Suppose for a moment you want to construct a secure perimeter around your compute resources in your data center and Amazon Web Services (AWS) implementation. Normally, you’d introduce a firewall and an Intrusion Detection System (IDS) into each location. That way, should a security incident happen in one location, such as a malware outbreak or a denial of service attack, you would be able to mitigate that event without any reengineering work.
But bringing a full “security stack” to the traffic at each location comes with all sorts of problems. It’s expensive, for one. You can spend tens of thousands of dollars for each branch. And you’ll need to monitor, patch and upgrade those appliances. You’ve also fragmented your visibility into the security domain by spreading your security data across all of these appliances.
A far better approach is to flip the scenario. Deploy your security appliances and services in as few regional locations as possible and bring the traffic to the security stack. By doing that, you minimize the number of security appliances that need to be purchased and maintained. Of course, you have the challenge of getting the traffic to the security stack. This is where service insertion and service chaining come into play.
How service insertion and service chaining help
With service insertion, the SD-WAN appliance identifies and steers the traffic of interest (not all of the traffic) based on a predefined policy to the hub location for inspection by the security stack. If the traffic is allowed, it will continue to its destination in the data center, whether it be on premises or in a cloud data center. If it is not allowed, the traffic will be dropped.
Service chaining extends this process a step further, inserting a sequence of services—not just one service—into the network. The SD-WAN steers the traffic through this set of services, such as a firewall and then IDS. Once again, allowed traffic will continue to the data center; traffic failing the process will be dropped.
With service insertion, traffic is brought to the layer 4-7 service for operation, in this case a firewall. Service chaining brings the traffic through a series of layer 4-7 steps, in this case a firewall and then an IDS.
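As an added illustration of the steering logic described above (not any vendor's SD-WAN configuration, and using constructed flows and stand-in firewall and IDS checks), the model below selects traffic of interest by policy, steers it through an ordered hub service chain, and fails closed when a service in the chain rejects the flow or is missing:

```python
# Hypothetical model of SD-WAN service insertion / service chaining.
# Policy names, prefixes and service rules are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class SteeringPolicy:
    name: str
    dst_nets: list   # destination prefixes that make a flow "traffic of interest"
    dports: set      # destination ports of interest (empty set = any port)
    chain: list      # ordered hub services the flow must pass before delivery

def matches(policy, flow):
    in_net = any(ip_address(flow.dst) in ip_network(n) for n in policy.dst_nets)
    return in_net and (not policy.dports or flow.dport in policy.dports)

# Stand-ins for the hub security stack; each returns True (allow) or False (drop).
def firewall(flow):
    return flow.proto == "tcp" and flow.dport in {22, 443, 1433}

def ids(flow):
    # Constructed IDS rule: a source prefix treated as compromised in this sample.
    return ip_address(flow.src) not in ip_network("10.99.0.0/16")

SERVICES = {"firewall": firewall, "ids": ids}

POLICIES = [  # constructed: on-prem DC gets firewall then IDS, cloud DC firewall only
    SteeringPolicy("to-onprem-dc", ["192.168.0.0/16"], set(), ["firewall", "ids"]),
    SteeringPolicy("to-cloud-dc", ["10.50.0.0/16"], {443, 1433}, ["firewall"]),
]

def steer(flow, policies=POLICIES):
    """Return (verdict, path). Verdict is 'forward', 'steered' or 'dropped by <svc>'."""
    for policy in policies:
        if matches(policy, flow):
            path = ["hub"]
            for svc in policy.chain:          # service chaining: ordered evaluation
                handler = SERVICES.get(svc)
                if handler is None or not handler(flow):   # fail closed
                    return f"dropped by {svc}", path + [svc]
                path.append(svc)
            return "steered", path + ["dest"]
    return "forward", ["dest"]  # not traffic of interest: direct path, no hub detour
```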
Service chaining and insertion are commonly thought of for security, but they can be used whenever you want to maximize the investment in your networking equipment. Let me give you another example.
An engineering firm with 11 sites in the U.S. and three sites in the Asia Pacific (Tokyo, Singapore and Hong Kong) was struggling with moving some very large CAD images between the offices in the different regions. Within region, each office had plenty of bandwidth and the latency was such that throughput wasn’t an issue. Across the Pacific, though, was another story. WAN optimization would have compressed and deduplicated those large CAD images, solving the problem, but the client didn’t want to deploy WAN optimization at each location.
With service insertion, we were able to solve the problem far more affordably. Only two locations—one in Tokyo and one in San Francisco—were equipped with WAN optimization equipment. We were able to steer the necessary flows in the U.S. to the WAN optimization appliance in the San Francisco office for treatment and delivery before sending them to the Tokyo office. Once they reached the Tokyo office, the flows were broken out and steered to the necessary locations.
Service chaining and service insertion are powerful ways to expand the agility and utility of your network. They are often considered tools for very large companies, but the reality is that any organization can benefit from the control they provide.
This article is published as part of the IDG Contributor Network.