SD-WAN & Security – The Best of Both Worlds?
Earlier this year, I worked on an integrated WAN & Security solution for a retail customer. The project had evolved from a loose set of requirements around WAN performance improvements and local Internet connectivity in branches, which had the incumbent provider falling over themselves with separate point solutions. One for security, another for WAN and yet another for wireless. When I joined the project, I set off down a similar path, albeit with a more modern take on security.
This customer had two main use cases for Internet connectivity in branches: downloading large update files as part of their daily operation, and providing customer Internet access. Neither was particularly well suited to their relatively small, expensive MPLS circuits, and these activities were actually causing a performance impact to other areas of the business. This customer also bought and sold franchises regularly, so carrier delays and long contracts were a significant problem for them.
Following some research, it soon became evident that SD-WAN could offer not only the performance gains and flexibility they were after, but might also alleviate the delay, and to some degree the expense, of installing new MPLS circuits. Don’t get me wrong, MPLS still had a part to play in the WAN for IP telephony and certain other QoS-sensitive applications, but hauling Internet traffic back to a central location to be fed through a basic firewall is never the most cost-effective use of premium bandwidth. Worse still, there was the problem of keeping guest traffic separated along that path.
Looking at the SD-WAN offerings out there, I was spoilt for choice. The market was, and still is, flooded with vendors, all mostly selling the dream of MPLS-like performance using Internet circuits in some configuration or other. Most of their claims I still take with a pinch of salt; some of them make sense. However, I had another requirement that few were able to meet, and only one offered a converged solution.
The SD-WAN solutions I had been evaluating were lacking most security features beyond those of the most basic firewall, which is a necessity for local Internet breakout. I’m talking about on-device web content filtering; next-generation features like malware and botnet protection also come into play. Not only for the general public using the guest network, but what about employee access? After all, companies have a responsibility to protect the public and employees from the more nefarious parts of the Internet. For the most part, I found those who offered these extra security features did so by way of third-party bolt-ons, which felt too much like an afterthought and perhaps a hidden expense.
The solution which stood out for me was the Meraki MX security appliance. I’ll be honest, up until this point I had never really taken Meraki’s security solution seriously. Their wireless offering is respectable. It may not have every feature or the ‘nerd knobs’ of a Cisco or Aruba WLC-based solution, but it does offer most of the features that the majority of people use and does a fantastic job of providing a solid and performant wireless experience. Knowing what I do now, I could probably say the same about the MX; however, I hadn’t invested the time at that point. Perhaps I was put off by the easy-to-use interface. Firewalls are supposed to be difficult, right?
The security feature set offered by the Meraki MX is particularly impressive when you list the individual services they have bundled together. If you’re acquainted with Cisco security, some of these names should already be familiar to you. Meraki have essentially taken the best of Cisco’s security portfolio and offered it all together in a single solution that you can install anywhere and manage in one convenient place.
L7 Next Generation Firewall (Application based)
Intrusion Detection System (IDS)
Intrusion Prevention System (IPS)
Web Content filtering via Cisco Umbrella (4 Billion+ URLs)
Geographic security filtering
Cisco AMP (Advanced Malware Protection) via Threat Grid, Talos & StealthWatch
Rich Analytics including Web browsing history, AD integration, Reporting
Centralised application visibility and control
Add that lot to some impressive SD-WAN features and you can see why I was so taken with the MX:
Transport-independent IPsec VPN overlay networking via MPLS, Internet, cellular
Load balancing over dual active paths with automatic failover
Centralised network visibility and control
QoS and bandwidth management with traffic shaping
Policy-based routing with traffic path based on source, destination, or application
Dynamic path selection with traffic path chosen per-application based on loss, latency, and jitter
In summary, once I scratched the surface I was pleasantly surprised by the breadth of the Meraki security offering. I had thought of SD-WAN as a beneficial feature rather than an obvious choice for a security appliance, but I have definitely seen the advantages of marrying both technologies in production.
Ask me if the MX is an SD-WAN appliance and I’d say yes, but not a dedicated one, or even the most feature-rich offering; it does, however, provide what most branch offices need. That’s the point with Meraki in my opinion: offer the useful 80% of features, the ones that people actually need, and bundle them into an easily deployable and manageable solution.
Add the very impressive security stack, mostly assimilated from Cisco’s comprehensive security portfolio, and you have a compelling reason to deploy Meraki to your branches. Consider also the recently announced cloud vMX appliance and you have the makings of a highly secure end-to-end SD-WAN solution capable of reaching into your cloud environment, that’s incredibly easy to manage and deploy anywhere.