Co-author: Den Jones
The last two pandemic years have been difficult for every department in every organization but, in many ways, IT / Networking has been the hardest hit. Two growing trends – (a) applications running in the cloud instead of on-premises, and (b) a growing population of remote and hybrid workers – have accelerated like never before, causing IT / Networking teams to significantly rethink enterprise networking architectures.
In this article we highlight 5 common mistakes we see in enterprise networking today and approaches to fix them.
Over the next few weeks, we’ll publish individual posts on each topic, diving into details on why networking professionals still use such legacy techniques, making a case for why they need to rethink their approach, and suggesting more modern architectures they can utilize. Check back in regularly!
1. Backhauling traffic to SaaS applications through your corporate VPN (stop using VPNs and IP whitelists to secure access to SaaS applications)
Organizations often require their users to use a corporate VPN to access SaaS applications such as Microsoft Office 365, Google Workspace, and Salesforce. While this technique has long been used to enforce enterprise security standards, it involves the operational overhead of backhauling traffic, and configuring and updating IP whitelists. Worst of all, it is a clunky user experience that causes hours of lost productivity.
We’ll describe a simpler technique that doesn’t require backhauling – device posture checking with continuous authorization – that improves user experience, enhances security and reduces operational complexity.
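To make the difference concrete, here is a small added example (ours, not code from the original post or any vendor) of what continuous authorization looks like compared with a one-time VPN login. Each request to a SaaS app carries a device posture snapshot; an ALLOW is reused only while it is fresh and the posture has not changed, and a DENY is never cached so a remediated device gets back in on its next request. The posture fields, the OS build floor and the 5-minute TTL are constructed assumptions, not any product's schema.

```python
"""Added example (not from the original post): continuous authorization for
SaaS access driven by device posture instead of a VPN login. The posture
fields, thresholds and TTL below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DECISION_TTL_SECONDS = 300   # assumed: re-evaluate at least every 5 minutes
MIN_OS_BUILD = 22000         # constructed patch-level floor


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    cert_valid: bool       # device certificate chains to the enterprise CA
    disk_encrypted: bool
    edr_running: bool
    os_build: int


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    expires_at: float


def evaluate_posture(p: DevicePosture) -> List[str]:
    """Return the failed controls; an empty list means the device is compliant."""
    failures = []
    if not p.cert_valid:
        failures.append("device certificate invalid or missing")
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    if not p.edr_running:
        failures.append("EDR agent not running")
    if p.os_build < MIN_OS_BUILD:
        failures.append(f"OS build {p.os_build} below minimum {MIN_OS_BUILD}")
    return failures


class ContinuousAuthorizer:
    """Per-device decision cache keyed on the exact posture snapshot."""

    def __init__(self, ttl: float = DECISION_TTL_SECONDS):
        self.ttl = ttl
        self._cache: Dict[str, Tuple[DevicePosture, Decision]] = {}

    def authorize(self, posture: DevicePosture, now: float) -> Decision:
        cached = self._cache.get(posture.device_id)
        if cached is not None:
            last_posture, decision = cached
            # Reuse only a fresh ALLOW for an identical posture; any drift in
            # the signals (EDR stopped, cert revoked) forces re-evaluation now.
            if last_posture == posture and now < decision.expires_at:
                return decision
        failures = evaluate_posture(posture)
        decision = Decision(allowed=not failures, reasons=failures,
                            expires_at=now + self.ttl)
        if decision.allowed:
            self._cache[posture.device_id] = (posture, decision)
        else:
            # Never cache a DENY: a remediated device is re-checked immediately.
            self._cache.pop(posture.device_id, None)
        return decision


if __name__ == "__main__":
    auth = ContinuousAuthorizer()
    healthy = DevicePosture("laptop-01", True, True, True, 22621)
    print(auth.authorize(healthy, now=0.0))
    degraded = DevicePosture("laptop-01", True, True, False, 22621)
    print(auth.authorize(degraded, now=60.0))
```

The point of keying the cache on the whole posture snapshot is that the decision follows the device's state, not a session cookie handed out once at login; that is what makes it "continuous" rather than a VPN gate with a longer timeout.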
2. Eliminating Lateral Movement: Turn your office network into a guest network
Many office networks are configured as simple VLANs segmented into users and applications, where once a device is on the network it can connect easily to everything else on the network via an office router. This setup is easy to manage but is also the main reason ransomware can spread rapidly through an organization – a device infected with malware can spread it across the devices it can see on the network in just a few seconds. Preventing such lateral movement often requires complex, fragile network segmentation that seldom gets implemented correctly.
We’ll describe a better architecture – often used for guest Wi-Fi – where devices can connect to the internet but cannot connect directly to resources on private networks. When combined with certificate-based authentication for LAN connectivity and ZTNA for application access, you simplify office networking while significantly reducing the risk of lateral movement.
3. Hairpinning all corporate traffic through vendor PoPs
Many enterprises have adopted network security “as-a-service” offerings – also known in Gartner terminology as Secure Access Service Edge (SASE) – where corporate policy is enforced via vendor Points of Presence (PoPs). There are many legitimate reasons to send network traffic through PoPs; however, a blanket policy to hairpin all corporate traffic – such as traffic between private networks or traffic to cloud IaaS/SaaS environments – via these PoPs is often inefficient and expensive. The hairpinning logic only gets more complex when organizations need to meet data sovereignty and data privacy regulations.
We’ll detail a more modern approach to delivering network security as a service, called the Enterprise Edge. You can get all the benefits of SASE without having to pay big bucks to hairpin traffic through hundreds of vendor PoPs; instead, you configure access via a few strategically chosen locations based on where your resources are hosted. This simpler, cloud-based approach ensures consistent security policy enforcement with a highly performant user experience and no traffic hairpinning.
Available in 3 weeks.
4. Using site-to-site VPNs to connect multi-cloud environments
Site-to-site VPNs are a time-tested technique to connect two or more networks, such as corporate headquarters and a branch office. Today, site-to-site VPNs are often used to connect multi-cloud IaaS environments. For example, the core customer-facing application may run in Amazon AWS but the analytics engine leverages AI/ML capabilities in Google Cloud – AWS and GCP will be connected using site-to-site VPNs. This sort of “fat pipe” connectivity is unnecessary in many situations and can quickly get expensive and complex to manage.
We’ll describe a lighter-weight approach to connecting multi-cloud environments – Gartner calls it a Cybersecurity Mesh architecture – that leverages IaaS-native service accounts and short-lived tokens and certificates to securely connect specific applications without connecting entire networks.
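As an added illustration (ours, not code from the original post or from any cloud provider), here is the shape of the app-to-app trust that replaces the "fat pipe": the analytics service presents a short-lived, audience-bound token to the orders API, and the API verifies signature, issuer, audience and expiry on every call. In practice the token is issued by the IaaS provider's IAM (workload identity) and signed with its keys; the HMAC-signed stand-in, the service-account and audience names, and the 5-minute lifetime here are constructed assumptions so the example runs offline.

```python
"""Added example (not from the original post): minting and verifying a
short-lived, audience-bound service token for one application talking to
another across clouds. HMAC stands in for the provider's IAM signing; names
and lifetimes are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Set


class TokenError(Exception):
    """Raised for any verification failure; callers treat all of them as deny."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, service_account: str, audience: str,
               now: int, ttl: int = 300) -> str:
    """Issue a token for exactly one target application, valid for `ttl` seconds."""
    claims = {"iss": service_account, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(signature)}"


def verify_token(key: bytes, token: str, expected_audience: str,
                 now: int, allowed_issuers: Set[str]) -> Dict:
    """Return the claims if the token is genuine, for us, from an allowed
    service account and not expired; raise TokenError otherwise."""
    try:
        body, signature = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature is not distinguishable
    # by timing from a nearly-right one.
    if not hmac.compare_digest(expected, _unb64(signature)):
        raise TokenError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:
        raise TokenError("audience mismatch")       # token meant for another app
    if claims.get("iss") not in allowed_issuers:
        raise TokenError("issuer not authorized")   # unknown service account
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")           # short lifetime limits replay
    return claims


def is_valid(key: bytes, token: str, expected_audience: str,
             now: int, allowed_issuers: Set[str]) -> bool:
    """Boolean convenience wrapper around verify_token."""
    try:
        verify_token(key, token, expected_audience, now, allowed_issuers)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"          # constructed, not a real secret
    token = mint_token(shared_key, "sa-analytics@gcp-project", "orders-api.aws", now=1_700_000_000)
    print(verify_token(shared_key, token, "orders-api.aws", 1_700_000_100,
                       {"sa-analytics@gcp-project"}))
```

Note what is absent: no routes, no tunnels, no trust in the source network. The orders API accepts a call because the caller proved who it is for this audience right now, which is the identity-centric trust the mesh approach relies on.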
Available in 4 weeks.
5. Man-in-the-middling your users’ internet traffic
In days past, when every worker came into the office to do their job, networking teams deployed firewalls and Secure Web Gateways (SWG) in the corporate network to intercept internet traffic, decrypt sessions, and inspect packets for malware signatures and malicious content. Today’s internet usage patterns are very different, and many of those traditional firewall and web gateway rules do not effectively block threats; instead, they just become a man-in-the-middle bottleneck for your users’ internet traffic. Furthermore, modern browsers are more secure than ever (no Flash or ActiveX!), so the primary risk from users’ internet surfing occurs when they navigate to dangerous sites or download dangerous files. Packet inspection is overkill for this modern reality.
We’ll detail a significantly simpler approach to securing your users’ internet usage – based on Google’s Safe Browsing initiative. By extending this technique to apply corporate URL classification policies and work with non-Chrome clients, you can provide the requisite security without resorting to expensive man-in-the-middle techniques.
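To show why this needs no decryption, here is an added example (ours, not code from the original post or from Google) of a Safe Browsing-style URL check that a browser extension or lightweight proxy can run on the URL alone. It follows the hash-prefix scheme Google documents for the Safe Browsing Update API: canonicalize the URL, expand it into host-suffix / path-prefix expressions, SHA-256 each one, compare 4-byte prefixes against a local list, and confirm any hit against the full hash. It then layers a corporate URL-category policy on top, as the text proposes. The threat list, category table and policy table are constructed here; a deployment would fetch them from Safe Browsing and the corporate classifier.

```python
"""Added example (not from the original post): Safe Browsing-style hash-prefix
URL classification plus a corporate category policy. Lists are constructed."""
import hashlib
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 kept in the local prefix list


def canonicalize(url: str) -> Tuple[str, str, str]:
    """Lower-case host without port, decoded path with collapsed slashes, query."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").strip(".")
    path = unquote(parts.path) or "/"
    while "//" in path:
        path = path.replace("//", "/")
    return host, path, parts.query


def host_suffixes(host: str) -> List[str]:
    """Exact host plus up to four suffixes built from its last five labels."""
    tail = host.split(".")[-5:]
    suffixes = [host] + [".".join(tail[i:]) for i in range(len(tail) - 1)]
    return list(dict.fromkeys(suffixes))  # de-duplicate, keep order


def path_prefixes(path: str, query: str) -> List[str]:
    """Exact path with and without query, then root and up to three prefixes."""
    candidates = [path + "?" + query] if query else []
    candidates.append(path)
    prefix = "/"
    candidates.append(prefix)
    for component in [c for c in path.split("/") if c][:3]:
        prefix += component + "/"
        candidates.append(prefix)
    return list(dict.fromkeys(candidates))


def expressions(url: str) -> List[str]:
    """All host/path combinations that a list entry could have been keyed on."""
    host, path, query = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


def full_hash(expression: str) -> bytes:
    return hashlib.sha256(expression.encode()).digest()


# Constructed threat list: full hash -> threat type.  In the real API the
# client holds only the prefixes and asks the server for matching full hashes.
THREAT_FULL_HASHES: Dict[bytes, str] = {
    full_hash("malware.example.test/payload/"): "MALWARE",
    full_hash("phish.example.test/login"): "SOCIAL_ENGINEERING",
}
LOCAL_PREFIXES = {h[:PREFIX_LEN] for h in THREAT_FULL_HASHES}

# Constructed corporate classification: host suffix -> category -> verdict.
CATEGORY_BY_HOST = {"casino.example.test": "gambling", "social.example.test": "social"}
CATEGORY_POLICY = {"gambling": "BLOCK", "social": "ALLOW"}


def classify(url: str) -> Tuple[str, str]:
    """Return (verdict, reason); a threat-list hit wins over category policy."""
    for expression in expressions(url):
        digest = full_hash(expression)
        if digest[:PREFIX_LEN] in LOCAL_PREFIXES:        # cheap local test
            threat = THREAT_FULL_HASHES.get(digest)      # full-hash confirmation
            if threat:
                return "BLOCK", threat
    host = canonicalize(url)[0]
    for suffix in host_suffixes(host):
        category = CATEGORY_BY_HOST.get(suffix)
        if category:
            return CATEGORY_POLICY.get(category, "ALLOW"), category
    return "ALLOW", "uncategorized"


if __name__ == "__main__":
    for u in ("https://malware.example.test/payload/stage2.bin",
              "http://www.casino.example.test/",
              "https://docs.example.test/handbook"):
        print(u, "->", classify(u))
```

Two properties matter for the argument in the text: the check consumes only the URL, so TLS stays end-to-end between the user and the site, and the local prefix list means the common case (no hit) is decided on the client without a round trip or a decryption proxy in the path.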
Available in 5 weeks.
So, there you have it. 5 things you might be doing wrong in your enterprise network, and 5 modern approaches to fixing them.
Between the authors, we have over 45 man-years of experience in enterprise networking. Den spent the last two decades managing IT and security initiatives at large enterprises (Adobe and Cisco) protecting a combined 150,000+ workers. Tarun has been building networking products since 2001, from IP transport technologies at Infinera to edge development platforms at what is now Limelight Networks. Over our years in enterprise networking, we’ve not quite seen it all but, boy, have we seen a lot. We hope IT / Networking teams looking to modernize their technology investments to keep up with their changing business needs will recognize many of the patterns we describe above and consider some of the alternate approaches we propose.