SD-WAN without a cloud firewall? Don’t even think about it!
It’s no mystery why SD-WAN deployments have been climbing sharply. Organizations—tired of dealing with the spiraling costs of private networks and facing the reality of rising internet-bound traffic—have finally found a simpler solution for connecting users in branch offices to the applications and data they need. Even so, the size of the SD-WAN market is eye-opening. According to IDC, it could reach $4.5 billion by 2022, a figure that underscores the widespread frustration with network complexity, high costs, and lack of visibility.
SD-WAN vendors offer a variety of solutions, with something to fit every organization’s needs, and Zscaler partners with the leaders. At its core, SD-WAN is about simplifying connectivity by automating how traffic is routed at branch sites. With SD-WAN, customers can use inexpensive broadband, 4G/5G, and other transports to connect users directly to the internet, which offers the dual advantages of cost-effective application delivery and a much better user experience. But while direct-to-internet connections are the best way to reach cloud apps, they also mean that every branch now has its own internet edge instead of sitting behind the data center's security stack. SD-WAN expands the network attack surface and exposes branch offices to additional risk, so branch security is a key concern for many enterprises considering SD-WAN.
Most SD-WAN solutions offer basic access control and minimal security, typically a simple stateful firewall that filters on Layer 3 and Layer 4 header fields, enabling you to restrict access based on IP addresses and ports. In the face of expanding cyberthreats, this alone is insufficient to protect organizations connecting directly to the internet and SaaS: a rule that permits outbound TCP/443 passes a connection to a phishing site or a command-and-control server just as readily as one to a sanctioned SaaS application, because the two are indistinguishable at the packet-header level. Organizations that no longer want to send internet-bound traffic through a central or regional gateway need a way to deliver application-layer (Layer 7) protections to all locations.
In a perfect world, the branch office would have the same security protections as the headquarters or regional offices. But it’s not feasible to outfit each branch with a secure web gateway that includes a next-generation firewall (NGFW) with intrusion prevention, DNS security, web filtering, data protection, and anti-malware protection. Deploying such a stack in each office would be exorbitant.
Furthermore, with TLS-encrypted traffic now the majority of all internet traffic, it’s critical to decrypt and inspect it: malware downloads, phishing pages, and data exfiltration inside an encrypted session look like ordinary HTTPS to a firewall that sees only addresses and ports. If an attacker compromises a branch through such a channel, it becomes a stepping stone to move laterally, undetected, into the organization's main locations and expose them to attacks or data breaches. How do you inspect encrypted traffic for all users without expensive hardware at every site?
Here’s what you need for a secure SD-WAN deployment:
- The complete gateway security stack delivered as a cloud service to protect all users without the cost of deploying security appliances
- Coverage for all ports and protocols, including SSL/TLS
- Local DNS resolution as close to the user as possible to optimize application performance and user experience, while providing protection against DNS-based attacks
- Identical protection and policy enforcement for all users, whether they are connecting from corporate headquarters or a branch office on the other side of the world
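As an added illustration of why the second list item matters, the following Python compares the decision a port-based stateful branch firewall can make with the decision possible once the TLS ClientHello's Server Name Indication (SNI) is parsed. This is example code written for this post, not Zscaler's software or any SD-WAN vendor's firewall; the ClientHello bytes, the blocklist, the allowed-port set and the fail-closed policy on a missing SNI are all constructed assumptions for the example.

```python
import struct
from typing import Optional

# Constructed policy tables for the example; a real deployment would get these
# from a policy engine, not from hard-coded sets.
ALLOWED_PORTS = {80, 443}
BLOCKED_HOSTS = {"malware.example", "paste.example"}


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    This is constructed test input, not a capture from a real client."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # client random (zeroed for the example)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello record, or None if absent or malformed.
    Every length field is bounds-checked so truncated or hostile input cannot raise."""
    if len(record) < 5 or record[0] != 0x16:              # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                      # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # compression_methods
    if len(body) < pos + 2:
        return None
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:                                 # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            return None
        if etype == 0x0000:
            data = body[pos:pos + elen]
            if len(data) < 5 or data[2] != 0x00:          # need list length plus one host_name entry
                return None
            name_len = struct.unpack("!H", data[3:5])[0]
            if len(data) < 5 + name_len:
                return None
            return data[5:5 + name_len].decode("ascii", "replace").lower()
        pos += elen
    return None


def l3_decision(dst_port: int) -> str:
    """All a port-based stateful branch firewall can decide on: the destination port."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"


def l7_decision(dst_port: int, first_payload: bytes) -> str:
    """Add application-layer context (the TLS SNI). A session with no parseable SNI is
    denied: failing closed is a policy choice assumed for this example."""
    if l3_decision(dst_port) == "deny":
        return "deny"
    host = extract_sni(first_payload)
    if host is None:
        return "deny"
    if host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Two flows to the same shared-hosting address and port (constructed); only the SNI differs.
    for host in ("crm.example.com", "cdn.malware.example"):
        hello = build_client_hello(host)
        print(f"{host:22s} L3={l3_decision(443)}  L7={l7_decision(443, hello)}")
```

Both constructed flows get `allow` from the port-only check; only the SNI-aware check separates the sanctioned application from the blocklisted host. SNI is the cheapest application-layer signal available without decryption, but it is a heuristic: a client can send a misleading SNI, and TLS 1.3 Encrypted Client Hello hides it entirely, which is why the post argues for full decryption and inspection rather than header matching.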
The leaders in SD-WAN recognize these needs and are partnering with Zscaler to deliver all these capabilities from the cloud. Vendors such as Silver Peak have taken this a step further, leveraging Zscaler APIs for integrations that automate the creation of IPsec tunnels to Zscaler. These integrations make deployment fast and simple, so customers can immediately begin routing traffic to Zscaler to secure it en route to the internet.
SD-WAN is great. Secure SD-WAN is better.
It’s easy to integrate SD-WAN solutions with Zscaler through a GRE or IPsec tunnel to provide comprehensive security, visibility, control, and data protection for employees going directly to the internet. One caveat when choosing the tunnel type: GRE provides encapsulation but no encryption, so traffic between the branch and the Zscaler edge crosses the broadband transport in the clear unless it is carried inside IPsec, which is the appropriate choice wherever that path is untrusted. With a solution that combines SD-WAN with Zscaler cloud security, enterprise branch offices can manage the surge of cloud and internet traffic without backhauling to the centralized DMZ in the data center, using an agile hybrid WAN architecture for network transformation along with robust security.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Naresh Kumar is a principal product manager at Zscaler.