Simply committing to SD-WAN security isn't enough. It's also necessary to create defenses the right way and avoid some common mistakes.
SD-WAN security is essential; there's no denying that fact. The problem is that many organizations, through ignorance, carelessness, or misguided advice, are leaving their SD-WANs vulnerable to misuse and attacks.
It would be a big mistake not to consider adopting SD-WAN due to security concerns, observed Marcio Saito, CTO of network management provider Opengear. "While the explosive growth of SD-WAN is recent, SD-WAN technology is the convergence of trusted VPN, data compression, and traffic management technologies all wrapped in slick cloud-based provisioning," he explained. Saito added that security considerations have been a natural part of the technology's evolution.
Here's a rundown of the five biggest mistakes in SD-WAN security, and how to not to fall victim to them:
1. Failing to determine and implement the appropriate SD-WAN solution architecture for your organization’s risk profile:
The SD-WAN market is still relatively new, and not all SD-WAN solutions are created equal. It's important to select a solution with security tools that match an organization's specific needs. "SD-WAN’s basic security offerings alone are not sufficient for an organization, especially with the growing cybersecurity threats faced today," stated Michael Leung, founder and management consultant to advisory firm Canadian Cybersecurity Inc. "Additional threat management and network security requirement capabilities are usually needed ... such as those found with secure web gateway services or with next-generation firewalls (NGFWs) with intrusion prevention, SSL inspection, web filtering, and anti-malware protection," he added.
2. Scrimping on security:
Network security is only as strong as its weakest link. Organizations that try to cut corners by acquiring low-budget SD-WAN solutions face the risk of limiting their capabilities to apply organizational security policies across their sites consistently, observed Steven Melahn, director of technology, innovation at the design and engineering firm Aricent.
SSL-encrypted traffic is now the majority of all Internet traffic. "A failure to adequately proxy, decrypt, and enforce organizational policy on this type of traffic in the branches increases the risk to the entire organization," Melahn explained. Inconsistent enforcement weakens an organization's security posture. "If a malicious user gains unauthorized access to a branch, it becomes a stepping stone to move laterally, undetected, into the organization's main locations and expose them to attacks or data breaches," he noted.
3. Assuming that SD-WAN eliminates the need for other wide-area networking security and resilience best practices:
SD-WAN should not be viewed as a standalone solution. The technology needs to be subject to the same rigorous security standards as other IT infrastructure elements. Saito advised paying particular attention to branch routers. "It's common for a traditional branch router to go untouched for months, but the same does not apply to SD-WAN routers," he remarked.
It's important to keep the software stack updated with the latest security patches. Having the ability to automate patching doesn't alter the fact that changes will be applied frequently.
4. Not fully understanding which security features are built into in the solution and which are missing:
It's easy for organizations to not fully understand the specific security features a particular SD-WAN solution provides, especially when evaluating multiple solutions. "As with most things in technology, if you don't fully understand a solution, it will likely cause more problems than it solves," noted Tom Conti, a field solutions engineer at SHI International, an IT services company. "Not understanding which security features are part of a solution will often lead organizations to expose themselves to risks."
A missing security feature might not be detected until it's too late. Conti said he often sees companies adopting an SD-WAN solution move from centralized Internet egress in their primary data center, where their UTM (unified threat management) appliances reside, to a distributed Internet egress model. "Most SD-WAN solutions only offer a simple, stateful firewall, which does not provide the same protection as the next-gen UTM that controls access in their centralized model," he explained. This oversight can place users in remote locations at risk, as well as the entire network. "One unsecured entry point is all that's needed for a breach to occur," Conti observed.
5. Taking zero-touch provisioning and one-click deployment features described in marketing brochures literally
A prime SD-WAN selling point is that the technology "just works" without requiring adopters to pre-configure routes or network paths. This attitude, however, can create a major SD-WAN security weakness. "Without a pre-determined path, companies will be unable to answer several key questions, like what path does the data take from point A to point B, who owns the networks it travels across, and, more importantly, what happens to the data in transit," said Bogdan Botezatu, senior e-threat analyst for cybersecurity technology provider Bitdefender.
Approaching SD-WAN security with a completely hands-off attitude can lead directly to trouble. "Data, which might or might not be encrypted, travels across broadband Internet nodes operated by entities not known to the company," he noted. "This (activity) requires extra security controls and technologies to encrypt the data in transit across IP networks."