Our current cybersecurity environment is constantly changing, which means it’s crucial for businesses to have strong, integrated security measures. The number of web-based threats has dramatically increased in recent years, with an alarming 490 million ransomware attacks happening globally [1] and about 30% of all adults worldwide falling for phishing scams in 2022 [2].
Often, traditional secure web gateway (SWG) solutions are not enough to fully protect both managed and unmanaged devices, leaving enterprises open to attacks. The surge of unmanaged devices in organizations, from IoT to BYOD and guest devices, that access enterprise networks only adds to the difficulty in keeping malicious websites away.
In this post, we shall discuss how integrating SWG with secure SD-WAN creates a unified, efficient, and comprehensive method of network security.
Understanding SWG and secure SD-WAN
A Secure Web Gateway (SWG) functions as your first line of defense against online threats like malware, phishing attacks, and dangerous websites. It applies multiple security checks, such as URL filtering, detection of malicious code, and web access control. The SWG’s three-tier protection system includes DNS filtering, URL filtering, and content filtering, blocking domains and IPs and filtering web content and access based on policy. Enhanced SWG solutions can even stop the unauthorized dissemination of sensitive material via data loss protection (DLP).
Secure SD-WAN revolutionises network connection and security, providing local branches with inbuilt next-generation firewalls and connecting branch locations to the data centre and multi-cloud environments through internet links or a combination of various links (MPLS, Internet, 4G/5G, satcom).
The need to protect all devices, both managed and unmanaged
Standalone SWG solutions frequently do not provide comprehensive security for both managed and unmanaged devices on the company network. While managed devices running an SSE agent are generally protected, unmanaged devices remain unprotected, leading to increased security threats.
Unmanaged devices like those used by guests, third-party contractors, or BYODs can access potentially harmful websites while connected to your business network, creating new risks in your system. IoT devices also risk exposure to these web-based threats by creating web traffic when interacting with cloud services for updates, telemetry and other needs. The fact that managed and unmanaged devices share the same business network means there are added cybersecurity risks when unmanaged devices are left unprotected.
Complete protection with integrated secure SD-WAN and SWG
Integrating SWG with secure SD-WAN ensures extensive and consistent protection for all devices on the business network. As devices connect to your network, secure SD-WAN automatically routes the traffic to an SWG via dedicated tunnels, without the need for an SSE agent.
The same level of protection is applied to unmanaged devices, which are typically difficult to secure. This covers guest devices, those used by third-party contractors, or IoT devices, making sure the integrated solution strengthens your network against possible vulnerabilities.
The built-in next-generation firewall of secure SD-WAN provides another level of security, encompassing features like IDS/IPS, DDoS defense, and Zero Trust segmentation. This benefits every user or device that connects to the enterprise network by offering superior threat detection and protection.
For additional security and to meet digital needs, one can extend the capabilities of the integrated SWG and SD-WAN solution to include Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB). ZTNA follows a Zero Trust-centric model and verifies every user, device, or application that tries to access the enterprise network. CASB helps protect sensitive data hosted in SaaS applications and helps prevent data loss while enforcing policies related to access controls. This thorough integration transforms the solution into a robust SASE architecture, keeping all data access and usage secure.
An extension of HPE Aruba Networking secure SD-WAN with SWG
The HPE Aruba Networking EdgeConnect SD-WAN family (comprising EdgeConnect SD-WAN, EdgeConnect SD-Branch, and EdgeConnect Microbranch) now has an integrated SWG that is part of HPE Aruba Networking SSE through a SASE SWG site license. This solution offers complete protective cover to all users and things on the network. It is easy to deploy and eliminates the need for an agent on each device. To accomplish this, EdgeConnect SD-WAN establishes a bandwidth-licensed tunnel between SD-WAN and HPE Aruba Networking SWG. The traffic from managed devices (those that have a user-based license from HPE Aruba Networking SSE) is sent directly to HPE Aruba Networking SSE, bypassing this tunnel.
Protect all devices with integrated SWG in the EdgeConnect SD-WAN fabric
HPE Aruba Networking can also safeguard devices for enterprises using third-party SD-WANs by forming an IPsec bandwidth-licensed tunnel from the SD-WAN construct to HPE Aruba Networking SWG. This arrangement allows organizations to defend all devices while also addressing the issue of vulnerable devices, such as guest devices, those used by third-party contractors, and Internet of Things (IoT) devices.
Protection for all devices with third-party SD-WAN integration with SWG requires no SSE agent
Advanced threat protection with HPE Aruba Networking SD-WAN
EdgeConnect SD-WAN incorporates a next-generation firewall, enabling organizations to enhance web content filtering and strengthen malware protection. The solution offers IDS/IPS, DDoS prevention, and role-based segmentation, thereby promoting Zero Trust within the organization. With a signature-based system, IDS/IPS constantly scrutinizes the network to identify harmful patterns. To provide an immediate response, IDS/IPS offers an inline mode that instantly stops the traffic upon intrusion detection. In conjunction, the DDoS defense mechanism identifies and counteracts protocol attacks, SYN floods, and IP spoofing attacks, among others. EdgeConnect SD-WAN also supports role-based segmentation, maintaining alignment with Zero Trust principles to reduce lateral movement. In keeping with the principle of least privilege access, users and IoT devices communicate only with destinations supported by business roles.
EdgeConnect SD-WAN ensures secure internet traffic circulation by identifying and classifying applications and web domains from the initial packet. This enables automatic traffic steering towards HPE Aruba Networking SSE. With the help of multiple techniques, it can recognize more than 10,000 applications and in excess of 300 million web domains.
EdgeConnect SD-WAN continually monitors and optimizes network performance employing AppExpress. This feature utilizes synthetic polling along with real-time user traffic observation to direct traffic to the nearest SSE Point of Presence (PoP) and simultaneously chooses the best path across multi-cloud environments.
Advancement of SD-WAN and SWG to HPE Aruba Networking unified SASE
Adopting a robust SD-WAN solution fortified with SWG capabilities lets businesses transition smoothly towards an integrated HPE Aruba Networking SASE by adding ZTNA and CASB features. This consolidated approach refines your security mechanism, enabling organizations to combine various security functionalities into a single, unified platform. This unified platform not only fast-tracks implementation but also guarantees harmonized security policies, central management, consistent Zero Trust access, and the ability to adapt easily to changing threat scenarios. With EdgeConnect SD-WAN and HPE Aruba Networking SWG forming the base, organizations can put in place forward-looking strategies for their security needs.
Institute EdgeConnect SD-WAN in symbiosis with the cloud-native HPE Aruba Networking SSE solution for a combined SASE platform
For more insights, feel free to watch the lightboard video on SWG.
Additional resources:
[1] Annual number of ransomware attacks worldwide from 2017 to 2022, Statista
[2] Phishing – Statistics & Facts, Statista