The adoption of cloud services has strained traditional corporate network models and is driving a boom in SD-WAN adoption. Compared with traditional, hardware-based WANs, it is commonly credited with roughly halving an organization's capital expenditure and its ongoing operational and management costs, while making better use of the available links.
However, SD-WAN can be deficient in one important area: advanced security functionality.
Research firm Gartner recently noted that “most SD-WAN vendors support basic capabilities such as stateful firewalling and VPN, however, they lack and hence, depend on security partners for advanced functionalities such as intrusion prevention system, malware analysis and sandboxing.”
The firm’s recommendation is to deploy “integrated and dynamic threat protection for multiple cloud connections at both the cloud’s edge and the customer’s Internet/WAN gateway points.” What are the most common security pitfalls that can put SD-WAN deployments at risk?
Direct Traffic Egress to the Internet
In certain SD-WAN architectures, internet-bound traffic leaving directly from satellite offices is not inspected at all. Sometimes this happens because administrators do not understand how their network has been configured; in other cases the traffic is deliberately allowed to leave uninspected to keep it off the MPLS backhaul.
Even where branch traffic is inspected, the inspection often lacks next-generation firewall and endpoint protection capabilities such as SSL/TLS decryption, intrusion prevention, and malware detection and response. Without them, remote sites are easily compromised by malware and other attack vectors, and a compromised site becomes an avenue for threats to reach and propagate inside the organization.
Poor Visibility into Endpoint Threats
Lateral movement, in which an attacker spreads from an infected endpoint to other hosts on the network, has become a standard attacker technique. Once inside, malware conducts reconnaissance to find other vulnerable devices and then exfiltrates data. Containing and preventing this spread requires visibility into east-west traffic and the ability to detect and quarantine compromised devices so they can be remediated.
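The reconnaissance described above shows up in flow telemetry as one source contacting many internal hosts in a short window. The script below is an added example, not code from the original article or any SD-WAN vendor: it parses a constructed NetFlow-style CSV, flags any internal source whose distinct internal destinations within a sliding window reach a threshold, and produces a generic quarantine action for the controller. The field names, the 10.0.0.0/8 corporate range, the threshold and window, and the shape of the quarantine action are all assumptions.

```python
"""Flag internal reconnaissance (destination fan-out) in flow records.

Added example, not code from the original article or any SD-WAN vendor.
The NetFlow-style CSV below is constructed, and the field names, thresholds
and the shape of the quarantine action are assumptions for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 10.20.1.15 sweeps ten server-subnet hosts on SMB, RDP
# and WinRM within seconds; 10.20.1.20 and 10.20.1.21 show normal HTTPS use.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2024-03-04T09:00:01,10.20.1.20,10.20.5.10,443,tcp
2024-03-04T09:00:05,10.20.1.15,8.8.8.8,53,udp
2024-03-04T09:00:09,10.20.1.21,10.20.5.11,443,tcp
2024-03-04T09:01:00,10.20.1.15,10.20.5.10,445,tcp
2024-03-04T09:01:01,10.20.1.15,10.20.5.11,445,tcp
2024-03-04T09:01:02,10.20.1.15,10.20.5.12,445,tcp
2024-03-04T09:01:03,10.20.1.15,10.20.5.13,3389,tcp
2024-03-04T09:01:04,10.20.1.15,10.20.5.14,3389,tcp
2024-03-04T09:01:05,10.20.1.15,10.20.5.15,445,tcp
2024-03-04T09:01:06,10.20.1.15,10.20.5.16,5985,tcp
2024-03-04T09:01:07,10.20.1.15,10.20.5.17,445,tcp
2024-03-04T09:01:08,10.20.1.15,10.20.5.18,445,tcp
2024-03-04T09:01:09,10.20.1.15,10.20.5.19,3389,tcp
2024-03-04T09:02:30,10.20.1.20,10.20.5.10,443,tcp
2024-03-04T09:03:00,10.20.1.21,10.20.5.11,443,tcp
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate range
FANOUT_THRESHOLD = 8            # distinct internal destinations per window (assumption)
WINDOW = timedelta(minutes=5)   # assumption


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Finding:
    src: str
    first_seen: str
    dst_count: int
    ports: tuple


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    return [Flow(datetime.fromisoformat(r["ts"]), r["src"], r["dst"],
                 int(r["dport"]), r["proto"])
            for r in csv.DictReader(io.StringIO(text))]


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW) -> list:
    """One Finding per source whose distinct internal destinations within any
    sliding window reach the threshold. Only east-west traffic is counted, so
    a host talking to many internet addresses does not trip the rule."""
    by_src = defaultdict(list)
    for f in flows:
        if f.src != f.dst and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)
    findings = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best, lo = None, 0
        for hi in range(len(fl)):
            while fl[hi].ts - fl[lo].ts > window:   # slide the window start forward
                lo += 1
            span = fl[lo:hi + 1]
            dsts = {f.dst for f in span}
            if len(dsts) >= threshold and (best is None or len(dsts) > best.dst_count):
                best = Finding(src, fl[lo].ts.isoformat(), len(dsts),
                               tuple(sorted({f.dport for f in span})))
        if best is not None:
            findings.append(best)
    return findings


def quarantine_action(finding: Finding, remediation_net="10.20.9.0/27") -> dict:
    """Policy update to hand to the SD-WAN controller: isolate the host but keep
    a path to the remediation subnet. Generic shape, not any vendor's API."""
    return {"action": "quarantine", "src": finding.src,
            "allow_to": [remediation_net],
            "reason": f"{finding.dst_count} internal hosts contacted on ports {finding.ports}"}


if __name__ == "__main__":
    for fnd in detect_fanout(parse_flows(SAMPLE_FLOWS)):
        print(quarantine_action(fnd))
```

Run as-is it flags only 10.20.1.15 (ten hosts on 445, 3389 and 5985). The threshold and window need tuning per environment, since vulnerability scanners and monitoring systems legitimately fan out; the usual fix is an allow-list of those sources rather than a higher threshold.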
Lack of Network Segmentation
Controlling traffic between workstations and other endpoints is often a headache. If a workstation is compromised by malware or another threat, the problem can rapidly spread to other endpoints throughout the organization. SD-WAN deployments that lack visibility into internal (east-west) traffic and cannot segment it are unable to contain threats once they get inside the network.
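The segmentation this section calls for, and the forced path through inspection from the direct-egress section above, come down to a deny-by-default policy between zones with a short explicit allow-list. The script below is an added example, not code from the original article or any SD-WAN product: it holds a constructed branch policy as data, answers "is this flow allowed?" the same way the rendered rules would, and renders it as an nftables ruleset for a Linux branch router. The zone names, subnets, ports and the inspection zone (standing in for whatever security stack the branch egresses through) are assumptions.

```python
"""Deny-by-default branch segmentation rendered as an nftables ruleset.

Added example, not code from the original article or any SD-WAN product.
Zone names, subnets and the allowed flows are constructed; the inspection
zone stands in for the security stack the branch egresses through.
"""
import ipaddress

# Constructed zones for one branch.
ZONES = {
    "workstations": ["10.20.1.0/24", "10.20.2.0/24"],
    "servers": ["10.20.5.0/24"],
    "inspection": ["10.20.8.0/28"],   # forward proxy / security-service gateway
    "mgmt": ["10.20.9.0/27"],
}

# (from_zone, to_zone, proto, dports). Anything not listed is dropped: there is
# no workstation-to-workstation entry and no workstation-to-internet entry, so
# internet-bound traffic can only leave via the inspection zone.
ALLOWED = [
    ("workstations", "servers", "tcp", [443]),
    ("workstations", "servers", "udp", [53]),
    ("workstations", "inspection", "tcp", [3128]),
    ("mgmt", "servers", "tcp", [22]),
    ("mgmt", "workstations", "tcp", [5985]),
]

_NETS = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in ZONES.items()}


def zone_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for zone, nets in _NETS.items():
        if any(addr in n for n in nets):
            return zone
    return None            # internet or unknown: no zone, so never matched


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Same decision the rendered ruleset makes for a new connection."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False
    return any(sz == fz and dz == tz and proto == p and dport in ports
               for fz, tz, p, ports in ALLOWED)


def render_nft() -> str:
    """Emit the policy as an nftables table: named sets per zone, a forward
    chain with policy drop, return traffic accepted by conntrack state, one
    accept per allowed tuple, and a logged drop for everything else."""
    out = ["table inet segmentation {"]
    for name, nets in ZONES.items():
        out.append(f"    set {name} {{ type ipv4_addr; flags interval; "
                   f"elements = {{ {', '.join(nets)} }} }}")
    out += ["    chain forward {",
            "        type filter hook forward priority 0; policy drop;",
            "        ct state established,related accept"]
    for fz, tz, proto, ports in ALLOWED:
        plist = ", ".join(str(p) for p in ports)
        out.append(f"        ip saddr @{fz} ip daddr @{tz} {proto} dport {{ {plist} }} accept")
    out += ['        counter log prefix "seg-drop " drop', "    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nft())
```

Two points to keep in mind when applying this. The `ct state established,related accept` line is what lets replies to allowed connections back through; without it the allow-list breaks every flow it permits. And a forward chain only sees traffic the router forwards between VLANs, so two workstations on the same VLAN never hit these rules; isolating them needs private VLANs, port isolation on the switch, or host firewalls.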
Increased Attack Surface
When network configuration becomes software defined and controlled from the cloud, the network management plane becomes part of the attack surface requiring protection: whoever controls the controller can push routing and policy changes to every site. All the traditional challenges of securing access to cloud assets apply to SD-WAN administration.
Since many SD-WAN products and services lack advanced security capabilities, organizations should supplement their deployments with next-generation firewalls and endpoint protection, and enforce multi-factor authentication for administrative and remote access. Branch offices and mobile workers should also be protected with a strong VPN, sound authentication protocols, and a cloud-based firewall.
SD-WAN enables organizations to avoid backhauling traffic to headquarters and instead route branch-office traffic directly to the internet. To mitigate the resulting risk, branch traffic should pass through advanced security controls and travel only over encrypted tunnels, both between sites and to the inspection point.
In addition, security policy should be defined and enforced centrally via a controller in the cloud, so that every site applies the same traffic policy and endpoint security enforcement; inconsistent per-site policies are where gaps open.
The SD-WAN management interface should be protected with strong multi-factor authentication, not exposed directly to the internet, and integrated with the organization's privileged access management strategy.
The above best practices were previously only affordable to larger enterprises with deep resources; fortunately they now are within reach of midsize companies via cloud-delivered alternatives.