What are the drivers for software defined security?
IT organizations have gained significant benefits as a direct result of server virtualization. Server consolidation reduces physical complexity, increases operational efficiency, and provides the ability to dynamically re-purpose underlying resources to quickly and optimally meet the needs of increasingly dynamic business applications. These are just a handful of the gains that have already been realized.
This transformation started a decade ago with x86 hypervisors delivering greater IT efficiency through server virtualization. But as cloud computing drove further evolution of Infrastructure-as-a-Service (IaaS) with greater agility and elasticity, those concepts have spilled over into network virtualization and SDN, as well as into Software-Defined Storage, Software-Defined WAN, etc.
Network security is also being impacted. Firewalls, intrusion prevention, and other security appliances have traditionally been deployed as hardware devices at discrete points in the physical network, such as the ingress/egress point at the network edge. But as security needs to increasingly be deployed throughout the network to counter against advanced threats inside the perimeter, there are challenges maintaining visibility and control with dynamic and logical network flows in increasingly software-defined environments. With the profound and fundamental changes to data center infrastructure, constricting traffic through a few fixed static inspection points would negate many of the benefits of Infrastructure-as-a-Service agility.
How would you explain ROI of SDSec?
IT teams are adopting an on-demand consumption model for their compute infrastructure and applications to improve efficiency and productivity. Unlike traditional WAN architectures, new software-defined wide area networks, or SD-WANs, are able to dynamically distribute traffic across multiple locations while automatically responding to changing application policies. SD-WAN is also transport and carrier-agnostic, which means expensive MPLS can be replaced with more cost-effective connections, such as internet and LTE, allowing time and cost-saving functions such as intelligent path selection to be enabled.
At the same time, business-critical applications and services, such as IP-Telephony, need to operate across distributed network environments without down time. On-demand connectivity is critical, especially for latency-sensitive services such as voice and video. Fortunately, manufacturers and vendors like Fortinet have been able to resolve this challenge, thereby accelerating the adoption of SD-WAN.
While SDSec aims to simplify security in virtualized environments, just how complex is it to deploy and maintain the tool itself?
Fortinet has developed a suite of proven technologies designed to enhance and secure SD-WAN deployments. They are built on the foundation of the latest release of FortiOS, version 5.6, which extends Fortinet Security Fabric functionality into the cloud and distributed network. IDC recently designated FortiGate as a market share leader for the distributed enterprise, and NSS Labs has verified FortiGate’s proven security and performance efficacy. Fortinet solutions provide broad deployment options, the highest performance, whether deploying physical or highly optimized software versions, and the automation and adaptability that new network strategies like SD-WAN require.
For example, our new security processor-based FortiGate Enterprise Firewall not only consolidates networking and security functionality, but also provides market-leading performance and the highest price/performance ratio in the industry. It also comes in a variety of form factors, such as integrated wireless, 3G/4G, POE, and DSL to simplify deployment.
Other features supporting SD-WAN include:
Application Visibility and Extended Fabric Topology View: Provides complete visibility into applications, users, and threats to help admins understand overall traffic patterns to more effectively deploy and troubleshoot business critical applications. The extended fabric topology in FortiOS 5.6 provides the dynamic view of physical and logical topology along with link utilizations.
IPsec VPN (AES256): Delivers the industry’s highest throughput (~10X higher than the competition) based on SPU off-load, as well as high scalability to support up to thousands of distributed devices and locations. Fortinet also recently announced ADVPN, which enables dynamic VPN tunneling.
Smart Link Load Balancing and Link Monitoring: FortiOS 5.6 has integrated SD-WAN functionality for WAN Link Load Balancing so that customers can choose the best link for business critical applications. However, should link health degrade, it simply fails over to the next best SLA for applications. FortiOS 5.6 also supports TWAMP and other protocols so that customers can get a detailed view on sensitive applications and services, such as jitter, packet loss, latency, etc.
Dynamic Cloud (SaaS) application database: The average enterprise uses ~30 SaaS applications. The cloud application database in FortiOS 5.6 supports hundreds of applications, and dynamically updates their IP address and port for the most efficient routing.
SSL Inspection and Threat Prevention: Organizations shouldn’t have to choose between performance and protection. However, because more and more data is passing through the network in an encrypted form, many security solutions become a bottleneck as they attempt to open and inspect traffic. Fortinet solutions not only support industry-mandated ciphers, but the FortiGate firewalls provide the industry’s highest SSL inspection throughput.
What environments are best suited for SDSec?
SDN Security defines a generalized security architecture framework that can be applied to a variety of business and IT use cases, but a few key ones are emerging commonly for enterprises and service providers deploying virtualization, cloud and SDN technologies.
Auto-Scaling/Auto-Provisioning Protection for Elastic Workloads
Many organizations are looking to accelerate their business by connecting more closely with customers or consumers through social media or web-based initiatives. These mobile, social and multimedia applications need to be able to be deployed rapidly and scale virally in response to end-user demand, hence internal IT teams and cloud service providers alike are being driven to deliver highly elastic IaaS services to line-of-business development teams.
Enabling Security-as-a-Service for Service Providers
Telcos and managed security service providers (MSSPs) have long delivered network security solutions as managed services either from centralized provider networks or as customer-premise equipment (CPE). But they are increasingly looking to deliver managed security with IaaS-based characteristics – i.e. security-as-a-service – whether as standalone security services or integrated seamlessly with public clouds and cloud marketplace offerings.
Service providers have not only been the earliest adopters of SDN, but are also key stakeholders in the evolution of SDN Security.
What opportunities does SDSec present to channel partners or resellers?
Enterprises are adopting new technologies and cutting-edge infrastructure strategies to enable continued growth in today’s competitive digital economy. Most of these organizations have deployed networking and security solutions from multiple vendors, which can pose significant challenges for IT teams to integrate and efficiently operate multi-vendor solutions across heterogeneous environments.
The Fortinet Security Fabric enables customers to maximize their existing technology investments through the Fabric-Ready Partner Program. Working together, Fabric-Ready partner solutions can leverage Fortinet’s well-defined APIs (Application Programming Interfaces) for deep integration with the Fortinet Security Fabric. This integration further extends Security Fabric capabilities across cloud, virtualized and software-defined environments and ensures seamless interoperation with partner solutions and services.
To date, Fortinet has 22 Fabric-Ready Program Partners, representing a cross-section of leading information technology providers to deliver pre-integrated, end-to-end offerings ready for deployment, reducing technical support burden and costs for enterprise customers.
As part of the program, partners undergo solution validation with a commitment to ongoing interoperability. Additionally, Fabric-Ready partners will benefit from joint marketing and go-to-market initiatives with Fortinet.
What are the bottlenecks / challenges for adoption of SDSec?
Just as with software-defined networks (SDN), a significant change in the infrastructure also has huge implications for security. While the infrastructure is undergoing a radical transformation, cyberthreats are also increasing in both volume and sophistication. We are seeing a dramatic rise in ransomware, more advanced attacks, and increasing IPS attacks per minute.
In addition to traditional attack vectors, cybercriminals are increasingly targeting new distributed networking paradigms. For example, direct internet access to SaaS applications, especially when devices are off-network, has made deploying new security strategies designed for the distributed enterprise very critical. That’s because traditional security solutions tend to be placed in a single location on the perimeter. But as the perimeter disappears, security needs to be able to protect connections from any device in any location, and see and automatically adapt to the changing infrastructure on demand.
At the same time, encrypted traffic across the distributed network (~50% of total traffic is encrypted, with experts predicting that will soon rise to 80%), along with malware targeted at SSL traffic, is rising. This means that the need for real-time SSL inspection, without slowing down business-critical traffic, is critical.