Our requirements to create secure interconnected wide area networks have changed little over time. Retailers need to communicate with their branch outlets, banks need to connect to their local stores, Local Councils need to connect to their local services, and General Practice Surgeries all communicate together to create a single useful store of patient data. The common theme across all this is the sharing of data. Whilst the need hasn’t changed much, the volumes of data have…significantly.
Increasing demands on the availability of systems and data have created a hunger for increasing levels of bandwidth. Appetites for “everything now” in distributed networks and enterprise wide area networks mean that we must invest, invest, invest in connectivity to satiate our needs…
Technology has brought many changes in the ways we can service our distributed network needs. However, the rate of change of the demand for data has left most organisations opting for expensive MPLS networks. Is this now the only option, and what are the challenges that are not addressed in MPLS environments?
Advantages of a WatchGuard Layer 3 IP/VPN Network
- Layer 3 IP/VPNs with WatchGuard will work with any connectivity provider
- You can control the changes to the network configuration and can effect them immediately (managed services are available with same day deploy SLA)
- Suits networks of all sizes, reducing the cost of circuitry and increasing the return on investment in core technology the larger the network grows
- Full Layer 3 connectivity
- Built-in Quality of Service (QoS) allowing you to prioritize your own traffic without incurring additional service costs
- Built-in Security Scanning within the VPN tunnel
Firewalls typically manage data passing through them based on source and destination. Many, including WatchGuard, use proxies to allow for scanning of viruses, malware, unauthorised applications, and odd behaviour within the traffic, but what about bad traffic on the inside of your Enterprise WAN? Private interconnecting circuits routing out to the internet through one centrally located firewalled gateway mean that bad traffic can be present in the internal network without the administrator's knowledge. In a traditional branch-to-branch VPN environment the option to use the proxies on the firewall will be available but often unused, simply because of the service degradation when enabled, almost forcing the MPLS case.
High profile breach cases have proven that it can be trivially easy to establish backdoors into a trusted network that can be almost impossible for an administrator to detect, so it makes sense to start detecting and blocking the bad traffic in your network.
WatchGuard, using Intel QuickAssist Acceleration Technology, are now able to offer high speed, high security, and low cost solutions for the distributed network and enterprise WAN. QuickAssist enables WatchGuard to use the firewall endpoints of the VPN WAN as security check points without impacting the user experience of the . By enabling features such as Gateway Antivirus and Intrusion Prevention, Application Control, APT Blocker, and Data Leakage Prevention, each gateway becomes a security boundary for the rest of the internal network. By decentralising your security gateway you are effectively segmenting your WAN into security zones, gaining more control of the traffic that travels within your internal network.
WatchGuard Branch to Branch VPN Architecture
The following is a representative description of the needs of a typical environment…
| Site Name | Bandwidth Requirement | No. of Employees on Site | Firewall Recommendation |
|---|---|---|---|
| Head Office | T1 100 Mbps | 500 | WatchGuard M500 High-Availability Pair |
| Remote Site 1 | T1 10 Mbps | 100 | WatchGuard XTM 330 Redundant Pair |
| Remote Site 2 | 10 Mbps Broadband | 20 | WatchGuard XTM 25-W |
| Home Worker | 5 Mbps Broadband | 1 | WatchGuard T10-D |
Cost of the Enterprise WAN
The most common question we are asked is what the benefit of MPLS is over a firewall-based Layer 3 IP/VPN.
MPLS is typically priced at £200 – £400 per Mbps per month for the copper connectivity typically deployed at all but the very largest enterprise locations, while the monthly price of business fibre broadband connectivity is now £25 per month for speeds up to 40 Mbps.
In the WatchGuard environment detailed above, the cost per Mbps would be something closer to £450-£500 per month for the hardware, plus roughly £100 per Mbps per month for the T1 transit and £25 per month for the fibre broadband.
In our scenario, implementing WatchGuard in a distributed environment rather than an MPLS would equate to a saving of nearly £100,000 over a 3 year period.
The Full WatchGuard solution described would include:
- Resilient firewalls at both main sites
- Web Filtering at all locations
- Email Filtering at all locations
- Gateway Antivirus and Intrusion Prevention at all locations
- Central Management
- WatchGuard Dimension for Central Reporting and Network Monitoring on all devices in the WAN
- Full Quality of Service
- High Speed VPN