Navigating Your SD-WAN Strategy

Every major provider of software-defined wide area networking (SD-WAN) talks about its network segmentation strategy as a major benefit of the technology, offering a way to address path isolation and security.

The right strategy includes not just a consideration of the tools offered by the provider, but also a complete understanding of enterprise IT’s goals and systems. Each SD-WAN solution will have its own version of a network segmentation strategy, and no single solution will address every aspect of your organization’s needs. Choosing a direction requires a discussion that includes authentication and authorization, managing security roles, and how policies will be applied.

The Traditional Approach: As a whole, teams have historically segmented their networks using a number of tools to foster path isolation throughout processes. They used tag routing schemes and virtual routing in addition to security access control lists (ACLs). These techniques were applied in Layer 2 and Layer 4, and all were labor-heavy, complex processes to apply and manage.

Rather than being based on identity, isolation depended on the location of each IP address. While this was appropriate when a single machine ran a single service, or a user only interacted with one device, they aren’t appropriate for today’s mobile workforce. IP location-based isolation is no longer a solution.

Security was also unwieldy, whether it was based on location or identity. Teams struggled to determine which users should have access to different applications and systems.

Segmentation with SD-WAN: The main purpose of network segmentation is to prevent a process from navigating the entire network. A solid network segmentation strategy will effectively isolate processes so that the user is only accessing the systems and applications necessary for their task.

When implementing SD-WAN, network teams will need to sort through the segmentation features offered by the solutions they are considering. Some providers use a network-centric plan, using segmentation at Layers 3 and 4 and path isolation. Others approach segmentation with application-centric tools at Layer 7, while other providers will combine these approaches at different layers. The end goal of every strategy is simply to create barriers between the systems and the processes users need to access.

Given the prevalence of cyber security breaches, network teams should prioritize security controls when selecting an SD-WAN solution. A product that segments the network statically is not a solid security approach to the technology. Any good SD-WAN solution must have the capability to audit and mitigate security instances in real-time. Network teams should also look for the following features:

  • Deployment automation
  • Path isolation support
  • Strategies for access and authorization (a dedicated secrets vault)

Shifting from a nonsegmented network to an SD-WAN solution with a robust network segmentation strategy requires a great deal of planning and a deep understanding of your business requirements.

While no single SD-WAN platform will address every network segmentation strategy requirement your enterprise has, by understanding your network and the reasons for segmentation, you can build a solid plan. Contact us at One Connect to get started.