As the use of business-critical, cloud-based applications and tools continue to increase, distributed organizations with multiple remote offices are switching from performance-inhibited wide-area networks (WANs) to software-defined WAN (SD-WAN) architectures. However, SD-WAN has its own shortcomings—especially when it comes to security with direct internet access. SD-WAN includes next-generation firewall (NGFW) security, SD-WAN, advanced routing, and WAN optimization capabilities.

SaaS applications like Office 365, G-Suite increase overall traffic while requiring very low latency to work. To manage these demands, you need a different architecture that enables local internet breakouts at every location for direct access to cloud services. The current scenario of Hybrid WAN (Internet and MPLS ) is challenged by an intelligent SD-WAN technology that provides better features and performance.

 SD-WAN mainly deals with

• WAN links
• Branch office connectivity
• VPN support & orchestration
• Application visibility & routing

Software-Defined Wide-Area-Network(SD-WAN)  is an increasingly popular and cost-effective alternative to dedicated network connections and MPLS infrastructures. SD-WAN significantly increases WAN network reliability, agility, and performance by using and aggregating multiple active, load-sharing connections of any type (Broadband/cable, MPLS, 3G/4G).

Advanced data caching, traffic compression, and other WAN optimization capabilities leverage the available bandwidth. This lets you ensure that there is always enough bandwidth for business-critical applications, by automatically making dynamic, on-the-fly adjustments to QoS and application usage policies depending on real-time bandwidth and latency measurements.

Key components of SD-WAN include:

1. Ability to route traffic over your existing network connections with support for multiple network technologies including MPLS, Internet broadband, fiber, LTE, and DSL.
2. Automatic failover of network connections.
3. Ability to dynamically change network paths to optimize network traffic loads.
4. Segmentation to automatically priority and route network traffic based on its source or type.
5. A visual management console that lets administrators manage the network from a central location without dealing with physical network connections.
6. Zero-touch provisioning of new branches and locations.
7. Support for VPNs.

Benefits of SD-WAN:

• Lower costs by replacing expensive ILL & MPLS connections with cost-effective broadband options such as Ethernet, DSL and 3G/4G
• Achieve consistent performance and availability of business-critical and SaaS applications
• Secure traffic from advanced threats across the entire network
• Simplify deployment and ongoing management through centralized administration

OEMs: Sophos, Barracuda, GFI

Email has become the de facto medium through which organisations  carry out their business communication and share important data. The ever-growing popularity has also enabled hackers to use email as an attack vector. As per the statistics, 91% of cyber attacks start with an email. Incoming and outgoing email can expose your organization to viruses, spam, confidential data loss, regulatory violations or legal disputes.

Over the past few years, phishing emails continue to exploit even the most experienced professionals. This is because the attachments in these emails are designed to look legitimate and prod an individual to click on them. Phishing emails can also trick a person into sharing sensitive information by posing as a trusted individual or organization.

The malware sent through email attacks can bring down the reputation of your company to an end. Spam mails not only expose your network to email-borne threats such as phishing, malware and ransomware, but also consumes lot of internet bandwidth and disk space of your desktop/laptop and on premise mail server.

Inbound anti spam gateway solutions have Recipient Verification and Sender Policy Framework tools to enhance email security. An outbound secure email gateway allocates a Spam Confidence Score to each outbound email and inspects it for malware. This process prevents a business´s IP address being blacklisted by global block list agencies. On-premise anti spam solutions can be more customizable than cloud-based solutions.

Secure Email Gateways, provide pre-delivery protection by blocking email based threats, whether on-premise or cloud based mail solutions like Office 365 / G-Suite. They protect businesses from spam, viruses, malware and denial of service(DoS) attacks. The gateway scans all inbound, outbound and internal email communications, including attachments and URLs for signs of malicious or harmful content.

OEMs: Sophos, Barracuda, GFI

VPNs are used by businesses to extend private networks over the public internet, allowing remote workers or offices  to connect to a company’s LAN and its centralised resources . Initially, two basic VPN types were used to achieve this networking solution: Remote-Access VPN and Site-to-Site VPN.

Site to site VPN:

IPSec based VPNs  create a tunnel between two network and provide direct (non-proxied) access and full visibility to the entire network.  IPSec needs compatible VPN gateway at both locations to protect from hackers who can use the remote IPSec VPN tunnel to gain unauthorized access to the corporate network. VPN gateways are in charge of authentication of the user and the network, encryption, and the integrity of the data.

Intranet-based site-to-site VPNs are used to combine the LANs of multiple office locations into one single private network., which would then be known as a WAN (Wide Area Network). Extranet-based site-to-site VPNs, on the other hand, allow your company to use the public internet to connect its LAN with those of other companies, customers, or communities.

L2TP or Layer 2 Tunneling Protocol is the result of a partnership between Cisco and Microsoft. It was created to provide a more secure VPN protocol than PPTP. L2TP uses 256 bit keys giving a higher level of encryption. It uses the IPSec suite to provide end-to-end encryption, data origin authentication, replay protection, as well as data integrity. L2TP VPN is a combined protocol that has all the features of PPTP, but runs over a faster transport protocol (UDP) thus making it more firewall friendly.

Remote access VPN

SSL VPNs are designed specifically to enable increased productivity for remote users by providing easy-to-use, secure remote access to applications. SSL works at the application layer instead of the network layer, providing the highly granular policy and access control needed for secure remote access. Because SSL is included in all modern browsers, SSL VPNs can empower today’s mobile workforce with clientless remote access. A remote-access VPN requires a VPN gateway, to encrypt/ decrypt  the outgoing/incoming traffic,  authenticate the credentials of any device attempting to sign into the VPN.

PPTP (Point-to-Point Tunneling Protocol)  VPN developed by Microsoft uses 128-bit encryption which makes it the fastest but the weakest in terms of security. PPTP is supported on MS Windows  by default and easy to configure and cheaper. But if you’re dealing with sensitive information, it is not secured enough as it doesn’t require Public Key Infrastructure (PKI) to run, which uses digital certificates for authentication.

OEMs: Sophos, Barracuda, GFI

With more than 70% of corporate data residing on desktops/laptops – the desktop management has become a never-ending job for the IT dept. With increasing service requests and growth in the number of desktops – overall time spent towards this repetitive nature of work- kills the productivity of IT team.

Server or appliance based centralized deployment, ease of installation & configuration, light weight & performance optimised, granular report and post installation support–are the key factors of choosing the right solution.

DLP & Encryption

Data leakage prevention solution with user Identity-based policies helps to  protect sensitive corporate data, preserve customer data privacy and meet regulatory compliance and security requirements while retaining work flexibility. Network security appliances offer gateway data leakage prevention controlling data transfer over email, web mail, file upload and file transfer applications.

Email Leakage Prevention – Organizations have to implement Identity-based policies to block attachments and forward email copies of departing and pre-specified employees to their managers and IT security. The result is quick preventive action against data leakage. Email archiving prevents destruction of critical data.

Web Leakage Prevention – Firewall prevents file upload over HTTP, Web mail, FTP, P2P and other file sharing applications based on username and work profile.

Instant Messenger Leakage Prevention – Firewall can be configured to  block  chat conversations based on pre-specified keywords and file transfer over IM in accordance with Identity-based policies.

Encrypted HTTPS/SSL Protocol Leakage Prevention – Cyberoam controls file upload over HTTPS/SSL websites, preventing misuse of this encrypted medium in the form of unauthorized transfer of sensitive data.

Logging and Reporting – Identity-based logging and reporting includes chat logs which help in monitoring and taking corrective action. The extensive logs and reports support CIPA, HIPAA, PCI DSS regulatory compliance.