach a router remotely over a different circuit and change the route, or you use routing protocols to switch everything over. You don’t have to do that anymore. You can designate certain applications and individual users to use one path and other applications to use the other. For example, we want to make sure executives always have the fastest bandwidth regardless of which office or branch they are in.
Because you can choose which data goes through your data center over the MPLS network and which goes over the Internet, you can take full advantage of cloud on-ramping for Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) applications that drive revenue and efficiency.
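To make the steering and failover behavior above concrete, here is a small path-selection engine written for this article as an added example. It is not code from the original page or from Fortinet, and it does not reproduce any vendor’s configuration syntax. The link names (mpls, broadband), the SLA thresholds, the 10.10.50.0/24 "executive" subnet, and the application names are all constructed for illustration. It shows the three decisions a real SD-WAN controller makes per flow: match the flow to a rule by application and source, pick the first preferred circuit that meets the rule’s SLA (or the best-measuring one), and fail over automatically when the preferred circuit degrades or dies.

```python
"""Toy SD-WAN path-selection engine (added example; not code from the
original article or from Fortinet).

Per-application and per-source rules pick a WAN member from measured link
health, and traffic fails over automatically when the preferred member
misses its SLA.  All link names, thresholds, subnets and application names
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Member:
    """One WAN circuit with its latest probe results (e.g. ping to a public resolver)."""
    name: str
    cost: int                 # lower is cheaper; used by lowest-cost rules
    alive: bool = True        # probe answered at all
    latency_ms: float = 0.0
    jitter_ms: float = 0.0
    loss_pct: float = 0.0


@dataclass
class SLA:
    """Thresholds a member must meet to count as healthy for a rule."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def met_by(self, m: Member) -> bool:
        return (m.alive and m.latency_ms <= self.latency_ms
                and m.jitter_ms <= self.jitter_ms
                and m.loss_pct <= self.loss_pct)


@dataclass
class Rule:
    """Steering rule; the first matching rule wins, so order most specific first."""
    name: str
    members: list                               # preferred order of member names
    mode: str                                   # "sla" | "best-quality" | "lowest-cost"
    apps: set = field(default_factory=set)      # empty = any application
    src: list = field(default_factory=list)     # CIDR strings; empty = any source
    sla: SLA = None                             # required for mode "sla"

    def matches(self, app: str, src_ip: str) -> bool:
        if self.apps and app not in self.apps:
            return False
        if self.src and not any(ip_address(src_ip) in ip_network(n) for n in self.src):
            return False
        return True


def select_member(rule: Rule, links: dict):
    """Return the member name the rule would use now, or None if every member is down."""
    cands = [links[n] for n in rule.members if links[n].alive]
    if not cands:
        return None
    if rule.mode == "sla":
        # first member in preference order that meets the SLA wins ...
        for m in cands:
            if rule.sla.met_by(m):
                return m.name
        # ... and if none does, keep traffic flowing on the first live one (degraded)
        return cands[0].name
    if rule.mode == "best-quality":
        return min(cands, key=lambda m: (m.latency_ms, m.jitter_ms, m.loss_pct)).name
    if rule.mode == "lowest-cost":
        return min(cands, key=lambda m: m.cost).name
    raise ValueError(f"unknown mode {rule.mode!r}")


def steer(app: str, src_ip: str, rules: list, links: dict, default: Rule):
    """Return (rule name, member name or None) for one new flow."""
    for r in rules:
        if r.matches(app, src_ip):
            return r.name, select_member(r, links)
    return default.name, select_member(default, links)


def build_policy():
    """Constructed sample policy: an MPLS circuit plus cheap broadband."""
    links = {
        "mpls": Member("mpls", cost=100, latency_ms=20, jitter_ms=2, loss_pct=0.0),
        "broadband": Member("broadband", cost=10, latency_ms=35, jitter_ms=5, loss_pct=0.5),
    }
    internet_sla = SLA(latency_ms=150, jitter_ms=30, loss_pct=2.0)
    rules = [
        # executives (hypothetical 10.10.50.0/24) always get whichever link measures best
        Rule("exec-best-quality", ["mpls", "broadband"], "best-quality", src=["10.10.50.0/24"]),
        # SaaS breaks out directly over broadband while it meets SLA, otherwise MPLS
        Rule("saas-direct", ["broadband", "mpls"], "sla",
             apps={"office365", "dropbox"}, sla=internet_sla),
    ]
    # everything else stays on MPLS unless MPLS itself misses SLA
    default = Rule("default-mpls", ["mpls", "broadband"], "sla", sla=internet_sla)
    return links, rules, default


if __name__ == "__main__":
    links, rules, default = build_policy()
    print(steer("office365", "10.10.20.5", rules, links, default))   # ('saas-direct', 'broadband')
    links["broadband"].loss_pct = 5.0                                 # broadband degrades past SLA
    print(steer("office365", "10.10.20.5", rules, links, default))   # ('saas-direct', 'mpls')
```

The design choice worth noticing is the degraded branch in select_member: when every member of an "sla" rule is out of SLA, the engine still forwards on the first live member rather than blackholing the flow, which is the behavior you want for a branch that has lost its good circuit but not all connectivity. Rule order also matters: the executive rule is listed first so an executive’s Office 365 session is steered by link quality, not by the SaaS breakout rule.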
What is the downside to SD-WAN?
Most SD-WAN solutions do not have an inherent security component, so more infrastructure and expertise is needed. Direct-to-Internet breakout also moves the enforcement point to every branch: each site needs its own inspection (firewall, IPS, web filtering), and site-to-site traffic carried over public broadband needs an encrypted overlay, typically IPsec.
While selecting the right SD-WAN solution for a specific implementation may require a few compromises, security should not be one of them.
How do I build a secure, software-defined WAN?
The goal is to reduce complexity while increasing elasticity and security. That’s why we’re sharing how to use routing, switching, and firewalls together as a secure SD-WAN solution. It’s not an additional solution, because you already need these components.
While the process and steps will differ based on the unique needs of the business, these high-level steps apply to most.
Take Inventory and Review Refresh
What is currently in your network, and when is the refresh? Knowing this will help when reviewing vendors.
When your refresh comes, you want to purchase the switches, routers, and firewalls that include software-defined networking capabilities.
Look at the fine details of what these vendors offer because it can make a big difference in the total cost of ownership (TCO), operational expense (OPEX), and security.
For example, we’re seeing as much as 92 percent of Internet traffic encrypted. If you’re not decrypting, you’re only seeing eight percent of what leaves your network.
The FortiGate can do SSL decryption, so you can inspect the traffic and decide which path it should take. Someone wants to download a file from Dropbox: automatically send them to the circuit that is 200 Mbps down. Another person wants to upload a file: send them to the circuit that is 50 Mbps up. You can steer based on the direction of the transfer because you can see inside the encrypted stream. Now your user experience skyrockets. Most vendors only do traffic steering. That’s just one example. One caveat: SSL decryption works by having the firewall re-sign server certificates, so its CA certificate must be trusted on every endpoint, and applications that pin certificates will fail under inspection and need an exemption.
Many vendors require additional management because they require more appliances and multiple management consoles. This not only puts pressure on people’s time but increases your TCO and the overhead of implementing these solutions. This brings us to consolidation.
Some equipment can do more with less, allowing you to consolidate your infrastructure. Reduce your number of SKUs, manage it all from a single application or pane of glass, and now your help desk can start managing it instead of a systems engineer (SE).
For example, you can replace separate WAN routers, WAN optimization, and security devices such as firewalls and secure web gateways (SWGs) with a single FortiGate NGFW.
From a security standpoint, what we like about Fortinet is the packaged threat protection: firewall, antivirus, intrusion prevention system (IPS), and application control. Its web filtering enforces Internet security without requiring a separate secure web gateway (SWG) device.
Strategically Turn Off Circuits
It’s understandable why you don’t want all your applications going through the Internet, but not all are mission-critical and sensitive. It depends on the vertical and the business. I can’t say that I have seen oil and gas jump all over the idea of dropping the expensive circuits.
As you adopt this secure, SD-WAN solution, you’re going to strategically turn off circuits and reduce your costs.
We have a lot of conversations about turning off expensive circuits at certain facilities, almost a staging approach. Customers start testing with data and applications that are not mission-critical. Once tested and comfortable, they can have a more informed discussion when the circuit comes up for renewal.
Look at Total Cost of Ownership
The move to public broadband means that expensive MPLS connections can be replaced with more cost-effective options. With Fortinet’s transport-agnostic solution, enterprises can use all of the available bandwidth by combining MPLS circuits and the Internet.
We’ve provided a high-level look at what adopting SD-WAN looks like. As you can see, it’s easy, affordable, and improves overall network performance.
If you’re interested in taking steps for your unique business, reach out to EdgeTeam. We’re happy to have a conversation on how you can use SD-WAN to secure and automate complexity out of your distributed network.
This article is brought to you by Fortinet. Fortinet Secure SD-WAN enables organizations to solve the secure communications problem for distributed locations quickly and easily. Fortinet is the only vendor with a custom-designed ASIC to provide the fastest application identification and steering in the industry, while providing connectivity and advanced security capabilities 10 times faster than the competition. Fortinet is the market-share leader in providing security solutions to the distributed organization.