Grow IT Secure...

Whether you are a private individual or a corporation (a person or group of persons running a business), you have been made aware of the ever-growing demand to protect private data. Hackers can be individuals acting against a competitor, or groups out to steal information and generate revenue by selling that information (data).

At Grow IT Secure, LLC, we are focused on the IT security industry and market. GrowITSecure.com was created and developed by Mr. Woods in an effort to launch a privately owned IT Security business. Mr. Woods has well over 25 years in the Information Technology business, having supported thousands of computers, several networks and websites over the years. In recent years, the global leader in IT Security, Fortinet, has come into view, and Grow IT Secure, LLC has become a Partner with Fortinet, engaging in marketing, installation and integration, provisioning and support.

Whether your company is considering expanding your wireless reach at the local branch, connecting several remote branches with multiple end-user connections, or upgrading your data center security, Grow IT Secure, LLC is prepared to present options and carry out upgrade plans.

Your IT needs to grow, and you need to do it securely: Grow IT Secure. Reach out today for a free quote from GrowITSecure.com and schedule a CTAP scan of your IT environment; it's on us and Fortinet.

Let us consider a few questions about NGFW, SD-WAN and how Fortinet CTAP (Cyber Threat Assessment Program) can uncover potential breaches in your network.

Fortinet - Protect What Matters



 

What is SD-WAN?

SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It consolidates the physical transport connections, or underlays, and monitors and load-balances traffic across the links. VPN overlay networks can be built on top of the underlays to control traffic across different sites.

Health checks and SD-WAN rules define the expected performance and business priorities, allowing the FortiGate to automatically and intelligently route traffic based on the application, internet service, or health of a particular connection.

WAN security and intelligence can be extended into the LAN by incorporating wired and wireless networks under the same domain. FortiSwitch and FortiAP devices integrate seamlessly with the FortiGate to form the foundation of an SD-Branch.

Some of the key benefits of SD-WAN include:

We love Fortinet devices and the corporation behind them, a leader in IT Security and customer appreciation.

 

What are some examples of SD-WAN?

Practical basic SD-WAN examples

Let's consider a site with two Internet connections plugged into the interfaces "wan1" and "wan2" respectively (as depicted on the diagram in Basic SD-WAN configuration). What kind of SD-WAN strategies could we configure in this setup?

  • Best Quality. For services particularly sensitive to high latency (such as video conferencing), we can configure an SD-WAN rule that selects the WAN link with the best measured latency of the two SD-WAN Members "wan1" and "wan2". The health of both links is constantly probed. If the latency of the selected link degrades during the video call, the session will automatically switch over to a better SD-WAN Member, ensuring the best possible call experience.

  • Lowest Cost (SLA). It is quite common to treat the available links as a primary and a backup connection. For example, imagine that "wan2" is connected to a mobile router, providing a costly 4G/5G Internet connection with imposed traffic limits. We would like to use this connection only as a backup. At the same time, a typical requirement is to guarantee minimal SLA for business-critical applications. Hence, if "wan1" cannot meet the SLA target, we must use "wan2".

    We can configure an SD-WAN rule matching our business-critical applications and preferring "wan1" over "wan2", but only as long as it meets the required SLA target (for example, 200 ms latency). If the health of "wan1" degrades and it can no longer meet the target, the sessions will be steered to "wan2". All the existing sessions will (by default) switch over. Still, the health of "wan1" will be constantly probed. Once the Internet connection "wan1" recovers, the application sessions will switch back to "wan1", freeing up the backup link "wan2" while always meeting their SLA targets.

  • Maximize Bandwidth. Another typical requirement is to guarantee a minimal SLA for business-critical applications while striving to utilize all available bandwidth (as opposed to the primary/backup model described in the previous example). We can configure an SD-WAN rule matching these applications and load-balancing them across both SD-WAN Members ("wan1" and "wan2"), but only as long as they meet a certain SLA target (for example, 200 ms). If the health of one of the Internet connections (for example, "wan1") degrades and it can no longer meet the target, new sessions will not be steered there, and all the existing sessions will (by default) switch over to the remaining healthy Internet connection ("wan2"). Still, the health of both links will be constantly probed. Once the Internet connection "wan1" recovers, the application sessions will be load-balanced again, always meeting their SLA targets.

Credit:
https://docs.fortinet.com/document/fortigate/7.2.0/sd-wan-sd-branch-architecture-for-mssps/25877/practical-basic-sd-wan-examples

 

Is SD-WAN the same as a VPN?

Software-Defined WAN (SD-WAN)—An Overview

Credit: https://www.fortinet.com/resources/cyberglossary/sd-wan-vs-vpn

SD-WAN vs VPN: Pros and Cons

When comparing SD-WAN vs. VPN, it pays to remember that both aim to secure traffic and keep users safe while they browse the web or access internet-connected applications. Below are some SD-WAN pros and cons, the benefits and limitations of VPN, as well as the key differences between SD-WAN and VPN networking solutions:

1. Cost of SD-WAN vs VPN

SD-WAN pricing is generally lower than traditional WANs because they use the public internet, which removes the need for private connections. The SD-WAN pricing model also offers an inexpensive option to build a network, reducing operating expenses such as those associated with commodity lines like cable, digital subscriber line (DSL), or fiber.

VPNs are available as both free and paid-for solutions. However, the more money organizations spend, the more reliable and secure the solution. VPN pricing for remote access packages begins at around $7 per user. Additional costs will include the time and human resources spent managing network connections.

2. Configuration and maintenance: SD-WAN vs VPN

SD-WAN solutions are typically adaptable and easily updatable. The approach is centralized and software-driven, so it does not require specialized hardware coding or infrastructure changes. However, maintaining WAN connections gets more complex as organizations add more sites, resulting in performance issues and the infrastructure becoming disjointed.

VPN service configuration and management may require extensive work. For example, securely configuring Internet Key Exchange (IKE), Internet Protocol security (IPsec) tunneling, and Network Address Translation Traversal (NAT-T) requires networking expertise. VPNs are relatively simple to manage but offer less flexibility than SD-WAN, as each VPN connection is end to end rather than centralized.

3. Connectivity of SD-WAN vs VPN

An SD-WAN establishes a dual-layer network formed of an underlay and overlay. The underlay connects to the public internet and an existing private WAN using public and private lines, such as dedicated internet access (DIA) circuits, multiprotocol label switching (MPLS), and point-to-point links. The overlay is a top software layer that enables organizations to monitor and fix connection issues. 

This approach ensures data is intelligently routed between public and private networks based on priority and simplifies the management of the network. However, SD-WAN can still be vulnerable to public internet issues like fluctuating bandwidth, latency, and packet loss.

A VPN provides encrypted tunnels that create secure, stable user connections. However, VPN connectivity speed often depends on the type of VPN service. It can also be impacted by the encryption process. Paid-for networking solutions typically offer more reliable, higher-speed connections than their free alternatives. 

4. Security solutions for SD-WAN vs VPN

SD-WAN security is efficient. The advantages of migrating to SD-WAN include having high levels of security at a lower cost and reduced complexity than solutions like MPLS. SD-WAN security provides centralized controls that deliver end-to-end encryption across organizations’ entire networks rather than manually securing individual connections. It is compatible with advanced security features and solutions like antivirus, encryption, firewalls, sandboxing, and Uniform Resource Locator (URL) filtering.

VPNs are efficient but slightly more vulnerable than SD-WANs. Most leading VPN security services provide IPsec protocols and secure traffic through the Advanced Encryption Standard (AES) 256-bit encryption. Some also offer Layer 7 firewall protection, which enables organizations to filter application-specific traffic. However, VPNs can be vulnerable to threats from the public internet, so they need to be monitored carefully. 

For example, some remote-access VPNs have enabled malware and viruses to spread from users’ home devices onto corporate networks.

5. Performance of SD-WAN vs VPN

SD-WAN solutions enable organizations to reap the benefits of networking features like application-aware routing, dynamic path selection, and quality of service (QoS). Cloud-based SD-WAN also eliminates latency issues.

VPN solutions can be vulnerable to public internet performance issues. This includes spikes in traffic, which can lead to an internet connection slowing down, or latency issues caused by traffic traveling long distances.

6. Reliability of SD-WAN vs VPN

SD-WAN technology provides stable connectivity, which drastically reduces the chances of downtime. It increases the reliability of WAN, the public internet, and mobile connections. The approach also simplifies network management through remote monitoring. Additionally, SD-WAN offers features like multiplexing and path conditioning, which protect networks from connection issues or dropped packets, and intelligent network resourcing, which guarantees the performance of business-critical applications.


VPNs are generally stable. Trusted VPN routers offer highly reliable services that should not suffer connection drops. However, if an encryption issue occurs, users’ actual Internet Protocol (IP) addresses will be exposed to the public internet.

7. Implementation of SD-WAN vs VPN

SD-WAN enables fast onboarding. The software-based nature of the technology means it can be implemented even without significant specialist knowledge, such as coding or making changes to the infrastructure. However, getting SD-WAN implementation right requires careful planning and deployment, especially if organizations are transitioning from old, legacy network hardware and topology. 

Furthermore, implementing SD-WAN can introduce loopholes or gaps in a secure network, so it is crucial to have vulnerability scans and robust quality assurance processes in place.

VPNs are designed to be user-friendly. VPN software is relatively easy to implement, and most reliable providers offer how-to guides and troubleshooting assistance. However, implementing site-to-site VPNs can get complicated, requiring additional equipment or specialist resources. Also, the initial setup phase can create vast amounts of manual activity that is prone to human error.




What are some primary components of SD-WAN?

SD-WAN components and design principles

SD-WAN can be broken down into three layers:

  • Management and orchestration

  • Control, data plane, and security

  • Network access

The control, data plane, and security layer can only be deployed on a FortiGate. The other two layers help to scale and enhance the solution. For large deployments, FortiManager and FortiAnalyzer provide the management and orchestration capabilities, while FortiSwitch and FortiAP provide the components to deploy an SD-Branch.

Layer: Management and orchestration

Functions:

  • Unified management

  • Template based solution

  • Zero touch provisioning

  • Logging, monitoring, and analysis

  • Automated orchestration using the REST API

Devices: FortiManager, FortiAnalyzer

Layer: Control, data plane, and security

Functions:

  • Consolidation of underlays and overlays into SD-WAN zones

  • Scalable VPN solutions using ADVPN

  • Static and dynamic routing definition

  • NGFW firewalling

  • SD-WAN health-checks and monitoring

  • Application-aware steering and intelligence

Devices: FortiGate

Layer: Network access

Functions:

  • Wired and wireless network segmentation

  • Built-in network access control

Devices: FortiSwitch, FortiAP

Design principles

The Five-pillar approach, described in the SD-WAN / SD-Branch Architecture for MSSPs guide, is recommended when designing a secure SD-WAN solution.

Underlay

Determine the WAN links that will be used for the underlay network, such as your broadband link, MPLS, 4G/5G LTE connection, and others.

For each link, determine the bandwidth, quality and reliability (packet loss, latency, and jitter), and cost. Use this information to decide which link to prefer and what type of traffic to send across each link, and to help you set the baselines for health-checks.

Overlay

VPN overlays are needed when traffic must travel across multiple sites. These are usually site-to-site IPsec tunnels that interconnect branches, datacenters, and the cloud, forming a hub-and-spoke topology.

The management and maintenance of the tunnels should be considered when determining the overlay network requirements. Manual tunnel configuration might be sufficient in a small environment, but could become unmanageable as the environment size increases. ADVPN can be used to help scale the solution; see ADVPN for more information.

Routing

Traditional routing designs manipulate routes to steer traffic to different links. SD-WAN uses traditional routing to build the basic routing table to reach different destinations, but uses SD-WAN rules to steer traffic. This allows the steering to be based on criteria such as destination, internet service, application, route tag, and the health of the link. Routing in an SD-WAN solution is used to identify all possible routes across the underlays and overlays, which the FortiGate balances using ECMP.

In the most basic configuration, static gateways that are configured on an SD-WAN member interface automatically provide the basic routing needed for the FortiGate to balance traffic across the links. As the number of sites and destinations increases, manually maintaining routes to each destination becomes difficult. Using dynamic routing to advertise routes across overlay tunnels should be considered when you have many sites to interconnect.

Security

Security involves defining policies for access control and applying the appropriate protection using the FortiGate's NGFW features. Efficiently grouping SD-WAN members into SD-WAN zones must also be considered. Typically, underlays provide direct internet access and overlays provide remote internet or network access. Grouping the underlays together into one zone, and the overlays into one or more zones could be an effective method.

SD-WAN

The SD-WAN pillar is the intelligence that is applied to traffic steering decisions. It comprises four primary elements:

  • SD-WAN zones

    SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies as source and destination interfaces. You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay interfaces. Routing can be configured per zone.

    See SD-WAN members and zones.

  • SD-WAN members

    Also called interfaces, SD-WAN members are the ports and interfaces that are used to run traffic. At least one interface must be configured for SD-WAN to function.

    See Configuring the SD-WAN interface.

  • Performance SLAs

    Also called health-checks, performance SLAs are used to monitor member interface link quality, and to detect link failures. When the SLA falls below a configured threshold, the route can be removed, and traffic can be steered to different links in the SD-WAN rule.

    SLA health-checks use active or passive probing:

    • Active probing requires manually defining the server to be probed, and generates consistent probing traffic.

    • Passive probing uses active sessions that are passing through firewall policies used by the related SD-WAN interfaces to derive health measurements. It reduces the amount of configuration, and eliminates probing traffic. See Passive WAN health measurement for details.

    See Performance SLA.

  • SD-WAN rules

    Also called services, SD-WAN rules control path selection. Specific traffic can be dynamically sent to the best link, or use a specific route.

    Rules control the strategy that the FortiGate uses when selecting the outbound traffic interface, the SLAs that are monitored when selecting the outgoing interface, and the criteria for selecting the traffic that adheres to the rule. When no SD-WAN rules match the traffic, the implicit rule applies.

    See SD-WAN rules.
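To make the interplay between performance SLAs and SD-WAN rules concrete, here is a small simulation (added example, not FortiOS code or configuration) of the three strategies from the practical examples above: Best Quality, Lowest Cost (SLA) and Maximize Bandwidth. It evaluates constructed probe results for "wan1" and "wan2" against the 200 ms target; the jitter and packet-loss thresholds, and the fallback to list order when no member meets the SLA, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Health:
    latency: float      # probed round-trip latency, ms
    jitter: float       # probed jitter, ms
    packet_loss: float  # probed packet loss, percent

@dataclass
class Sla:
    latency: float = 200.0   # the 200 ms target from the examples above
    jitter: float = 50.0     # assumed thresholds for the other two metrics
    packet_loss: float = 5.0

def meets_sla(h: Health, sla: Sla) -> bool:
    """A member is in SLA only when every probed metric is within threshold."""
    return (h.latency <= sla.latency and h.jitter <= sla.jitter
            and h.packet_loss <= sla.packet_loss)

def select_members(mode: str, priority: List[str],
                   health: Dict[str, Health], sla: Sla) -> List[str]:
    """Members that carry the rule's traffic for one probe cycle.
    priority lists members in preference order; 100% loss means the link is down."""
    alive = [m for m in priority if health[m].packet_loss < 100]
    if not alive:
        return []                                   # no usable link at all
    if mode == "best-quality":                      # Best Quality strategy
        return [min(alive, key=lambda m: health[m].latency)]
    in_sla = [m for m in alive if meets_sla(health[m], sla)]
    if mode == "sla":                               # Lowest Cost (SLA) strategy
        # first preferred member that meets SLA; assumed fallback: list order
        return [in_sla[0] if in_sla else alive[0]]
    if mode == "load-balance":                      # Maximize Bandwidth strategy
        return in_sla if in_sla else alive          # spread over every in-SLA member
    raise ValueError(f"unknown rule mode: {mode}")

def steer(mode: str, priority: List[str], samples: List[Dict[str, Health]],
          sla: Sla = Sla()) -> List[List[str]]:
    """Re-evaluate the rule after every probe cycle. Sessions switch over by
    default, so a change between consecutive entries moves live sessions."""
    return [select_members(mode, priority, h, sla) for h in samples]

# Constructed probe results (not real measurements): wan1 is the cheap primary,
# wan2 the costly 4G/5G backup. wan1 breaches the 200 ms target in cycle 2,
# recovers in cycle 3, and in cycle 4 is slower than wan2 but still in SLA.
SAMPLES = [
    {"wan1": Health(40, 5, 0), "wan2": Health(90, 20, 0)},
    {"wan1": Health(350, 60, 2), "wan2": Health(95, 20, 0)},
    {"wan1": Health(45, 5, 0), "wan2": Health(90, 20, 0)},
    {"wan1": Health(150, 10, 0), "wan2": Health(90, 20, 0)},
]
```

Cycle 4 is where the strategies part ways: Lowest Cost stays on the in-SLA primary "wan1", Best Quality moves to the faster "wan2", and Maximize Bandwidth uses both.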



Is SD-WAN cost effective?

Short answer, yes. The increased reliability of WAN services and the significantly lower communication costs that have come with the introduction of SD-WAN help solve these problems.

 

Contact Grow IT Secure today for a free consultation and a Comprehensive Threat Analysis from Grow IT Secure and Fortinet CTAP.