As capably as MPLS-based wide-area networks have performed for businesses in a wide range of applications and markets, their Achilles heel long has been cost and network availability. As any network manager with MPLS experience likely knows, operating and maintaining a network on MPLS can be expensive.
Which explains in large part why businesses are migrating in droves to a less expensive and more flexible option, the software-defined wide-area network. SD-WAN hasn’t been around long, yet the tech trendspotting firm Futuriom expects revenues for SD-WAN tools and network-as-a-service (non-legacy service provider) to reach $1.5 billion by 2019 and $2.5 billion by 2021.
The allure for enterprises is obvious as they migrate more key business functions to the cloud: greater network agility at a lower cost. “SD-WAN enables network managers to plan network needs with software-based design and configuration that can be changed and managed centrally,” Futuriom founder and chief analyst R. Scott Raynovich observes in the firm’s 2018 SD-WAN Growth Outlook. “It also enables IT and network staff to leverage growing broadband Internet capabilities to lower” operating expenses.
As early adopters are learning, SD-WAN in most cases delivers on those flexibility and cost-reduction promises. Still, concerns about the technology linger — justifiably so, as SD-WAN operates as an over-the-top application that uses the internet for transport. Many of those questions have to do with security. How does SD-WAN ensure that data transmitted over, and systems exposed to, the internet are private and secure?
Based on our experience, the security of an SD-WAN solution can be bolstered by keeping the following safeguards in mind:
1. Firewall: SD-WAN’s ability to distribute core assets across on-premises, cloud, and hybrid environments creates new surfaces that require protection. Say, for example, an organization shifts its corporate email system from corporate exchange servers to Office365 directly through SD-WAN. This lack of central corporate involvement can create new vulnerabilities for the enterprise’s local and remote offices and users.
The foundation for protecting against these types of vulnerabilities is a Zero Trust security philosophy, along with firewall policy/governance that is based on user, device, and actual application flow. Zero Trust is an important concept in SD-WAN security, rooted in the philosophy that organizations should verify anything and everything attempting to access its systems. Adhering to a Zero Trust philosophy requires organizations to leverage an application-centric security policy. They must also use micro-segmentation and granular perimeter enforcement based on the users, devices, locations, and applications that are tied to the network. All of this goes to determining whether to trust a user, machine, or application seeking access to a particular part of the enterprise.
As far as firewall requirements with SD-WAN, deep packet inspection is vital to protect data from APTs (advanced persistent threats), ransomware/malware and the like. In a decentralized IT and network environment, micro-segmentation within a firewall allows organizations to inspect and protect traffic from outside as well as traffic between internal sites. The firewall ties back to a centrally managed security policy that applies to all IT assets across the network, whether they are located inside or outside the company.
Whether you’re relying on cloud-based or on-premises firewalls, you want an SD-WAN solution that at minimum delivers application control and is aligned with a firewall, intrusion prevention, and content filtering.
2. Encryption: While data in any form can be vulnerable to exfiltration, data in motion is especially susceptible to attack. To counter that threat, an SD-WAN solution needs strong end-to-end encryption algorithms across all transport types. This is particularly important in protecting traffic flowing over the internet between branch offices, or between branch offices and remote users, for example.
3. Security class differentiation. Data classification is critical in helping data owners to prioritize security resources based on data class around SD-WAN. They need the ability to set distinct segmentation and security policies for each data class level. Enterprises whose networks hold protected health information (PHI) or personally identifiable information (PII), for example, may need to apply the highest possible policy/governance to these data classifications, given the enormous impact that a data breach would have on the business and its customers.
The same holds true with PCI compliance and end-customers’ payment data. The network manager needs the ability to set different policies, access permission rules, and audit trails to data using separate segments (VLAN or VRF) for PCI and corporate data. Two-factor authentication for admin and remote user access, along with more in-depth log monitoring, are a must for systems containing data with a higher security classification.
4. VNF (virtual network function) software: VNF allows common network functions (such as a router, WAN optimization, and firewall) to run as a virtual instance, and in the case of SD-WAN, a virtual firewall running on the same universal CPE as SD-WAN. VNFs help security solutions run more efficiently, in a more integrated fashion. The roles and functions of VNFs are dynamic, not fixed, so hardware capacity can be efficiently used across regions and customers. VNFs also can be centrally managed to allow for faster provisioning time and making policy changes. Running on-premises devices with VNFs can also eliminate human error.
Any compromise to an organization’s network security is too high a price to pay. By incorporating security measures like these into an SD-WAN solution, businesses gain assurance that their data, network, IT assets, and customers are protected.
Trent Pham is head of security products for Windstream Enterprise, where he is responsible for the organization's enterprise security service strategy, development and lifecycle management. He has 20 years of security product management experience with communication service providers, security service providers, and startups.