The Control Plane

2020-09-19T18:00:00.013+05:30

Is SD-WAN Secured?

2020-09-18T16:31:00.018+05:30

Issues with traditional security:

Traditional security is discontiguous configured site by site manually. Which is complex and is not easy to manage.

Current security model is designed as per traditional architectures like on-prem Data centres services and Office users.

Enterprises are moving towards multi-cloud environment with current on-prem security has many gaps to secure SAAS/IAAS/PAAS cloud solutions.

Now customers with mobile security should not be only tagged to his machine,location or port.

Business is changing sometimes requires fast service and security rules for required couple of hours only.

This traditional security can provide some sort of security with in enterprise however when users are mobile and accessing cloud , REST API's interactions over internet.It requires new intelligent security design.

There is a need of security model with full stack intelligence,proactiveness,analytics,IPS,IDS,malware protection,Sandbox and DNS layer security.

Zero trust security model is required. Zero Trust is basically change in the traditional security best practices where inside users were considers as trusted users.

But the problem is if any organisation has hosted everything on their backbone network like MPLS they will have all security appliances and policies in place.No one can access the inside network. However despite of having all security practices in place the network can still be compromised.What if, any of the inside user is compromised then entire security will be compromised.Most of these attacks happens from the inside.From outside it not so easy to crack the private network.

As shown below in figure 1 the control plan corporation has user inside the office which are in traditional security designs considered as trusted user and users accessing the network from outside of office are untrusted users.

By chance, if internal security is compromised then it could be a disaster.

To avoid such issues Zero trust model was invented by Forrester Research Inc.Anybody on network inside or outside everybody have to follow strict security policies and check lists to access network.

And to protect the end user security MFA multi-factor authentication came into picture.As all are using BYOD (Bring your own device) accessing internet/cloud hosted application or enterprise application from their personal mobile devices.

In today's working environment, security is not restricted within the building,it is distributed everywhere.

Figure-1-Zero-Trust

Let's take an example of traditional security Bob staying in the control plane society.He visit bank whenever he needs to check his balance or withdraw amount.This was because back in early 2000 there was no such strong remote security or core banking facilities exists. Banks were only secure place for transaction and security was restricted to on-premises. Bob was wasting most of the time and money going to bank.But in today's fast moving world this model is outdated and slow.Time and security means revenue.

Figure-3-Traditional-Security

Now application are changing from desktop websites to mobile phone websites to smartphone apps.Security requirement is also changing per application based.Most of the traffic we access now a days is SSL/TLS encrypted.All the websites with https where 's' is secure are SSL/TLS encrypted websites. NSS Labs predicts that around 75 percent of total enterprise traffic will be encrypted by next year.Traditional security model always trust the SSL traffic assuming its encrypted.It means half of the traffic will pass the security uninspected which is a threat.
Below figure shows anyone is assessing the banking or any cloud websites from office or home are https and tradition security will always send SSL traffic uninspected.
SSL security can be used for attacks like intruders can build their own SSL website and launch attack if SSL inspection is not in place.
Attacker can hide the malicious data the SSl enable sites any can launch attack by bypassing the security if uninspected.

Figure-2-Encrypted-Traffic

You have got basic understanding now ,how traditional security and on prem-hardware security can not provide the complete security as per today's application and user requirement.As both are mobile not restricted to a single computer or location. SDWAN solution is application-aware and DPI (Deep packet inspection) which has list of well known ports to identify the application along with cloud SAAS application visibility as well.This features were missing in traditional WAN or security designs.

SDWAN provides in-built security features like IPS,IDS,Firewall,Advanced Malware protection,private cloud security,public cloud security fro enterprises.

In the diagram shown below you can see remote site is accessing public cloud.And could functionality extend till SDWA edges.Making easy choice for enterprises who are already using Multi-cloud functionality.Its make easy to connect IAAS,SAAS cloud applications.

Let's first take an example if traditional WAN and security were in place.When remote site will access public cloud if primary link is MPLS traffic will either back hauled to data center for accessing cloud where generally cloud peering will be establish and there will be set of high end security appliances.You need set of WAN optimization devices to optimise the MPLS traffic so that like is not over utilized. Or Cloud traffic like SAAS is allowed over backup internet link where additional security is required.Last traditional scenario is using DMVPN tunnels over internet to back haul to datacenter. This will degrade the WAN performance as those tunnels will not have QoS.

Now take SDWAN example if remote site wants to access public cloud it can use both transports.All above gaps will be overcame by SDWAN solution as both transports MPLS and internet can be used on intent basis. As now a days internet links are also improved enterprise grade. SDWAN has in-built security.For internet transport security cloud can be integrated along with baked-in SDWAN security .

There is no requirement of WAN optimizers. As traffic will be optimised on many other factors auch as quality of link, jitter,packet loss,application criticality.And even MPLS usage will be offloaded and shared among multiple internet link transports.Making SDWAN more flexible,intelligent and secure as compare to traditional networks.

Figure-4-SDWAN-Cloud-on-Ramp

SDWAN offers cloud exchange security as well where there is a cloud stack exchange deployed for multi-cloud security. Shown in figure 5.It is a cloud VNF which is a cloud exchange providing the security with NFV appliance which are virtual instanced hosted in cloud.

Figure-5-SDWAN-Cloud-Security-Stack

With SDWAN solution we are getting all the required features on a single platform rather than working on single bits and pieces on multiple vendors for multiple technologies.Which will have separate management.

VNF are virtual network functions (VNFs) that handle specific network functions like firewalls or load balancing.and Secure access service edge (SASE)services which are more focused on end.

SDWAN SASE integration will add more value to SDWAN solutoin.SASE converges the functions of network and security point solutions into a unified, global cloud-native service.

A SASE solution combines the capabilities of a WAN with comprehensive security functions, such as secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and Zero Trust network access (ZTNA) to facilitate secure network access in cloud and mobile environments.(see In picture 6).

These all feature will be integrated in a single SDWAN solution with more insight.

Figure-6-SDWAN-SASE

In above figure-6 you can see all the network services like SDWAN(software Defined Wide Area Network),Carrier, WAN optimization,Bandwidth aggeration,Network vendors,Network as a service , CDN ( content delivery network, or content distribution network) and security services like DNS(Domain Name System).
SASE with SDWAN will solve all the security and network gaps in traditional networking and security model which was actually designed for on premises solutions only.

Will SD-WAN replace MPLS?

2020-09-09T18:41:00.035+05:30

SDWAN -Software Define Wide Area Network.
MPLS - Multi-Protocol Label Switching.

As you know that there are a lot of digital transformations happening in recent years and the things have been changing with rapid pace.Starting from the desktop websites to mobile websites and then from mobile apps to cloud apps, OTT media services.But the problem was with the network, its was designed on the basis of hops,device,source and destination based with no visibility to applications.The network was not application centric.

In order to meet the current business requirement enterprise network need to be more intelligent,cost-effective and with fast WAN deployments.That's why SDWAN solution came into picture to fill-up this gap.

Let's take an example, In picture shown below you can see a car dashboard. It was late 80's or 90's design which had basic information to reach from Point A to B.You can relate this to MPLS without SDWAN. MPLS will still be there for backbone connectivity.But this design will not meet today's business requirement.

Picture-1

Now let's take an example of below picture-2 here you have all features more visibility and you have apps to show which route is best to reach from point A to point B or it can do the re-routing of path based on the path scenario using analytics with AI machine learning driven models. Different driving modes in city and off road. You can relate this with MPLS with SDWAN. At enterprise level for remote site,data center connectivity using overlay SDWAN solution will be more in demand.

Picture -2

Hope this visual comparison given you the basic idea about SDWAN and MPLS. MPLS is your engine, transmission and tyres on which your car is able to drive. So,its not MPLS vs SDWAN it is MPLS with SDWAN. MPLS provide the underlay network connectivity and SDWAN is a overlay technology (in picture 3) that runs over underlay and SDWAN will add more intelligence to MPLS or tradition WAN or even internet/4G/5G. We should understand the technology first rather than following the commercial hype between vendors to promote the things.Its a expansions and bringing intelligence to your network.

Yes definitely it will be cost effective as in traditional network if site has two link usually primary link will be active and second link will be standby.The network need to be designed accordingly.With SDWAN organisation will have flexibility to use both links with application centric routing.

Picture-3

This certainly decrease the utilization and bandwidth requirement on MPLS link and traffic can be offloaded to secondary internet/4G/5G links. Enterprises have to spend less on MPLS bandwidth upgrades for critical sites and on WAN optimization appliances.

Earlier enterprises does not have choice so they have to spend on MPLS circuit as secondary link as well and they need to keep the same bandwidth as primary and that link will be on standby.And this will be the flat calculation like if site utilization is 50 Mbps then they have to go for 100 Mbps or have to choose the plan provided by service provider.

In above picture-3 there are two available transports MPLS and Internet.Considering the traditional network , primary link will be MPLS as this has QoS with more secured private backbone connectivity to enterprise data centres. Secondary link will be internet which will be used as backup.With SDWAN we are adding intelligence to our network.With SDWAN both transport MPLS and Internet will be used to carry the traffic based on the intend or policy based application aware routing.By doing so internet overlay is also secured and have more features like QoS ,security and tcp optimization.

Now enterprises have choice to use internet link as secondary link even they can combine two internet links and create a policy based application aware routing.Keep critical sensitive or back bone traffic on MPLS link.Some of enterprises security policies will be very strict like banking or insurance sector and they do not trust on public clouds.So it depends what is enterprise requirement as well.This is not true that it will slash the cost to 90% which usually SDWAN advertisements claims.But yes cost will definitely decrease by some percentage and network will be ready to work with today's business requirements.

Over all SDWAN is still evolving day by day will have more features in future and will be in more demand. Enterprises need to determine the business case for application type,application workload and choose the right tool to fit in their requirement.Stay connected to know more about SDWAN by keeping things simple by excluding the commercial and sales things which you will find a lot everywhere.

SD-WAN

2020-09-07T13:33:00.026+05:30

What is SDWAN? SDWAN vs traditional WAN?

SDWAN

SDWAN is most advanced technology in WAN.Today there are multiple SDWAN vendors exists. However this discussion will not be vendor specific.It will be a general high level overview about SDWAN solution.

SDWAN stands for Software Defined Wide Area Network.
In SDWAN control plane ,data plane and management planes are segregated.
In addition to this we have new term in SDWAN which is orchestration plane.
Orchestration plane is policy driven segment of SD-WAN where we can push any action on sites using policies.
This action can be traffic flow,routing changes,transport change etc.
SDWAN has application aware routing functionality.Which means it can identify the applications.So,accordingly critical applications traffic engineering can be done.
SDWAN solution is transport independent.It's does't matter if you have MPLS, private cloud or Internet link.Just need reachability till controllers.
SDWAN has controllers which can be hosted on public cloud or on customer on premises data centres.
These controllers serve Management ,Orchestration and Control plane services.
The data plane reside inside the another SDWAN customer edge router device which will be installed on remote sites or Data Center.
The remote site or customer data center should have underlay reachability till controllers.
The term underlay and overlay is frequently used in SDWAN environment.
Underlay is physical connectivity and reachability of site A to site B or site A to any DC or Site A to internet.
Overlay is a logical connectivity which is build over underlay using IPSec in case of SDWAN.
All the Customer Edges SDWAN routers will connect to controllers using secured encrypted tunnels.
All the SDWAN controllers will have to exchange the encrypted keys before establishing the secure connection.
For control plane traffic there will be direct tunnels towards SDWAN which will be established after whitelisting and key exchange mechanism.
All the SDWAN edges devices will have serial number tagged to a particular organisation.
Once the control connection between controllers and SDWAN edges is established, All SDWAN edges devices will receive the information about the destination from controllers.
After getting the the destination information the SDWAN edges will establish the dynamic IPSec full mesh tunnels with all site for data plane connectivity.
These IPSec tunnel connection is more faster ,dynamic and different from tradition IPSec.
Advantage of SDWAN is if site has two WAN links either MPLS-Internet,MPLS-MPLS,Internet-Internet.Both can be utilized using policy driven routing.
Customer SDWAN edges have plug and play feature no manual intervention required.
Inbuilt traffic inspection and detection, no separate hardware required.
SDWAN will monitor the all possible underlay end to end hop connections as well.So, any issues can be reported proactively.
As SD-WAN controllers are hosted in cloud, this solution has capability of Cloud integration.
Deployment time is very less.

Traditional WAN:

In tradition WAN there is no application visibility.
For each site CPE need manual intervention and Provider dependency for routing and peering setup.
Does not have flexibility and fast enough to do application aware routing.
In traditional WAN there is a DMVPN solution to use internet as underlay however that is not much scalable and have limitations.
Control Plane lies on same CPE so have to login to each CPE for any changes.
For WAN Traffic optimization,inspection and detection separate hardware required.
Required more bandwidth and both WAN links will not be utilized optimally.
It has legacy way for cloud integration.When enterprise use multi-cloud, its difficult to manage and troubleshoot.
If any of the WAN link is highly utilized it require a manual intervention to offload the traffic to backup link.
The manual offloading is expensive if both links are MPLS as enterprise need to opt for active/active load sharing WAN connection which will increase the operational cost.
If backup link is DMVPN it has limitation voice and video traffic performance will be degraded.There is no dynamic tunnel tracking.Sometimes required a manual bounce to refresh the tunnel.
Some of the service providers use 3G/4G backup links on which performance will be very poor with unoptimized traffic flow.
Enterprises will have very less visibility at provider end.For any issue enterprises need to log a case with service provider where getting response and resolution on time is challenging.
For each WAN changes enterprise need to engage provider engineer and have to careful about prefix limits.Requires downtime and sometime failover will also not work due to many issues.
It's very expensive and time consuming.

Overall because of these advantages most of the organisations are moving towards SDWAN solutions.It is single fabric to manage all the WAN devices.Can SD-WAN replace MPLS? Follow us for upcoming blogs to know more.