
25 October 2021

Fortinet Secure SD-WAN

This is the third article I've written about SD-WAN because I've been reading and studying a lot about this kind of network lately. I had already worked with SD-WAN years ago, when I had to configure eight WAN uplinks in a datacenter and send traffic over all of them. It was really easy with this kind of technology. Therefore, I've configured lots of SD-WAN deployments since then. However, these days I've had to learn how SD-WAN works in Juniper 128T and Nokia Nuage for a new project. This is the main reason I'm also writing about SD-WAN today.

SD-WAN is very interesting when we have lots of WAN uplinks and want to send each type of traffic over a different WAN link: for instance, mail traffic over one link, web traffic over another and streaming traffic over a third. It is also interesting when we have lots of branches or small offices and need to manage all of them from a centralized platform, where we configure and deploy all WAN links easily and quickly. Juniper and Nokia can do this, but Fortinet can also do it from the security perspective: in addition to SD-WAN, Fortinet adds NGFW features to the branch.

Secure SD-WAN - All in one SDWAN + Security

SDN architectures are based on three planes, management, control and data, where each plane is a separate component or device. For instance, Nokia Nuage has a true SDN architecture because the VSD is the management plane, the VSC is the control plane and the NSG is the data plane. However, Juniper and Fortinet work like an SDN architecture without being a true one: for Juniper, the Conductor is the management plane and the SSR is the control and data planes, while for Fortinet, FortiManager is the management plane and FortiGate is the control and data planes.

Secure SD-WAN architecture components

The provisioning process is really important when there are lots of branches because SD-WAN projects require configuring and deploying each branch remotely and quickly, without the need to travel there. For example, we can use FortiDeploy along with FortiManager to install FortiGate devices in branch offices quickly. Once the FortiGate devices are connected to the Internet, we can use FortiDeploy to push the FortiManager IP address to them, which is where we are going to manage them centrally. Once we see the branch device in FortiManager, we can deploy the configuration.

Zero Touch Provisioning (ZTP)

Reading and studying about SD-WAN these days, I've come across the Magic Quadrant for WAN Edge Infrastructure, where we can see Fortinet and VMware as leaders for SD-WAN. I think Fortinet is a leader because FortiGate adds security features to the branch. With regard to VMware, they are also leaders thanks to the recent VeloCloud acquisition. As for Juniper 128T, who are visionaries, I think the tunnel-less technology is really innovative. Finally, Nokia Nuage is a true SDN solution which works very well and has already been deployed in many countries.

Fortinet recognized as a leader for WAN Edge Infrastructure

Regards my friends! What SD-WAN solution would you like to deploy?

18 October 2021

Nokia Nuage SDN

When someone asks you what SDN is and what its benefits are, sometimes we don't know what to reply. We know how to design a network architecture and which devices to buy for the customer's request, but sometimes we don't realise that we are deploying an SDN solution. For instance, when a customer with several Internet links wants all VoIP traffic to use only one link, with another one as backup, and the rest of the traffic to use a different Internet link, we know they need an SD-WAN solution, which is actually an SDN solution.
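The steering decision described in this paragraph and in the Fortinet post above (mail, web and streaming each on their own uplink; VoIP pinned to one link with a backup) is, at its core, a rule table evaluated against each new flow plus a health check on the candidate links. The following is an added illustration written for this page, not code from Fortinet, Juniper or Nokia: link names, ports, DSCP values and loss figures are constructed, and the SLA threshold semantics are an assumption of the model.

```python
"""Added example: policy-based path steering with SLA-driven failover.
Not vendor code; links, rules and health values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Link:
    name: str
    up: bool = True
    loss_pct: float = 0.0      # measured packet loss (constructed values)


@dataclass
class Flow:
    proto: str
    dport: int
    dscp: int = 0


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    preferred: List[str]        # ordered link names; first eligible one wins
    max_loss_pct: float = 100.0 # SLA threshold (assumption): above it the link is skipped


def link_eligible(link: Link, rule: Rule) -> bool:
    return link.up and link.loss_pct <= rule.max_loss_pct


def select_link(flow: Flow, rules: List[Rule], links: Dict[str, Link], default: str) -> str:
    """First matching rule decides; within it, the first link meeting the SLA.
    If the rule matched but none of its links is usable, fall back to the
    default link, and finally to any link that is still up."""
    for rule in rules:
        if rule.match(flow):
            for name in rule.preferred:
                if link_eligible(links[name], rule):
                    return name
            break
    if links[default].up:
        return default
    alive = [n for n, l in links.items() if l.up]
    if not alive:
        raise RuntimeError("no WAN link available")
    return alive[0]


def build_rules() -> List[Rule]:
    # VoIP: EF-marked or SIP signalling, wan1 preferred, wan2 backup, loss <= 1%
    return [
        Rule("voip", lambda f: f.dscp == 46 or (f.proto == "udp" and f.dport == 5060),
             ["wan1", "wan2"], max_loss_pct=1.0),
        Rule("mail", lambda f: f.proto == "tcp" and f.dport in (25, 587, 993),
             ["wan3", "wan2"]),
        Rule("web", lambda f: f.proto == "tcp" and f.dport in (80, 443),
             ["wan2", "wan3"]),
    ]


def build_links(**state) -> Dict[str, Link]:
    """Three uplinks; keyword overrides inject constructed health state,
    e.g. build_links(wan1={"loss_pct": 3.0})."""
    links = {n: Link(n) for n in ("wan1", "wan2", "wan3")}
    for name, attrs in state.items():
        for key, value in attrs.items():
            setattr(links[name], key, value)
    return links


def steer(flow: Flow, **state) -> str:
    return select_link(flow, build_rules(), build_links(**state), default="wan2")


if __name__ == "__main__":
    voip = Flow("udp", 5060, dscp=46)
    print("voip, all healthy      ->", steer(voip))
    print("voip, wan1 lossy       ->", steer(voip, wan1={"loss_pct": 3.0}))
    print("mail                   ->", steer(Flow("tcp", 25)))
    print("web                    ->", steer(Flow("tcp", 443)))
    print("unmatched (ssh)        ->", steer(Flow("tcp", 22)))
```

The point to notice is the failover order: a VoIP flow leaves wan1 not only when the link is down but also when its measured loss breaches the rule's SLA, while flows that match no rule simply take the default link. Real products add hysteresis and per-application probing on top of this, but the decision structure is the same.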

At the beginning of WAN networks, if you wanted a private network between an office and the datacenter, or between two offices, you had to buy a leased line, which was really expensive. Later on, frame relay allowed several customers to share the same physical network, so it was cheaper. Today, IP/MPLS networks are like frame relay, but they also give us better QoS for applications. However, I think SD-WANs are the networks of the future because they are transport-independent and we can manage and control the whole network from a centralized point.

WAN networks evolution

Nokia Nuage is one of the SD-WAN solutions based on SDN. This solution has four main components. The Virtualized Services Directory (VSD) is the management console where network administrators design the architecture and define the network policies. The Virtualized Services Controller (VSC) holds the network control plane, and all branches' configurations are stored in this device. The Network Service Gateway (NSG) is the edge router where the data plane takes place. Finally, the Elasticsearch (ES) component is a database used by the VSD to show network statistics.

Nuage Virtualized Network Services (VNS)

Nokia Nuage is an SDN solution where we can see each component of an SDN architecture clearly because the data plane, control plane and management plane are each a separate component. The control plane (VSC) and the management plane (VSD) are usually deployed in high availability, so a load balancer is needed. In addition, we can install NSG-UBRs to break out traffic to another network. For example, we can configure a backup private network through the Internet for when the main IP/MPLS network fails.

Nuage VNS standard deployment architecture

Finally, if you are going to configure and deploy a Nokia Nuage SD-WAN solution, you have to know how to configure the network topology. First of all, we have to configure an Enterprise, which is a tenant or end user; enterprises are isolated from each other. The Domain is a layer 3 instance, like a VPRN or VRF, and domains are also isolated from each other, although shared domains with route leaking are possible. A Subnet is a layer 2 instance, like a VPLS. A Zone is an administrative group of subnets which share the same policies. The last component is the vPort, which is a virtual interface of a VM (virtual machine) or a LAN-side port+VLAN.
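To make the hierarchy concrete, here is an added model of these abstractions (Enterprise, Domain, Zone, Subnet, vPort) with the isolation rules the paragraph states. It is illustration code written for this page, not Nokia's data model or policy engine: the "default deny between zones" and "leak then apply the source domain's zone policy" behaviour are assumptions of the model, and all names and addresses are constructed.

```python
"""Added example: a simplified model of Nuage service abstractions and the
reachability rules the post describes. Not Nokia code; policy defaults are
assumptions, and the enterprises, domains and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Subnet:          # layer 2 instance (like a VPLS)
    name: str
    cidr: str
    zone: str          # administrative group of subnets sharing one policy


@dataclass
class Domain:          # layer 3 instance (like a VPRN/VRF)
    name: str
    enterprise: str    # tenant; enterprises never see each other
    subnets: Dict[str, Subnet] = field(default_factory=dict)
    zone_policy: Set[Tuple[str, str]] = field(default_factory=set)  # allowed (from, to)
    leaks_to: Set[str] = field(default_factory=set)  # domains it shares routes with (assumption)


@dataclass
class VPort:           # virtual interface of a VM, or a LAN port+VLAN
    name: str
    domain: str
    subnet: str
    ip: str


class Topology:
    def __init__(self) -> None:
        self.domains: Dict[str, Domain] = {}
        self.vports: Dict[str, VPort] = {}

    def add_domain(self, domain: Domain) -> None:
        self.domains[domain.name] = domain

    def add_vport(self, vp: VPort) -> None:
        subnet = self.domains[vp.domain].subnets[vp.subnet]
        if ipaddress.ip_address(vp.ip) not in ipaddress.ip_network(subnet.cidr):
            raise ValueError(f"{vp.ip} is outside {subnet.cidr}")
        self.vports[vp.name] = vp

    def can_reach(self, src: str, dst: str) -> Tuple[bool, str]:
        """Walk the hierarchy top-down: tenant, then L3 domain, then L2
        subnet, then zone policy (modelled as default deny)."""
        a, b = self.vports[src], self.vports[dst]
        da, db = self.domains[a.domain], self.domains[b.domain]
        if da.enterprise != db.enterprise:
            return False, "enterprises are isolated tenants"
        if da.name != db.name and db.name not in da.leaks_to:
            return False, "domains are separate L3 instances (no route leaking)"
        if da.name == db.name and a.subnet == b.subnet:
            return True, "same subnet (L2 reachability)"
        za, zb = da.subnets[a.subnet].zone, db.subnets[b.subnet].zone
        if da.name == db.name and za == zb:
            return True, "same zone, same policy"
        if (za, zb) in da.zone_policy:
            return True, f"zone policy {za}->{zb} permits"
        return False, f"no zone policy {za}->{zb} (default deny in this model)"


def build_demo(leak_guest: bool = False) -> Topology:
    t = Topology()
    corp = Domain("corp", "acme")
    corp.subnets["users"] = Subnet("users", "10.1.0.0/24", "office")
    corp.subnets["printers"] = Subnet("printers", "10.1.1.0/24", "office")
    corp.subnets["servers"] = Subnet("servers", "10.1.2.0/24", "dc")
    corp.zone_policy.add(("office", "dc"))      # office may initiate to dc, not back
    guest = Domain("guest", "acme")
    guest.subnets["wifi"] = Subnet("wifi", "10.9.0.0/24", "guest")
    other = Domain("globex-corp", "globex")     # second tenant reusing 10.1.0.0/24
    other.subnets["users"] = Subnet("users", "10.1.0.0/24", "office")
    if leak_guest:
        corp.leaks_to.add("guest")
        corp.zone_policy.add(("office", "guest"))
    for d in (corp, guest, other):
        t.add_domain(d)
    for vp in (VPort("pc1", "corp", "users", "10.1.0.10"),
               VPort("pc2", "corp", "users", "10.1.0.11"),
               VPort("prn", "corp", "printers", "10.1.1.5"),
               VPort("srv", "corp", "servers", "10.1.2.5"),
               VPort("guest1", "guest", "wifi", "10.9.0.7"),
               VPort("gx1", "globex-corp", "users", "10.1.0.10")):
        t.add_vport(vp)
    return t


if __name__ == "__main__":
    t = build_demo()
    for pair in (("pc1", "pc2"), ("pc1", "prn"), ("pc1", "srv"),
                 ("srv", "pc1"), ("pc1", "guest1"), ("pc1", "gx1")):
        print(pair, t.can_reach(*pair))
```

Two things the model makes visible: overlapping address space across tenants (pc1 and gx1 both have 10.1.0.10) is fine because the enterprise check comes first, and opening a path from corp to guest needs both the route leak and a zone policy entry, which is the kind of two-step change that is easy to get half right.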

Service abstractions

Regards my friends! What SD-WAN solution do you like?

11 October 2021

Juniper 128T Session Smart SD-WAN

I've installed and configured SD-WAN networks just for redundant Internet links, where customers have more than one Internet link for high availability: if the primary link goes down, another one works as a backup link, or both even work as active/active links. I've configured this kind of service mainly with FortiGate devices because customers wanted NGFW and SD-WAN in the same box, but today I would like to write about Juniper 128T, which is a revolutionary SD-WAN solution with Session Smart Routing.

First of all, I would like to tell you who 128T is. It is a U.S. company, acquired by Juniper last year, which has sold mainly SD-WAN solutions in the US. For instance, they have deployed SD-WAN in the U.S. DoD, where performance and security are really important. Juniper wants to take this solution to the rest of the world, as well as accelerate the industry's evolution from first-generation SD-WAN technology, which focuses on optimizing connections from branch to cloud, to a modern AI-driven network that optimizes user experiences from client to cloud.

128 Session Smart

There are four business benefits I would like to tell you about. The first is that the SD-WAN works without tunnels, which I think is really powerful and revolutionary because there is no overhead, which increases network performance. The second is the adaptive encryption technology, which is very interesting because we can encrypt all traffic or only the traffic that is not already encrypted. The third benefit is that it is software-based, so we can install 128T wherever we want. Finally, the fourth benefit is session awareness, where there is a forwarding table with source addresses to route traffic from clients properly.

Business Benefits

There are many reasons why 128T is replacing Cisco, Silver Peak or Citrix solutions. Money is one of them: an architecture without tunnels reduces infrastructure costs by 75% and bandwidth costs by 30-50%, because we can install 128T on any server and there is no traffic overhead. In addition, 128T scales rapidly and easily to lots of edges thanks to the tunnel-less architecture, while other vendors require hard work to deploy new branches and services. However, there are many other reasons we could comment on.

Session Smart Routing

Secure Vector Routing is revolutionary because routers send the first packet of a session with metadata, into which the original addresses are inserted, and subsequent packets are sent without this metadata because it is not needed: there is already a session table that knows how to translate the addresses. Therefore, there is an important traffic saving with no overhead.
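The session-awareness benefit listed above and the first-packet metadata described in this paragraph are easiest to understand as a small state machine: the ingress router rewrites a new session to waypoint addresses and tags only its first packet with the original 5-tuple, the egress router learns the session from that tag, and every later packet is translated purely from the session table. The following is an added toy model written for this page, not 128T code or its wire format: the metadata size, the per-packet tunnel overhead it is compared against, and all addresses are constructed, and the "drop anything with no session and no metadata" behaviour at the egress is an assumption of the model.

```python
"""Added example: first-packet metadata plus per-router session tables,
as a toy model of session-based address translation. Not 128T code;
METADATA_LEN, TUNNEL_OVERHEAD and all addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IP_UDP_HEADER = 28       # IPv4 (20) + UDP (8) header bytes
METADATA_LEN = 32        # constructed: bytes of first-packet metadata
TUNNEL_OVERHEAD = 50     # constructed: per-packet cost of a tunnel encapsulation

Tuple5 = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload_len: int
    metadata: Optional[Tuple5] = None     # original 5-tuple, first packet only

    def key(self) -> Tuple5:
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def wire_len(self) -> int:
        return IP_UDP_HEADER + self.payload_len + (METADATA_LEN if self.metadata else 0)


class Router:
    def __init__(self, wan_ip: str) -> None:
        self.wan_ip = wan_ip
        self.next_port = 40000
        self.out: Dict[Tuple5, Tuple5] = {}    # ingress: original key -> waypoint key
        self.back: Dict[Tuple5, Tuple5] = {}   # egress: waypoint key -> original key

    def ingress(self, pkt: Packet, peer_wan: str, peer_port: int) -> Packet:
        """LAN -> WAN: rewrite to waypoint addresses; attach metadata only on
        the first packet of a session, later packets ride the session table."""
        orig = pkt.key()
        first = orig not in self.out
        if first:
            self.out[orig] = (self.wan_ip, self.next_port, peer_wan, peer_port, pkt.proto)
            self.next_port += 1
        wp = self.out[orig]
        return Packet(wp[0], wp[1], wp[2], wp[3], pkt.proto, pkt.payload_len,
                      metadata=orig if first else None)

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: learn the session from metadata, otherwise look it up.
        No metadata and no session entry means the packet is dropped (model assumption)."""
        key = pkt.key()
        if pkt.metadata is not None:
            self.back[key] = pkt.metadata
        orig = self.back.get(key)
        if orig is None:
            return None
        return Packet(orig[0], orig[1], orig[2], orig[3], orig[4], pkt.payload_len)


def run_session(n_packets: int, payload_len: int = 200) -> Dict[str, int]:
    """Push one UDP session through ingress router A and egress router B and
    compare bytes on the wire against a fixed per-packet tunnel overhead."""
    a, b = Router("198.51.100.1"), Router("203.0.113.1")   # constructed WAN addresses
    wire_svr = wire_tunnel = delivered = 0
    for _ in range(n_packets):
        lan_pkt = Packet("10.1.0.10", 50000, "10.2.0.20", 5060, "udp", payload_len)
        wan_pkt = a.ingress(lan_pkt, peer_wan=b.wan_ip, peer_port=16385)
        wire_svr += wan_pkt.wire_len()
        wire_tunnel += IP_UDP_HEADER + payload_len + TUNNEL_OVERHEAD
        out = b.egress(wan_pkt)
        if out is not None and out.key() == lan_pkt.key():
            delivered += 1
    return {"delivered": delivered, "svr_bytes": wire_svr,
            "tunnel_bytes": wire_tunnel, "sessions_at_b": len(b.back)}


def stray_packet_dropped() -> bool:
    """A packet that never carried metadata and matches no session is not forwarded."""
    b = Router("203.0.113.1")
    stray = Packet("198.51.100.1", 40000, "203.0.113.1", 16385, "udp", 100)
    return b.egress(stray) is None


if __name__ == "__main__":
    print(run_session(10))
    print("stray packet dropped:", stray_packet_dropped())
```

With the constructed sizes, ten 200-byte packets cost 2312 bytes in the session model (one 32-byte tag) against 2780 bytes with a 50-byte-per-packet tunnel; the saving grows with session length because the metadata is paid once, not per packet. The `stray_packet_dropped` check shows the other side of session awareness: the egress only forwards what it has state for, which is why the text can call it "secure" routing rather than plain NAT.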

Secure Vector Routing

To sum up, Juniper 128T is revolutionary in SD-WAN networks because it is a tunnel-less architecture and an alternative to encapsulation with IPsec and/or IPsec + VXLAN, GRE or MPLS. As a result, there is an important saving in traffic and money.

Regards my friends! What SD-WAN solution are you deploying?

4 October 2021

Best Cybersecurity Practices

I knew almost nothing about cybersecurity when I finished university twelve years ago. However, I started working at Ariadnex, where I've been working on lots of projects until now. I've been installing lots of security systems such as firewalls, IPS, antivirus, vulnerability scanners, antispam, etc. In addition, Ariadnex was certified in ISO 27001 & ISO 20000, and I worked on it. Therefore, I've been working these last days on a speech for the FAROTIC project, where a training about best cybersecurity practices has been carried out.

When I have to speak about best cybersecurity practices, I always like to speak about ISO 27001 because this international standard has 114 security controls, which are really interesting. The first group is about information security policies. It's really important; however, most companies don't have any security policy. Organization of information security is another group which should be taken into account. For instance, companies should enforce segregation of duties to reduce the opportunities for unauthorised modification.

When we speak about best cybersecurity practices, human resource security is also a best practice because companies should ensure that all employees are qualified for the job and understand their roles and responsibilities. Asset management and access control are also two best practices, but I think both are increasingly well known by most companies. Most of us have an asset inventory and users have the minimum privileges.

Encryption is well known by most employees. They know it is a requirement for sending and receiving information on the net, but they forget to save their passwords in a secure way with a password manager. Physical and environmental security is also well known by most companies: we are used to seeing guards at the doors and rooms locked. However, operations security is very important and there are still companies who forget to schedule backups.

I don't understand how there are companies that don't have any VLAN on the network. There is no communications security. There are also lots of companies without a policy for system acquisition, development and maintenance; however, this is usual for companies who have almost no security controls. What's more, supplier relationships is another group of security controls that few companies take into account.

All of these are some of the groups of security controls, to which we should also add incident management, business continuity and compliance, that companies should take into account for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Maybe 114 security controls seem too many, but it's important to start small and, most of all, to start.

Regards my friends! What kind of best cybersecurity practices are you applying?
