A Quick Guide to SD-WAN Security: Internet, Bundled Features, and Buyer Tips

Posted on April 9, 2019

Today nearly every IT decision maker wants to invest in innovation that will facilitate network performance and agility without compromising security. For many, the answer is SD-WAN. The intersection between security and SD-WAN is critical in keeping data not only accessible but safe. Here’s a quick guide to the security benefits and precautions for SD-WAN.

SD-WAN Security: Need-to-Know Basics

The Security of SD-WAN Appliances

SD-WAN hardware is essentially a small computer, which means that the devices themselves are not necessarily built to be secure. In many cases, these devices may not have the most up-to-date operating system when they are shipped to the customer location, so checking for appliance security updates is critical.

What mistakes do enterprises make with SD-WAN security?

SD-WAN’s Bundled Security Features: Benefits and Challenges

Because SD-WAN secures traffic in transit, solutions that include integrated firewalls and associated unified threat protection have an advantage over solutions that require separate threat management. Properly configured SD-WAN devices can simplify security and defend data from attackers.

However, these bundled solutions can sometimes trigger challenges, blurring the line between network and security operations. Adding an unmanaged (and possibly unsecured) SD-WAN appliance to a corporate network can make roles and responsibilities confusing. Tight alignment is critical to help network teams address questions such as, “Does that mean our internal IT security team is responsible for managing the SD-WAN devices on our corporate network?” The worst-case scenario: the network team assumes the security team knows about the SD-WAN deployment and will take care of it. Then, critical security monitoring tasks are disregarded. It happens!

Overlooked Benefits: Segmentation & Zero Trust

Often overshadowed by other benefits, increased security is another advantage to come from SD-WAN. Built on flexible, software-defined architectural models, SD-WAN facilitates the normally difficult task of WAN segmentation, helping businesses deal with issues such as security threats from within. Segmentation is key due to the dramatic uptick of threats from inside a network, and it’s a focal point for many zero-trust security strategies.

SD-WAN makes segmentation and implementing zero-trust processes far easier, but it’s also playing a key role in first-line-of-defense capabilities. Approaches include SD-WAN solutions that whitelist online applications and websites for branch offices that may not have local firewalls.

SD-WAN and Internet: Security Risks and Resource Impacts

Given that SD-WAN paves the way for enterprises and their branch locations to leverage the internet for connectivity, security must be at the top of the priority list. When SD-WAN is deployed over dedicated internet connectivity or public broadband, it can introduce security risks that require next-generation firewalls, threat monitoring, and management. Therefore, bundling security into SD-WAN isn’t just an option—it’s a requirement.

Here’s a quick background. Closely monitored firewalls are key defense mechanisms when SD-WAN shifts the network architecture away from a small set of centrally managed internet gateways and toward a highly distributed set of gateways. Because this dispersed architecture inherently increases the attack surface, the next move of any savvy network engineer is to implement next-generation firewalls with Unified Threat Protection. Built-in features make this step seamless.

SD-WAN Security: Must-Have Features and Capabilities

Your enterprise must be prepared to defend against any increased vulnerabilities, including leveraging:

It’s not uncommon for CIOs and CISOs to feel overwhelmed at this point. SD-WAN implementation and management can tax IT resources. This is where managed SD-WAN, 24-7 security monitoring services, and managed detection and response solutions can help take the workload off your internal team. Service-based approaches are more scalable from both a resource and budgetary standpoint.

Secure SD-WAN: A Quick Buyer Guide

Looking to buy secure SD-WAN? Ask these three questions before you buy:

  1. Does your SD-WAN solution include an integrated, next-generation firewall with Unified Threat Protection (UTP)?
  2. Do you offer secure local Internet breakouts, and if so, how?
  3. Does your SD-WAN include an integrated router and firewall, making it easy to directly and securely route traffic to the Internet without stacking multiple devices at a given location?

Don’t forget about analytics. Buyers also take a hard look at security analytics, which are sometimes just bolted on as aftermarket components rather than built deeply into the SD-WAN solution. Within the online portal, most providers will give you visibility at the box level onsite, but not at the network level itself. However, partners with security and analytics tools integrated into the solution (truly embedded into the fabric of the software-defined network platform) offer the ability to view data from the actual network ports inside the SD-WAN portal. These are key differentiators for those seeking full transparency and the deepest levels of insight.

Ray Watson

Ray Watson is VP of Innovation at Masergy. He brings over 17 years of expertise in IT strategy, application solution design and next-generation network architectures. Ray has enabled numerous global enterprises in transforming their IT infrastructures to guarantee business outcomes. Ray is an industry thought leader in IT transformation and is a frequent speaker on topics such as hybrid networking, SDN, NFV, cloud connectivity and advanced security. Prior to joining Masergy, Ray worked at Airband Communications and Broadwing Communications. He holds a B.S. from Purdue University.
