How Secure is Your SD-WAN?

September 27, 2017

The market for SD-WAN has been driven in part by its ability to reduce bandwidth costs and improve the performance of cloud access. These drivers, though, also come with baggage: the reassessment of today’s corporate security model.

Traditionally, Wide Area Networks (WANs) and network security were loosely coupled entities.

Networking teams focused on the connectivity between locations; security teams focused on protecting against malware threats and other external or application-layer security issues. Security between locations, though, was not an issue provided the WAN was based, as most were, on a private MPLS service. With their ability to separate customer traffic (a logical separation, not encryption), MPLS services gave enterprise IT professionals enough "confidence" to send data unencrypted between locations.

This amicable live-and-let-live separation falls apart with today's SD-WAN. In order for companies to realize SD-WAN's cost savings and cloud performance benefits, branch offices must be connected directly to, and communicate across, the Internet. This requires a shift in our security models. We can no longer assume that the WAN is secure. Instead, we must bring the networking and security disciplines closer together. To do that, we must think about network security at three levels: traffic protection, threat protection, and securing mobile and cloud access.

Traffic Protection

The reliance on the public Internet requires the SD-WAN to protect traffic against eavesdropping. Any SD-WAN should build a virtual overlay of encrypted tunnels between locations. The SD-WAN should make configuring this mesh of tunnels simple: managing the encryption keys, creating the tunnels, and automating their full-mesh setup. The encryption protocols typically used are the legacy, and less efficient, IPsec and the newer, and more advanced, DTLS.
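The automation the paragraph describes has two mechanical parts: enumerating every site pair (a full mesh of n sites needs n(n-1)/2 tunnels) and giving each tunnel its own key material. The following Python is an added illustration, not code from the original post or from any SD-WAN product; it models only the key-management layer above IPsec/DTLS. It derives a distinct per-tunnel secret from one master secret with HKDF (RFC 5869, built here from HMAC-SHA256), using a canonical, direction-independent tunnel name as the HKDF `info` so both peers compute the same key. The site names, master secret and salt are constructed sample values.

```python
import hashlib
import hmac
from itertools import combinations


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it with `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tunnel_id(site_a: str, site_b: str) -> str:
    """Canonical tunnel name: the same string whichever end computes it."""
    first, second = sorted((site_a, site_b))
    return f"{first}<->{second}"


def plan_full_mesh(sites, master_secret: bytes, salt: bytes) -> dict:
    """Enumerate every unordered site pair and derive a distinct key for each tunnel.

    Each tunnel's key is bound to its tunnel_id, so compromising one tunnel's key
    reveals nothing about another's, while both peers still derive the same value.
    """
    plan = {}
    for a, b in combinations(sorted(sites), 2):
        tid = tunnel_id(a, b)
        plan[tid] = {
            "endpoints": (a, b),
            "key": hkdf_sha256(master_secret, salt, tid.encode()),
        }
    return plan


def tunnel_count(n_sites: int) -> int:
    """Number of tunnels a full mesh of n_sites requires."""
    return n_sites * (n_sites - 1) // 2


def all_keys_distinct(plan: dict) -> bool:
    """Sanity check a planner should run: no two tunnels share key material."""
    keys = [t["key"] for t in plan.values()]
    return len(keys) == len(set(keys))


if __name__ == "__main__":
    # Constructed sample sites and secrets; a real deployment would load these
    # from the SD-WAN controller's secret store.
    sites = ["ams", "nyc", "sfo", "tyo"]
    mesh = plan_full_mesh(sites, b"constructed-master-secret", b"constructed-salt")
    for tid, tunnel in mesh.items():
        print(tid, tunnel["key"].hex()[:16] + "...")
    print(len(mesh), "tunnels;", "distinct keys:", all_keys_distinct(mesh))
```

Each derived value would serve as the pre-shared secret a pair of IPsec or DTLS peers authenticate with; the session keys that actually encrypt traffic still come from the protocol's own key exchange. Rotating the master secret (or the salt) rekeys every tunnel at once, which is the operational benefit of deriving rather than hand-assigning keys.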

Threat Protection

While traffic protection secures traffic in transit from interception by third parties, the SD-WAN is still not protected against malware infections, phishing attempts, data exfiltration, or other Internet-based threats. Advanced threat protection addresses these risks with various technologies, such as next-generation firewall (NGFW), Secure Web Gateway (SWG), malware protection, and Intrusion Prevention System (IPS).

The most common way to deliver threat protection at a branch is to deploy a local firewall or UTM appliance. It is also the most problematic, resulting in appliance sprawl and the high overhead of configuring, patching and upgrading appliances at each location.

Traditional WANs overcome the problem by centralizing security appliances at a datacenter or regional hub. Internet-bound traffic is backhauled across the MPLS network to this secured Internet access point, inspected, and then sent to the Internet. It's a cost-effective, manageable approach, but one that introduces latency into Internet- and cloud-based applications and wastes MPLS capacity.

Backhauling traffic makes little sense when branch offices connect into the SD-WAN over Internet lines. But because traditional SD-WAN lacks integrated threat protection, companies are unable to use these Internet lines for direct Internet access at the branch, and backhauling to a data center must continue.

Here’s where SD-WAN architects must consider their options carefully. Rather than deploying physical security appliances at remote locations or backhauling traffic, some SD-WAN vendors address the threat protection problem through the use of Virtual Network Functions (VNFs) or Firewall-as-a-Service (FWaaS).

With a VNF, a network security stack is deployed in virtual form onto the SD-WAN box or another white box known as vCPE. This model can reduce the number of physical appliances at the branch office. However, it still requires full management of the virtual appliance software and policies. Furthermore, the compute-intensive nature of security functions can impact the core networking functions of the device if sizing isn't done properly. As traffic volumes grow or the SSL-encrypted traffic mix changes, security professionals find themselves in the unenviable position of having to choose between disabling some features and compromising security, or being forced into a hardware upgrade, often outside of their budget cycle.

Alternatively, FWaaS can extend network security in the cloud to all locations without physical or virtual appliances in the branch office, or anywhere else for that matter. Security infrastructure built as a cloud service from the ground up is scaled and maintained by the provider, which eliminates the maintenance workload and capacity uncertainty associated with appliance deployments and the changing traffic volume and traffic mix.

Secure Cloud and Mobile Access

The new ways we do business put pressure on the fabric of the legacy WAN. The heart of the business now includes not only physical locations, which are the primary focus of traditional SD-WAN, but also cloud datacenters, cloud applications and mobile users. We need to connect these resources to our WAN, provide optimal access, and secure that access.

Cloud datacenters and Software-as-a-Service (SaaS) applications are at the root of the problem. As we migrate datacenter applications to a cloud datacenter or to public cloud applications, we need to provide secure and optimized access to these applications at their new home. We need to ensure our security infrastructure extends to all traffic flows: not just those between our locations, but also those between locations, mobile users, and the cloud.

Naturally, we can "shove" everyone through a choke point in the physical datacenter and from there, using centralized security, reach the cloud. This solution will work (we have been using mobile VPN for years), but users will hate it. Branches or travelling users may be far from the datacenter, and the datacenter may be far from the cloud destinations. Users would prefer to go directly to the cloud, and IT would like to enable that access if security can be maintained. SD-WAN must support these new requirements.

SD-WAN and Security: Breaking the Silos

When you consider an SD-WAN deployment, network security is a major consideration that could dramatically impact the business value you extract from the project. Traditionally, the networking and security domains are separate, and we tend to follow the silos and make decisions in a vacuum. The result is a suboptimal network design that forces the traffic of a software-defined, agile network into a rigid, static security architecture. We should drive our WAN transformation in a way that advances an integrated approach to networking and security, and aligns our WAN with the needs of the global, cloud-centric and mobile-first enterprise.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He's spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.