Dark Reading is part of the Informa Tech Division of Informa PLC


Network Security | News Analysis-Security Now
01:17 PM
Michael Wood

The Security of SD-WAN

With Software-Defined WAN (SD-WAN), lower costs and increased efficiency are the big payoffs. Is there a price to be paid in security?

Perhaps we exaggerate, but IT professionals, especially those involved in telecommunications, should always beware of anything that's connected to the Internet, as well as services provided across the Internet. That includes websites, email, cloud-based applications, and of course, WANs.

The bad news is that the wild, unfettered Internet can indeed be a dangerous place; it's a good thing we have firewalls, unified threat management, intrusion prevention systems, strongly encrypted VPNs and endpoint security to protect us. The good news is that SD-WAN, one of the fastest-growing technologies for connecting branch offices, data centers, cloud services and remote locations, is perfectly safe.

While SD-WAN provides a reliable method to route traffic over the Internet, the underlying technologies are hardened, armored and fully protected. You can trust SD-WAN to provide the same or even better security as traditional dedicated WAN services such as Multiprotocol Label Switching (MPLS) at a much lower total cost of ownership (TCO).

What is SD-WAN?
A Software-Defined WAN (SD-WAN), in a nutshell, can be thought of as an overlay architecture that connects enterprise on-premises data centers, infrastructure-as-a-service (such as those hosted by Amazon Web Services or Microsoft Azure), cloud services (such as software-as-a-service), remote locations and branch offices.

In some cases, those locations might already be linked by dedicated circuits using carrier-provided services like MPLS. Those services are usually reliable and secure, offering guaranteed bandwidth and generally high availability. On the flip side, they can be extremely expensive, locked in by contracts and slow to provision for new locations or to change service parameters on existing links, and they are not always immune to performance issues.

Other locations, particularly branch offices, may have dedicated lines, but those types of connections are overkill for the type of connectivity that remote sites need -- which is fast, reliable access to enterprise applications and file sharing, as well as to corporate communications tools like on-premises applications, Voice over IP (VoIP) or video conferencing. In many cases, those branch offices simply need more raw bandwidth -- and the least expensive bandwidth is a straightforward Internet connection or connections. But the Internet isn't inherently secure or the highest quality. The performance and reliability of wired and wireless Internet are unpredictable at best.

SD-WAN establishes a communications overlay using software running inside an edge appliance, as a virtual instance, or on virtual customer premises equipment (vCPE) inside the branch office, data center, campus and headquarters. Cloud-delivered SD-WAN extends this overlay to the front doorstep of nearly every cloud service, resource and application via cloud gateways distributed around the globe.

Every industry-leading SD-WAN uses a cloud-based controller that coordinates communications and ensures that business policies, priorities and criteria are propagated throughout the network. The controller pushes these instructions and changes to edge and cloud gateway devices so that the right traffic is sent, securely and reliably, over the best available path to its destination. SD-WAN edges and gateways understand applications and priorities: a VoIP session is steered to the available link with the least jitter and packet loss, and if packet loss does occur, the link impairment is remediated; lower-priority applications such as chat or laptop data backups don't receive the same gold-plated treatment.
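The steering decision just described, as an added example written for this article; it is not VeloCloud code and does not reproduce any vendor's algorithm. The per-class SLA bounds, the link measurements and the packet-duplication fallback used when no link meets the SLA are all assumptions made for illustration.

```python
"""Application-aware path steering, modelled in Python.

Added example for this article; it is not VeloCloud code and does not
reproduce any vendor's algorithm. The link metrics, SLA bounds and the
packet-duplication fallback are all assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LinkStats:
    """Latest probe measurements for one WAN link at a branch edge."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float      # relative transport cost, used only for bulk traffic
    up: bool = True


@dataclass(frozen=True)
class Decision:
    links: Tuple[str, ...]  # one link, or two when packets are duplicated
    mode: str               # "single" or "duplicate"


# Assumed per-class SLA bounds. A link is "in SLA" for a class when every
# metric is within bounds; classes absent here are treated as bulk traffic.
SLA: Dict[str, Dict[str, float]] = {
    "voice": {"latency_ms": 150.0, "jitter_ms": 30.0, "loss_pct": 1.0},
    "video": {"latency_ms": 250.0, "jitter_ms": 50.0, "loss_pct": 2.0},
}


def meets_sla(link: LinkStats, app_class: str) -> bool:
    bounds = SLA[app_class]
    return (link.up
            and link.latency_ms <= bounds["latency_ms"]
            and link.jitter_ms <= bounds["jitter_ms"]
            and link.loss_pct <= bounds["loss_pct"])


def quality_key(link: LinkStats) -> Tuple[float, float, float]:
    """Sort key for real-time traffic: lower jitter, then loss, then latency."""
    return (link.jitter_ms, link.loss_pct, link.latency_ms)


def steer(app_class: str, links: List[LinkStats]) -> Decision:
    """Pick the link(s) a new flow of the given class should use right now."""
    usable = [l for l in links if l.up]
    if not usable:
        raise RuntimeError("no WAN link is up")
    if app_class in SLA:
        in_sla = [l for l in usable if meets_sla(l, app_class)]
        if in_sla:
            return Decision((min(in_sla, key=quality_key).name,), "single")
        # No single link satisfies the SLA: send every packet over the two
        # best links and let the receiver keep whichever copy arrives first.
        # This stands in for the "impairment remediation" the article
        # mentions; real products may use FEC or per-packet steering instead.
        ranked = sorted(usable, key=quality_key)[:2]
        return Decision(tuple(l.name for l in ranked), "duplicate")
    # Chat, backups and other bulk traffic: cheapest link that is up.
    cheapest = min(usable, key=lambda l: l.cost_per_gb)
    return Decision((cheapest.name,), "single")


# Constructed measurements: a healthy branch, and the same branch with its
# MPLS circuit down and broadband suffering loss.
HEALTHY_LINKS = [
    LinkStats("mpls", latency_ms=20, jitter_ms=2, loss_pct=0.0, cost_per_gb=5.0),
    LinkStats("broadband", latency_ms=35, jitter_ms=8, loss_pct=0.2, cost_per_gb=0.5),
    LinkStats("lte", latency_ms=60, jitter_ms=40, loss_pct=2.5, cost_per_gb=3.0),
]
DEGRADED_LINKS = [
    LinkStats("mpls", 20, 2, 0.0, 5.0, up=False),
    LinkStats("broadband", 35, 8, 3.0, 0.5),
    LinkStats("lte", 60, 40, 2.5, 3.0),
]


if __name__ == "__main__":
    for cls in ("voice", "video", "backup"):
        print(cls, "healthy ->", steer(cls, HEALTHY_LINKS))
        print(cls, "degraded ->", steer(cls, DEGRADED_LINKS))
```

On the healthy branch, voice lands on MPLS and backups on the cheap broadband link; with MPLS down and broadband lossy, neither remaining link meets the voice SLA, so the model falls back to duplicating packets across both rather than silently sending voice over a failing link.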

But what about security?
If SD-WAN sometimes sends data over virtual private MPLS links, and sometimes over the Internet, isn't the organization at risk? No, not at all. SD-WAN technology uses industrial-grade, standards-based authentication and encryption, securing every bit of control and data traffic end-to-end. What's more, because the enterprise SD-WAN is implemented and managed through the cloud, IT security experts can monitor the quality and performance of the connection and ensure that all communications meet corporate policies for security and reliability.

Leading-edge cloud-delivered SD-WAN services are hosted in SSAE16 Type II data centers and support SHA256 and encryption of sensitive data. Edge activation uses a one-time activation key with a limited lifetime, TLS, an orchestrator certificate and a tamper-resistant token. For data and transport, top-tier SD-WAN solutions use technologies like IPsec VPN, IKEv2 with certificate authentication, end-to-end encryption using AES256, shared keys and PKI.
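The "one-time activation key with a limited lifetime" above, modelled as an added example for this article; it is not VeloCloud's activation protocol. The token layout (edge id, random nonce, expiry, HMAC-SHA256 tag), the in-memory replay set and the constructed edge names are assumptions chosen to show the three checks a defender wants on such a key: integrity, expiry and single use.

```python
"""One-time, time-limited edge activation keys, modelled in Python.

Added example for this article; not VeloCloud's activation protocol. The
token format (edge id, nonce, expiry, HMAC-SHA256 tag) and the in-memory
replay set are assumptions chosen to show the three checks a defender
wants: integrity, expiry and single use.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict


class ActivationAuthority:
    """Orchestrator side: mints activation keys and redeems each one once."""

    def __init__(self, signing_key: bytes, lifetime_s: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = signing_key
        self._lifetime = lifetime_s
        self._clock = clock
        self._redeemed = set()  # nonces already used; persist this in production

    def mint(self, edge_id: str) -> str:
        if "|" in edge_id:
            raise ValueError("edge_id must not contain '|'")
        nonce = secrets.token_hex(16)
        expiry = int(self._clock()) + self._lifetime
        payload = f"{edge_id}|{nonce}|{expiry}".encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        return base64.urlsafe_b64encode(payload + b"|" + tag).decode()

    def redeem(self, token: str, edge_id: str) -> bool:
        """Return True exactly once per valid, unexpired token for this edge."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            payload, tag = raw.rsplit(b"|", 1)
            tok_edge, nonce, expiry_s = payload.decode().split("|")
            expiry = int(expiry_s)
        except (ValueError, UnicodeDecodeError):
            return False
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False            # tampered or forged token
        if tok_edge != edge_id:
            return False            # key minted for a different edge
        if self._clock() > expiry:
            return False            # past its limited lifetime
        if nonce in self._redeemed:
            return False            # replay of an already-used key
        self._redeemed.add(nonce)   # mark used only after every check passed
        return True


def demo() -> Dict[str, bool]:
    """Run the four cases with a controllable clock; returns the outcomes."""
    now = [1_700_000_000]
    auth = ActivationAuthority(b"constructed-orchestrator-secret",
                               lifetime_s=600, clock=lambda: now[0])
    results: Dict[str, bool] = {}

    key = auth.mint("edge-branch-01")
    results["first_use"] = auth.redeem(key, "edge-branch-01")
    results["replay"] = auth.redeem(key, "edge-branch-01")

    # Integrity: rewrite the edge id inside another edge's key but keep its
    # tag; the HMAC no longer matches, so the key is rejected.
    other = base64.urlsafe_b64decode(auth.mint("edge-branch-02").encode())
    forged = base64.urlsafe_b64encode(
        other.replace(b"edge-branch-02", b"edge-branch-01")).decode()
    results["forged"] = auth.redeem(forged, "edge-branch-01")

    # Expiry: advance the clock past the key's lifetime before redeeming.
    late = auth.mint("edge-branch-03")
    now[0] += 601
    results["expired"] = auth.redeem(late, "edge-branch-03")
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} -> {'accepted' if ok else 'rejected'}")
```

The order of checks matters: the tag is verified first with a constant-time compare, and the nonce is only recorded as used after every check has passed, so a rejected attempt never consumes a legitimate edge's key.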

That's only the start. Different organizations have different security needs -- but they all have security needs that must be met. A medical institution must not only protect its intellectual property, but also patient data. A bank has to protect its operational data, and also secure customer accounts and verify the integrity of transactions in order to meet US and international requirements. Technology companies must protect their patents, and perhaps secure source code, encryption algorithms and other key data as required by export laws.

In order to help an organization enforce its security policies, SD-WAN must be able to implement those types of policies -- and be able to demonstrate that security to regulators or internal/external auditors. That's where the abstraction of an SD-WAN can actually be better than managing dozens of separate WAN systems -- today's best SD-WAN solutions have a single, multi-tenant management tool for handling application and business policies across all connections, regardless of the underlying communications medium (like MPLS, Internet or wireless).

Leading SD-WAN solutions also enable organizations to confidently take advantage of best-of-breed security technologies such as unified threat management, intrusion prevention systems, secure web gateways, cloud security and advanced firewalls. This is done via seamless interoperability with third-party security vendors, service insertion with cloud security services and integration of security virtual network functions (VNFs) inside the SD-WAN virtual customer premises equipment (vCPE). An SD-WAN solution must also coordinate both business policy and security policy to deliver exceptional quality of experience combined with the necessary security treatments based on the application.

To summarize: By using a state-of-the-art SD-WAN platform, any and all external communications between data centers, remote office and even public clouds are secured, using scalable, high-grade authentication and encryption. Because of the abstraction, remote offices and cloud links can be centrally managed, with no need to visit those branches. And the SD-WAN not only monitors security, but it gives granular visibility to IT departments on a single pane of glass and gathers the data needed to demonstrate compliance with corporate policies.

Safe? Not safe? That depends.
Thank heavens for our firewalls, which protect the enterprise network perimeter against attack. Give praise for intrusion detection/prevention systems that guard against threats where the perimeter has been penetrated. Those are necessities for every organization. And for many businesses, enterprise and cloud security products are at the heart of data security. Realizing that SD-WAN is only one piece of an enterprise IT system, the best SD-WAN platforms integrate and interoperate with today's leading enterprise/cloud security platforms, such as those from Fortinet, Check Point, Palo Alto Networks, Zscaler, IBM Security and Forcepoint. When it comes to security, everything must work together.

SD-WAN allows enterprises to use inexpensive, flexible, high bandwidth and pervasive Internet connections to securely implement wide-area networks to link branch offices and remote locations. With SD-WAN, organizations are saving money while extending the level of security expected with dedicated WAN links like MPLS to every location, even over the Internet, or cellular wireless. Not only that, but with SD-WAN, it's fast and easy to set up a trustworthy remote connection using the Internet in a matter of minutes -- compared to the months it takes with traditional dedicated links.

Thanks to cloud-delivered SD-WAN platforms that offer integration with the industry's leading security platforms, enterprise IT and security staff can ensure that corporate data is protected, and compliance regulations are met -- even while employees in those field offices enjoy uncompromised application performance, quality of experience and reliable access to their corporate applications and resources. An industry-leading cloud-delivered SD-WAN solution will also give you the option to bring all of these components onto your own premises and let you host the entire solution behind your own firewall.

The bottom line is that SD-WAN is perfectly safe for implementing wide-area networks affordably, efficiently and securely.

Michael Wood is Vice President of Marketing for VeloCloud Networks, responsible for worldwide marketing, revenue generation, channel and sales enablement and communications. He has more than 20 years of leadership and management experience in the networking industry. Prior to VeloCloud, he served as Vice President of Product Management and Marketing for Akamai Technologies' Cloud Networking Business Unit. He also was an executive in residence, and is currently an adviser, for Plug and Play Tech Center, a startup incubator and accelerator. Early in his career, Wood was with StrataCom as a senior member of the technical staff. After Cisco acquired StrataCom in 1996, he spent 15 years with Cisco in various positions, culminating in the director of product management and marketing role for the multibillion dollar branch office integrated services router business for enterprises and service providers.
