A Brief Introduction to Netskope’s Borderless SD-WAN Solution
Author: Paul Graham
Release Date: 28/11/2022
This blog post is a very high-level view of SD-WAN in relation to Netskope’s offered solution, written to give readers at any level an understanding of the technology’s principles.
What is SD-WAN?
Imagine that, years ago, you had a data centre, some branch offices and a few remote workers.
You needed those offices and workers to communicate securely with the data centre so they could send and access centrally stored data.
How do you do it?
The usual older method for remote workers was a single point-to-site VPN: after authentication, a secure tunnel is created from the user’s machine back to the data centre. For the offices it was a very expensive dedicated point-to-point (P2P) connection provided by an ISP.
This gives you something like this hub-and-spoke design:
As time goes by, the cost of every P2P connection is crippling the business and you no longer want to rely on a dedicated private line to each office. So we turn to MPLS (Multiprotocol Label Switching) from our ISP instead, which carries our traffic over the provider’s shared network rather than over circuits leased just for us.
To (extremely) summarise MPLS: as we are losing our dedicated private lines, we have to tell the network efficiently where our traffic needs to go. This is done by classifying each packet once at the edge and pushing a small label onto it, so that each subsequent hop does a simple exact-match lookup on the label and swaps it, rather than every hop performing a full destination lookup against its routing table. The label header also carries a small traffic-class field, so we can mark traffic types (by protocol or destination) at the edge and control QoS (Quality of Service) by giving priority to certain classes at every hop along the path.
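To make the two forwarding models in the paragraph above concrete, here is a small Python simulation that is added for this post and is not Netskope’s or any vendor’s code. It walks one packet from a branch router (R1) to the data centre edge (R3) twice: once with hop-by-hop IP routing, where every router repeats a longest-prefix search of its whole table, and once with MPLS, where the ingress router classifies the packet, pushes a label and sets the traffic-class (EXP/TC) bits, and the transit routers only do exact-match label lookups. The topology, prefixes, label values and the mapping of class names to EXP values are all constructed for the example; the EXP/TC field is a real part of the MPLS shim header but the specific values assigned here are assumed.

```python
"""Toy comparison of per-hop IP routing versus MPLS label switching."""
import ipaddress
from dataclasses import dataclass, field

# Constructed three-router path: branch (R1) -> transit (R2) -> data centre (R3).
# Each IP table is a list of (prefix, next hop); a real router searches all of it.
IP_TABLE = {
    "R1": [("0.0.0.0/0", "ISP"), ("10.0.0.0/8", "R2"), ("10.20.0.0/16", "R2")],
    "R2": [("0.0.0.0/0", "ISP"), ("10.0.0.0/8", "R4"), ("10.20.0.0/16", "R3")],
    "R3": [("0.0.0.0/0", "R2"), ("10.20.5.0/24", "local")],
}


def ip_lookup(router, dst):
    """Longest-prefix match: scan every entry, keep the most specific hit."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop, scanned = None, None, 0
    for prefix, hop in IP_TABLE[router]:
        scanned += 1
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop, scanned


def ip_path(dst, start="R1"):
    """Hop-by-hop IP forwarding; returns the path and total entries scanned."""
    path, router, scanned = [], start, 0
    while router in IP_TABLE:
        path.append(router)
        hop, n = ip_lookup(router, dst)
        scanned += n
        if hop == "local":
            return path, scanned
        router = hop
    return path + [router], scanned  # packet left our network


# Assumed mapping of traffic class -> 3-bit EXP/TC value in the MPLS header.
EXP = {"voip": 5, "video": 4, "best-effort": 0}


@dataclass
class LabeledPacket:
    dst: str
    labels: list = field(default_factory=list)  # label stack, top of stack last
    exp: int = 0


# Ingress: which destination prefix (FEC) gets which label pushed.
FEC = [("10.20.0.0/16", 100)]
# Label forwarding table per transit/egress router: in_label -> (action, out_label, next hop)
LFIB = {
    "R2": {100: ("swap", 200, "R3")},
    "R3": {200: ("pop", None, "local")},
}


def ingress_push(pkt, cls):
    """Classify once at the edge: push a label and set the QoS bits."""
    addr = ipaddress.ip_address(pkt.dst)
    for prefix, label in FEC:
        if addr in ipaddress.ip_network(prefix):
            pkt.labels.append(label)
            pkt.exp = EXP[cls]
            return "R2"  # constructed: the single uplink from R1
    return None  # no label path; a real router would fall back to IP


def mpls_path(dst, cls, ingress="R1"):
    """Label-switched forwarding: one classification, then exact-match lookups."""
    pkt = LabeledPacket(dst)
    hop = ingress_push(pkt, cls)
    if hop is None:
        raise ValueError(f"no FEC for {dst}: would fall back to plain IP routing")
    path, actions, lookups, router = [ingress], ["push"], 1, hop
    while router in LFIB:
        path.append(router)
        top = pkt.labels[-1]
        action, out, hop = LFIB[router][top]  # a single hash lookup per hop
        lookups += 1
        if action == "swap":
            pkt.labels[-1] = out
        else:  # pop at the egress router
            pkt.labels.pop()
        actions.append(action)
        if hop == "local":
            return path, lookups, actions, pkt.exp
        router = hop
    raise ValueError("label path incomplete")


def schedule(batch):
    """A hop prioritises by EXP alone; it never needs to parse the IP header."""
    return [p.dst for p in sorted(batch, key=lambda p: -p.exp)]


if __name__ == "__main__":
    print("IP  :", ip_path("10.20.5.7"))
    print("MPLS:", mpls_path("10.20.5.7", "voip"))
```

Both models deliver the packet along R1, R2, R3, but the IP version scans eight table entries across three hops while the MPLS version does one classification plus two exact-match lookups, and the EXP value set at R1 travels with the packet so every hop can apply the same priority.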
So our private lines are now gone and we end up with something like this:
In the above, our traffic is now routed without private lines. What is not shown is the big stack of appliances in the data centre that provides the network optimisation, monitoring and security tooling needed to run this setup efficiently. We are also still reliant on our ISP for the back-end services that make it work: this too can be expensive, and we are bound by their timescales when adding new connections. Managing MPLS can also be extremely resource intensive from a support point of view, given the overall configuration and mapping of the network as a whole.
We now add a further complication. We no longer want the data centre, because our goal is to be a fully cloud-native organisation. We want as many of our technologies as possible under one roof to save on costs and to simplify support and management, and we do not want to rely on our ISP for the back-end functionality. We could also retire those legacy VPN connections while still providing full security to our remote users, without them having to hairpin into the corporate network, given that their need to go straight to online cloud resources is increasing all the time.
And to do all of this, we look to Netskope Borderless SD-WAN and Netskope Intelligent SSE to deliver a converged, single-vendor SASE offering.
Before I begin on Borderless SD-WAN, we have to understand Netskope NewEdge. Netskope describes NewEdge as the world’s largest, highest-performing security private cloud; it powers the inline security services of the Netskope Security Cloud and is intended to give customers broad service coverage, performance and resilience. At the time of writing NewEdge is powered by data centres in 55+ regions, with new data centres being added every month. More information can be found on NewEdge here.
In the above, our three offices have been set up to use Netskope’s Borderless SD-WAN by making them SASE spokes. This is done with either one of several physical hardware options or a virtual appliance. The spokes now have a secure connection to Netskope NewEdge, and all applicable traffic is managed through it.
The data centre has been left in for now to represent a Netskope SASE Gateway Hub, i.e. a secure destination for the offices or remote workers to connect to. A hub does not have to be a physical site; it can also be a cloud provider. It too has been set up with a secure connection to Netskope NewEdge.
Our user in the top right has been set up to use Netskope’s Borderless SD-WAN and is now essentially a SASE spoke. Their traffic from their home office is now steered to Netskope NewEdge and forms part of the wider Borderless SD-WAN topology.
The user in the bottom right has no single location they work from, so they are using Netskope’s Next Gen SWG, CASB and DLP controls, together with the Zero Trust Network Access component of Netskope Intelligent SSE, to secure their web usage and to provide access to the data centre resources they need.
The Netskope Hub has been configured to direct applicable traffic directly to the web hence there is no need to hairpin traffic back into the data centre security stack.
Within this, we now have what are essentially virtual point-to-point connections from our offices to our data centre, all controlled from a central interface, right down to individual interfaces and WiFi connections. We not only get a central view of WAN activity, usage and packet loss, but we can also control all routing, whether static, BGP, OSPF, etc. We can likewise configure our QoS within the centralised interface to prioritise traffic by protocol.
Should we need to create a new SASE spoke, this can be done extremely quickly as opposed to relying on ISP time scales.
And in the end, we have moved our security and control stack from the data centre into the cloud, we manage the SD-WAN traffic centrally, and all the other technologies required for our SASE goals are managed under one roof, so complexity and support overheads are reduced significantly.