Best Practices for the Enterprise (Part 3) Multi-tiered Architecture

Welcome to the Third installment of the Enterprise Best Practices Blog. My name is Neil Danilowicz, Principal Architect for Versa Networks. This week we will focus on why the Enterprise should require a secure multi-tiered architecture for their SD-WAN solution.
So why is a secure multi-tiered architecture a requirement for Enterprise deployment of SD-WAN? Historically, Enterprises would contract with a service provider to purchase private circuits (MPLS, PIP, or dedicated TDM circuits) to provide secure private connectivity between their branches and data centers. If an Enterprise required access to the Internet or remote networks, demilitarized zones (DMZs) were established to vet and validate the connections. The Enterprise would create mechanisms for authentication, authorization and accounting (AAA) for all permitted traffic flows and to record any illegal attempt to access the Enterprise network.

In the early days, firewalls were considered the main security element to secure the DMZ.  However, reliance upon a single security device proved to be rather foolish network design.  Single failure of that element opened the branch to potential breaches and loss of access. Soon, Enterprise networks deployed perimeter security functions [firewalls, intrusion detection/prevention systems (IDS/IPS), web access firewalls (WAF), for example.], network address translation (NAT), discreet segmented network routing, encrypted connections, and proxies amongst others.

Thus, the evolution to a secure multi-tiered security architecture.  Today, secure Enterprises do not store critical data in a DMZ.  Most applications today are based upon, at minimum, a 3 tier architecture with many utilizing secure connectivity via TLS1.2 or greater.

But why has a secure multi-tiered infrastructure become the go to architecture option for both networking, security and applications?

Let’s review the different multi-tier architecture approaches:

To start, let’s begin with a basic foundation and assume a flat network between the Enterprise network and the consumers that need to access the Enterprise business model.

Option 1: Direct Access Model Diagram

In this model, everyone has direct access to critical information.  Both the Enterprise and the consumer.  However, this also implies that threat actors (hackers) also have direct access to these systems.  This affords the hackers the ability to poke, prod, poll, scan and exploit any vulnerability in the system to gain access – even if the system currently employs the most impenetrable, advanced, never-exploited security features.  Remember, what was secure twenty years ago, might not be secure today and what is secure today is not guaranteed to be secure in five years.  New vulnerabilities and exploits are being exposed almost every day of the week. The threat actors are constantly looking for new vulnerabilities that have yet to be discovered so they can be exploited. So clearly, any system that allows direct access to the critical information is only a ticking time bomb before someone will crack the security suite and capture the data to utilize outside the Enterprise.

Option 2: Two-Tiered Access Model

 

The second Option is a two-tier architecture.  In a two-tier architecture, the first tier would have a perimeter security suite to validate the connections, providing all the AAA policies for both permitted and illegal entry attempts, and would pass the permitted connections to the second tier for access to the critical data.  While this method is significantly improved over the direct access model, the fact remains that by exploiting a vulnerability in the primary zone, the threat actor can gain access to the second zone rather easily.  Usage of NAT and discreet, segmented routing could make the threat actor’s job harder to penetrate the primary zone, but most of the systems within the primary zone would contain enough sensitive information, that once compromised, would yield a good-enough blueprint for the threat actor to follow in order to compromise the Enterprise Network.

Option 3: Multi-tiered Access Model

 

So, this brings us to a three-tiered or multi-tiered architecture.  In this scenario, each zone is secured by a secure perimeter suite, engages in encrypted connections, utilizes discreet segment routing, and one or more tier utilizes NAT.  The critical data is stored in the third or greater tier in the network.  Unlike the two-tier approach, compromise of the first tier does not provide a blueprint to the critical data path as the critical data is not in the next level.  Given that multiple secure perimeter suites are utilized, this makes it far more difficult for the threat actor to successfully navigate and exploit all the necessary systems without being detected.  Utilization of secure connections between tiers also complicates the ability of the threat actor to successfully compromise the next level in the multi-tiered architecture.

Versa Solution – Multi-Tiered Architecture

As Enterprises look to transform the network, they should deploy an SD-WAN solution which supports a secure multi-tier architecture. In fact, here at Versa Networks, we have ingrained this principal throughout our entire architecture and solution offering. No node within the SD-WAN solution has direct access to Versa Director, the database and operations interface for all configurations, policy, certificates, etc.  In order for a node to access Versa Director, it first must create an IPSEC tunnel to one of the Versa SDWAN Controllers.  Even during zero-touch provisioning (ZTP) process, an IPSEC connection must be made to a controller for the SD-WAN branch to retrieve its initial configuration.  The SD-WAN controller has a secure connection to the Director which advertises the branch management IP address (during ZTP, this is a proxied IP provided by the controller).  An overlay network is established between the SD-WAN branch cpe and SD-WAN controller.  This way the conversation is encrypted through the underlay network and no direct access from the underlay network exists.  Once the overlay network is established, Versa Director communicates through the SD-WAN Controller to each branch device.  Versa Networks also supports multiple secure Controller connections between the branch and Director.  This enables a natural ability to build a multi-tiered and resilient architecture for control. Versa Networks has achieved the NSS Labs recommendation for NextGen Firewalls and Intrusion Prevention Systems to further protect the Enterprise critical and sensitive data.

 

So, in conclusion, Enterprises should only consider deploying SD-WAN solutions that support a multi-tier secure architecture to provide the maximum protection to the access of critical, sensitive data.
Until next week, when we will focus on the importance of failure domains, network segmentation, and device redundancy to provide a resilient SD-WAN solution.