Maksim Pasko - Fotolia

Securing the SD-WAN: The next network challenge

Every time an enterprise weighs up whether or not to try SD-WAN, security is an essential part of the picture

The arguments for deploying a software-defined wide area network (SD-WAN) are becoming better known as the technology continues its journey into the enterprise mainstream, even if there remains a bewildering plethora of networking setups that take the name.

But perhaps the essential question that arises when an enterprise is transitioning from traditional branch-and-datacentre connectivity, using multiprotocol label switching (MPLS) circuits most likely, and towards direct internet access and SD-WAN technologies is how to navigate the security risks. There’s a need for visibility, in particular, into all those service dependencies spread across the internet.

Alexander Anoufriev is CISO of network intelligence cloud platform ThousandEyes. He said SD-WAN adoption is frequently viewed as an easy way to take the sting out of the inherent unpredictability of internet transit because it uses metrics, such as overall latency, to execute defined policies.

“But while these metrics give SD-WAN a certain level of ‘internet awareness’ and enable it to make decisions based on path performance, it’s important to remind ourselves that an SD-WAN doesn’t control the internet,” Anoufriev. “If something goes wrong, SD-WAN can’t tell you what the problem is or who’s responsible.

“It can’t tell you if an upstream ISP is dropping packets, or if a Border Gateway Protocol (BGP) hijacking has put your users at risk. It can’t even tell you if your performance is in line with area norms.”

It’s a good point. And remember, too, all the external dependencies that are needed to reach applications and services. These include BGP routing, a variety of internet service providers (ISPs), DNS service, cloud security proxies, content delivery networks (CDNs), DDoS protectors, and others – so you need to see every hop in the network path, along with detailed loss, latency and jitter metrics.

“Relying on SD-WAN as your sole source of internet visibility is like relying on sunglasses as your sole source of sun protection,” said Anoufriev. “Sure, you have some limited coverage, and it will undoubtedly influence your perspective. But you’re in for a nasty burn if you’re going outside the shade of your datacentre or branch office unprotected.”

SD-WAN as a service

While we might expect Anoufriev, who works for a security-of-networks cloud platform, to emphasise the need for constant monitoring of the SD-WAN, he’s clearly not wrong that many flavours of SD-WAN seem to land with a certain amount of baggage in security terms.

Jan Hein Bakkers is a networks research manager for the analyst group IDC and said the immaturity of a fragmented marketplace shouldn’t be overlooked.

“There are so many products, propositions and players out there – DIY, managed services from different telcos, SD-WAN startups, networking companies that have moved into the space, and so on,” he said. “They are far from all being the same and there is no SD-WAN standard.

“In fact, I would go so far as to say interoperability and standardisation in the space is non-existent. Buyers need to understand that, and therefore take the trouble to understand fully just what they are tying themselves to when they do make a pick. Because they all have a different story to solve a familiar problem of networks reliability, performance and bandwidth.”

So these different plays in the SD-WAN marketplace need to navigated, for sure, and it’s this that will or should govern the security approach taken by an enterprise CISO or CIO.

Security proposition

We should recognise, too, that some parts of the marketplace for SD-WAN are heavily focused on the security proposition and are effectively selling secure SD-WAN as a service. The push is being made on the basis that the rise in cloud services has introduced complexity to the network that needs a security-related response to protect internet traffic.

The likes of Cato Networks, Zscaler, VeloCloud from VMware and Cisco’s SD-WAN offer are all offering a version of this kind of protection proposition, one way or another, and for some network buyers one of these offers could well deliver a drop-in solution to an otherwise knotty problem.

Zscaler’s proposition, for example, still requires an SD-WAN partner in the mix but has been set up to make it easy to migrate from hub-and-spoke to a cloud-enabled architecture by enabling secure local internet breakouts for branches.

“Simply route internet-bound traffic to Zscaler and immediately begin inspecting all traffic – all ports and protocols, including SSL,” it said. “You can define and immediately enforce access and security policies across all locations from a single console.”

Cato Networks, to take one more use case, posits the argument that SD-WAN’s introduction of  internet transports into MPLS WAN expands capacity and offloads internet-bound traffic at the branch, but fails to address the network security requirements of accessing internet and cloud resources.

Its proposition to make this safer is “a fully converged global SD-WAN with built-in network security, delivered as a cloud service”.

“SD-WAN edge device is the enabling network infrastructure and core capabilities, such as policy-based routing and transport-agnostic overlay, are extended to address problems with traditional SD-WAN.”

It’s complicated

Yet, these end-to-end, embedded-secure-SD-WAN-in-the-cloud offers are only a part of the picture, of course – and most CISOs would be wise to remind themselves of this.

Donna Johnson, vice-president of product marketing at 4G networks business Cradlepoint, said: “One thing SD-WAN has done poorly has been overselling the simplicity of SD-WAN insertion.

“While it might be straightforward for some, there’s lots to think about and many companies don’t have a good understanding even of the applications in their setup. For a more traditional SD-WAN deployment, that’s something that matters”

In terms of security, Johnson makes the point that SD-WAN projects should always be coordinated jointly by networks and security functions.

“For example, you might find that a firewall rule stops SD-WAN in its tracks, and many companies don’t understand their router set-ups, which can get quite complicated over several years of network changes and additions.”

Securing the network

What other kinds of SD-WAN security might be reviewed by an enterprise considering a deployment?

Paul Dawes is chief executive of Mode, which has a particular offer in the SD-WAN market – offering a “global overlay” for carrier-grade networks like Microsoft Azure to ensure a high-performing cloud private network. He said the starting point has to be deciding what kind of SD-WAN proposition is in the frame.

“Are you going to opt for a more traditional network deployment, with firewalls and web gateways, but with software delivering a new level of control and strategic visibility, or go down the outsourced model offered by Zscaler and the like? These two options are two among many, yes, but the point is they are worlds apart in terms of architecture and worlds apart in terms of the kind of attentions that will be needed for the new WAN to deliver and be secure.”

Mode itself is focused on the middle-mile of the network, and Dawes said its offer is important in the space in security terms because it offers a third way – a private core backbone – that’s an alternative to MPLS and the internet, delivering encryption and quality of service.

“The big question with security and network architecture is whether you can deliver end-to-end encryption of traffic? Are your keys exposed anywhere? You have to be able to trust the carrier when it comes to encryption.”

Attitudes to security will also vary a lot based on context. Where a really large enterprise (or perhaps a company working in a highly regulated space) will have a CISO conducting security audits and asking about vulnerabilities in a systematic way, including decrypted traffic, in many organisations there won’t be this kind of detailed scrutiny and red lines that cannot be crossed.

But enough theory. Let’s look at a couple of companies deploying SD-WAN in practice. 

SD-WAN and the global law firm

Mode has been working on an SD-WAN deployment with a large law firm with a global footprint. The firm has a sophisticated document management system, high-billing staff and demanding clients – and it needs a reliable and secure network to match, with a 15Gbps backbone and end-to-end encryption.

“With SD-WAN, their quality bar does not change,” said Dawes. “In this case, the firm ruled out the cloud-based SD-WAN security options because the way that encryption works in those contexts wasn’t quite right for their needs, with data being decrypted in another’s infrastructure.”

Instead, the firm opted for Mode’s private backbone allied to orchestration using SD-WAN.

“Once their CISO understood our private core offer it sped things up,” he said. “We have to show how we handle a DDoS or a compromised POP [point of presence], but the combination of SD-WAN and private core means that, for the firm, even in the worst case scenario, traffic just routes over the internet.”

Like most SD-WAN deployments, a phased roll-out is also an important part of the security picture, with trials before wider adoption.

“One nice thing about SD-WAN is the way the orchestration means you can selectively implement changes,” said Dawes. “That’s essential for a big enterprise, and over time, bandwidth growth can be managed dynamically, too.”

How Everyday Loans deployed SD-WAN

Another who has been on a journey with SD-WAN and security is Tony Sheehan, technology and infrastructure manager at UK-wide bad-credit loans provider Everyday Loans.

“The company is 12 years old, is a Citrix user and is a branch-based business with a head office and 40 branches,” said Sheehan. “The impetus for adoption of SD-WAN was reliability and the need for more bandwidth, even if our need in the branches isn’t that great, with just a few users in each location.”

The company was using MPLS over EFM copper, with apps delivered from a central datacentre. When an upgrade was on the cards, about 18 months ago, he said Cato Networks’ cloud-based SD-WAN was a good fit once he explored the service.

“We are quite a simple business and wanted a simple deployment. We don’t have the security dilemmas of some others, either. We are committed Citrix users, too, and ease-of-adoption without a big investment was very appealing. The IT networking integrator LAN3 has supported us on the journey at every step, and made it simple.”

Everyday Loans’ locations are in town centres, where the most reliable option is fibre in theory but there isn’t universal availability, said Sheehan.

“Our copper connections work for our needs, backed up by a 4G router, and with Cato providing secure tunnelling to Cato Cloud with its Cato Socket SD-WAN device,” he said. “Cloud datacentres are integrated via a tunnel from the Cato Cloud to the VPN Gateway, which is agent-less.”

Read more about SD-WAN technology

  • Take-up of software-defined networking in corporates is slower than expected. Where have we reached on the journey to software-controlled networks – and SD-WAN in particular – becoming the norm?
  • Software-defined wide area networking is well on its way to being a multi-billion dollar market. We assess the current state of the market and look at some of the options for enterprise CIOs and network managers.

When it comes to security, Sheehan said there was the potential for increased attack exposure with internet into the branches, but Cato’s services such as firewall-as-a-service and other security offers gives the protection that’s needed.

“Our security before was quite traditional, with everything coming back to the datacentres and with a tightly controlled perimeter,” he said. “That’s still there, but the SD-WAN setup has introduced different parameters that Cato’s services are able to cover off.”

Now the branches are using web interfaces, and Office365 and other cloud apps either back into the datacentre over private links or by using internet breakout that’s protected. 

“We’ve moved from hub-and-spoke to a multi-breakout network with a single admin interface,” said Sheehan. “It’s working well, though it is still relatively early days. There’s a security audit we’ve started, to establish some new baselines and some new exposures we need to fully understand as we embrace cloud more and more. We are using analytics to keep track of our connection reliability, too.”

As for encryption, he said he trusts Cato encrypts between points, with site-to-site standard tunnelling and internet breakout as per the browser request.

“I’m really pleased so far,” said Sheehan. “We’re not a fintech but a fairly traditional financial services company, so having a simple-to-manage infrastructure remains the key.

“We don’t want to have to employ an admin team to run a 100-point network, so easy administration and deployment is just the ticket,” he said. “Making better use of new network analytics capabilities from here is also on my to-do list.”

Read more on Software-defined networking (SDN)

Data Center
Data Management