
The case for securing the SD-WAN

Nov 28, 2017 | 6 mins

The SD-WAN and the move to hybrid connectivity leaves many enterprises unprepared to protect every branch location from new waves of sophisticated attacks.


With everything from massive data breaches at global organizations to ransomware outbreaks that infect hundreds of thousands of machines within days, it is well established that enterprises are dealing with more threats than ever before, and that those threats keep growing in volume, frequency and sophistication.

Much of this rapidly evolving threat environment can be attributed to new and expanding threat vectors that let external attackers reach critical business assets through non-corporate entities: a consumer device, a poorly secured partner network or a branch office. Internet of Things (IoT) devices and guest tenant services, for example, each need their own segmented traffic path and workloads, which adds a layer of operational complexity.

A newer threat vector has its roots in the software-defined WAN (SD-WAN) itself: direct internet access from the branch creates attack surface that the existing security model was never built for, and paves the way for an influx of ransomware, APTs, worms and other malware. Historically, organizations backhauled all internet traffic to the data center, where centralized access and a centralized security stack handled it. With direct internet access at the branch, every site has its own internet edge: it is exposed to inbound attacks on its public address, and its users' outbound traffic reaches the internet without ever passing the data center stack. The emergence of SD-WAN and the move to hybrid connectivity therefore leaves many enterprises unprepared to protect each branch location from the resulting wave of sophisticated attacks.

A security mind shift

Enterprises can resolve this new spate of security challenges by moving their inspection and enforcement points out of the data center to the branch, to the cloud, or both. Specifically, security administrators need to decide whether they require security layers beyond encryption and a general stateful firewall. Then they need to assess where the greater risk sits, at the branch or in the cloud, which determines which layers of security are required at each point.

SD-WAN does provide some security by nature: it natively supports encrypted overlay tunnels between sites and segmentation per application or organizational unit. That encryption, however, only protects traffic in transit; it does not inspect what the traffic carries, and a comprehensive, enterprise-grade security stack is not natively supported by many SD-WAN products. So how, and with what, do you secure a branch whose direct internet connection is simultaneously a pipeline for a maelstrom of malware and other threats?

There are several ways. Organizations have the option of going with:

  • An integrated advanced security offering that is baked into the SD-WAN solution,
  • A third-party SaaS offering, or
  • Deploying an existing or new vendor for an on-premises, appliance-based approach.

Each of these approaches comes with its own set of benefits and caveats. (Many SD-WAN vendors also bundle a stateful firewall, a common service that most routers already support, so that is like-for-like functionality. What most vendors in the SD-WAN market still lack natively is next-generation firewall and UTM features.)

Security baked into the SD-WAN

Pros: Integrating security into the SD-WAN raises the level of branch connectivity and can be delivered in multiple ways. This approach offers a single vendor, simpler management and inline protection of traffic, coupled with intelligent traffic management and steering. Enterprises will likely see strong performance, with no extra hops or appliances to deal with. In addition, SD-WAN with baked-in security offers a single pane of glass for all event correlation across the user, application, device, location and network.

Cons: The level of security might not be as "in-depth" in the traditional "defense-in-depth" sense. That depth is usually achieved by relying on multiple vendors to cover different aspects of the security infrastructure, so that a miss in one vendor's engine is caught by another; a single integrated stack puts all the eggs in one basket.

Third-party Software-as-a-Service (SaaS) offering

Pros: This approach alleviates some administrative headaches with a consumption model that has a light or zero on-site footprint and offers comparatively higher agility and ease of use from an implementation and management standpoint. A SaaS security service can also add kinds of inspection the branch did not have before, helping prevent a potentially costly, stealthy and unexpected attack.

Cons: A third-party SaaS solution has limitations. Many can only inspect HTTP-based traffic, leaving organizations unsure what to do with the rest and potentially missing threats that arrive over other protocols. And, from a management perspective, a SaaS solution separates the management interface from the enforcement point, which adds steps for administrators, complicates operations and costs time.
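The two caveats above (a web-only SaaS proxy never sees non-HTTP traffic, and every flow at a branch with direct internet access still has to land on some enforcement point) are easy to reason about with flow data. The following is an added example, not code from the article or from Versa Networks: it assigns constructed branch flow records to the enforcement point the earlier sections describe (cloud proxy, branch firewall, encrypted overlay, or drop for a segmentation violation), measures how much internet-bound traffic a web-only proxy would actually inspect, and lists what the branch firewall must catch instead. The segment names, ports, policy and sample flows are all assumptions.

```python
"""Which enforcement point sees each branch flow once direct internet access is on?

Added example, not the article's or Versa's code. The flow records, segment
names and policy below are constructed for illustration; a real deployment
would feed this from the SD-WAN device's flow export and its own policy.
"""
from collections import Counter
from dataclasses import dataclass

# Ports a web-proxy-only SaaS security service inspects (assumption: HTTP/HTTPS only).
SAAS_WEB_PORTS = {80, 443}

# Segments allowed to reach other sites over the encrypted overlay (assumption). Guest never is.
OVERLAY_SEGMENTS = {"corp", "iot"}


@dataclass(frozen=True)
class Flow:
    segment: str  # SD-WAN segment the flow originated in: corp, guest, iot
    dst: str      # "internet" or another site reached over the overlay, e.g. "site-1"
    proto: str    # "tcp" or "udp"
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: segment,dst,proto,dport,bytes."""
    seg, dst, proto, dport, nbytes = line.strip().split(",")
    return Flow(seg, dst, proto.lower(), int(dport), int(nbytes))


def enforcement_point(f: Flow) -> str:
    """Map a flow to the one place it must be inspected and enforced.

    saas    -> third-party cloud proxy (web traffic only)
    branch  -> stateful/next-gen firewall at the branch (everything the proxy cannot see)
    overlay -> encrypted site-to-site tunnel, kept inside its own segment
    drop    -> segmentation violation: guest may never reach another site
    """
    if f.dst != "internet":
        return "overlay" if f.segment in OVERLAY_SEGMENTS else "drop"
    if f.proto == "tcp" and f.dport in SAAS_WEB_PORTS:
        return "saas"
    return "branch"


def bytes_by_point(lines) -> Counter:
    """Total bytes landing on each enforcement point."""
    totals = Counter()
    for f in map(parse_flow, lines):
        totals[enforcement_point(f)] += f.nbytes
    return totals


def saas_coverage(lines) -> float:
    """Share of internet-bound bytes a web-only SaaS proxy would actually inspect."""
    internet = [f for f in map(parse_flow, lines) if f.dst == "internet"]
    total = sum(f.nbytes for f in internet)
    seen = sum(f.nbytes for f in internet if enforcement_point(f) == "saas")
    return seen / total if total else 0.0


def missed_by_saas(lines):
    """Internet-bound flows the SaaS proxy never sees; these need the branch firewall."""
    return [(f.segment, f.proto, f.dport)
            for f in map(parse_flow, lines)
            if f.dst == "internet" and enforcement_point(f) != "saas"]


# Constructed sample: one hour of egress from a branch with corp, guest and iot segments.
SAMPLE_FLOWS = [
    "corp,internet,tcp,443,120000",
    "corp,internet,tcp,80,20000",
    "corp,internet,udp,53,2000",    # DNS straight to the internet
    "corp,internet,tcp,22,43000",   # SSH to an outside host
    "iot,internet,tcp,8883,5000",   # MQTT over TLS from a sensor
    "iot,site-1,tcp,502,900",       # Modbus to the data centre, stays in the iot segment
    "guest,internet,tcp,443,60000",
    "guest,site-1,tcp,445,7000",    # guest trying SMB into a corporate site
    "corp,site-1,tcp,445,150000",
]

if __name__ == "__main__":
    print(bytes_by_point(SAMPLE_FLOWS))
    print(f"SaaS proxy inspects {saas_coverage(SAMPLE_FLOWS):.0%} of internet-bound bytes")
    print("needs branch firewall:", missed_by_saas(SAMPLE_FLOWS))
```

On the constructed sample the cloud proxy inspects 80% of internet-bound bytes and never sees the DNS, SSH and MQTT flows, which is exactly the traffic a branch firewall (integrated or appliance) still has to cover; the guest-to-site flow is dropped by segmentation before any inspection is needed. Running the same tally over a real NetFlow or IPFIX export from a branch is a quick way to size the gap before committing to a web-only service.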

Deploying an existing or new vendor

Pros: Many organizations rely on tried-and-true existing vendors for an on-premises, appliance-based approach. One of the most significant benefits of this approach is familiarity: security administrators already have hands-on experience with these products. And because these products have been around for a long time, they tend to remain in the branch infrastructure for years and have a proven degree of effectiveness.

Cons: While familiar, the dedicated-appliance approach can be expensive to acquire and to operate. Appliances are often complex, so they require a labor-intensive implementation cycle and more resources to manage across an entire organization, and multiple data-intensive appliances at each branch compound the problem. That same complexity can be the source of integration and interoperability issues that impede productivity down the road. And with numerous appliances there is no single point of event correlation, which all but ensures that threats and other anomalies fall through the cracks.

Securing the SD-WAN: what to expect

Organizations with security integrated into the SD-WAN will likely benefit from high performance and ease of management and use. To reach a high standard of security, certain functionality is non-negotiable for branch and WAN connectivity solutions. Organizations should require a stateful firewall and/or application firewall, along with dynamic IPsec tunneling and site-to-site pairing. Security features should also include secure key management and dynamic rekeying, plus inline detection and blocking of malware and related threats such as ransomware and spyware. Standard functionality such as antivirus and DDoS detection and protection should naturally be included. To round out the expected set of capabilities, integrated SD-WAN security needs to provide full end-to-end event correlation across apps, users, devices, locations, networks and security events, managed with a tool that can collect, display and react appropriately to those events.
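The correlation requirement above has a practical wrinkle that is worth showing: with hundreds of branches, private address ranges repeat, so an alert keyed on source IP alone gets attributed to the wrong user and device. The following is an added example, not code from the article or from Versa Networks: it joins a constructed firewall alert to a constructed identity log and device inventory using site, IP and time together, shows how the naive IP-only join goes wrong, and picks a disposition from user, device, segment and event rather than from the signature alone. All log lines, device names and actions are assumptions.

```python
"""Correlate a branch firewall alert with user, device, segment and location.

Added example, not the article's or Versa's code. Every log line below is
constructed. What it demonstrates: when many branches reuse the same private
address ranges, the correlation key must include the location and the time of
the alert as well as the source IP, or the alert lands on the wrong user.
"""
from datetime import datetime

# Constructed identity log: ts,site,ip,user,device (an IP lease or 802.1X session start).
IDENTITY_LOG = [
    "2017-11-28T09:00:00,branch-07,10.7.0.23,alice,LAPTOP-A1",
    "2017-11-28T09:05:00,branch-12,10.7.0.23,vendor-kiosk,KIOSK-12",  # same IP, other site
    "2017-11-28T12:30:00,branch-07,10.7.0.23,bob,LAPTOP-B9",          # IP reassigned later
]

# Constructed device inventory: device -> (segment, managed by the enterprise?)
DEVICE_INVENTORY = {
    "LAPTOP-A1": ("corp", True),
    "LAPTOP-B9": ("corp", True),
    "KIOSK-12": ("guest", False),
}

# Constructed firewall alerts: ts,site,src_ip,app,event
ALERTS = [
    "2017-11-28T10:15:00,branch-07,10.7.0.23,smb,outbound-connection-to-unknown-host",
    "2017-11-28T10:20:00,branch-12,10.7.0.23,http,malware-download-blocked",
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def lookup_identity(site, ip, at):
    """Most recent identity record for (site, ip) at or before the alert time."""
    best = None
    for line in IDENTITY_LOG:
        ts, s, addr, user, device = line.split(",")
        when = parse_ts(ts)
        if s == site and addr == ip and when <= at and (best is None or when > best[0]):
            best = (when, user, device)
    return (best[1], best[2]) if best else (None, None)


def lookup_identity_naive(ip, at):
    """The common mistake: key on IP only, ignoring which site the alert came from."""
    best = None
    for line in IDENTITY_LOG:
        ts, _site, addr, user, device = line.split(",")
        when = parse_ts(ts)
        if addr == ip and when <= at and (best is None or when > best[0]):
            best = (when, user, device)
    return (best[1], best[2]) if best else (None, None)


def correlate(alert_line: str) -> dict:
    """Enrich one alert with user, device, segment and a disposition."""
    ts, site, ip, app, event = alert_line.split(",")
    user, device = lookup_identity(site, ip, parse_ts(ts))
    segment, managed = DEVICE_INVENTORY.get(device, ("unknown", False))
    # The disposition uses every dimension the article lists, not just the signature.
    if not managed:
        action = "quarantine-port"            # no agent on the device to remediate with
    elif segment == "corp" and event.startswith("outbound"):
        action = "isolate-host-and-page-ir"   # managed corp host making outbound contact
    else:
        action = "ticket-endpoint-team"
    return {"site": site, "src_ip": ip, "app": app, "event": event,
            "user": user, "device": device, "segment": segment, "action": action}


if __name__ == "__main__":
    for alert in ALERTS:
        print(correlate(alert))
    # The naive join pins the branch-07 alert on the kiosk at branch-12.
    print("naive:", lookup_identity_naive("10.7.0.23", parse_ts("2017-11-28T10:15:00")))
```

Keyed on site, IP and time, the first alert resolves to alice's managed corporate laptop and gets an isolate-and-page action, while the second resolves to an unmanaged guest kiosk and gets a port quarantine; the naive IP-only join attributes the first alert to the kiosk at a different branch, which is the kind of misattribution a single correlation pane is supposed to prevent.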

The benefits of a secure SD-WAN are extensive: it enables organizations to meet compliance mandates, reduce infrastructure and circuit costs, improve and simplify segmentation, and decrease branch sprawl.

At the end of the day, threats against the enterprise are in a continual state of flux, constantly adapting to overcome whatever stands between them and their objective, corporate assets. To function effectively in today's security environment, SD-WAN security should not be an afterthought, bolted on after the fact or added in as needed. Instead, security needs to become an inherent part of the SD-WAN fabric, and thus a robust, critical and necessary component of an organization's comprehensive security infrastructure.


Kumar Mehta is the co-founder of and Chief Development Officer at Versa Networks. Kumar brings a proven track record of leading mega-projects at startups as well as publicly traded companies.

His vision, work ethic, and leadership as VP of Engineering at Juniper Networks resulted in multiple blockbuster product deliveries, including the market-leading Metro and Carrier Ethernet solution, the MX series. His leadership in design, development, and delivery of differentiated solutions resulted in huge and continuing revenue streams for the company and brought Kumar the prestigious CEO Excellence Award. Prior to Juniper, Kumar held engineering management positions at Riverstone Networks and Yago Systems.

Kumar is a graduate of the Executive Program at Stanford University Graduate School of Business. He has a master’s degree in Engineering from Virginia Tech and a Bachelor of Technology from Indian Institute of Technology, Kharagpur.

The opinions expressed in this blog are those of Kumar Mehta and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.