Four security hurdles with SD-WAN (and how to avoid them)
Software-defined WAN (SD-WAN) has been reshaping the way enterprises construct their networks for the past few years. SD-WAN allows companies to intelligently route their traffic so that internet-bound traffic can be routed directly over inexpensive broadband links rather than sending it over costly MPLS networks and through centralized data centers. Such direct connections are essential in the era of cloud applications and BYOD.
Yet companies that choose the wrong SD-WAN platform, such as one that offers inadequate security, might have to bolt on additional solutions and will not realize the cost savings they’d anticipated or achieve the performance they’d desired. To avoid surprises and ensure that cybersecurity for each branch is as comprehensive as the security in the centralized gateway, we’ve found that there are four hurdles organizations must overcome. In doing so, they can also make SD-WAN as efficient and cost-effective as possible.
Hurdle 1: The firewall in your SD-WAN edge device is not enough
Firewalls are a vital part of making SD-WAN secure, but the firewalls that come with SD-WAN edge devices do not provide the extensive protection companies need. Generally, built-in firewalls only include packet filtering and Layer 3 protection. While these protections allow companies to restrict access based on IP addresses and ports, or when traffic uses specific protocols, they fail to offer next-generation firewall capabilities such as sandboxing, advanced threat prevention, data loss protection, IPS, and other vital services.
With attackers constantly improving their techniques, zone-based firewalls are insufficient. By adding application-aware, cloud-based firewall capabilities to complement the built-in stateful firewall in an SD-WAN edge device, companies can inspect traffic on-network and off for all users, applications, devices, and locations.
Hurdle 2: Traditional security approaches are not up to the task
When moving away from routing everything via MPLS through a centralized location, your approach to cybersecurity must obviously change. Think of it this way: you are not going to implement the cybersecurity stack housed in the central data center in each of the branch locations. It would be as exorbitant as it is unworkable. But local connections must be secured just as extensively as those traversing the data center. The trick is to do so without adding complexities that ultimately drive up staffing and resource costs.
Using security appliances at every location negates many of SD-WAN’s benefits, including cost reduction, reduced complexity, and increased business agility. And trying to cut corners is a mistake. When companies compromise by deploying smaller firewall or unified threat management (UTM) appliances locally, they end up with a maze of security point products that adds complexity and requires device management at every branch—while still failing to provide comprehensive security.
Moving security to the cloud enables local connections to be just as secure as connections through the central data center. A cloud solution empowers companies to break out and inspect traffic for all ports and protocols while offering a full stack of integrated security and access services. Such a solution will also protect mobile users connecting at home or on the road, using public Wi-Fi or mobile networks.
Ultimately, cloud-based security is preferable because it enables you to provide the same protections that would be found in the data center in every location without the cost or complexities of deploying appliances everywhere—and without compromising on security.
Hurdle 3: Attacks hide in encrypted traffic
Companies by now should recognize that maintaining security requires them to inspect all traffic. The problem is that SSL-encrypted traffic makes up an increasing majority of internet-bound traffic and is difficult to inspect at scale. Attackers, knowing that many businesses allow at least some encrypted traffic to go uninspected, hide threats in this traffic. In fact, more than 41 percent of network attacks use encryption to evade detection.[1]
To fully inspect SSL-encrypted traffic while ensuring the performance benefits of SD-WAN, companies need a security solution that uses a proxy-based architecture that inspects SSL-encrypted traffic at scale with centralized certificate management.
Hurdle 4: The trap of multiple security management platforms
A great benefit of SD-WAN is that it offers centralized network management and orchestration. If security adds complexity, it undermines that SD-WAN benefit. And added complexity means additional costs.
A comprehensive SD-WAN security platform must offer real-time visibility by user, application, and location. Managing logs should be streamlined and efficient. Using appliances at every branch location fails to meet these demands because attempting to manage and coordinate visibility across so many locations and devices is time- and resource-intensive. It’s also unrealistic, leaving companies with security gaps and fragmented policy configurations.
Regardless of the number of branches a company has, centralized policy control is essential to efficient and cost-effective SD-WAN security. But this can only occur with a cloud-based solution. Cloud-based security enables companies to push uniform policy changes to multiple locations instantly. Such a solution also allows you to stream—to the SIEM of your choice—a collection of all web, DNS, and cloud firewall logs and store them for up to six months, which is significantly longer than the retention offered by next-generation firewall and UTM solutions.
The move to SD-WAN can seem a bit overwhelming at first, particularly if you try to deploy and secure it on a traditional hub-and-spoke network with regional or centralized gateways. The key to cloud application performance is providing direct access to those apps. This makes local breakouts the key to SD-WAN success and makes a holistic approach to securing your local breakouts a critical step in your implementation. Having a single cloud-based security platform helps you overcome the four common hurdles to secure SD-WAN adoption. This approach is more secure and less costly than the alternatives and improves app performance and the user experience.
[1] Ponemon Institute, “Hidden Threats in Encrypted Traffic: A Study of North America and EMEA.”
Jen Toscano is a senior product marketing manager at Zscaler