A recent survey of IT decision-makers found that replacing MPLS (Multiprotocol Label Switching) with an affordable alternative like SD-WAN and providing secure Internet access from any location top the list of use cases IT organizations will focus on in 2020. Given the advantages of SD-WAN over MPLS and the importance of a strong security posture, these choices may come as no surprise.
While several SD-WAN solutions claim to help enterprises achieve enterprise-grade performance, the security challenges facing modern enterprises make finding the right solution difficult. Here, we’ll dive into the security challenges facing SD-WAN solutions and explain how enterprises are solving them.
SD-WAN’s security problem
SD-WAN appliances provide virtual overlays that allow enterprises to abstract applications from the underlying network transport services. While SD-WAN appliances encrypt traffic, they don’t protect against malware or other network-based threats. They lack features such as NGFW (Next-Generation Firewall), IPS (Intrusion Prevention System), SWG (Secure Web Gateway), or anti-malware detection engines.
This becomes a problem because SD-WAN adoption often goes hand-in-hand with an increase in Internet-bound traffic. Without direct Internet access at the branch, SD-WAN loses much of its cost-savings and cloud performance benefits. At the same time, without advanced security, SD-WAN exposes the company to Internet-borne threats. This exposure also helps explain why one study found enterprises with completed SD-WAN implementations in the last year were 30% more likely to experience a breach at a branch office.
Security appliances as a solution
For many enterprises, efforts to improve security posture with SD-WAN start with adding security appliances at branch locations. This means sourcing, licensing, and maintaining a set of physical or virtual appliances for each branch. At a small scale, appliances alone may be enough. However, as businesses scale and the number of locations grows, appliance sprawl and complexity create operational and security challenges of their own.
For most enterprises, network traffic increases and resource demands grow over time. As a result, security appliances need to account for these realities. This means patching, configuring, and replacing security appliances is costly and time-consuming. Further, the more appliances are added to the network, the more complex the topology becomes. With each appliance, the opportunity for an oversight or misconfiguration to lead to a breach increases. Support for mobile users and cloud services is also severely limited with an appliance-based approach to security. Appliances are designed with physical branch locations in mind, and integrating support for mobile and cloud is often impractical or impossible.
Managed security solutions
To avoid the complexity of dealing with security appliances across multiple sites, many enterprises have turned to telco-managed services. Doing so eliminates the maintenance and management burden on in-house IT staff but doesn’t solve the underlying appliance scalability problems or directly address mobile and cloud. Further, change management with telco-provided services can be slow enough to hamstring productivity. A simple firewall policy change may take days to implement. In other words, by enabling businesses to offload the work to a third party and focus on core business, telco-managed solutions solve a problem, but they don’t directly address the inherent problems and threats related to appliance sprawl.
SD-WAN and cloud-based SWG: the pros and cons
Another approach to SD-WAN security is to combine SD-WAN appliances with a cloud-based SWG (secure web gateway). This paradigm addresses the issues of security appliance sprawl as the SWG resides in the cloud. It also provides an effective solution for inspecting site-to-Internet traffic.
The downside to this approach is that it is limited in security capabilities and lacks an underlying global network backbone. For example, some cloud-based SWGs lack next-gen antivirus to ward off zero-day threats. SWGs are also incapable of site-to-site packet inspection. As a result, to achieve enterprise-grade security, businesses must integrate additional third-party solutions, which increases capex, opex, and management complexity.

Shifting security inspection to the cloud
Another approach that enterprises are taking to address the security challenges of SD-WAN is adopting solutions that converge security and network infrastructure in the cloud. One popular approach is SASE (Secure Access Service Edge). With SASE, the SD-WAN is converged into a broader solution that includes security features, such as NGFW, SWG, IPS, and intelligent anti-malware engines built into a global, cloud-native platform.
This enables all users, including mobile users, and applications connected to the WAN to receive enterprise-grade protection without the need for individual appliances at each branch location. Additionally, because the secure network infrastructure resides in the cloud, connecting to cloud services and ensuring mobile users receive the same protection as on-premises users is simple. As a result, enterprises can move closer to Zero Trust Network Access (ZTNA) and limit risk without sacrificing performance.
While the SASE model makes implementing security simpler, there are many businesses that still may not have the in-house expertise to proactively monitor for breaches. To fill this need, SASE vendors have begun to offer Managed Threat Detection and Response (MDR) services to enable proactive hunting of network threats and detection of compromised endpoints.
One of the potential downsides of this cloud-based SD-WAN approach to integrating security into the underlying network is that enterprises receive the vendor’s security services. They can integrate their existing security solutions, but they then fail to receive the full capabilities of the SASE model. However, competitive pressures and strategic partnerships have kept leading cloud-based SD-WAN vendors mostly ahead of the curve when it comes to WAN security. For example, early last year, Cato Networks announced the integration of Zero-Day Threat Prevention from infosec industry-leader SentinelOne.
Final thoughts: securing your network in the SD-WAN era
There’s no single silver bullet when it comes to securing an enterprise network. Enterprises must select an approach that meets their needs from a performance, budget, and risk perspective. SD-WAN can play a part in finding the right balance. In fact, 89% of respondents to the aforementioned survey indicated they have or expect to achieve (or partially achieve) secure data delivery across the WAN or Internet after their SD-WAN deployment. The key to making the right decision is understanding the pros and cons of each approach to SD-WAN, and what they mean to your business.