The case for securing the SD-WAN

With everything from massive data breaches at global organizations to explosive ransomware attacks that infect hundreds of thousands of users within days, it’s well established that enterprises these days are dealing with more threats than ever before – all of which are increasing in abundance, frequency and complexity.

Among other things, this rapidly evolving threat environment can be attributed to new and expanding threat vectors that have opened the door for external threats to reach critical business assets via non-corporate entities, whether through a consumer device, poorly secured partner network or branch office. The Internet of Things (IoT) and guest tenant services, for example, force a unique method of segmenting the traffic service/workloads and introduce a level of operational complexity.

A new threat vector being exploited today has its roots in the software-defined WAN (SD-WAN), which has inadvertently created new attack surfaces with the utilization of direct internet access that upends the current security model and paves the way for an influx of ransomware, APTs, viral worms and other malware. Historically, organizations secured internet access via centralized access plus security handled in the data center. However, moving to direct internet access at the branch opens it up to a myriad of inbound attacks, while the emergence of SD-WAN and the move to hybrid connectivity leaves many enterprises unprepared to protect each branch location from the new resulting wave of sophisticated attacks.

A security mind shift

Enterprises can resolve this new spate of security challenges by moving their inspection and enforcement points away from the data center to either the branch or the cloud. Specifically, security administrators need to assess if they require security layers that consist of more than just encryption and general stateful firewall services. Then they need to ask whether there’s more risk in either the branch or the cloud, which will help determine what layers of security they will require.

By nature, SD-WAN provides embedded security because of its native support for encryption end-to-end and segmentation on a per application or organizational level. However, the delivery of a comprehensive enterprise grade security solution is not wholly supported natively in numerous SD-WAN providers. So, how and what do you use to secure the branch that simultaneously serves as a direct pipeline for a maelstrom of malware and other threats?

There are a several ways. Organizations have the option of going with:

• An integrated advanced security offering that is baked into the SD-WAN solution,
• A third-party SaaS offering, or
• Deploying an existing or new vendor for an on-premises, appliance-based approach.

Each of these approaches come with their own set of benefits and caveats.  (Some vendors also offer a stateful firewall as well – a common service that many routers support today – so it’s a like for like functionality. That said, it’s missing the native support for next generation and UTM features from most of the vendors in the SD-WAN market.)

Security baked into the SD-WAN

Pros: Integrated security for the branch takes SD-WAN to the next level of branch connectivity and can be delivered in multiple ways. This approach offers a single vendor, simpler management and inline protection of traffic coupled with intelligent traffic management and steering. With this option, enterprises will likely receive strong performance, with no extra hops or appliances to deal with. In addition, SD-WAN with baked in security offers a single pane of glass for all event correlation, including the user, applications, device, location and the network.

Cons: The level of security might not be as “in-depth” from a traditional “defense-in-depth” perspective, which is often achieved by relying on multiple vendors to cover all aspects of security infrastructure and not taking an approach that “puts all the eggs in one basket” with regards to security.

Third-party Software-as-a-Service (SaaS) offering

Pros: This approach will alleviate some administrative headaches with a consumption model that features a light or zero on-site footprint and offers comparatively higher agility and ease of use from an implementation and management standpoint. SaaS security can inject new kinds of inspection to protect the data, preventing a potentially costly, stealthy and unexpected attack.

Cons: A third-party SaaS solution has some limitations. Many can only recognize HTTP-based traffic, leaving organizations uncertain of what to do with the rest and potentially missing threats that enter via alternate protocols. And, from a management perspective, SaaS solutions separate management interface and the touchpoint, creating extra steps for administrators that can complicate operations and add up timewise.

Deploying an existing or new vendor

Pros: Many organizations rely on tried-and-true existing vendors for an appliance-based approach on-premises. Not surprisingly, one of the most significant benefits with this approach is that organizations are often very familiar with these products. As these solutions reside on-premises, security administrators automatically have hands-on familiarity with these products. And because of the longevity these products have, they tend to remain within a branch infrastructure for long periods of time and are often proven to have a certain degree of effectiveness.

Cons: While familiar, the dedicated appliance approach can be expensive from both an acquisition and operations perspective. Because they are often complex, they require a labor-intensive implementation cycle and require more resources to manage across an entire organization. Additionally, multiple data-intensive, appliances at each branch exponentially compound this problem. That same complexity can be the source of potential integration and/or interoperability issues that are certain to impede productivity down the road. And with numerous appliances, there is no single point of event correlation, which all but ensures that threats and other anomalies will fall through the cracks.

Securing the SD-WAN: what to expect

Organizations with security integrated into the SD-WAN will likely benefit from high performance and ease of management and use. To achieve a high standard of security performance, certain functionality is non-negotiable for branch and WAN connectivity solutions. For example, organizations should require a stateful firewall and/or application firewall, along with dynamic IPSec tunneling and site-to-site pairing. Security features should also include secure key management and dynamic rekeying, as well as malware and x-ware inline detection and protection. Standard security functionality such as antivirus and DDoS protection and detection should naturally be included. To round out the expected set of security capabilities, integrated SD-WAN security needs to provide full end-to-end event correlation, incorporating all apps, users, devices, locations, networks and security events, managed with a tool that can collect, display and react appropriately to these events.

The benefits of a secure SD-WAN are undeniably extensive, enabling organizations to meet compliance mandates, reduce infrastructure and circuit costs, improve and simplify segmentation and decrease branch sprawl.

At the end of the day, threats against the enterprise are in a continual state of flux, constantly adapting to overcome impediments to their objective – corporate assets. To effectively function in today’s security environment, SD-WAN security should not be an afterthought, bolted on after the fact or added in as needed. Instead, a paradigm shift needs to occur to make security an inherent part of the SD-WAN fabric, and thus, a robust, critical and necessary component of an organization’s comprehensive security infrastructure.