Service chaining is a popular topic when it comes to SD-WAN implementation, and it’s no surprise why. With the vast amount of services deployed at the network layer, IT shops have to position their WAN traffic in such a way that each service is allowed to deliver its inherent value in a timely manner without affecting the rest of the network design in a harmful way. VPN concentrators are a common example of this, and that’s still a strong use case today even with the omnipresence of SD-WAN.
Let’s take a moment to focus on one specific service chain with SD-WAN: Firewalls. This service chaining example is one of the most common questions that IT professionals will encounter when standing up an SD-WAN deployment, so it’s important to dig into the options and the showstoppers that are inherent to the technologies themselves.
The Hub and Spoke Network
The most common configuration here is to emulate a hub and spoke network where there is one central firewall handling the filtration and exfiltration for an organization. This ties in nicely to the inherent value of SD-WAN as the control plane/orchestrator will allow you to configure a centralized policy where the SD-WAN appliances ride their traffic over an IP connection to the firewall service. If all sites are on a shared VPN, this is as simple as configuring IP addresses and redirects through the remote sites.
However, this can get tricky with more VPNs or private lines being added into the mix, let alone an organization that is standing up new sites on a consistent basis. Best practice would be to create a central policy that cascades down to all sites in a list. However, this will vary based on what SD-WAN service provider you are using.
Next Generation Service Chaining
Service chaining is really about understanding what is possible. For example, it’s not uncommon to find multiple services per node being routed through a chain. The key is distinguishing whether it’s a control policy that is needed (as stated in the example above) or if it’s a data policy that is needed in tandem with the service policy. A common use case for this would be data that is meant to reside in a private server or even for quality of service on a voice network that is distinct from the rest of the data packets flowing through the network.
As organizations start to build more robust security frameworks, service chaining will soon have (or already has) network diagrams looking like frenetic detective boards with thumbtacks and string creating complex and incoherent mapping profiles. Intrusion detection and prevention systems facilitate the need for these checks and balances, and there’s even more in sophisticated cybersecure network profiles.
What About Firewalls?
As I have written before, many of the firewalls that are included in SD-WAN appliances are not going to be a fit for a business that takes its network security seriously as they are essentially common retail off-the-shelf firewalls tagged onto the appliance. In some cases, you can download a virtual instance of a more robust firewall to an SD-WAN appliance, but that’s not what most IT shops turn to SD-WAN to solve for. That being said, it’s best to turn off the SD-WAN firewall if you already have a firewall in place.
What About a Next Generation Firewall?
These tools are included in a true zero trust network architecture and therefore represent the next wave of firewall technologies as it relates to SD-WAN configuration and service chaining. To define, a next generation firewall (NGFW) includes extra features like application awareness and more real-time threat intelligence services. The emergence of application layer attacks facilitates the need for more control to block these applications. This should, in theory, decrease the time to detect an attack on the network. However, there is no replacement for human vigilance, so NGFW is not a silver bullet to cure all security issues.
One of the main promises of NGFWs is enhanced policy management, which can then lead to better practices around service chaining, particularly when services are being chained or reallocated during a cyberattack. But far more common than this is the simple phenomenon of shadow IT and how that can create new policies that affect the service chain adversely or simply exposes the network to more risk.
Now that you know all about these best practices, it’s time to implement them.
Get more tech insights like this right in your inbox with CompTIA’s IT Career Newsletter. Subscribe today, and you can save 10% off your next CompTIA purchase.
