Peplink SD-WAN Approach

Published On 15 Oct 2020

Source: https://www.vitel.com.tr/peplink-sd-wan-yaklasimi/

This article examines Peplink’s view of SD-WAN infrastructure and, in doing so, covers concepts that apply to SD-WAN products of any brand. We will look at the features an SD-WAN device should have, traffic distribution over Peplink, traffic routing using DNS, traffic routing with the Peplink bonding approach, how to provide security and continuity when a distributed firewall architecture is required, and how to optimize costs. So, what is SD-WAN infrastructure?

Here are the main features that an SD-WAN device should have:

  • Whether the device is virtual or physical, it must have multiple WAN outputs.
  • All WAN outputs should be usable at the same time.
  • Software or a similar tool (the “SD”) should define which outputs are used for which traffic. (It may be on-device or external software.)
  • In addition, a good WAN router should be able to manage inbound traffic as well as outbound traffic using load-balancing logic, and to combine all lines between WAN devices (Bonding).

BONDING WAN OUTPUTS

Being able to combine WAN outputs for incoming traffic has several benefits in terms of security and continuity. First and foremost, an outage at one of the service providers does not affect continuity and access. In addition, since VPN and SSL traffic are distributed across the WAN outputs, access speed increases and external users get uninterrupted access. From a security perspective, since Peplink uses L2TP, secure and flexible network access can be provided for external users, as L2TP is an easy-to-manage access method on almost all devices.

Figure-1 Traffic Distribution via Peplink

Similarly, distributing outbound traffic over more than one WAN output is of great importance for security and continuity. In addition, services such as WebTitan, which integrate with the DNS Proxy unit in Peplink, can be used, preventing users from choosing their own DNS provider and circumventing DNS security policies. Peplink routers also have a content filtering feature that does not require a subscription; combined with a good firewall rule set, unwanted traffic can be blocked. A further advantage of communicating over many WAN outputs is that it makes it harder for malicious actors to eavesdrop on your outbound traffic and attack, because the traffic leaves through different channels each time. The use of bonding further increases this degree of security.

Figure-2 Forwarding Traffic Using DNS

Bonding increases security and continuity and reduces costs through advantages such as sending encrypted traffic over all WAN outputs, splitting the traffic across these outputs, and managing the security infrastructure centrally. To raise the security level, the “deny all in / deny all out” default firewall rule can be activated on the remote ends using Peplink SpeedFusion VPN, so that all traffic not matching an explicit rule is blocked. At the central location, all traffic that will reach the internet through the central firewall can be controlled in detail, so the organization’s entire traffic can be managed from a single point.

Figure-3 Traffic Routing with Peplink Bonding Approach

SD-WAN AND PEPLINK

When a distributed firewall architecture is required in structures such as MPLS or IPSec VPN, security and continuity are provided as follows:

  • Peplink devices are used with more than one WAN output to protect against line interruptions, thus increasing connection options.
  • When bonding is added, VPN traffic is encrypted with 256bit AES and distributed over all WAN outputs.
  • Bonding also provides uninterrupted communication over all lines.
  • When central security management is integrated, Bonding provides defense against attacks.
  • When bonding and central management are used together, management through a single point of entry is provided.
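The two mechanisms this section relies on, capacity-weighted bonding that survives a link outage and a default-deny policy at the remote end with the tunnel peer as the only allow, as an added toy model. This is illustration code written for this article, not Peplink firmware or SpeedFusion logic; link names, capacities and the IP addresses are constructed values.

```python
# Added illustration (not Peplink code): toy model of the bonded-tunnel design above.
# Assumptions: link names/capacities and IPs are constructed; edge_firewall models the
# "deny all in / deny all out" default with a single allow for the tunnel peer.
from dataclasses import dataclass


@dataclass
class WanLink:
    name: str
    mbps: float        # nominal capacity, used as the bonding weight
    up: bool = True    # False simulates an ISP outage on that line


def bond_distribute(links, n_packets, sent=None):
    """Spread n_packets across every healthy link in proportion to capacity.

    Deterministic weighted round-robin: each packet goes to the healthy link with the
    lowest load-to-capacity ratio, so an outage only shifts traffic, never stops it.
    Returns per-link packet counts (cumulative when an earlier `sent` dict is passed).
    """
    sent = dict(sent or {l.name: 0 for l in links})
    for _ in range(n_packets):
        healthy = [l for l in links if l.up]
        if not healthy:
            raise RuntimeError("all WAN links down: tunnel cannot carry traffic")
        target = min(healthy, key=lambda l: sent[l.name] / l.mbps)
        sent[target.name] += 1
    return sent


def edge_firewall(dst, tunnel_peer, allow=()):
    """Remote-end policy: default deny; only the SpeedFusion peer and explicit allows pass.

    Everything the site needs reaches the internet through the tunnel, where the
    central firewall inspects it, so nothing else needs a direct exit here.
    """
    if dst == tunnel_peer or dst in allow:
        return "allow"
    return "deny"


if __name__ == "__main__":
    links = [WanLink("fiber", 100), WanLink("lte", 50)]
    counts = bond_distribute(links, 150)
    print(counts)                              # {'fiber': 100, 'lte': 50}
    links[1].up = False                        # LTE provider outage
    print(bond_distribute(links, 30, counts))  # {'fiber': 130, 'lte': 50}
    print(edge_firewall("203.0.113.10", "198.51.100.1"))  # deny
```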

COST OPTIMIZATION

Figure-4 Different ISP Usage and ISP Management

Typically, in a multipoint WAN project, the remote sites are connected to the center by MPLS or similar lines. Communication and continuity therefore remain dependent on a single service provider, and in such a structure communication costs can also increase significantly. Compared to MPLS line costs, higher-speed internet access can be cheaper. Full control over service provider redundancy and communication costs can be achieved through access over internet lines from different service providers. To summarize the gains:

  • Ability to establish a manageable infrastructure by reducing single and independent line costs,
  • Ability to establish and manage your own WAN network using the Peplink SpeedFusion VPN structure,
  • Avoiding expensive device and line costs for technologies such as MPLS, P2P and IPSec,
  • Avoiding high-cost line maintenance contracts,
  • Ability to lower network management costs,
  • Ability to take full control of the network, act independently of the service provider, and evaluate a more suitable option immediately when one becomes available,
  • Using central management with Bonding, and thus doing away with costly firewall hardware and other related services.
