As the geographic spread of employees expands and their connections back to headquarters evolve, IT managers must understand how to optimize and secure corporate branch networks. This article explains how to speed up and secure the network infrastructure of backhauled branch office connections -- branch networks without a direct connection to the Internet and with direct connections to the wide area network (WAN). To skip ahead to other parts of this article series, use the table of contents below:
- Security and optimization for backhauled branch network infrastructure
- Security and optimization for direct-to-net branch networks
- Security and optimization for micro-branch networks
With nearly 90% of companies operating a virtual workplace and large percentages of employees working away from their home office or the primary data center (if there is one), IT must support ever-increasing numbers of remote and virtualized workers. So, when creating or renewing the branch network infrastructure, organizations must pay close attention to shifting IT architectures, staff usage habits and performance expectations.
With fixed-location offices of any significant size (more than 10 employees, say), IT must decide whether to provide the office with direct connectivity to the Internet and whether to connect the office to the WAN (for organizations large enough to have one, that is).
In this article, we'll examine branch office networks without direct connection to the Internet and with direct connections to the WAN. In these backhauled branch networks, all Internet traffic gets routed via the main data center or network hub, through the WAN, to the branch. With this approach, branch network designers need to consider both security and optimization.
IT should assume that centralized firewalls, malware filters and IDS/IPS systems have screened Internet traffic going to the branch. Branch network security devices should focus on the branch itself -- i.e., protecting computers there (including servers, if there are any) from one another. Desktops remain the main vector for malware infections and security breaches. If removable media or a Trojan webpage infects one desktop, IT must make sure others aren’t immediately in danger. The success of attacks like Conficker in subverting host defenses makes network security a necessary adjunct to host-based security.
So, if the organization is using network access control (NAC), backhauled branch network closets should be hosting some of the NAC equipment. If NAC is not on the menu:
- The simplest (but most extreme) solution is for IT to simply block all direct inter-desktop communication. For example, some organizations assign a separate VLAN to each desktop system, forcing any traffic headed from desktop to desktop to go through a router -- which can do basic filtering -- and possibly other gear, such as an IDS/IPS system, firewall or unified threat management (UTM) box.
- More permissive organizations can set switch ACLs to allow systems to speak to one another, but only over specific, approved ports and protocols.
IT may also have to protect each branch from other branches. Although any organization with a traditional hub-and-spoke WAN should be watching and filtering the WAN at its center(s) for malicious traffic, the rise of any-to-any WANs built on MPLS renders this steadily less sufficient.
The backhauled branch network stack should also -- to whatever degree is dictated by overall policy -- provide a logging/auditing point for tracking use of the network. The branch router is a natural place to log traffic patterns and watch for anomalous behavior: if a PC is taken over and turned into a spam-spewing zombie, or starts trying to infect other PCs, this is where IT can see it.
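The following is an added example (not from the original article or any vendor product) that ties together the two points above: it audits constructed flow records, of the kind a branch router would export, against an assumed approved inter-desktop port list, and flags hosts that fan out across many desktops or emit bursts of direct SMTP. The subnet, port list and thresholds are assumptions chosen for the example.

```python
"""Branch-router flow audit: flag desktop-to-desktop traffic outside the
approved port list and spot hosts behaving like spam zombies or worms.
Added example; the flow records below are constructed, not real logs."""
from collections import defaultdict

# Assumption: the only approved desktop-to-desktop protocols are RDP (for
# helpdesk remote assistance) and raw printing to a shared desktop printer.
APPROVED = {("tcp", 3389), ("tcp", 9100)}
DESKTOP_NET = "10.20.30."   # constructed branch desktop subnet
SCAN_FANOUT = 5             # distinct desktops contacted before an alert
SMTP_BURST = 5              # direct port-25 flows from one host before an alert

# Constructed flow records: (src, dst, proto, dst_port)
FLOWS = [
    ("10.20.30.11", "10.20.30.12", "tcp", 9100),   # print job, approved
    ("10.20.30.11", "10.20.30.13", "tcp", 445),    # SMB desktop-to-desktop
    ("10.20.30.14", "198.51.100.7", "tcp", 443),   # web via data center, ignored
] + [("10.20.30.15", f"10.20.30.{i}", "tcp", 445) for i in range(20, 27)] \
  + [("10.20.30.16", f"203.0.113.{i}", "tcp", 25) for i in range(1, 8)]


def is_desktop(ip):
    """True if the address belongs to the branch desktop subnet."""
    return ip.startswith(DESKTOP_NET)


def audit(flows):
    """Return (policy violations, behavioural alerts) for a batch of flows."""
    violations = []
    fanout = defaultdict(set)   # src -> set of desktops it touched unapproved
    smtp = defaultdict(int)     # src -> count of direct SMTP flows
    for src, dst, proto, port in flows:
        if is_desktop(src) and is_desktop(dst) and (proto, port) not in APPROVED:
            violations.append((src, dst, proto, port))
            fanout[src].add(dst)
        if is_desktop(src) and proto == "tcp" and port == 25:
            smtp[src] += 1
    alerts = [f"{h} scanned {len(t)} desktops on unapproved ports"
              for h, t in fanout.items() if len(t) >= SCAN_FANOUT]
    alerts += [f"{h} sent {n} direct SMTP flows"
               for h, n in smtp.items() if n >= SMTP_BURST]
    return violations, alerts


if __name__ == "__main__":
    found, raised = audit(FLOWS)
    print(f"{len(found)} policy violations")
    for line in raised:
        print("ALERT:", line)
```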
Of course, security is only half of the picture; performance is the other. When user demands push past the performance or capacity limits of the existing WAN, IT has three choices: re-engineer systems to reduce demand, upgrade connections or use optimization to make the most of existing bandwidth.
Optimization focused on caching and compression of file, backup and Web traffic is often critical to ensure that capacity is available for other applications. Likewise, traffic prioritization, shaping and conditioning ensure that bandwidth goes first to the applications the organization prefers and that the link behaves as well as possible (e.g., by mitigating packet loss or adjusting each stream's packet sizes to accommodate the needs of other applications). Protocol acceleration makes LAN-friendly applications stop treating the 3 Mb WAN link like a 100 Mb LAN connection; these accelerations typically work by cutting out round trips between clients and hosts.
IT can provide these functions using appliances in the backhauled branch network connecting back to appliances in the main data center. Sizing the appliance to balance capacity and budgetary needs is the main challenge. Also, many carriers and service providers now offer optimization as a service on WAN or Internet links.
Next in this article series is how to secure and optimize direct-to-net branch networks.