Communications Reimagined
Industry insights for 5G evolution and transforming digital experience.

Best Practices for Securing the WAN

As organizations expand their IT networking infrastructure to better serve end users in branch offices and support cloud-based applications (among other initiatives), WAN security must become a priority. Moreover, a major shift is underway in how network admins and their teams set up their WANs, and associated security practices have to keep pace. Rather than rely on expensive “guaranteed” MPLS lines, companies are integrating more broadband Internet links, which supply plenty of extra bandwidth for link aggregation but must also be properly secured.

“This shift from using traditional WAN connections to broadband and Internet VPNs requires heightened WAN security at the branch offices,” explained Tessa Parmenter of TechTarget. “Branch offices will need Internet-facing security similar to the security methods deployed in data centers: firewall, intrusion detection and prevention, content filtering and anti-malware.”

With that in mind, what specific steps, beyond the general ones Parmenter mentions, can admins et al take to protect the WAN? Let’s look a few useful techniques and practices that they can take up to ensure network integrity and data security.

Best practice #1: Implement encryption
The vulnerability of traditional connections such as MPLS and Frame Relay was highlighted a few years ago, following revelations about worldwide network surveillance by government bodies such as the U.S. National Security Agency. From that point on, enterprises could no longer assume that even these expensive links were safe from snooping and data interception.

AES encryption can guard any packets that pass over public Internet circuits.

Encryption is essential in this context. The good news is that, with the illusion of superior (but costly) MPLS security now dispelled, IPsec and SSL encryption over Internet VPNs can provide the comprehensive protection as well as the overall affordability (since broadband is cost-effective) that many network admins now expect from modern WANs.

More specifically, 128- and 256-bit AES encryption can guard any packets that pass over increasingly popular public Internet circuits. Encryption helps maintain compliance for sensitive assets by using a VPN over broadband.

Best practice #2: Keep everything up-to-date and patched
Outdated software and firmware are constant risks to information security. Just look at the amount of attention and concern devoted to the end-of-life processes of Microsoft Windows XP and Windows Server 2003 over the past two years. WAN admins cannot afford to fall behind on their updates in the same way.

In particular, applications and servers across the WAN must be regularly patched as new updates become available. An automated monitoring solution may be used to keep tabs on patch status, or admins may check manually from time to time.

Either way, handle patch management with care. Make regular backups in case something goes wrong after an update, and if possible test patches on non-critical systems first to verify their safety.

Best practice #3: Use policies and tools to keep tabs on network utilization
Like a slug inching across the ground, a malicious application often leaves a trail behind itself. Maybe it is consuming excessive bandwidth or otherwise noticeably clashing with your historical application usage data. If you can spot it behaving like this, then you can take action to limit its impact and remove it from your network.

One way to stay ahead of such problematic malware is to monitor overall network capacity and enforce prioritization of business-critical applications. This way, you can see how each network path is functioning, whether there are any deviations from the baselines and if your most important programs are still working as designed.

If something ever needs adjustment, it pays to have a single point of configuration for your WAN security. That way, controlling any rogue traffic can be done easily and efficiently from just one location.