For years now, I have been a big advocate of cloud hubs as the future of WAN architecture. There are some serious benefits to anchoring a network on a series of cloud hubs, and this article explores the benefits for network security.
But first, a basic definition of what’s meant by “cloud hub.”
A cloud hub consists of racks of switching and routing equipment that are typically deployed in carrier-neutral, co-location data centers, such as those operated by Equinix and CyrusOne. Then, these data centers are interconnected with high-capacity, low-latency circuits that create a high-performance core network. At the edge of this network, an enterprise can interconnect with its existing carrier services, whether they are MPLS networks, dedicated internet access networks, Ethernet, or private line services. The organization also can directly connect to its branch offices, remote and mobile users and partners, and of course, its own core data centers.
I firmly believe that establishing a WAN backbone architecture based on cloud hubs connected with high-speed links is the future of wide area networking. This model can have a huge impact on enterprise security.
Consider how security is typically deployed in a legacy, hub-and-spoke WAN architecture (i.e., before the idea of cloud hubs). Say an enterprise has its corporate headquarters in Dallas and branch offices in Los Angeles, Atlanta and Chicago. In the legacy WAN environment, security is centralized at the headquarters’ data center. Traffic from the branches must be backhauled to Dallas to pass through security before it can go out to the cloud or the public internet, and it makes the reverse route to go back to the branches. We call this hair-pinning of the traffic. It adds latency and harms application performance. Unfortunately, this scenario is extremely common today, and the problem is magnified when there are numerous branch locations that must backhaul their traffic through the enterprise data center before sending it to the cloud.
If the company decides to distribute security to the branches, it must place a firewall in each branch location. Traffic no longer has to be backhauled to the main data center before going to the cloud and internet. However, the company now has numerous firewalls (and perhaps other security solutions) to support and maintain instead of one. Not only security policies, but also firewall patches and updates, can quickly get out of sync among the branches and the home office.
The Benefits of a Cloud Hub Approach for Security
Cloud hubs allow a company to regionalize security, which is a middle ground between the two alternatives: the centralized security posture that causes latency and poor performance, and the overly distributed security that causes a management nightmare and high cost.
Cloud hubs are an intermediate point where a full security stack can be deployed and an organization’s security policies can be enforced closer to cloud applications and distributed users, without the need to deploy and manage additional firewalls in the branches. In fact, security can be offered “as a service,” including NGFW, CASB, DLP, IDS/IPS, and more.
Using distributed peering points, cloud hubs can also act as a cloud security gateway to cloud-based security products, giving the enterprise even more options for security.
By hosting security in a cloud hub, the company is no longer responsible for keeping and managing the security devices on-premises; someone else takes care of those needs. This can ease the demands on the company’s own security staff, who can then concentrate on developing and maintaining policies rather than on the operation of the security appliances themselves.
Cloud hubs are the future of WAN architecture and the perfect place to host enterprise security.