Still Backhauling All Internet-Bound Traffic To Your Data Center?

A long-held tradition of enterprise security professionals is to inspect everything. Not a bad practice, really. But deciding that no traffic can enter or exit the organization’s network without being inspected does have a tendency to introduce some interesting challenges with regard to network design.
Imagine that you have 100 branch offices. To perform enterprise-grade inspection on traffic that is leaving each of these 100 offices bound for the Internet, you traditionally have two options:

  1. Install an expensive, complex security appliance at every one of these 100 branch offices. Practically speaking, this will almost never be a viable option.
  2. Send all traffic back to the primary data center to be inspected by the main security appliances before egress. For economic and operational purposes, this has been the choice for most distributed enterprises.

While Option #2 is certainly an improvement over Option #1, it still leaves room for improvement. The impact to end-user experience when using Option #2 can be negative to say the least. And it limits the options as far as bandwidth available to the branch. Option #2 (commonly referred to as a hub-and-spoke model) simply wasn’t designed with the cloud in mind.

Cloud-First Branch Networks

Perhaps a better security model for the branch is one that we’re starting to see emerge in a more cloud-centric world: the Cloud Firewall (the service may cover more than just firewalling, but for simplicity’s sake I’ll use firewall as an example). Rather than sending traffic back to the primary DC before going out to the rest of the world, traffic from all sites is sent to a third-party cloud service with geographical omnipresence. In other words, the cloud firewall provider likely has a data center in much closer proximity to your branch than you do. A few important benefits of using a cloud-based firewall service like this are:

  • Because the cloud firewall is probably located closer to the end-user than an organizations primary data center, the end user experience is positively impacted compared to sending the traffic back to HQ
  • It becomes possible to use cheap and prolific Internet circuits as opposed to more expensive and harder to maintain leased lines.

Other Branch Management Challenges

At scale, configuring infrastructure-wide policies across many sites is cumbersome, time-consuming, and error prone. In the 100-site example used above, making changes to a company policy could require manual updates to 100 different devices. If each change takes an administrator about 10 minutes to complete (a reasonable assumption), then making this simple change would take 2 days of uninterrupted work for a network administrator to complete. Moreover, there’d be an assumption that he or she could complete all 100 updates with no errors.
The answer to this branch challenge is something called SD-WAN. Simply put, SD-WAN is software intelligence that does the all of the control plane leg work for you based on policies. You tell the controller “I want to disallow access to Facebook for all users between the hours of 8 AM and 5 PM local time” and the controller hauls off and makes the required changes to any applicable device.
Because SD-WAN simplifies network policy configuration and management, leveraging it makes businesses more agile. Also, because it makes it easy to intelligently utilize multiple different network paths, in can increase performance while decreasing cost. Finally, the decreased operational overhead results in lower operational costs per branch.

SD-WAN and Cloud Security: A Beautiful Marriage

Riverbed and Zscaler have recently announced a partnership that leverages technology from both organizations to solve both the WAN management problem (via Riverbed’s SteelConnect platform) and the branch security challenge (via Zscaler’s Cloud Security platform).
SteelConnect provides unified connectivity and orchestration spanning WAN, WLAN, cloud, and data centers, offering enterprises the ability to scale elastically to enable rapid deployment of configuration changes, updates or policy modifications without impacting performance or requiring application refreshes.
And Zscaler operates a massive, global cloud security architecture, delivering the entire gateway security stack as a service. By providing fast, secure connections between users and applications, regardless of device, location, or network, Zscaler is transforming enterprise security for the modern cloud era.

Riverbed/Zscaler Table
Table 1: The harmony between SteelConnect and Zscaler

Now, SteelConnect users can connect to and manage all of their threat prevention, access control, and inline data protection with Zscaler from right within their SteelConnect console, which they’re already using for WAN optimization, path control, and centralized policy. The table above summarizes how the two services are very complementary.

Video Walkthrough

Here’s a great video from Riverbed that walks you through this partnership and why it’s helpful!