Why SD-WAN Requires New Security Control Points

With SD-WAN enabling direct internet access, and thus, the ability to circumvent DMZ security, IT must address several different security issues.

Jeff Reed

May 29, 2019

5 Min Read

It’s no surprise that more and more enterprises are adopting SD-WAN technology. It enables the efficient digital transformation enterprises are looking for, especially as more users and things access applications and data in the cloud. Research shows that by 2022 SD-WAN will grow five-fold and represent 29 percent of WAN traffic. IDC's latest SD-WAN Infrastructure Forecast stated: "This rapidly evolving segment of the networking market will grow at a 40.4 percent compound annual growth rate from 2017 to 2022 to reach $4.5 billion." This is clearly the networking industry’s biggest change in 2019, and it is just as significant a change for cybersecurity.

But first, why is SD-WAN driving this paradigm shift in the way we architect wide area networks? For one, traditional WAN architectures are not optimally designed for cloud applications. With SD-WAN, organizations use the internet as their virtual network through direct internet access (DIA) from a remote branch, which is easy to deploy at scale and simple to manage. It also provides enterprises with high-quality, affordable backbone alternatives to the traditional MPLS services over which most WAN traffic is still backhauled. As an example, enterprises can enable direct access to Office365, AWS, Salesforce and other SaaS/IaaS offerings, and route that traffic directly to the cloud application provider's closest Point of Presence (PoP), improving network responsiveness and application experience for the user while lowering bandwidth costs for the business.

SD-WAN exposes new security challenges

However, because SD-WAN enables direct internet access, and thus the ability to bypass the DMZ security stack, IT must address several distinct security components when building an SD-WAN topology:

Outside-in threats: Direct internet access leaves the WAN edge exposed. It broadens the attack surface of the branch and may lead to unauthorized access into its infrastructure, denial-of-service attacks, and ransomware.

Inside-out threats: When a breach occurs, data is sent out over the internet to malicious infrastructure. We see this in the form of malware infections, command-and-control traffic, phishing attacks, and insider threats. Without traffic backhauled to the corporate firewall, there must be edge protection in the cloud to keep critical data from being compromised.

Internal threats: Corporations always need to authenticate, encrypt, and segment their traffic; otherwise, they leave the attack surface open. These internal threats come in several forms, e.g., breaches or insider threats, where lateral movement can infect critical infrastructure. This is increasingly important because 80 percent of branch breaches occur within the perimeter of enterprise companies.

Trust: Top of mind for IT when expanding remote connectivity is ensuring the security and integrity of the users and the remote devices (end users and network appliances) that are no longer under lock and key in the data center. Confirming user and device identities, assessing posture, gaining visibility, and only then granting network access driven by policy (security, data, and application) will be one of the biggest challenges as enterprises adopt a software-defined architecture.

How to achieve an effective SD-WAN security implementation

In terms of deployment, there are a few effective models which enterprises can implement:

For an on-premises solution: Enterprises can take control and embed capabilities like next-generation firewall (NGFW), intrusion prevention (IPS), and URL filtering for comprehensive branch edge security running locally in the router itself.

Segmentation is a fundamental way to isolate and protect critical assets in an enterprise. SD-WAN provides a differentiated segmentation solution by building a single overlay across all enterprise links on top of an encryption protocol such as IPsec, and mapping VLANs or IP address ranges to those defined tunnels at each location. Segmentation with SD-WAN allows for complete visibility into, and control over, each network segment.

Security functions in the cloud for IaaS: Effective collaboration between security and networking teams can result in a secure, scalable cloud footprint for applications and/or workloads. SD-WAN facilitates tighter integration, orchestration, and service chaining between virtual network functions (VNFs) for routing and security. This enables enterprises to build a proper security perimeter around cloud-hosted services.

Security for SaaS and DIA access: The inside-out and outside-in threats that arise while accessing SaaS applications via DIA can be mitigated using Secure Internet Gateway (SIG) services in the cloud, which provide visibility and enforcement on and off the network, protection over all ports and protocols, and discovery and control of SaaS. Cloud Access Security Broker (CASB) services enforce authentication and authorization for resources and effectively enable secure access to SaaS in the public domain.

Bring your own device (BYOD) and mobility: BYOD demands proper security measures for secure and scalable access to on-premises as well as cloud-based applications and workloads by all employees connecting via cellular or public Wi-Fi. Integrating SD-WAN with identity services can ensure device- and user-level authentication, posture assessment, and secure segmented access into enterprise infrastructure. Multifactor authentication (MFA) has proven to be an effective practice for secure access to resources.

Encrypted traffic analysis: Most application traffic on the internet is encrypted, whether SaaS, P2P, or HTTPS transactions. Encrypted traffic analysis, with threat heuristics that are continuously updated through machine learning, is the only model that scales.

Figure out where placing each of these controls makes the most sense given your environment. Then look at the opportunities cloud-based management offers, and align policy so that you get the same policy regardless of where a given control lives in your environment.
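The two design points above, per-segment IPsec overlays with VLANs or IP ranges mapped to tunnels, and one policy that yields the same verdict whether it is enforced in the branch router or in the cloud SIG, can be modeled as a small policy engine. The following is an added illustration written for this article, not code from the author or any SD-WAN product; the sites, segments, prefixes, destination categories, and the "guest may reach corp DNS" exception are all constructed for the example, and stateful return traffic is not modeled.

```python
import ipaddress

# Constructed topology: two segments, each with one prefix per site.
SEGMENTS = {
    "corp":  {"vlan": 10, "prefixes": {"branch": "10.10.0.0/24", "dc": "10.20.0.0/24"}},
    "guest": {"vlan": 20, "prefixes": {"branch": "10.10.1.0/24", "dc": "10.20.1.0/24"}},
}
# Cross-segment traffic is denied unless an explicit exception exists (src, dst, dst_port).
ALLOWED_CROSS = {("guest", "corp", 53)}
# Destination categories blocked on the DIA path; the same set is used by the
# branch NGFW and by the cloud SIG so the verdict is location-independent.
BLOCKED_CATEGORIES = {"malware", "c2"}

def segment_of(ip: str):
    """Return (segment, site) for an enterprise address, or (None, None) for internet."""
    addr = ipaddress.ip_address(ip)
    for name, seg in SEGMENTS.items():
        for site, prefix in seg["prefixes"].items():
            if addr in ipaddress.ip_network(prefix):
                return name, site
    return None, None

def decide(src_ip: str, dst_ip: str, dst_port: int, dst_category: str = "uncategorized") -> str:
    """Classify a flow and return the enforcement verdict / forwarding path."""
    src_seg, src_site = segment_of(src_ip)
    dst_seg, dst_site = segment_of(dst_ip)
    if src_seg is None:
        # Outside-in: no unsolicited inbound sessions accepted at the DIA edge.
        return "drop"
    if dst_seg is None:
        # Inside-out: DIA path, checked against the shared category policy.
        return "block-dia" if dst_category in BLOCKED_CATEGORIES else "dia"
    if src_seg == dst_seg:
        # Intra-segment: local switching on the same site, otherwise the
        # segment's own IPsec overlay tunnel between sites.
        return "local" if src_site == dst_site else f"ipsec-tunnel:{src_seg}"
    if (src_seg, dst_seg, dst_port) in ALLOWED_CROSS:
        return "allow-cross-segment"
    # Default for everything else: segmentation blocks lateral movement.
    return "deny-cross-segment"

def same_verdict_everywhere(src_ip, dst_ip, dst_port, category) -> bool:
    """Policy alignment check: on-prem NGFW and cloud SIG evaluate the same rule set."""
    on_prem = decide(src_ip, dst_ip, dst_port, category)
    cloud_sig = decide(src_ip, dst_ip, dst_port, category)
    return on_prem == cloud_sig
```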

About the Author(s)

Jeff Reed

Jeff Reed is Senior Vice President of Product for Cisco's Security Business
