SD-WAN technology offers numerous benefits, such as greater agility and lower transport cost. But how do you address security once you move traffic off a structured, private MPLS VPN and onto public broadband links?
Here are five tips to ensure that your SD-WAN will always be resilient and secure.
1. Integrate SD-WAN security into your organization's overall security architecture
Many enterprises make the mistake of treating SD-WAN security separately rather than as a key element in their overall enterprise security strategy. "Most organizations look at SD-WAN as a connectivity tool that provides a level of data encryption," observed Amit Bareket, CEO of network security technology provider Perimeter 81. "However, SD-WAN solutions commonly don’t protect the security of the data, which exposes your organization to security risk."
To lock down SD-WAN traffic, organizations and their security teams should develop an approach that integrates policy-based control rules that are designed to monitor data traffic with a holistic SDN managed detection response model, Bareket advised. "By putting security first, it provides another layer in the fight against holes in your organization’s network," he noted.
2. Don't view your SD-WAN as a traditional network technology
It's a mistake to view SD-WAN security in the same context as a traditional physical network, which automatically places certain constraints on data flow that don't apply to SD-WANs. "For example, with a traditional network, you have to consider the traffic patterns and bandwidth requirements," explained Kowsik Guruswamy, CTO of cyber security firm Menlo Security. "This will determine where and how you enforce your security policies." But with an SD-WAN, the Internet is the network, so the constraints that apply to traditional networks simply don't exist.
3. Don't tie security to a single vendor
An enterprise’s security needs evolve over time as the network infrastructure expands and new threats arrive. Having the flexibility to migrate to alternative security solutions quickly and cost-effectively as new attack vectors appear, while retaining the basic SD-WAN investment, is a valuable ability. Unfortunately, some SD-WAN vendors effectively lock customers in to a single proprietary security stack. "As a result, [they] don’t offer flexibility for the future, nor the flexibility to work with an existing [enterprise] security infrastructure," noted Karl Brown, senior director of VMware's VeloCloud business unit.
4. Don't rely on legacy firewalls
With traditional WANs, branch traffic is either backhauled to the enterprise data center, where it may be processed by a legacy firewall, or there may be a legacy firewall deployed at the branch that's maintained separately from the edge router. "This can lead to several issues, such as expensive bandwidth, heavy performance penalties, unpredictable application performance, and unnecessarily complex branch IT management," Brown said. "With SD-WAN, enterprises can more efficiently hand off traffic to cloud and SaaS tools via cheaper Internet access services or utilize cloud-hosted gateways that peer with cloud and SaaS providers."
However, when deploying SD-WAN access at branch locations, enterprises must take additional security precautions, since connecting to the Internet creates a broader attack surface. "The best approach to mitigate this new security risk is to leverage the power of the cloud for threat detection and mitigation," Brown advised. He also suggested adopting a unified management approach, incorporating templatized policies and auditing, and integrating networking and security at each branch. "Taken together, an enterprise can efficiently implement and maintain a consistent advanced threat management strategy," he noted.
5. Properly position the SD-WAN appliance
Many SD-WAN adopters accidentally bypass their firewall, either by deploying the SD-WAN appliance behind the firewall or bypassing the firewall while troubleshooting and/or configuring the SD-WAN box, explained Brendan Patterson, vice president of product management at network security firm WatchGuard Technologies. "In this scenario, the organization has no security at all, which puts them at a high risk of malware infection," he observed.
Security vulnerabilities created by a misplaced SD-WAN box can be eliminated by installing the appliance in front of the firewall so that it's able to handle the WAN connections while the firewall continues to protect the internal network. Patterson noted that it's important to remember to re-check all security controls after making any changes to the SD-WAN.
Patterson also advised taking advantage of the latest network security technologies. "Many unified threat management appliances and next-generation firewalls now offer SD-WAN capabilities, such as intelligent path routing," he explained. "Using these built-in capabilities also fixes [the placement] issue, plus it cuts down on the management and cost of maintaining two appliances." Patterson suggested that this is often a good option for small and mid-sized businesses.
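One way to turn Patterson's "re-check all security controls after any change" advice into a repeatable test is to model the branch topology as a graph and confirm that every path from a LAN segment to an Internet uplink passes through the firewall. The following is an added example written for this article, not vendor tooling; the node names (lan, sdwan, firewall, broadband1, broadband2, mpls) and the two constructed topologies are assumptions.

```python
"""Branch topology check: flag any LAN-to-uplink path that skips the firewall.
Constructed example; node names and link lists are illustrative only."""
from collections import defaultdict


def build_graph(links):
    """Turn a list of (a, b) cable/tunnel pairs into an undirected adjacency map."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def paths_bypassing(graph, src, dst, must_pass):
    """Return every simple path from src to dst that does NOT visit must_pass."""
    bypass = []

    def dfs(node, path):
        if node == dst:
            if must_pass not in path:
                bypass.append(list(path))
            return
        for nxt in sorted(graph[node]):   # sorted for deterministic output
            if nxt not in path:           # simple paths only, no cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return bypass


def firewall_bypasses(links, lan_segments, uplinks, firewall="firewall"):
    """List every LAN-to-uplink path that avoids the firewall; empty means OK."""
    graph = build_graph(links)
    return [p for lan in lan_segments for up in uplinks
            for p in paths_bypassing(graph, lan, up, firewall)]


# Constructed "misplaced" layout: the SD-WAN box sits on the LAN side with its
# own broadband links, so Internet-bound traffic never touches the firewall.
MISPLACED = [("lan", "sdwan"), ("lan", "firewall"), ("firewall", "mpls"),
             ("sdwan", "broadband1"), ("sdwan", "broadband2")]
# Constructed "corrected" layout: SD-WAN box in front of the firewall, handling
# every WAN link, while the firewall still fronts the internal network.
CORRECTED = [("lan", "firewall"), ("firewall", "sdwan"), ("sdwan", "mpls"),
             ("sdwan", "broadband1"), ("sdwan", "broadband2")]
UPLINKS = ["broadband1", "broadband2", "mpls"]

if __name__ == "__main__":
    for name, topo in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        print(name, firewall_bypasses(topo, ["lan"], UPLINKS))
```

Run it against an exported link list after each SD-WAN change; any non-empty result is a path that needs to be re-routed through the firewall before the change goes live.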