The traditional reliance on in-house data centers gave organizations the advantage of being able to monitor and manage access to the internet from a centralized location – and to implement security policies and controls which emanated from a single point.
With the evolution of technology and a shift in traditional working patterns, enterprise networks have since moved beyond the single campus to include remote sites, branch offices, international locations, and a multitude of endpoints furnished by remote, home-based, and mobile workers using a wide range of devices.
Developments such as the software-defined Wide Area Network (SD-WAN) now enable organizations to provide direct internet access from virtually any point of the corporate network. While quick and convenient, this has the potential to expose the enterprise to security threats on an increasing number of fronts.
Extending protection to each node or branch office requires planning and security awareness, and in this article we'll look at some tips and best practices for managing security on an SD-WAN.
The SD-WAN Conundrum
To minimize the expense of running Multi-Protocol Label Switching (MPLS), many organizations turn to software-defined Wide Area Networks (SD-WANs), which enable them to add and manage bandwidth and applications more efficiently. Rather than having to send network managers out to troubleshoot problems or run firmware updates, most of the routine setup and maintenance tasks on SD-WAN can be performed remotely over a central console.
However, SD-WANs are heavily reliant on the internet – and it’s this connectivity requirement that has the potential to expose an enterprise to external threats, or to make internal vulnerabilities available to a global field of cyber-threat actors. So SD-WAN managers must find ways to more effectively encrypt, filter and manage their data traffic.
The SD-WAN Security Advantage
There’s a degree of security inherent in the SD-WAN architecture: traffic between sites is carried in encrypted overlay tunnels (typically IPsec), and the controller pushes the tunnel configuration to every edge, so the network administrator does not have to make a series of manual changes to each router whenever the network changes. This also gives an SD-WAN an advantage over the majority of private IP services such as MPLS, which do not encrypt traffic by default: if the carrier network is compromised, an attacker sees only ciphertext. The caveat is that the guarantee is only as strong as the tunnel configuration, the authentication of the edges and the handling of their keys, and it protects the payload, not the metadata or the availability of the link.
Many of the leading SD-WAN vendors also offer solutions with security tools “baked in”. These may include the ability to deploy services like firewalls, Virtual Private Networks (VPNs), and virtual WAN optimization through network functions virtualization (NFV). This makes it very straightforward to deploy security services to any location, be it a branch office, data center, or cloud deployment.
For the highest standards of security performance, on-board protection for SD-WAN should include:
· A stateful firewall and/or application-layer firewalls
· Detection of and protection against viruses and Distributed Denial of Service (DDoS) attacks
· Dynamic IPsec tunneling
· Site-to-site pairing
· Secure encryption key management
· Inline detection and protection against malware
· Full end-to-end event correlation for all devices, users, applications, locations, networks, and security events
· Tools for event collation, display, reporting, and remediation
Such a security tool-kit will typically originate from a single vendor. While this can simplify matters in terms of management and product support, some enterprises may feel the need for more specialized tools and capabilities, to lend greater depth to their security posture.
A Layered Approach
Idealized models for network security adopt a “layered” approach, and the splitting up of systems into zones whose unique security characteristics and risk factors may be addressed by specific tools and protocols.
Network segmentation can be readily accomplished through SD-WAN, which uses virtualization and software to allow coarse and fine-grained segments to be defined and managed through security policies, as dictated by business needs. This software-based segmentation means that security policies aren’t tied to specific hardware, and may be ported across the network to find or follow devices, as required.
But even with a next-generation Layer 7 firewall in its edge devices, an SD-WAN may not provide the total security coverage that an enterprise desires. So a layered approach to security may require the insertion of additional tools and services at strategic points.
Security as a Service
Inserting security services delivered from the cloud as Software as a Service (SaaS) can protect the network with little local management overhead, while reducing the need for on-site security devices.
An SD-WAN is able to perform deep application recognition, which allows administrators to exercise granular control over how specific network traffic is routed through security services. So security functions like data loss prevention and malware scanning can be positioned as close to the appropriate traffic as possible.
This said, many third-party cloud security services inspect only HTTP and HTTPS traffic, typically by acting as a web proxy. Anything that uses other protocols, such as DNS, SMB or a custom TCP service, passes them uninspected unless the steering policy explicitly sends it to another inspection point, which leaves that traffic as an unchecked path into the enterprise.
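The steering decision described above, as an added example that is not code from any SD-WAN product: a flow record carries the 5-tuple plus the application identified by the edge's deep packet inspection, and a policy function returns the chain of security services the flow is sent through. The cloud proxy in this model can only see HTTP and HTTPS, so the policy sends every other internet-bound protocol to an on-premises firewall rather than direct, and denies what DPI cannot classify. The service names, application ids, address plan and sample flows are all constructed for illustration.

```python
"""Application-aware steering of branch traffic to inspection points.

Added example; not code from any SD-WAN product. A flow record carries the
5-tuple plus the application the edge's DPI engine identified, and steer()
returns the chain of security services that flow is sent through. The cloud
proxy in this model only inspects HTTP and HTTPS, so flows on any other
protocol go to an on-premises firewall instead of passing uninspected,
and unclassified flows are denied. Service names, application ids, the
address plan and the sample flows are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # transport: "tcp" or "udp"
    dport: int
    app: str     # application id reported by DPI (constructed names)


# Protocols the cloud proxy can actually inspect.
CLOUD_PROXY_VISIBLE = {"http", "https"}

# Constructed: DPI application id -> protocol it rides on.
APP_PROTOCOL = {
    "o365": "https", "dropbox": "https", "web-browsing": "http",
    "smb": "smb", "dns": "dns", "rdp": "rdp", "ssh": "ssh",
}

# Constructed address plan: everything in 10/8 is on the overlay.
INTERNAL = [ip_network("10.0.0.0/8")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in n for n in INTERNAL)


def steer(flow):
    """Return (service_chain, reason) for one flow.

    service_chain lists inspection points in order. Internet-bound traffic
    is never sent direct: what the cloud proxy cannot see goes to the
    branch firewall, and what DPI cannot classify is dropped.
    """
    protocol = APP_PROTOCOL.get(flow.app)
    if is_internal(flow.dst):
        # Site-to-site traffic stays in the encrypted overlay; the hub
        # firewall enforces inter-segment policy.
        return ["hub-ngfw"], "internal destination"
    if protocol in CLOUD_PROXY_VISIBLE:
        chain = ["cloud-swg"]
        if flow.app in {"o365", "dropbox"}:
            chain.append("cloud-dlp")   # uploads to sanctioned SaaS get DLP
        return chain, f"{protocol} is visible to the cloud proxy"
    if protocol is None:
        return ["deny"], f"unclassified application {flow.app!r}"
    # The cloud proxy would pass this untouched; inspect it on premises.
    return ["branch-ngfw"], f"{protocol} is not visible to the cloud proxy"


def cloud_only_gaps(flows):
    """Applications that a cloud-proxy-only design would leave uninspected."""
    return sorted({f.app for f in flows
                   if not is_internal(f.dst)
                   and APP_PROTOCOL.get(f.app) not in CLOUD_PROXY_VISIBLE})


# Constructed sample flows as seen at one branch edge.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "52.96.0.10",   "tcp", 443,  "o365"),
    Flow("10.20.1.15", "162.125.0.1",  "tcp", 443,  "dropbox"),
    Flow("10.20.1.22", "10.0.5.9",     "tcp", 445,  "smb"),
    Flow("10.20.1.22", "203.0.113.7",  "tcp", 445,  "smb"),
    Flow("10.20.1.30", "203.0.113.8",  "udp", 53,   "dns"),
    Flow("10.20.1.30", "203.0.113.9",  "tcp", 4444, "unknown-tcp"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        chain, why = steer(f)
        print(f"{f.src} -> {f.dst}:{f.dport} {f.app:12} {'>'.join(chain):22} ({why})")
    print("bypass a cloud-only design:", cloud_only_gaps(SAMPLE_FLOWS))
```

The `cloud_only_gaps` audit is the part worth keeping: run it over a day of flow records from an edge and it lists exactly which applications a cloud-proxy-only design would have passed uninspected, which is the list that decides whether a branch firewall is still needed.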
Appliance-based Security On Premises
Enterprises which have a history of dealing with certain device manufacturers may have a trusted option for additional protection in the form of site-based security appliances. These give network security administrators hands-on access and personal management of their deployment.
However, if an organization’s operational centers are widely spread, this approach can soon mount up in terms of expense, personnel, and management overheads. Over time, problems may arise due to hardware incompatibility and integration with new products or processes.
A widely dispersed set of security appliances also lacks a central point for coordinating event collection and reporting. Viewed across the enterprise, that leaves gaps: an alert raised at one site and a related event at another may never be put together, and a rule omitted at one branch goes unnoticed until something passes through it.
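The end-to-end event correlation listed among the on-board capabilities above, and the gap that site-by-site appliances leave, as an added example that is not code from any vendor's console. Each branch edge emits one line per security event; a site-local appliance sees only its own lines. A central correlator ingests the lines from every site and raises two findings no single site can: a user who authenticates at two different branches within a short window, and an outbound session from one branch to a destination that another branch has already blocked as malicious. The log format, site names, users and addresses are constructed for the example.

```python
"""Cross-site correlation of branch-edge security events.

Added example; not code from any vendor's console. Each branch edge emits
one line per event and a site-local appliance sees only its own lines.
The correlator ingests lines from every site and raises two findings no
single site can: a user who authenticates at two different branches
within a short window, and an outbound session to a destination that
another branch has already blocked as malicious. The log format, site
names, users and addresses are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed lines: "<UTC time> site=<name> host=<ip> user=<name> event=<type> [dst=<ip>]"
SAMPLE_LOGS = """\
2024-03-04T09:00:12Z site=london host=10.20.1.15 user=asmith event=auth_ok
2024-03-04T09:04:40Z site=sydney host=10.40.7.3 user=asmith event=auth_ok
2024-03-04T09:10:05Z site=london host=10.20.1.22 user=bjones event=malware_blocked dst=203.0.113.50
2024-03-04T09:25:30Z site=paris host=10.30.2.8 user=dlee event=conn_out dst=203.0.113.50
2024-03-04T09:30:00Z site=london host=10.20.1.30 user=cwong event=auth_ok
2024-03-04T09:31:10Z site=london host=10.20.1.30 user=cwong event=conn_out dst=198.51.100.20
2024-03-04T11:30:00Z site=paris host=10.30.2.9 user=cwong event=auth_ok
"""


def parse_line(line):
    """Parse one 'time key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def parse_logs(text):
    """Parse every non-empty line and return the events in time order."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def user_site_hops(events, window_s=1800):
    """Users seen authenticating at two different sites within window_s seconds.

    Returns (user, first_site, second_site, seconds_apart) tuples.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "auth_ok":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):          # events are already time-ordered
            gap = (b["ts"] - a["ts"]).total_seconds()
            if a["site"] != b["site"] and gap <= window_s:
                findings.append((user, a["site"], b["site"], int(gap)))
    return findings


def flagged_destination_reuse(events):
    """Outbound sessions to a destination that any site earlier blocked as malicious.

    Returns (destination, blocking_site, connecting_site, connecting_host).
    """
    first_block = {}
    for e in events:
        if e["event"] == "malware_blocked":
            first_block.setdefault(e["dst"], e)
    findings = []
    for e in events:
        block = first_block.get(e.get("dst"))
        if e["event"] == "conn_out" and block and e["ts"] >= block["ts"]:
            findings.append((e["dst"], block["site"], e["site"], e["host"]))
    return findings


def correlate(text):
    """Run every rule over the combined log and return findings per rule."""
    events = parse_logs(text)
    return {
        "user_site_hops": user_site_hops(events),
        "flagged_destination_reuse": flagged_destination_reuse(events),
    }


if __name__ == "__main__":
    for rule, hits in correlate(SAMPLE_LOGS).items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

In the sample, the London appliance blocked the destination and the Paris appliance let a connection to it through; only a view across both sites turns those two events into one finding. The same holds for the user seen in London and Sydney four minutes apart.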
Securing The Branches
Using SD-WAN technology in the new breed of extended enterprise campus also requires a shift in mind-set from the traditional “single site, single data center” way of thinking.
For enterprise-wide security, administrators must be prepared to shift security inspection and policy enforcement points to individual branch offices, or to any other location where the network maintains a presence. This would extend to mobile deployment (via apps and web-based platforms), and any resources which the enterprise retains in the cloud.
Virtual overlays may also need to be created within the SD-WAN framework to segment and protect different types of application traffic, in accordance with the specific requirements of any regulatory compliance regimes to which an organization is committed.
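The software-defined segmentation described under "A Layered Approach" and the compliance-driven overlays described above, as an added example that is not vendor configuration. Each segment is one overlay (VRF), the policy is an inter-segment allow list with default deny, and the check worth automating is the transitive one: an allow rule from the corporate segment into the cardholder-data segment and a separate allow rule from the guest segment into the corporate segment each look defensible on their own, and together they give guests a path into the cardholder-data segment. Segment names, prefixes and rules are constructed for illustration.

```python
"""Segment policy and transit-path check for an SD-WAN overlay.

Added example; not vendor configuration. Each segment is one overlay/VRF,
POLICY is the inter-segment allow list (default deny), evaluate() decides a
single flow, and reachable_segments() walks the allow rules as a graph to
find every segment a given one can reach through transit. That transitive
check is the part worth automating: "corp -> pci:443" and "guest -> corp"
each look defensible on their own, and together they give guests a path
into the cardholder-data segment. Segment names, prefixes and rules are
constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed: one overlay (VRF) per segment.
SEGMENTS = {
    "corp":  [ip_network("10.10.0.0/16")],
    "pci":   [ip_network("10.20.0.0/16")],
    "guest": [ip_network("10.30.0.0/16")],
    "iot":   [ip_network("10.40.0.0/16")],
}

# (src_segment, dst_segment, dst_port or "*"); anything not listed is denied.
POLICY = [
    ("corp",  "corp",  "*"),
    ("corp",  "pci",   443),
    ("guest", "corp",  "*"),    # added "temporarily" for guest printing
    ("iot",   "corp",  8883),   # sensors publish to an MQTT broker in corp
]

# Pairs that compliance says must never be connected, directly or via transit.
FORBIDDEN = [("guest", "pci"), ("iot", "pci"), ("guest", "iot")]


def segment_of(addr):
    a = ip_address(addr)
    for name, nets in SEGMENTS.items():
        if any(a in n for n in nets):
            return name
    return None


def evaluate(src, dst, dport, policy=POLICY):
    """Default-deny decision for one flow; returns (allowed, reason)."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return False, "address outside every segment"
    for ps, pd, pp in policy:
        if (ps, pd) == (s, d) and pp in ("*", dport):
            return True, f"rule {ps} -> {pd}:{pp}"
    return False, f"no rule {s} -> {d}:{dport}, default deny"


def reachable_segments(start, policy=POLICY):
    """Segments reachable from `start` through any chain of allow rules.

    Any allowed port counts as a hop: once a host in the next segment can be
    reached, a compromise there inherits that segment's own rules. This is a
    deliberate over-approximation (an L4 rule says nothing about what the
    intermediate host does), so hits are paths to review, not proof of
    exploitability.
    """
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        for ps, pd, _ in policy:
            if ps == cur and pd != start and pd not in seen:
                seen.add(pd)
                stack.append(pd)
    return seen


def transitive_violations(forbidden=FORBIDDEN, policy=POLICY):
    """Forbidden (src, dst) pairs the policy connects, directly or via transit."""
    return sorted((s, d) for s, d in forbidden
                  if d in reachable_segments(s, policy))


# The obvious fix removes the guest rule; the iot -> corp -> pci path remains.
FIXED_POLICY = [r for r in POLICY if r[:2] != ("guest", "corp")]

if __name__ == "__main__":
    print(evaluate("10.30.1.5", "10.20.4.4", 443))   # guest -> pci, denied directly
    print("reachable from guest:", reachable_segments("guest"))
    print("violations:", transitive_violations())
    print("after removing guest -> corp:", transitive_violations(policy=FIXED_POLICY))
```

A direct guest-to-PCI flow is denied, as expected, and yet the transit walk still reports guest reaching PCI through corp. Removing the guest rule closes that path but leaves the one from the IoT segment through the MQTT broker, which is exactly the kind of finding that should drive where inspection points are inserted between segments rather than relying on the allow list alone.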