As organizations grow and evolve, so do their networks. Digital transformation efforts – including the move to the cloud and adoption of mobile devices – and the growth of the multinational business have changed how the modern enterprise network is designed and used.
In many cases, global wide-area networking (WAN) is implemented through a combination of multiprotocol label switching (MPLS) links and Internet-based virtual private networks (VPNs). Each of these solutions is intended to achieve certain networking and security goals, like high-performance, reliable networking, and secure communication links between sites.
(Guide) With a Converged WAN Platform, Granular Network Visibility is Simple & Scalable
However, this mess of MPLS and VPN-based networks have a significant impact on an organization’s ability to achieve full network visibility. The majority of cyber threats travel over the network, and any malicious content that an organization’s security infrastructure doesn’t see can’t be identified or blocked by it. As the use of cloud-based and mobile computing moves traffic off of the enterprise network, organizations must adopt a solution that provides both high network performance and the visibility needed for security.
Visibility Challenges of MPLS & Internet-Based VPNs –
Many organizations are reliant upon some combination of MPLS links and Internet-based VPNs for their enterprise WAN. While these solutions may enable an organization to achieve its networking goals, they present significant challenges for an organization attempting to achieve full visibility of their corporate network.
Varied Transport Architecture:
One of the greatest challenges of maintaining visibility across an organization’s network is the fact that network traffic doesn’t all flow over the same channels. A need for reliable, low-latency connections is an argument for MPLS, but MPLS is expensive. Internet-based VPNs can provide privacy but can have widely variable reliability and performance due to their reliance upon the public Internet for transport. For many organizations, achieving visibility into MPLS connections “checks the box” for network visibility; however, a great deal of traffic flowing over the network is overlooked.
A Security Information and Event Management (SIEM) system can help with this problem since it is capable of aggregating data from multiple forms of transport media. As a result, an organization can achieve visibility into MPLS links and Internet-based VPNs in a single dashboard.
However, this only works for traffic that flows over transport media under the organization’s control. With the growth of the cloud and mobile devices, users now often directly connect to an organization’s cloud-based resources. Forcing these connections to flow through the headquarters network for scanning is infeasible due to the resulting impact on connection latency and performance.
Fragmented Infrastructure:
If an organization cannot achieve visibility on all transport media that traffic uses to reach the endpoints within their network, they can compensate by deploying monitoring solutions on the endpoints themselves. In the past, this could have been a workable solution. However, the same network evolution that makes visibility on transport media difficult also makes deploying monitoring solutions on all of an organization’s endpoints difficult. Most endpoint sensors cannot run on mobile devices. With 85% of businesses embracing BYOD policies, this leaves a significant visibility gap for the organization.
However, the issue is not confined to mobile devices. 81% of organizations have a multi-cloud deployment. Since security settings and visibility controls vary from provider to provider, this means that deploying consistent monitoring solutions across all environments may be difficult or impossible.
Appliance-Based Security:
Traditionally, network visibility is achieved through deploying a set of standalone security appliances that all traffic would pass through for inspection. At a minimum, this would include the deployment of a next-generation firewall (NGFW), secure web gateway (SWG), and unified threat management (UTM) solution.
The cost of acquiring, deploying, and maintaining all of these standalone appliances at the headquarters network is already significant, but even that is not enough. Hauling all traffic back to the headquarters network for inspection dramatically increases latency and decreases network performance. Deploying these solutions at every one of the organization’s network endpoints (enterprise network, cloud deployments, etc.) is likely financially unfeasible, not scalable. It may not even be possible in some environments.
Achieving Network Visibility with Cloud-Based SD-WAN –
Achieving full visibility over the organization’s network requires the ability to inspect traffic as it flows over the network links. Doing so without having a significant negative impact on network performance means that an organization needs a WAN with many, globally-distributed points of presence (PoPs) connected by reliable, high-performance network links.
Cloud-based software-defined WAN (SD-WAN) is the ideal solution to this problem. By leveraging cloud computing, an organization can deploy geographically distributed PoPs, minimizing the additional latency caused by forcing cloud and mobile traffic to use a PoP to enter the protected network. Connecting these cloud-based PoPs with Tier-1, dedicated lines from several different ISPs provide performance guarantees rivaling that of MPLS. Finally, using SD-WAN to optimize network usage ensures that application traffic is routed optimally from source to destination PoP and that failover occurs seamlessly if a transport medium becomes unavailable.
While cloud-based SD-WAN provides the networking capabilities needed by the modern enterprise, it also provides a platform for achieving full network visibility. A cloud-based SD-WAN solution with integrated security can perform monitoring and threat detection as traffic flows over the SD-WAN network. The integration of security functionality into the SD-WAN appliances at each PoP also eliminates the overhead associated with deploying, maintaining, and monitoring multiple standalone security appliances. With cloud-based SD-WAN, it is possible to route all traffic over a single, high-performance network with integrated security and global visibility.
