SD-WAN facilitates security on the WAN

WAN segmentation keeps a compromise at one site from spreading across the enterprise over the WAN. SD-WAN makes it far easier to implement.


With RSA San Francisco, one of the biggest security shows of the year, behind us, it's a good time to revisit security and SD-WANs. I know, we already lived through Yoda's prognostications about the future of networking and security. In that blog post, we looked at vendor approaches to securing the new Internet connections that SD-WAN creates. There's another dimension to SD-WAN security that we didn't discuss, though, and that's the WAN itself.

The WAN: Risk and reward for today’s attackers

For many SD-WAN vendors, security integration means inspecting incoming and outgoing Internet traffic. But while cloud services such as Zscaler inspect web traffic bound for the Internet, they do nothing for traffic bound for your other locations. That's a problem, because site-to-site traffic increasingly needs its own inspection and protection.

If you're like many of my clients, you probably have firewalls, secure web gateways (SWG), next-generation firewalls (NGFW) and the rest of the security stack separating your network from the Internet. Within a site, you probably already use VLANs and ACLs to segment resources from one another. By contrast, you're probably not segmenting your WAN at all; once traffic enters the WAN, there is usually no logical separation between locations.

It's understandable. Unfortunately, or fortunately if you're a consultant, segmenting a layer 3 WAN has been, shall we say, challenging. It's not that you can't use IP routing to segment the WAN; after all, IP can be made to do almost anything. But like a lot of things in networking, segmentation across an IP/MPLS environment is more complicated than many companies can take on. Beyond a deep understanding of IP routing, you need expertise in MP-BGP, MPLS/LDP and VRFs. Like I said, it's good to be a consultant sometimes.

But as more security threats originate from within the enterprise, WAN segmentation is increasingly becoming a must-have. Keeping each office in its own segment helps ensure that an attack in one small office can't spread across the enterprise over the WAN.

Controller-based networks, such as SD-WANs, make WAN segmentation radically simpler. Details vary between vendors, but in general you define a policy describing each segment as the application sees it: the application characteristics, the sites and addresses that belong to it and, in some cases, network configuration. The controller distributes the policy to the SD-WAN nodes, which build the multipoint tunnels (typically IPsec) linking the offices defined in the policy. Traffic in a segment can only flow between the sources and destinations assigned to that segment.

Some vendors might claim to support a separate SD-WAN segment per application, but I haven't met anyone deploying an SD-WAN who seriously intends to go that far. It's just too complicated to manage. Normally, companies break their WAN into five to seven groups of applications based on use case: guest Wi-Fi, real-time applications, mission-critical applications, file transfer, general Internet browsing and everything else, for example.

Firewall or router, anyone?

Network segmentation alone is a big step forward for many WANs, but for greater granularity some providers let you segment down to the individual endpoint, the difference between what a VLAN gives you and what a firewall gives you. They do this by integrating a firewall (and other elements of the security stack) into the SD-WAN, and claim to deliver one security policy for both the LAN and the WAN. Most SD-WAN vendors struggle with that level of detail because they classify applications on the five-tuple (source and destination address, source and destination port, and the IP protocol number) or the six-tuple, which adds the DSCP/ToS value. Neither gives them the granularity to identify users, or to identify services at the application layer.
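To make the segmentation model concrete, here is a small controller-side policy engine written as an added example for this article; it is not code from the article or from any SD-WAN vendor, and all prefixes, ports and segment names are constructed. It defines six use-case segments of the kind described above, each binding branch ("spoke") and data-center ("hub") prefixes to a five- or six-tuple application match, and decides whether a flow entering the fabric stays inside its segment. It also shows the limitation just described: two flows with identical tuples, one a legitimate application and one an attacker tunnelling over the same port, are indistinguishable to this kind of classifier.

```python
"""Toy SD-WAN segment policy engine.

Added example, not code from the article or any SD-WAN vendor. It models the
controller-side logic the text describes: a handful of WAN segments, each
binding branch ("spoke") and data-center ("hub") prefixes to a 5/6-tuple
application match, and a check that a flow crossing the WAN stays inside its
segment. All prefixes, ports and segment names are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_private(ip: IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    """Six-tuple: the five-tuple plus DSCP, which is all the fabric can see."""
    src: str
    dst: str
    proto: str          # IP protocol carried: "tcp", "udp", "icmp"
    sport: int
    dport: int
    dscp: int = 0


@dataclass(frozen=True)
class Segment:
    name: str
    spokes: tuple                       # branch-side prefixes
    hubs: tuple = ()                    # server-side prefixes (DC, voice infra)
    protos: frozenset = frozenset()     # empty = any protocol
    dports: frozenset = frozenset()     # empty = any destination port
    dscps: frozenset = frozenset()      # empty = any DSCP
    spoke_to_spoke: bool = False        # may branches talk to each other?
    allow_internet: bool = False        # may this segment break out to the Internet?

    @staticmethod
    def _in(ip: IPv4Address, prefixes: tuple) -> bool:
        return any(ip in ip_network(p) for p in prefixes)

    def matches_app(self, f: Flow) -> bool:
        return ((not self.protos or f.proto in self.protos)
                and (not self.dports or f.dport in self.dports)
                and (not self.dscps or f.dscp in self.dscps))

    def claims(self, src: IPv4Address, f: Flow) -> bool:
        """Source belongs to this segment and the tuple looks like its application."""
        return (self._in(src, self.spokes) or self._in(src, self.hubs)) and self.matches_app(f)

    def reachable(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """Destination stays inside the segment (hub-and-spoke unless opened up)."""
        if not is_private(dst):
            return self.allow_internet
        if self._in(dst, self.hubs):
            return True
        if self._in(dst, self.spokes):
            return self.spoke_to_spoke or self._in(src, self.hubs)
        return False


# Constructed addressing: 10.1/16 branch LANs, 10.200/16 guest Wi-Fi VLANs,
# 10.10/16 data-center servers, 10.20/16 voice/video infrastructure.
BRANCH, GUEST, DC, VOICE = "10.1.0.0/16", "10.200.0.0/16", "10.10.0.0/16", "10.20.0.0/16"

# Six use-case segments in the spirit of the article's list; first match wins.
SEGMENTS = (
    Segment("guest-wifi", spokes=(GUEST,), allow_internet=True),
    Segment("real-time", spokes=(BRANCH,), hubs=(VOICE,), protos=frozenset({"udp"}),
            dscps=frozenset({46, 34}), spoke_to_spoke=True),
    Segment("mission-critical", spokes=(BRANCH,), hubs=(DC,), protos=frozenset({"tcp"}),
            dports=frozenset({443, 1433})),
    Segment("file-transfer", spokes=(BRANCH,), hubs=(DC,), protos=frozenset({"tcp"}),
            dports=frozenset({22, 445})),
    Segment("internet-browsing", spokes=(BRANCH,), protos=frozenset({"tcp"}),
            dports=frozenset({80, 443}), allow_internet=True),
    Segment("everything-else", spokes=(BRANCH,), hubs=(DC,)),
)


def evaluate(flow: Flow, segments=SEGMENTS):
    """Return ("permit", segment name) or ("deny", reason) for a flow entering the fabric."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    rejected = []
    for seg in segments:
        if not seg.claims(src, flow):
            continue
        if seg.reachable(src, dst):
            return "permit", seg.name
        rejected.append(f"{seg.name}: {src} may not reach {dst}")
    return "deny", "; ".join(rejected) or f"{src} is not a member of any segment"


if __name__ == "__main__":
    samples = {
        "voice call":         Flow("10.1.5.20", "10.20.3.4", "udp", 16384, 16400, dscp=46),
        "ERP over HTTPS":     Flow("10.1.5.20", "10.10.1.5", "tcp", 51000, 443),
        "C2 over HTTPS":      Flow("10.1.5.20", "10.10.1.5", "tcp", 51001, 443),
        "SMB worm to branch": Flow("10.1.5.20", "10.1.9.9", "tcp", 51002, 445),
        "guest to DC":        Flow("10.200.7.7", "10.10.1.5", "tcp", 40000, 443),
        "guest to Internet":  Flow("10.200.7.7", "93.184.216.34", "tcp", 40001, 443),
    }
    for label, f in samples.items():
        print(f"{label:20} -> {evaluate(f)}")
```

The SMB flow from one branch to another is denied even though both hosts are members of the file-transfer segment, because that segment is hub-and-spoke only; that is the containment the previous section argues for. The two HTTPS flows to the data center, one legitimate and one hostile, both come back as "mission-critical": at the tuple level there is nothing to separate them, which is exactly the gap an integrated application-layer firewall is meant to close.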

Who are the vendors to look at for SD-WAN and WAN firewalls? Nuage Networks is the only vendor I know of that extends its software-defined network (SDN) across the WAN; a layer 2-4 firewall is included as part of its Virtual Security Services (VSS) portfolio. Versa Networks produces a Network Function Virtualization (NFV) platform that lets you deploy a firewall as a virtual network function within the SD-WAN.

Cato Networks provides a WAN firewall in its Cato Cloud service. Traffic travelling across Cato's privately run backbone to other offices is inspected by the WAN firewall first. The same security policies that govern users in the office can be applied to mobile users outside it. (Speaking of RSA, Cato Networks founder Shlomo Kramer explained the Cato technology at the Innovation Sandbox awards ceremony.)

New security for a new WAN

Local Internet access is only one part of the SD-WAN security problem. You also need to think about how you're going to secure and segment traffic across the WAN. Network-layer segmentation is an important step beyond what's being done today on MPLS and DMVPN. As companies look for even more granular security, vendors that build the firewall and other security services into the SD-WAN will offer an attractive approach.

Copyright © 2017 IDG Communications, Inc.