How IT pros deal with SD-WAN security concerns

When baseline SD-WAN security is not enough, enterprises are adopting extra measures such as intrusion prevention, anti-virus, unified threat management and more


SD-WAN technology is becoming increasingly popular because it's less expensive, more flexible and easier to deploy than MPLS, it provides centralized visibility and management, and it boosts the overall performance of WAN links, which makes employees more productive. But enabling end users in branch offices to connect directly to the public internet and to cloud services raises serious security concerns, which adds another level of complexity and risk to an SD-WAN rollout. 

Organizations that had deployed SD-WAN at their branch offices were 1.3 times more likely to have experienced an actual data breach than those who didn't, according to a survey of 250 enterprises in North America and Europe conducted by Enterprise Management Associates in late 2018. That's because many enterprises initially relied exclusively on the native security features in their SD-WAN devices, rather than augmenting those capabilities with additional layers of defense, says EMA analyst Shamus McGillicuddy, who authored the research.

Typical SD-WAN products offer a stateful firewall, plus other features such as network segmentation and site-to-site tunneling. But they don’t deliver more sophisticated security measures such as application-aware next-generation firewalls, intrusion prevention, data loss prevention and unified threat management. In addition, they don’t automatically integrate with the rest of the enterprise's security infrastructure. 

The good news is that enterprise customers are becoming more aware of the need for additional security features beyond the baseline offerings. In a recent survey conducted by IDG Research and managed SD-WAN provider Masergy, 81 percent of respondents say security is the most critical factor in SD-WAN vendor selection. 

The pure-play SD-WAN vendors have heard the message loud and clear and have responded by teaming up with traditional security vendors like Check Point or Palo Alto Networks, as well as cloud-based providers like Zscaler, to offer integrated packages.

There are two other options for customers who want to make sure their SD-WAN connections have in-depth security. An enterprise can go with a company with a long history in security that has more recently developed an SD-WAN offering, such as Cisco or Fortinet. Or it can choose a carrier or managed service provider that assumes responsibility for end-to-end WAN traffic and offers a menu of additional security features, like web content filtering and anti-virus protection, that can be purchased à la carte.

Network World interviewed two companies that deployed SD-WAN but took entirely different approaches to securing their branch office connections. Here’s what made Westcon-Comstor and GHD realize they should do more to bolster their organization's SD-WAN security, and how they made that happen.

Westcon enhances Silver Peak SD-WAN with next-gen firewalls 

Michael Soler, senior infrastructure manager at Westcon-Comstor, a global IT distributor, says the driving forces behind his move from MPLS to SD-WAN based on the Silver Peak Unity EdgeConnect platform were resiliency, cost, scalability and visibility. 

His far-flung network consists of two co-managed data centers, two Azure data centers and 27 offices in North America, Europe and Asia. Resilience was an issue with the old MPLS network. “IPSec failovers were hit or miss,” Soler says. “They look great on paper until you actually need them.” 

Cost was another issue. Lacking visibility into network usage, Soler says he found it challenging to optimize his bandwidth needs and to determine where he was oversubscribed or undersubscribed.   

Then there’s the notorious lack of flexibility and slow response time when making a change or launching a new service with an MPLS network. And Soler says the complexity of an MPLS deployment increases the chance for errors, which translates into a subpar user experience. 

After investigating a number of SD-WAN vendors, he began a proof of concept in late 2017 with Silver Peak gear and was impressed with the simplicity of the rollout and the effectiveness of the product, particularly performance features like forward error correction and path conditioning. He established a template for the deployment process and began rolling out SD-WAN technology at all of his MPLS-enabled sites.  

“We’ve had a tremendous amount of success,” Soler says. WAN costs are down, resiliency and visibility are much improved, and end users are happy with the performance and flexibility that they can achieve by taking advantage of direct access to the Internet and the Azure cloud.  

To address security issues associated with Internet breakout from branch offices, Soler has deployed next-generation firewalls to enhance the stateful firewall that comes with the Silver Peak devices. Internet breakout is when branch-office internet traffic isn't backhauled to a central site where security controls are applied.

Soler says he believes in continuous improvement, and he is on the lookout for ways to make his security posture even more effective. He is investigating a technique called service chaining, which would allow him to take traffic from regional satellite locations, for example, and funnel it to a regional hub site, where firewall policies would be applied. And longer term, Soler says he is also interested in looking into cloud-based SD-WAN security services.  

Cloud-based security services bolster SD-WAN security 

Randy Taylor, global network manager at GHD, took a different approach when he rolled out Riverbed SD-WAN gear. Instead of investing in additional branch office security tools, he chose cloud-based security services from Zscaler. 

GHD, which provides engineering, architectural, environmental and other professional services, at one point had a 100 percent MPLS WAN that backhauled traffic from 30 sites around the world to its colocation data centers.  

In 2015, the company underwent a flurry of merger-and-acquisition activity that brought the company’s WAN footprint in North America to nearly 130 sites. Faced with the reality that it could take three to five months to get each new MPLS link deployed, Taylor began looking for alternatives. 

“We needed a faster way. The long ramp-up for ordering MPLS circuits was killing us,” Taylor says. GHD is a Cisco shop on the LAN side and was a Riverbed customer for WAN optimization, so he began investigating the Riverbed SD-WAN offering. 

Initially, Taylor says he was “somewhat skeptical” of what he considered a disruptive technology like SD-WAN. But he was “intrigued by the idea that it uses Internet as transport.” He decided to “put our toe in the water” at some of his smaller, North American sites. Taylor says he found the Riverbed SteelConnect SD-WAN gear so easy to deploy that he was able to connect 50 sites in less than six weeks. 

With Riverbed’s nearly zero-touch process, he was able to preconfigure a device in a cloud portal before delivering it to the branch. There, a non-IT person could follow some simple instructions, plug in the device and have it running in minutes. 

“We immediately began seeing benefits, first and foremost Internet breakout,” says Taylor. The rollout of SD-WAN came at a perfect time, meshing nicely with the company’s increased use of SaaS applications. “Almost immediately, this became our solution for SaaS access,” says Taylor.

As a company that works for government clients and needs to be in compliance with ISO standards, GHD is extremely security conscious. Taylor says that he needed to augment SteelConnect’s integrated firewall with additional layers of security to protect against the increased amount of malware that the company was encountering. 

The company had enterprise-class firewalls deployed in its data centers and found them to be expensive to purchase and to maintain. Taylor wanted to avoid putting additional security hardware in all of the branches, so GHD looked to a cloud-based option and selected Zscaler.

All traffic from the branches hits the Zscaler site, where security policies are enforced. Zscaler looks at data as it breaks out to the Internet and watches the return stream as well. The service provides a laundry list of functions, including anti-virus, whitelisting, blacklisting, UTM, sandboxing of attachments, and zero-day protection. 

Taylor says Zscaler saves him money and is much more convenient than having to maintain and update his own security hardware. One cautionary note: Taylor points out that traffic from the branches needs to connect to the nearest Zscaler node, so performance may suffer to some extent if the closest node is a distance away from the requester.  

In terms of the overall SD-WAN experience, Taylor has been able to shift from six full-time network engineers maintaining the old topology to a single engineer rotating in and out for oversight purposes. Day-to-day maintenance is essentially handled by the help desk, and those six engineers are now focusing on innovation.

Taylor has moved beyond the initial 50 small sites and has rolled out SD-WAN globally. “The cost savings and performance gains are so great that we’re pulling the plug on MPLS” wherever possible. There are certain traffic streams that can’t go into the cloud for compliance reasons, and some voice and video applications will stay on MPLS, but SD-WAN has become the primary WAN transport mode for the company. 

Hybrid approach to SD-WAN security

The shift from a centralized model of WAN security, where branch traffic is backhauled via secure MPLS to a data center, to a distributed model, where security is enforced at each branch office, requires a new type of organizational approach as well. 

Instead of networking and security groups working independently, SD-WAN is driving partnerships, as the teams look to deploy integrated tools and to use common data sets. This collaboration is moving beyond tactical situations like incident response and is being extended to infrastructure design and implementation, McGillicuddy says. 

As a practical matter, many companies are taking a hybrid approach to SD-WAN security. If they have existing security devices that still have years of useful life, they aren’t ripping and replacing. They are integrating that functionality into the SD-WAN implementation, with the goal of piecing together an in-depth defense.   

Others are taking the managed service route. Since many pure play SD-WAN vendors are selling their products through managed service providers and also providing the hardware that traditional carriers are using in their SD-WAN offerings, a customer can select a specific vendor’s gear and hand off the implementation, ongoing maintenance and security functions to a service provider.  

“There’s more than one way to skin a cat,” says John Burke, an analyst at Nemertes Research. Companies are doing what works best for their individual circumstances, both financially and architecturally. He notes that service chaining, which uses the concept of multiple satellite sites connecting to a larger hub site that houses the security stack, is an intriguing approach.  

Finally, while getting off of MPLS was, for many companies, the impetus for a move to SD-WAN, Burke notes that more than half of companies are keeping MPLS for specific applications. MPLS has simply gone from being the primary WAN link to being one small part of a diversified, optimized, secure WAN traffic stream.


Copyright © 2019 IDG Communications, Inc.
