Security-Driven Networking, SD-WAN, and the New Edge: A Q&A with John Maddison

Fortinet's John Maddison, EVP of Products and Solutions, recently sat down for an interview with Dan Woods from Early Adopter Research to discuss what is top of mind for CISOs and security leaders. They discussed three topics: SD-WAN, security-driven networking, and the arrival of the edge. Here are a few brief excerpts from that recording. Clickhere to read or listen to the entire podcast.

SD-WAN has been around for four or five years. What is it and why has it recently become more popular?

There are really two main WAN markets or different use cases. There was what I'd call the distributed enterprise made up of many thousands of retail outlets that needed a cheap transport mechanism back to headquarters, and there was another marketplace called the branch office which a smaller number of locations, that needed to bring all traffic back to the data center where all the applications were.

These marketplaces have started to merge. As enterprises roll out public cloud and SaaS applications, for example, applications don't always go back to the data center. They go to different places. The same for the retail marketplace. Their two main use case drivers are: I want to be able to have more flexibility around applications go because my workloads are moving around, and I want choice on what transport methods I use inside the wide area network.

What's the difference between an SD-WAN system that has security and one that doesn't?

Most of the original SD-WAN vendors were focused on the routing stack. A lot of them forgot that when you open up that wide area network you're then creating an edge that needs to be protected. That requires a higher grade of security built into the SD-WAN controller than was originally being provided.

We believe that networking and security should be integrated and combined. That's why we have a huge investment in building out what we call security processing units and ASICs to make sure that can happen. Our custom-built SD-WAN and Security ASICs allow us to not only run the SD-WAN stack, but also an enterprise-grade security stack in the same appliance. We can see who's attaching, we can see what devices, we can apply policy end to end from the customer premise through the WAN into the cloud, into the data center. It's a holistic concept instead of a layered concept of making sure you can connect applications securely to users.

How soon do you think people will start doing security-driven networking on a larger scale?

SD-WAN is a perfect example of security-driven networking, where having security in place as a foundation allows the network to scale and change without compromising security. In the future, we'll see this same approach applied to the cloud and 5G because of the elastic nature of those environments and protocols. New edge devices and networks will need that security-driven networking approach as well.

The conversation about what's called the edge and what's called the perimeter has become confusing because sometimes people talk about the perimeter as if it's an edge, and they talk about the edge as if it's a class of computing devices. We're going to set the terms right now. When we're talking about a boundary between one domain of computing and another, we're going to call that a perimeter, and we're going to call the edge all of the devices that are emerging now, the IoT in general. How does all of this impact security?

It's all a matter of trust. If you go back not so long ago, the perimeter was pretty small. It was in the data center. In fact, even a big global organization would have just a couple of data centers designated as the internet connection, and that was the perimeter for customers. The other side of the perimeter was endpoints, and those endpoints would go offline, go home, connect into other places. So those were the two pieces of the perimeter.

What we've called perimeters are becoming edges, in our opinion. You've got to be very aware of the edges. You've got to know where they're appearing, and you need that visibility across your network to make sure you see that. One of the new edges that is appearing is the branch office. They used to connect that back to the data center and that was it. Now you're opening up different transport mechanisms. That becomes what we call the WAN edge. Similarly, when you think about a factory where you're starting to put IP-enabled devices, that's creating an OT edge or factory edge.

These edges are going to appear all over the place. Security-driven networking is the idea of bringing security and networking together, but you're going to need many different types of security ­- not just appliances, not just virtual machines, not just agents and software. You're going to need containers in the cloud. APIs will let you extend security to SaaS applications. 5G is another one. When you start rolling out compute not only from in your data center and clouds, but also edge computing for certain applications, this will create additional edges that need to be secured as well.

What's important is that you understand that networks are going to be hybrid environments for a long time, if not forever. So you need different types of technology and security. You need appliances, you need virtual machines, you need APIs, and containers. But most importantly, you need to be able to coordinate policy across all of those things.

You can read or listen to the entire interview, entitled 'How Can SD WAN Help Cybersecurity: A Podcast with Fortinet's John Maddison' on the Early Adopter Research websitehere.

Fortinet's Secure SD-WAN solution includes best-of-breed next-generation firewall (NGFW) security, SD-WAN, advanced routing, and WAN optimization capabilities, delivering a security-driven networking WAN edge transformation in a unified offering.

Read these customer case studies to see how Warrior Invictus Holding Co., Inc. and the District School Board of Niagara implemented Fortinet's Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.