SD WAN Security Features and Capabilities
While SD WAN provides disruptive benefits in performance, reliability, flexibility, and cost reduction, it may be challenging for some enterprises to adapt their centralized security infrastructure given the distributed nature of SD WAN. For example, SD WAN may allow a remote user to connect directly to a cloud-based application with better performance and less latency than ever before. However, in large-scale environments, this could also remove a traditional inspection or filtering point such as a corporate web proxy from a network path.

Many of today’s leading SD WAN solutions have built-in security capabilities, which include integrated inspection and filtering (usually by providing a Secure Web Gateway, or SWG, as part of a complete SASE or SSE solution), but some do not, so it’s important to make sure that these security controls are addressed when looking at Software Defined WAN.
What are the benefits of SD WAN security?

SD WAN architecture’s primary inherent security benefit is that it massively simplifies the process of ensuring end-to-end traffic encryption for distributed networks. SD WAN allows IT departments to manage dynamic and distributed network links centrally and deploy uniform encryption without having to deploy and manage statically configured virtual private networks (VPNs).
With the advent of access to shared cloud applications, advanced threats and data protection standards, dynamic setup of tunnels is necessary to support connections from users across the globe as they access resources from untrusted networks and connected devices. SD WAN solutions can also maintain network segmentation across these distributed links to reduce the available attack surface.
Some SD WAN vendors support advanced Next Generation Firewall (NGFW) integration to enable granular packet inspection wherever traffic crosses zones protected by these physical, virtual, or cloud-native firewalls.
What concerns are there surrounding SD WAN security?

As mentioned previously, the primary concern surrounding SD WAN is the potential loss of visibility and filtering capability when dynamically distributed traffic doesn’t always follow the same path across an inspection or filtering point, such as a proxy.
Modern inspection and filtering capabilities provided through integrated security features such as secure web gateways can alleviate this concern and often exceed the functionality offered by traditional inspection solutions, so it’s important to ensure that network visibility and filtering defences aren’t overlooked during the decision-making process.
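The visibility concern described above can be measured rather than assumed. The following is an added example, not part of the original page or any vendor's tooling: it reads flow records and reports web flows that reach the internet without crossing an inspection or filtering hop. The CSV columns, hop labels and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: flow records as an SD WAN controller might export them.
# Column names and hop labels are assumptions made for this example.
FLOWS_CSV = """site,src_ip,dst_host,dst_port,path
branch-01,10.1.0.15,app.example.com,443,edge>swg>internet
branch-01,10.1.0.22,files.example.net,443,edge>internet
branch-02,10.2.0.9,intranet.corp.example,443,edge>overlay>dc-proxy
branch-02,10.2.0.9,cdn.example.org,80,edge>internet
branch-02,10.2.0.31,ntp.example.org,123,edge>internet
remote-user,192.0.2.44,app.example.com,443,client>swg>internet
"""

INSPECTION_HOPS = {"swg", "dc-proxy", "ngfw"}  # hops that inspect or filter
WEB_PORTS = {80, 443}

def parse_flows(text):
    """Yield one dict per flow, with the port as int and the path as a hop list."""
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["hops"] = row["path"].split(">")
        yield row

def uninspected_web_flows(flows):
    """Web flows whose path crosses no inspection or filtering hop."""
    return [f for f in flows
            if f["dst_port"] in WEB_PORTS
            and not INSPECTION_HOPS.intersection(f["hops"])]

def coverage_by_site(flows):
    """Per site: (inspected web flows, total web flows)."""
    stats = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["dst_port"] not in WEB_PORTS:
            continue  # only web traffic is expected to cross the proxy/SWG
        stats[f["site"]][1] += 1
        if INSPECTION_HOPS.intersection(f["hops"]):
            stats[f["site"]][0] += 1
    return {site: tuple(v) for site, v in stats.items()}

if __name__ == "__main__":
    flows = list(parse_flows(FLOWS_CSV))
    for f in uninspected_web_flows(flows):
        print(f"UNINSPECTED {f['site']} {f['src_ip']} -> {f['dst_host']}:{f['dst_port']} via {f['path']}")
    for site, (ok, total) in sorted(coverage_by_site(flows).items()):
        print(f"{site}: {ok}/{total} web flows inspected")
```

A site whose inspected count is lower than its total has a local breakout path that bypasses the filtering point.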
Another SD WAN security concern is endpoint security, especially when SD WAN infrastructure enables remote users and their devices to access sensitive corporate assets from untrusted locations or using untrusted services, including public Wi-Fi.
Any new WAN implementation carries a significant risk of exposing the network, as SD WAN traffic is carried beyond the firewall and network devices are outward-facing. Unintended security issues can arise when implementing a new WAN, and provisioning SD WAN adds the risk of vulnerabilities existing across both the underlay and overlay layers.
However, SD WAN can help to centralize and standardize security practices. The centralized SD WAN controller can improve the maintenance of security elements across the entire network rather than at each individual endpoint.
IT decision-makers should consider whether their ability to deploy, maintain, and audit secure configuration across their endpoints is suitable. If not, they should only consider SD WAN solutions that include appropriate endpoint security and configuration features. In either case, there’s a good chance that internal efforts or professional services may be required to establish and maintain a baseline endpoint security configuration.
How does SD WAN encryption work?
Most SD WAN solutions dynamically establish secure tunnels using Internet Protocol Security (IPsec, a network security protocol suite commonly used by traditional VPNs) or proprietary network protocols. In either case, a strong encryption algorithm like AES (Advanced Encryption Standard) encrypts source and destination traffic traversing the network, with key lengths typically ranging between 128 bits and 256 bits. By coupling AES with tunnelling protocols, SD WAN solutions can dynamically set up secure tunnels to uniformly protect the privacy of network traffic across all devices, users, branch-office locations, and beyond.
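To verify that tunnels actually negotiate AES at the key lengths described above, and do so uniformly, the proposals in use can be audited. The following is an added example, not code from the original page or from any SD WAN product: the tunnel inventory is constructed, and it assumes proposals are written with strongSwan-style keywords whose first token names the encryption algorithm (vendors differ).

```python
import re

# Constructed inventory: tunnel name -> ESP proposal, written with
# strongSwan-style proposal keywords (an assumption; vendors differ).
TUNNELS = {
    "hq<->branch-01": "aes256gcm16-ecp384",
    "hq<->branch-02": "aes128-sha256-modp2048",
    "hq<->branch-03": "3des-sha1-modp1024",
    "hq<->cloud-gw": "null-sha256-modp2048",
    "branch-01<->cloud-gw": "aes256gcm16-ecp384",
}

# AES keyword with key length and optional mode suffix, e.g. aes128, aes256gcm16
AES_TOKEN = re.compile(r"^aes(128|192|256)(gcm(8|12|16)|ctr|ccm(8|12|16))?$")

def encryption_of(proposal):
    """Return (cipher, key_bits) taken from the first token of a proposal."""
    token = proposal.split("-")[0].lower()
    m = AES_TOKEN.match(token)
    if m:
        return "aes", int(m.group(1))
    return token, None  # not AES: 3des, null, or an unrecognized keyword

def audit(tunnels, min_bits=128):
    """Map each non-compliant tunnel to the reason it fails the policy."""
    findings = {}
    for name, proposal in tunnels.items():
        cipher, bits = encryption_of(proposal)
        if cipher != "aes":
            findings[name] = f"encryption is '{cipher}', not AES"
        elif bits < min_bits:
            findings[name] = f"AES key length {bits} is below {min_bits}"
    return findings

def is_uniform(tunnels):
    """True when every tunnel uses the same proposal."""
    return len(set(tunnels.values())) == 1

if __name__ == "__main__":
    for name, reason in sorted(audit(TUNNELS).items()):
        print(f"FAIL {name}: {reason}")
    print("uniform encryption:", is_uniform(TUNNELS))
```

Raising `min_bits` to 256 turns the same audit into a check for a stricter policy.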
How do I define SD WAN security?
When defining your SD WAN security architecture, Netify recommends following best practices such as those listed below:
- Analyze your business’ IT operations – IT architects should be tasked with documenting the existing network architecture, service delivery and desired end-state architecture, including HQ, branch offices, remote users, devices, and applications.
- Conduct a threat modelling exercise to identify potential vulnerabilities and security threats in your architecture.
- Conduct a risk assessment to identify the risks to your IT operations and business across external and internal threats.
- Ensure that proposed SD WAN providers apply or support the application of SASE & SSE security – Gartner created the SASE (Secure Access Service Edge) and SSE (Secure Service Edge) cloud framework to help organizations understand the portfolio of security services required to protect the network and users. Technologies include NGFW (Next Generation Firewall), ZTNA (Zero Trust Network Access), SWG (secure web gateway), CASB (cloud access security broker) and MDR (managed detection and response).
- Network Segmentation reduces the attack surface across your architecture to help ensure threats and security breaches cannot bring down the entire network regardless of their ingress point. The business may consider some areas of the network more vulnerable than others due to the type of data processed or stored, so segmenting the network allows for per-segment security policies.
- Use your data – understand past policies and why they changed, ensure your architecture allows for 100% visibility, and use data from past incidents and threat detection in your design to better protect the network and your business in the future.
- Think zero trust and authenticate everything - creating strong authentication and access controls is a must. This truly sets a secure SD WAN architecture apart from traditional VPNs.
Is SD WAN secure?
An SD WAN solution is designed to offer security for data transportation across Ethernet, Broadband and 4G/5G cellular infrastructure, but it does not comprise a complete security architecture. It is important to understand that SD WAN is only one component of your organization’s security architecture.
Leading SD WAN solutions have integrated various security technologies and features, which enables them to offer incredible levels of security, allowing them to connect the enterprise with a level of trust above and beyond legacy private networks such as MPLS and VPLS. Such legacy WAN technologies, which were not designed with the concept of ‘least privilege’ in mind, remain vulnerable to various internal and external threats introduced by users bringing devices into the branch office or working remotely.
What are the security risks and vulnerabilities with SD WAN?
- Man-in-the-middle attacks and malware - SD WAN is designed to meet the needs of public cloud application access which requires supporting data transport from multiple sources and devices which could be anywhere in the world. Unlike private WAN technologies like MPLS, network traffic often flows across untrusted networks like the public internet, making communications vulnerable to man-in-the-middle attacks. Such attacks can be used to impact confidentiality by intercepting and potentially decrypting traffic, as well as introducing malware.
- Visibility - the visibility of application traffic across the network is becoming ever more complex, so network administrators are challenged to keep track of data sources from remote devices and users. While SD WAN reporting does offer insights into the network, these statistics often take time to build the full picture. The use of security technologies like network intrusion protection systems (IPS) and secure web gateways is often required to achieve full visibility into the complete SD WAN architecture across branch locations and remote users.
- Security policy configuration challenges – secure configuration across an enterprise is a challenge in itself. Establishing and maintaining secure configuration across distributed endpoints is even more demanding. If network security controls for both the network itself and the endpoints are not configured correctly, the organization can be at risk of data loss and breaches. Endpoint security misconfiguration or missing patches are often the attack vector used for initial access, which leads to a breach. One common example is URL filtering, where certain legitimate sites are blocked.
While an SD WAN solution offers security for data transmission between offices, the cloud, and remote users, the remainder of your network also requires protection, including local area networks (LANs) at your office locations and within cloud environments. It is often the case that internal security measures do not match those implemented for external communications and are not sufficient to protect the organisation from internal cyber threats.
Lastly, perhaps the biggest threat organizations face to their systems is the human factor. Research suggests that approximately 80 to 95 percent of data breaches are either directly or indirectly caused by human error, which is, to a lesser or greater extent, the primary cause of cybersecurity breaches. Users at all levels with any kind of network access need to be aware of risks, threats, and secure behaviours and procedures to avoid compromising security.
What are SD WAN security best practices?

It is critical that enterprises plan to mitigate security risks by establishing requirements that address their identified risks and then implementing the best possible security solutions and products.
SD WAN security best practices include:
- Implement the strongest possible encryption that can be supported end-to-end to protect sensitive and customer data.
- Implement secure web gateways and integration with next-generation firewalls to inspect and filter traffic across the network.
- Use network threat and intrusion detection with real-time monitoring to identify and respond to suspicious activity via centralized management.
- Conduct regular vulnerability assessments and penetration tests to ensure the effectiveness of your security controls.
- Conduct architecture reviews and compare to reference architectures to keep up to date with emerging threats and new technologies.