As enterprises modernize their IT infrastructure to meet evolving business demands the conversation of security is always top of mind. More and more companies are now managing a distributed enterprise, with remote offices and branches that are forcing them to move away from a highly centralized IT model to one that extends to the edge. How will your security strategy have to evolve to meet these new security demands as you’re now securing more than just the perimeter? As one of the emerging leaders in SD-WAN technology, we looked at some tips from Fortinet on this topic. Check out these key requirements for distributed enterprise firewall security.
Effective protection of enterprise data and applications comprises a number of successive security measures:
- First, users must be identified, authenticated (preferably via 2-factor authentication, using both password and token), and checked for authorization to access the requested data, applications, or URLs.
- Throughout the session, the user’s pattern of behavior should be checked against known intrusion-prevention techniques, with any anomalies flagged or logged for later analysis as required.
- Due to the existence of zero-day exploits, social engineering, and polymorphic viruses, to name but a few of the tactics employed by cybercriminals, intrusions and malware will still occasionally slip through. When they do, it is essential to minimize the time taken to detect them, so they can be dealt with swiftly and efficiently.
- Finally, the network administrator needs to be alerted to the nature and potential impact of any detected threat, and any infected systems need to be quarantined and cleaned.
In most large organizations, the majority of these security measures will already be applied centrally, but as we’ve just seen, with the recent proliferation of wireless access, this is no longer effective. Unless a common unified security policy can be applied to all new points of access, wired and wireless, wherever they may be throughout the distributed enterprise, the risk of leaving open an unguarded back door remains unacceptably high.
There are two main connectivity challenges for the distributed enterprise. The first is to provide a user access experience that is both consistent and transparent. The second is to interconnect remote sites in such a way as to meet the first challenge without over-reliance on expensive private-circuit WAN services.
- Consistent, Transparent User Access
Fundamental to any distributed enterprise security solution is the provision of flexible wired and wireless connectivity options that can scale as new equipment and personnel are added or moved from one location to another
Authentication aside, all network access needs to be transparent to the user. Whether querying the customer database or making an IP voice call, response times need to be as fast and reliable via Wi-Fi as via Ethernet.
With Wi-Fi speeds soon to exceed 1.3 Gbps and most large organizations now embracing “bring-your-own-device” (BYOD) policies to a greater or lesser degree, this is not only achievable but increasingly the most cost-effective option for new network builds, with some organizations now foregoing wired connections altogether. Integrated 802.11ac Wi-Fi access should therefore be a mandatory requirement for the distributed enterprise.
- Reliable, Cost-effective WAN Connectivity
To address the challenge of maintaining intersite connectivity and quality of service without over-reliance on expensive circuits such as MPLS, the router or firewall responsible for WAN connectivity needs to intelligently balance Internet and intranet traffic across the available WAN services. An effective solution to this challenge, capable of providing load balancing at an application level as well as overall traffic, is SD-WAN technology
Alternative WAN connectivity options such as 3G/4G or ADSL, delivered through integrated modems, can also increase the overall flexibility and resilience of the distributed enterprise network.
Although high-speed wired and wireless access devices are now readily available and relatively inexpensive to deploy, the challenge comes when you start to integrate the aforementioned security measures. This is because the kind of traffic analysis required to provide protection, such as application control, can be highly processor-intensive. It is therefore critical that any unified access and security solution not only meets current requirements in terms of bandwidth and latency but has the architecture to scale to future demands as well.
Security will always represent a compromise between risk and cost. Spend nothing at all on security, and the risk of a serious breach approaches certainty. Impose too many hurdles between users and the data and applications they need to do their jobs, and the cost, both in financial and productivity terms, becomes prohibitive.
Yet, calculating the true cost of a security solution is not straightforward. Not only are there capital and operating costs to consider, but also the potential cost to the business resulting from each breach. In today’s landscape of advanced persistent threats, some level of intrusion is inevitable, but for any given attack, its subsequent impact on the business can vary enormously depending on how it is managed. The longer it takes to detect, quarantine, and eradicate the problem, the greater the impact to productivity, and the higher the subsequent cleanup costs.
In addition to the basic requirements of central configuration and monitoring, the management of large distributed enterprise networks presents three additional challenges:
- Device Provisioning - With tens of thousands of potential devices, automatic provisioning should be mandatory.
- Device Deployment - Similarly, it should be possible to deploy key devices without the need for skilled network engineers to be sent to each location.
- Policy Management - To avoid the inherent vulnerabilities of overlay networks and to ensure a consistent user experience across the distributed enterprise, it must be possible to create and maintain universal security policies.
To integrate these security policies with third-party authentication servers, the solution will also need to support RADIUS, Active Directory, or both. Additionally, in the event of a security breach, the network administrator not only needs to be alerted, but presented with a range of remedial actions to resolve the problem. Furthermore, to remain effective, the system needs to be able to learn from past breaches and, ideally, the input for this learning should come not only from your network but from thousands of others just like it.
As security threats increase in number, risk, and sophistication, Fortinet’s distributed enterprise customers can rest assured that their data protection obligations to customers, business partners, and shareholders can be honored, and that maximum business continuity will be maintained.
NEXT STEPS: Learn more about Fortinet's SD-WAN solution and find out why it might be the RIGHT choice for your organization. Get a FREE copy of Fortinet's exclusive checklist today.