Will networks and security converge in 2017?

We went rummaging through our fortune cookies and came up with this Yoda-like prediction for 2017: security shall networking become

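Bold predictions are in order at this time of year. Analyst Zeus Kerravala looked into his crystal ball for the networking space, and Taylor Armerding did the same for security. We went rummaging through our fortune cookies and came up with this Yoda-like one for 2017:

Security shall networking become.

What did that really mean? Our Yoda translator was of no help. Could networking replace security (or vice versa) in 2017? Should CIOs and CISOs prepare themselves for the inevitable assimilation (a nod to you aging Trekkies)? How, then, should security and networking personnel prepare for the inevitable shock?

We have our own ideas, of course, but we wanted to see what others thought as well. So we chased down a few SD-WAN vendors at the end of the galaxy for their input (killer latency, but no black holes, no packet loss, and awesome optimized routing that shortened the trip). We also unearthed a few CIO zombies from the 80s (we needed someone who might have reached Yoda) to help figure out this ominous premonition.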

Here’s what we learned.

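Does the “SD” in SD-WAN mean security disaster?

It should be clear to anyone that providing direct Internet access (DIA) to every office through SD-WAN in its full incarnation represents a great expansion of a company's attack surface. Most of the enterprises we engage with have one or at most a few regional secure Internet access hubs. Putting DIA at the branch opens the network to the full range of threats we find on the Internet: ransomware, phishing, drive-by download sites and more.

Worse, if you're like many of our customers, chances are you have very limited existing security, if any, at your branch offices. Whether they rely on MPLS or Internet-based IPsec VPNs, most companies we meet with still backhaul traffic to a secure Internet access portal at a central or regional hub. There may be no firewall, malware detection or other security facilities at the branch.

In fact, a recent survey by Dimension Data (sponsored by Versa Networks, an SD-WAN supplier) spoke to this point. The survey found that 40 percent of enterprise branches don't have even a basic stateful firewall. Half of all branches don’t have a Next-Generation Firewall (NGFW). SD-WANs and DIA at the branch represent a kind of double jeopardy. Not only do companies have more attack surface to secure, but they can’t even leverage existing tools and procedures to secure those points.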

Different approaches to networking and security

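SD-WAN vendors are well aware of the security challenges. You'll see a lot of discussion about network-layer issues: encryption, IPsec authentication and more. Segmenting the WAN isolates traffic in its own overlay, protecting the applications in the overlay from threats outside the overlay on the WAN. This is roughly the same value as isolating applications in their own virtual machines on a host. Many vendors now build a stateful firewall into their branch office appliances.

But the bigger security question is how to deliver NGFW, malware detection, IDS/IPS, URL filtering and other application-layer security mechanisms at the branch. On this point, we see vendors taking one of four approaches, and often a combination of them.

Service chaining and cloud security

At the most basic level, SD-WAN providers such as Silver Peak, Viptela and Velocloud partner with “best of breed” security vendors. (Don't read too much into any SD-WAN vendor missing here; time did not allow us to contact every company.) Service chaining allows security functions to be “stitched” together. Deep Packet Inspection (DPI) at the edge is needed to identify and direct the relevant traffic to and from the relevant security devices that are still typically, though not necessarily, centralized in the data center.

But service chaining security devices still leaves organizations backhauling branch traffic to some location for inspection. To provide DIA without having to deploy a full stack of security devices at the branch, many SD-WAN vendors are partnering with a cloud security provider, notably Zscaler and others. With Zscaler, all inbound and outbound TCP, UDP and ICMP traffic is sent to the Zscaler cloud for inspection before being forwarded to its destination.

Service chaining provides a framework to address the basic security issues, but enterprises still face the challenge of creating instances of that service across hundreds of applications, user types and sites. A high degree of policy integration and automation is needed to make that enterprise WAN management feasible. SD-WAN and security parameters should ideally be defined and delivered through one interface. The necessary tools should then be able to push those policies out across the infrastructure.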

Many leading SD-WAN providers offer those capabilities, but even then the networking and security analytics remain separate. There is no way, for example, to minimize security alert storms for security operations personnel by correlating security and networking information. The same is true of a security device detecting a DDoS attack, for example, and blocking the segment’s ingress from the relevant location. Networking and security logs can always be exported to third-party tools, but these kinds of tight analytic and control functions are still beyond the scope of most SD-WAN – security partnerships.

Native SD-WAN and security integration

With the on-premises approach, organizations are still left with all of the management and operational complexity of maintaining security infrastructure. Firewall sizing, updates and patches are still necessary. With a cloud security service, organizations still must secure non-HTTP traffic. In both cases, policy integration can be limited and analytics integration usually non-existent.

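For these reasons and more, some SD-WAN providers are going a step further and tightly coupling security and SD-WAN functions. Versa Networks uses NFV to run security functions on site at the perimeter connecting into the SD-WAN. Cato Networks runs security as well as routing functions in its cloud.

By tightly coupling security and networking together, enterprises can gain some considerable benefits. Deeper analytics over correlated security and networking logs, for example, can reduce the event load on security operations. By moving all functions into its cloud, Cato unburdens IT teams from the operational costs of separate infrastructure.

The downside? The biggest is that organizations shift from relying on “best of breed” security to players that are still relatively young. While Versa will work with third-party security devices, doing so means giving up the integrated security and networking analytics.

Security shall networking become

The lines between networking and security will blur in the coming years, at least at the technical level, but separate networking and security teams will persist for the foreseeable future. SD-WANs also offer a way for security and networking teams to collaborate better together, which may just be their greatest contribution to IT security.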
