The increasing adoption of SaaS and IaaS applications and infrastructure has been a catalyst for the rapid adoption of SD-WAN architectures. Directly connecting users to SaaS/IaaS instances from branch offices over lower-cost internet services, used to augment (or even replace) MPLS, delivers the highest performance and the best user experience.
But since not all internet traffic is created equal, actively using internet connections as WAN transport demands a new approach to security.
At the same time, it is simply not tenable to deploy an expensive next-generation firewall at every branch. More advanced SD-WAN solutions, such as Silver Peak Unity EdgeConnect, therefore enable a more intelligent, application-driven security model: they place just the right amount of inspection at the branch and make it easy and cost-effective to service-chain traffic to more advanced, and more expensive, security services deployed in the cloud or in the enterprise data center.
David Hughes, Silver Peak’s CEO, recently wrote about how an advanced SD-WAN edge enables improved security architectures for cloud-first enterprises. He discussed the data plane and three security improvements an SD-WAN delivers versus the conventional, manually programmed, router-centric WAN model:
- Granular, application-driven security policies
- Micro-segmentation of traffic across the WAN and into the branch
- Consistent enforcement of security policies across the WAN
Here I will focus on securing the SD-WAN infrastructure itself and its management plane. Steve Garson raised these points in a recent Network World article titled "Warning: security vulnerabilities found in SD-WAN appliances." Steve raises some important considerations for enterprises evaluating SD-WAN solutions. With some 40 vendors marketing SD-WAN solutions, IT leaders really have to do their homework when selecting a vendor to ensure a holistic approach to WAN security.
In his article, Steve states, “These are emerging technologies by new companies, and they have not paid the level of attention that a seasoned security person would pay to the entire operational model of security.”
However, as the SD-WAN industry matures, some vendors have begun to distance themselves from the pack in delivering application performance, visibility and control and most notably, security capabilities.
As Steve points out, most SD-WAN architectures depend on encrypted tunnels to provide data plane security. He then raises the issue of the security of the appliance itself, claiming that "none of those architectures speak to the security of the SD-WAN appliance." The article does not state the timeframe of the study, and Steve mentioned that the list of vendors evaluated was confidential.
However, more advanced SD-WAN solutions, like EdgeConnect, have already integrated robust security features to protect the network and network infrastructure from threats and vulnerabilities. Let’s take a look at them one at a time.
Addressing SD-WAN appliance security: Besides the usual password management implementations, Silver Peak adds a number of capabilities to protect EdgeConnect appliances from attack. At the highest level, EdgeConnect includes an integrated zone-based firewall to minimize the attack surface and block any incoming SSH traffic.
However, as Steve correctly stresses, a firewall alone is not enough. Silver Peak takes this a step further with a secure zero-touch provisioning implementation that uses a two-step authentication process to prevent rogue devices from joining the SD-WAN. Before being admitted, a new appliance must first be authenticated through the Silver Peak Cloud Portal. In the second step, an end-customer IT administrator must confirm and add the device to the SD-WAN from the Unity Orchestrator. All management communications between appliances, the Orchestrator and the Cloud Portal are protected with TLS; legacy protocol versions (SSLv2, SSLv3), weak ciphers (DES, RC4) and weak hashes (MD5) are disabled by default. And if an appliance were to become compromised, it is a simple operation for an IT administrator to de-authenticate the device and remove it from the SD-WAN.
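The TLS policy described above (no SSLv2/SSLv3, no DES, RC4 or MD5) is the kind of thing a practitioner should verify rather than take on faith. The following is an added example, not Silver Peak code or any EdgeConnect configuration: it builds a hardened Python `ssl` context that enforces that policy, audits any context's negotiable cipher list against a deny list, and runs the same audit over a constructed cipher list standing in for a legacy appliance. The deny-list patterns are my own assumption about how these primitives appear in OpenSSL cipher-suite names; the legacy list is invented for illustration.

```python
import re
import ssl

# Primitives the management plane should never negotiate. The regexes are an
# assumption about OpenSSL cipher-suite naming: RC4-SHA, DES-CBC3-SHA, RC4-MD5,
# EXP-DES-CBC-SHA, NULL-MD5 and the anonymous (ADH/AECDH) suites.
# The DES pattern also catches triple DES (DES-CBC3-*), which is deliberate.
WEAK_PATTERNS = [
    re.compile(r"(^|-)RC4(-|$)"),
    re.compile(r"(^|-)DES(-|$)"),
    re.compile(r"(^|-)MD5(-|$)"),
    re.compile(r"NULL|EXP|ADH|AECDH|aNULL|eNULL"),
]

# Constructed sample: a cipher list an old appliance firmware might still offer.
LEGACY_APPLIANCE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "EXP-DES-CBC-SHA",
    "NULL-MD5",
]


def weak_cipher_names(names):
    """Return the cipher-suite names that rely on a banned primitive."""
    return [n for n in names if any(p.search(n) for p in WEAK_PATTERNS)]


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Client-side context enforcing the policy: TLS 1.2+, AEAD suites only.

    SSLv2/SSLv3/TLS 1.0/1.1 are excluded by the minimum version; the cipher
    string excludes DES, RC4, MD5, export and anonymous suites explicitly so the
    policy holds even if someone later loosens the positive list.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
        ":!aNULL:!eNULL:!MD5:!DES:!RC4:!EXP"
    )
    return ctx


def audit_context(ctx):
    """Report whether an SSLContext satisfies the policy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = weak_cipher_names(names)
    min_ok = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return {
        "minimum_version_ok": min_ok,
        "weak_ciphers": weak,
        "compliant": min_ok and not weak,
        "offered": len(names),
    }


if __name__ == "__main__":
    print("legacy appliance offers:", weak_cipher_names(LEGACY_APPLIANCE_CIPHERS))
    print("hardened context:", audit_context(hardened_context()))
```

Pointing `audit_context` at a context you did not build yourself (for example one handed to you by a library) is the real use: it turns "weak algorithms are disabled" into a check that fails loudly when a dependency upgrade quietly re-enables something.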
Addressing Common Vulnerabilities and Exposures (CVEs): Steve writes that test findings showed open source components with known CVEs, some more than a decade old, were common across SD-WAN vendor solutions; of course, this is unacceptable.
The Silver Peak Product Security Incident Response Team (PSIRT) not only scrubs third-party code to identify and eliminate potential vulnerabilities, it also continuously monitors multiple security advisory services to identify new threats as they emerge. In addition, we publish security advisories, and engineering responds quickly with updates when necessary.
Addressing physical access: Steve identifies another security vulnerability: physical access to branch appliances since “they often do sit in less sterile environments than centralized firewalls – wiring closets accessed by multiple vendors or, let’s be honest, an admin’s desk.” The article continues, “branch appliances are often exposed to ‘innocent’ threats such as being inadvertently disabled by a third-party sales engineer.”
These aren’t new problems associated with SD-WAN; traditional branch routers sit in the same workspaces and are subject to the same exposures. Silver Peak has added incremental hardware and software hardening to protect appliances from inadvertent upgrades or tampering.
SD-WANs are all about connecting users to applications with the highest levels of performance and availability. Actively embracing internet connections in the WAN transport mix delivers on this promise, but at the same time it requires an updated approach to WAN security.
Securing the integrity of application data across the WAN is imperative, but a holistic approach is required for a complete, secure SD-WAN solution. Silver Peak is in complete agreement with Steve: "one thing's clear: if you're going to rely on SD-WAN to secure your enterprise, be sure the SD-WAN appliance is secure."