Traditional WANs vs Next Gen SD-WAN

Traditional WANs are considered relatively secure because they primarily use private connections (MPLS) into the corporate network. Keep in mind, though, that MPLS separates your traffic from other customers' traffic; it does not encrypt it, so anyone with access to the carrier's network can still read it unless you run a VPN over it. Funneling all branch and cloud-bound traffic back to the data center (known as backhauling) so that security policies can be applied there also has several downsides, including unnecessary latency, congestion, and cost.

With backhauling, it's not unusual for users to pay a performance tax for security. They may complain, "My connection at our branch office is worse than at home." Because of the tremendous growth in public cloud applications, most companies find themselves needing, and paying for, additional expensive MPLS bandwidth. Most worrisome, a backhauled, flat MPLS network can also lead to a false sense of security: once an attacker compromises a remote location, nothing stops them from reaching the rest of the corporate network unless sites and applications are segmented from one another.

The alternative to backhauling is to build a perimeter around each and every office. In this model there are simply too many gateways to buy, deploy, and manage effectively, and every one of them is another device to patch and monitor.

Software-Defined WAN (SD-WAN) technology presents an attractive alternative. It decouples the physical and virtual devices from the software management layer to allow companies to optimize how they route traffic over multiple transports such as MPLS, broadband, LTE, etc. It relies on a centralized, policy-driven console to manage path selection across multiple branch links in order to provide better performance, security, and reliability. Traffic may be routed over existing MPLS or sent directly to the internet through a cloud-delivered security service (a secure web gateway, often bundled with a cloud access security broker for SaaS visibility and control) so that direct internet access is still inspected.

Like software-defined compute and storage, many organizations are migrating to or deploying SD-WAN as an overlay technology. In the Gartner Market Guide for WAN Edge Infrastructure, Gartner recommends that businesses should “prefer SD-WAN solutions or vCPE-based platforms when refreshing or replacing WAN-edge equipment, instead of just refreshing existing router-based platforms.”

How do you keep your network secure when you move some traffic off structured, private MPLS and onto public Internet links?

How SD-WAN Implements Security Policies
Because SD-WAN decouples the data plane from the control and management planes, it allows you to establish central control of network-wide policy and security from the branch to the cloud. Rules can be implemented, deployed, managed, and changed universally throughout the system, without the per-device command-line interface (CLI) configuration that is time consuming and prone to human error.

In addition, SD-WAN solutions provide policy definition at the level of traffic rules (which user or application takes which path), security rules (what inbound/outbound rules are applied at the user and application level), and hardware assignment rules (which physical ports belong to which security zones).

Unlike traditional WANs, SD-WAN solutions typically include dashboard views and analytics across the entire network topology with the ability to drill down into sites, applications, and user views. They show which appliances are registered and online, surface new events, and report tunnel status. With this added visibility, you can troubleshoot problems quickly, plan changes better, and even roll back changes that are not working as intended.

Containing Breaches
Network segmentation and granular access control are essential to containing breaches. Just ask Target. (Note: Target suffered a breach affecting roughly 41 million payment card accounts after credentials stolen from a refrigeration/HVAC contractor were used to get into its network and, from there, reach the payment systems.)

Network segmentation can be configured using SD-WAN solutions and allows companies to reduce their attack surface. Applied to the Target example, the network would be segmented so that vendors only have access to the applications that are directly relevant to their jobs, and a vendor account would have no route to the systems that handle card data. When a breach does occur, it is limited to a smaller portion of the network.

Granular access control allows you to identify users by name, role, or job function. Using SD-WAN solutions, you can assign users to a virtual network zone to simplify management. Because the zone is tied to the user's identity rather than to a site or a port, it follows the user across all locations and applies whichever device they log in from. Companies can rely on user-identity-based access control to better secure mobile and bring-your-own-device (BYOD) environments.

Avoiding Unwanted Guests
Guest traffic can and should be appropriately segmented. With SD-WAN, all guest traffic is directed over the internet with a firewall between the guest zones and the internal zones. Guests can self-register each device in a matter of minutes, and the security policy the administrator has defined for guests is attached automatically to every device that user registers. Web content restriction and malware filtering can also be set as policies.

Security need not take a back seat when implementing SD-WAN, either as an overlay or as a replacement for a traditional WAN. Most importantly, security is built into the solution rather than tacked on as an afterthought that requires manual effort and potentially additional appliances to maintain. With SD-WAN, security policies can be implemented uniformly across the entire network as users move between devices and access points. Traffic routing is defined to maintain quality of service (QoS) while ensuring that the required security controls are met and maintained.

When planning to upgrade a traditional WAN, you should first evaluate the reliability and security needs of each application to determine which traffic is routed over traditional MPLS and which traffic is routed over internet or Wi-Fi links. You can then configure your SD-WAN to centrally manage the traffic routing according to business policies and to use embedded firewalls, automatically provisioned site-to-site VPN tunnels (AutoVPN), network segmentation, and access control for tighter security.
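As an added example (not code from the original article or from any vendor's product), the following Python model ties together the policy pieces discussed above: identity-based zone assignment, a deny-by-default zone-to-zone segmentation matrix that keeps guests and contractors away from the card-data zone, and per-application path selection across MPLS, broadband, and LTE with an SLA check and fail-closed fallback. All user names, zone names, application names, transport names, and link metrics are constructed for illustration.

```python
"""Toy SD-WAN policy engine (constructed example, not vendor code).

Models three policy layers: identity -> zone, deny-by-default zone
segmentation, and per-application path selection with SLA fallback.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Identity-based zone assignment: the zone follows the user or device identity,
# not the site it connects from.  (All identities are made up.)
USER_ZONE: Dict[str, str] = {
    "alice@corp.example": "corp",
    "pos-terminal-17": "pci",
    "hvac-vendor@contractor.example": "vendor",  # third-party maintenance account
    "guest-4a1b": "guest",
}

# Segmentation matrix: destination zones each source zone may reach.
# Anything not listed is dropped (deny by default).
ALLOWED_ZONES: Dict[str, set] = {
    "corp":   {"corp", "dc", "internet"},
    "pci":    {"pci"},            # card-data systems talk only to each other
    "vendor": {"vendor-portal"},  # contractors reach only their own portal
    "guest":  {"internet"},       # guests get the internet and nothing else
}


@dataclass(frozen=True)
class AppPolicy:
    dst_zone: str                  # zone the application lives in
    transports: Tuple[str, ...]    # acceptable paths, in order of preference
    max_latency_ms: int            # SLA a path must meet to be selected


# The transports an application may use encode its security needs: payments is
# pinned to MPLS; SaaS and web go direct to the internet through a cloud secure
# web gateway ("-swg"); ERP backhauls over MPLS or an IPsec tunnel.
APP_POLICY: Dict[str, AppPolicy] = {
    "payments":      AppPolicy("pci", ("mpls",), 150),
    "erp":           AppPolicy("dc", ("mpls", "broadband-ipsec"), 200),
    "saas-mail":     AppPolicy("internet", ("broadband-swg", "lte-swg"), 300),
    "vendor-portal": AppPolicy("vendor-portal", ("broadband-ipsec",), 300),
    "web":           AppPolicy("internet", ("broadband-swg", "lte-swg"), 500),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    path: Optional[str]
    reason: str


def select_path(policy: AppPolicy, link_health: Dict[str, dict]) -> Optional[str]:
    """Return the first preferred transport that is up and within the SLA.

    link_health maps transport name -> {"up": bool, "latency_ms": int}.
    """
    for transport in policy.transports:
        health = link_health.get(transport)
        if health and health["up"] and health["latency_ms"] <= policy.max_latency_ms:
            return transport
    return None


def evaluate(user: str, app: str, link_health: Dict[str, dict]) -> Decision:
    """Apply segmentation first, then path selection; deny on any gap."""
    zone = USER_ZONE.get(user)
    if zone is None:
        return Decision(False, None, "unknown identity")
    policy = APP_POLICY.get(app)
    if policy is None:
        return Decision(False, None, "unknown application")
    if policy.dst_zone not in ALLOWED_ZONES.get(zone, set()):
        return Decision(False, None, f"zone {zone} may not reach {policy.dst_zone}")
    path = select_path(policy, link_health)
    if path is None:
        # No acceptable path: fail closed rather than spilling the flow onto a
        # transport the application's policy does not allow.
        return Decision(False, None, "no permitted path meets the SLA")
    return Decision(True, path, f"{zone} -> {policy.dst_zone} via {path}")


# Constructed link measurements for a branch with MPLS, broadband and LTE.
LINK_HEALTH = {
    "mpls":            {"up": True, "latency_ms": 40},
    "broadband-ipsec": {"up": True, "latency_ms": 60},
    "broadband-swg":   {"up": True, "latency_ms": 70},
    "lte-swg":         {"up": True, "latency_ms": 120},
}

if __name__ == "__main__":
    mpls_down = {**LINK_HEALTH, "mpls": {"up": False, "latency_ms": 0}}
    for user, app, health in [
        ("pos-terminal-17", "payments", LINK_HEALTH),
        ("pos-terminal-17", "payments", mpls_down),   # no internet fallback for PCI
        ("hvac-vendor@contractor.example", "payments", LINK_HEALTH),
        ("guest-4a1b", "web", LINK_HEALTH),
        ("alice@corp.example", "erp", mpls_down),     # fails over to IPsec
    ]:
        print(user, app, evaluate(user, app, health))
```

Two design choices worth noting: the segmentation check runs before path selection, so a vendor account asking for the payments application is dropped regardless of link state, and an application whose only permitted transport is down is denied rather than silently failed over to the internet, which is the behaviour you want for card-data traffic.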

As an extra precaution, some companies opt to deploy integrated cloud-based security solutions with their SD-WAN to ensure all direct internet traffic, including TLS/SSL-encrypted traffic, is inspected. Note that inspecting encrypted traffic means the service terminates TLS on the user's behalf, which requires deploying a trusted CA certificate to every managed device and deciding which categories of traffic (banking, health, and similar) are exempted for privacy reasons.
