
SD-WAN security: Protecting your traffic without losing efficiency


    Just as with any other enterprise telecommunications technology, cybersecurity must be part of the evaluation when you adopt, or consider adopting, a software-defined wide-area networking (SD-WAN) solution. Some of the measures commonly used to safeguard SD-WAN will be familiar even to those new to this virtualized network solution; others will be new and require some explanation.

    In today’s Techtorial blog post, we’ll look at the security methods used to protect the traffic passing through SD-WAN networks — and how they do their job without infringing on performance or quality of service.

    What are the key security features of SD-WAN?

    SD-WAN security begins with the IP security (IPsec) framework developed by the Internet Engineering Task Force (IETF) and common to most modern internet traffic. IPsec comprises the Authentication Header (AH) protocol, the Internet Key Exchange (IKE) protocol and the Encapsulating Security Payload (ESP) protocol, which together authenticate and encrypt packets.

    Packets, the building blocks of all internet transmissions, are carried back and forth through a process called tunneling. Whether the tunnels follow the IPsec standards or take the form of virtual private networks (VPNs), they establish a baseline of security for any information traveling over the public internet. Advanced Encryption Standard (AES) encryption with 128- or 256-bit keys is recommended to protect data in motion between the branch, the data center, the cloud and any other key endpoints. Meanwhile, authentication headers and ESP ensure, respectively, that packets come from trusted sources and that they have not been tampered with in transit.
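As an added illustration (not code from the article or from any SD-WAN vendor), the following Python audits IPsec proposal strings against the AES-128/256 baseline described above. It assumes strongSwan-style "encryption-integrity-dhgroup" notation, and the sample proposals are constructed.

```python
import re
from dataclasses import dataclass

# Assumed input format: strongSwan-style proposals such as "aes256-sha256-modp2048"
# or the AEAD form "aes128gcm16-ecp256". Sample proposals below are constructed.
ENC_RE = re.compile(r"^([a-z0-9]+?)(128|192|256)?(gcm|ccm)?(\d+)?$")
STRONG_INTEG = {"sha256", "sha384", "sha512"}
WEAK_INTEG = {"md5", "sha1"}
INTEG = STRONG_INTEG | WEAK_INTEG
WEAK_DH = {"modp768", "modp1024", "modp1536"}
DH_PREFIXES = ("modp", "ecp", "curve25519", "x25519")


@dataclass
class Finding:
    proposal: str
    ok: bool
    reasons: list


def check_proposal(proposal: str, require_dh: bool = True) -> Finding:
    """Pass only AES-128/256 with integrity protection and a non-weak DH group.

    require_dh=True suits IKE proposals; use False for ESP proposals without PFS."""
    tokens = proposal.lower().split("-")
    reasons = []
    m = ENC_RE.match(tokens[0])
    cipher, bits, aead = (m.group(1), m.group(2), m.group(3)) if m else (tokens[0], None, None)
    if cipher != "aes" or bits not in ("128", "256"):
        reasons.append(f"encryption '{tokens[0]}' is not AES-128/256")
    integ = [t for t in tokens[1:] if t in INTEG]
    dh = [t for t in tokens[1:] if t.startswith(DH_PREFIXES)]
    for t in tokens[1:]:
        if t not in integ and t not in dh:
            reasons.append(f"unrecognised token '{t}'")
    # GCM/CCM are AEAD modes and authenticate on their own; CBC-style AES needs a MAC.
    if aead is None and not integ:
        reasons.append("no integrity algorithm: packets would not be tamper-evident")
    reasons += [f"weak integrity algorithm '{t}'" for t in integ if t in WEAK_INTEG]
    if require_dh and not dh:
        reasons.append("no Diffie-Hellman group for the key exchange")
    reasons += [f"weak DH group '{t}'" for t in dh if t in WEAK_DH]
    return Finding(proposal, not reasons, reasons)


if __name__ == "__main__":
    SAMPLE = ["aes256-sha256-modp2048", "aes128gcm16-ecp256",
              "3des-md5-modp1024", "aes256-modp2048"]  # constructed
    for p in SAMPLE:
        f = check_proposal(p)
        print("PASS" if f.ok else "FAIL", f.proposal, "; ".join(f.reasons))
```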

    The increased visibility of network traffic that an SD-WAN deployment provides is also critical to its security. Network administrators have a centralized and fully transparent view of the activity on the network, enabling them to quickly identify unusual patterns or inconsistencies that could indicate unauthorized access, whether attempted or successful. However, to leverage visibility as fully as possible, an SD-WAN solution must cover all applications, users and devices; application-level insight won't be sufficient on its own.

    Microsegmentation is another SD-WAN feature that uses a core aspect of the solution's general functionality, the ability to redirect traffic in real time based on operational priorities, to contribute to security. It separates the traffic of different applications into individual segments, so that if one app is compromised via something in its traffic, the other apps are not put at risk by default. Admins can also adjust the security policies for individual segments of app traffic, applying more rigorous standards to the apps that need the tightest possible protection.
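To make the per-segment policy idea concrete, here is an added Python example (not code from the article or any SD-WAN product) of a default-deny microsegmentation policy in which each application belongs to one segment, cross-segment traffic needs an explicit allowance, and the most sensitive segment carries a stricter standard; the segment names, applications and flow records are constructed.

```python
from dataclasses import dataclass

# Default-deny segmentation: apps map to segments, and traffic between segments is
# allowed only where the source's peer list and the target's inbound rules permit it.

@dataclass(frozen=True)
class Flow:
    src_app: str
    dst_app: str
    dst_port: int
    encrypted: bool

@dataclass(frozen=True)
class SegmentPolicy:
    peers: frozenset          # segments this segment may initiate traffic to
    inbound_ports: frozenset  # ports other segments may reach inside this segment
    require_encryption: bool  # stricter standard for the most sensitive segments

APP_TO_SEGMENT = {"pos-terminal": "pos", "payment-gw": "payments",
                  "crm": "corp", "intranet": "corp", "guest-wifi": "guest"}

SEGMENTS = {  # constructed policy
    "pos": SegmentPolicy(frozenset({"payments"}), frozenset({443}), True),
    "payments": SegmentPolicy(frozenset(), frozenset({443}), True),
    "corp": SegmentPolicy(frozenset({"payments"}), frozenset({80, 443, 8080}), False),
    "guest": SegmentPolicy(frozenset(), frozenset(), False),
}

def evaluate(flow: Flow) -> tuple:
    """Return (allowed, reason) for one flow under the segment policies."""
    src = APP_TO_SEGMENT.get(flow.src_app)
    dst = APP_TO_SEGMENT.get(flow.dst_app)
    if src is None or dst is None:
        return False, "unknown application: default deny"
    if src == dst:
        return True, f"intra-segment traffic within '{src}'"
    if dst not in SEGMENTS[src].peers:
        return False, f"segment '{src}' is not permitted to reach '{dst}'"
    target = SEGMENTS[dst]
    if flow.dst_port not in target.inbound_ports:
        return False, f"port {flow.dst_port} is not exposed by segment '{dst}'"
    if target.require_encryption and not flow.encrypted:
        return False, f"segment '{dst}' requires encrypted transport"
    return True, f"'{src}' -> '{dst}' permitted on port {flow.dst_port}"

def denied_flows(flows) -> list:
    """Flows that violate policy, as (flow, reason) pairs ready for alerting."""
    results = [(f, evaluate(f)) for f in flows]
    return [(f, reason) for f, (ok, reason) in results if not ok]

if __name__ == "__main__":  # constructed flow records
    for flow, why in denied_flows([Flow("guest-wifi", "payment-gw", 443, True),
                                   Flow("pos-terminal", "payment-gw", 443, False)]):
        print("DENY", flow.src_app, "->", flow.dst_app, why)
```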

    Finally, an SD-WAN solution worth its salt should include next-generation firewalls (NGFWs). These can be either hardware-based (like traditional firewalls) or virtualized, and should provide malware detection, anti-virus measures, application monitoring, SSL inspection, web content filtering and intrusion detection and prevention.

    How secure is SD-WAN vs. traditional WAN?

    The security features common to SD-WAN solutions offer a level of protection for the WAN architecture underneath its overlay - usually cable or cellular broadband circuits or multiprotocol label switching (MPLS) infrastructure; sometimes both - that the WAN might not include on its own. This is particularly true of old-fashioned WANs protected only by stateful firewalls as opposed to NGFWs.

    That said, lower-budget SD-WAN deployments, which have predictably emerged in the market to undercut the leading sellers, may not include all of the security features a premium SD-WAN solution typically has. Also, if the network has all of its traffic traveling solely across the public internet (as some SD-WAN deployments do) instead of over MPLS or other private cloud connections, there will always be a certain degree of vulnerability.

    Choosing an SD-WAN solution from a vendor that has a strong reputation for its security capabilities is one key way to mitigate this risk. Enterprises can compound such protection by working with a managed services provider (MSP) that offers a wide selection of access points for that SD-WAN, such as parallel broadband networks, MPLS alongside a parallel broadband circuit, Ethernet over fiber and other options. Selecting a method of access that keeps some traffic off of the public internet, and ensuring that NGFWs and microsegmentation are included in the deployment, will ultimately help ensure that SD-WAN is more secure than traditional WAN.

    What are the best practices for ensuring SD-WAN security?

    Along with all of the native features and practices described above, enterprises must leverage the rest of their cybersecurity infrastructure to protect their SD-WAN deployments as thoroughly as possible.

    Integration with prominent security systems such as security information and event management (SIEM) and security orchestration, automation and response (SOAR) is key; this can be easily accomplished by using APIs to share SD-WAN operational data with both systems. (The SIEM should also collect the SD-WAN's logs.) Additionally, because SD-WAN's successful operation depends so heavily on the proper function of its software stack, patch discipline, meaning application and firmware updates are applied as soon as they become available, is especially important.

    Keeping track of devices and verifying their identity (and flagging devices of unknown provenance) is just as fundamental to SD-WAN security as it is for any other WAN. Using zero-touch provisioning in conjunction with two-factor authentication is an effective way to manage this responsibility. Other common practices that can benefit the networking solution’s security include vulnerability assessment, penetration testing, threat modeling and unified threat management.

    Last but not least, enterprises have to consider the physical security of SD-WAN devices in place at branch offices. This can involve restricting access to the hardware itself by keeping it in a secured location, or selecting devices with features that bolster their physical resistance to tampering or sabotage.

    As your MSP for SD-WAN, GTT Communications can help your organization find the perfect combination of SD-WAN vendors and connectivity options to maximize your deployment’s security strengths, while ensuring consistent performance via our global Tier 1 network backbone. Contact us today to learn more.


      FAQs ABOUT SD-WAN

      Below are some common mistakes organisations make when deciding whether SD-WAN is for them and when choosing a provider:

      Overestimating cost savings
      It is common for organisations to compare SD-WAN to what they perceive to be alternative options, particularly MPLS, and to look at this from a pure cost perspective. While there are potential cost savings that can result from SD-WAN deployment, the main benefit is that it improves the performance of networks. There is of course an advantage to using MPLS as an underlay for SD-WAN, as this gives both the performance advantages of SD-WAN and the isolation from Internet-based threats offered by MPLS.

      Forgetting about security
      SD-WAN may result in data being carried across the public internet, meaning security is imperative. While there are data security features included, such as strong encryption, it is important that SD-WAN is deployed in tandem with a robust security solution to meet your business needs and mitigate potential threats.

      Not giving enough thought to the integration of SD-WAN with legacy systems
      SD-WAN needs to be able to work with your existing network and systems. It is important that your implementation strategy takes into consideration any difficulties that may be caused by legacy systems, to avoid integration challenges.

      Choosing between DIY options and managed service providers
      It can be tempting for organisations to opt for the cost savings that come with a DIY service. While this might work for some, particularly large enterprises with an experienced and highly skilled IT team, this may not be the right choice for the majority. A managed service provider will be able to help develop an SD-WAN strategy and deploy the solution to meet your requirements. There are also options that fall between DIY and fully managed solutions where certain aspects of management may be opened up to you.

      Choosing between the range of choices
      Many new SD-WAN providers have come into the market in recent years. It is therefore important to consider exactly what your requirements are before you start engaging with providers.

      With an SD-WAN solution, data can travel across a range of network connections, some of which will be more secure than others. As this will include the use of public internet connections, organisations naturally have questions about the security implications.

      With SD-WAN there is a perceived security concern compared to legacy private networks due to the introduction of the Internet as transport. In reality this risk is neither more nor less with SD-WAN, and, as has always been the case, the assessed risk to data in transit should be determined by the underlying access type used. SD-WAN offers a level of built-in security, including strong encryption, but it is important that an SD-WAN solution is complemented by a robust security solution.

      For those with security concerns, a managed service provider with a security product portfolio might be the best option. These providers can assist in designing a full solution that incorporates SD-WAN and security.

      Examples of security products that may be used in conjunction with SD-WAN are:

      –  Next Generation Firewall (NGFW)
      –  Advanced Detection and Response (ADR)
      –  Managed Detection and Response (MDR)
      –  Security Information and Event Management (SIEM)
      –  Cyber Security Risk Assessment (SRA)
      –  SOC Services
      –  Web Application Firewall (WAF)
      –  Endpoint Protection
      –  Proxy Servers

      The primary goal of an SD-WAN deployment shouldn't be to save money, but to provide an enhanced user experience across your network. Whether costs are (or should be) reduced depends on a wide range of factors.

      SD-WAN does not replace wide area networks, meaning budget is still required for MPLS, for example. However, there are potential cost savings, as well as productivity improvements, that can be achieved with an SD-WAN deployment. These include the following examples:

      Network costs
      While SD-WAN won’t replace MPLS, it can result in less reliance on it, therefore reducing outlay.

      Network management
      As SD-WAN uses software to make intelligent decisions on traffic routing, it can lead to savings on the physical time it takes to manage networks.

      Faster network speeds
      Via fuller use of what were previously backup connections, leading to increased employee productivity.

      Downtime avoidance
      SD-WAN can optimise networks to reduce downtime, again increasing employee productivity.

      Latency reduction
      With SD-WAN making decisions on the best way of routing data, it can lead to data travelling an alternative route to reduce latency where possible.

      Flexibility
      The flexibility on offer means updates can be made more quickly.

      There are various steps that should be taken when deploying your SD-WAN solution. Obviously if you're planning to go down the 'Managed Service Provider' route, you should opt for a provider with multiple technology options and they will help you to navigate their different offerings to determine the most appropriate technology. The below is an example of a deployment process:

      Planning
      –  Think about integration with legacy systems
      –  Assess your current setup and your expectations of the improvements SD-WAN will provide
      –  Put together a clear statement of your requirements before you start talking to providers

      Initial search for providers
      –  Consider at least three providers based on your requirements
      –  With each provider, discuss the problems you are looking to solve and the enhancements you expect to achieve. This will provide them with an opportunity to explain how they can help you meet these objectives
      –  Ensure you choose a provider with access to multiple technology vendors who can talk you through the different options and help you to choose a vendor solution that is right for your specific needs

      Design phase
      –  Once you have decided on a provider, involve them in the design of your SD-WAN solution. They are experts in their field, so you can benefit from their experience
      –  Discuss security concerns and required security solutions with your chosen provider
      –  Discuss your plan with internal stakeholders and consider feedback

      Deployment
      –  Consider deploying your SD-WAN solution on some parts of your network first so you can test it and become familiar with it before full deployment
      –  Ensure thorough training is provided to anyone who will be hands-on with the SD-WAN solution
      –  Roll out further only once you are ready

      People often ask what the differences are between SD-WAN and MPLS. However, SD-WAN is not an alternative to MPLS, but it may use MPLS, as well as other connections such as the public internet, as a way of delivering traffic over the most efficient route. To a degree, therefore, SD-WAN and MPLS should be seen as complementary technologies.

      An SD-WAN solution will make decisions on the most appropriate connection for data transfer in any particular scenario. In some instances, for example for sensitive data, MPLS will be the preferred route, but in other instances a public internet connection will be suitable. As opposed to exclusively routing data across MPLS connections, this can result in less reliance, and therefore lower spend, on MPLS.

      With an increasing number of providers having entered the SD-WAN market in recent years, choosing the right one for you is not an easy task. Things to consider include:

      Geographic reach
      For multinational organisations it is important that the solution you choose is able to cope with your international reach, as well as the range of connections (e.g. leased lines, Ethernet, broadband/xDSL, 4G/LTE/5G, etc.) you use to carry your data.

      DIY vs. managed service offerings
      Do you wish to implement and manage your SD-WAN solution in-house, or do you need the support of a managed service provider? If the former, you need to be confident you have the required expertise and resources (proactive monitoring, troubleshooting, 24/7 support, etc.) in-house. A managed service will be the preferred choice for many, but it is still important to make sure your provider is able to offer all the support you need.

      Flexibility
      For some organisations, flexibility is important. For example, you might want the flexibility to re-configure your setup due to changing priorities or changes to your network in future.

      SLA & performance
      Having a service level agreement in place can provide you with the confidence that you will receive the level of performance you require.

      Price
      While making a choice simply based on cost is rarely the best strategy, it is important that you are getting good value for money. You need to strike the right balance between a solution that meets all your business requirements and avoiding paying for things you don’t need.
