A quick guide to SD-WAN security: Risks, bundled features and buyer tips

Ray Watson, VP of global technology at Masergy and IT security expert, outlines how to invest in this innovation that will facilitate performance without compromising security

17 Apr

SD-WAN Security: Need-to-Know Basics

Today nearly every IT decision maker wants to invest in innovation that will facilitate network performance and agility without compromising security. For many, the answer is SD-WAN. The intersection between security and SD-WAN is critical in keeping data not only accessible but safe.

Here is a quick guide to the security benefits and precautions for SD-WAN.

The security of SD-WAN appliances

SD-WAN hardware is essentially a small computer, which means that the devices themselves are not necessarily built to be secure. In many cases, these devices may not have the most up-to-date operating system when they are shipped to the customer location, so checking for appliance security updates is critical.

  • Hardware: Off-the-shelf box servers and microservices should come only from well-known vendors with tested products.
  • Patches and security updates: Make sure your appliance is automatically updated by the service provider, or, at the very minimum, there is a process in place to do so.

SD-WAN's bundled security features: Benefits and challenges

Because SD-WAN secures traffic in transit, solutions that include integrated firewalls and associated unified threat management have an advantage over solutions that require separate threat management. Properly configured SD-WAN devices can simplify security and defend data from attackers.

However, these bundled solutions can sometimes trigger challenges, blurring the line between network and security operations. Adding an unmanaged (and possibly unsecured) SD-WAN appliance to a corporate network can make roles and responsibilities confusing. Tight alignment is critical to help network teams address questions such as: "Does that mean our internal IT security team is responsible for managing the SD-WAN devices on our corporate network?" The worst-case scenario: The network team assumes the security team knows about the SD-WAN deployment and will take care of it. Then, critical security monitoring tasks are disregarded – it happens.

Overlooked benefits: Segmentation and zero trust

Often overshadowed by other benefits, increased security is another advantage to come from SD-WAN. Built on flexible, software-defined architectural models, SD-WAN facilitates the normally difficult task of WAN segmentation, helping businesses deal with issues such as security threats from within. Segmentation is key due to the dramatic uptick of threats from inside a network, and it is a focal point for many zero-trust security strategies.

SD-WAN makes segmentation and implementing zero-trust processes far easier, but it is also playing a key role in first-line-of-defense capabilities. Approaches include SD-WAN solutions that whitelist online applications and websites for branch offices that may not have local firewalls.

SD-WAN and internet: Security risks and resource impacts

Given that SD-WAN paves the way for enterprises and their branch locations to leverage the internet for connectivity, security must be at the top of the priority list. When SD-WAN is deployed over dedicated internet connectivity or public broadband, it can introduce security risks that require next-generation firewalls, threat monitoring and management. Therefore, bundling security into SD-WAN is not just an option – it is a requirement.

Here is a quick background: Closely monitored firewalls are key defense mechanisms when SD-WAN shifts the network architecture away from a small set of centrally managed internet gateways and toward a highly distributed set of gateways. Because this dispersed architecture inherently increases the attack surface, the next move of any savvy network engineer is to implement next-generation firewalls with unified threat management. Built-in features make this step seamless.

SD-WAN security: Must-have features and capabilities

Your enterprise must be prepared to defend against any increased vulnerabilities, including leveraging:

  • A single on-premises or virtual client device that can handily and cost-effectively serve multiple security functions, including embedded firewalls for secure internet offloads and automatic encrypted tunneling to secure data across the internet
  • The ability to centrally drive policies and configurations to reduce complexity and ease security management – for example, centralized orchestration is a path to chaining WAN security services like firewalls and routers across locations around the globe
  • SD-WAN network performance monitoring, as well as security monitoring to sort through alerts generated by SD-WAN firewalls

It is not uncommon for CIOs and CISOs to feel overwhelmed at this point. SD-WAN implementation and management can tax IT resources. This is where managed SD-WAN, 24-7 security monitoring services, and managed detection and response solutions can help take the workload off your internal team. Service-based approaches are more scalable from both a resource and budgetary standpoint.

Secure SD-WAN: A quick buyer guide

Looking to buy secure SD-WAN? Ask these three questions before you buy:

  1. Does your SD-WAN solution include an integrated, next-generation firewall with unified threat management?
  2. Do you offer secure local internet breakouts, and if so, how?
  3. Does your SD-WAN include an integrated router and firewall, making it easy to directly and securely route traffic to the Internet without stacking multiple devices at a given location?

Do not forget about analytics. Buyers also take a hard look at security analytics, which are sometimes just bolted on as aftermarket components rather than being deeply embedded in the SD-WAN solution. Within the online portal, most providers will give you visibility at the box level onsite, but not at the network level itself. However, partners with security and analytics tools integrated into the solution (truly embedded into the fabric of the software-defined network platform) offer the ability to view data from the actual network ports inside the SD-WAN portal. These are key differentiators for those seeking full transparency and the deepest levels of insight.
