Just as you would with all other technologies in enterprise telecommunications, you must take cybersecurity into consideration when adopting a software-defined wide-area networking (SD-WAN) solution or considering doing so. While some measures commonly used to safeguard SD-WAN should be familiar even to those new to the virtualized network solution, others will be new and require some explanation.
In today’s Techtorial blog post, we’ll look at the security methods used to protect the traffic passing through SD-WAN networks — and how they do their job without infringing on performance or quality of service.
What are the key security features of SD-WAN?
SD-WAN security begins with the IP security (IPsec) framework developed by the Internet Engineering Task Force (IETF) and widely used to protect modern internet traffic. IPsec encrypts and authenticates packets using three main pieces: the Authentication Header (AH) protocol, the Internet Key Exchange (IKE) that negotiates keys between endpoints, and the Encapsulating Security Payload (ESP) protocol.
Packets — the building blocks that form all internet transmissions — are carried between sites through a process called tunneling. Whether the tunnels follow the standard IPsec protocols or take the form of virtual private networks (VPNs), they establish the security baseline for any information traveling over the public internet. Advanced Encryption Standard (AES) encryption with 128- or 256-bit keys is recommended to protect data in motion between the branch, data center, cloud and any other key endpoints. Meanwhile, the authentication header and the ESP framework verify that packets come from trusted sources and haven’t been tampered with while in transit.
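To make the ESP and AES description above concrete, here is an added example in Go (not code from the original post or from any SD-WAN vendor) that encapsulates a payload the way ESP does: AES-GCM protects the data, while the SPI and sequence number stay readable but are bound into the integrity tag, so altering either the payload or the header is detected. The function names, the constructed key and the simplified nonce derivation are assumptions; in a real tunnel IKE negotiates the key and salt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Simplified ESP packet (after RFC 4303): SPI (4 bytes) || sequence number (4 bytes) || ciphertext || GCM tag.
// Nonce = 4-byte salt || 8-byte IV carrying the sequence number (RFC 4106 style), so no nonce repeats under one key.
const hdrLen = 8

// newESPCipher wraps a 128- or 256-bit key in AES-GCM; real IPsec gets this key from IKE.
func newESPCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func nonceFor(hdr []byte) []byte {
	nonce := make([]byte, 12) // salt left zero here; IKE derives it alongside the key
	copy(nonce[8:], hdr[4:8])
	return nonce
}

// sealESP leaves the header in the clear so the receiver can find its SA, but binds it
// into the tag as associated data, so a forged SPI or sequence number fails to verify.
func sealESP(aead cipher.AEAD, spi, seq uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], spi)
	binary.BigEndian.PutUint32(hdr[4:8], seq)
	return append(hdr, aead.Seal(nil, nonceFor(hdr), payload, hdr)...)
}

// openESP verifies the tag before returning anything: a packet whose payload or header
// was altered in transit, or that was built without the SA's key, is rejected outright.
func openESP(aead cipher.AEAD, pkt []byte) (spi, seq uint32, plain []byte, err error) {
	if len(pkt) < hdrLen+aead.Overhead() {
		return 0, 0, nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	plain, err = aead.Open(nil, nonceFor(hdr), pkt[hdrLen:], hdr)
	if err != nil {
		return 0, 0, nil, errors.New("integrity check failed: tampered or wrong key")
	}
	return binary.BigEndian.Uint32(hdr[0:4]), binary.BigEndian.Uint32(hdr[4:8]), plain, nil
}
```

Note the split the page describes: the AES-GCM ciphertext provides confidentiality, while the tag over header plus payload is what lets the receiver reject packets that were modified or that did not originate from a peer holding the key.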
The increased visibility of network traffic that an SD-WAN deployment allows for is also critically important to ensuring its security. Network administrators have a centralized and fully transparent view of the activity therein, enabling them to quickly identify unusual patterns or inconsistencies that could be indicative of unauthorized access (whether attempted or successful). However, to leverage visibility as successfully as possible, an SD-WAN solution must be able to cover all applications, users and devices — application-level insight won’t be sufficient on its own.
Microsegmentation is another SD-WAN feature that uses a core aspect of the network solution’s general functionality — the ability to redirect traffic in real time based on operational priorities — to contribute to security. This process separates the traffic of different applications into isolated segments, so if one app is compromised through its traffic, the other apps are not automatically put at risk. Admins can also adjust the security policies for individual segments of app traffic, applying more rigorous standards to apps that need the tightest possible protection.
Finally, an SD-WAN solution worth its salt should include next-generation firewalls (NGFWs). These can be either hardware-based (like traditional firewalls) or virtualized, and should provide malware detection, anti-virus measures, application monitoring, SSL inspection, web content filtering and intrusion detection and prevention.
How secure is SD-WAN vs. traditional WAN?
The security features common to SD-WAN solutions offer a level of protection for the WAN architecture underneath its overlay — usually cable or cellular broadband circuits or multiprotocol label switching (MPLS) infrastructure; sometimes both — that the WAN might not include on its own. This is particularly true of old-fashioned WANs protected only by stateful firewalls as opposed to NGFWs.
That said, lower-budget SD-WAN deployments, which have predictably emerged in the market to undercut the leading sellers, may not include all of the security features a premium SD-WAN solution typically has. Also, if the network has all of its traffic traveling solely across the public internet (as some SD-WAN deployments do) instead of over MPLS or other private cloud connections, there will always be a certain degree of vulnerability.
Choosing an SD-WAN solution from a vendor that has a strong reputation for its security capabilities is one key way to mitigate this risk. Enterprises can compound such protection by working with a managed services provider (MSP) that offers a wide selection of access points for that SD-WAN, such as parallel broadband networks, MPLS alongside a parallel broadband circuit, Ethernet over fiber and other options. Selecting a method of access that keeps some traffic off of the public internet, and ensuring that NGFWs and microsegmentation are included in the deployment, will ultimately help ensure that SD-WAN is more secure than traditional WAN.
What are the best practices for ensuring SD-WAN security?
Along with all of the native features and practices described above, enterprises must leverage the rest of their cybersecurity infrastructure to protect their SD-WAN deployments as thoroughly as possible.
Integration with prominent security systems such as security information and event management (SIEM) and security orchestration, automation and response (SOAR) is key; this can be easily accomplished by using APIs to share SD-WAN operational data with both systems. (The SIEM should also collect SD-WAN logging information.) Additionally, because SD-WAN’s successful operation is so dependent on the proper function of its software stack, patch discipline — ensuring application and firmware updates are applied as soon as they become available — is especially important.
Keeping track of devices and verifying their identity and provenance is just as fundamental to SD-WAN security as it is for any other WAN. Using zero-touch provisioning in conjunction with a two-factor authentication process is an effective way to manage this responsibility. Other common practices that can benefit the networking solution’s security include vulnerability assessment, penetration testing, threat modeling and unified threat management.
Last but not least, enterprises have to consider the physical security of SD-WAN devices in place at branch offices. This can involve restricting access to the hardware itself by keeping it in a secured location, or selecting devices with features that bolster their physical resistance to tampering or sabotage.
As your MSP for SD-WAN, GTT Communications can help your organization find the perfect combination of SD-WAN vendors and connectivity options to maximize your deployment’s security strengths, while ensuring consistent performance via our global Tier 1 network backbone. Contact us today to learn more.