Prepare your WAN and network security architecture for a hybrid work future

Corporate networks have evolved over the years around the notion of physical spaces — offices, retail stores, factory floors, production studios, and data centers. We predominantly used client-server applications, with the server-side hosted in private data centers, and the client-side running on desktop and laptop computers at physical office locations. We accommodated remote users, business travelers, and the occasional home-based employees using the dreaded three-letter acronym — VPN. VPNs were deemed a necessary evil, both by the end-users who tolerated the clunky user experience and the occasional disconnects and by the network administrators who had to deploy and manage VPN concentrator appliances. VPNs allowed us to maintain a castle-and-moat model of security — anything on the corporate network was safe, and anything outside it was unsafe.

Fundamental shifts in IT

And then we encountered a few fundamental shifts. The first major shift was that apps were no longer in the private data centers. We all started consuming software as-a-service. And most SaaS apps are delivered over the Internet, using a desktop browser or a mobile app. This created a huge problem for the castle and moat model of security. We could no longer draw clean lines around what was safe and unsafe. Your apps and data were outside the corporate network perimeter, so it became less important to defend the perimeter and more important to protect the apps, the data, and the users — wherever they were.

The past eighteen months have forced yet another shift. As most of us were forced to work from home, and many continue to do so, we are essentially using the Internet as our new corporate network. So what does this mean for the trusted old MPLS wide area network (WAN) that still connects your corporate offices? If we’re doing all our business over the Internet, do we still need a WAN?

Changing expectations and threat landscape

While networking technologies evolve, a few fundamental truths still hold. We still need a network to interconnect all the apps, users, and devices. The requirements around this network have shifted, though, and performance expectations have increased tremendously with the consumerization of IT. Employees expect snappy, easy-to-use apps that work the same on any device and from any location. They view VPNs as a relic from another era that hinders their user experience.

Software-defined WANs (SD-WANs) give us more flexibility in building corporate networks, but they are primarily an edge technology. They still rely on an unpredictable “middle mile” — usually the Internet. While SD-WAN gateways can monitor app performance and switch between available paths, the middle mile itself remains outside your direct control. How do you ensure user expectations are being met while running your WAN over an unpredictable Internet?

At the same time, the Internet hasn’t gotten any safer. Threats continue to escalate with the democratization of attack tools and botnets and the proliferation of ransomware within corporate IT environments. Network security is no longer just a perimeter problem — it’s an everywhere problem.

The need for security-as-a-service

The security model for corporate networks has long been at odds with network and app performance requirements. Network security has relied on purpose-built appliances from multiple vendors to solve different use cases like network firewalling, intrusion detection, DDoS protection, and secure web gateways. These appliance-based technologies force us to create finite Internet egress points in the network, where we can squeeze traffic through these appliances and enforce perimeter network security policies. A global insurance company, for example, might have Internet egress only in Chicago. So an employee in their London office will get routed to Chicago to access Office 365 email, even though Microsoft has data centers in London. This is clearly inefficient and degrades the user experience. Yet, many organizations are stuck with this model because network security has been slow to move to an as-a-service model.

Another point of complexity is the proliferation of public cloud services where application components reside. Public cloud services are simply a collection of regional data centers. Each region is an island and you need to provision secure network connectivity between all the regions and your office locations. You can either use the cloud vendor’s proprietary solution and lock yourself into their ecosystem, or provision IPSec tunnels manually between all sites using virtual firewall appliances. Both are less than ideal solutions for modern applications where East-West traffic might far exceed North-South traffic.

Cloudflare One: Unified security and network-as-a-service

The future of IT security is zero trust. However, implementing zero trust should not put you at odds with network architecture and app performance requirements. Virtualized security appliances still create choke points in your WAN, impair user experience and increase support costs. Unified network and security-as-a-service solutions such as Cloudflare One can eliminate network choke points, and provide seamless, scalable zero trust security-as-a-service, integrated with a WAN solution that connects any user to any service, on-premises or in the cloud.

Join our webinar on November 4th, 2021 to learn how you can evolve your WAN and security architecture with Cloudflare One and embrace the Internet as your new corporate network.

Author's Bio

Ameet Naik

Cloudflare