Introduced in 2014, software-defined WAN or SD-WAN is a relatively new concept that rose to prominence in recent years because of the surge in remote work. Organizations need to secure their networks and IT systems from threats that target their new working setup.
VPNs used to be the main method of securing remote workstations, creating private tunnels that enable secure access to files and applications at work. However, the growing number of remote employees presents new challenges, especially in scalability, manageability, performance, and cost. VPNs require a physical device or a virtual machine at the headquarters, which can become costly at scale. Meanwhile, third-party VPN solutions are charged on a per-seat basis, which can also be quite expensive.
This is why organizations are exploring new options to secure telecommuting arrangements with better cost efficiency and manageability. VPNs are still being widely used, and they have also evolved in their functions and the way they are provisioned to address current needs. However, it is not a bad idea to consider other options.
Making sense of SD-WAN security
SD-WAN security is about protecting networks or connections that are no longer secured by perimeter-centered solutions. It calls for defenses that are more suitable when using SaaS applications, as branch locations already connect directly to the public internet without making traffic go through the secured corporate LAN.
SD-WAN security is not discussed as often in many consumer cybersecurity and corporate tech blogs. In fact, this post is the first to tackle SD-WAN on this site. There are many challenges in securing software-defined WAN, which many unwittingly encounter. It is important to be aware of these and to know how to address them effectively.
One of the biggest challenges in SD-WAN protection is visibility. The traffic of the applications used in an SD-WAN setup achieves high performance by taking the best route available. This means that it is unlikely to pass through an organization's network monitoring tools and other related cyber defenses. The result is a lack of security visibility and an inability to take advantage of existing protections.
Inconsistency in security policies and differences in service delivery also make it difficult to secure software-defined WAN. Different rules, procedures, and methods for cybersecurity and service provisioning make it difficult to protect traffic, connections, and the network. Branch locations tend to vary in their security requirements and in their ability to host security solutions. Add to this the existence of separate security operations centers (SOCs) and network operations centers, and reconciling responsibilities and priorities can be quite challenging.
Moreover, scalability and manageability are never going to be easy with multiple distributed systems to deal with. To ensure adequate security, it is necessary to have a system specifically created to handle this challenge and the others mentioned above.
A paper entitled “SD-WAN Threat Landscape” by researchers from the Inception Institute of Artificial Intelligence and Tomsk State University, published in Cornell University’s arXiv open-access archive, shows that the threats affecting SD-WAN are essentially all the traditional network and SDN threats plus product-specific threats.
An SD-WAN environment is not less prone to specific kinds of threats. It is exposed to a wide range of risks including brute force attacks, denial of service, API leaks, XSS, arbitrary file reading through path traversal, password reset spoofing, OpenSSH leaks, and bot attacks on the TLS server.
Some organizations can be exposed to even more threats if they turn to providers of legacy SD-WAN solutions, which are mired in the same security weaknesses and inefficiencies associated with a hub-and-spoke architecture. SD-WAN providers that are not cloud-based usually use the same legacy WAN optimization methods, which are not capable of providing adequate security at the edge. They may only provide WAN encryption solutions derived from the vulnerability-ridden IKE-based IPsec protocol.
Organizations may be in the process of deciding to move towards SD-WAN without getting acquainted with the risks that come with it. They may be conscious about the need for enhanced security, but they may not be aware of what specific tactics or strategies to employ.
What SD-WAN security should have
Securing SD-WAN requires four key attributes, namely an enhanced firewall system, prevention-driven security, unified monitoring and management, and flexible deployment. These features address security needs in a perimeter-less setup, which is crucial in providing adequate protection for headquarters and branch location connections.
- Next-Generation Firewall (NGFW) – Firewalls are conventionally perimeter-centric cyber defenses. To make them applicable in the SD-WAN setting, they have to be upgraded with new features, particularly anti-bot, antivirus, URL filtering, application control, intrusion prevention system (IPS), and identity management. These ensure comprehensive defense against a wide spectrum of online attacks.
- Emphasis on prevention – SD-WAN is inherently predisposed to attacks from all sides given that it does not have the advantage of perimeter protection. It is crucial to make sure that attacks are prevented instead of relying on detection and response mechanisms. This requires access to the latest cybersecurity intelligence and a sandbox function for analyzing and containing suspicious activities.
- Unified security control and policy implementation – Monitoring and managing SD-WAN is, as expected, highly complex because of the kinds of connections involved. To optimize the effectiveness of the security solutions that protect the different devices, accounts, and networks in SD-WAN, it is advisable to bring everything together through a unified monitoring and management platform. It is also recommended to ensure consistent security policies and unified enforcement.
- Flexibility – Again, SD-WAN involves various users, accounts, devices, file storage, and locations. It is only logical for the security system protecting it to have flexible deployment options including cloud network security as a service, secure gateway appliances, and virtual network functions.
Advancing next-generation security
In a post on Forbes, cybersecurity expert Tim Liu cites the benefits of security solutions specifically intended for SD-WAN. He also notes how they help advance next-gen security through their centralized management and cloud-based nature, flexibility, and productivity-enhancing features.
“SD-WAN is one of the elements of the secure access service edge (SASE), a framework promoted by industry analysts at Gartner. SASE proposes a natural progression—from NGFW to SD-WAN to SASE—that can offer benefits for enterprises at each step of the path as the technologies mature,” Liu explains.
It is time for organizations to learn more about SD-WAN and how to ensure its proper protection. This is not only for the sake of improved efficiency and taking advantage of new and better technologies. The implementation of SD-WAN is a step toward the modernization of the WAN, and SD-WAN security is a path toward the adoption of SASE, which some pundits call the future of network security.