MPLS, SD-WAN and Network Security
TechTarget has recently published an interesting article on the security implications of deploying SD-WAN, using 2 customer case studies. In both cases, the customers wanted to extend an MPLS-only WAN into a hybrid WAN based on combined MPLS and Internet connectivity.
There are several interesting anecdotes by the financial services customers (Scott Smith and “D.V.”) and a system integrator, Tim Coats from Trace3, interviewed for this article that I would like to highlight.
Is MPLS Secure?
MPLS security rests on the fact that it is a private network, as opposed to the “public Internet”. The private nature of MPLS allowed an organization to not encrypt MPLS traffic, a big benefit in terms of encryption key management and required CPE (customer premises equipment) capabilities. As D.V. puts it: “although the public Internet always carries some risk, the reality is that MPLS is also a shared medium. The irony of an MPLS circuit is that the security is VLANs - that’s all it is. You have your traffic marked and put into a special VLAN, so it’s running over the same pipe as everyone else’s MPLS circuit”.
Does SD-WAN improve on MPLS security?
For the customers, SD-WAN needs to be as secure as MPLS to be a viable extension. The immediate concern is encrypting the Internet tunnel of the SD-WAN solution. This is a no-brainer: MPLS networks are often not encrypted, and SD-WAN requires organizations to think about encryption, something they may not have done before.
However, neither SD-WAN nor MPLS is a security solution.
“It’s not a physical layer of security. There’s no special inspection that a firewall might throw in, or an IDS or IPS. None of that is present in an SD-WAN solution, but none of that’s really present in an MPLS solution unless you choose to put it in.”
Beyond its core objective of offloading traffic from expensive MPLS links, SD-WAN doesn’t typically include Internet access security. This means that while SD-WAN solutions do slow down the growth in MPLS spending by using the Internet for backhaul, they do not enable direct Internet access at the branch unless 3rd party security solutions are added.
Do SD-WAN solutions go far enough in solving customers’ WAN challenges?
SD-WAN solutions abstract the physical topology of the network using a set of encrypted overlay tunnels. SD-WAN management helps with encryption key distribution and management for remote locations. This could potentially be a big advantage, as you don’t need point-to-point encryption.
But does this address all WAN challenges?
Tim Coats says he is concerned with the point solution nature of SD-WAN. Coats would like to see SD-WAN vendors go one step further in simplifying how hybrid networks are secured by taking a lot of the manual labor and guesswork out of service chaining. And then there are the new emerging WAN elements. “Everyone is trying to solve this one little piece, and no one’s looking at the whole picture. And the whole picture is I have users who are everywhere, and my services are distributed on different platforms. I need one place I can pull it all together,” he says.
Summary
SD-WAN is primarily a networking technology: it aims to address the spiraling cost of MPLS by weaving a cheaper, Internet-based alternative into the WAN.
Is security just an afterthought in the world of SD-WAN? It shouldn’t be. “Oh, God, yes,” D.V. says. “Security is networking. I object to the whole idea that security is separate.”
We couldn’t agree more. We view the integration of networking and security as a critical component of the future WAN. By security, we don’t mean just encrypting the transport layer, which is a required enabling capability for routing traffic over the Internet. We see an opportunity to embed a full network security stack into the WAN, and extend it to Cloud infrastructure and the mobile workforce. This approach can dramatically cut the capital and operational expense of networking and security, while delivering a powerful defense for the enterprise.
Learn more about SD-WAN vs. MPLS and the current and emerging options available to architect a secure WAN, by watching our recorded Webinar: MPLS, SD-WAN, and Cloud Network: The Path to a Better, Secure, and More Affordable WAN.