The consensus is that software-defined networking in a wide area network (SD-WAN) will give organizations unprecedented agility, but possibly at the expense of security, as traffic flow shifts to a distributed model without the safety of traditionally centralized security tools. Being the consummate contrarian, I contend that a well-planned SD-WAN implementation will drastically strengthen an organization's security profile.
Your TL;DR SD-WAN Overview
While SDN (software-defined networking) was what everyone was talking about but not doing, its cousin, SD-WAN, shot up in popularity not just as a topic of conversation but with a meaningful burst of adoption. Driven by changes in remote site connectivity needs, specifically a more mobile workforce combined with more internet-connected apps, organizations seeking a way to enhance agility and avoid hairpin routing to data centers turned to SD-WAN, and they've been devouring it with more ferocity than a five-year-old with an ice cream cone on a hot summer day.
In its most basic form, SD-WAN offers a way to manage multiple WAN or internet connections for remote sites, smartly and dynamically making decisions about the best route for traffic based on things like specific applications’ security needs, latency sensitivity, or preferences based on link/bandwidth costs. Instead of having primary and backup links, SD-WAN automates more advanced connectivity algorithms that would be impractical to manage manually.
SD-WAN comes in a few different flavors, in terms of solution models (e.g., cloud vs. traditional on-premises hardware) but that’s a post for another day. For now, let’s focus on how we can use SD-WAN to enhance security instead of compromise it.
Security Gaps in Today’s Architectures
As technologists, we tend to be comfortable with the devils we know. It’s human nature, and it’s one of the reasons enterprises always ask about “common” practices as much as they ask about “best” practices. When we examine our current remote site architecture and security strategy, there are many little devils lurking in design and opportunities for us to right some of those wrongs with a refreshed approach.
How SD-WAN Can Increase Security Posture
1. Encryption of Traffic
What’s likely the most obvious gap in current solutions is a lack of encryption. In the typical MPLS model, your traffic is encapsulated, but not encrypted, by the provider, meaning there are lanes marked on the highway, but no real barriers keeping your data protected from the standpoint of confidentiality. CISOs and CIOs pore over compliance regulations with link encryption requirements to understand how, when, and what they need to encrypt.
Almost any SD-WAN solution will have IPsec encryption for data traversing the links between sites. Out of the gate, assuming the traffic routing policies are correct and actually steer sensitive traffic into those tunnels, we've already drastically increased security with encryption.
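To make the "assuming the routing policies are correct" caveat and the per-application path selection concrete, here is an added example (not code from the original post or from any SD-WAN product). It assumes a constructed per-site link inventory and application-class table; the field names, the sample values and the legacy static mapping are all hypothetical.

```python
# Added example, not from the original post: a constructed model of one remote
# site's WAN links and app classes; it picks a path per app and flags sensitive
# traffic pinned to an MPLS link that is encapsulated but not IPsec-encrypted.
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: int    # one-way latency to the hub
    cost: int          # relative cost per unit of traffic
    ipsec: bool        # True when an IPsec tunnel runs over this link

@dataclass(frozen=True)
class AppClass:
    name: str
    confidential: bool   # must never traverse a plaintext link
    max_latency_ms: int  # latency budget for the application

# Constructed sample site: plain MPLS plus IPsec over broadband and LTE.
SITE_LINKS = [
    Link("mpls1", latency_ms=20, cost=8, ipsec=False),
    Link("inet1", latency_ms=35, cost=2, ipsec=True),
    Link("lte1", latency_ms=80, cost=10, ipsec=True),
]
APPS = [
    AppClass("erp", confidential=True, max_latency_ms=50),
    AppClass("voip", confidential=False, max_latency_ms=30),
    AppClass("backup", confidential=True, max_latency_ms=200),
    AppClass("pos", confidential=True, max_latency_ms=25),
]
# Constructed legacy (pre-SD-WAN) static mapping of app to primary link.
LEGACY_POLICY = {"erp": "mpls1", "voip": "mpls1", "backup": "inet1", "pos": "mpls1"}

def eligible(link: Link, app: AppClass) -> bool:
    """A link may carry an app only if it meets its confidentiality and latency needs."""
    if app.confidential and not link.ipsec:
        return False
    return link.latency_ms <= app.max_latency_ms

def choose_path(links, app):
    """Cheapest eligible link (ties broken by latency); None means no compliant path."""
    candidates = [l for l in links if eligible(l, app)]
    return min(candidates, key=lambda l: (l.cost, l.latency_ms)) if candidates else None

def find_plaintext_exposure(links, apps, policy):
    """Names of confidential apps that a static policy pins to a non-IPsec link."""
    by_name = {l.name: l for l in links}
    return [a.name for a in apps if a.confidential and not by_name[policy[a.name]].ipsec]
```

A `None` result from `choose_path` is the case to watch in a real deployment: an app that can satisfy its latency budget only over a plaintext link, where the policy must fail closed rather than silently fall back to MPLS.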
2. Centralized Management and Policy
If you've been a victim, I mean professional, dealing with MPLS, you know managing remote sites is often tedious, and organizations frequently have several tiers of remote sites based on site size and connection type. Small sites may be VPN-only; larger sites have MPLS with a traditional internet-plus-VPN secondary link. Sites in "B.F.E.," as we lovingly describe them, may have cellular-connected backhaul instead of traditional wired connectivity. Each connection tier has a different architecture, traffic flow, and security, and therefore a different posture and risk to the organization.
SD-WAN solutions help by centralizing management and policy of the routing and security for remote sites. Regardless of the deployment model or product, a centralized platform gives better visibility and control of the traffic, and therefore a better opportunity to mitigate risk.
Similarly, centralized policy management also helps with change management. With SD-WAN, there is less need for temporary and ad-hoc solutions like temporary VPNs. Having the system make smart decisions about routing traffic and managing security inspection reduces changes, reduces the chance that temporary configurations become permanent, and reduces human error.
3. Advanced Security at the Edge
Right now, the bulk of an organization’s security intelligence is centralized. Traffic from across your organization must find its way there for inspection, policy mapping, routing, and decision making.
Another wildly impactful advantage of SD-WAN is the ability for an organization to bring advanced security services to its remote edge. We've been singing the praises of making our LAN edge smarter to better serve the changing needs of IoT, enhanced mobility, and segmentation. SD-WAN presents the opportunity to push intelligence and control to our remote site WAN edge in a similar way. By taking the robust security tools in our data centers and extending them to the WAN edge, we can not only save bandwidth but also reduce risk by containing threats closer to where they enter.
Today’s leading SD-WAN solutions include features such as those found in today’s NGFWs—application-layer visibility, deep packet inspection, IDS/IPS, content and URL filtering, anti-malware, SSL inspection, and even sandboxing.
With services like this at the WAN edge, we can enjoy the cost- and time-saving benefits of SD-WAN and have a more agile connectivity architecture while increasing security.
These are just some of the ways SD-WAN can enhance security in an organization with remote sites. Secure SD-WAN deployments start with proper product selection to ensure the same security at your core is extended to the edge, and security is maintained through proper centralized management and monitoring.