A Quick Guide to SD-WAN Security

Today, nearly every IT decision-maker wants to invest in innovation that will facilitate network performance and agility without compromising security. For many, the answer is SD-WAN. The intersection between security and SD-WAN is critical in keeping data not only accessible but also safe. Here’s a quick guide to the security benefits and precautions for SD-WAN.

SD-WAN Security: Need-to-Know Basics

The Security of SD-WAN Appliances

SD-WAN hardware is essentially a small computer, which means that the devices themselves are not necessarily built to be secure. In many cases, these devices may not have the most up-to-date operating system when they are shipped to the customer location, so checking for appliance security updates is critical.

  • Hardware: Off-the-shelf box servers and microservices should come only from well-known vendors with tested products.
  • Patches and Security Updates: Make sure your appliance is automatically updated by the service provider, or, at the very minimum, there is a process in place to do so.

SD-WAN’s Bundled Security Features: Benefits and Challenges

Because SD-WAN secures traffic in transit, solutions that include integrated firewalls and associated unified threat management have an advantage over solutions that require separate threat management. Properly configured SD-WAN devices can simplify security and defend data from attackers.

However, these bundled solutions can sometimes trigger challenges, blurring the line between network and security operations. Adding an unmanaged (and possibly unsecured) SD-WAN appliance to a corporate network can make roles and responsibilities confusing. Tight alignment is critical to help network teams address questions such as, “Does that mean our internal IT security team is responsible for managing the SD-WAN devices on our corporate network?” The worst-case scenario: The network team assumes the security team knows about the SD-WAN deployment and will take care of it. Then, critical security monitoring tasks are disregarded.

Overlooked Benefits: Segmentation & Zero Trust

Often overshadowed by other benefits, increased security is another advantage to come from SD-WAN. Built on flexible, software-defined architectural models, SD-WAN facilitates the normally difficult task of WAN segmentation, helping businesses deal with issues such as security threats from within. Segmentation is key due to the dramatic uptick of threats from inside a network, and it’s a focal point for many zero-trust security strategies.

SD-WAN makes segmentation and implementing zero-trust processes far easier, but it’s also playing a key role in first-line-of-defense capabilities. Approaches include SD-WAN solutions that whitelist online applications and websites for branch offices that may not have local firewalls.

SD-WAN and Internet: Security Risks and Resource Impacts

Given that SD-WAN paves the way for enterprises and their branch locations to leverage the internet for connectivity, security must be at the top of the priority list. When SD-WAN is deployed over dedicated internet connectivity or public broadband, it can introduce security risks that require next-generation firewalls, threat monitoring and management. Therefore, bundling security into SD-WAN isn’t just an option—it’s a requirement.

Here’s a quick background: Closely monitored firewalls are key defense mechanisms when SD-WAN shifts the network architecture away from a small set of centrally managed internet gateways and toward a highly distributed set of gateways. Because this dispersed architecture inherently increases the attack surface, the next move of any savvy network engineer is to implement next-generation firewalls with unified threat management. Built-in features make this step seamless.

SD-WAN Security: Must-Have Features and Capabilities

Your enterprise must be prepared to defend against any increased vulnerabilities, including leveraging:

  • A single on-premises or virtual client device that can handily and cost-effectively serve multiple security functions, including embedded firewalls for secure internet offloads and automatically encrypted tunneling to secure data across the internet.
  • The ability to centrally drive policies and configurations to reduce complexity and ease security management. For example, centralized orchestration is a path to chaining WAN security services such as firewalls and routers across locations around the globe.
  • The ability for SD-WAN network performance monitoring as well as security monitoring to sort through alerts generated by SD-WAN firewalls.

It’s not uncommon for CIOs and CISOs to feel overwhelmed at this point. SD-WAN implementation and management can tax IT resources. This is where managed SD-WAN, 24-7 security monitoring services, and managed detection and response solutions can help take the workload off your internal team. Service-based approaches are more scalable from both a resource and budgetary standpoint.

Secure SD-WAN: A Quick Buyer’s Guide

Looking to buy secure SD-WAN? Ask these three questions before you buy:

  1. Does your SD-WAN solution include an integrated, next-generation firewall with unified threat management (UTM)?
  2. Do you offer secure local internet breakouts, and if so, how?
  3. Does your SD-WAN include an integrated router and firewall, to direct and securely route traffic to the internet easily without stacking multiple devices at a given location?

Don’t forget about analytics. Buyers also take a hard look at security analytics, which are sometimes just bolted on as aftermarket components rather than being built into the SD-WAN solution. Within the online portal, most providers will give you visibility at the box level onsite, but not at the network level itself. However, partners with security and analytics tools integrated into the solution (truly embedded into the fabric of the software-defined network platform) offer the ability to view data from the actual network ports inside the SD-WAN portal. These are key differentiators for those seeking full transparency and the deepest levels of insight.

Craig DAbreo


Craig oversees the managed security, threat intelligence and security professional services departments at Masergy. He is responsible for Masergy’s proactive enterprise cybersecurity threat management and operations program. Craig holds a bachelor’s degree in computer science and an MBA in information security. He is a Certified Information Security Systems Professional (CISSP) with over a decade of experience in the security industry and holds various network security certifications. He has written on various security blogs, spoken on a range of industry panels and is a recognized thought leader in the cybersecurity space.
