AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Finding the Right Notes for Your Network Security: The Trombone Effect


In this latest post in our ‘Mitigating Gartner’s Network Security Worst Practices Blog Series’ we’ll discuss my thoughts on Gartner’s worst practice of “suboptimal branch architecture[1]”.

Global organizations today face a real challenge when deciding on the best architecture for their networks. On the one hand they need to move their applications closer to their users for better performance; on the other hand they need to centralize security in order to take advantage of the new features and capabilities that are continuously released onto the market, which in turn require specialized management by a team of highly trained security analysts. This tension is what Gartner has coined "the trombone effect[2]".

I believe the trombone dilemma is applicable to at least two additional core scenarios:

The first is Internet access from branch offices, and the second is the basic data center architecture, where multiple boxes sit physically close to each other inside the data center. In that scenario, traffic has to flow through multiple hops before it can benefit from the large, advanced firewalls at the edge of the data center.

To address the first scenario – Internet access at the branch office – companies often route risky traffic back to the heavy guns for security inspection, or deploy multiple security boxes at each branch office. Both of these options have significant downsides: added latency and/or high cost.

In their research note, Gartner recommends that “Organizations should look to build hybrid WANs, which combine Internet and Multiprotocol Label Switching (MPLS)/Ethernet[3]” as a solution for tromboning.

I believe that there are some additional solutions that should be considered. For enterprises that are not yet in the process of fully moving to the cloud (which is still the vast majority of organizations), one option is to use trailblazing solutions such as Zscaler, which has proved that security delivered as a cloud offering can be as good as, or in fact even better than, an on-premise Internet access security architecture.

For internal applications that need to be deployed close to the end-users for performance as well as for internal data center security – i.e. the second scenario – utilizing a private or public cloud deployment architecture is a possible solution to alleviate ‘tromboning’.

In addition, most firewall vendors today, and increasingly many other security vendors, offer virtualized versions of their products, with pricing models to match an enterprise’s needs. These pricing models are as important as the virtualization itself. The ability to run tens or hundreds of small firewalls wherever you need them, instead of one big box at the edge, without losing functionality, lets you deploy security close to the applications that need it and reduces ‘tromboning’ and its associated latency. It does add management overhead, though, which is something that AlgoSec’s security policy management capabilities can help alleviate. This deployment model lets you match firewall capabilities to the functionality actually required, and allows you to embed firewalls directly in the fabric of your network.

But this does come at a price: having a comprehensive understanding of your entire network topology is now as much the job of the security analyst as it is the job of the network analyst. As Gartner puts it, “In addition, to build the ideal balance between security controls and WAN performance, networking and security teams must work together.[4]” And as these two teams collaborate, both will need a solution, such as AlgoSec, that enables them to speak the same language and manage their security policy in a unified way across their entire hybrid environment.

About the Mitigating Gartner’s Network Security Worst Practices Blog Series

In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.


[1] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.

[2] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.

[3] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.

[4] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.
