What is SD-WAN?
Of course, it is Software-defined wide area networking (SD-WAN). You already know that.
SD-WAN is basically a distributed networking approach that gives organizations a practical alternative to high-latency hub-and-spoke network topologies.
All the hub-and-spoke networks you have been building for enterprises routed all branch-office traffic directly to your company's centralized data center, over dedicated MPLS lines. Remote users and home-based workers connected to that centralized data center via VPN. This approach favoured centralized management and security, and it worked reasonably well in an era when all applications were installed either on the desktop or on the servers in your data center.
BUT...
The word CLOUD, and the rapid proliferation of cloud applications and services, OVERLOADED your MPLS circuits. How?
Because now every little action a remote user took in any cloud application forced the following traffic pattern:
First to the data center --> Then out to the cloud --> Back through the data center again --> finally, out to your user again at the end of the trip.
Now, you can CLEARLY see that--
1. This is a longer trip of traffic.
2. It is a recipe for extreme latency.
3. It would result in poor user experience.
4. It would surely not let you maximize the benefits of your cloud apps.
-
WELCOME TO SD-WAN
SD-WAN solves precisely this pain point. It allows your branch offices and your remote users to connect directly to the internet when such a direct link is warranted.
SD-WAN is essentially software that is capable of making intelligent decisions about HOW TO ROUTE TRAFFIC.
These decisions are made based on factors like the 'priority' policies you create and the 'QoS settings' you configure as your needs evolve.
It builds out a mesh of network links that have the flexibility to connect directly to the Internet, to other branches, or to the data center, based on the application being used, using a range of transport services that include not only MPLS, but also commodity broadband services and LTE/5G.
SD-WAN makes far heavier use of the mesh networking topology. It lets you maximize application performance and reliability, and the flexibility in transport services helps you bring down your IT costs. Additionally, an SD-WAN's virtualized console still offers centralized management and visibility into all of these connections.
However, the SD-WAN model breaks the 'Centralized Security Inspection' that was the hallmark of the hub-and-spoke architectures most organizations have built.
Because when an SD-WAN architecture is used, much of your traffic moves outside the bounds of your data center perimeter. When remote workers connect directly to the cloud, to IoT devices, and to other Internet resources, that traffic never crosses the traditional inspection point, such as your on-premises firewall.
-
The idea behind this post is to make you rethink the security aspects of SD-WAN...
You must rethink --
• How would your security controls examine the traffic for malicious behavior?
• How would you apply content security policies?
If you don't rethink that, then trust me, your remote users and your branch offices are going to give you a hell of a time.
Another point: many people have the big misconception that SD-WAN is secure by default, because it allows all traffic to be encrypted from the moment it is deployed. Don't fall into this trap! Remember, encryption is a valuable layer in your security posture, but it is not everything. You will still need extra defenses in the form of INSPECTION and FILTERING, so that you can detect and block malware, botnets, and other threats emanating from internet traffic.
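To make the two decisions above concrete (which transport a flow gets, and whether a direct-to-internet flow still passes an inspection point), here is a small policy engine written for this post as an added illustration. It is not code from any SD-WAN vendor; the link telemetry, application SLAs and per-site inspection capabilities are constructed values, and the rule that internet-bound traffic is backhauled whenever no local or cloud inspection exists is the design choice being demonstrated.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed link telemetry for one branch (values are made up for the example).
LINKS: Dict[str, Dict[str, float]] = {
    "mpls":      {"latency_ms": 25, "loss_pct": 0.1, "cost_per_gb": 9.0},
    "broadband": {"latency_ms": 40, "loss_pct": 0.8, "cost_per_gb": 1.0},
    "lte":       {"latency_ms": 70, "loss_pct": 2.0, "cost_per_gb": 4.0},
}

# Constructed 'priority' / QoS policy: the SLA each application class must get.
APP_POLICY: Dict[str, Dict[str, float]] = {
    "voip": {"max_latency_ms": 50,  "max_loss_pct": 1.0},
    "erp":  {"max_latency_ms": 60,  "max_loss_pct": 0.5},
    "saas": {"max_latency_ms": 120, "max_loss_pct": 2.0},
    "bulk": {"max_latency_ms": 500, "max_loss_pct": 5.0},
}

# Constructed inventory of the inspection points available at each site.
SITE_INSPECTION: Dict[str, Dict[str, bool]] = {
    "hq":       {"local_ngfw": True,  "cloud_inspection": False},
    "branch-a": {"local_ngfw": False, "cloud_inspection": True},
    "branch-b": {"local_ngfw": False, "cloud_inspection": False},
}


@dataclass(frozen=True)
class Decision:
    link: str          # transport chosen for this flow
    path: str          # "direct-internet" (local breakout) or "to-datacenter"
    inspected_by: str  # which security function gets to see the traffic


def select_link(app: str, exclude: Iterable[str] = ()) -> str:
    """Cheapest link that satisfies the application's SLA; lowest-latency link if none does.

    `exclude` lets the caller simulate a failed or brown-out link.
    """
    policy = APP_POLICY[app]
    usable = [n for n in LINKS if n not in exclude]
    meets_sla = [
        n for n in usable
        if LINKS[n]["latency_ms"] <= policy["max_latency_ms"]
        and LINKS[n]["loss_pct"] <= policy["max_loss_pct"]
    ]
    if meets_sla:
        return min(meets_sla, key=lambda n: LINKS[n]["cost_per_gb"])
    return min(usable, key=lambda n: LINKS[n]["latency_ms"])  # best effort


def route(site: str, app: str, destination: str, exclude: Iterable[str] = ()) -> Decision:
    """Pick a transport, and never let internet-bound traffic bypass inspection."""
    link = select_link(app, exclude)
    if destination == "datacenter":
        # Hub-bound traffic is still inspected by the data-center firewall, as before.
        return Decision(link, "to-datacenter", "datacenter-ngfw")
    caps = SITE_INSPECTION[site]
    if caps["local_ngfw"]:
        return Decision(link, "direct-internet", "branch-ngfw")
    if caps["cloud_inspection"]:
        return Decision(link, "direct-internet", "cloud-security-service")
    # No inspection point on the direct path: the safe default is to hairpin the flow
    # through the data center, paying the latency the post describes.
    return Decision(link, "to-datacenter", "datacenter-ngfw")


if __name__ == "__main__":
    for site in SITE_INSPECTION:
        for app in ("voip", "saas"):
            print(site, app, route(site, app, "internet"))
    print("erp with MPLS down:", route("hq", "erp", "datacenter", exclude=("mpls",)))
```

The point to notice is that branch-b, which has neither a local NGFW nor a cloud inspection service, never gets direct breakout even for SaaS traffic: the routing policy and the security policy are evaluated together, not in separate tools.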
You must base SD-WAN security largely on the use of IP security (IPsec), VPN tunnels, next-generation firewalls (NGFWs), and the micro-segmentation of application traffic, if you want granular visibility into your network.
You should ensure that security functionality is everywhere: at an organization’s headquarters, branch locations, and the cloud.
-
What are the basics of SD-WAN Security?
IPsec and VPNs are the basics of it.
IPsec-based VPNs are nearly universal to all SD-WANs. Since an SD-WAN uses the public internet in addition to MPLS connections, you must have a VPN or IPsec tunnel to, at the very least, ensure that your traffic is not interfered with between the sender and receiver.
Here is how it is done:
• Authenticating the sender, receiver, and packets being sent.
• Using encryption keys already shared by the hosts sending and receiving the data, or using public and private key encryption.
• Ensuring packets have not been tampered with by using the Encapsulating Security Payload (ESP) protocol.
• Confirming that the origin of packets is trusted through an Authentication Header (AH) that looks at the IP header.
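The third bullet is the one most people take on faith, so here is a stripped-down model of what ESP's integrity check value (ICV) and anti-replay window actually do on the receiving side. This is an added example written for this post, not an IPsec implementation: the key is assumed to be already shared (the second bullet), the payload is left in the clear because only integrity is being shown (real ESP also encrypts it, and the ICV covers the ciphertext), and the packet layout, SPI value and key are constructed.

```python
import hashlib
import hmac
import struct
from typing import Set, Tuple

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as IPsec's HMAC-SHA-256-128 does


def build_packet(spi: int, seq: int, payload: bytes, integrity_key: bytes) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV. The ICV covers everything before it."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(integrity_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class EspReceiver:
    """Receiver side of one inbound SA: integrity check plus an RFC 4303-style anti-replay window."""

    def __init__(self, spi: int, integrity_key: bytes, window: int = 64) -> None:
        self.spi = spi
        self.key = integrity_key
        self.window = window
        self.highest_seq = 0           # highest sequence number accepted so far (ESP starts at 1)
        self.accepted: Set[int] = set()  # accepted numbers still inside the window

    def verify(self, packet: bytes) -> Tuple[bool, str]:
        if len(packet) < 8 + ICV_LEN:
            return False, "malformed: too short"
        header, payload, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            return False, "unknown SPI"
        # Cheap replay checks come first, before the more expensive MAC computation.
        if seq <= self.highest_seq - self.window:
            return False, "replay: sequence number below window"
        if seq in self.accepted:
            return False, "replay: duplicate sequence number"
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            # A flipped bit anywhere in SPI, sequence number or payload lands here.
            return False, "integrity check failed"
        # Only a packet that passed the ICV may advance the window.
        self.accepted.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        self.accepted = {s for s in self.accepted if s > self.highest_seq - self.window}
        return True, "accepted"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    rx = EspReceiver(spi=0x1000, integrity_key=key)
    good = build_packet(0x1000, 1, b"branch -> cloud request", key)
    print(rx.verify(good))                 # accepted
    print(rx.verify(good))                 # replay: duplicate sequence number
    damaged = bytearray(build_packet(0x1000, 2, b"branch -> cloud request", key))
    damaged[12] ^= 0x01                    # one bit flipped in transit
    print(rx.verify(bytes(damaged)))       # integrity check failed
```

Two things a practitioner should take from it: the receiver decides on the ICV before it trusts anything in the packet, and a verified packet that is merely old is still dropped, which is why a tunnel with integrity but no replay window is not the same thing as ESP.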
Nearly all security features in an SD-WAN depend on the amount of network visibility you have, because the software can only act on the traffic it can see. Not all SD-WAN solutions offer the same degree of visibility: some offer visibility down to the level of users and devices, and some even offer visibility into the applications that are generating traffic.
The degree of visibility you have will govern what security policies, controls, etc. you can build...
-
ADD THE NGFW TO THE SPECTRUM
A next-generation firewall (NGFW) is a key element of SD-WAN security. Deployed at branches as well as headquarters, an NGFW is a virtualized and improved version of traditional hardware-based firewalls. An NGFW runs multiple virtual network functions (VNFs), such as application awareness, intrusion detection and prevention, URL and web content filtering, malware detection, and antivirus protection.
NGFWs and the VNFs they run can be based in the CLOUD in addition to on-premises. Virtualized NGFWs are most suited to the task!
-
MICROSEGMENTATION IS A MUST
It is like creating virtual networks within the SD-WAN's virtualized network overlay. Micro-segmentation allows you to segregate the traffic of different applications, or groups of applications, from each other. This eliminates attack vectors between segments and lets you apply security policy and quality of service much more granularly. Different policies can be applied to individual segments.
Microsegmentation is able to segment traffic down to the workload. Traffic that is coming from a less secure location cannot interact with sensitive information.
And it goes without saying that a robust patch-management policy goes with it!
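What "traffic from a less secure location cannot interact with sensitive information" looks like as policy is easier to see in code than in prose. The evaluator below is an added example written for this post, not any vendor's segmentation product: the workload inventory, segment names, trust tiers and allow rules are all constructed, and the rule set deliberately includes one entry (IoT sensors reaching the app segment) so that the lint function has something to flag for review.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, int]  # (src_segment, dst_segment, proto, dst_port)


@dataclass(frozen=True)
class Workload:
    name: str
    segment: str


# Constructed trust tier per segment: higher means more sensitive data lives there.
SEGMENT_TRUST: Dict[str, int] = {
    "guest-wifi": 0, "iot": 0, "corp-users": 1, "web": 1, "app": 2, "db": 3,
}

# Constructed workload inventory: hostname -> segment membership.
INVENTORY: Dict[str, Workload] = {w.name: w for w in [
    Workload("guest-laptop-07", "guest-wifi"),
    Workload("hvac-sensor-3", "iot"),
    Workload("alice-pc", "corp-users"),
    Workload("web-01", "web"),
    Workload("app-01", "app"),
    Workload("db-01", "db"),
]}

# Explicit allow rules between segments. Anything not listed is denied.
ALLOW_RULES: Set[Rule] = {
    ("corp-users", "web", "tcp", 443),
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
    ("iot", "app", "tcp", 8883),  # hypothetical: sensors publishing to an MQTT broker in 'app'
}


def evaluate(src_host: str, dst_host: str, proto: str, port: int,
             rules: Set[Rule] = ALLOW_RULES) -> Tuple[str, str]:
    """Decide one flow: default deny across segments, explicit allow rules, intra-segment permitted."""
    src, dst = INVENTORY[src_host], INVENTORY[dst_host]
    if src.segment == dst.segment:
        return "allow", "intra-segment"
    if (src.segment, dst.segment, proto, port) in rules:
        return "allow", f"rule {src.segment}->{dst.segment} {proto}/{port}"
    return "deny", "default deny between segments"


def lint_rules(rules: Set[Rule], max_trust_jump: int = 1) -> List[Rule]:
    """Flag rules that let a segment reach one more than `max_trust_jump` tiers above its own trust.

    Such rules are not automatically wrong, but each one deserves a documented justification
    because it is exactly the path a less secure location would use to touch sensitive data.
    """
    return sorted(r for r in rules
                  if SEGMENT_TRUST[r[1]] - SEGMENT_TRUST[r[0]] > max_trust_jump)


if __name__ == "__main__":
    for flow in [("alice-pc", "web-01", "tcp", 443),
                 ("alice-pc", "db-01", "tcp", 5432),
                 ("guest-laptop-07", "db-01", "tcp", 5432),
                 ("web-01", "app-01", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
    print("rules needing review:", lint_rules(ALLOW_RULES))
```

Note that a corporate user cannot reach the database directly even though both are trusted segments: the only path is the one the application tiers define (users to web, web to app, app to db), which is what makes a compromised desktop a much smaller problem than it is on a flat network.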
-
Please let me know what you think about this in the comment section. You can also share this with others if the information here helps you in some manner.
Kindly comment on the posts or topics, because when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.
If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM