Branch office networks are proving to be the weakest link in many enterprises today. In the 2013 Gartner report, “Bring Branch Office Network Security Up to the Enterprise Standard,” analyst Jeremy D’Hoinne wrote that, “30 percent of advanced targeted threats — up from less than 5 percent today — will specifically target branch offices as an entry point.” The attack landscape has broadened and grown more sophisticated since that report was published, but branch security architectures, and the managed service offerings often used to deploy and operate them, have not evolved proportionately. Point security appliances, such as next-generation firewalls (NGFWs), unified threat management (UTM) devices, and software overlays in a branch router, are typically used to approximate data center perimeter security at the branch.
Challenges for the Branch Office
Enterprises with multiple branches today either manage their security devices in-house or rely on a managed service provider (MSP). Either way, at least five major challenges must be addressed when proprietary security appliances are deployed as separate resources in the branch:
- Complexity and staffing: It is difficult to manage multiple point devices, each covering a different layer of security, at locations where no IT or security expertise is available locally.
- Complexity and risk of error: Beyond managing each individual security layer, it is difficult to integrate those layers into a cohesive stack without leaving gaps in overall network protection.
- Cost/inability to budget: Small to midsized businesses (SMBs) often cannot afford to purchase or lease security appliances for some or all of their branch offices.
- Cloud apps/Internet connectivity: Companies today have applications running both in the cloud and in the corporate data center. In addition, branch offices often have different connectivity requirements: some use high-speed Internet, others use MPLS, and some use both. Each connectivity type requires a different security approach, which adds significant complexity when traditional security appliances are used to build a standard branch security model.
- Lack of agility: Companies taking the traditional security appliance approach can experience long deployment times. Hardware must be shipped, and consultants or integrators must then be scheduled to install, integrate, and test the equipment. This process recurs at initial deployment and again whenever capacity upgrades are required.
NFV Eliminates the Need for Proprietary Network Security Appliances
Recent advances in network functions virtualization (NFV) allow the security features found in proprietary network security appliances to be delivered as software, as virtualized network functions (VNFs), creating “software-defined security.” VNFs are available that cover the standard feature set of the most common NGFWs and UTMs: malware protection, URL and content filtering, IPS, anti-virus, DDoS mitigation, and VPN/next-generation VPN. One of the main advantages of software-defined security is that it runs on commodity x86 servers and appliances.
Another advantage of software-defined security is the ability to service chain functions, so that multi-layer security is achieved by passing traffic through several VNFs in sequence. For example, a service provider can chain a next-generation firewall and a secure web gateway to secure direct internet access from the branch. Because the chain is defined once, centrally, it can be rolled out to each branch office from a centralized management tool.
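The chain described above, modeled as an added example (this is not code from the original article or from any NFV vendor): a next-generation firewall VNF applying L3/L4 rules, followed by a secure web gateway VNF applying URL-category policy, with outbound branch flows evaluated in that order. The rule set, hostnames, categories and the 10.20.0.0/16 branch prefix are constructed for illustration. The chain also fails closed when a VNF in it is reported unhealthy, the check a practitioner would want before trusting a chain with direct internet access.

```python
"""Service-chained security for branch direct-internet-access (DIA) traffic.

Added example, not code from the original article or from any vendor: a
minimal model of two VNFs (NGFW, then SWG) applied in order to each outbound
flow. Rules, hostnames and categories below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    host: Optional[str] = None  # HTTP Host header or TLS SNI, if observed


@dataclass
class Verdict:
    allow: bool
    vnf: str     # which VNF (or "chain") produced the verdict
    reason: str


class NGFW:
    """L3/L4 policy: ordered rules, first match wins, implicit deny at the end."""
    name = "ngfw"

    def __init__(self, rules: List[Tuple[str, str, int, str, bool]]):
        # (src_cidr, dst_cidr, dport or 0 for any, proto or "any", allow)
        self.rules = [(ip_network(s), ip_network(d), p, pr, a)
                      for s, d, p, pr, a in rules]

    def inspect(self, f: Flow) -> Verdict:
        src, dst = ip_address(f.src), ip_address(f.dst)
        for s, d, p, pr, allow in self.rules:
            if src in s and dst in d and p in (0, f.dport) and pr in ("any", f.proto):
                return Verdict(allow, self.name, f"rule {s}->{d}:{p}/{pr}")
        return Verdict(False, self.name, "implicit deny")


class SWG:
    """L7 policy: URL-category filtering, applied to web ports only."""
    name = "swg"

    def __init__(self, categories: Dict[str, str], blocked: Set[str]):
        self.categories = categories  # hostname -> category
        self.blocked = blocked

    def inspect(self, f: Flow) -> Verdict:
        if f.dport not in (80, 443):
            return Verdict(True, self.name, "not web traffic, passed through")
        if f.host is None:
            # Constructed policy choice: web flows that cannot be classified are denied.
            return Verdict(False, self.name, "no hostname/SNI, cannot classify")
        cat = self.categories.get(f.host, "uncategorized")
        if cat in self.blocked:
            return Verdict(False, self.name, f"category {cat} blocked")
        return Verdict(True, self.name, f"category {cat} allowed")


class ServiceChain:
    """Apply VNFs in order. The first deny ends the chain, and an unhealthy VNF
    fails closed rather than letting traffic bypass the layer it provides."""

    def __init__(self, vnfs, health: Callable[[str], bool] = lambda name: True):
        self.vnfs = vnfs
        self.health = health  # hypothetical health probe keyed by VNF name

    def evaluate(self, f: Flow) -> Verdict:
        for vnf in self.vnfs:
            if not self.health(vnf.name):
                return Verdict(False, vnf.name, "VNF unhealthy, fail closed")
            v = vnf.inspect(f)
            if not v.allow:
                return v
        return Verdict(True, "chain", "all VNFs allowed")


def build_branch_chain(health: Callable[[str], bool] = lambda name: True) -> ServiceChain:
    """Constructed DIA policy for a branch on 10.20.0.0/16: web and DNS out, nothing else."""
    ngfw = NGFW([
        ("10.20.0.0/16", "0.0.0.0/0", 443, "tcp", True),
        ("10.20.0.0/16", "0.0.0.0/0", 80, "tcp", True),
        ("10.20.0.0/16", "0.0.0.0/0", 53, "udp", True),
    ])
    swg = SWG(
        categories={"www.example.com": "business", "malware.example.net": "malware"},
        blocked={"malware", "phishing"},
    )
    return ServiceChain([ngfw, swg], health)


if __name__ == "__main__":
    chain = build_branch_chain()
    for flow in (Flow("10.20.1.5", "93.184.216.34", 443, host="www.example.com"),
                 Flow("10.20.1.5", "203.0.113.7", 443, host="malware.example.net"),
                 Flow("10.20.1.5", "203.0.113.7", 22)):
        v = chain.evaluate(flow)
        print(f"{flow.dst}:{flow.dport} -> {'ALLOW' if v.allow else 'DENY'} by {v.vnf}: {v.reason}")
```

Ordering in the chain matters: the NGFW runs first, so SSH to an arbitrary host is dropped by the implicit deny and never reaches the web gateway, while web flows that pass L4 policy are then classified by category. The health check is what keeps "centralized, automated operations" from becoming a silent bypass: if the gateway VNF is down, the chain denies rather than forwarding unfiltered.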
Additional benefits of a software-defined security solution using VNFs include:
- Elasticity: When branch security is deployed through a software-defined model, capacity can be scaled up or down dynamically without replacing proprietary appliances.
- Flexible and distributed service architecture: With NFV, service providers and large enterprises can decide where to run each security layer: on-premises in the branch office, centrally in the data center, or in a provider point of presence (PoP).
- Centralized, automated operations: Software-defined security also delivers services from a single point of control, removing the requirement for skilled personnel to travel on-site whenever something changes. Services can be deployed, scaled up, and extended with additional functions without any on-site presence, hardware refresh, or manual provisioning.
In conclusion, software-defined security for the branch office offers the security features associated with proprietary NGFWs and UTMs, plus the ability to add further layers for defense in depth, while reducing deployment times, operational complexity, and capital and operating costs.