In the past, corporate security was more easily maintained via larger centralised gateways to the Internet. As the volume of Internet sourced/destined traffic increases in the network, it’s no longer viable to support carrying this across the corporate network, but instead it should be managed as close to the user as possible.
With the availability of tools to orchestrate a large number of geographically dispersed firewalls, as well as cheap (or embedded) firewalls to deploy on each remote site, as well as low-cost Internet access using ADSL it is now possible to provide a coherent corporate firewall policy implemented at each site.
Whilst the costs of tooling can be higher both for firewalls and the orchestration necessary to manage configuration and most importantly centralised logging, this is typically more than made up by the reduction in cost of the core transport network cost.
Anecdotally, many organisations are seeing a move to a combined internet and MPLS network providing them cost-savings of 66%, or alternatively three times the current bandwidth with their current budget.
The use of cloud applications such as Microsoft Office365, the spread of the Internet of Things, and internet hosted micro-services accessed via JSON and RESTful API calls will continue to drive up direct Internet bandwidth, and it makes absolutely no sense to carry this traffic on the corporate WAN.
Simply connecting an Internet connection to the site is not the way to enable this, it needs to be considered on a network-wide basis, especially if implemented not at the site-by-site level, but at regional hubs. Considerations should be made for:
- Propagating the default route and the impact on routing tables
- Edge security, is the provision of a NAT boundary enough
- Automated tooling for monitoring and management to scale across many sites
- Additional local appliances (physical or virtual) for security or use the cloud?
To achieve the gains of using Local Internet Break out and to prepare for the next step of a hybrid network requires some careful thought and planning.. but the cost-savings of doing so can significantly reduce the budget for the corporate WAN.