Now that broadband Internet is becoming a regular connectivity type for enterprise wide area networks (WANs), IT organizations must learn to properly
For an increasing number of organizations, the Internet is the new enterprise WAN. Nemertes Research Group Inc. is seeing a rapid increase in interest among organizations -- across many verticals and of all sizes -- in directly connecting branch offices to the Internet. In some cases, this will mean an Internet connection that accompanies a WAN connection -- perhaps even a "split pipe" using one partition on an MPLS link for WAN access and another for access to the Internet via the carrier's cloud rather than the WAN and data center.
In other cases, Internet access will be the only network link. Some Internet-only branches use the Internet link solely to host VPN connections back to the WAN; others use it to provide that VPN link and direct access to the Internet without backhauling traffic through a data center; still others use the link only for that broader Internet access, and users in such a branch reach out to company resources as though they are any other user on the Internet.
Assuming the Internet link isn't just hosting a VPN connection, IT has to plan how to secure the branch office to protect it from Internet threats. There are three ways to approach branch office Internet security: using an on-premises appliance, using cloud services and using a hybrid approach. The first take-away here is that IT should use the whole connection for an Internet VPN until it has a tested security solution ready to deploy.
Secure the Internet-connected branch through appliances
The appliance model's main advantage is that IT already knows how to do this -- and already having all the skills on tap is no small advantage. Nearly as important is that this is an effective and straightforward way to approach the problem.
The main disadvantage of the appliance model arises when IT cannot rely solely on the security features integrated into its router and instead has to put a dedicated appliance at every location. This adds capital and operational costs and increases the complexity of the branch infrastructure, which heightens the risk of outages through misconfiguration and equipment failures. These costs can be mitigated by using virtual appliances if a hosting environment is available and capable of accommodating the load.
Our advice here: IT should not deploy an appliance-based solution without strong central management that is policy-driven and highly automated. If IT has to manage it on a box-by-box basis, an appliance-based strategy is hard to scale past a handful of sites. Look for solutions that address a broad range of security threats, and see whether you can integrate security with routing, management or some other function.
Secure the Internet-connected branch with the cloud
The cloud option shifts security screening into someone else's stack of network gear, generally your connection provider, but possibly a third party. In the split-pipe scenario, it's the MPLS provider, for example.
On the plus side, there are no boxes in the branch so this strategy keeps the branch nimble and lightweight. Short start-up times (sometimes these services can be fired up on demand), easy portability and no capital investment make it an agile solution.
On the minus side, most IT shops are not familiar with this security model and will need to develop a certain level of expertise in making sure it actually fulfills the organization's security requirements. Also, IT has less control over security and less visibility into how it is being achieved. Lastly, the option is often not available: Only some carriers and a few third-party service providers offer "firewall in the cloud" and other cloud-based branch protection services.
Advice: IT should consider cloud security and, if the organization's security policy and risk management guidelines allow, look for and test vendors that can meet its needs. One advantage is that this is usually pay-as-you-go; sometimes you can even "try before you buy." Plus, it's easy to turn on and off, so piloting with more than one provider is easy.
Secure the Internet-connected branch using hybrid solutions
The hybrid approach combines the features of both appliance and cloud solutions. A box onsite provides localized services but reaches out to a cloud provider for management and updates and even additional layers of functionality. For example, the appliance can ask the cloud service to evaluate a URL it sees for the first time.
On the plus side, cloud management reduces operational costs while local boxes improve processing performance and perhaps make it easier to deal with localized security requirements.
On the minus side, this model relies on cloud services, and disruptions to those services may degrade or eliminate their utility temporarily. It also puts a box on every site, which adds to the equipment stack in each branch. Some providers completely operationalize the cost -- where the box is a piece of the service -- but not all of them, and sometimes IT has to buy the appliances.
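The hybrid flow described above (a local box that caches verdicts and asks the cloud only about URLs it sees for the first time), together with the cloud-outage failure mode just noted, as an added Python sketch that is not code from the article or any vendor product; the cloud service, URLs, verdicts and outage policy are constructed stand-ins:

```python
"""Hybrid branch appliance: local verdict cache plus cloud reputation lookup.
The cloud dependency is the failure mode the article names, so the lookup
carries an explicit policy for a cloud outage instead of guessing.
Constructed example: names, verdicts and the fake cloud are not real products."""
import time
from dataclasses import dataclass, field
from typing import Callable

ALLOW, BLOCK = "allow", "block"


class CloudUnavailable(Exception):
    """Raised by the cloud client when the reputation service cannot be reached."""


# Constructed stand-in for a cloud reputation service (a real one is a network call).
CONSTRUCTED_CLOUD_VERDICTS = {
    "https://intranet.example.test/portal": ALLOW,
    "http://bad.example.test/login": BLOCK,
}


class FakeCloud:
    def __init__(self, verdicts, online=True):
        self.verdicts, self.online, self.calls = verdicts, online, 0

    def evaluate(self, url):
        self.calls += 1
        if not self.online:
            raise CloudUnavailable(url)
        return self.verdicts.get(url, BLOCK)  # constructed policy: unknown URLs blocked


@dataclass
class HybridAppliance:
    cloud: FakeCloud
    ttl: float = 3600.0              # seconds a cloud verdict stays fresh locally
    fail_closed: bool = True         # outage policy for URLs with no cached verdict
    cache: dict = field(default_factory=dict)   # url -> (verdict, expiry)
    clock: Callable[[], float] = time.monotonic

    def decide(self, url):
        now = self.clock()
        hit = self.cache.get(url)
        if hit and hit[1] > now:     # fresh local verdict: no cloud round trip
            return hit[0]
        try:
            verdict = self.cloud.evaluate(url)   # first-seen (or expired) URL
        except CloudUnavailable:
            if hit:                  # a stale verdict beats guessing during an outage
                return hit[0]
            return BLOCK if self.fail_closed else ALLOW
        self.cache[url] = (verdict, now + self.ttl)
        return verdict
```

With `fail_closed=True` a cloud outage degrades the branch to "known-good only", which is the degraded-utility case the article describes; `fail_closed=False` keeps users working at the cost of screening first-seen URLs.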
Advice: If your organization is OK with cloud security, IT should look into hybrid solutions as a way to optimize performance, especially for large branches.
Most companies with lots of locations are going to become hybrids of WAN- and Internet-connected branches. IT needs to begin assessing its options for how to secure branches with direct access to the Internet and should consider appliance, cloud, and hybrid approaches.
This was first published in July 2012