
Security Technology: Private WAN & SD-WAN
Written By: Matthew Watkinson
As discussed in our previous blog (you can check it out here), being technology aware is important in today’s landscape as threats and security are advancing at a rapid rate. Sometimes we face challenges in finding the right technology for our organization, one being long-term, cost effective solutions. As we near the end of the second week of Cyber Security Awareness Month, we move our focus to a second security technology with key implications for today’s landscape and a discussion of how you can simplify networking and reduce your costs: private WAN technologies and SD-WAN.
Within the last couple of years, there has been an increase in requests to move away from dedicated private WAN technologies like MPLS to more flexible technologies such as SD-WAN and those that facilitate Zero-Trust architectures.
Security implementation is not exclusively about denying process, blocking activities, and eliminating risk by being in the way. Security should be about empowering the business to operate as smoothly as possible, and empower users to work in the most effective manner possible.
The Costs of Private WAN Technologies
In traditional private WAN topologies, many remote sites are interconnected through a private WAN setup, such as a dedicated MPLS provider, or even dedicated SD-WAN hardware that is operated like MPLS, funnelling all internet-bound traffic from every site out through the private WAN.
With more services being consumed in a SaaS or IaaS model from public clouds, these services are moving even further away from office workers. Applications that used to be available at the local site, in organizational datacenters, or in colocation facilities over private WAN links now have to cross those same boundaries, and then add further networking distance by crossing internet links to reach the required resources.
Bringing internet access closer to the consumer has become a way to reduce spending on private WAN links, simplify routing and networking, and distribute internet access through SD-WAN topologies. This has been a very popular request from our customers as they have adopted cloud technologies faster, especially during the current heavy reliance on work-from-home. As these technologies are adopted, they put more demand on enterprise WAN edges, and decentralizing this access has relieved that pressure across the organization.
Managed private WAN circuits cost money. Serious money. Providers account for the possibility of outages, and SLA penalties are costed into your monthly fees. You effectively pay extra for the privilege of the service provider having to give you a “rebate” during an SLA non-compliant window. Unmanaged WAN technologies like GPON and DSL have become much more resilient and stable in the last decade. These networks that are traditionally “less stable” have greatly increased in stability with advances in technology and the reduction in costs that came along with them. That said, the cost of these services has increased. Managed network circuits still have fantastic uptime and stability, but the delta between managed and unmanaged circuits in actual performance has dropped significantly.
Managed circuits still experience outages, rare as they are, but the money you “get back” on an SLA penalty doesn’t really recover the cost of a site being down or degraded. It is just an incentive for your ISP not to make silly mistakes. But with unmanaged circuits being so affordable now, third-party players in the market reselling primary provider bandwidth, and reasonably priced LTE bandwidth available just about everywhere in North America, you can self-manage a reasonably high connectivity profile just by getting your WAN bandwidth from one of these more cost-effective solutions. To reduce single points of failure, layer multiples of these more cost-effective WAN solutions and you are well on your way to providing better performing networks.
The Promise of SD-WAN
The benefit of SD-WAN over private networking is that the consumer can take advantage of the increased resilience of commodity networks relative to managed circuits, and use the power of software to bond cheaper circuits together so that they “add up” to the resiliency of more robust networking.
By moving traffic to unmanaged circuits, moving off dedicated bandwidth links, and taking the power into your own hands, you can absorb the risk of outages and operate with:
- Lower costs
- Since you are using unmanaged links with minimal to no SLA penalties, you aren’t paying extra “insurance” for links being down during normal operation. This lets you “self-insure” and gain additional resiliency by using multiple links with different media and “last miles” to eliminate single points of failure
- Better Application performance
- Since we are now delivering true internet to remote sites, we can leverage WAN security technologies right at the remote site. This means you are not piping all of your remote site traffic through your central egress points, and you can decentralize the security processing power, allowing for better performance at reduced cost for both internally hosted applications and SaaS/IaaS public cloud services
- Better stability
- Since we are saving some money by using unmanaged links, add additional diverse carriers/providers into your WAN edge at each site. E.g. instead of an MPLS link costing you $1000/month for 200 Mbps you can get:
- Commercial unmanaged 1 Gbps fibre line for $200/month
- 500 Mbps cable internet for $100/month
- 120 Mbps cable internet from provider #2 for $90/month
- And you still have plenty of money to build out an LTE Data Pool for all of your remote sites to have backup LTE modems in the unlikely event that all of your wired providers suffer an outage at the same time.
Note: all prices collected based on information available for local providers in October 2020
- Better user internet experience
- By bringing internet in right at the remote location, instead of through a central network ingress/egress point reached over a private WAN link, latency is reduced and you have more bandwidth to serve your users
- Potentially shorter recovery periods
- In the event that something does affect the hard-wired network connections, you have wireless backups in place to take over during the failover period
- You now have multiple different service providers working on getting your wired networking back in place, making it more likely that your reconnection will be quick
Securing your new distributed WAN edge
SD-WAN topologies come with their own complications. Distributed environments already have their own wireless and wired networking and network authentication, and adding a distributed, decentralized security model adds complications of its own. With private WAN links, internet edge filtering is easily accomplished through a limited set of controlled network access points: firewalls, web filters, IPSs, etc. But as soon as you have multiple internet ingresses into the environment, all of these security resources must also be made available at each local site. Tying security into SD-WAN is fundamental to its success.
When we look at the Fortinet SD-WAN/SDBranch model of distributed network access, it offers the following benefits:
- Each local site edge device (a FortiGate) acts as the site’s local wireless/wired networking controller. No more requirement for management networks to have internet access.
- Each local site edge device provides full-stack network security, including:
- Network antimalware and sandboxing – detect malicious code before it hits your endpoints
- Web filtering – mitigate risk by blocking websites with unknown and unproven track records
- Intrusion prevention – mitigate both server-side and client-side threats as they cross your network perimeter
- SSL inspection – we have seen web browsing traffic that contained over 93% HTTPS content. Without SSL inspection, HTTPS is functionally a tunnel past your entire network security stack.
- The SD-WAN routing engine provides full path monitoring, not only for each destination but also for specific applications. When a path is deemed unfit for a specific application, such as VoIP, that application is rerouted, while less sensitive applications can continue to use the same path.
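To make the per-application path selection described above concrete, here is an added, simplified model of that decision logic (constructed for this post; it is not Fortinet code and the thresholds, link names and measurements are invented). Each link carries measured latency, jitter and loss; each application has its own SLA; a link that breaches the VoIP SLA gets VoIP moved to the cheapest link that still meets it, while web traffic, whose SLA is looser, stays put.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of per-application SD-WAN path selection (not vendor code).
@dataclass
class Path:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_rank: int  # lower = cheaper link, preferred when several meet the SLA

@dataclass
class AppSla:
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def meets_sla(p: Path, s: AppSla) -> bool:
    return (p.latency_ms <= s.max_latency_ms and p.jitter_ms <= s.max_jitter_ms
            and p.loss_pct <= s.max_loss_pct)

def select_path(paths: List[Path], sla: AppSla, current: Optional[str] = None) -> Path:
    by_name = {p.name: p for p in paths}
    cur = by_name.get(current) if current else None
    if cur is not None and meets_sla(cur, sla):
        return cur  # stay on the current path while it is healthy: avoids flapping
    ok = [p for p in paths if meets_sla(p, sla)]
    if ok:
        return min(ok, key=lambda p: p.cost_rank)  # cheapest link that satisfies the SLA
    # nothing meets the SLA: best effort, least loss first, then lowest latency
    return min(paths, key=lambda p: (p.loss_pct, p.latency_ms))

def route_all(paths: List[Path], slas: List[AppSla],
              current: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    current = current or {}
    return {s.app: select_path(paths, s, current.get(s.app)).name for s in slas}

# Constructed SLAs: VoIP is jitter/loss sensitive, web browsing is tolerant.
SLAS = [AppSla("voip", 150, 30, 1.0), AppSla("web", 400, 100, 5.0)]
# Constructed measurements for four links at one remote site (all healthy).
HEALTHY = [Path("cable1", 20, 5, 0.0, 1), Path("cable2", 25, 6, 0.1, 2),
           Path("fibre", 10, 2, 0.0, 3), Path("lte", 60, 15, 0.5, 4)]
# Constructed fault: cable1 develops jitter and packet loss on its last mile.
DEGRADED = [Path("cable1", 35, 45, 2.0, 1)] + HEALTHY[1:]

def scenario():
    before = route_all(HEALTHY, SLAS)
    after = route_all(DEGRADED, SLAS, current=before)
    return before, after

if __name__ == "__main__":
    print(scenario())
```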
An example SD-WAN Topology
As you can see in the above diagram, by leveraging SD-WAN, secure internet access can be delivered directly to remote sites. Even if you are hosting content in public cloud infrastructure, we can leverage SD-WAN edge technologies to take advantage of the excellent internet connectivity these services offer and provide access directly to your remote sites. Your costly private WAN links have been eliminated, and latency and bandwidth for access to colocated datacenter facilities, private cloud infrastructure, and even hybrid environments have all been improved. Connectivity between remote sites is sent over the best path available, as discovered and measured by the SD-WAN controllers, ensuring a resilient path for all applications communicating between sites inside the SD-WAN ecosystem. If you use multiple public clouds, each one can be attached to the SD-WAN environment, giving each one diverse connectivity through various paths.
How Secure Sense can help
If you don’t have the expertise to run your own SD-WAN deployment, this is where our new Managed BYOA SD-WAN Service comes in. BYOA, bring your own access, allows you, the consumer, to be in control of what you want to spend on a per-link basis to get the best performance per dollar available. We glue all of the links at each of your sites together using SD-WAN technologies to effectively provide you with the combined resiliency of all links. Alternatively, through our partnership with Telus, we can bring network connectivity along with the service, and you still get full control over what connectivity and WAN links are used. Our engineering and architecture staff will guide you through the options for each of your sites, and you can broker connectivity with your ISPs directly or as a bundle through our Telus partnership, ensuring that you stay in control of all your data.
Contact your Secure Sense sales representative at sales@securesense.ca.
Don’t forget, our week 2 pop quiz will be available at 12:00pm EST on LinkedIn. Each week we will be giving away a Yeti Tumbler to one lucky participant!
Talking to our experts can answer any questions you may have about any security technology issues you are facing and give your organization the awareness and confidence to make the best decisions for your security now and for the future. Don’t hesitate to reach out to us at 866-999-7506 or shoot us an email at contactus@securesense.ca.
In honour of Cyber Security Awareness Month, we will be sharing insight on the latest cybersecurity news, tips from Secure Sense experts and general security knowledge geared towards keeping you out of the headlines and focused on what matters most, your business. Don’t miss a beat by following along on our Twitter, Facebook and LinkedIn Pages.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.