The Security of SD-WAN

With Software-Defined WAN (SD-WAN), lower costs and increased efficiency are the big payoffs. Is there a price to be paid in security?

Perhaps we exaggerate, but IT professionals, especially those involved in telecommunications, should always beware of anything that's connected to the Internet, as well as services provided across the Internet. That includes websites, email, cloud-based applications, and of course, WANs.

The bad news is that the wild, unfettered Internet can indeed be a dangerous place; it's a good thing we have firewalls, unified threat management, intrusion prevention systems, heavily encrypted VPNs and endpoint security to protect us. The good news is that SD-WAN, one of the fastest-growing technologies for connecting branch offices, data centers, cloud services and remote locations, is perfectly safe.

While SD-WAN provides a reliable method to route traffic over the Internet, the underlying technologies are hardened, armored and fully protected. You can trust SD-WAN to provide the same or better security than traditional dedicated WAN services such as Multiprotocol Label Switching (MPLS), at a much lower total cost of ownership (TCO).

What is SD-WAN?
A Software-Defined WAN (SD-WAN), in a nutshell, can be thought of as an overlay architecture that connects enterprise on-premises data centers, infrastructure-as-a-service (such as those hosted by Amazon Web Services or Microsoft Azure), cloud services (such as software-as-a-service), remote locations and branch offices.

In some cases, those locations might already be linked by dedicated circuits using carrier-provided services like MPLS. Those services are usually reliable and secure, offering guaranteed bandwidth and mostly high availability. On the flip side, they can be extremely expensive, locked in by contracts, slow to provision new locations or change service parameters on existing links, and not always immune to performance issues.

Other locations, particularly branch offices, may have dedicated lines, but those types of connections are overkill for the type of connectivity that remote sites need -- which is fast, reliable access to enterprise applications and file sharing, as well as to corporate communications tools like on-premises applications, Voice over IP (VoIP) or video conferencing. In many cases, those branch offices simply need more raw bandwidth -- and the least expensive bandwidth is a straightforward Internet connection or connections. But the Internet isn't inherently secure or the highest quality. The performance and reliability of wired and wireless Internet are unpredictable at best.

SD-WAN establishes a communications overlay using software running on an edge appliance, as a virtual instance, or on virtual customer premises equipment (vCPE) inside the branch office, data center, campus or headquarters. Cloud-delivered SD-WAN extends this overlay to the front doorstep of nearly every cloud service, resource and application via cloud gateways distributed around the globe.

Every industry-leading SD-WAN leverages a cloud-based controller that coordinates communications and ensures business policy, priorities and criteria are propagated throughout the network. The controller pushes these instructions and changes to edge and cloud gateway devices to ensure the right traffic is sent, securely and reliably, over the best available path to its destination. SD-WAN edges and gateways understand applications and priorities: a VoIP session is steered to the best available link with the least jitter and packet loss, and even if there is packet loss, the link impairments are remediated; lower-priority applications such as chat or laptop data backups don't receive the same gold-plated treatment.

But what about security?
If SD-WAN sometimes sends data over virtual private MPLS links, and sometimes over the Internet, isn't the organization at risk? No, not at all. SD-WAN technology uses industrial-grade, standards-based authentication and encryption, securing every bit of control and data traffic end-to-end. What's more, because the enterprise SD-WAN is implemented and managed through the cloud, IT security experts can monitor the quality and performance of the connection and ensure that all communications meet corporate policies for security and reliability.

Leading cloud-delivered SD-WAN services are located in SSAE16 Type II data centers, supporting SHA256 and encryption of sensitive data. Activation of edges uses a one-time activation key with a limited lifetime, TLS, an orchestrator certificate and a tamper-resistant token. For data and transport, top-tier SD-WAN solutions use technologies such as IPsec VPN, IKEv2 with certificate-based authentication, end-to-end encryption using AES-256, shared keys and PKI.
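To make the "one-time activation key with a limited lifetime" concrete, here is an added example of what the orchestrator side of such a scheme looks like. It is not VeloCloud's code: the key format, the lifetime, the in-memory store and the edge names are all assumptions, and the TLS session and orchestrator-certificate validation that would wrap the exchange are not shown. The store keeps only a hash of each secret, rejects a key after its lifetime has passed, and consumes it on first successful use, so a key copied from an installer's email or a ticket cannot be replayed later.

```python
"""One-time, time-limited edge activation keys (orchestrator side).

Added illustration of the scheme described above, not VeloCloud's
implementation: key format, lifetime, store and edge names are assumptions.
"""
import hashlib
import hmac
import secrets
import time

ACTIVATION_TTL_SECONDS = 3600   # assumed lifetime of an unused activation key


def _digest(secret: str) -> bytes:
    # Only the hash is stored; a leaked store does not leak usable keys.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class ActivationStore:
    """Issues activation keys and lets each one be redeemed exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for testing expiry
        self._pending = {}                  # key_id -> (digest, expires_at, edge_name)

    def issue(self, edge_name: str) -> str:
        """Create a key for one edge. Returned string is handed out of band."""
        key_id = secrets.token_hex(8)       # public lookup handle
        secret = secrets.token_urlsafe(32)  # 256 bits of entropy
        expires_at = self._clock() + ACTIVATION_TTL_SECONDS
        self._pending[key_id] = (_digest(secret), expires_at, edge_name)
        return f"{key_id}.{secret}"

    def redeem(self, activation_key: str):
        """Return the edge name on success, None otherwise.

        A key is removed from the store when it is used successfully and
        when it is found to be expired; a wrong secret leaves it in place
        so a typo does not burn the key.
        """
        try:
            key_id, secret = activation_key.split(".", 1)
        except ValueError:
            return None                     # malformed key
        entry = self._pending.get(key_id)
        if entry is None:
            return None                     # unknown, already used, or expired
        digest, expires_at, edge_name = entry
        if self._clock() > expires_at:
            del self._pending[key_id]       # limited life: never usable again
            return None
        if not hmac.compare_digest(digest, _digest(secret)):
            return None                     # constant-time compare on the hash
        del self._pending[key_id]           # one-time: consumed on first success
        return edge_name

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    store = ActivationStore()
    key = store.issue("branch-42")          # constructed edge name
    print("first redeem :", store.redeem(key))
    print("second redeem:", store.redeem(key))
```

The `clock` parameter exists only so that expiry can be exercised deterministically; in production the default `time.time` is used.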

That's only the start. Different organizations have different security needs -- but they all have security needs that must be met. A medical institution must not only protect its intellectual property, but also patient data. A bank has to protect its operational data, and also secure customer accounts and verify the integrity of transactions in order to meet US and international requirements. Technology companies must protect their patents, and perhaps secure source code, encryption algorithms and other key data subject to export laws.

In order to help an organization enforce its security policies, SD-WAN must be able to implement those types of policies -- and be able to demonstrate that security to regulators or internal/external auditors. That's where the abstraction of an SD-WAN can actually be better than managing dozens of separate WAN systems -- today's best SD-WAN solutions have a single, multi-tenant management tool for handling application and business policies across all connections, regardless of the underlying communications medium (like MPLS, Internet or wireless).

Leading SD-WAN solutions also enable organizations to confidently take advantage of best-of-breed security technologies such as unified threat management, intrusion prevention systems, secure web gateways, cloud security and advanced firewalls. This is done via seamless interoperability with third-party security vendors, service insertion with cloud security services and integration of security virtual network functions (VNFs) inside the SD-WAN virtual customer premises equipment (vCPE). An SD-WAN solution must also coordinate both business policy and security policy to deliver exceptional quality of experience combined with the necessary security treatments based on the application.
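The two ideas above, application-aware steering (a VoIP session goes to the link with the least jitter and loss, impairments are remediated, bulk traffic gets cheaper treatment) and the coordination of business policy with security policy per application, fit in one small decision function. The following is an added example, not VeloCloud's code or algorithm: the link measurements, application classes, SLA thresholds, cost figures and the "duplicate" remediation are all constructed for illustration. The point it shows is the ordering: a link that fails the security policy (no encrypted tunnel up) or the business policy (transport not allowed for that traffic) is excluded before any quality comparison happens, so good measurements never override policy.

```python
"""Application-aware link steering under a business + security policy.

Added illustration, not VeloCloud's code or algorithm. The link metrics,
application classes, thresholds, costs and the "duplicate" remediation
are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    name: str
    kind: str          # "mpls", "internet" or "lte"
    tunnel_up: bool    # IPsec tunnel to the SD-WAN gateway is established
    jitter_ms: float
    loss_pct: float
    latency_ms: float
    cost: int          # relative cost per Mbit, lower is cheaper


@dataclass
class AppPolicy:
    realtime: bool          # optimise for quality (True) or cost (False)
    max_jitter_ms: float    # SLA the application needs
    max_loss_pct: float
    require_tunnel: bool    # security policy: only over the encrypted overlay
    allowed_kinds: tuple    # business policy: which transports may carry it


@dataclass
class Decision:
    link: Link
    remediation: Optional[str]   # None or "duplicate"


# Constructed policies: VoIP needs low jitter/loss; chat and backups do not.
POLICIES = {
    "voip":   AppPolicy(True,  30.0,   1.0, True, ("mpls", "internet", "lte")),
    "chat":   AppPolicy(False, 200.0,  3.0, True, ("mpls", "internet", "lte")),
    "backup": AppPolicy(False, 1000.0, 5.0, True, ("mpls", "internet")),
}


def quality_score(link: Link) -> float:
    """Lower is better; jitter and loss weigh more than raw latency."""
    return link.jitter_ms + 20.0 * link.loss_pct + 0.1 * link.latency_ms


def meets_sla(link: Link, policy: AppPolicy) -> bool:
    return link.jitter_ms <= policy.max_jitter_ms and link.loss_pct <= policy.max_loss_pct


def steer(links: List[Link], app_class: str) -> Optional[Decision]:
    """Pick the link for one flow, or None if no link satisfies the policy."""
    policy = POLICIES[app_class]
    # Security and business policy first: a link that fails them is never
    # used, however good its measurements look.
    candidates = [ln for ln in links
                  if ln.kind in policy.allowed_kinds
                  and (ln.tunnel_up or not policy.require_tunnel)]
    if not candidates:
        return None
    within_sla = [ln for ln in candidates if meets_sla(ln, policy)]
    if within_sla:
        # Real-time traffic takes the best-measuring link; bulk traffic takes
        # the cheapest link that still meets its (loose) SLA.
        key = quality_score if policy.realtime else (lambda ln: ln.cost)
        return Decision(min(within_sla, key=key), None)
    # No link meets the SLA: use the least-bad link and, for real-time traffic
    # with a second usable link, duplicate packets across links to mask loss.
    best = min(candidates, key=quality_score)
    remediation = "duplicate" if policy.realtime and len(candidates) > 1 else None
    return Decision(best, remediation)


def sample_links() -> List[Link]:
    """Constructed measurements: MPLS is congested, Internet is healthy."""
    return [
        Link("mpls",     "mpls",     True,  25.0, 0.2, 90.0, 10),
        Link("internet", "internet", True,   8.0, 0.3, 30.0,  2),
        Link("lte",      "lte",      False, 40.0, 2.0, 60.0,  5),  # tunnel down
    ]


def degraded_links() -> List[Link]:
    """Same links after loss rises on both wired paths."""
    links = sample_links()
    links[0].loss_pct = 1.5
    links[1].loss_pct = 3.0
    return links


if __name__ == "__main__":
    for app in POLICIES:
        d = steer(sample_links(), app)
        print(f"{app:7s} -> {d.link.name} remediation={d.remediation}")
    d = steer(degraded_links(), "voip")
    print(f"voip (degraded) -> {d.link.name} remediation={d.remediation}")
```

With the constructed measurements, VoIP is steered to the Internet link because the MPLS circuit is the worse-measuring path; when loss rises on both wired links, VoIP falls back to the least-bad link and packets are duplicated across the two, while the LTE link is never considered for any class while its tunnel is down.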

To summarize: By using a state-of-the-art SD-WAN platform, any and all external communications between data centers, remote offices and even public clouds are secured, using scalable, high-grade authentication and encryption. Because of the abstraction, remote offices and cloud links can be centrally managed, with no need to visit those branches. And the SD-WAN not only monitors security but also gives IT departments granular visibility on a single pane of glass and gathers the data needed to demonstrate compliance with corporate policies.

Safe? Not safe? That depends.
Thank heavens for our firewalls, which protect the enterprise network perimeter against attack. Give praise for intrusion detection/prevention systems that guard against threats when the perimeter has been penetrated. Those are necessities for every organization. And for many businesses, enterprise and cloud security products are at the heart of data security. Realizing that SD-WAN is only one piece of an enterprise IT system, the best SD-WAN platforms integrate and interoperate with today's leading enterprise/cloud security platforms, such as those from Fortinet, Check Point, Palo Alto Networks, Zscaler, IBM Security and Forcepoint. When it comes to security, everything must work together.

SD-WAN allows enterprises to use inexpensive, flexible, high-bandwidth and pervasive Internet connections to securely implement wide-area networks that link branch offices and remote locations. With SD-WAN, organizations are saving money while extending the level of security expected with dedicated WAN links like MPLS to every location, even over the Internet or cellular wireless. Not only that, but with SD-WAN, it's fast and easy to set up a trustworthy remote connection using the Internet in a matter of minutes -- compared to the months it takes with traditional dedicated links.

Thanks to cloud-delivered SD-WAN platforms that offer integration with the industry's leading security platforms, enterprise IT and security staff can ensure that corporate data is protected, and compliance regulations are met -- even while employees in those field offices enjoy uncompromised application performance, quality of experience and reliable access to their corporate applications and resources. An industry-leading cloud-delivered SD-WAN solution will also give you the option to bring all of these components onto your own premises and let you host the entire solution behind your own firewall.

The bottom line is that SD-WAN is perfectly safe for implementing wide-area networks affordably, efficiently and securely.

Michael Wood is Vice President of Marketing for VeloCloud Networks, responsible for worldwide marketing, revenue generation, channel and sales enablement and communications. He has more than 20 years of leadership and management experience in the networking industry. Prior to VeloCloud, he served as Vice President of Product Management and Marketing for Akamai Technologies' Cloud Networking Business Unit. He also was an executive in residence, and is currently an adviser, for Plug and Play Tech Center, a startup incubator and accelerator. Early in his career, Wood was with StrataCom as a senior member of the technical staff. After Cisco acquired StrataCom in 1996, he spent 15 years with Cisco in various positions, culminating in the director of product management and marketing role for the multibillion dollar branch office integrated services router business for enterprises and service providers.