2017 Prediction: Will Networking and Security Finally Merge?

[51CTO.com Quick Translation] It’s a new year again, and it’s time to make bold predictions for the next twelve months. Just like Master Yoda’s prophecy, although such predictions sometimes sound vague or exaggerated, they often do provide important guidance for future trends. In today’s article, we will focus on only one direction:

Networking should be integrated with security

What does this mean? Does it mean that networking and security may replace each other in 2017? Should CIOs and CISOs prepare for this inevitable trend? How can security and network technicians prepare for this wave of impact?

Of course, we have our own ideas about this. Through the attention of many SD-WAN vendors and the inspiration brought by the development of traditional technologies,

Is the "SD" in SD-WAN a security disaster?

There is no doubt that any direct Internet connection achieved by SD-WAN represents a new attack surface. Most companies have one or more regional Internet access centers. The direct consequence of being exposed to the Internet is that everyone will encounter more threats from ransomware, phishing networks, malicious downloads, and even other hidden dangers.

Even scarier is that the level of security in our branch offices is likely even worse. Users often rely on MPLS or Internet-based IPSec VPNs, and most enterprises I see still backhaul traffic to secure Internet access portals at central or regional hubs. There may be no firewalls, malware detection, or other security protections in place.

In fact, a recent survey released by Dimension Data mentioned exactly this issue. The survey found that 40% of enterprise branches do not have basic stateful firewalls. Half of the branches do not use next-generation firewalls (NGFWs). SD-WAN and direct Internet connections represent a double risk for branches. Not only do enterprises face a larger attack surface, they are even unable to protect it with existing tools and procedures.

Other network and security solutions

SD-WAN vendors are aware of the security challenges. They are starting to discuss network layer issues - including encryption, IPSec, authentication, etc. Network partitioning on the WAN isolates traffic in its own way, thereby protecting applications from external WAN activity. The basic idea is very similar to the isolation of virtual machine applications on the host, and many vendors have begun to build stateful firewalls into their branch devices.

But the bigger question is how to provide NGFW, malware detection, IDS/IPS, URL filtering and other application-level security mechanisms for branch offices. In this regard, we found that various vendors generally adopt one or more of the following four solutions.

Service chain and cloud security

At the basic level, some SD-WAN vendors have begun to work together to improve their security level to "industry-leading". The resulting service chain allows various security functions to be connected in series. Deep packet inspection (DPI) at the network edge can identify relevant traffic and steer it to the corresponding security device, without all of it having to flow through the central data center.

However, service-chained security devices still require some branch traffic to be backhauled to an inspection location. In order to achieve direct Internet connectivity without deploying a full security device stack in the branch office, most SD-WAN vendors have jointly established cloud security services. As one example, Zscaler sends all inbound and outbound TCP, UDP and ICMP traffic to the Zscaler cloud for inspection before forwarding it to its destination.

Service chaining provides a framework to address basic security issues, but the service instances created by the enterprise involving multiple applications, user types and sites are still at risk. It is clear that enterprise WAN management can only be achieved through a highly integrated and automated strategy. SD-WAN and security parameters should be defined and delivered through a single interface. After that, the necessary tools should be able to push these policies to every corner of the infrastructure.

Many leading SD-WAN vendors have begun to provide these capabilities, but the network and security analysis mechanisms are still separate. For example, we cannot integrate security and network information to minimize the alert information received by security operators. Similarly, security devices cannot detect DDoS attacks or block the corresponding entrance to the current network partition. Although network and security logs can be exported to third-party tools, this kind of rigorous joint analysis and control is still beyond the scope of cooperation between most SD-WAN vendors.

Native SD-WAN and security integration

At the internal facility level, enterprises still need to bear all management and operational complexities and are responsible for maintaining the daily operation of the security infrastructure. Firewalls, updates, patches, etc. are still quite cumbersome but necessary. At the cloud security service level, enterprises are also responsible for protecting all non-HTTP traffic. In both cases, policy integration capabilities are usually very limited, and analytical integration is difficult or even impossible.

In view of this, some SD-WAN vendors have begun to further couple security with SD-WAN functions. Versa Networks uses NFV solutions to run security functions on sites connected to SD-WAN. Cato Networks also attempts to provide routing functions based on its cloud environment.

By tightly coupling security and networking, enterprises can reap the benefits. For example, Versa can perform deeper analysis of security and network logs, reducing the event load in security operations. And by moving these functions to the cloud, Cato ensures that IT teams do not have to bear the operating costs of separate parts of the infrastructure.

So are there any drawbacks to this approach? The biggest problem is that it forces enterprise customers to turn from "best in class" giants to solution providers with relatively short histories. In addition, although Versa has established collaboration with many third-party security devices, using them means the integration of security and network analysis is lost.

Networking should be integrated with security

The line between network and security will become more blurred in the next few years - at least on a technical level. In the short term, however, there will still be a clear distinction between network and security teams. SD-WAN will also provide better collaboration between these two groups, which may be the biggest contribution that SD-WAN vendors can make to IT security.

Will networks and security converge in 2017? by Steve Garson and Dave Greenfield

[Translated by 51CTO. Please indicate the original translator and source as 51CTO.com when reprinting on partner sites]
