Controlling Network Access in an SD-WAN World


Why SD-WAN? Why Now?

The rise of Software-as-a-Service (SaaS) and cloud services is resulting in decentralized data traffic flows, in turn rendering the traditionally expensive Multiprotocol Label Switching (MPLS) inefficient for wide area network (WAN) transport. This has prompted a change in networking architecture and the means of controlling network access.

MPLS vs. SD-WAN diagram

The emergence of software-defined WAN (SD-WAN) in response to rising cloud adoption is significant because it promises to deliver reduced cost and enhanced performance and availability.

This is a trend that is unlikely to go away. In fact, it’s set to intensify. According to Gartner, SaaS and Infrastructure-as-a-Service (IaaS) will grow at 17% and 27%, respectively, through 2022. Both are key drivers of SD-WAN adoption in that time.[1]

The Impact of SD-WAN on Networking & Network Security

Today, organizations can leverage SD-WAN technology to implement software-defined branch (SD-branch) as a way of extending IT environments to any of their branches outside of headquarters that require high-quality network connectivity.

For retailers, hospitality groups (hotels, restaurants, etc.), commercial banks and other large distributed organizations, SD-branch is particularly useful as it utilizes SD-WAN technology to simplify a branch’s IT architecture – reducing the resources and budget needed to maintain operations.

Sample SD-branch diagram

Branches are typically more at risk of network threats than organizational headquarters because they’re inherently understaffed or underserved from an IT standpoint.

To combat this, the SD-branch approach is to have security functions present in the IT devices at the branch so that data transmitted from the branch to another node in the WAN is as secure as other parts of the network from square one, instead of waiting until the data reaches security tools outside the branch. It’s like locking a house’s front door instead of just the bedroom doors.[2]

Controlling Network Access in an SD-WAN World

The rise of BYOD, mobile workforces and IoT has driven an exponential increase in the number and types of devices that can connect to today’s corporate networks. Securing and protecting these devices – particularly agentless IoT devices – is a core principle and best practice in cybersecurity.

Today, device segmentation (especially for IoT) has evolved to become the only effective option for network defense, as it enables organizations to protect themselves against lateral movement and to detect network breaches faster. Executing this requires that a network access control solution be deployed – one that can not only control port security, but also segment the network by the type of device or its user.

Traditionally, network access control has necessitated a connection to the organizational headquarters, with an appliance deployed at each branch. This has historically limited the use of SD-WAN / SD-branch technologies.

Side-stepping these limitations has required innovation in network access control. The logical next step in the evolution of network security is for organizations to be able to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and ongoing maintenance. Now, all that’s needed to control network access at branches and the headquarters alike is an internet connection.

With Portnox CLEAR, organizations gain unprecedented network visibility and continuous risk monitoring of endpoints across all access layers – no matter device type or branch location. All from the cloud with no on-premise components.

Here’s how it works…

Portnox CLEAR architecture diagram

[1] SD-WAN is Killing MPLS, So Prepare to Replace it Now, Gartner (2018)

[2] What is SD-Branch?, SDXCentral (2019)

