The Security Side of SD-WAN
Deck: SD-WAN solutions reduce total cost (TCO) but need security integration with other security products to be effective.
SD-WAN is fast becoming a go-to technology
SD-WAN is fast becoming a go-to technology for IT departments and organizations looking to reduce the cost of connecting their various sites. Historically, private links such as MPLS, T1, and Private Ethernet connections were used to provide sufficient, reliable bandwidth. In most cases, these legacy connections were premium priced and difficult to manage. Network redundancy was labor-intensive, required a high degree of complexity, and was costly. WAN acceleration for applications required extra add-in products. Although cost savings have been the major adoption driver to date, moving forward, the application performance improvements and simplicity will likely be the defining reason for moving to SD-WAN. The challenge will be how to meld application performance with security.
Big Picture – How Does it Fit Together?
To conceptually frame where the SD-WAN trend is headed, the following diagram provides a high-level overview. Every site has multiple physical connections on the SD-WAN edge. SD-WAN devices manage and optimize application traffic between sites. Most SD-WAN providers offer a cloud management component that includes a hosted gateway with basic firewalling functionality.
The key to the future of networks and security is application awareness. Application performance acceleration (SD-WAN) and firewall-application level security are both very difficult. Both require specialization, but they work very well together.
​
Many SD-WAN providers have partnered or will work with the next-generation firewall (NGFW) cloud vendors. The NGFW vendors are starting to provide hosted cloud firewall gateways, allowing organizations to centralize their outbound only (for now) firewall services and Internet access in the cloud (essentially FWaaS). Independently, the SD-WAN cloud gateway and hosted cloud firewalls are interesting services, but combined they’re a game changer!
Improved Application Performance
With this deployment in mind, the most pertinent benefit is the improved application performance across the WAN (traffic between sites; and destined for private data centers, public cloud data centers, and Software as a Service (SaaS)). The SD-WAN solution is application and network aware, meaning the solution has algorithms for optimizing common application traffic between sites.
It also means that it’s aware of the network links and the quality – end to end to optimize the traffic between sites using all of the paths available. This is particularly important for applications that are sensitive to packet loss, jitter, or latency – like voice or video communications traffic. SD-WAN will also prioritize application traffic between sites. This allows network managers to have visibility into their network traffic at the application level. This level of visibility can allow for capacity management when needed by simply adding an additional low-cost connection to a site SD-WAN device.
Advancement in Security
Security has become a significant challenge for most organizations. One of the biggest challenges has become the complexity of managing multiple sites. SD-WAN allows organizations to centralize their Internet access using a centralized NGFW. While this firewall has traditionally been located at a head office, the SD-WAN allows organizations to move to a cloud-hosted NGFW, where Internet capacity is far greater, and reliability is easier to manage. Edge connectivity improvements are made through SD-WAN.
Security has become a significant challenge for most organizations. One of the biggest challenges has become the complexity of managing multiple sites. SD-WAN allows organizations to centralize their Internet access using a centralized NGFW. While this firewall has traditionally been located at a head office, the SD-WAN allows organizations to move to a cloud-hosted NGFW, where Internet capacity is far greater, and reliability is easier to manage. Edge connectivity improvements are made through SD-WAN.
​
Most SD-WAN gateways and cloud firewall service providers are located in multiple highly available data centers with locations around the world – often in the same cloud data centers (i.e. AWS, Azure, Google). These large connections between the SD-WAN gateway and the hosted NGFW allow for very good connectivity.
This centralization simplifies policy management but also centralized Internet application traffic visibility.
Security administrators can centrally control the decryption of SSL traffic, giving them even better insights and control over application traffic. This centralized management across branch networks with advanced application visibility and control enhances security protection, detection, and response capabilities. This enhances security enforcement with cloud security detection and response systems.
Control Traffic
Additionally, SD-WAN enables network managers to span network segmentation across all sites of the organization. The segmentation of the networks across sites allows an organization to isolate access (think conceptually of VLANs across the WAN) to specific types of network devices. These network segments can be extended to the NGFW via encrypted links to control traffic between segments.
A good example of how this might be of benefit would be for HVAC contractors or vendors (or any other partner or supplier). These vendors need remote access to monitor and manage HVAC systems at various sites across the organization. Historically, this could only be done on a site-by-site basis or more generic access was provided.
Many of us remember the Target security breach, where the hackers stole credit card data after they accessed Target’s network via the HVAC contractor. If the HVAC systems had been on a separate network segment, this security breach would have been isolated to just HVAC systems. This can be especially beneficial moving forward with the proliferation of Internet of Things (IoT) devices.
Business Enhancement
One of the benefits of SD-WAN has been the simplicity of management.
SD-WAN devices and configurations are centrally managed, usually using cloud management tools. This management allows for service standardization with greater business agility and responsiveness across the organization.
Historically, setting up a new site for an organization was complex from a connectivity and security perspective. With SD-WAN coupled with a cloud-hosted NGFW, it will allow network managers to deploy a SD-WAN device and a couple of standard (low cost) Internet connections to the new site. The new site will then be connected with all of the network policies, network segmentation, and Internet access that all of the other sites have. This has significantly enhanced options for connection types for building more robust networks.
Improving Security With SD-WAN
The overall benefit of SD-WAN solutions is that it can significantly improved security operations when integrated. This improved management will significantly reduce security risks and improve your IT security's defense. The bonus is the enhanced business agility and scalability for the organization.
First Published No Jitter October 22, 2019