A core element of an SD-WAN approach is giving branch offices direct internet access. Doing so makes WANs far more agile and improves cloud application performance. The problem is that it also makes each branch office a potential entry point for viruses, malware and other internet-borne threats. Relying on per-branch security appliances alone does not scale, and cloud-based secure web gateways (SWGs) bring problems of their own, chiefly the loss of visibility and control that comes with sending traffic off-site for inspection. Managed edge services offer a way forward.
Fixing what’s wrong at the edge
The managed edge combines the best elements of SWGs and branch-based security. In this approach, security and networking functions run as virtual appliances on common edge hardware. Rather than losing visibility and control by sending traffic to an external SWG for inspection, the inspection is done on the managed edge itself.
Popular approaches to edge architectures involve network functions virtualization (NFV). A provider runs SD-WAN, firewalling, SWG, IDS/IPS and more on a single appliance (a vCPE) as virtual network functions (VNFs). Such an approach eliminates the facility costs (real estate, power, shipping and more) of running multiple hardware appliances.
At the same time, though, VNFs are still discrete components and, depending on the implementation, may not be well integrated with one another. What's more, appliances have finite processing capacity, which often leaves edge architectures unable to apply every security feature to all traffic: operators end up enabling only a subset of features, or applying them to only a subset of flows.
What to look for in a managed edge service
A managed-edge service addresses these limitations by wrapping service delivery and integration around the appliances. The service provider becomes responsible for integrating the virtual functions running on the branch appliances, and for scaling the appliance to meet the customer's requirements.
At Open Systems we have spent years thinking about the managed edge, and deeply believe any managed-edge service should deliver on seven attributes:
Scaling: The managed-edge should grow with company needs. A more powerful machine should be delivered to the customer, at no additional cost, when processing requirements grow beyond the installed capacity.
24x7 management: Around-the-clock monitoring and management should be a given. At Open Systems, our Mission Control service provides worldwide, around-the-clock monitoring. Though the service is fully managed, customers still retain complete visibility: everything seen at Mission Control is visible to the customer's IT staff. Co-management approaches are also available.
Efficient debugging: Security should be integrated into the SD-WAN stack, which simplifies debugging. Security issues become dramatically easier and faster to resolve than with complex cloud proxy approaches, where the relevant logs sit with a third party.
Priority support: Support should start at level 3. The person who will resolve the issue takes it from the start. Level-1 and level-2 personnel – those who generally escalate issues to level 3 – are skipped.
All traffic assessed: All traffic traversing the LAN and the WAN should be monitored and made visible. This enables a holistic view and proper prioritization of sensitive applications and services.
Stopping lateral attacks: If an attack does get into the network, the fear is that the malware behind it will quickly move laterally from host to host. The managed service should detect and contain such incidents quickly to avoid widespread damage. In addition, a global zoning concept limits how far an attacker can move: traffic may not cross zone boundaries, for example from client networks into server networks, unless a policy explicitly allows it.
Edge-based SSL/TLS decryption and scanning: Decrypting and scanning encrypted traffic at the edge (still loosely called SSL decryption, although the protocol in use today is TLS) lets the findings be correlated with IDS/IPS results from the rest of the organization. The managed service should use machine learning to correlate with other customer sites and with independent security databases, which raises the odds that a threat is caught before it does damage. One caveat a practitioner should plan for: inspection at the edge means the edge device terminates the client's TLS session and re-signs the server certificate, so endpoints must trust the edge's private CA, and applications that pin certificates must be exempted or they will fail.
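To make the zoning idea concrete, here is an added example of what a zone barrier looks like as a forwarding policy on a Linux-based edge device. This is configuration written for this article, not Open Systems' own ruleset; the interface-to-zone mapping (eth1 client zone, eth2 server zone, eth0 WAN) and the allowed port list are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the page): zone-based forwarding policy for a branch edge.
# Assumed interface-to-zone mapping: eth1 = client LAN, eth2 = server LAN, eth0 = WAN.
flush ruleset

table inet zones {
    # Name interfaces by zone so the rules read as zone policy, not cabling.
    set client_ifaces { type ifname; elements = { "eth1" } }
    set server_ifaces { type ifname; elements = { "eth2" } }
    set wan_ifaces    { type ifname; elements = { "eth0" } }

    # Services clients may open towards the server zone (assumed list for illustration).
    set client_to_server_tcp { type inet_service; elements = { 443, 445, 3389 } }

    chain forward {
        # Default drop: crossing a zone boundary requires an explicit allow below.
        type filter hook forward priority filter; policy drop;

        # Replies to already-allowed connections pass; broken state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Client zone -> server zone: only the listed services, and only new
        # connections opened in this direction.
        iifname @client_ifaces oifname @server_ifaces tcp dport @client_to_server_tcp ct state new accept

        # Server zone -> client zone: servers never initiate connections to workstations.
        # A hit here is a strong lateral-movement signal, so log before dropping.
        iifname @server_ifaces oifname @client_ifaces log prefix "zone-violation server-to-client " drop

        # Both internal zones may reach the internet; the WAN cannot initiate inbound.
        iifname @client_ifaces oifname @wan_ifaces accept
        iifname @server_ifaces oifname @wan_ifaces accept

        # Anything else that tries to cross a zone boundary is logged and dropped.
        log prefix "zone-violation " drop
    }
}
```

Load it with `nft -f zones.nft`. Note what the policy does and does not give you: a compromised workstation can still reach the allowed server ports, so zoning narrows the paths an attacker can take rather than eliminating them, and the logged `zone-violation` drops are exactly the signal a monitoring team needs to spot lateral-movement attempts early.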
The key challenge for any security approach is balancing security with performance and availability. The cloud proxy approach works against this by placing a management wall between the corporate LAN and the security logs, which adds complexity and increases management overhead. This is not the case with Open Systems, which tightly links the networking and security functions while taking on day-to-day operational control on the organization's behalf, without taking away its visibility.
Managed security services have a tremendous story to tell, and we'd love to tell it to you.