
SD-WAN in Enterprise Networks – Security Emphasized

Software Defined Wide Area Network (SD-WAN) is the next big thing. In fact, it is already mature. Thousands of companies have deployed it for various reasons. SD-WAN can be considered an overlay architecture that connects enterprise on-premises data centers, infrastructure-as-a-service (such as that hosted by AWS or Azure), cloud services (such as software-as-a-service), HQ and remote offices.

SD-WAN brings enhanced application experience, security, faster WAN link deployment, simpler management and overall agility to IT operations.

Let’s have a look at the main reasons for SD-WAN deployments in the Enterprise networks.

According to many researchers in this industry, security is the top reason enterprises consider SD-WAN deployment. Other benefits of SD-WAN compared to traditional WAN deployment are simpler management, better load balancing, increased application performance due to live traffic steering, and cost optimization due to the use of Internet links rather than MPLS private circuits. However, let’s focus on security for now.

The ability to reduce risk depends on how SD-WAN is deployed. Different deployment approaches exist because there are no formal standards for SD-WANs. And without standards, there is no guarantee of the capabilities that your solution will inherently support, including security.

Comprehensive security includes IPsec transport encryption and next-generation firewalls (NGFWs) with unified threat management (UTM). IPS, AMP, URL filtering, antivirus and SSL decryption are some of the capabilities enterprises look for when comparing SD-WAN solutions.

Microsoft reported that more than 50% of its commercial Office customers are now in the cloud and by July 2018, the beginning of Microsoft’s fiscal 2019, the company expected that number to jump to two-thirds. Having Office in the cloud, such as Office 365, comes with a performance challenge.

Depending on how many packet hops there are between the end user and the Office 365 servers, congestion, packet loss, latency and jitter can affect application performance. Microsoft recommends having a Direct Internet Attached (DIA) option, that is, Internet access directly from the branch office to the Office 365 instance.

Having DIA comes with its own security challenges though. Traditionally, enterprises bring their branch office traffic to the centralized datacenter for security reasons. In the datacenter, they deploy Firewall, IPS, IDS, Anomaly Detection, proxy devices and so on, instead of deploying all these security and optimization devices at each and every branch office.

Deploying these solutions at the datacenter simplifies the management of these appliances, but bringing the network traffic from each branch office to the datacenter increases the latency/delay of the packets, which results in degraded application performance. Also, carrying the traffic over WAN links to the datacenter comes with an extra WAN cost.

Many SD-WAN vendors bring firewall, IPS, proxy and other security functions to the branch offices to support the applications which require direct Internet access from the branch site. If WAN optimization, load balancing, security and other capabilities can be monitored and managed through a single pane of glass, it simplifies the entire WAN management. Many vendor solutions provide a single management IP address, which exposes WAN circuit performance characteristics, security parameters, overall status of the system, device and circuit health and so on.


Below is the list of capabilities you might look for from the security point of view when you evaluate SD-WAN vendors:

  • Secure Web Gateway: Content and URL filtering, Web access Policy Enforcement
  • Next-Generation Firewall (NGFW)
  • Advanced Threat Prevention: Anti-Malware, IDS/IPS

Most of these features can come within a UTM (Unified Threat Management) appliance.

Security in the control plane, data plane and management plane should be considered holistically when an SD-WAN solution vendor is evaluated.

Authorization and acceptance of the edge devices to the WAN, IPsec VPNs for data plane security, and TLS, SSL for control plane security are the common security features which most if not all SD-WAN vendors support as of 2018.

I personally believe that for many SMEs (Small and Medium Enterprises), the future is SD-WAN, which simplifies IT operations, provides better performance and security, and brings cost reduction to Wide Area Networks. I will be covering many different aspects of SD-WAN, and my next article on SD-WAN will be SD-WAN in Service Provider networks.

About the author

Orhan Ergun
