You already know that SD-WAN allows your remote sites to connect more easily to your corporate network, data centers, and/or multi-cloud services. You get the benefits of lower latency, better performance, and more reliable connectivity.
It is good to revisit the evolution of modern SD-WAN...
Software Defined Networking and SD-WAN technologies have evolved slowly over the course of the last two and a half decades. Older, senior networking people will remember working with earlier networking solutions. You would remember that point-to-point (PPP) leased lines were the original mode for connecting multiple LANs. Then you saw the emergence of Frame Relay (FR) technologies. When Frame Relay came, it practically removed the need to buy and manage 'individual' connecting links between various corporate branches. And then, MPLS.
When MPLS came in the early 2000s, it soon overtook Frame Relay in popularity, because it was capable of LEVERAGING Internet Protocol (IP)-based technology. Before MPLS, your data, your voice, and your video would traverse separate IP networks. But MPLS changed all this, as it was perfectly capable of bringing voice, video, and data networking onto the SAME NETWORK, still using IP. As far as enterprise WANs are concerned, they are still using MPLS, as it is still revered for its benefits of reduced latency and QoS. There is no denying that.
Around 2013, SD-WAN was born...
Just as MPLS brought advantages over Frame Relay, SD-WAN brought advantages over MPLS. What you need to remember here is this:
SD-WANs deliver the same Quality of Service (QoS) as is expected from MPLS, but at a significantly lower cost to your company. SD-WANs are far easier to scale too. SD-WAN can handle a variety of connections and dynamically move traffic over the best transport available, and can provide both redundancy and much more capacity using lower-cost links.
If you consider the time to installation and time to service delivery, SD-WAN solutions from key security vendors are significantly cheaper than MPLS overall. When you start researching the SD-WAN solutions in the market, you will find that top-level SD-WAN solutions offer what they call Zero Touch provisioning, meaning that you will be able to bring your remote sites (networks) online quickly without requiring any networking or security expert to be on-site for installation.
What about Security of SD-WAN?
Having read the brief above about the advantages of SD-WAN over MPLS, you might feel that it should be a pretty straightforward decision for companies to adopt SD-WAN. But it is not that simple...
You must be forewarned that implementing SD-WAN introduces new layers of risk to your company that may not be apparent on the surface.
Security is a top concern for SD-WAN, and that's why it is mandated that your company involves your Chief Information Security Officer (CISO) in considerations, discussions and decisions about the selection, planning, and implementation strategy of an SD-WAN solution.
Managing connectivity using MPLS alone was relatively simple. You would just place a high-performance firewall at the data-center end of the connection and then backhaul all your branch traffic through it, and your branch connectivity and security issues were solved. But now...
What is happening is that your employees and users at your branch sites not only need DIRECT ACCESS to many SaaS and other cloud-based web applications, but they also need the ability to coordinate and correlate their efforts with other branch offices of your company, in REAL-TIME. These are things your traditional MPLS connections just cannot do.
SD-WAN security is another matter entirely. Many SD-WAN solutions DO NOT include the range of security tools that are required by dynamic connections over public networks. That's why many organizations need to select and add a plethora of security tools by themselves after they have embarked upon the implementation of SD-WAN.
When you attempt to tighten the security using a variety of security tools, things start to go awry. As you know, complexity always increases the security risks.
4 Major Security Concerns of SD-WAN
Let us take the example of SaaS applications first. As you start using these applications, you would know that--
All such applications and connections need to be authenticated, user privileges need to be assessed, and the traffic needs to be inspected, especially where you have enabled direct internet access (broadband) in your SD-WAN implementation. All these aspects mean that your security needs to be able to keep up 'automatically.'
If you visualize this direct access to internet services, along with the very high usage of personal devices + all sorts of IoT devices at your branch or remote sites, then you get the full context of security concerns here. You would know that your SD-WAN solution can quickly be overwhelmed.
If you truly want to maintain a good security posture, then your company needs to implement enterprise-grade security such as IPS, web-filtering, and anti-malware as part of its SD-WAN solution.
The second big concern emanates from the situation where your users and employees need to access various applications and other resources which are actually placed in MULTI-CLOUD environments. The element of multi-cloud environments immediately compounds your security challenge manifold, because each cloud environment speaks its own language. It means each cloud environment or service brings its own set of security challenges.
When a number of simultaneous connections are being made to various SaaS services or clouds, you need to accurately translate the relevant security protocols, security policies and functions in REAL-TIME, otherwise you won't be able to enforce the consistency of security practices.
In order to mitigate the threats emerging from malware and zero-day exploits, you would surely require that your SD-WAN solution include a sandbox solution too.
Encryption is the central issue in all SD-WAN deployments, because your data which runs across a public network needs to be encrypted.
All the connections to your central corporate data center, all the connections to various SaaS services and applications, all the connections to the internet, and all the connections made between different branch offices have to be encrypted all the time. Thus your job is to ensure that your SD-WAN solution fully supports SSL and meshed VPN strategies to establish and manage all of these connections.
Now let's see the other side of this encryption issue. When you have more than 70% of traffic encrypted, you also need an enterprise-grade NGFW, so that you can inspect this much encrypted traffic at very high speed. If your NGFW is not capable of doing this at very high speed, then it will become a network bottleneck. You don't want that. Do you?
Regardless of what security solution you select to address all the above-mentioned challenges, it must fit SEAMLESSLY into your company's existing security strategy. You still need to ensure that your company remains compliant with major regulations such as PCI-DSS, HIPAA or whatever is applicable to you. Your selection of security solutions for SD-WAN is extremely important, otherwise you will face the issues of limited visibility and restricted controls. Not a good situation to be in!
My suggestion would be that you implement some sort of 'integrated' compliance monitoring system to ensure that all your connections meet your baseline requirements, at least.
On a side note, if you use a good CASB solution, you would have better control over your SaaS usage and user activities.
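As an added illustration of the baseline check suggested above (not code from the original article or any vendor), the following sketch audits a connection inventory against the requirements named in this section: every link encrypted, direct internet and SaaS breakouts authenticated and inspected, and an encrypted tunnel between every pair of branches. The record schema, site names and the `conn` helper are hypothetical.

```python
from itertools import combinations

# Baseline taken from the article: every link is encrypted, and direct
# internet/SaaS breakouts are authenticated and fully inspected.
REQUIRED_INSPECTION = {"ips", "web_filter", "anti_malware", "ssl_inspection"}
BREAKOUT_KINDS = {"internet", "saas"}

def audit_connections(connections):
    """Return (connection id, finding) tuples for baseline violations."""
    findings = []
    for c in connections:
        if not c["encrypted"]:
            findings.append((c["id"], "not encrypted"))
        if c["kind"] in BREAKOUT_KINDS:
            if not c["user_auth"]:
                findings.append((c["id"], "no user authentication"))
            missing = REQUIRED_INSPECTION - set(c["inspection"])
            if missing:
                findings.append((c["id"], "missing inspection: " + ", ".join(sorted(missing))))
    return findings

def missing_mesh_pairs(branches, connections):
    """Branch pairs that lack an encrypted branch-to-branch tunnel."""
    have = {frozenset((c["src"], c["dst"])) for c in connections
            if c["kind"] == "branch" and c["encrypted"]}
    return [p for p in combinations(sorted(branches), 2) if frozenset(p) not in have]

def conn(cid, kind, src, dst, encrypted, user_auth=True, inspection=()):
    """Build one inventory record (hypothetical schema)."""
    return {"id": cid, "kind": kind, "src": src, "dst": dst,
            "encrypted": encrypted, "user_auth": user_auth, "inspection": list(inspection)}

# Constructed sample inventory; site names are made up.
BRANCHES = ["branch-a", "branch-b", "branch-c"]
INVENTORY = [
    conn("c1", "datacenter", "branch-a", "dc-1", True),
    conn("c2", "saas", "branch-b", "saas-crm", True, True, ["ips", "web_filter"]),
    conn("c3", "internet", "branch-c", "internet", False, False, sorted(REQUIRED_INSPECTION)),
    conn("c4", "branch", "branch-a", "branch-b", True),
    conn("c5", "branch", "branch-b", "branch-c", False),
]

if __name__ == "__main__":
    for cid, finding in audit_connections(INVENTORY):
        print(cid, finding)
    print("missing mesh pairs:", missing_mesh_pairs(BRANCHES, INVENTORY))
```

In practice the inventory would be exported from the SD-WAN management console rather than typed by hand, and the audit run on every configuration change.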
Integrated SD-WAN Security is Best Approach
If you take the contrary approach and implement various security technologies which have no native support for each other, that is not a wise approach. It would mean that you have failed to recognize that SD-WANs are highly dynamic in their nature and highly scalable too. That's why overlaying various security solutions in isolation would cause you more trouble than it solves. Most likely you would end up with delays when you are reacting to connectivity changes. It may also leave your critical connections and data vulnerable.
In contrast, if you deploy an integrated system that ensures that SD-WAN connectivity, traffic management functions, and advanced security function as a single, holistic solution, you would be better off. I would like to repeat that one of the critical requirements for SD-WAN success is fully integrated security. Without it, SD-WAN becomes just another attack vector. Period!
What is this integrated system?
I am giving you an example. An NGFW, whose key components include intrusion prevention (IPS), web filtering, secure sockets layer (SSL) inspection, and anti-malware, is an example of an integrated solution.
When you consider an integrated security solution for SD-WAN, you are actually thinking of a solution that combines SD-WAN and NGFW capabilities into one SINGLE OFFERING. It is your secure SD-WAN, and it will ensure the safety and reliability of connections for your organization overall. How?
The answer is that a secure SD-WAN solution is explicitly DESIGNED to inter-operate as a single offering, ideally with each element running on the same operating system and managed using a single-pane-of-glass interface.
Such integrated secure SD-WAN solutions ensure that your transactions are all seen and inspected, and any threats or anomalous behaviors are shared between every solution for maximum protection. As part of such an integrated monitoring system, the networking and connectivity functionalities of an SD-WAN aren’t just more closely associated with the security solutions installed on the platform. They’re the SAME THING.
Here is the summary...
When choosing a WAN solution, your organization should consider an integrated strategy that brings together security and network connectivity into one system. This ensures that security can easily conform to your network changes and policies can be implemented and controlled using the same integrated management console.
Finally, this approach ensures that configuration issues can be recognized and addressed while remaining compliant with regulatory requirements that cover both security connections and the network.
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
____
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on the website and on social media platforms.