What constitutes a true, secure SD-WAN?

Read time 5min 20sec
Paul Stuttard is director at Duxbury Networking.
Paul Stuttard is director at Duxbury Networking.

The worldwide digital transformation, which is integrating digital technology into all areas of business, is fundamentally changing how organisations operate and deliver value to their customers.

It is also fuelling a significant change in the design and function of corporate networks.

Disruptive technologies such as the cloud, the Internet of things and software-as-a-service are calling for a complete and comprehensive enterprise-wide network overhaul.

In their efforts to build higher-performance wide area networks (WANs) capable of delivering the applications and services required to perform business functions in today’s digitally evolving world, organisations are increasingly turning to software-defined WAN (SD-WAN) technology.

SD-WAN technology is widely accepted as the next step in the evolution of the network and is closely associated with how users leverage digitisation. It is capable of a broad range of cost-saving and performance enhancements, including the ability to dynamically share network bandwidth across multiple connection points, provide zero-touch provisioning, integrated analytics, on-demand circuit provisioning and more.

Increasingly applied to cloud platforms, SD-WAN products can be physical or virtual appliances addressing broad-ranging business needs in remote offices and sites, branch offices as well as corporate headquarters and data centres.

Against this backdrop, it is obvious that tight security needs to be high on the wish list of any organisation looking to an SD-WAN-linked investment. Security must be one of the most critical components of this new network architecture and a fundamental feature of any SD-WAN product put into service. 

Recently, a respected research firm found that respondents ranked security well ahead of technology innovation and price when it comes to SD-WAN buying criteria.

Not all SD-WANs are created equal.

However, before addressing the security features crucial to an SD-WAN infrastructure, it is imperative to first focus on one of the challenges facing organisations. This is to choose a “true” SD-WAN solution.

With more than 40 vendors currently competing for a slice of what is becoming an increasingly lucrative pie, some offerings are in danger of being promoted beyond their actual capabilities. Not all SD-WANs are created equal.

From a technical perspective, a true SD-WAN must provide four required functions:  

  • The WAN connection should be virtualised. There must be a layer of abstraction between the WAN functions and the physical device. When virtualised, the WAN layer runs as an overlay, above the physical WAN hardware, enabling this connection to be easily moved across different physical devices – or managed remotely without having to reprogram the physical underlying device.
  • Policy oversight should be centralised and the policies managed in a central repository, from which they can be distributed to the different SD-WAN devices as needed.
  • Orchestration is essential. With the WAN virtualised and policies centralised, the SD-WAN should have the ability to orchestrate changes from a single location. It is not beneficial or practical to have a centralised repository if each connection must be maintained individually.
  • The capacity to dynamically manage traffic is obligatory. This function permits traffic to be routed over multiple physical connections as needed, based on rules that can be simply set and maintained. Although manual overrides may be feasible, the true SD-WAN should be able to manage itself, based on often-changing network parameters.

Because an SD-WAN’s central function is to connect users to applications with the highest levels of performance and availability via the use of Internet connections and across external often public networks in the WAN transport mix, an updated approach to WAN security is mandated. 

While SD-WAN products do feature various levels of embedded security, a number of more advanced network features can remain unsupported and unprotected.

For example, in certain instances, embedded security is absent when it comes to intrusion prevention systems, content-specific controls, URL filtering. “sandboxing” (for advanced malware protection) and e-mail gateway functions. Incident detection and response capabilities may not be present or as effective as they could be.

Because some vendors omit, limit or pay lip-service to embedded security functions, SD-WAN solutions can be vulnerable and could easily attract threats from cyber criminals.

What are some of the fundamental characteristics of a true, secure SD-WAN?

Firstly, new infrastructure devices should be blocked from joining a secure SD-WAN until they are authenticated. Edge devices should support secure tunnels to the controller (and other edge devices) based on key exchanges and provide a unique device identification and activation code.

A “certificate server” is ideally included in the solution in order to automate tunnel setup and key rotation for each tunnel.

In a secure SD-WAN, the data plane must be encrypted (as it carries user traffic). Encryption methods often include Secure Sockets Layer or IPsec VPN tunnels, among other options.

A secure SD-WAN also provides encryption for traffic on the control plane, the messaging path among the network's control elements, including routers and switching devices. This prevents attackers from intercepting or compromising the management and configuration functions of the SD-WAN.

While basic firewall functionality is common to most SD-WANs, growing cyber security threats faced today may dictate that even a true SD-WAN’s security offering could be augmented.

This is where an appropriately accredited SD-WAN reseller is able to step in and propose additional higher-layer threat management and network security functions.

These functions may include the micro-segmenting of the network and the implementation of security strategies tailored to meet the perhaps-unique requirements of each segment.

Enhanced functions may also include capabilities such as those associated with secure Web gateway services or with next-generation firewalls. They may be linked to the latest in intrusion detection/prevention, policy-based Web filtering and cloud-based security-as-a-service solutions.

Importantly, a true SD-WAN will tie all security solutions together, connect them to a common platform and relate them to the four required functions listed above.

The goal is to create an entirely secure business environment that is trusted by staff, management. customers, suppliers and all other stakeholders.

Paul Stuttard

Director, Duxbury Networking.

Paul Stuttard is a director of specialist distributor Duxbury Networking. Currently Cape-based, he has been with the company for 29 years and has extensive experience in the IT industry, particularly within the value-added distribution arena. His focus is on the formulation of future-oriented network optimisation strategies and business development objectives in collaboration with resellers and end-users in Southern Africa.

See also