Why SD-WANs are Just the Beginning of WAN Security

The recent advent of software-defined wide area networks (SD-WANs) has brought a new layer of security to traditional wide area networks (WANs) and multi-protocol label switching (MPLS) connections. Unlike the unrestricted user access that many MPLS-based backbones often grant to users, SD-WANs make it easy for IT to use tunneling to segment traffic over the network.

As any security professional knows, layer three segmentation hardly classifies as secure networking. SD-WANs still lack layer-seven visibility to prevent a malicious user (or malware) from accessing a system on a different segment. Only by fusing security into the SD-WAN will companies gain the protection they seek.

WANs Require Segmentation

The nature of work has almost completely changed over the past decade. Both workers and data are now distributed, with data residing in the cloud and newly flexible workers able to access it from virtually anywhere. While this has created tremendous efficiencies from a business standpoint, it’s also dissolved the traditional network perimeter.


Whereas networks once surrounded physical business locations in order to protect against outside threats, the network now extends to anywhere and any device where work is taking place. This means that attacks can now come from just about anywhere, and this has already had drastic consequences. For example, IBM security found that over half of all attacks can now be classified as “insider”. This is directly related to the use of flat WANs.

Without some form of network segmentation, attackers with network access from one location can reach the core components of the business, including datacenters. One prominent example of this was the Target breach in 2013. In that instance, security experts found that there were no limits placed on access from within the network, enabling lateral movement from the initial point of entry (a vendor's remotely accessible system) all the way to the POS registers.

SD-WANs Can Help

SD-WANs can improve security by restricting access to key resources. For example, by placing HR users in their own overlay or segment, they can access the payroll server but not the engineering department’s file server. Or, users on the guest WiFi network can use the general internet but aren’t able to access internal resources. These are now fairly common and familiar examples found in SD-WAN implementations around the world.


SD-WANs achieve this type of basic separation by segmenting the WAN with layer three encrypted tunnels, typically based on the IPsec standard. The SD-WAN nodes in each location map VLANs or IP address ranges to the tunnels - the segments or overlays - based on customer-defined policies.

SD-WANs help minimize the internal attack surface and protect against many types of basic attacks. Malicious users and scripts can only attack the resources accessible from within the overlays, and lateral movement across resources on different overlays is restricted.

Regular SD-WANs are Still Vulnerable

However, SD-WAN segmentation only restricts access based on device address. An unsecured device means unsecured network access. Once an attacker controls a device inside a segment, SD-WAN segmentation does nothing to keep that attacker from crossing segments — malware can still quickly spread across an organization.

Fixing this issue means applying the same advanced security services that organizations use to protect the perimeter — next-gen firewalls, malware protection and more — between segments of the enterprise network. Security decisions need to be made based on true application-layer information, such as the user, and not simply the device address.
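As an added illustration (not code from the article or any SD-WAN vendor), the following Python models the two policy layers discussed above: the layer-three overlay mapping described in the SD-WAN section, and the user- and application-aware check that has to sit between segments. The overlay prefixes, user groups and application names are constructed for the example; in a real deployment the user and application fields would come from an endpoint agent and application identification on the firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed overlay map: each overlay (segment) owns a set of IP prefixes,
# mirroring how SD-WAN nodes map VLANs / address ranges to IPsec tunnels.
OVERLAYS = {
    "hr":    [ip_network("10.10.0.0/24"), ip_network("10.50.1.0/24")],  # HR users + payroll server
    "eng":   [ip_network("10.20.0.0/24"), ip_network("10.50.2.0/24")],  # engineering + file server
    "guest": [ip_network("192.168.100.0/24")],                          # guest WiFi, no internal access
}

# Constructed application-layer policy: which user group may use which
# application to reach which server range (evaluated between segments).
L7_POLICY = [
    {"group": "hr",  "app": "payroll-web", "dst": ip_network("10.50.1.0/24")},
    {"group": "eng", "app": "smb",         "dst": ip_network("10.50.2.0/24")},
]

@dataclass
class Flow:
    src: str
    dst: str
    user_group: Optional[str]  # identity behind the flow; None = no authenticated user
    app: str                   # identified application, e.g. from firewall app-ID

def overlay_of(addr: str) -> Optional[str]:
    """Return the overlay (segment) that owns this address, or None."""
    ip = ip_address(addr)
    for name, prefixes in OVERLAYS.items():
        if any(ip in prefix for prefix in prefixes):
            return name
    return None

def l3_allows(flow: Flow) -> bool:
    """SD-WAN segmentation: permit only if src and dst sit in the same overlay."""
    src_ov, dst_ov = overlay_of(flow.src), overlay_of(flow.dst)
    return src_ov is not None and src_ov == dst_ov

def l7_allows(flow: Flow) -> bool:
    """Firewall between segments: layer-3 check plus user/application check."""
    if not l3_allows(flow):
        return False
    return any(rule["group"] == flow.user_group and rule["app"] == flow.app
               and ip_address(flow.dst) in rule["dst"] for rule in L7_POLICY)

if __name__ == "__main__":
    # Malware on a compromised HR laptop talking SMB to the payroll server with no
    # user behind it: same overlay, so layer 3 lets it through; layer 7 does not.
    compromised = Flow("10.10.0.5", "10.50.1.10", None, "smb")
    print("L3:", l3_allows(compromised), "L7:", l7_allows(compromised))  # L3: True L7: False
```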

Integrating Firewall as a Service into the SD-WAN makes implementing that kind of deep WAN segmentation much easier for all mobile users, cloud resources, and locations. Enterprises avoid the upfront hardware investments, maintenance costs and lengthy provisioning processes that come with coupling a traditional security stack to the SD-WAN. As more enterprises embrace the shift to integrated security and networking services in the cloud, advanced segmentation will become the norm, hopefully making Target-like lateral movement a thing of the past.