The more remote workers are added to business networks, the harder it becomes for IT to manage their connections back to headquarters. In order to ensure speedy and secure connections to branch offices, a WAN manager must strike a careful balance between WAN security and performance.
WAN security and performance tutorial
Table of contents:
- Prepare your WAN for more remote users
- WAN connections to remote offices
- WAN security concerns for remote users
- WAN performance concerns for remote users
- Balancing WAN security and performance
- WAN security and performance of different network infrastructures
- More on balancing WAN security and performance
Historically, enterprises have grown the number of branch offices 9% each year, Nemertes Research founder Johna Till Johnson said; however, the recession led to zero growth in 2009 and a meager 1% growth in 2010. As the economy creeps out from the recession, branch office growth should rebound to 5% in 2011, and WAN managers must be prepared to support broader remote access, Johnson said. (This excerpt was adapted from the article, WAN outlook 2011: 4G and iPads drive mobile VPN, branch office growth.)
This uptick in teleworkers will change how WAN managers should dole out bandwidth and connect their branch offices, said Nemertes Research Executive Vice President Robin Gareiss. Organizations that are smart about connecting their workers will use collaborative tools like Web and video conferencing and deploy desktop virtualization to connect employees on nearly any endpoint device (such as a personal desktop, company laptop, thin client or mobile device). While unified communications (UC) tools help management supervise employees, and virtual desktops help IT better manage security, access and application revisions, UC tools also put a strain on bandwidth. As a result, companies are turning toward WAN optimization to avoid the costs associated with buying more bandwidth.
→ You can learn more about how remote users change WAN connection and bandwidth requirements in this tip from Robin Gareiss.
To understand why the number of branch offices is increasing and how this change will affect WAN security, listen to the podcast on the trend of remote offices with Nemertes Research analyst John Burke.
Most IT budgets are not increasing very much, and prices for services like MPLS are not going to get any cheaper than they already are. Couple this trend with the increase in both telecommuters and branch offices, and it makes MPLS networks a luxury for some. Many enterprises then look to the Internet for branch office or backup connectivity.
Nemertes Research reports that roughly 26% of branches are connected to both the WAN and the Internet, supporting direct branch-to-Internet access, while 45% of branches support Internet virtual private networks (VPNs).
Gareiss explained: "Remote users in Internet VPN branches don’t always enjoy direct Internet access. In many cases, the branch is using the Internet only for VPN access back to the organization’s WAN, possibly only as a dormant backup to the primary WAN link, unused except when that link fails. Internet VPNs help enterprises virtualize by reducing the expense of having smaller branches in more remote locations, where consumer broadband may be more readily available than WAN connections."
IT should be prepared to address -- with the cooperation of security and risk management teams -- the option of using broadband Internet access as a backup for, adjunct to, or replacement for a WAN link. Traditional WAN connections may simply be more difficult to procure -- and more expensive. That added expense makes redundant WAN links harder to justify compared to a WAN link with an Internet VPN backup, or even a pure Internet branch. And of course, network engineers who use live Internet access at the branch must make sure to address WAN security issues on the spot, Gareiss said.
This shift from using traditional WAN connections to broadband and Internet VPNs requires heightened WAN security at the branch offices. Branch offices will need Internet-facing security similar to the security methods deployed in data centers: firewall, intrusion detection and prevention, content filtering and anti-malware, etc., Gareiss said. She said that branch offices containing 10 or fewer employees may need distributed security via endpoint defenses. In other branches, distributed security may require unified threat management appliances or other single-box security appliances in order to keep capital and maintenance expenditures under control.
"As MPLS and carrier Ethernet move further into enterprises, [distributed WAN security] may also mean increasing use of carrier-based security-as-a-service (SaaS) in the cloud, protecting Internet access through the cloud, direct to each branch," Gareiss said. (This excerpt was adapted from remote users change WAN connection and bandwidth requirements.)
Before you accelerate traffic to your remote users, WAN engineers and managers must first understand that speed is not just a function of bandwidth and capacity across a single network or multiple networks. Tim Scannell, Shoreline Research founder, says that WAN speed involves a variety of factors that all fall under the category of network topology, such as the distance between endpoints and linked networks. Topology is something every network engineer should think about as part of initial network design, and the work doesn't stop once a wide area network has been designed and deployed. IT managers should continue reviewing topology as the network is expanded (whether to another remote office or to a small office/home office (SOHO)) and as resources are added or shifted among the buildings of a campus.
When employees work outside a primary office, such as at home or in a branch office, enterprises have difficulty striking a balance between accelerating traffic to those offices and keeping that data secure.
"Most organizations typically have some technology in place to secure IT and network resources at each branch office, but the bulk of these security solutions are being deployed in central network locations to control and manage data that is being sent to each remote location," said TRAC Research founder Bojan Simic. Although this WAN security approach "reduces management costs, it can also reduce a company’s ability to deal directly with WAN security threats at each branch location," he said.
While more branches are considering or already using VPNs, "many organizations find it difficult to compress and accelerate Secure Sockets Layer (SSL) traffic without increasing WAN security risks and creating new management challenges. Accelerating this type of traffic creates an additional burden for Web servers because they must decrypt and re-encrypt SSL traffic, as well as process end-user requests," Simic said.
→ Expert Robin Layland explains how enterprises can accelerate encrypted traffic (like SSL) using WAN optimization in this tip.
Simic advises enterprises to do the following in order to balance WAN security and performance:
- Enhance WAN security through policy management of business-critical applications: Many organizations find it difficult to define network usage policies. While you ensure that a network usage policy protects your company's networks from malware, spyware and other WAN security and application threats, make sure the policy doesn't adversely affect the quality and consistency of the end-user experience.
- Address any WAN security and performance risks in a timely manner: Failing to respond to such risks promptly can result in lost revenue opportunities, declines in employee productivity and increased IT management costs.
- Use integrated platforms for managing both WAN security and performance: In some cases, this may be a single product; in other cases, it may be a combination of different products that have a high degree of integration. The benefits of integration predominantly include cost savings on implementation and management.
- Gain full visibility into how network capacity is being used by both the applications and the users on the network: Network visibility improves WAN performance and security. In order to achieve full WAN performance visibility, it is important to choose solutions that collect not only generic performance data but also data that is truly actionable and can be turned into the information needed to prevent performance problems before end users are affected. For example, network anomaly detection can analyze historic performance data to define dynamic thresholds for acceptable levels of performance and issue alerts every time performance falls below these thresholds. This will help you be more proactive about managing WAN security and performance.
- Automate processes for identifying performance anomalies: Most network behavior anomaly detection (NBAD) tools can define baselines through ongoing learning, which lets organizations adjust to changes in network traffic and in turn automates proactive WAN management. This improves the success rate in preventing problems while enabling organizations to manage more with less.
- Align network visibility tools with policies: The effectiveness of network anomaly detection and visibility capabilities improves if they are coupled with tools for ensuring that policies are enforced. This gives organizations the ability to have full control over WAN traffic and measure the effectiveness of initiatives.
- Match security techniques to applications: Different applications carry different security risks. Identify those risks and take specific actions to address each threat. Applications like instant messaging (IM) or peer-to-peer (P2P) sharing pose new security and performance management challenges, calling for a new set of capabilities to control this type of traffic, because their underlying technologies differ significantly from those of traditional enterprise applications. Organizations need capabilities in place that allow them to identify this type of traffic and filter these applications to ensure they don't negatively impact their networks.
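The dynamic-threshold baselining described in the visibility and anomaly-detection items above, shown as an added Python example written for this page (not code from TRAC Research or any NBAD product). It learns a rolling baseline from constructed latency samples, keeps alerted samples out of the baseline so a spike cannot raise the bar for the spikes that follow, and reports each sample that breaches the threshold:

```python
"""Dynamic-threshold WAN latency anomaly detection (illustrative, constructed data)."""
from collections import deque
from statistics import mean, pstdev

# Constructed sample: round-trip latency in ms from HQ to a branch, one value
# per polling interval. Three spikes are embedded at indices 12, 19 and 20.
SAMPLE_LATENCY_MS = [42, 44, 41, 43, 45, 42, 44, 43, 41, 44, 43, 42,
                     95, 44, 43, 42, 41, 44, 43, 120, 125]


def detect_latency_anomalies(samples, window=8, k=3.0, floor_ms=5.0):
    """Return a list of (index, latency_ms, threshold_ms) alerts.

    The baseline is the last `window` samples judged normal; the dynamic
    threshold is baseline mean + max(k * stddev, floor_ms). The floor stops a
    perfectly flat baseline from alerting on ordinary jitter, and anomalous
    samples are excluded from the baseline so ongoing learning does not
    get poisoned by the very events it is meant to catch.
    """
    baseline = deque(maxlen=window)
    alerts = []
    for i, latency in enumerate(samples):
        if len(baseline) < window:
            baseline.append(latency)  # still learning; no alerting yet
            continue
        threshold = mean(baseline) + max(k * pstdev(baseline), floor_ms)
        if latency > threshold:       # performance fell below the acceptable level
            alerts.append((i, latency, round(threshold, 1)))
        else:
            baseline.append(latency)  # only normal samples refresh the baseline
    return alerts


if __name__ == "__main__":
    for idx, ms, thr in detect_latency_anomalies(SAMPLE_LATENCY_MS):
        print(f"ALERT sample {idx}: {ms} ms exceeds dynamic threshold {thr} ms")
```

The window size, multiplier and floor are tuning knobs; a real deployment would learn them per link and per time of day rather than hard-code them.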
Simic says that in order to balance WAN security with performance, organizations must not only deploy new technologies with adequate network visibility but develop new strategies that will allow them to take a more coordinated approach when managing security and performance of data delivered over the network. This means that organizations should be focusing on the overall application delivery infrastructure (storage, networks, end-user devices, etc.) as opposed to just monitoring the network.
While Simic's best practices above apply to any wide area network, you may want more detailed advice on how to balance WAN security and performance by the type of network infrastructure and connectivity type your enterprise WAN runs on.
IT departments managing any sizable fixed-location office must decide whether to provide the office with direct connectivity to the Internet and whether to connect the office to the WAN, says Nemertes Research analyst John Burke.
If your enterprise uses the following connectivity types or branch network infrastructure, view the following tips to balance WAN security and performance:
- Backhauled branch network infrastructure: Branch office networks with direct connections to the WAN but no direct connection to the Internet are considered backhauled branch networks. With this setup, Internet traffic gets routed via the main data center or network hub, through the WAN, to the branch, which creates special WAN security and optimization considerations.
- Direct-to-net branch network infrastructure: "When IT chooses to connect a branch to both the Internet and the WAN, a direct-to-net branch is created. In a direct-to-net branch, the WAN is only for traffic headed to internal hosts. Although this considerably reduces bandwidth demands on WAN connections, it can complicate [WAN] security and optimization," Burke says.
- Micro-branch network infrastructure: A micro-branch typically consists of a small handful of remote workers who connect to headquarters via the Internet. WAN security and optimization need to be host-based because micro-branches live on the Internet and "as a defining characteristic have no network infrastructure beyond a router," says Burke.
- Virtual desktop infrastructure: If your company is using virtual desktop infrastructure (VDI) over the WAN, view this tip from Bojan Simic on the functionality your WAN performance management solution needs for VDI monitoring.
Do you have questions about balancing WAN performance and security? Then get answers from Bojan Simic in this WAN planning podcast, which addresses these questions:
- What are some of the key challenges facing companies today in terms of their WAN performance and network operations?
- How difficult is it to find a way to effectively manage WAN performance while keeping it secure for end-user organizations?
- What are some of the top technology challenges facing companies in respect to making products easy for end users to experience remotely?
- How has the increased demand for and reliance on the WAN, and on WAN security and performance, affected the policies that companies are structuring?
- Are the tools needed for proactive WAN management that are available right now adequate? Or does the industry have some work to do in terms of developing new tools?
- Do we need to have a dashboard, develop a tool or physically monitor the WAN at every moment in order to keep our WANs secure?
- Do industries vary so much that they will have to deliver corporate data and security differently?
This was first published in February 2011