Three Ways of Integrating SD-WAN Security


Under a strategic partnership announced on April 11, SecureOps’ security services will be added to Expereo managed services offerings, which include SD-WAN. The offering includes security infrastructure management, threat monitoring and response and vulnerability life-cycle management.

The Expereo and SecureOps strategic partnership for security and network service management is enhanced by vulnerability lifecycle management services. Enterprises will be able to easily integrate SecureOps’ flexible MSSP services into their network, bolstering Expereo connectivity with robust security. Expereo will offer the following Managed Security services:

  • Security infrastructure management: Secured, monitored internet break-out services via on-premises devices or secure cloud gateways across a number of security offerings, including security information and event management (SIEM), firewall management for SD-WAN, intrusion detection and prevention systems (IDS and IPS), unified threat management (UTM) and more.
  • Threat monitoring and response: Dedicated, 24/7 triage and incident handling and customer environment monitoring for potential threats, powered by a multi-layer detection process.
  • Vulnerability lifecycle management: Enterprise WAN vulnerability management. Proactive scanning and analysis of customer infrastructure for threat determination and reporting, backed by assessment and remediation.

In addition, customers will receive access to security consultancy services such as security audits, customer requirement facilitation, host protection and more.

The firms clearly “get” that for SD-WAN to succeed, security is paramount. It’s not a new idea, as any regular reader of this blog probably knows. I’ve been discussing the importance of SD-WAN security for some time.

To fulfill SD-WAN’s promise of better cloud performance and lower costs, branch offices need to access the public Internet directly, whether through broadband or direct Internet access (DIA). But while SD-WAN creates a “secure network” (by which we mean it encrypts traffic between sites), most SD-WAN appliances on their own lack sufficient firewall capabilities to protect the branch.

Branch Office Appliances are Not the Answer

The obvious solution is to simply put a security appliance and related tools at each branch. This is likely a non-starter for three reasons. The first is easy to identify: outfitting each branch office with security appliances is expensive, perhaps prohibitively so.

The second challenge, as the Expereo/SecureOps announcement suggests, is that deploying security appliances at the branch introduces a level of complexity and hands-on involvement that is a reach for most organizations. Do you or your IT team really have the time to sort through the dozens of security apps and tools that are out there, select the right ones and then configure, integrate and maintain them at each branch? Probably not. Very often we at SASE Experts find users spending $20,000 on new security tools and training, but then failing to spend the resources to maintain the tool.

The third challenge is that keeping the security and networking domains distinct complicates troubleshooting. A network engineer seeing a problem in Zscaler, for example, would naturally want to gather data on where the attack is concentrated, along with other data from the SD-WAN. If security and networking are not integrated, this requires jockeying back and forth between two consoles. This is time-consuming, awkward and may lead to valuable data being overlooked.

Deeper Integration is the Key

Clearly, branch office security requires deeper integration with the network. There are three places this kind of integration can happen: at the appliance, as a managed service, and in the cloud.

SD-WAN Security at the Appliance

Creating an SD-WAN/security appliance can be done as virtual network functions (VNFs) in an NFV environment. Multiple VNFs can run on a vCPE deployed by the service provider.

There are a number of issues here, not the least of which are the scaling challenges of appliances. As we’ve seen with UTM appliances, increases in traffic and heavier processing demands from the security applications can overwhelm an appliance. Processing power requirements grow over time.

The same is true with SD-WAN. As one engineer told me, he was reluctant to enable the antivirus function available for one SD-WAN appliance because the lack of processing power would degrade SD-WAN performance.

SD-WAN Security as a Managed Service

The managed service model faces the same issues. After all, it’s simply a different iteration of the same appliance-based approach. Adding compute-intensive functions to an inherently limited platform risks undermining overall packet processing performance. Upgrading the hardware is a possible but expensive solution.

The caveat, of course, with a managed service is that the service provider is responsible for the appliance. Look for your SD-WAN service contract to include free hardware upgrades when new functions need greater processing power (anyone own an older iPad?) to accommodate precisely these concerns. You might pay more, but you won’t have to worry about maxing out the appliance, which makes this an attractive option. But you need to define performance!

SD-WAN Security in The Cloud

Moving security and SD-WAN processing into the cloud eliminates the complexities and impracticalities of running full security platforms at each branch office. So-called SD-WAN-as-a-service avoids the problems of the appliance. At the same time, it requires the cloud provider to have not only a sufficiently robust security and SD-WAN software platform, but one that’s globally available.

How to securely and efficiently incorporate branch offices into an SD-WAN is vital and complicated. Solutions are still evolving. Other important issues, such as proactively assessing the security of open source-based microservices and combating social and physical exploits, also must be addressed by the SD-WAN ecosystem.

It’s certainly a lot to think about, and SASE Experts can help. Contact us today for a free consultation.
