Enterprises are adopting SD-WAN solutions at an accelerating pace, largely because they are a better fit than traditional router-centric WANs for today’s geographically distributed enterprises pursuing a cloud-first strategy for application delivery.
What is often overlooked, however, is the handful of security challenges and issues that are introduced by, or otherwise associated with, such an approach. Left unaddressed, these can limit the gains enterprises achieve from deploying SD-WANs.
One of the advantages of deploying an SD-WAN is that it provides enterprises with the flexibility to leverage multiple types of network connectivity – including broadband internet services – when connecting users to applications. But using broadband services for enterprise WAN connectivity introduces new security challenges that must be addressed.
The fact that broadband is “public” rather than “private” introduces the need for capabilities that ensure the confidentiality and integrity of application traffic traversing such connections. Also, because SD-WAN devices are deployed at the edge of the network, connecting directly to an internet carrier, they sit on the front line and are directly exposed to potential threats.
Enabling local internet breakout is another good example. Although it’s essential for enhancing performance and reducing the bandwidth (i.e., dollars) needed for backhauling traffic to the data centre, it also exposes branch users and their local networks directly to the internet and its myriad of threats.
This exposure means establishing consistent security policies to limit outbound destinations, block unwanted or unsolicited inbound traffic, and filter allowed and expected traffic for threats. Not all web applications are created equal, however, and some web traffic can expose the enterprise to viruses, trojans, DDoS attacks and other threats.
Web traffic must be steered granularly to its correct destination. This requires identifying and classifying applications on the first packet: once an application session has been established, it can’t be redirected to an alternate destination without breaking the flow, which results in application disruption. Since the IP address ranges used by SaaS applications change almost continuously, address table updates must be automated and applied on a daily basis.
A few other areas where security is applicable to the success of an SD-WAN implementation include enabling applications with different security requirements to share the same physical connectivity, as well as enabling consistent enforcement of an application’s specific security policies regardless of where that application is located or accessed from.
Security also underpins faster deployment and more efficient management, for example through secure, automated provisioning of SD-WAN devices, automated security policy enforcement and a secure management plane.
Securing your SD-WAN
Fully realising the many compelling benefits of an SD-WAN depends, to no small extent, on having a solution that accounts for the security issues, challenges and opportunities that are inherent to an SD-WAN implementation.
To achieve SD-WAN success, it’s important to have the flexibility to use any combination of transport technologies to connect users to applications – including public broadband services – without compromising application performance or security. This involves ensuring the confidentiality of application traffic traversing public networks.
Go beyond the minimum required level of protection afforded by transport-level encryption and message authentication. Ensure your SD-WAN solution combines robust data and management plane security features with the ability to seamlessly service chain application traffic to numerous security technology partners. This will provide you with a level of security that better meets the actual protection and compliance needs of your enterprise.
The net result is the full spectrum of protection needed to fully realise the benefits of an SD-WAN architecture – enhanced application performance, lower WAN TCO and increased business agility – without being exposed to greater security risks.
Different applications require different treatment, from both a performance and a forwarding perspective. Given this flexibility and granular approach to application needs, the emphasis on security becomes even more important, insofar as different applications require distinct security policies. A one-size-fits-all approach is no longer sustainable.
A financial application processing sensitive transactions, for example, might require granular segmentation that effectively isolates this traffic across the network, regardless of the type of transport being used, in order to adhere to compliance requirements; SaaS applications, by contrast, could be left to rely on their own native capabilities, such as transport layer security (TLS).
This is why it’s important to have a business-driven SD-WAN, where policies and configuration settings can be centrally administered on a per-application basis.
Trusted SaaS and web traffic, for example, can be sent directly to the internet, avoiding the performance impact and cost of backhauling, while unknown or untrusted web traffic can be service chained to more advanced corporate or web-based security services.
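The steering model described above (first-packet classification, flows pinned to their initial decision, per-application policy, and an automatically refreshed SaaS prefix table) can be sketched as a small policy engine. This is an added illustration, not code from the article or from any SD-WAN product; the prefix ranges, application names, path names and the "secure-web-gateway" service chain are constructed placeholders.

```python
import ipaddress

# Constructed sample SaaS prefix table (documentation ranges, not real vendor
# addresses). In a real deployment this is refreshed automatically from the
# SaaS provider's published address feed, since the ranges change often.
SAMPLE_PREFIXES = {
    "trusted-saas": ["203.0.113.0/24"],
    "finance-app": ["198.51.100.0/25"],
}

# Centrally administered per-application policy: (forwarding path, service chain).
# Trusted SaaS breaks out locally with no extra inspection; the finance app is
# kept on a segmented overlay; anything unknown breaks out only via a
# security service chain (hypothetical "secure-web-gateway").
POLICY = {
    "trusted-saas": ("local-breakout", None),
    "finance-app": ("segmented-overlay", None),
    "unknown": ("local-breakout", "secure-web-gateway"),
}


class SteeringPolicy:
    def __init__(self, prefixes):
        self.prefixes = {}
        for app, cidrs in prefixes.items():
            self.update_prefixes(app, cidrs)
        self.flows = {}  # 5-tuple -> (app, path, chain), decided on first packet

    def update_prefixes(self, app, cidrs):
        # Automated address table refresh. Only new flows see the change;
        # established flows keep their decision so they are never broken mid-session.
        self.prefixes[app] = [ipaddress.ip_network(c) for c in cidrs]

    def classify(self, dst_ip):
        # First-packet classification by destination prefix; no payload is needed.
        addr = ipaddress.ip_address(dst_ip)
        for app, nets in self.prefixes.items():
            if any(addr in net for net in nets):
                return app
        return "unknown"

    def decide(self, flow):
        # flow = (src_ip, dst_ip, proto, sport, dport). The first packet of a
        # flow fixes its path; later packets of the same flow are not re-steered.
        if flow in self.flows:
            return self.flows[flow]
        app = self.classify(flow[1])
        path, chain = POLICY[app]
        self.flows[flow] = (app, path, chain)
        return self.flows[flow]
```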
Third-party security products and services should be another big part of the overall effectiveness equation for an SD-WAN solution. Most organisations already have an existing set of security tools and infrastructure in which they’ve made a considerable investment.
It’s simply not realistic for a single solution provider to do everything on its own when it comes to security: the scope of threats, risks and corresponding technologies is too great. The net result is that working with third-party security solutions is not only advisable but necessary.
About the author
Graham Schultz is ANZ regional director for Silver Peak, responsible for accelerating growth and customer adoption of the company’s SD-WAN solutions. Schultz has over 20 years of industry experience, spanning cloud, virtualisation, networking, storage and business intelligence. For more information, visit: https://www.silver-peak.com