Security is the top concern for most organizations updating their wide-area networks (WANs); other concerns include ensuring high-performance connectivity to branch offices and managing the escalating costs of traditional connections such as MPLS.
Today, networks have multiple connectivity requirements as well as types of connectivity: secure, diverse, highly available, public and/or private cloud, and Software as a Service (SaaS) connectivity. With data moving across networks and between different ecosystems and devices, both core data centers and cloud environments need to connect to branch offices and IoT devices to meet new digital enterprise requirements. To address the growing need for future-proofing and scalable connections, organizations are replacing the traditional WAN connections to their remote locations with SD-WAN.
With MPLS being the go-to technology in the past decade, enterprise customers typically adopted a centralized architecture versus a distributed security architecture. Transitioning to highly interconnected networks with the incorporation of cloud and SaaS solutions requires architecture and security redesign for networks moving away from private MPLS networks.
SD-WAN offers the ability to use available WAN services, both private and public connectivity, more effectively and economically—giving users across distributed organizations the freedom to better engage customers, optimize business processes, and innovate. SD-WAN services can provide WAN optimization as well as application awareness, secure tunneling, Quality of Experience (QoE), and SaaS acceleration. This not only enables faster performance for cloud-based applications and platforms but also enhances performance for hosted voice and video solutions.
SD-WAN SECURITY CONCERNS
Regrettably, of the many SD-WAN solutions available today, almost none provide a truly integrated security strategy. While many provide basic VPN connections and some simple stateful security for Layer 2 and 3 protections, they do not address the range of Layer 4-7 security issues to which today’s digital businesses are increasingly exposed. Vendors deliver basic firewalling capabilities in their SD-WAN appliances. These firewalls are roughly equivalent to the stateful firewalls you might see in a branch office router. Many SD-WAN solutions include policy-based filtering and the blocking of applications based on port or IP address. Network security issues are compounded when organizations try to extend the complex, multi-vendor security strategy they have deployed inside their core networks to their cloud, mobility, and SD-WAN environments. Not only do these hybrid, multi-vendor architectures fail to provide consistent levels of protection in different environments, they also fail to provide seamless security for the data, applications, and workflows moving between these ecosystems.
Basic stateful firewalls might be sufficient for basic connectivity that relies on an elementary network address translation (NAT) solution to connect locations across the Internet to specific SaaS IP addresses, but not for broader Internet access. For that, you’ll need capabilities such as a next-generation firewall (NGFW), an intrusion prevention system (IPS), URL filtering, and more. It’s for that reason that SD-WAN appliance vendors have partnered with third-party security providers to deliver cloud security, emphasizing the ability to direct traffic from across the SD-WAN to the security resources using service insertion and service chaining. Leveraging third-party providers for cloud security has improved security compared to the basic stateful firewalls included in the SD-WAN providers’ own appliances. Using cloud security also allows organizations to avoid the deployment and operational challenges of a security appliance at the branch. Care must still be taken that both site-to-Internet and site-to-site traffic are secured. Companies are also left deploying and managing two entities — the SD-WAN and the firewall (appliance or service) — which requires two different administrative portals.
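The gap between port/IP filtering and Layer 7 awareness described above is easy to see in a small policy model. The following is an added example, not code from the original article or any SD-WAN vendor. It assumes a simplified rule format of my own design, constructed RFC 5737 documentation addresses (203.0.113.0/24 standing in for a SaaS provider's published IP range, 198.51.100.7 for an arbitrary Internet host) and constructed hostnames under `.example`. It evaluates the same flows under a narrow "NAT to specific SaaS IPs" policy, under a "broad Internet access on 443" policy, and under that broad policy with an application check layered on top.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple

# Constructed flow record: what a stateful branch firewall sees (L3/L4 fields)
# plus the TLS Server Name Indication that only an L7-aware inspector parses.
@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str                 # "tcp" or "udp"
    sni: Optional[str] = None  # None when no L7 inspection is available

# Hypothetical L3/L4 rule: destination network, optional port/protocol, action.
@dataclass
class L34Rule:
    dst_net: str               # CIDR notation
    dst_port: Optional[int]    # None matches any port
    proto: Optional[str]       # None matches any protocol
    action: str                # "allow" or "deny"

def match_l34(rule: L34Rule, flow: Flow) -> bool:
    """True when the flow's destination, port and protocol fit the rule."""
    if ip_address(flow.dst_ip) not in ip_network(rule.dst_net):
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    return True

def evaluate_l34(flow: Flow, rules: List[L34Rule]) -> str:
    """First-match evaluation with an implicit deny, like a basic stateful firewall."""
    for rule in rules:
        if match_l34(rule, flow):
            return rule.action
    return "deny"

def evaluate_l7(flow: Flow, rules: List[L34Rule], approved_apps: List[str]) -> Tuple[str, str]:
    """L3/L4 policy first, then an application check on TLS flows.

    Returns (decision, reason). Only the application name is checked here;
    a real NGFW would also validate the server certificate and inspect content.
    """
    decision = evaluate_l34(flow, rules)
    if decision != "allow":
        return decision, "l34-deny"
    if flow.proto == "tcp" and flow.dst_port == 443:
        if flow.sni is None:
            return "deny", "no-sni"  # cannot identify the application, fail closed
        if not any(flow.sni == d or flow.sni.endswith("." + d) for d in approved_apps):
            return "deny", "unapproved-app:" + flow.sni
    return "allow", "ok"

# Constructed policies.
# 1) The "NAT to specific SaaS IPs" model: only the provider's range on tcp/443.
SAAS_ONLY_RULES = [L34Rule("203.0.113.0/24", 443, "tcp", "allow")]
# 2) Broad Internet access: any host on tcp/443 and tcp/80.
INTERNET_RULES = [
    L34Rule("0.0.0.0/0", 443, "tcp", "allow"),
    L34Rule("0.0.0.0/0", 80, "tcp", "allow"),
]
# Applications the organization has approved (constructed names).
APPROVED_APPS = ["saas.example"]

# Constructed sample flows from a branch host.
SAAS_FLOW = Flow("10.1.2.3", "203.0.113.10", 443, "tcp", "mail.saas.example")
OTHER_TLS_FLOW = Flow("10.1.2.3", "198.51.100.7", 443, "tcp", "cdn.unapproved.example")
SSH_FLOW = Flow("10.1.2.3", "198.51.100.7", 22, "tcp")

def run_comparison() -> List[Tuple[str, str, str]]:
    """Evaluate each sample flow under each policy; returns (flow, policy, decision) rows."""
    rows = []
    for name, flow in [("saas", SAAS_FLOW), ("other-tls", OTHER_TLS_FLOW), ("ssh", SSH_FLOW)]:
        rows.append((name, "saas-only-l34", evaluate_l34(flow, SAAS_ONLY_RULES)))
        rows.append((name, "internet-l34", evaluate_l34(flow, INTERNET_RULES)))
        rows.append((name, "internet-l7", evaluate_l7(flow, INTERNET_RULES, APPROVED_APPS)[0]))
    return rows

if __name__ == "__main__":
    for flow_name, policy, decision in run_comparison():
        print(f"{flow_name:10} {policy:14} {decision}")
```

The narrow SaaS-only policy is safe precisely because it never opens tcp/443 to the whole Internet; the moment broad Internet access is granted, the L3/L4 evaluator allows any TLS flow regardless of which application is behind it, and only the L7 check distinguishes an approved SaaS host from an unapproved one. The `no-sni` branch shows the fail-closed choice a defender wants when the inspection point cannot see the application at all (for example, traffic that bypasses the inspector or uses Encrypted Client Hello).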
Some vendors are including Next Generation Firewall (NGFW) capabilities within their SD-WAN appliances, giving customers a single GUI to manage. These vendors may have limited feature functionality as well as resource constraints on the SD-WAN device. Enterprise customers also turn to third parties to supplement missing NGFW features, and some vendors repackage specific third-party NGFWs in their appliances. Managed Service Providers (MSPs) claim to repackage best-of-breed, third-party services as part of their Managed Secure SD-WAN appliance. Other vendors are able to run third-party virtual network functions (VNFs) within their appliance. Organizations gain one physical device to deploy, but they are still left managing separate security and networking domains, even though it’s a single GUI. It’s precisely that kind of fragmentation that has obscured IT visibility and control.
There are also questions about the appliance model itself. Appliances carry significant lifecycle costs for testing, deploying, maintaining, and managing the appliance (unless you have a managed services agreement that includes appliance upgrades). The limited resources of an appliance can often force unexpected hardware upgrades as traffic levels jump or when compute-intensive features, such as IPS or SSL interception, are enabled. Appliances are also limited to protecting the sites where they are deployed. At the same time, several security vendors have announced SD-WAN capabilities for their NGFW appliances.
With SD-WAN-enabled firewall appliances, security is far better than the basic firewalls included in SD-WAN appliances. However, organizations are still limited by the constraints of appliances. More importantly, while many of these appliances appear good on paper, they lack the maturity of a seasoned SD-WAN offering.
Ideally, the industry will evolve to deliver threat protection at the cloud’s edge as well as the customer’s WAN gateway points to help organizations avoid the challenges created by having to adopt fragmented, multi-vendor security strategies to protect their SD-WAN deployments.
Customers need security tools that provide the full range of security solutions and are also natively integrated into the SD-WAN solution. With such tools, security can dynamically adapt to changes in connectivity and support business-critical applications and transactions. Those tools also need to seamlessly interoperate with tools deployed in other environments, whether in the core network, in the cloud, or deployed in endpoint and IoT devices. And finally, they all need to be managed through a single management and analysis portal to ensure that policies can be easily deployed, orchestrated, and updated wherever data and workflows need to travel.
While the industry strives to evolve the security technologies surrounding SD-WAN, providers and consultative solution planners will be a good source of information and expertise to support organizations as they undertake SD-WAN initiatives.
Published on Tuesday, January 7, 2020 @ 2:46 PM CDT