WAN edge infrastructure is one of the most rapidly changing areas of IT, driven largely by the unabated migration of business applications to SaaS offerings and to public clouds or IaaS instances. As reported by Forbes, 83 percent of enterprise workloads will be hosted in the cloud by 2020. No longer hosted solely in corporate data centers, applications are now hosted anywhere, and often in multiple locations. SaaS and IaaS providers strategically host their services in multiple data centers around the globe, in the metropolitan areas where business users are located. Connecting users to the closest SaaS and IaaS instances minimizes data transmission latency and delivers the highest cloud application performance to end users.

However, traditional device-centric WAN architectures based on branch routers can't take advantage of the distributed nature of cloud applications and services. Why? Because, to protect the enterprise from threats, they typically route cloud-destined application traffic from the branch back to a headquarters-based security stack before sending it to the internet. Traffic is then steered to the SaaS or IaaS instances closest to HQ rather than to the instances closest to the users in the branch. This "trombone" traffic pattern adds latency, which degrades application performance.

The solution is local internet breakout (LIB): sending cloud-destined traffic directly from the branch to the closest SaaS or IaaS instance, over the internet. LIB requires a level of application awareness and automation not available in traditional routers, and it has spawned a new, software-defined approach to the WAN: SD-WAN.

A New Security Approach Complements a Modern WAN

But sending traffic over the internet is not as secure as using private leased-line connections. Actively using internet connections to transport enterprise application traffic increases the attack surface and exposes the enterprise directly to internet-borne threats. Therefore, just as with the WAN, delivering the best cloud application user experience requires a new, modern approach to security. That approach is cloud-hosted security.

Cloud-hosted security services centralize the entire security stack and locate it in the cloud, instead of deploying dedicated, expensive security appliances at each branch location. The cloud-hosted security stack includes not only next-generation firewall services but also IDS/IPS, URL filtering, UTM, antivirus protection, sandboxing and more. Cloud-hosted security services use security enforcement points of presence (PoPs) strategically located near, and often co-located with, SaaS and IaaS PoPs. By placing security enforcement as close as possible to both the branch locations and the SaaS and IaaS instances, they allow local internet breakout to deliver the best application performance and branch security at the same time. Automated daily threat definition updates ensure consistent security policy enforcement across the enterprise.

Automating Cloud-hosted Security Service Chaining

This is where the complementary nature of SD-WAN and cloud-hosted security is really on point. The SD-WAN must identify application traffic and steer it appropriately to enforce granular security policies: which flows may break out directly, and which must pass through the cloud-hosted security stack first. Implementing policy #3, steering selected traffic through the cloud-hosted security stack, requires establishing secure IPsec tunnels between the branch SD-WAN appliance and the closest cloud-security enforcement PoP. Manually configuring these tunnels for tens, hundreds or thousands of branch locations is complex, time-consuming and error-prone. Thankfully for IT, Aruba and Check Point have partnered to automate and streamline cloud-hosted security service chaining. From the Aruba Orchestrator management console, a user provides their Check Point subscription information.
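To make the steering logic concrete, here is an added illustrative example; it is not Aruba, Check Point or Orchestrator code. It models a branch appliance that takes a classified flow, walks an ordered policy list, and for flows that must be inspected selects the lowest-RTT cloud-security PoP whose IPsec tunnel is up, failing closed when no PoP is reachable. The policy names, application categories, PoPs, RTT values and sample flows are all constructed for the example.

```python
"""Illustrative SD-WAN traffic-steering policy engine.

Added example, not vendor code. Models the three things a branch appliance
can do with a flow once the SD-WAN has identified the application:
  - break out locally to the internet (LIB) for explicitly trusted SaaS,
  - service-chain it through an IPsec tunnel to the nearest cloud-security PoP,
  - backhaul it to HQ (the legacy "trombone" path) for internal apps.
All names, RTTs and flows below are constructed (assumptions, not measurements).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Action(Enum):
    DIRECT_BREAKOUT = "direct"          # straight to the internet, no inspection
    CLOUD_SECURITY = "cloud-security"   # IPsec tunnel to a security PoP
    BACKHAUL_HQ = "backhaul-hq"         # via the HQ security stack
    DROP = "drop"                       # fail closed


@dataclass(frozen=True)
class Flow:
    app: str        # application label from the SD-WAN classifier
    dst: str        # destination host (informational)
    category: str   # constructed categories: "saas", "web", "internal", "unknown"


@dataclass
class SecurityPoP:
    name: str
    rtt_ms: float            # round-trip time measured from the branch
    tunnel_up: bool = True   # IPsec SA established and passing traffic


@dataclass
class Policy:
    name: str
    match: Callable[[Flow], bool]
    action: Action


def nearest_pop(pops: List[SecurityPoP], max_rtt_ms: float = 100.0) -> Optional[SecurityPoP]:
    """Lowest-RTT PoP whose tunnel is up and within the RTT budget, else None.

    A PoP with a down tunnel is skipped even if it is the closest, so the
    branch fails over to the next-nearest enforcement point automatically.
    """
    healthy = [p for p in pops if p.tunnel_up and p.rtt_ms <= max_rtt_ms]
    return min(healthy, key=lambda p: p.rtt_ms) if healthy else None


def steer(flow: Flow, policies: List[Policy], pops: List[SecurityPoP]) -> Tuple[Action, Optional[str]]:
    """Return (action, pop_name). First matching policy wins.

    If the matching policy requires cloud security but no PoP is reachable,
    the flow is dropped rather than sent to the internet uninspected.
    Flows matching no policy are also dropped (implicit deny).
    """
    for policy in policies:
        if policy.match(flow):
            if policy.action is Action.CLOUD_SECURITY:
                pop = nearest_pop(pops)
                if pop is None:
                    return Action.DROP, None      # fail closed
                return Action.CLOUD_SECURITY, pop.name
            return policy.action, None
    return Action.DROP, None


# Constructed allowlist: only these SaaS apps may bypass the security stack.
TRUSTED_SAAS = {"office365", "salesforce"}

POLICIES = [
    Policy("trusted-saas-direct",
           lambda f: f.category == "saas" and f.app in TRUSTED_SAAS,
           Action.DIRECT_BREAKOUT),
    Policy("internal-backhaul",
           lambda f: f.category == "internal",
           Action.BACKHAUL_HQ),
    # Everything else, including SaaS not on the allowlist, is inspected.
    Policy("default-cloud-security", lambda f: True, Action.CLOUD_SECURITY),
]

# Constructed PoP table: the closest PoP currently has its tunnel down.
POPS = [
    SecurityPoP("pop-sfo", rtt_ms=12.0, tunnel_up=False),
    SecurityPoP("pop-sjc", rtt_ms=25.0),
    SecurityPoP("pop-lax", rtt_ms=80.0),
]


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """Steer a handful of constructed flows and return the decisions."""
    flows = [
        Flow("office365", "outlook.office365.com", "saas"),
        Flow("dropbox", "www.dropbox.com", "saas"),
        Flow("erp", "erp.corp.example", "internal"),
        Flow("http", "example.com", "unknown"),
    ]
    return [(f.app, *(lambda a, p: (a.value, p))(*steer(f, POLICIES, POPS))) for f in flows]


if __name__ == "__main__":
    for app, action, pop in demo():
        print(f"{app:10s} -> {action:15s} {pop or ''}")
```

Two design choices matter here for a practitioner. Direct breakout skips the enforcement stack entirely, so it is granted only by an explicit allowlist; an unlisted SaaS app falls through to inspection. And when no enforcement PoP is reachable the engine drops rather than breaking out, because the whole point of the service chain is that internet-bound traffic does not leave the branch uninspected.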