(Republished with permission from Aruba, a Hewlett Packard Enterprise company. You can view the original blog here.)
In today's dynamic cybersecurity landscape, safeguarding modern business networks demands a robust, unified solution. In recent years, organisations have faced a dramatic increase in web-based threats, with over 490 million ransomware attacks worldwide [1] and around 30 percent of adults worldwide encountering phishing scams in 2022 [2]. Traditional standalone secure web gateway (SWG) solutions often struggle to offer a cohesive security approach for both managed and unmanaged devices, leaving organisations vulnerable. The explosion of unmanaged devices in organisations (including IoT, BYOD, and guest devices) accessing enterprise networks amplifies the challenge of preventing access to malicious websites.
In this blog, we’ll explore the benefits of integrating SWG into a secure SD-WAN for a unified, efficient, and comprehensive approach to network security.
Understanding SWG and secure SD-WAN
A secure web gateway (SWG) stands as a frontline defense against web-based threats, including malware, phishing attacks, and malicious websites. It conducts several security inspections, encompassing URL filtering, malicious code detection, and web access control. With a three-layer protection system—DNS filtering, URL filtering, and content filtering—SWG blocks domains and IPs and filters web access and content based on policies. Advanced SWG solutions can even prevent unauthorized transmission of sensitive data through data loss prevention (DLP).
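To make the three layers concrete, here is an added example of an SWG decision pipeline written for this post; it is not HPE Aruba Networking code. It runs DNS filtering (blocklisted domains and resolved IPs), then URL category filtering, then content filtering with a simple DLP check on uploads, returning which layer blocked a request. All blocklists, categories, patterns and sample requests are constructed for illustration; a real gateway would pull them from threat-intelligence and categorisation feeds.

```python
"""Toy three-layer secure web gateway (SWG) decision pipeline.

Added example, not vendor code. Layers, in order: DNS filtering, URL
filtering, content filtering (with a DLP check on request bodies).
All policy data and sample requests below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed policy data (assumptions, not a real feed).
BLOCKED_DOMAINS = {"malware.example", "phish.example"}
BLOCKED_IPS = {"203.0.113.7"}            # documentation address (TEST-NET-3)
URL_CATEGORIES = {                      # host -> category lookup
    "casino.example": "gambling",
    "news.example": "news",
    "files.example": "file-sharing",
}
BLOCKED_CATEGORIES = {"gambling", "file-sharing"}
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}
# Constructed DLP pattern: a value shaped like a US Social Security number.
DLP_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]


@dataclass
class WebRequest:
    url: str
    resolved_ip: str
    response_content_type: str = "text/html"
    request_body: str = ""


@dataclass
class Verdict:
    allowed: bool
    layer: Optional[str] = None   # layer that blocked, None when allowed
    reason: str = ""


def dns_filter(host: str, ip: str) -> Optional[Verdict]:
    """Layer 1: block by domain (including parent domains) or resolved IP."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return Verdict(False, "dns", f"domain {host} is blocklisted")
    if ip in BLOCKED_IPS:
        return Verdict(False, "dns", f"resolved IP {ip} is blocklisted")
    return None


def url_filter(host: str) -> Optional[Verdict]:
    """Layer 2: block by URL category policy; unknown hosts are uncategorised."""
    category = URL_CATEGORIES.get(host, "uncategorised")
    if category in BLOCKED_CATEGORIES:
        return Verdict(False, "url", f"category {category} blocked by policy")
    return None


def content_filter(req: WebRequest) -> Optional[Verdict]:
    """Layer 3: inspect content both ways (blocked downloads in, DLP out)."""
    if req.response_content_type in BLOCKED_CONTENT_TYPES:
        return Verdict(False, "content",
                       f"content type {req.response_content_type} blocked")
    for pattern in DLP_PATTERNS:
        if pattern.search(req.request_body):
            return Verdict(False, "content", "DLP: sensitive pattern in upload")
    return None


def evaluate(req: WebRequest) -> Verdict:
    """Run the layers cheapest-first; the first block wins."""
    host = (urlsplit(req.url).hostname or "").lower()
    for check in (lambda: dns_filter(host, req.resolved_ip),
                  lambda: url_filter(host),
                  lambda: content_filter(req)):
        verdict = check()
        if verdict is not None:
            return verdict
    return Verdict(True)


if __name__ == "__main__":
    # Constructed sample requests, one per outcome.
    samples = [
        WebRequest("http://sub.malware.example/x", "198.51.100.1"),
        WebRequest("http://news.example/", "203.0.113.7"),
        WebRequest("http://casino.example/", "198.51.100.2"),
        WebRequest("http://news.example/dl", "198.51.100.3", "application/x-msdownload"),
        WebRequest("http://news.example/up", "198.51.100.3", request_body="id 123-45-6789"),
        WebRequest("http://news.example/", "198.51.100.3"),
    ]
    for s in samples:
        v = evaluate(s)
        print(f"{s.url:35} allowed={v.allowed} layer={v.layer} {v.reason}")
```

Ordering matters for cost and for evidence: a DNS-layer block happens before any TCP connection, so the request never reaches the URL or content stage, while the content layer is the only one that sees the DLP case.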
Secure SD-WAN revolutionises network connectivity and security by seamlessly protecting local branches with a built-in next-generation firewall and connecting branch locations to the data center and multi-cloud environments through internet links or using a combination of multiple links (MPLS, Internet, 4G/5G, satcom).
The need for protecting all devices, managed and unmanaged
Standalone SWG solutions often fall short in providing comprehensive security for both managed and unmanaged devices in the enterprise network. Even though managed devices running an SSE agent are generally well protected, unmanaged devices remain unprotected, leading to increased security risks.
Unmanaged devices such as guest, third-party contractor, or BYOD devices can reach malicious websites once they connect to the enterprise network, introducing new threats into the organisation. IoT devices are also prone to web-based threats, as they generate web traffic when they communicate with cloud services for updates, telemetry, or other purposes. And because managed and unmanaged devices share the same enterprise network, enterprises face additional cybersecurity risk by not protecting unmanaged devices.
Comprehensive security with secure SD-WAN and SWG integration
The integration of SWG into a secure SD-WAN ensures consistent and comprehensive protection for all devices on the enterprise network. As devices connect to the enterprise network, secure SD-WAN automatically directs their traffic to an SWG through dedicated tunnels, without requiring an SSE agent on the device.
Unmanaged devices, often challenging to secure, receive the same level of protection as managed devices. Whether they are guest devices, third-party contractors, or IoT devices, the integrated solution fortifies the network against potential vulnerabilities.
Additionally, the secure SD-WAN's built-in next-generation firewall adds another layer of security by providing advanced security features such as IDS/IPS, DDoS defense and Zero Trust segmentation. Regardless of the device type or managed status, every user or device connecting to the enterprise network benefits from advanced threat detection and prevention capabilities.
To fortify security and align with evolving digital needs, the integrated SWG and SD-WAN solution can seamlessly extend capabilities to include Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB). ZTNA ensures a Zero Trust-centric model, rigorously verifying every user, device, or application attempting to access the enterprise network. CASB protects sensitive data hosted in SaaS applications and prevents data loss, while enforcing policies related to access controls. This comprehensive integration transforms the solution into a robust SASE architecture, securing the entire spectrum of data access and usage.
HPE Aruba Networking secure SD-WAN augmented with SWG
The HPE Aruba Networking EdgeConnect SD-WAN family (EdgeConnect SD-WAN, EdgeConnect SD-Branch and EdgeConnect Microbranch) now integrates SWG, part of HPE Aruba Networking SSE, through a SASE SWG site license. The solution offers comprehensive protection to all users and things on the network. It is easy to deploy and doesn’t require an agent installed on each device: EdgeConnect SD-WAN forms a bandwidth-licensed tunnel between the SD-WAN and HPE Aruba Networking SWG, while traffic from managed devices (with an HPE Aruba Networking SSE user-based license) is sent directly to HPE Aruba Networking SSE, bypassing this tunnel.
Protect all devices with integrated SWG in the EdgeConnect SD-WAN fabric
In addition, HPE Aruba Networking can protect devices for organisations with third-party SD-WANs by establishing an IPsec bandwidth-licensed tunnel from the SD-WAN solution to HPE Aruba Networking SWG. This not only enables organisations to easily protect all devices but also fills the gap of otherwise unprotected devices (guests, third-party contractors, IoT).
Protect all devices with third-party SD-WAN integrated with SWG, without the need for an SSE agent
Advanced threat protection with HPE Aruba Networking SD-WAN
EdgeConnect SD-WAN’s built-in next-generation firewall enables organisations to go beyond web content filtering and malware protection. The solution provides IDS/IPS, DDoS defense and role-based segmentation, enforcing Zero Trust in the organisation. IDS/IPS operates on a signature-based system, actively monitoring network traffic to identify patterns indicative of specific attack signatures. For immediate response, an IDS/IPS inline mode is available, swiftly blocking traffic upon intrusion detection. In addition, the DDoS defense mechanism identifies and thwarts various attacks, including protocol attacks, SYN floods, IP spoofing attacks, and more. EdgeConnect SD-WAN also includes robust support for role-based segmentation, aligning with Zero Trust principles to minimise lateral movement. This approach adheres to the principle of least privilege, ensuring that both users and IoT devices establish communications solely with destinations consistent with their roles in the business.
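The role-based segmentation described above reduces to a per-role allow-list with a default deny, which is what makes least privilege enforceable for devices that cannot run an agent. The following added example (written for this post, not EdgeConnect code) evaluates sample flows against constructed roles and rules: an IP camera may talk only to its recorder over RTSP, a guest may reach only non-private addresses over web ports, and any flow with no matching rule, including camera-to-camera lateral movement, is denied. Device-to-role assignments, subnets and addresses are all constructed assumptions.

```python
"""Role-based segmentation check with default deny.

Added example, not vendor code. A device's role selects an allow-list;
a flow is permitted only if some rule for that role matches, otherwise it
is denied. Roles, networks and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Tuple

# Constructed role assignments; a real deployment gets these from NAC/identity.
DEVICE_ROLES = {
    "10.10.1.20": "ip-camera",
    "10.10.1.21": "ip-camera",
    "10.10.2.5": "employee",
    "10.10.3.40": "guest",
}

PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    dst: str                 # CIDR, or "internet" meaning any non-private address
    proto: str
    ports: FrozenSet[int]


# Constructed least-privilege policy: each role lists only what it needs.
ROLE_POLICY = {
    "ip-camera": [Rule("10.20.0.10/32", "tcp", frozenset({554}))],      # NVR, RTSP only
    "employee": [Rule("10.20.0.0/16", "tcp", frozenset({443})),         # internal apps
                 Rule("internet", "tcp", frozenset({80, 443}))],         # web via SWG
    "guest": [Rule("internet", "tcp", frozenset({80, 443}))],            # web only
}


def is_private(ip) -> bool:
    return any(ip in net for net in PRIVATE_RANGES)


def rule_matches(rule: Rule, dst, proto: str, port: int) -> bool:
    if proto != rule.proto or port not in rule.ports:
        return False
    if rule.dst == "internet":
        return not is_private(dst)
    return dst in ip_network(rule.dst)


def evaluate_flow(src: str, dst: str, proto: str, port: int) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown devices and unmatched flows are denied."""
    role = DEVICE_ROLES.get(src)
    if role is None:
        return False, f"{src}: no role assigned, default deny"
    dst_ip = ip_address(dst)
    for rule in ROLE_POLICY.get(role, []):
        if rule_matches(rule, dst_ip, proto, port):
            return True, f"{role}: allowed by rule {rule.dst} {proto}/{port}"
    return False, f"{role}: no rule permits {dst} {proto}/{port}, default deny"


if __name__ == "__main__":
    # Constructed sample flows.
    flows = [
        ("10.10.1.20", "10.20.0.10", "tcp", 554),   # camera -> NVR: allowed
        ("10.10.1.20", "10.10.1.21", "tcp", 554),   # camera -> camera: lateral, denied
        ("10.10.1.20", "10.20.0.10", "tcp", 22),    # camera -> NVR ssh: denied
        ("10.10.3.40", "10.20.0.10", "tcp", 443),   # guest -> internal: denied
        ("10.10.3.40", "198.51.100.25", "tcp", 443),  # guest -> internet: allowed
        ("10.10.2.5", "10.20.0.50", "tcp", 443),    # employee -> internal app: allowed
        ("10.10.9.9", "10.20.0.50", "tcp", 443),    # unknown device: denied
    ]
    for f in flows:
        allowed, reason = evaluate_flow(*f)
        print(f"{f[0]:>12} -> {f[1]:>14} {f[2]}/{f[3]:<4} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The important property is the last branch of evaluate_flow: anything the policy does not name is dropped, so adding a new device class means writing its rules rather than discovering later what it could already reach.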
EdgeConnect SD-WAN also securely breaks out internet traffic by identifying and classifying applications and web domains based on the first packet, enabling automatic traffic steering to HPE Aruba Networking SSE. Using multiple techniques, the solution can identify more than 10,000 applications and more than 300 million web domains.
EdgeConnect SD-WAN also monitors and optimises network performance with AppExpress. The feature leverages synthetic polling and real-time user traffic observations to steer traffic to the closest SSE Point of Presence (PoP) while selecting the best path across multi-cloud environments.
Expanding SD-WAN and SWG to HPE Aruba Networking unified SASE
By implementing a secure SD-WAN solution augmented with SWG capabilities, organisations can seamlessly transition to HPE Aruba Networking unified SASE by including ZTNA and CASB capabilities. This integrated approach streamlines the security framework, enabling organisations to consolidate their diverse security services into a cohesive platform. This platform not only accelerates deployment, but also ensures unified security policies, centralised management, consistent Zero Trust access, and the ability to adapt seamlessly to the evolving threat landscape. With EdgeConnect SD-WAN and HPE Aruba Networking SWG as the foundation of HPE Aruba Networking unified SASE, enterprises can adopt a future-proof strategy for their security.
Deploy EdgeConnect SD-WAN with the cloud-native HPE Aruba Networking SSE solution for a unified SASE platform