What are use cases for SASE and the recommendations?
What are SD WAN security concerns?
Cloud adoption has driven organizations to enable direct Internet access from the branch office to optimize cloud application access and improve user experience.
While this architectural shift eliminates the network latency caused by backhauling all Internet traffic to a central Internet perimeter, it enlarges the attack surface in direct proportion to the number of hub locations and exposes users to Internet-borne threats. Consequently, IT decision-makers must identify the security architecture that best meets the long-term needs of their business while reducing the total cost of ownership and ensuring consistent security across all users, locations, and resources.
What is SD WAN security?
SD WAN security refers to using secure IP tunnels, generally IPsec VPN tunnels, to encrypt network traffic sent between hub locations over the Internet, augmented by a local or cloud-based security stack that delivers the security capabilities needed to neutralize Internet-based threats.
While many SD WAN providers offer native security solutions to protect branch office application access and user activity, including east-west and north-south network traffic protection, others offer integrated security through "service chaining". Service chaining integrates SD WAN solutions with cloud security solutions, such as SWG, CASB, FWaaS, and ZTNA, from top-tier security vendors.
How does SD WAN improve security?
SD WAN can improve security by integrating security capabilities into the SD WAN network fabric without the added complexities of traditional MPLS networks, encrypting east-west network traffic, and enforcing consistent security policies across the entire ecosystem, regardless of the user's network location (remote or on-site). Furthermore, SD WAN's unified management of networking and security policies from a central location, complemented by the zero-touch deployment of SD WAN gateways, provides consistent network device configuration, significantly reducing security risks arising from misconfigured devices.
What are the security challenges with SD WAN?
Many organizations shift to an SD WAN architecture to enable digital innovation and accelerate cloud adoption, focusing on the operational and business benefits with little regard for security. Consequently, IT decision-makers are left to secure a distributed Internet perimeter after selecting an SD WAN vendor or provider, which significantly increases the cost and time to implement.
IT decision-makers have several approaches to choose from to solve the security challenges arising from SD WAN, such as:
- Deploy a branch office security stack, either as a stand-alone solution or built into an SD WAN gateway. While this approach will meet most security requirements, it requires a significant up-front investment and ongoing management, is challenging to scale, and does not provide coverage for remote users.
- Use a cloud-based security platform that enforces security policies for remote and branch office users from a central location.
- Use a combination of local and cloud-based security, where basic controls are applied locally and more process-intensive security capabilities are delivered from the cloud.
Each approach has financial, performance, architectural, and operational implications. Therefore, IT decision-makers should evaluate each option against their business needs before selecting an SD WAN vendor.
What are the top-rated SD WAN security features?
While the security features vary from one vendor to another, the core SD WAN security capabilities generally include IPsec VPN, basic stateful firewalling, and DoS protection, with optional native advanced security, such as SWG, NGFW, malware protection, IPS, DLP, and CASB.
What are the top SD WAN security risks?
The top security risks associated with SD WAN arise from enabling direct branch office Internet access without suitable protection. These risks include:
- Increased exposure to malware and phishing attacks
- Increased susceptibility to branch office network compromise
- Lack of visibility into user network activity, resulting in undetected security events and incidents
- Increased likelihood of undetected data exfiltration through the branch office perimeter
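The following is an added example, not part of the original page or any vendor's tooling: it audits a constructed branch inventory against the three approaches and the risks listed above. The field names, the sample branches, and the rule that any non-IPsec tunnel is a finding are assumptions made for illustration.

```python
# Constructed inventory; field names are assumptions for this example,
# not any SD WAN vendor's schema.
BRANCHES = [
    {"name": "branch-a", "direct_internet": True, "local_stack": True,
     "cloud_stack": False, "tunnel": "ipsec", "flow_logging": True,
     "remote_users": False},
    {"name": "branch-b", "direct_internet": True, "local_stack": False,
     "cloud_stack": False, "tunnel": "ipsec", "flow_logging": False,
     "remote_users": False},
    {"name": "branch-c", "direct_internet": True, "local_stack": True,
     "cloud_stack": False, "tunnel": "gre", "flow_logging": True,
     "remote_users": True},
    {"name": "branch-d", "direct_internet": True, "local_stack": True,
     "cloud_stack": True, "tunnel": "ipsec", "flow_logging": True,
     "remote_users": True},
]

def approach(branch):
    """Classify a branch as local, cloud, hybrid, or none (no stack)."""
    if branch["local_stack"] and branch["cloud_stack"]:
        return "hybrid"
    if branch["cloud_stack"]:
        return "cloud"
    return "local" if branch["local_stack"] else "none"

def audit(branch):
    """Return the findings for one branch, phrased after the risks above."""
    findings = []
    mode = approach(branch)
    if branch["direct_internet"] and mode == "none":
        findings.append("direct Internet access with no security stack")
    if branch["tunnel"] != "ipsec":
        findings.append("inter-site tunnel is not IPsec-encrypted")
    if branch["direct_internet"] and not branch["flow_logging"]:
        findings.append("no visibility into user network activity")
    if branch["remote_users"] and mode == "local":
        findings.append("local-only stack does not cover remote users")
    return findings

def audit_all(branches):
    """Map branch name to findings, omitting branches with none."""
    results = {b["name"]: audit(b) for b in branches}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(BRANCHES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```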
How should IT teams implement SD WAN security measures?
While there are many options to deploy SD WAN security, IT teams should strive to simplify the branch office security architecture. One way to do so is to use a cloud-based enterprise security stack to deliver more advanced and process-intensive security capabilities, such as SSL inspection, SWG, DLP, and CASB, augmented by a local basic or next-gen firewall as needed. This fundamental change protects branch office users and remote users alike; it allows remote users to access applications or the Internet from the nearest cloud-based security enforcement point (or PoP) with the same level of protection as on-site users.
What are the SD WAN security benefits?
The primary benefit of SD WAN security, particularly when delivered as a cloud service, is consistent and scalable protection across all users and applications, regardless of whether users are remote or on-site. Additionally, SD WAN security simplifies branch office Internet access while reducing the initial capital investment and the total cost of ownership by eliminating the need for vendor hardware integrations at each branch office.