rvlsoft - Fotolia
Enterprises of all sizes are rapidly adopting software-defined WAN technology to improve connectivity among their branches and other wide area network sites, especially as more workloads shift to the cloud. But that flexible connectivity comes with a price. Using multiple network connections means offering multiple places for hackers to attack the corporate network. In response, network professionals are busily assessing the best SD-WAN security tools to protect corporate WANs from a growing threat landscape.
WAN security isn't new; enterprises have had to protect their WANs for decades, using common tools like encryption, VPNs, tunneling protocols, IPsec and others. SD-WAN -- which adds less-secure broadband internet connections and 4G to existing MPLS pipes -- resets the stage and forces enterprises to reconsider the best ways to defend their rapidly growing distributed networks.
The need for SD-WAN security will only continue as SD-WAN adoption gains traction. IDC, for one, forecasts that SD-WAN infrastructure and services revenues worldwide will total $8.05 billion in 2021, a compounded annual growth rate of almost 70%.
Stitched together with SD-WAN
Sea salt and mineral products retailer Redmond Inc., in Heber City, Utah, wasn't focused on security when it implemented VeloCloud SD-WAN. But as the retailer has expanded into different locations across the western United States, security has become a prime consideration, according to its CTO Aaron Gabrielson.
"We have the whole business stitched together on SD-WAN," he said, adding that one infected device in a remote office can affect corporate headquarters. "The surface area [for potential threats] is expanded.
"Any computer on any site can talk to any other site. It's all meshed together," he said. "The security implication is that now your network is a lot bigger. You have more places you can be attacked from within."
Redmond has a centralized IT organization that supports its 17 brands of sea salt and mineral products for agriculture, personal care and construction industries, which operate separately. The company operates retail markets in Utah, as well as 16 manufacturing and warehouse facilities with branches in Utah and Colorado.
Aaron GabrielsonCTO, Redmond
Gabrielson said various ransomware attacks in the news in the last year were an eye-opener for the company. "When you're doing SD-WAN, you look at all the benefits, but [security] is definitely something we have to put in our planning," he said.
To reduce the potential impact of threats, Redmond relies on VeloCloud's built-in WAN encryption features and has also incorporated endpoint security products for its devices and branch locations, including Proofpoint email security and Webroot antivirus tools. All of these tools work in tandem as the company conducts security policy.
Redmond uses policies and Active Directory security groups to manage permissions, but the company doesn't segment devices and user access at the network level, Gabrielson said. "We're doing it more at the application layer."
SD-WAN flexibility boosts security options
Enterprises have to be more aware of security at all network layers. In 2017, the WannaCry ransomware and cyberattacks on corporations like Virgin Airlines and Equifax -- which exposed millions of customers' personal data to hackers and potential misuse -- demonstrated how widespread threats to the corporate network have become.
As enterprise networks become even more distributed and cloud computing becomes more prevalent, "each location and user has to be protected," said Rohit Mehra, an IDC analyst.
Fortunately, SD-WAN offers some built-in protection, Mehra said. By its very nature, SD-WAN optimizes connectivity and increases network visibility. Its dynamic capabilities allow network managers to more rapidly respond to threats as they happen. And SD-WAN offers microsegmentation, through which companies can further protect traffic with user-defined policies that dictate how an application is delivered and isolate infected machines if a breach occurs.
SD-WAN and security should operate hand-in-glove, he added. "You want one with the other" to get the best of both worlds.
Most vendors integrate SD-WAN security components into their products either themselves or by partnering with security companies like Zscaler or Check Point Software Technologies to integrate tools such as firewalls and network segmentation support.
For example, in addition to network encryption, VeloCloud offers firewall and role-based access services. Riverbed, which recently announced new security integration into its SD-WAN service, has user- and application-based security policies. Talari Networks' SD-WAN product integrates firewall and secure packet tagging while Silver Peak offers microsegmentation and encryption.
Still, enterprises continue looking for more SD-WAN security options, according to Gartner's "Four Architectures to Secure SD-WAN." Greg Young, a Gartner analyst, said enterprises are questioning their security needs.
Network managers becoming more aware of security issues are looking for help in identifying the appropriate security solutions for all their branch offices, Young said.
Current SD-WAN products do not support some advanced security features like intrusion prevention systems, content specific controls and antimalware protection, Young added. In the cases where enterprises have high-security needs, they need to incorporate traditional security products in addition to what's used in the SD-WAN product.
It comes down to use cases, he said. "Look at what the branches are doing."
For example, if an enterprise has smaller branches with noncritical functions, the security embedded in the SD-WAN product is probably good. "For those use cases, you don't need a high-security deployment," Young said.
As more enterprises turn to SD-WAN to give them more flexible and efficient bandwidth to connect across distributed locations and to the internet, they are increasingly aware they need to beef up their SD-WAN security options that include integrated firewalls and microsegmentation to better protect users and devices from whatever hackers try to throw at them.
Security a top concern for SD-WAN
The new edge: SD-WAN
Shopping for SD-WAN providers
- CW Buyer's Guide: Optimising networks for cloud computing and virtualisation –ComputerWeekly.com
- Ensure Your Enterprise Makes It Through the Great Applications Migration –Mosaic Networx
- Network Purchasing Intentions 2013 –ComputerWeekly.com
- Microscope June 2016 –MicroScope