The networking industry is transforming quickly. Implementing network services used to be the exclusive domain of fixed, proprietary hardware appliances; now it is done in software, combined with major advances in commodity server architectures and virtualization.
Virtualized network functions (VNFs) describe an architecture in which L3-L7 network services are implemented in software and decoupled from the underlying hardware. This approach makes rolling out new network services, or upgrading existing ones, faster, more flexible, and less complex, while significantly reducing costs and operational overhead. Many service providers and enterprises are using this model to deploy software-defined wide area networks (SD-WANs).
In a recent Gartner blog, Andrew Lerner interviewed fellow Gartner analyst Bjarne Munch about managed SD-WAN services. Andrew asked Bjarne what he thought about SD-WAN, network functions virtualization (NFV), and virtual customer premises equipment (vCPE) as they relate to managed WAN services, and Bjarne said, “We are on the brink of one of the most dramatic changes in WAN services that we have seen in decades.” When asked about his predictions for the future, Bjarne replied, “By 2020, at least 30 percent of international enterprise WAN service contracts will incorporate NFV-based services, up from less than one percent in 2016.”
Another one of the new types of NFV services we’re starting to see is software-defined security (SD-security), and, as the name implies, it offers all of the same security features and functionality you’ve come to expect from proprietary hardware-based network security devices but served via software.
SD-security is built on the agility, cost savings, and flexibility that security VNFs offer over traditional network security appliances. For service providers, this enables next-generation managed security services such as vCPE, managed SD-WAN with SD-security, and pure managed security services. For enterprises, the technology provides a needed (and integrated) layer of security for SD-WAN projects, which generally include direct Internet access.
Software-defined security enables service providers and large enterprise IT teams to deliver a range of layered security services for branch offices, including advanced functions such as next-generation firewalls and secure web gateways (SWG). By moving security functions to software, service providers and enterprises can toss those proprietary appliances and replace them with high-performance, feature-rich software systems that only require an inexpensive white box at the site.
How SD-Security Works
Conceptually, SD-security is an architectural approach to protection and compliance that decouples and abstracts controls away from physically-oriented elements. It’s important to understand that this approach is critical for enabling security and compliance to operate harmoniously with software-defined infrastructure models that also decouple application and data hosting from the hardware underneath. To support these shifts, security services have evolved to become programmable, adaptive, scalable, and portable.
Enterprises and service providers are evaluating SD-security solutions today because it:
- Increases agility—Migrating from proprietary hardware to VNF-based security services reduces deployment time from weeks or months to hours. All that’s required at the location is a commodity appliance — no more truck rolls. Even more compelling, incremental security functions can be centrally provisioned and downloaded in real time to the commodity appliance as needed, significantly reducing deployment and integration work.
- Reduces capex and opex—Capex can be radically lowered by replacing proprietary security appliances and perpetual software with security VNFs and pay-as-you-go subscription pricing. Systems with built-in multi-tenancy further lower capex. Opex is reduced through zero-touch provisioning, which eliminates truck rolls and greatly simplifies ongoing operations such as software updates and capacity expansion.
- Minimizes operational complexity—SD-security simplifies the validation and deployment of security features through built-in service chaining. Integrating multiple security functions (including third-party) into a network stack becomes simple, and the level of time and troubleshooting required during deployment is minimized versus installing and integrating proprietary security appliances and software. Zero-touch provisioning further simplifies deployment. Ongoing operations can be simplified through a management platform that provides a single console and control across all security functions. In an ideal SD-security scenario, users should be able to dynamically provision capacity increases centrally and to add incremental security functions easily by downloading a VNF.
- Customizes your security stack based on the environment—SD-security enables providers and enterprises to cost-effectively build their own custom security stack to meet the needs of specific environments from SMBs to large enterprises. For example, one branch environment could consist of a simple firewall and antivirus, with other security functions handled by HQ. Another branch environment could consist of an entire suite of unified threat management (UTM) functions that are all managed by a service provider. Whether you’re an enterprise or a service provider, SD-security takes the challenge out of managing the security stack at branch office sites. It also simplifies the integration between security and network products.
SD-security delivers more agile and cost-efficient security by migrating from hardware-based services to a software-defined approach that leverages VNFs. The SD-security system you end up evaluating should provide a broad set of security VNFs, including next-generation firewall (NGFW), malware protection, URL and content filtering, intrusion prevention system (IPS) and antivirus, DDoS mitigation, and VPN/next-generation VPN. It should be purpose-built for managed services and be just as easily deployed by the enterprise. And it should have capabilities such as multi-tenancy, service chaining and zero-touch provisioning, enabling the delivery of security much more rapidly. In the end, enterprises win with lower capital and operating costs and service providers win with higher revenue and profitability.
Why SD-WAN and SD-Security “Make the Perfect Pair”
While they can share a similar architecture (if both are designed using VNFs and open hardware), the synergy between SD-WAN and SD-security goes much deeper—to the use case level. One of the main value propositions of SD-WAN is the ability to seamlessly include Internet connectivity alongside MPLS to create a hybrid and unified WAN. The obvious security downside of enabling direct Internet access (DIA) from each branch office is that every site now needs strong local security, which can be costly and very difficult to manage effectively.
With the emergence of SD-security, multi-layer security can be integrated into an SD-WAN solution via software, which is much harder to do with a standalone appliance-based approach.
The benefits for providers and enterprise IT teams alike are a much simpler insertion of security into the branch to protect Internet access, far more timely service deployment and upgrades, and a greatly reduced chance of one standalone network or security component breaking another.
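The per-branch security stack described earlier (a small site with only a firewall and antivirus, another with a full UTM suite) and the point just made about DIA combine into one concrete check: a site that breaks out to the Internet locally must carry the inspection functions HQ would otherwise provide, and its service chain must be ordered so that each function sees the traffic it needs. The script below is an added example, not code from the original post or from any vendor's SD-security product. The VNF names, the set of functions required for DIA, the canonical chain order and the ordering constraints are all assumptions chosen for illustration; the branch inventory is constructed.

```python
"""Per-branch security chain check for SD-WAN sites with direct Internet access.

Added example, not code from the original post or any vendor. The VNF names,
the required-function policy and the canonical ordering are assumptions
chosen to illustrate the idea; adapt them to the stack actually deployed.
"""
from dataclasses import dataclass

# Assumed policy: a site that breaks out to the Internet locally must run
# these functions itself rather than rely on HQ for them.
REQUIRED_FOR_DIA = {"ngfw", "ips", "swg"}

# Assumed canonical order of the chain from LAN ingress towards the Internet.
# Decryption sits before the inspection engines that need cleartext.
CANONICAL_ORDER = ["vpn", "ssl_decrypt", "ngfw", "ips", "swg", "av", "ddos"]

# Assumed ordering constraints: (must_come_first, must_come_later).
MUST_PRECEDE = [("ssl_decrypt", "ips"), ("ssl_decrypt", "swg")]


@dataclass
class Branch:
    name: str
    dia: bool          # direct Internet access enabled at this site
    chain: list        # ordered VNF names, LAN side first


def validate_chain(branch):
    """Return a list of problems with the branch's chain (empty = acceptable)."""
    problems = []
    seen = set()
    for vnf in branch.chain:
        if vnf in seen:
            problems.append(f"{branch.name}: '{vnf}' appears twice in the chain")
        seen.add(vnf)
    if branch.dia:
        missing = sorted(REQUIRED_FOR_DIA - seen)
        if missing:
            problems.append(f"{branch.name}: DIA enabled but chain lacks {missing}")
    for first, later in MUST_PRECEDE:
        if first in seen and later in seen and branch.chain.index(first) > branch.chain.index(later):
            problems.append(f"{branch.name}: '{first}' must come before '{later}'")
    return problems


def plan_chain(branch):
    """Return a new Branch whose chain satisfies the policy.

    Keeps every VNF the site already has, adds the functions DIA requires,
    drops duplicates and sorts into the canonical order (VNFs not in the
    canonical list keep their relative order at the end of the chain).
    """
    wanted = list(dict.fromkeys(branch.chain))  # de-duplicate, keep order
    if branch.dia:
        wanted += [v for v in sorted(REQUIRED_FOR_DIA) if v not in wanted]
    rank = {v: i for i, v in enumerate(CANONICAL_ORDER)}
    wanted.sort(key=lambda v: rank.get(v, len(CANONICAL_ORDER)))  # stable sort
    return Branch(branch.name, branch.dia, wanted)


def audit(branches):
    """Map branch name -> (problems found, corrected chain)."""
    return {b.name: (validate_chain(b), plan_chain(b).chain) for b in branches}


if __name__ == "__main__":
    # Constructed inventory for the example.
    inventory = [
        Branch("branch-small", dia=False, chain=["ngfw", "av"]),  # HQ handles the rest
        Branch("branch-dia-weak", dia=True, chain=["ngfw"]),      # missing ips, swg
        Branch("branch-misordered", dia=True, chain=["ngfw", "ips", "swg", "ssl_decrypt"]),
    ]
    for name, (problems, fixed) in audit(inventory).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}\n  planned chain: {' -> '.join(fixed)}")
```

The non-DIA branch passes with just a firewall and antivirus because the policy only bites when local Internet breakout is enabled; the DIA branch that forgot IPS and SWG is flagged and its planned chain adds them in canonical order; the branch that placed decryption last is flagged twice and re-sorted so inspection sees cleartext. In a real deployment the policy and ordering tables would come from the central management platform rather than constants, but the check itself is the same.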