The Darker Side of SD-WAN Service Insertion
When deploying an SD-WAN solution, an organization must take a close look at how security will be handled.
One benefit of software-defined networking (SDN) is that we finally have a way to seamlessly and painlessly insert new networking services, such as firewalling or load balancing, into the forwarding path of our traffic.
But there’s a darker side to service insertion when it’s applied to SD-WANs, one that can continue to lock organizations into the same inflexible and inefficient architecture that contributed to the demise of MPLS services.
Service Insertion and Security
As SDN principles became embodied in the WAN design, some SD-WAN vendors adopted SDN-like service insertion to share resources in one location with the rest of the overlay. Policies implemented at the SD-WAN edge identify and steer the requisite traffic to the service (or services, in the case of service chaining).
The most popular use cases for SD-WAN service insertion have involved securing branch offices. Some of the biggest selling points of SD-WANs versus MPLS services – reduced monthly bandwidth spend and improved quality of experience for cloud and internet applications – are only possible by using inexpensive, direct internet access connections.
But to use direct internet access, SD-WAN vendors must also explain how they secure those internet connections and internet-bound traffic. Deploying firewalls, malware protection and URL filtering at every office with internet access isn’t feasible: it significantly increases the capital expenditures and ongoing operational costs associated with the SD-WAN project.
Service insertion would seem to provide an easy answer. Instead of implementing a full security stack of services at each office, service insertion allows internet traffic to be brought to the security appliances for inspection before being forwarded on to the destination.
Poor Cloud Performance
But used in this way, SD-WAN service insertion effectively deprives many organizations of the improved cloud performance promised by SD-WANs. The centralized internet access typifying hub-and-spoke MPLS implementations forced internet-bound traffic to be backhauled to the central location before being sent on to the internet.
Relying on service insertion and centralizing security appliances incurs the same problem with SD-WANs. Users in a remote office in Georgia, for example, must still send traffic back to the headquarters in California only so that it can be placed back on the internet to reach a destination in Virginia. Once again, traffic backhaul may add unnecessary latency to cloud applications. The only difference is that we replaced MPLS links with virtual private networks (VPNs) and the internet.
Of course, the network engineering here is critical. Some applications are more tolerant of latency than others and may not be impacted by the “trombone” effect. If service insertion occurs near the user, in path to the destination (or near the destination), there may be little impact on the user experience. A smart (or even a reasonably intelligent) network engineer should recognize that backhauling Virginia traffic to California may cause problems.
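To put numbers on the Georgia, California and Virginia example, the following added sketch (not part of the original article) estimates the best-case round-trip propagation delay that an inspection site adds to a flow and picks the candidate site with the smallest penalty. The city coordinates are assumptions standing in for the states named above, the North Carolina hub is hypothetical, and the model counts fiber propagation only, ignoring routing detours, queuing and inspection time.

```python
import math

FIBER_KM_PER_MS = 200.0  # light in fiber covers roughly 200 km per millisecond

# Constructed sample sites: assumed cities for the states named in the text.
SITES = {
    "branch_ga": (33.749, -84.388),   # Atlanta, Georgia (assumed branch)
    "hq_ca": (37.338, -121.886),      # San Jose, California (assumed headquarters)
    "dest_va": (39.044, -77.488),     # Ashburn, Virginia (assumed destination)
    "pop_nc": (35.227, -80.843),      # Charlotte, North Carolina (hypothetical hub)
}

def km(a, b):
    """Great-circle distance between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def rtt_ms(path):
    """Best-case round-trip propagation delay along a list of site names."""
    one_way = sum(km(SITES[x], SITES[y]) for x, y in zip(path, path[1:]))
    return 2 * one_way / FIBER_KM_PER_MS

def trombone_penalty(src, dst, inspect_at):
    """Extra RTT caused by steering src->dst traffic through an inspection site."""
    return rtt_ms([src, inspect_at, dst]) - rtt_ms([src, dst])

def best_insertion_site(src, dst, candidates):
    """Candidate inspection site that adds the least round-trip delay."""
    return min(candidates, key=lambda s: trombone_penalty(src, dst, s))

if __name__ == "__main__":
    for site in ("hq_ca", "pop_nc"):
        extra = trombone_penalty("branch_ga", "dest_va", site)
        print(f"inspect at {site}: +{extra:.1f} ms RTT")
    print("best:", best_insertion_site("branch_ga", "dest_va", ["hq_ca", "pop_nc"]))
```

With these assumed locations, inspection at the California headquarters adds tens of milliseconds per round trip, while a site roughly in path adds a fraction of a millisecond.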
Relying on service insertion and security appliances also fails to address the other challenges enterprises face with security appliances. Our penchant for deploying point solutions to address every conceivable security problem has created a dense forest through which organizations cannot see. “Our security works in silos,” said David Ulevitch, the founder of OpenDNS and VP of Cisco’s Security Business Group, in his keynote at the recent RSA show, “We have 50 security devices in our network and that’s causing complexity.” Service insertion and security appliances perpetuate that problem.
This architecture also fails to address the other operational challenges related to appliances. Appliances need to be bought, deployed, maintained, upgraded and retired. As traffic volumes increase or new features are enabled, organizations must upgrade appliances. Software updates also often lag because they are high risk and complex, exposing companies to new threats.
Precisely for these reasons, small- and medium-sized enterprises (SMEs), particularly those with limited security staff, are looking at cloud security services. Ironically, many SD-WAN vendors partner with cloud security providers to secure branch offices and avoid the backhaul problems.
But whether you couple SD-WANs with security appliances or cloud security services, you still maintain the “complexity” of separate networking and security domains. IT still lacks the visibility to identify threats. Operations are still complicated by forcing policy configuration and management for both security and networking.
The right approach is to integrate security into the SD-WAN. Enable the SD-WAN itself to perform all network security functions needed to secure the traffic. This way you eliminate the latency of SD-WAN backhaul, the complexity of maintaining security appliances, and the limited visibility created by maintaining separate security and networking environments.