One of the biggest challenges for organizations adopting SD-WAN is that issues like provisioning, meshed VPN, and the complexities of managing multiple network edges can quickly become more of an IT burden than originally anticipated. For example, workflows such as cloud connectivity or tying security enforcement to specific connections can be time-consuming, especially when they need continuous management and configuration adjustments.
This is especially challenging for those organizations that have had to deploy a variety of security tools and point products as an overlay to compensate for the lack of security included in their SD-WAN solution. This can quickly lead to infrastructure complexity, which not only increases manageability burdens but also creates defensive gaps at the network edge.
To address these challenges, centralized orchestration and automation can be leveraged to make workflows more efficient without human intervention. They not only eliminate complexity and simplify network operations, but also contain costs, improve efficiency, and reduce risk.
However, while many vendors are rushing to add orchestration functions to simplify the day-to-day operations of managing a broad SD-WAN deployment, it is important to understand that orchestration and automation are really only as useful as the SD-WAN components they are able to see and manage.
An orchestrator that focuses only on the network side of an SD-WAN deployment, but is unable to address the full range of security functions that any SD-WAN deployment requires, can still leave organizations open to unnecessary levels of risk. It cannot correlate configurations and policies between critical networking and security functions, nor can it address the security gaps that arise when security and networking are not tightly synchronized. It can also make compliance difficult to achieve or demonstrate.
What’s needed is an orchestration tool that is able to truly eliminate disaggregated branch infrastructure complexity by consolidating and automating the management of both networking and security tools. This approach not only reduces an organization’s attack surface, but also better enables digital innovation while simplifying operations for networking teams.
The first area that an effective orchestration system needs to address is the time it can take to roll out SD-WAN deployments – especially when dozens or hundreds of branch offices need to be upgraded from their traditional edge router and firewall configuration. Provisioning an SD-WAN solution – especially when security needs to be deployed as an overlay solution – can be expensive and time-consuming, not to mention the overhead costs required for the ongoing management of separate systems.
An effective orchestration system should allow an SD-WAN solution to be pre-provisioned with a phone-home connection. Once plugged in at the branch, the device should immediately connect to the main office over a broadband connection, where it can be remotely configured by the orchestration system. This not only reduces the time to deploy a solution to minutes, but also ensures that networking and security policies and configurations are synchronized not only with each other, but also with the larger set of policies governing all SD-WAN deployments.
In larger deployments, automation plays a critical role in ensuring that SD-WAN connectivity functions optimally. For example, automation can ensure that security is consistently applied and enforced, especially when coupled with APIs that ensure broad interoperability across solutions. Rather than deploying siloed security solutions at each branch, security needs to be integrated seamlessly across every branch and remote office location to prevent, detect, and respond to threats in real time.
Automation is also vital to enabling single-click multi-cloud connectivity for enhanced application performance. To achieve this, network and security engineering teams require visibility across the entire attack surface, all from one location. But because of the speed and sophistication of today’s threats, they also require automation to ensure that connections are properly protected.
Another challenge is the detection of a network breach. Dwell times for undetected malware are measured in months, and automation is needed to reduce the window between a network breach and its detection and remediation. A central orchestration system that can see and correlate threat data collected from all remote locations can reduce detection and remediation time to minutes. This is achieved by coordinating policy-based automated response actions across the distributed environment and by leveraging threat-intelligence automation and security workflows.
Meshed VPN is another critical area that can overwhelm limited IT resources if it is not automated. VPN complexity grows rapidly as new branch offices are brought online and need to be interconnected, since every new site in a full mesh needs a tunnel to every existing site. A central orchestration system should be able to manage meshed VPN deployments to ensure availability and eliminate configuration errors. It should also be able to realign resources based on traffic volumes and other metrics.
Some branch offices, for example, can be designated as hubs based on size, bandwidth, and traffic, and less active branch offices in a particular region can then interconnect through their local hub rather than directly with each other. These hubs can then connect to each other to efficiently move traffic between regions. This approach can significantly reduce the complexity of a meshed VPN model and can be modified dynamically as the functions of branch offices evolve.
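The hub-and-spoke model described above, worked through as an added example (not Fortinet's code or any product's API): it compares the tunnel count of a full mesh with that of a regional hub design, selects one hub per region using an assumed rule (highest provisioned bandwidth, ties broken by observed traffic), and builds the tunnel plan that an orchestrator would have to push out. Branch names, regions and numbers are constructed sample data.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Branch:
    name: str
    region: str
    bandwidth_mbps: int    # provisioned WAN bandwidth (constructed sample values)
    traffic_mbps: float    # observed average traffic (constructed sample values)


def full_mesh_tunnels(branches):
    """Every pair of branches gets its own tunnel: n*(n-1)/2 tunnels in total."""
    return [(a.name, b.name) for a, b in combinations(branches, 2)]


def pick_hubs(branches):
    """Assumed hub rule: per region, the branch with the most bandwidth, then most traffic."""
    hubs = {}
    for b in branches:
        cur = hubs.get(b.region)
        key = (b.bandwidth_mbps, b.traffic_mbps)
        if cur is None or key > (cur.bandwidth_mbps, cur.traffic_mbps):
            hubs[b.region] = b
    return hubs


def hub_and_spoke_tunnels(branches):
    """Spokes connect only to their regional hub; hubs form a small full mesh among themselves."""
    hubs = pick_hubs(branches)
    tunnels = [(b.name, hubs[b.region].name) for b in branches if b is not hubs[b.region]]
    hub_list = sorted(hubs.values(), key=lambda h: h.name)
    tunnels += [(h1.name, h2.name) for h1, h2 in combinations(hub_list, 2)]
    return hubs, tunnels


# Constructed sample: eight branches in three regions.
SAMPLE = [
    Branch("nyc", "US", 1000, 420), Branch("chi", "US", 500, 120), Branch("aus", "US", 200, 40),
    Branch("lon", "EU", 1000, 380), Branch("par", "EU", 500, 90), Branch("ber", "EU", 300, 60),
    Branch("sgp", "APAC", 800, 210), Branch("syd", "APAC", 300, 70),
]

if __name__ == "__main__":
    mesh = full_mesh_tunnels(SAMPLE)
    hubs, plan = hub_and_spoke_tunnels(SAMPLE)
    print(f"full mesh: {len(mesh)} tunnels; hub-and-spoke: {len(plan)} tunnels")
    print("hubs:", {region: hub.name for region, hub in hubs.items()})
    for src, dst in plan:
        print(f"  tunnel {src} <-> {dst}")
```

Re-running `hub_and_spoke_tunnels` after a branch's bandwidth or traffic changes yields the realigned plan, which is the dynamic modification the text describes.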
Simplifying SD-WAN operations is core to making its implementation and expansion successful. By combining the management and orchestration of SD-WAN's networking and security functions, an organization can realize a number of critical benefits.
To start, a single, intuitive management console simplifies provisioning and ensures that policies and device information are configured and updated centrally across all branches and locations. This reduces operational complexity not only at the branch but also across the entire distributed organization. At the same time, a centralized orchestrator that can track real-time threat activity, perform risk assessment, detect potential issues, enable compliance, and mitigate problems is crucial, especially for highly distributed SD-WAN environments.
Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.