The challenge of Stormshield's SD-WAN here is to better control WAN links and management costs without requiring a constant human presence to manually react to link quality issues.
Automatic distribution of the load
Set of software features
SD-WAN technology offers the ability to optimize WAN connectivity by dynamically choosing the best possible link and makes it easier to secure your site-to-site links.
Measurement of the quality of the link
Automatic switching according to the measured criteria
Monitoring metrics for links
The Quality of Service (QoS) of Stormshield Network Security solutions prevents network congestion and ensures 100% reliable connectivity.
Increased bandwidth on the network
Guaranteed availability of the network
No loss of productivity
Stormshield SD-WAN solutions
While SD-WAN players offer network functionality, security is not their core business and is absent or poorly integrated. Stormshield offers a secure and trusted SD-WAN approach through a range of Stormshield Network Security (SNS) firewalls, a centralised Stormshield Management Center (SMC) and a Stormshield Log Supervisor (SLS) log management solution. With our solutions certified to the highest European standards, we address both network and security components simultaneously.
Management of multiple WAN links (distribution and failover)
Easy deployment of equipment on remote sites
VPN tunnels management
Recognition of web applications (SaaS)
Flow routing by application and protocols
Bandwidth management (QoS)
Monitoring of the link quality by SLA indicators (latency, jitter, packet loss)
Centralized management from our SMC and SLS solutions or via API
This Stormshield whitepaper describes the various aspects that an organisation needs to consider when implementing an SD-WAN approach, in other words a secure and trusted technological approach. This document is aimed at consultants and IT security managers to help them understand the challenges of SD-WAN today.
When it comes to selecting a vendor from among a number of hardware and software solutions, you need to consider, among other things, the product's robustness and trustworthiness in relation to geopolitical and economic issues. The notion of robustness is defined by the ANSSI as an evaluation of products that "consists of testing their ability to resist computer attacks according to a defined context of use and level of threat". The notion of trust is to be found clearly in the product strategy of the various publishers.
As a result, organisations have embarked on structural and digital changes to deliver a better experience for their staff and customers, as well as improvements to their IT processes. SD-WAN is an essential pillar of this, as this technology simplifies the management of networks across different sites while optimising costs, provided that the concepts of security and trust are taken on board at the same level. Performance, cost, security, trust: these are the four aspects that should guide your choice of a Trusted SD-WAN offering.
SD-WAN is a catch-all term that can seem complex. Our teams of experts are at your disposal to help you understand it and answer your questions.
Dig into this topic with Stormshield in an interactive meeting, hosted by Manuel Jordan, Product Marketing. Our Network Security experts, Simon Dansette, Product Manager, and Quentin Tieghem, Pre-Sales Engineer, answered all your questions about this major advance in infrastructure protection.
How are link quality indicators measured?
These indicators are measured through pings or TCP tests.
How are failover policies defined?
They are defined by thresholds in the router objects.
What are the possibilities of pcap filters? The same as in console? Is it the same syntax as tcpdump?
Indeed, pcap filters are based on the same syntax as tcpdump.
Have you started the certification of v4 by the ANSSI?
The process of obtaining a new certification has begun. It is underway for version 4.3. For more information, please visit this webpage.
Will version 4.3 be the Long-term Servicing Branch (LTSB) version?
Yes, this version will be announced as LTSB in the next few months.
Is a SAML-like authentication method planned for future releases?
This topic is currently being studied but is not yet planned in the roadmap.
What multi-factor authentication (MFA) solutions are supported? Do you have a support matrix?
We use the RADIUS protocol and there is not yet a matrix on this subject. However, you can contact our pre-sales engineers, depending on your case. Contact us for more information.
Can SD-WAN features replace a carrier's MPLS?
SD-WAN could replace MPLS links. However, a case-by-case evaluation would be necessary. For more information, please visit our Professional Services webpage.
Is there SD-WAN compatibility with the Stormshield Management Center (SMC) solution?
Yes, SD-WAN compatibility is planned and should be available soon.
Something like TCP Probe has appeared in the router object. How does it work? Is it only TCP Handshake? Can it be configured on any port or not?
TCP Probe works with TCP Handshake and can be configured on any port.
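The answers above describe link quality measured by TCP-handshake probes, reduced to the SLA indicators (latency, jitter, packet loss) and compared against thresholds to decide failover. The following is an added example of that logic, not Stormshield code: the function names, the jitter definition, the threshold values and the sample data are assumptions made for illustration.

```python
import socket
import statistics
import time

def tcp_probe(host, port, timeout=1.0):
    """Time one TCP handshake in ms; None means the probe was lost."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:  # refused, unreachable or timed out
        return None

def sla_metrics(samples):
    """Reduce probe results (ms or None) to the three SLA indicators.
    Jitter is taken here as the mean gap between consecutive successful probes."""
    ok = [s for s in samples if s is not None]
    deltas = [abs(b - a) for a, b in zip(ok, ok[1:])]
    return {
        "latency_ms": statistics.mean(ok) if ok else None,
        "jitter_ms": statistics.mean(deltas) if deltas else 0.0,
        "loss_pct": 100.0 * (len(samples) - len(ok)) / len(samples),
    }

def within_sla(metrics, thresholds):
    """A link with no successful probe never meets the SLA."""
    if metrics["latency_ms"] is None:
        return False
    return all(metrics[key] <= limit for key, limit in thresholds.items())

def select_link(links, thresholds):
    """Return the first link (in preference order) that meets every threshold;
    if none does, fall back to the link with the lowest packet loss."""
    scored = {name: sla_metrics(samples) for name, samples in links.items()}
    for name, metrics in scored.items():
        if within_sla(metrics, thresholds):
            return name
    return min(scored, key=lambda name: scored[name]["loss_pct"])

# Constructed samples (handshake times in ms, None = lost probe); assumed limits.
THRESHOLDS = {"latency_ms": 100.0, "jitter_ms": 20.0, "loss_pct": 5.0}
LINKS = {
    "wan1": [20.0, 22.0, None, 80.0, None, 21.0],
    "wan2": [35.0, 36.0, 34.0, 35.0, 37.0, 35.0],
}

if __name__ == "__main__":
    for name, samples in LINKS.items():
        print(name, sla_metrics(samples))
    print("selected:", select_link(LINKS, THRESHOLDS))
```

In live use, each sample list would be filled by repeated `tcp_probe(host, port)` calls towards a gateway or service reachable through the link being measured.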
Regarding QoS, what happens to the previously created rules? After the migration to version 4.3, it seems that the module should be finalized, but how will the firewall rules work with the old QoS rules, will they not handle the traffic properly or will they work as if the old QoS rules were not there?
In this case, the old QoS will be disabled and the setting must be updated with the new QoS. Queues and queue assignment are retained. Traffic shapers must be created and assigned to the interfaces.
What does the traffic shaper in QoS refer to?
The traffic shaper refers to the flow control mechanism implementing bandwidth limitation and reservation.
Will there be a technical documentation for QoS?
The document is currently being written; a link to it will be available soon.
What are the differences between FQDNs and current objects?
Current objects are made with active resolution while FQDNs used in web services are based on DNS flows observed by the firewall.
What about the management of wildcards in the filtering rules?
This possibility will be introduced in the version following 4.3. Web services objects can be defined with wildcards in DNs and used in rules.
Do you plan to introduce SD-WAN for different applications?
In the next version 4.4, we plan to introduce the notion of web services. They will allow the detection of applications before the use of SD-WAN.