SD-WAN is an emerging solution for branch offices that enables them to connect directly to the Internet instead of always backhauling traffic through headquarters servers. This makes it easy to establish local Internet breakouts and gives branch office users quick, efficient access to cloud applications and services, like Office 365. According to Gartner, 40% of enterprises are expected to adopt SD-WAN by the end of 2019.
Security Implications
While SD-WAN greatly improves agility and simplifies branch IT, direct connection to the Internet means these branches are exposed to security risks. Branch offices cannot replicate a full security stack due to resource and footprint constraints, and prohibitive costs. Some organizations address this problem by putting in “ad hoc” security appliances, but struggle to scale their security architecture as the branch office grows.
Current SD-WAN solutions offer some basic firewalling capability, but that alone is not sufficient, especially with the growing sophistication of today’s cyberthreats. If a branch office is breached, it becomes a launch pad for threats to move laterally into an organization’s headquarters or datacenters. Embarking on SD-WAN deployments without planning for the security needs of today and tomorrow could compromise your business and leave your organization vulnerable to threats and data breaches.
Simple, Scalable, Foundational Security Using Infrastructure You Already Rely On
Let’s take a step back and think about the one network infrastructure element that you already rely on for connectivity, but forgot you had. The answer is quite simple – DNS, DHCP and IPAM. DNS is the foundation of every network conversation. Without it, your SD-WAN branch office loses connectivity to the Internet. Users lose access to email, VoIP and business applications. And because DNS is critical for connectivity, it is ubiquitous in networks – be it in headquarters, datacenters or branch offices. What’s less widely known is the fact that security controls can be implemented on DNS infrastructure easily and at scale. Let me explain.
A physical or virtual DNS appliance can leverage millions of threat indicators and block resolution of domains associated with ransomware, exploit kits, APTs, and other types of threats, effectively stopping malware in its tracks and preventing its spread. If putting DNS appliances in a branch is not feasible, you can easily route your DNS traffic to a SaaS-based DNS security solution that detects and blocks threats in the cloud. This foundational security approach allows you to secure your SD-WAN branches in a simple and cost-effective way, without deploying a full security stack. In addition to malware, you can detect advanced threats like data exfiltration, DGA, Fast Flux, fileless malware and zero-day threats by combining high-accuracy reputation feeds with machine-learning-based analytics.
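The sketch below is an added example, not Infoblox code: it shows how a resolver-side policy can decide on each branch query by matching the name and its parent domains against a threat feed, then applying a simple entropy heuristic as a stand-in for DGA analytics. The feed entries, log lines, function names and thresholds are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data: a tiny threat feed and branch resolver log lines.
BLOCKLIST = {"malware-c2.example", "exploit-kit.test"}
QUERY_LOG = [
    "2019-03-01T10:00:01Z branch-07 10.7.0.21 outlook.office365.com",
    "2019-03-01T10:00:02Z branch-07 10.7.0.33 cdn.malware-c2.example",
    "2019-03-01T10:00:03Z branch-12 10.12.0.5 xk2j9qzv7wq1m4tb8hr3.example",
    "2019-03-01T10:00:04Z branch-12 10.12.0.5 notmalware-c2.example",
]

def blocklist_match(qname, blocklist=BLOCKLIST):
    """Return the listed domain covering qname (itself or a parent), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries, not substrings
        if candidate in blocklist:
            return candidate
    return None

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def looks_generated(qname, min_len=16, min_entropy=3.8):
    """Heuristic (assumed thresholds): a long label with near-random characters."""
    labels = qname.lower().rstrip(".").split(".")
    return any(len(l) >= min_len and label_entropy(l) >= min_entropy for l in labels)

def evaluate(line):
    """Turn one log line into a verdict that names the branch and client."""
    _ts, site, client, qname = line.split()
    hit = blocklist_match(qname)
    if hit:
        action, reason = "block", "listed:" + hit
    elif looks_generated(qname):
        action, reason = "flag", "dga-like label"
    else:
        action, reason = "allow", ""
    return {"site": site, "client": client, "qname": qname, "action": action, "reason": reason}

if __name__ == "__main__":
    for entry in QUERY_LOG:
        print(evaluate(entry))
```

Matching on whole labels is what keeps `notmalware-c2.example` from being blocked by the `malware-c2.example` entry while still covering subdomains such as `cdn.malware-c2.example`.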
BloxOne™ Threat Defense from Infoblox provides this simple, cost-effective security using DNS as a first line of defense. In addition to blocking threats, BloxOne Threat Defense allows you to get more information about the infected devices using IPAM and DHCP fingerprint information, and automatically notify the rest of the security stack about incidents, significantly reducing MTTR (mean time to respond/remediate). Benefits of the solution include:
- Same scalable foundational SaaS-based security for HQ, datacenter and SD-WAN branch offices
- Single console to manage and see infected devices whether in HQ, datacenter or SD-WAN branches
- Enrichment of security ecosystem with DDI data
- Faster incident response with ecosystem integrations
To learn more, read the datasheet.