The MEF 3.0 PoC (115) will be of great interest to service providers that want to offer advanced managed SD-WAN services based on MEF 70 to enterprise customers using cloud services from branches with Internet access.
Fortinet, TCTS, and Spirent have joined together to demonstrate the use case of secure Local Internet Breakout connecting to O365 and Azure from branch offices. To gain further insight into this MEF 3.0 PoC, Daniel Bar-Lev spoke with Nicolas Thomas from Fortinet.
DBL: Nicolas, please explain the setup for us.
NT: What we have done is, firstly, to create an SD-WAN service with Fortinet’s FortiGate as the SD-WAN Edge (MEF 70) at a branch office. We’ve automated the configuration of the FortiGate with a Local Internet Breakout to enable the branch to connect out via the Internet securely.
Secondly, TCTS has configured multiple IPsec tunnels from this SD-WAN Edge using Azure vWAN and ExpressRoute to provide the branch users with access to O365 and Azure cloud. Note that this does not require a VM in the public cloud.
Finally, Spirent has introduced its security testing technology in and out of the SD-WAN Edge to test the protection of the SD-WAN-managed traffic (breakout or internal).
DBL: For whom is this MEF 3.0 PoC aimed?
NT: Primarily, companies planning to offer, or currently offering, managed SD-WAN services. We’re showing how they can use the combination of Fortinet, TCTS, and Spirent to offer very attractive managed SD-WAN services, security as a service, and security assurance, quickly and effectively.
DBL: Why is a combination needed?
NT: Obviously, SD-WAN managed service providers can use our solutions separately or in combination. What we are seeing is that, often, Tier 1 service providers are going to use Fortinet solutions directly to develop and deliver SD-WAN services for their enterprise customers. However, there are many potential Tier 2 and smaller managed SD-WAN service providers that would prefer to get a white label SD-WAN solution that includes secure and robust access to cloud applications like O365, which they can then enhance and offer under their own brand. TCTS is using the combination of Fortinet products and its cloud access solutions to create an off-the-shelf offering for service providers.
DBL: Where does the security assurance from Spirent fit in? Why does the Fortinet security need to be tested?
NT: SD-WAN services are dynamic, and enterprise customers want to adjust and configure them in real-time, including protection of the traffic over the Local Internet Breakout at specific branches. What Spirent provides is an additional level of security assurance to ensure that, if and when the enterprise customer reconfigures their service, they haven’t inadvertently introduced vulnerabilities into the SD-WAN service.
This managed security assurance service ensures that the security layer is accurate and continuously improved, and that configuration mistakes are spotted quickly.
DBL: In short, this MEF 3.0 PoC shows service providers how they can offer a premium SD-WAN + SECaaS service?
NT: Yes, but it is worth expanding on that. The challenge for the enterprise is that their data is becoming increasingly distributed. It used to be that all the enterprise data was located in secure locations within the full control of the enterprise. Protecting that data was primarily about ringfencing those locations with firewall technology. Today, critically important enterprise data is distributed or decentralized—for example in public and private clouds.
Protecting the enterprise data in all these locations requires a wide range of technologies that are based in the cloud. Gartner recently coined the term ‘SASE’ pronounced ‘sassy,’ which stands for ‘Secure Access Service Edge.’ SASE describes ensuring secure access to corporate data scattered across SaaS and cloud providers and, eventually, IoT applications. The MEF 3.0 PoC demonstrates treating the provisioning of secure access in an SD-WAN service context to applications in the public cloud, with continuous security assessment, as a managed service in its own right.
DBL: How does this tie back to MEF 3.0 standards work?
NT: MEF is now developing the working draft of MEF 88 (Protection of Application Flows over SD-WAN) with myself as co-editor. MEF 88 aims to provide the basis for managed SECaaS offerings from service providers. What we are learning in MEF 3.0 PoC (115) will be introduced into that work and may also seed new work on standardized testing of SECaaS. This is only the beginning.
MEF 3.0 PoC (115) – Security Assurance in SD-WAN Application Flows (“The Protectors”) will be showcased at MEF19, 18-20 November 2019, in Los Angeles.