
When it comes to network security, there should be no disconnect between the corporate and the distributed locations


Background:
I have a number of customers in the retail industry. Usually, they have a large number of remote locations (restaurants, brick-and-mortar stores, and kiosks). Before cheap, high-speed Internet connections were used for enterprise connectivity (IPsec tunnels over these connections) and before the SD-WAN revolution, all of these remote locations' traffic traversed private connections such as MPLS or frame relay to one or two centralized data centers to reach corporate resources or the Internet. Securing this type of setup was less complicated because you had one or two centralized points to secure (mostly at the edge where the Internet was accessed).

We are now faced with every remote location acting as an "Internet PoP" (point of presence). These locations use an IPsec tunnel over their Internet connection to reach corporate resources. Internet traffic is routed locally over the existing high-speed connection, but with centrally configured and managed firewall/Unified Threat Management (UTM) policies.

My Take:
What I have seen rather often is a disconnect between the corporate and the store security operations groups. Budgets, differences in operational processes and requirements, workload and headcount, as well as internal politics, make it harder for these two teams to strategize, plan and execute holistically.
This usually results in a higher cost of implementation and operation. Multiple skill sets are required to support different vendors/appliances that perform essentially the same function. More importantly, the security gap created by this lack of cohesion and integration could have devastating impacts on the enterprise or brand as a whole.

A good example is the implementation of an Intrusion Prevention System (IPS) in this type of enterprise. If the corporate security group is aware of the remote location network upgrade (refresh) efforts, they could (usually with no need for extra licenses or hardware) ask for the IPS feature of the UTM appliance to be turned on and, with granular administration-profile configuration, manage only that portion of the appliance.

Another example would be the implementation of sandboxing technology throughout this environment. The newly upgraded remote location firewalls or security appliances could act as sensors against zero-day attacks.

I recognize the delicate inner workings of corporate environments and the various departments within an organization, especially in Information Technology (IT). However, the more unified, holistic, dynamic, automated and integrated the corporate IT/network security solutions are, the more the business as a whole benefits.

That’s the bottom line.
