How IT pros deal with SD-WAN security concerns

When baseline SD-WAN security is not enough, enterprises are adopting extra measures such as intrusion prevention, anti-virus, unified threat management and more

SD-WAN technology is becoming increasingly popular because it's less expensive, more flexible and easier to deploy than MPLS, it provides centralized visibility and management, and it boosts the overall performance of WAN links, which makes employees more productive. But enabling end users in branch offices to connect directly to the public internet and to cloud services raises serious security concerns, which adds another level of complexity and risk to an SD-WAN rollout. 

Organizations that had deployed SD-WAN at their branch offices were 1.3 times more likely to have experienced an actual data breach than those who didn't, according to a survey of 250 enterprises in North American and Europe conducted by Enterprise Management Associates in late 2018. That's because many enterprises initially relied exclusively on the native security features in their SD-WAN devices, rather than augmenting those capabilities with additional layers of defense, says EMA analyst Shamus McGillicuddy, who authored the research.  

Typical SD-WAN products offer a stateful firewall, plus other features such as network segmentation and site-to-site tunneling. But they don’t deliver more sophisticated security measures such as application-aware next-generation firewalls, intrusion prevention, data loss prevention and unified threat management. In addition, they don’t automatically integrate with the rest of the enterprise's security infrastructure. 

The good news is that enterprise customers are becoming more aware of the need for additional security features beyond the baseline offerings. In a recent survey conducted by IDG Research and managed SD-WAN provider Masergy, 81 percent of respondents say security is the most critical factor in SD-WAN vendor selection. 

The pure-play SD-WAN vendors have heard the message loud and clear and have responded by teaming up with traditional security vendors like CheckPoint or Palo Alto Networks, as well as cloud-based providers like Zscaler, to offer integrated packages. 

There are two other options for customers who want to make sure their SD-WAN connections have in-depth security. An enterprise can go with a company with a long history in security that has more recently developed an SD-WAN offering, such as Cisco or Fortinet. Or it can choose a carrier or managed service provider that assumes responsibility for end-to-end WAN traffic and offers a menu of additional security features like web content filtering and anti-virus protection that can be purchased a la carte

Network World interviewed two companies that deployed SD-WAN but took entirely different approaches to securing their branch office connections. Here’s what made Westcon-Comstor and GHD realize they should do more to bolster their organization's SD-WAN security, and how they made that happen.

Westcon enhances Silver Peak SD-WAN with next-gen firewalls 

Michael Soler, senior infrastructure manager at Westcon-Comstor, a global IT distributor, says the driving forces behind his move from MPLS to SD-WAN based on the Silver Peak Unity EdgeConnect platform were resiliency, cost, scalability and visibility. 

His far-flung network consists of two co-managed data centers, two Azure data centers and 23 offices in North America, Europe and Asia. Resilience was an issue with the old MPLS network. “IPSec failovers were hit or miss,” Soler says. “They look great on paper until you actually need them.” 

Cost was another issue. Lacking visibility into network usage, Soler says he found it challenging to optimize his bandwidth needs and to determine where he was oversubscribed or undersubscribed.   

Then there’s the notorious lack of flexibility and slow response time when making a change or launching a new service with an MPLS network. And Soler says the complexity of an MPLS deployment increases the chance for errors, which translates into a subpar user experience. 

After investigating a number of SD-WAN vendors, he began a proof of concept in late 2017 with Silver Peak gear and was impressed with the simplicity of the rollout and the effectiveness of the product, particularly performance features like forward error correction and path conditioning. He established a template for the deployment process and began rolling out SD-WAN technology at all of his sites.  

“We’ve had a tremendous amount of success,” Soler says. WAN costs are down, resiliency and visibility are much improved, and end users are happy with the performance and flexibility that they can achieve by taking advantage of direct access to the Internet and the Azure cloud.  

To address security issues associated with Internet breakout from branch offices, Soler has deployed next-generation firewalls to enhance the stateful firewall that comes with the Silver Peak devices. Internet breakout is when branch-office internet traffic isn't backhauled to a central site where security controls are applied.

To continue reading this article register now

Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.