
Michael Wood
News Analysis-Security Now

The Security of SD-WAN

With Software-Defined WAN (SD-WAN), lower costs and increased efficiency are the big payoffs. Is there a price to be paid in security?

Perhaps we exaggerate, but IT professionals, especially those involved in telecommunications, should always beware of anything that's connected to the Internet, as well as services provided across the Internet. That includes websites, email, cloud-based applications, and of course, WANs.

The bad news is that the wild, unfettered Internet can indeed be a dangerous place; it's a good thing we have firewalls, unified threat management, intrusion prevention systems, heavily encrypted VPNs and endpoint security to protect us. The good news is that SD-WAN, one of the fastest-growing technologies for connecting branch offices, data centers, cloud services and remote locations, is perfectly safe.

While SD-WAN provides a reliable method to route traffic over the Internet, the underlying technologies are hardened, armored and fully protected. You can trust SD-WAN to provide the same or even better security as traditional dedicated WAN services such as Multiprotocol Label Switching (MPLS) at a much lower total cost of ownership (TCO).

What is SD-WAN?
A Software-Defined WAN (SD-WAN), in a nutshell, can be thought of as an overlay architecture that connects enterprise on-premises data centers, infrastructure-as-a-service (such as those hosted by Amazon Web Services or Microsoft Azure), cloud services (such as software-as-a-service), remote locations and branch offices.

In some cases, those locations might be already linked by dedicated circuits using carrier-provided services like MPLS. Those services are usually reliable and secure, offering guaranteed bandwidth and mostly high availability. On the flip side, they can be extremely expensive, locked in by contracts and slow to provision new locations or change service parameters for existing links and are not always immune to performance issues.

Other locations, particularly branch offices, may have dedicated lines, but those types of connections are overkill for the type of connectivity that remote sites need -- which is fast, reliable access to enterprise applications and file sharing, as well as to corporate communications tools like on-premises applications, Voice over IP (VoIP) or video conferencing. In many cases, those branch offices simply need more raw bandwidth -- and the least expensive bandwidth is a straightforward Internet connection or connections. But the Internet isn't inherently secure or the highest quality. The performance and reliability of wired and wireless Internet are unpredictable at best.

SD-WAN establishes a communications overlay using software running inside an edge appliance, as a virtual instance, or on virtual customer premises equipment (vCPE) inside the branch office, data center, campus and headquarters. Cloud-delivered SD-WAN extends this overlay to the front doorstep of nearly every cloud service, resource and application via cloud gateways distributed around the globe.

Every industry-leading SD-WAN uses a cloud-based controller that coordinates communications and ensures business policy, priorities and criteria are propagated throughout the network. The controller pushes these instructions and changes to edge and cloud gateway devices to ensure the right traffic is sent, in a secure and reliable way, over the best available path to its destination. SD-WAN edges and gateways understand applications and priorities: A VoIP session is steered to the best available link with the least jitter and packet loss, and even if there is packet loss, the link impairments are remediated; lower-priority applications such as chat or laptop data backups don't receive the same gold-plated treatment.

But what about security?
If SD-WAN sometimes sends data over virtual private MPLS links, and sometimes over the Internet, isn't the organization at risk? No, not at all. SD-WAN technology uses industrial-grade, standards-based authentication and encryption, completely securing every bit of control and data traffic end-to-end. What's more, as the enterprise SD-WAN is implemented and managed through the cloud, IT security experts can monitor the quality and performance of the connection and ensure that all communications meet corporate policies for security and reliability.

Leading-edge cloud-delivered SD-WAN services are hosted in SSAE 16 Type II data centers, using SHA-256 and encryption of sensitive data. Edge activation uses a one-time activation key with a limited lifetime over TLS, together with an orchestrator certificate and a tamper-resistant token. For data and transport, top-tier SD-WAN solutions use technologies such as IPsec VPN, IKEv2 with certificate authentication, end-to-end AES-256 encryption, shared keys and PKI.
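The activation step above combines three properties a defender should expect from any edge onboarding: the key is bound to one device, it expires, and it cannot be redeemed twice. The following Python is an added illustration of those properties on the orchestrator side; it is not VeloCloud's or any vendor's actual activation protocol, and the key format, the HMAC-SHA-256 tag, the 15-minute lifetime and the class and method names are assumptions made for this example.

```python
"""Single-use, time-limited edge activation keys with a tamper-evident MAC.

Added example, not code from the article or from any SD-WAN product. It models
the properties the article names: a one-time activation key with a limited
lifetime, bound to a specific edge, that the orchestrator verifies and refuses
to honour twice. The key format and the orchestrator's MAC secret are assumed.
"""
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional, Set, Tuple

ACTIVATION_TTL_SECONDS = 15 * 60  # assumed lifetime of an activation key


class Orchestrator:
    """Issues activation keys and redeems each one at most once."""

    def __init__(self, mac_secret: bytes):
        self._secret = mac_secret
        self._used_ids: Set[str] = set()  # replay protection for redeemed keys

    def issue_key(self, edge_id: str, now: Optional[float] = None) -> str:
        """Mint a key bound to edge_id that expires ACTIVATION_TTL_SECONDS from now."""
        issued = now if now is not None else time.time()
        payload = {
            "jti": secrets.token_hex(8),  # unique id so the key can be redeemed only once
            "edge": edge_id,
            "exp": int(issued) + ACTIVATION_TTL_SECONDS,
        }
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        tag = hmac.new(self._secret, body, hashlib.sha256).digest()
        return (urlsafe_b64encode(body) + b"." + urlsafe_b64encode(tag)).decode()

    def redeem(self, key: str, edge_id: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Tampering, wrong edge, expiry and reuse are all rejected."""
        current = now if now is not None else time.time()
        try:
            body_b64, tag_b64 = key.split(".")
            body = urlsafe_b64decode(body_b64)
            tag = urlsafe_b64decode(tag_b64)
        except (ValueError, TypeError):
            return False, "malformed"
        expected = hmac.new(self._secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad-mac"        # forged or modified key
        payload = json.loads(body)
        if payload["edge"] != edge_id:
            return False, "wrong-edge"     # key was issued to a different device
        if current > payload["exp"]:
            return False, "expired"
        if payload["jti"] in self._used_ids:
            return False, "replayed"       # one-time semantics
        self._used_ids.add(payload["jti"])
        return True, "ok"


if __name__ == "__main__":
    orch = Orchestrator(b"constructed-demo-secret")  # constructed secret for the demo
    key = orch.issue_key("edge-branch-01")
    print(orch.redeem(key, "edge-branch-01"))  # first use is accepted
    print(orch.redeem(key, "edge-branch-01"))  # second use is refused as a replay
```

Transport protection (the TLS session and the orchestrator certificate named above) is assumed to wrap this exchange; the check shown here is the application-layer part that makes the key single-use and device-bound even if a copy of it leaks.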

That's only the start. Different organizations have different security needs -- but they all have security needs that must be met. A medical institution must not only protect its intellectual property, but also patient data. A bank has to protect its operational data, and also secure customer accounts and verify the integrity of transactions in order to meet US and international requirements. Technology companies must protect their patents, and perhaps secure source code, encryption algorithms and other key data against export laws.

In order to help an organization enforce its security policies, SD-WAN must be able to implement those types of policies -- and be able to demonstrate that security to regulators or internal/external auditors. That's where the abstraction of an SD-WAN can actually be better than managing dozens of separate WAN systems -- today's best SD-WAN solutions have a single, multi-tenant management tool for handling application and business policies across all connections, regardless of the underlying communications medium (like MPLS, Internet or wireless).

Leading SD-WAN solutions also enable organizations to confidently take advantage of best-of-breed security technologies such as unified threat management, intrusion prevention systems, secure web gateways, cloud security and advanced firewalls. This is done through seamless interoperability with third-party security vendors, service insertion with cloud security services and integration of security virtual network functions (VNFs) inside the SD-WAN virtual customer premises equipment (vCPE). An SD-WAN solution must also coordinate business policy and security policy so that it delivers exceptional quality of experience together with the security treatment each application requires.
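The two ideas the article ties together, application-aware link steering on measured jitter and loss and a per-application security treatment through service insertion, can be shown in one small policy engine. The Python below is an added example, not code from the article or from any SD-WAN product; the application classes, SLA thresholds, link names and the names of the inserted security services are all constructed for the illustration.

```python
"""Application-aware link steering plus per-application security service chains.

Added example, not code from the article or any SD-WAN vendor. It models the
behaviour the article describes: edges measure each link, real-time traffic goes
to the link with the least jitter and loss, bulk traffic takes the cheapest path
that still meets its SLA, and the security services a flow must traverse are
chosen by application class. Thresholds, link and service names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LinkMetrics:
    name: str
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float  # relative cost: MPLS high, broadband low


@dataclass
class AppPolicy:
    priority: int          # 1 = highest
    max_jitter_ms: float
    max_loss_pct: float
    security_chain: List[str] = field(default_factory=list)  # VNFs / cloud services to traverse


# Assumed business + security policy as the controller would push it to every edge
POLICY: Dict[str, AppPolicy] = {
    "voip":   AppPolicy(1, max_jitter_ms=30,  max_loss_pct=1.0, security_chain=["edge-firewall"]),
    "saas":   AppPolicy(2, max_jitter_ms=80,  max_loss_pct=2.0, security_chain=["edge-firewall", "secure-web-gateway"]),
    "backup": AppPolicy(3, max_jitter_ms=500, max_loss_pct=5.0, security_chain=["edge-firewall"]),
}


def select_link(app: str, links: List[LinkMetrics]) -> Optional[str]:
    """Pick a link for the application, or None if nothing meets its SLA and it can wait."""
    pol = POLICY[app]
    eligible = [l for l in links if l.jitter_ms <= pol.max_jitter_ms and l.loss_pct <= pol.max_loss_pct]
    if not eligible:
        # No link meets the SLA. Real-time traffic still gets the least impaired path
        # (where per-packet remediation would be applied); lower priorities are deferred.
        if pol.priority == 1:
            return min(links, key=lambda l: (l.loss_pct, l.jitter_ms)).name
        return None
    if pol.priority == 1:
        return min(eligible, key=lambda l: (l.jitter_ms, l.loss_pct)).name
    # Lower priorities: cheapest link that still satisfies the SLA
    return min(eligible, key=lambda l: l.cost_per_gb).name


def steer(app: str, links: List[LinkMetrics]) -> dict:
    """Return the forwarding decision and the security services the flow must pass through."""
    link = select_link(app, links)
    return {
        "app": app,
        "link": link,
        "service_chain": list(POLICY[app].security_chain),
        "action": "forward" if link else "defer",
    }


# Constructed link measurements for a branch with MPLS, broadband and LTE
SAMPLE_LINKS = [
    LinkMetrics("mpls", jitter_ms=5, loss_pct=0.1, cost_per_gb=10),
    LinkMetrics("broadband", jitter_ms=20, loss_pct=0.5, cost_per_gb=1),
    LinkMetrics("lte", jitter_ms=60, loss_pct=3.0, cost_per_gb=4),
]

# Constructed measurements during a degradation event
DEGRADED_LINKS = [
    LinkMetrics("mpls", jitter_ms=90, loss_pct=2.5, cost_per_gb=10),
    LinkMetrics("broadband", jitter_ms=200, loss_pct=6.0, cost_per_gb=1),
]

if __name__ == "__main__":
    for app in POLICY:
        print(steer(app, SAMPLE_LINKS))
    for app in POLICY:
        print(steer(app, DEGRADED_LINKS))
```

The decision carries the service chain alongside the chosen link so that the security treatment is part of the same policy evaluation as path selection; a flow is never forwarded on a path without the services its application class requires.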

To summarize: By using a state-of-the-art SD-WAN platform, any and all external communications between data centers, remote offices and even public clouds are secured, using scalable, high-grade authentication and encryption. Because of the abstraction, remote offices and cloud links can be centrally managed, with no need to visit those branches. And the SD-WAN not only monitors security, but it gives IT departments granular visibility on a single pane of glass and gathers the data needed to demonstrate compliance with corporate policies.

Safe? Not safe? That depends.
Thank heavens for our firewalls, which protect the enterprise network perimeter against attack. Give praise for intrusion detection/prevention systems that guard against threats where the perimeter has been penetrated. Those are necessities for every organization. And for many businesses, enterprise and cloud security products are at the heart of data security. Realizing that SD-WAN is only one piece of an enterprise IT system, the best SD-WAN platforms integrate and interoperate with today's leading enterprise/cloud security platforms, such as those from Fortinet, Check Point, Palo Alto Networks, Zscaler, IBM Security and Forcepoint. When it comes to security, everything must work together.

SD-WAN allows enterprises to use inexpensive, flexible, high bandwidth and pervasive Internet connections to securely implement wide-area networks to link branch offices and remote locations. With SD-WAN, organizations are saving money while extending the level of security expected with dedicated WAN links like MPLS to every location, even over the Internet, or cellular wireless. Not only that, but with SD-WAN, it's fast and easy to set up a trustworthy remote connection using the Internet in a matter of minutes -- compared to the months it takes with traditional dedicated links.

Thanks to cloud-delivered SD-WAN platforms that offer integration with the industry's leading security platforms, enterprise IT and security staff can ensure that corporate data is protected, and compliance regulations are met -- even while employees in those field offices enjoy uncompromised application performance, quality of experience and reliable access to their corporate applications and resources. An industry-leading cloud-delivered SD-WAN solution will also give you the option to bring all of these components onto your own premises and let you host the entire solution behind your own firewall.

The bottom line is that SD-WAN is perfectly safe for implementing wide-area networks affordably, efficiently and securely.

Michael Wood is Vice President of Marketing for VeloCloud Networks, responsible for worldwide marketing, revenue generation, channel and sales enablement and communications. He has more than 20 years of leadership and management experience in the networking industry. Prior to VeloCloud, he served as Vice President of Product Management and Marketing for Akamai Technologies' Cloud Networking Business Unit. He also was an executive in residence, and is currently an adviser, for Plug and Play Tech Center, a startup incubator and accelerator. Early in his career, Wood was with StrataCom as a senior member of the technical staff. After Cisco acquired StrataCom in 1996, he spent 15 years with Cisco in various positions, culminating in the director of product management and marketing role for the multibillion dollar branch office integrated services router business for enterprises and service providers.
