Why zero trust matters for your network
In today’s security landscape, simply trusting users or devices based on their presence within a corporate network is no longer sufficient. A zero trust approach ensures that access to resources is granted only when absolutely necessary, based on the identity and role of the user or device. This principle of least privilege significantly reduces the attack surface by ensuring that users and devices can only access what they need to perform their tasks — nothing more. Traditional router-centric WAN architectures often fail to enforce this level of control, leading to inconsistent security policies across branch locations and exposing the organization to potential breaches. By adopting a secure SD-WAN, organizations can enforce strict access controls consistently across all branches, aligning network access with zero trust principles and enhancing overall security.
How does a secure SD-WAN work?
Over the years, branch offices and remote locations can accumulate a sprawl of network and security equipment that is not only difficult to maintain but also not designed for the cloud era. Traditional router-centric WAN architectures often require traffic to be sent back to the corporate data center for security inspection, significantly impacting application performance and introducing inconsistencies in security policies across branches. These inconsistencies can expose the entire organization to potential breaches.
A secure SD-WAN addresses these challenges by integrating advanced SD-WAN capabilities with a next-generation firewall that includes advanced security functions such as IDS/IPS, DDoS protection, role-based segmentation, and network encryption. It enforces consistent end-to-end network and security policies across both the LAN and WAN through centralized orchestration, greatly improving both networking and security operations. Advance secure SD-WAN can even leverage machine learning to enhance protection. For example, the configuration of DOS thresholds can be automated with machine learning, eliminating errors and frequent adjustments.
As workloads shift to the cloud, a secure SD-WAN enables organizations to intelligently steer traffic based on application type without backhauling it to the data center. For example, trusted cloud applications like UCaaS can be sent directly to the cloud. Oher application traffic such as Microsoft 365 and internet traffic are directed to an SSE solution for further inspection using advanced security features such as SWG, CASB or DLP.
Role-based segmentation with a secure SD-WAN
To enforce zero trust, a secure SD-WAN provides end-to-end network segmentation spanning the LAN, WAN, and even into the cloud. Security policies are defined on a zone-by-zone basis, limiting connectivity with other zones according to predefined security policies. For instance, a policy might allow only outgoing traffic, permit incoming traffic only from approved applications and services, or block all traffic from less secure zones.
Advanced secure SD-WANs can also integrate with identity access management systems to provide user and device identity and role-based context, for fine-grained segmentation. This additional identity-based context enables consistent security policy enforcement across the network, propagating security policy information and updates related to user, device type, role, and security posture to the SD-WAN fabric.
This new layer of context eliminates the complexity of managing multiple VLANs. A fine-grained segmentation policy can prevent IoT security cameras from accessing credit card transactions or HVAC systems. Zero trust segmentation helps branch offices isolate any potential security threats by device type, role, and application ensuring that users and devices only reach destinations consistent with their role on the network.
Zero trust segmentation with HPE Aruba Networking EdgeConnect SD-WAN
Protect all users and devices with a secure SD-WAN and Secure Web Gateway (SWG)
Unmanaged devices, such as IoT, can reach malicious websites as they connect to the internet for updates, telemetry, and other purposes. Standalone SWG applications often fall short of protecting these devices as they cannot run an agent.
A secure SD-WAN augmented with SWG protects users and devices across the network from web-based threats without the need to install an SWG agent on each device. This is particularly beneficial for securing unmanaged devices such as guest users and IoT devices. Moreover, integrating SWG into a secure SD-WAN provides an easy path to expand to a unified SASE framework by enabling the addition of Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB) , for a holistic and cohesive approach to network and security management.
Simplify operations
In traditional network environments, branch firewalls are often configured manually, leading to inconsistent security policies across the WAN. This manual process is time consuming and must be repeated every time a policy changes. A secure SD-WAN simplifies this process by centrally configuring security policies and quickly updating thousands of locations, minimizing errors and enforcing consistent policies. This centralized policy management enables a secure SD-WAN to operate as a single logical firewall across the entire SD-WAN fabric, greatly simplifying operations and enhancing security, and eliminates the need for local technical expertise.
In addition, a secure SD-WAN enables organizations to consolidate hardware equipment by integrating a router, a firewall, and a WAN optimization device into one solution , reducing costs and simplifying maintenance.
A secure SD-WAN provides end-to-end firewall capabilities across the LAN and the WAN with centralized policy management
Why you should use a secure SD-WAN to build a zero trust network
- Implement fine-grained segmentation
A secure SD-WAN uses zero trust network segmentation to secure devices, including IoT devices that cannot run security agents, extending protection beyond traditional SASE. It uses an identity-based access control security framework, ensuring that users and IoT devices can only access network destinations consistent with their role in the business.
- Retire traditional branch firewalls
Advanced secure SD-WAN solutions that include next-generation firewall capabilities can enable organizations to seamlessly replace legacy branch firewalls. They can also secure untrusted links with IPsec tunnels and enforce security policies at the branch and across the WAN through centralized orchestration.
- Simplify branch operations
By integrating multiple capabilities, including SD-WAN, routing, WAN optimization, and firewall, a secure SD-WAN helps branch offices reduce hardware footprint by consolidating network and security functions into one solution. The solution can be easily deployed across thousands of sites with zero-touch provisioning from a single console, improving IT efficiency and streamlining management.
- Support cloud-centric architectures
A secure SD-WAN intelligently steers traffic to the cloud, eliminating the need for backhauling traffic and improving application performance. Trusted SaaS and web traffic can be sent directly to the internet, while unknown or untrusted web traffic can be sent to SSE cloud services for additional inspection.
- Easily move to SASE
With a secure SD-WAN, moving to SASE is simplified because it integrates key networking and security functions within a single solution. With the addition of services like SWG, ZTNA and CASB, organizations can easily expand to a unified SASE model without major infrastructure changes.
The Benefits of Building a zero trust network with secure SD-WAN
- Reduce business risk
A secure SD-WAN provides comprehensive security across the entire SD-WAN fabric, spanning the WAN and LAN with end-to-end microsegmentation capabilities. It helps organizations comply with regulatory frameworks such as HIPAA, PCI DSS, or NIST.
- Enhance flexibility
A secure SD-WAN enables flexibility when implementing security controls at the branch and across the WAN. The solution can be easily and quickly deployed, adapting to changing business needs.
- Increase IT efficiency
A secure SD-WAN supports all necessary security functions and helps eliminate equipment sprawl in branches. By moving to a thin branch model, organizations can streamline both network and security management, increasing overall IT efficiency.
EdgeConnect SD-WAN: zero trust at the branch
EdgeConnect SD-WAN provides comprehensive security services, including next-generation firewall, IDS/IPS, adaptive DDoS defense using machine learning to automatically set DoS thresholds, and role-based segmentation using a tight integration with HPE Aruba Networking ClearPass. With these features, EdgeConnect SD-WAN can replace outdated and difficult-to-manage physical firewalls at branch locations and branch routers, delivering consistent security and performance for all users and devices in the branch network. EdgeConnect SD-WAN also integrates with HPE Aruba Networking SSE and many other third-party SSE solutions to form a robust SASE architecture.
To learn more, please visit our glossary page on secure SD-WAN
Other resources:
Gabriel_Gomane
Gabriel Gomane has more than 15 years of experience in product marketing and product management, focusing primarily on networking, security and digital transformation. He has broad international experience, having held marketing positions based in Europe and in the US. Before joining HPE Aruba Networking, Gabriel worked for various high tech companies including Meru Networks and MEGA International. Gabriel holds a BS in engineering from Grenoble INP and an MBA from HEC Paris.
