SD-WAN security benefits go beyond improved network visibility, especially in a 5G environment
In the throes of digital transformation, IT organizations must adjust their operations to rapidly deploy new applications and deliver a high quality of experience (QoE), whether in the data center or the cloud. Wide Area Networks (WAN) play a crucial role in connecting a distributed workforce to these mission-critical applications and maintaining business continuity. To adapt to these (and other) requirements, a growing number of businesses are implementing SD-WAN strategies.
As organizations look at SD-WAN, they're addressing critical concerns, including how to limit the growth of the attack surface that stems from the rapid expansion of IoT and wireless edge computing. Wired and wireless networks have been dealing with many of these issues for some time. However, enterprises need to be deliberate about how they apply security technology and methods. Let’s look at common SD-WAN security questions for hybrid WAN networking.
What is SD-WAN?
A Software-Defined Wide Area Network (SD-WAN) is a WAN architecture that makes network configuration more efficient and enables organizations to securely link users to applications by leveraging multiple mixed transport services, including MPLS, cellular, and broadband internet services, thus enabling the network to match the needs of the business.
An SD-WAN router understands that not all applications are the same and not all networks are equal. Therefore, SD-WANs rely on a centralized control function to securely and intelligently route traffic across the WAN and directly to trusted SaaS and IaaS providers, using the best path to achieve the desired outcome. This improves application performance and provides a high QoE, boosting corporate productivity and agility while reducing the ongoing operating costs associated with MPLS lines.
What is hybrid SD-WAN?
Most SD-WAN offerings rely on two wired connections to allocate traffic across the WAN. Relying solely on wired connections exposes the enterprise to potential downtime when natural or manmade disasters, like a backhoe cutting through underground cables, take both wired links down simultaneously. Cellular, by contrast, is a reliable SD-WAN link, whether two cellular connections serve as the primary links or cellular serves as a second or third link alongside wired connections. Because of this, the mixed wired and wireless approach to allocating traffic is called hybrid SD-WAN.
How does SD-WAN improve security for internet traffic?
Many organizations are implementing Secure Access Service Edge (SASE) security strategies, but are in different stages of adoption. In other instances, conditions in distributed networks call for localized or embedded security solutions. SD-WAN brings intelligence to the network and helps your business respond quickly to environmental shifts and external threats.
- Access control: The ability to configure granular access levels on a per-site basis helps restrict the types of traffic that flow through the network, creating a secure edge in addition to foundational firewall and URL filtering capabilities determined through policies. Network administrators can also establish security policies for what applications or IP addresses users can access.
- Tunnels: One ubiquitous security component of SD-WAN is that traffic is typically sent over a secure, end-to-end encrypted tunnel, such as Internet Protocol Security (IPsec), often combined with Generic Routing Encapsulation (GRE), as used in virtual private networks (VPNs). The bottom line is that every well-known SD-WAN encrypts traffic. Data traveling over an internet-based SD-WAN is secured in the same way as traffic traveling through an internet-based VPN tunnel, and WAN VPN capabilities will continue to evolve into agile, intuitive VPN solutions.
- Visibility into the network: SD-WAN can improve network visibility by identifying and monitoring the users, equipment, and applications on the network to easily locate anomalies or security issues. Network administrators can also use this feature to check on the performance of applications, solve network issues, and ensure that security features and rules are functioning properly.
- Ability to service chain with third-party cloud-delivered security solutions: Where needed, SD-WAN provides access to cloud access security brokers (CASB) and Secure Web Gateways (SWG) to complete the security ecosystem.
SD-WAN router features are further complemented by cellular broadband improvements, especially when it comes to 5G security characteristics. Enhancements to the 5G network include added security at the transport and application layers, making 5G SD-WAN an even more reliable, secure mechanism for traffic transport.
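The application-aware "best path" selection described above, gated on the tunnel requirement from the Tunnels bullet, as an added toy model that is not Cradlepoint's or any vendor's code. The link names, SLA thresholds and the `ipsec_up` flag are assumptions made for illustration: a link is only eligible to carry traffic when it is up and its encrypted tunnel is established, so losing both wired links fails over to cellular rather than to a clear-text path.

```python
# Added example, not vendor code. Link names, SLA ceilings and the
# ipsec_up flag are constructed assumptions for illustration.
from dataclasses import dataclass

@dataclass
class Link:
    name: str           # transport, e.g. "mpls", "broadband", "cellular_5g"
    up: bool            # carrier reports the link as alive
    ipsec_up: bool      # encrypted tunnel to the hub is established
    latency_ms: float   # measured round-trip latency
    loss_pct: float     # measured packet loss

# Per-application SLA ceilings (constructed values, not from the article).
SLA = {
    "voip":   {"latency_ms": 150.0, "loss_pct": 1.0},
    "saas":   {"latency_ms": 300.0, "loss_pct": 3.0},
    "backup": {"latency_ms": 1000.0, "loss_pct": 5.0},
}

def select_path(app: str, links: list):
    """Return the link name that should carry `app`, or None if none is usable.
    Only links that are up AND have an IPsec tunnel are eligible, so a cut
    wired link never causes a silent fallback to a clear-text path. Among
    eligible links meeting the SLA the lowest latency wins; otherwise the
    least-lossy eligible link keeps the app reachable (degraded, encrypted)."""
    sla = SLA[app]
    eligible = [l for l in links if l.up and l.ipsec_up]
    if not eligible:
        return None
    within = [l for l in eligible
              if l.latency_ms <= sla["latency_ms"] and l.loss_pct <= sla["loss_pct"]]
    if within:
        return min(within, key=lambda l: l.latency_ms).name
    return min(eligible, key=lambda l: (l.loss_pct, l.latency_ms)).name

def sample_links(wired_cut: bool = False, broadband_tunnel_down: bool = False) -> list:
    """Constructed hybrid site: two wired links plus one 5G cellular link."""
    return [
        Link("mpls", up=not wired_cut, ipsec_up=True, latency_ms=20.0, loss_pct=0.1),
        Link("broadband", up=not wired_cut, ipsec_up=not broadband_tunnel_down,
             latency_ms=35.0, loss_pct=0.5),
        Link("cellular_5g", up=True, ipsec_up=True, latency_ms=60.0, loss_pct=0.8),
    ]

if __name__ == "__main__":
    for scenario, links in [("normal", sample_links()),
                            ("both wired links cut", sample_links(wired_cut=True))]:
        print(scenario, {app: select_path(app, links) for app in SLA})
```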
How does SD-WAN leverage cloud-based security intelligence?
When IT and security staff are responsible for maintaining multiple distributed sites, cloud-based SD-WAN management means the staff no longer needs to be physically on site to administer security and networking updates. Security policies can be quickly and easily provisioned within a cloud-based, centralized management system to thousands of edge devices, and comprehensive security dashboards with alerting and log data help keep administrators informed of relevant security events and attempted attacks.
A next-generation firewall (NGFW) is a complementary component of SD-WAN security that is often delivered as firewall-as-a-service (FWaaS) in the cloud, but in some cases is deployed on site. When comparing a next-gen firewall with a traditional firewall, an NGFW is a virtualized and upgraded version of the classic hardware-based firewall.
An NGFW can perform a wide range of services, including application awareness, intrusion detection/prevention (IDS/IPS), web content filtering, malware detection, and antivirus protection. NGFWs also run multiple virtual network functions (VNFs) that can be based in the cloud in addition to on premises, creating additional benefits for the enterprise.
How secure are SD-WAN endpoints?
Each SD-WAN connection end must have some form of client whose architecture safeguards it against hacking or unauthorized remote configuration. SD-WAN endpoints are, by definition, secured in both the cloud and the data center to ensure traffic is encrypted. Additionally, service edge devices are protected by an embedded business firewall, IDS/IPS, and URL filtering, and VPN tunnels between the end-user device and cloud or data center are secured with a combination of IPsec encryption and GRE.
What should businesses consider when implementing an SD-WAN security solution?
When developing an SD-WAN implementation or improvement strategy, enterprise IT managers should ensure the following questions are addressed:
- Does the level of security at the network edge meet the needs of business?
- How are tunnels encrypted across the network?
- Are there instances within the enterprise network that may require local firewalls instead of applying security from a data center or cloud?
- What are my critical applications?
- Where are they located?
- Do they have specific security parameters that need to be met?
- Do the latency ranges offered by SD-WAN vendors meet my needs for latency-sensitive applications and intra-location traffic segmentation?
- Are there instances where I should apply zero trust network access (ZTNA) principles?
SD-WAN, 5G, and the shift in security
Network security and connectivity are becoming increasingly intertwined and moving closer to the network edge and into the cloud as the technology evolves. Simultaneously, 5G network security is redefining WAN security expectations. Parallel to these changes, SD-WAN routers are evolving from data manipulation solutions to security service edge (SSE) solutions, emphasizing the router's intelligent processing capabilities.
An edge appliance such as a Cradlepoint 5G router can provide secure access to cloud-based applications and services. In addition to user authentication, improved SD-WAN router security features in the 5G environment, such as ZTNA, help safeguard the network from malicious actors.