#HowTo Do SD-WAN Security

Written by

Enterprises today relentlessly pursue new methods to transform and virtualize their traditional IT environments, and increasingly they’re seeing real-world success extending the benefits of virtualization—automation, improved security, and agility—to network and application delivery.

The software-defined wide-area network (SD-WAN) is at the forefront of this transformation. SD-WAN is a targeted, software-defined approach to the traditional wide-area network. Where WAN connections are often manually configured between basic links, SD-WAN’s aim is to simplify WAN provisioning and extend operations over the public internet, cloud express routes, and more. While SD-WAN isn’t a new technology, it’s well-defined with more standards and deployments than other SDN technologies.

Over the past few years, there’s been significant proliferation of SD-WAN and its popularity shows no signs of waning. In fact, research from Gartner predicts over 40% of enterprises will adopt SD-WAN by the end of 2019, while IDC predicts the market is poised to reach a value of $4.5 billion in 2020.

The benefits of SD-WAN in tightening up security and centralizing management and control have been driving factors in its uptake, along with substantial cost savings when compared with legacy WAN networks like MPLS. Some IT professionals initially dismissed the bold claims around SD-WAN, but they are fast waking up and realizing it unlocks a new era of flexibility and bespoke networking.

Organizations have long been attracted to the SD-WAN vendor promise of interoperable or “plug-and-play” solutions, seamlessly implemented to run over existing WAN infrastructure right “out of the box.” Arguably its greatest benefit—with reasonable skepticism—is identifying and closing holes in an enterprise’s security.

While some SD-WAN offerings include security services, they vary in their approach and best practice. This has left some organizations and IT professionals uncertain of how best to use SD-WAN security capabilities in constantly changing environments regularly targeted with new and emerging threats.

Understand the Security Built In
SD-WAN solutions and the accompanying typical security offerings aren’t a one-stop shop solution. The critical factor in optimizing network and application security is tailoring the program to align with the needs of an organization and its risk profile.

Awareness of what is and isn’t included in the SD-WAN solution is central to achieving this goal. Because without a clear understanding of the security components composing a newly implemented SD-WAN, organizations ultimately put themselves at risk.

Almost all SD-WAN solutions include a simple, stateful firewall, but these are limited by their ability to simply distinguish legitimate network packets from different types of connections. It’s far more valuable to almost any large enterprise to implement a next-generation firewall for deep packet inspection, intrusion prevention, web filtering, and malware protection.

Furthermore, with SD-WAN enabling greater connectivity between branch offices, the amount of data transmitted from site to site grows considerably. However, more data in motion means an increased risk of data interception.

End-to-end encryption to protect the traffic flow of data seems obvious but upskilling secure deployment policy management is another critical security element and should be factored into any SD-WAN solution.

A Cultural Shift and a Technical One
While adding proven IT security solutions is a reliable way to tighten up security, organizations must, at the same time, drive adoption of a company-wide security posture to align with new methods. For example, zero-trust is regularly cited as best practice for SD-WAN security, and it does exactly what it says on the tin. This method, key to network segmentation, encourages organizations to verify and assess anything and everything attempting to access a given network, refining context down to users, locations, and applications.

Coupled with adopting the culture shift is the need for organizations and IT pros to remember SD-WAN doesn’t eliminate the need for other wide-area networking security and resilience. In many cases, the rollout of SD-WAN doesn’t eliminate the need for MPLS (Multiprotocol Label Switching) networks—and in fact, it’s expected MPLS will be in play for years to come.

Therefore, organizations should be mindful of maintaining the security and privacy of the underlying network infrastructure, ensuring enterprise data is encrypted before it travels between sites.

Complete Stack Visibility
The ability to monitor and manage network and application performance across the network stack when implementing an SD-WAN solution is another key consideration when it comes to security. While not necessarily a direct security solution, SD-WAN performance monitoring may help surface unusual behaviors, reveal compromised admin accounts, and identify potential threats that may slip through the net of manually configured and monitored WANs.

Traditional monitoring is primarily focused with keeping the lights on and delivering a great Quality of Service (QoS) to network users. With SD-WAN’s improved access to application specific network configuration, Quality of Experience (QoE) in the delivery of those applications to the end user has grown in importance. However, this requires IT pros to gain new skills to maintain a holistic view of the expanded network stack.

Only then may they be aware of both potential security threats, be in position to provide great network and application performance and assure the SD-WAN rollout is a success.

SD-WAN seems to be delivering on its transformation promises better than some other heavily hyped software actuation technologies (and winning over many skeptical traditional network administrators in the process).

While automation is a big selling point of SD-WAN, the new approach won’t solve every issue alone. It’s vital when rolling out SD-WAN to have a clear view of your organization’s objectives and how to do it securely.

As is always the case with IT change, coupling a new technology with cultural change is pivotal when it comes to success. SD-WAN is a great foray into software’s promise of building effective security into everyday network configuration tasks.

What’s hot on Infosecurity Magazine?