The truth about SD-WAN security
Q&A with Frontier’s Scott Irwin, Senior Director Product Management, SD-WAN
Scott has over 20 years of telecom experience across companies in IT and telecom. He joined Frontier from Nuage Networks, an SDN Division within Nokia, where he operated as a director of business development for North America. Prior to Nuage, Scott led the solution architects over enterprise and carrier networks for US West at IBM. Scott brings a wealth of knowledge in datacenter and cloud virtualization, networking and software-defined environments.
Scott has over 20 years of telecom experience across companies in IT and telecom. He joined Frontier from Nuage Networks, an SDN Division within Nokia, where he operated as a director of business development for North America. Prior to Nuage, Scott led the solution architects over enterprise and carrier networks for US West at IBM. Scott brings a wealth of knowledge in datacenter and cloud virtualization, networking and software-defined environments.
“One-click and zero-touch does not mean one-and-done.”
When we talk to IT and business leaders about SD-WAN, the conversation quickly turns to security. And for good reason. With all the myths and misconceptions out there, their search for answers often leads to more questions. In light of the uncertainty, we sat down with our resident SD-WAN expert, Scott Irwin, to answer the questions we hear most frequently from our customers about SD-WAN security.
Why is security such a big concern with SD-WAN?
While SD-WAN delivers on the promise of performance, control and connectivity, it places new demands on security. As it connects and interconnects internal and external networks, it can attract threats. As it handles critical applications, access to cloud services and a multitude of traffic flows and locations, it can open opportunities for attacks. As it optimizes productivity and collaboration, it can create points of compromise for the entire network.
That’s why security is just as important as connectivity in an SD-WAN strategy. I mean, most security solutions offer some sort of SD-WAN capability with limited features, like stateful ACLs with some additional application signatures. But that simply isn’t enough for an SD-WAN network, especially in a large-scale environment.
"Unfortunately, the majority of SD-WAN vendors don’t pay enough attention to integrating security into a comprehensive solution, leaving businesses to fend for themselves even as their requirements—and the complexities—escalate."Why is it so difficult to add security to SD-WAN?
At a multi-site organization, each location has numerous and varied traffic flows, each with different security needs. On top of that, the entire SD-WAN infrastructure needs to be protected. If an SD-WAN provider doesn’t integrate security up front, you have to add it on after the fact, often with legacy systems lacking the capabilities required for SD-WAN. That ends up being more complicated and expensive at best and leaving your network exposed at worst.
Is firewalling, encryption and VPN enough to protect against cyber threats with SD-WAN?
No. Firewalling can prevent intrusion into your network, and encryption and VPN can help secure your connection between sites, but they don’t include identity threat or DDOS prevention, or other critical protections like malware and virus spread. A complete SD-WAN security solution recognizes threats that can get overlooked by stateful ACLs.
What are the most common mistakes enterprises make with their SD-WAN security?
I think the overarching one is simply not being aware of the limits of today’s SD-WAN’s security offerings. They just don’t provide enough protection. But not everyone realizes that until it’s too late to add security in an efficient way.
Another common error is sacrificing security for upfront cost savings. That’s never going to play out well. Without adequate proxy, decryption and an enforced policy on SSL-encrypted traffic, for example, your security could be weakened enterprise-wide.
A third mistake is overestimating SD-WAN’s features. For example, just because there are automatic updates doesn’t mean you don’t still need to keep your stack current with the latest security patches and updates as you scale. And you need more protection than what’s included with the typical solution, like a simple, stateful firewall. You can’t rely on those basics. You need to add something like UTM or next-gen firewalls that include intrusion prevention, SSL inspection, web filtering anti-malware protection and more.
And finally, just because SD-WAN is supposedly “one-click” and “zero-touch,” it’s not just “one-and-done.” You need to continually monitor and maintain the system 24/7/365 to keep up with the highest risks, like securing USB ports and shutting down network access for computers not authorized to be on the network. This can be a challenge at the WAN edge.
What should I ask SD-WAN providers about their security solutions?
Here are a few of the most important areas to discuss:
You should use stateful ACLs and application signatures from within an SD-WAN appliance to secure micro-segmentation between sites and datacenters. For site-to-internet security, use a security appliance on-premises or a cloud based centralized security solution.
What is the best way to manage branch security and coordinate across the network?
Depending on the number of sites, your remote users can manage branch security. But it becomes more difficult to manage, maintain and monitor when you have numerous sites if you don’t have “single pane of glass” visibility from a central location. That’s where a managed services provider comes in, offering full line of sight into the network from a central location and 24/7/365 proactive monitoring with alert generation.
Another common error is sacrificing security for upfront cost savings. That’s never going to play out well. Without adequate proxy, decryption and an enforced policy on SSL-encrypted traffic, for example, your security could be weakened enterprise-wide.
A third mistake is overestimating SD-WAN’s features. For example, just because there are automatic updates doesn’t mean you don’t still need to keep your stack current with the latest security patches and updates as you scale. And you need more protection than what’s included with the typical solution, like a simple, stateful firewall. You can’t rely on those basics. You need to add something like UTM or next-gen firewalls that include intrusion prevention, SSL inspection, web filtering anti-malware protection and more.
And finally, just because SD-WAN is supposedly “one-click” and “zero-touch,” it’s not just “one-and-done.” You need to continually monitor and maintain the system 24/7/365 to keep up with the highest risks, like securing USB ports and shutting down network access for computers not authorized to be on the network. This can be a challenge at the WAN edge.
What should I ask SD-WAN providers about their security solutions?
Here are a few of the most important areas to discuss:
• Stateful ACLs and number of ACLs they can support without compromising network performanceWhat are the best practices for securing network micro-segments?
• Application intelligence for traffic steering and prioritization
• Agility to add third party security solutions with life cycle management as an option
• Dynamic routing like BGP to address the automation of distributing subnets to the rest of the organization
You should use stateful ACLs and application signatures from within an SD-WAN appliance to secure micro-segmentation between sites and datacenters. For site-to-internet security, use a security appliance on-premises or a cloud based centralized security solution.
What is the best way to manage branch security and coordinate across the network?
Depending on the number of sites, your remote users can manage branch security. But it becomes more difficult to manage, maintain and monitor when you have numerous sites if you don’t have “single pane of glass” visibility from a central location. That’s where a managed services provider comes in, offering full line of sight into the network from a central location and 24/7/365 proactive monitoring with alert generation.
Are the risks greater in my branches or in the cloud?
Public cloud platforms are pretty good at securing the applications they house. But at your branch locations, you need IT experts to maintain patches and signature updates, for example. That’s why many customers find a managed services provider actually saves them money in the long run, by providing ongoing monitoring and maintenance without the expense of an IT expert on site at each location.
Is it possible to provide SSL-encrypted traffic inspections without compromising SD-WAN’s speed and performance?
Unfortunately, no. But you can reduce the performance hit by working with an SD-WAN provider who uses offloading like DPDK or SR-IOV technologies. For example, Frontier Managed SD-WAN utilizes DPDK to increase performance more than 50% with acceleration enabled.
What are the best practices for encryption, key exchange and key rotation?
The industry standard right now is IPSec for encryption with a key rotation frequency using 256bit encryption.
How does centralizing the network with managed SD-WAN make it more secure?
When you have a full view of current network activity, analytics and performance, along with an application layer view from a single, centralized location, you can quickly assess traffic patterns and proactively address issues and possible threats. For example, you can redirect unrecognized traffic to a centralized IDS/IPS system for additional inspection before allowing it to move forward. That’s why, given the limitations of most SD-WAN security solutions, managed SD-WAN is really the best option for securing your WAN in a comprehensive, meaningful and cost-effective way.
Frontier’s Managed SD-WAN solution pairs with Frontier’s SD-WAN Private Network (SD-WAN EVPL) to provide organizations with a compelling alternative to legacy MPLS connections.
