benefits in terms of WAN traffic management, but it can introduce new opportunities for network attack. IT leaders need to architect strong network security for SD-WAN from initial deployment as an integrated system.
SD-WAN is now widely deployed in distributed organizations to provide reliable, high-speed connectivity for critical data center and cloud-based applications. From a security standpoint, when IT deploys a new technology and it reaches critical mass, attackers begin to find ways to exploit the technology because security generally isn’t part of the original deployment. To eliminate the develop-deploy-attack-defend cycle, IT must evaluate alternatives to harden the SD-WAN architecture.
Threats associated with SD-WAN are similar to those that confront other network infrastructure. The key difference is SD-WAN enables direct internet access, which doesn’t require branch network traffic to pass through an organization’s data center, where security protections and policy can be enforced. These potentially unprotected branch locations can become footholds into an organization’s main facilities and expose them to attacks or data breaches.
Four steps to secure SD-WAN
Effective SD-WAN implementation requires additional security within the enterprise infrastructure to ensure corporate security policy is enforced at all levels. To secure SD-WAN at the branch level, IT teams should address four components:
- direct threats
- traffic visibility
Direct threats. Protection against direct, external threats requires extensive network security functions deployed directly at the edge. These security capabilities can be supplied by dedicated hardware, virtual appliances or cloud services, and they must be enforced at the edge of the direct internet access. Features need to include stateful and next-generation firewalls (NGFWs), URL and content filtering, intrusion prevention systems, protection against distributed denial-of-service attacks, malware detection and encryption.
Trust. The trust component of a security strategy is associated with the ability to authenticate and authorize user and device identities, ensure they operate under the appropriate security policies, verify compliance requirements and enforce microsegmentation. Network security must have identity access capabilities and support the detection and management of a wide range of edge endpoints, including mobile phones, as well as point-of-sale and IoT devices.
Traffic visibility. Traffic visibility is key to any security strategy. Proper visibility must encompass central visibility and control for all internal, inbound and outbound traffic. This should include knowledge of which applications are accessed, what ports and protocols are active, and views into the data, especially if it is encrypted with Transport Layer Security. Visibility is also especially important for auditing and reporting for compliance management.
Network security orchestration. It is imperative that security strategies include a centralized management and orchestration capability with a single pane of glass console for IT and security personnel. Administrators must be able to update and disseminate corporate security policies, configuration changes and software upgrades to all locations or reconfigure individual devices. The orchestration processes should be as automated as possible and include analytics that can provide organizations with early warnings of any problems.
The future of SD-WAN security
The comprehensive use of multi-cloud environments and cloud-based applications means IT and security teams must use network intelligence to keep attackers out and sensitive data inside the organization. Current SD-WAN vendors have improved their network security capabilities, but they don’t match the comprehensive capabilities of specialized NGFWs. Some network security providers now offer basic SD-WAN feature sets.
Organizations with sophisticated security requirements and dedicated personnel will likely continue to deploy their favorite network security products from Palo Alto Networks, Cisco, Checkpoint and Fortinet, among others. The key element is the preexisting level of integration, including orchestration, between the SD-WAN supplier and the preferred network security vendor.
Both SD-WAN and network security suppliers are increasingly using cloud-based intelligence to address direct threats, enhance traffic visibility and improve orchestration. For example, Zscaler is a widely used cloud-based security provider that partners with most leading SD-WAN providers.
How to ensure SD-WAN security
For SD-WAN security to be effective, IT and security leaders need to reimagine and rearchitect their operations to provide the appropriate controls, including trust, visibility and orchestration. This should be done during architecting and deployment to get ahead of any attackers that are looking for opportunities to enter your network.
When done right, SD-WAN implementation can greatly improve connection policy controls, which bolster network security across the board. Most large organizations will need to integrate their SD-WAN systems with their preferred network security suppliers. Smaller organizations may find that SD-WAN providers offer “good enough” network security with their partners or that network security providers with added SD-WAN features can meet their branch requirements.