
Evolve WAN security architectures to keep from accelerating malware

WAN security architectures must evolve to keep pace with workplace trends. Use these tips to make sure WAN optimization isn't accelerating malware.

IT professionals are under constant pressure to refine their WAN security architectures. They need to support and enhance employee productivity, while protecting against an increasing number of sophisticated threat vectors -- and do all that without significantly increasing costs.

Why should your WAN security architecture change?

Several trends now make it timely to conduct a wholesale overhaul of WAN security architectures. The first is the shift in employee location and behavior: branch offices hold fewer employees per site, and teleworking continues to grow as new collaboration tools and mobile applications make it easier to work virtually. Also, almost 70% of companies use bring-your-own-device (BYOD) purchasing models to some degree, forcing security staffs to think in terms of protecting and managing corporate data rather than devices.

Second, companies continue to increase their use of cloud-based solutions, with roughly a quarter to a third of organizations using Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) cloud solutions. This shifts network traffic flows from circulating internally (from user to enterprise data center) to traveling externally (from user to cloud). As a result, many organizations are replacing their backhauled branch network architecture with direct-to-net branch networks.

The upshot? IT professionals need to consider alternative approaches to providing pervasive, policy-based WAN security.

Combining WAN optimization and security on-premises

One promising alternative is to combine WAN optimization with security at the branches.

This requires completely revisiting the traditional approach to providing Internet connectivity to branch sites. In the traditional, backhauled-branch approach, MPLS services provide site-to-site connectivity, WAN optimization controllers sit at each branch, and all Internet-bound traffic is hauled back across the private WAN. Security, meanwhile, is handled at the data center by enterprise-grade gateways that provide functions like firewalling, network intrusion prevention, antivirus/anti-spam (AV/AS), VPN, content filtering and data leak prevention (DLP). One caveat: MPLS isolates a customer's traffic from other customers' traffic, but it does not encrypt it, so confidentiality on the private WAN still depends on a VPN or link encryption.

The upside to this approach is that it provides consistent security to all sites, because every Internet-bound flow passes through a single inspection point, and IT remains firmly in control of implementing policy changes.


However, there's a downside: cost. IT has to cover the hard-dollar cost of appliance purchases in the branches and security appliances in the data center (plus annual software maintenance), as well as the internal operational (human) cost of managing and maintaining the appliances. Finally, enterprises are paying transport and service costs for Internet and cloud-bound traffic twice: once to backhaul across the WAN and again to transport traffic across the Internet.

The solution? Begin to move toward a direct-to-net approach. With this architecture, companies consolidate functionality into a single branch device that combines WAN optimization features with the traditional security functions listed above and unified threat management (UTM). They route traffic to its ultimate destination via the most direct path: Internet traffic out to the cloud, and data-center traffic back across the private WAN. The ordering inside that device matters: once branch traffic no longer passes through the data-center gateways, inspection has to happen at the branch, and it has to be applied to the clear, de-duplicated traffic rather than to the compressed or cached stream, or the optimization simply delivers malware faster. Vendors like Blue Coat, Cisco, Juniper, Riverbed and others are headed down the path of providing such devices.

WAN optimization and security as a service

That said, this still leaves IT professionals managing on-premises devices -- with all the headaches that entails. The longer-term solution will be WAN optimization and security as a (combined) cloud service. Although many carriers offer separate Optimization as a Service and security services, they haven't yet made the leap to offer a consolidated solution. And carriers are still loath to permit customers to modify configurations within their networks, which means that IT professionals lose a certain degree of responsiveness and control when moving to these services.

But, combined WAN security cloud services are emerging and evolving. Nemertes Research predicts that they'll be widely available within 24 months to 36 months. In the meantime, IT professionals should explore the use of branch-based WAN optimization and security as a way to future-proof their architecture.

For more information, see the WAN security and performance tutorial.

This was last published in March 2013
