There are plenty of good reasons for deploying software-defined WAN (SD-WAN). Reductions in bandwidth spending, improved application performance and increased visibility into the WAN are just a few. But none of those are as likely to protect your job as being able to segment traffic crossing the wide area network (WAN).
All SD-WANs protect data in flight with a secure overlay (marketing’s way of saying a mesh of IPsec tunnels between SD-WAN nodes), but traffic from different services can still be sent in a common tunnel across the WAN. Network segmentation goes a step further and provides end-to-end isolation between services (or, more likely, groups of services) within the SD-WAN. Without SD-WAN, enterprises would need to use a protocol such as Virtual Routing and Forwarding-lite (VRF-lite), which is difficult to scale in large enterprises because it requires the participation of every intervening router in a path.
As a result, many enterprises tunnel site-to-site traffic together, but that increases risk. Threat actors can attack critical systems by first penetrating less protected ones. In 2014, for example, attackers entered Target’s network via an HVAC contractor, infected the company’s point-of-sale (PoS) system, and siphoned off some 40 million payment card account numbers. The attack led to the CEO’s resignation.
The importance of network segmentation was further driven home to me during the recent Open Networking User Group (ONUG) conference when I had the chance to chat with Snehal Patel, network architect at Gap, Inc. The Gap is in the middle of rolling out a Viptela SD-WAN across its 1,200 stores; 860 stores have been connected to date. The conversation turned to the challenges retailers face and can address with SD-WANs, and he pointed to the difficulty of delivering guest WiFi services to their stores.
Many if not most enterprises today, I would imagine, offer guest WiFi services, but it’s probably not a particularly critical service for them. For retailers, though, guest WiFi is an important part of their business strategy. Retailers are looking to go “omnichannel,” integrating their online, mobile, and in-store shopping experiences. Once store visitors register for guest WiFi access, retailers can monitor their online browsing habits, push coupons and advertising to their mobile devices, and gather data from their movements to improve store layout.
Delivering guest WiFi services presents a challenge for architects like Patel. Many retailers prefer to consolidate Internet access in regional locations, but that would mean guest WiFi traffic would have to be carried across the WAN, with all the security risks that implies. SD-WAN, though, allows architects to isolate guest WiFi services in their own network segment, protecting the rest of the network.
The same is true for any service or application. Segmentation allows retailers, in this case, to deliver video surveillance traffic, PCI traffic, and more over a common network without compromising on security or performance. Since network segments need to carry a diverse range of traffic, each segment should be configurable independently, with all the properties of a WAN.
While writing The Ultimate WAN RFP I found that SD-WAN vendors vary on this point. Some won’t support multicast traffic across network segments; others limit the number of segments that can be created across the overlay. Policies configuring segments should allow IT to define unique network topologies (hub-and-spoke, full mesh, etc.) and IP addressing per segment. Threshold metrics – such as loss, latency, jitter and bandwidth – should be configurable for each network segment. Policies should then be able to use these metrics for SLAs, and for determining when to fail over and when to fail back.
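To make the per-segment policy model concrete, here is an added example that is not part of the article and not the configuration language of Viptela or any other SD-WAN vendor. It models two segments sharing one overlay (a guest WiFi segment and a PCI segment, both constructed for this illustration) with their own topology, address prefix, SLA thresholds and ordered path preference, then evaluates constructed path measurements against each segment's SLA independently. The same degraded measurement on the MPLS path triggers a failover for the PCI segment but leaves the guest WiFi segment untouched, and the PCI segment fails back only after the preferred path has met its SLA for several consecutive polls. All segment names, paths, prefixes and threshold values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sla:
    """Threshold metrics a segment's traffic must be carried within."""
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float
    min_bandwidth_mbps: float


@dataclass(frozen=True)
class PathMeasurement:
    """One probe result for a single underlay path between two sites."""
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    bandwidth_mbps: float


@dataclass(frozen=True)
class Segment:
    """A network segment with its own topology, addressing, SLA and path order."""
    name: str
    topology: str                # e.g. "hub-and-spoke" or "full-mesh"
    prefix: str                  # address space assumed unique to this segment
    sla: Sla
    path_preference: List[str]   # preferred path first, then backups in order


@dataclass
class SegmentState:
    """Per-segment forwarding state; no two segments share an instance."""
    active_path: str
    good_polls_on_preferred: int = 0   # consecutive SLA-compliant polls, for failback


def sla_violations(sla: Sla, m: PathMeasurement) -> List[str]:
    """Return the names of every threshold the measurement breaches (empty = compliant)."""
    out = []
    if m.loss_pct > sla.max_loss_pct:
        out.append("loss")
    if m.latency_ms > sla.max_latency_ms:
        out.append("latency")
    if m.jitter_ms > sla.max_jitter_ms:
        out.append("jitter")
    if m.bandwidth_mbps < sla.min_bandwidth_mbps:
        out.append("bandwidth")
    return out


def select_path(seg: Segment, state: SegmentState,
                measurements: Dict[str, PathMeasurement],
                failback_after: int = 3) -> Tuple[str, str]:
    """Apply one poll of measurements to one segment; returns (active path, decision)."""
    preferred = seg.path_preference[0]
    compliant = [p for p in seg.path_preference
                 if not sla_violations(seg.sla, measurements[p])]

    # Hysteresis: fail back only after the preferred path has been clean repeatedly.
    if preferred in compliant:
        state.good_polls_on_preferred += 1
    else:
        state.good_polls_on_preferred = 0

    if state.active_path in compliant:
        if state.active_path != preferred and state.good_polls_on_preferred >= failback_after:
            state.active_path = preferred
            return preferred, "failback"
        return state.active_path, "stay"

    # Active path breaches the SLA: fail over to the first compliant path in preference order.
    if compliant:
        state.active_path = compliant[0]
        return state.active_path, "failover"

    # No path meets the SLA: stay put and report which thresholds are breached.
    breached = sla_violations(seg.sla, measurements[state.active_path])
    return state.active_path, "sla-breach:" + ",".join(breached)


def run_scenario() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed sample: one healthy poll, one poll with MPLS degraded, three recovered polls."""
    segments = [
        Segment("guest-wifi", "hub-and-spoke", "10.200.0.0/16",
                Sla(max_loss_pct=5.0, max_latency_ms=300, max_jitter_ms=80, min_bandwidth_mbps=5),
                ["broadband", "mpls"]),
        Segment("pci", "hub-and-spoke", "10.10.0.0/16",
                Sla(max_loss_pct=0.5, max_latency_ms=80, max_jitter_ms=15, min_bandwidth_mbps=2),
                ["mpls", "broadband"]),
    ]
    healthy = {"mpls": PathMeasurement(0.1, 40, 5, 50),
               "broadband": PathMeasurement(0.2, 60, 12, 100)}
    degraded = {"mpls": PathMeasurement(2.0, 150, 30, 50),       # constructed MPLS brownout
                "broadband": PathMeasurement(0.2, 60, 12, 100)}
    polls = [healthy, degraded, healthy, healthy, healthy]

    states = {s.name: SegmentState(active_path=s.path_preference[0]) for s in segments}
    history: Dict[str, List[Tuple[str, str]]] = {s.name: [] for s in segments}
    for poll in polls:
        for seg in segments:   # each segment is evaluated against its own SLA only
            history[seg.name].append(select_path(seg, states[seg.name], poll))
    return history


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name, decisions)
```

Each segment keeps its own state object and its own SLA, so a brownout that is unacceptable for PCI traffic never disturbs guest WiFi, and the failback counter prevents the PCI segment from flapping between paths on a single clean probe. A vendor implementation would also carry the segment's topology and prefix into the routing policy so that the two address spaces are never routed into each other.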
By being able to segment network traffic, SD-WAN solutions make it possible for retailers and any enterprise to consolidate their services securely and affordably onto one WAN. This leads to operational and security improvements. Is there a better way to protect a job?