
Hybrid work is now the standard as the workplace continues to evolve. These days, employees work wherever they can be most productive, easily moving between home, remote locations, and the traditional heart of most IT operations—the company office and corporate campus.
The explosion of connected devices in campus and branch networks—often personal ones used to access sensitive data and company SaaS applications, along with a growing number of IoT devices to enhance monitoring, streamline operations, and improve overall operational efficiency—presents a specific set of security risks needing a new approach.
Despite evolving network requirements, many teams still rely on traditional technologies such as Virtual LANs (VLANs) and 802.1X NAC for monitoring, segmentation, and enforcement. These legacy approaches create broadcast domains in which threats can proliferate without checks or countermeasures, and they cannot monitor or track device movement, allowing high-risk devices to spread malicious threats.
To protect this critical infrastructure in today’s context, it’s essential for organizations to adopt a more unified and secure networking approach built on Zero Trust principles for superior visibility, control, and security.
‘Secure Everywhere’ Also Includes the Workplace
An advanced software-defined LAN (SD-LAN) is a new approach to LAN connectivity ideally suited to a world of evolving security threats, growing numbers of devices of all types, and hybrid workforces that regularly move between locations and networks.
While legacy LANs struggle to identify devices or users, segment traffic precisely, and track device movement, a Zero Trust software-defined approach leapfrogs these limitations with built-in micro-segmentation for users and devices, device-level visibility, and dynamic policy enforcement at every port. It unifies routing, switching, and security policy control into a centrally managed platform and in the process eliminates hardware lock-in and reduces operational overhead.
SD-LAN solutions with Zero Trust principles built in bring two fundamental characteristics to the task that make them capable of reducing the attack surface while simplifying operations:
- A scalable software-defined architecture: Unlike traditional networks assembled from siloed solutions of WLAN access points, routers, Ethernet switches, and firewalls connected in a hierarchical access-to-distribution-to-core approach, an advanced, secure SD-LAN takes a standards-driven software-defined networking approach. It leverages an overlay connecting across all layers in a full mesh topology, overcoming the challenges found in underlay connection approaches while putting emphasis on decision-making at the edges. An SD-LAN fabric uses an overlay control plane with a central controller to deliver a unified control plane.
- Built-in security features: Legacy architectures require an additional security appliance to enforce policies and protect branch networks. Such enforcement points may sit anywhere in the enterprise LAN, which forces traffic to be steered in and out of them and brings the complexity of rigid configurations. A modern SD-LAN solution with smart edges can embed security directly into the networking function, including the capabilities of a next-generation firewall (NGFW), East-West visibility, and Zero Trust Network Access (ZTNA), which are integrated directly into the edges of the SD-LAN fabric. Smart edges with built-in L4-L7 capabilities enable Zero Trust policy enforcement by controlling access to the enterprise LAN for corporate, guest, and IoT devices based on user identity, security posture, and device privileges, delivering an intelligent security perimeter for the LAN that was not possible before.
Intelligent Enforcement at the Edge
A modern SD-LAN solution's ability to deliver micro-segmentation for granular isolation and control is due to a series of interlocking capabilities. One may think of various criteria as an input to a policy enforcement function, running on the edge of the LAN, while micro-segmentation is one of the key decisions that gets implemented as an outcome. Evaluation criteria that contribute to such an intelligent policy enforcement function on the LAN edge include:
- Device tracking and containment across the LAN: By dividing the network into microsegments, or isolated (smaller) zones, an advanced SD-LAN controls any and all communication between devices and users within the LAN. An SD-LAN solution capable of micro-segmentation can track lateral movement anywhere within the LAN and allow or disallow further movement based on micro-segmentation policies.
- Posture checks for continuous policy-based access control: A modern SD-LAN solution with built-in ZTNA checks continuously for device and user risk postures using real-time, inline evaluation of traffic patterns. The system creates unique tags for users and devices based on their risk posture and user and device identity. Policy control is then implemented to determine traffic flow and track device movement between segments. For example, if a user’s device has an outdated antivirus, it is immediately placed in a quarantine segment to prevent the threat from propagating to the rest of the network.
- Accelerated enforcement of access controls: Unlike traditional switches that rely on software-based access controls, an SD-LAN enforces micro-segmentation at wire speed with network processing hardware. Policy changes are provisioned instantly when the user device moves across the network, ensuring consistent security posture and enforcement are always maintained.
- IoT device auto discovery: To address the increase in unmanaged and headless devices in the enterprise, an SD-LAN can eliminate visibility gaps by automatically identifying and classifying network connected devices using device fingerprinting. This includes IoT and OT devices that lack endpoint agents or built-in user interfaces. Once identified and classified, each device is tagged and mapped to the correct microsegment to enable precise access control and tracking of lateral movement. Flow-level reporting is also generated and analyzed, delivering comprehensive visibility and actionable insights to help strengthen LAN security.
- Complete IoT and OT visibility: With organizations adopting IoT from unknown vendors possibly running outdated operating systems, the threat of unknown vulnerabilities is now higher than ever. An SD-LAN eliminates these risks by automatically identifying and classifying devices with an AI-powered IoT inventory. Once a device is accurately identified, the system generates inline, flow-level reporting that delivers comprehensive 360-degree visibility and analytics, yielding deeper insight and more actionable intelligence to enhance network performance and security.
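As an added illustration, not code from the original post or any vendor product, the following Python sketch models the LAN-edge policy enforcement function just described: identity, fingerprint class and posture are inputs, the output is a microsegment tag plus a default-deny decision for each flow between segments, and the tag is recomputed on every decision so a failed posture check moves the device to quarantine immediately. The segment names, the IoT classes and the rule set (including the MQTT-over-TLS collector port) are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Endpoint:
    mac: str
    identity: str      # authenticated user, or "unknown" for headless/guest devices
    fingerprint: str   # device class from fingerprinting, e.g. "ip-camera"
    managed: bool      # corporate-managed device (endpoint agent present)
    av_current: bool   # posture check result: endpoint protection up to date

# Device classes the fingerprinter reports for headless IoT/OT gear (assumed set).
IOT_CLASSES = {"ip-camera", "hvac-controller", "badge-reader"}

def assign_segment(ep: Endpoint) -> str:
    """Tag an endpoint with a microsegment from posture, device class and identity.
    Rules are evaluated top-down; a failed posture check overrides everything."""
    if not ep.av_current:
        return "quarantine"
    if ep.fingerprint in IOT_CLASSES:
        return "iot-" + ep.fingerprint          # each IoT class gets its own segment
    if ep.managed and ep.identity != "unknown":
        return "corp"
    return "guest"

# Inter-segment policy as (src pattern, dst pattern, dst port or None for any).
# Default deny: a flow is allowed only if at least one rule matches.
RULES = [
    ("quarantine", "remediation", 443),   # quarantined hosts reach only the patch server
    ("corp", "corp", None),
    ("corp", "iot-*", 443),               # admins manage IoT devices over HTTPS only
    ("iot-*", "iot-collector", 8883),     # IoT talks to its collector (MQTT/TLS, assumed) only
    ("guest", "internet", None),
]

def flow_allowed(src_seg: str, dst_seg: str, dst_port: int) -> bool:
    return any(fnmatch(src_seg, s) and fnmatch(dst_seg, d) and (p is None or p == dst_port)
               for s, d, p in RULES)

def enforce(ep: Endpoint, dst_seg: str, dst_port: int) -> tuple[str, bool]:
    """Re-tag on every decision so a posture change re-segments the device at once."""
    seg = assign_segment(ep)
    return seg, flow_allowed(seg, dst_seg, dst_port)

if __name__ == "__main__":
    laptop = Endpoint("aa:bb:cc:00:00:01", "alice", "laptop", True, True)   # constructed
    camera = Endpoint("aa:bb:cc:00:00:02", "unknown", "ip-camera", False, True)
    print(enforce(laptop, "corp", 445))      # ('corp', True)
    laptop.av_current = False                # antivirus goes stale: posture check fails
    print(enforce(laptop, "corp", 445))      # ('quarantine', False)
    print(enforce(camera, "corp", 445))      # ('iot-ip-camera', False): no lateral movement
```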
Simplicity is Security
In looking for a secure SD-LAN solution, organizations should insist that it eliminate the deployment complexities of traditional networks by offering zero-touch provisioning, dynamic smart ports, and template-driven policies. And with unified management for switching, routing, and security, an SD-LAN can further reduce the usual “Day 1” operational challenges seen with siloed tools and inconsistent enforcement.
Finally, a modern SD-LAN with built-in ZTNA and security perimeter reduces ongoing operational overhead by leveraging the power of AI/ML to detect risks, identify the root cause, and resolve performance and security issues faster than before.