Network Evolution

Building the infrastructure for the changing face of IT

freshidea - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

SD-WAN helps secure hybrid networks

For all the gripes enterprises have about MPLS, one point of contention remains: Branches directly connected to the Internet don't feel safe. Is that still true in the age of SD-WAN?

S. Smith got one of those rare opportunities that most network engineers can only dream about -- the chance to completely redesign his company's legacy branch architecture.

All 3,000 branches belonging to the financial services company he works for had routed its wide area network (WAN) traffic over MPLS. An Internet connection was available as a backup, but only as a break-glass-in-case-of-emergency alternative if the MPLS link went down. While it met the company's strict security requirements, it was expensive to maintain.

As Smith and his team worked on how they could make their WAN more efficient without increasing their reliance on MPLS, software-defined WAN (SD-WAN) caught their attention. This new technology enables enterprises to create hybrid networks that aggregate multiple access technologies, including commercial Internet services, and dynamically route traffic across the best one depending on real-time availability and performance, or other custom policies.

After running lab tests and a small pilot in their production network with startup Viptela's SD-WAN platform, Smith and his team were sold. They are now in the process of rolling it out to all of their branches, deploying it with a mix of MPLS, broadband and wireless LTE connectivity at every location.

But for a company with six million customers, that's a lot of sensitive data flying around the Internet. How can an IT team in banking, of all industries, be on board with that? Many enterprise network engineers eyeing hybrid WAN architectures are asking themselves the same question: It can't be as safe as running everything on MPLS, right?

Although not as robust as a dedicated security appliance, SD-WAN platforms come with enough security features to finally make hybrid networks secure enough for widespread use, according to experts and early adopters. All of Smith's WAN traffic goes through end-to-end encrypted tunnels -- a feature he says was nonnegotiable when redesigning his branch architecture -- and a third party validated the platform's security in a penetration test.

"Broadband is kind of the Wild West, but we're doing what we can to ensure the integrity of our data over that transport," says Smith, an infrastructure engineer who spoke on the condition he and his company weren't fully identified, due to security concerns.

"It's a different way to think about it. MPLS was always deemed safer," he adds. "No one was using encryption originally over that, and then they started putting encryption on it. Once you start doing that over broadband and everything else, you start thinking, ‘Well, I guess it doesn't really matter what transport medium I'm actually using if I'm encrypted and tunneling end to end. It's just bandwidth.'"

Most of the hype around SD-WAN has been about its ability to boost WAN performance, availability and cost savings by simplifying the way hybrid networks are deployed and managed. Without these platforms, engineering a hybrid WAN from scratch was just too difficult for most enterprises, according to Andrew Lerner, a research director at Gartner. Security wasn't much of a consideration until SD-WAN made hybrid WANs practical.

"SD-WAN is an enabling technology that can actually expose the security problems associated with moving to a hybrid WAN," Lerner says. "It enables you to do something that was very difficult to do before, which opens up the opportunity to address a security issue that was masked because it just wasn't possible."

SD-WAN vendors deliver their security features through an on-premises appliance or a cloud-based security service, often providing the latter via third parties like Websense or Zscaler. But unless you're sending top-secret government files or high-value monetary transfers, that approach is probably good enough, Lerner says.

"While the conventional wisdom says [the Internet] may be less secure, the reality is that it's secure enough for nearly all enterprises to use, provided they put appropriate levels of encryption on their traffic," he says. 

On the safe side

A voice and data manager at a regional bank in New England, who requested only his initials, D.V., be used due to security concerns, was looking for a way to affordably improve the performance of his WAN last year. Nearly all of the bank's 100 branches used MPLS as the primary means of connectivity, with commercial Internet as a backup. But the amount of data traversing the WAN continued to grow, and the performance gains from his Riverbed Steelhead WAN optimization appliances were maxed out. Beefing up those private circuits with more bandwidth, however, was cost-prohibitive.

SD-WAN looked like the solution, but was he worried about security? Did it seem too risky?

"Oh, God, yes," D.V. says. "Security is networking. I object to the whole idea that security is separate. If you can't do networking, then you have no business in security, frankly -- and to some extent, the reverse is true. We have a very conservative security posture. We always have an auditor somewhere in my network trying to poke around and get at things, so we were certainly concerned about the security of the solution."

After evaluating SD-WAN platforms from Cisco, FatPipe Networks, Ipanema Technologies and Talari Networks, he was most impressed with Talari's packet-based approach to securing hybrid networks, as opposed to flow-based models from vendors like Ipanema.

Security is a top concern for enterprises considering SD-WAN.

D.V. tested Talari in his lab and performed some packet captures to see if the product lived up to its promises. As far as he could tell, it did. An auditor validated those findings with a penetration test. As of last December, the platform is deployed at all of the bank's locations.

"I was probably convinced as soon as I'd done my initial analysis. I have a strong security background, but I don't think I knew it was going to fly until I saw the report from our third-party vendor who did the pen test," D.V. says. "It's not just me or my colleagues. It's someone else saying, ‘Yes, this is OK.' At that point, you can go up to the information security group and say, ‘Here you go.'"

Although the public Internet always carries some risk, the reality is that MPLS is also a shared medium. The protections SD-WAN platforms provide put the two on level ground, D.V. says.

"The irony of an MPLS circuit is that the security is VLANs -- that's all it is. You have your traffic marked and put into a special VLAN, so it's running over the same pipe as everyone else's MPLS circuit," he says. "It's not a physical layer of security. There's no special inspection that a firewall might throw in, or an IDS or IPS. None of that is present in an SD-WAN solution, but none of that's really present in an MPLS solution unless you choose to put it in."

The idea that anything but an MPLS-only architecture is laden with risk is a tough misconception to overcome among enterprises with more conservative cultures, says Tim Coats, director of applied innovation at Trace3, a large systems integrator and reseller based in Irvine, Calif., that designs SD-WAN implementations using products from Cisco, CloudGenix and VeloCloud.

"We often hear, ‘I want the cost breaks of the Internet, but that opens up a whole new set of security worries for me and I get scared,'" Coats says. "We have huge companies [as clients] that are very risk-averse and favor traditional MPLS. We try to work with them to help them understand that using the Internet is fine, as long as it's used correctly -- and a hybrid approach is usually the best approach."

Balancing requirements in hybrid WANs

It's all about striking a balance, says D.V., the voice and data manager at a New England bank. His Talari units can support the strongest encryption standard, AES-256, and the bank's auditors would prefer he enable it. But he noticed the standard made his network performance suffer, so he's using AES-128 until the next generation of hardware resolves the issue.

"Neither one is crackable at this point. It's more about what a security auditor wants. The security auditor is always going to say, ‘Put a belt and suspenders on. I want everything you can possibly give me,' but that's their job," D.V. says. "It's not always reasonable, though."

We are able to say, 'We identify the risks, but now we have better, more proactive ways of mitigating those threats and vulnerabilities as they arise.'
S. Smithinfrastructure engineer

Smith, the infrastructure engineer using Viptela, runs most internal traffic -- not just guest Wi-Fi -- over his hybrid networks without much worry. Still, some highly sensitive data only traverses MPLS, and the SD-WAN platform enables him to separate that out at a granular level. He can define traffic engineering policies not only according to certain applications, but also to individual features within a given application.

"We are still utilizing MPLS, and within the financial sector, I don't see that going away. There are just too many requirements," Smith says. "But I think with the use of IPsec tunneling and other security features offered through our SD-WAN solution, and how easy it is to manage, we are able to say, ‘We identify the risks, but now we have better, more proactive ways of mitigating those threats and vulnerabilities as they arise.'"

While SD-WAN helps close the security gap for most enterprises, Gartner's Lerner cautions that it may not be the right strategy for everyone, depending on branch requirements.

"If you want to deploy a Swiss Army Knife gateway in your branches -- meaning, ‘I want a box that does wireless, that is a server, that does WAN optimization, firewalling and call management' -- that's not what SD-WAN is," Lerner says. "What I will say, though, is that the majority of enterprises I speak with can get away without applying that fully rich, deep feature set at a given set of branch locations." 

SD-WAN: Security made easy?

In fact, early adopters of SD-WAN like Smith and D.V. say their WANs are more secure now than ever.

"With a legacy solution, you'd have to worry about the overhead with maintaining numerous security components, such as certificate servers, PKI, DMVPN, VRF segmentation, GDOI key servers for GETVPN, and key and certificate rotation and expiration, along with many other components in your security stack," Smith says. "It's not hard when you have a small environment, but once you start scaling to a large enterprise and above, that's when you need people just to manage your security environment for networking."

The Viptela console simplifies that for administrators by automating those changes, he explains.

"I don't want to sound cheesy, but they make security easy," Smith says. "From a learning curve perspective, they're not introducing anything that's a completely new, revolutionary technology. They're taking stuff that already exists but doing it a lot more efficiently. It wasn't like I had to sit down with a textbook for a month to figure out what they heck they're doing."

At Trace3, the California-based systems integrator, SD-WAN is wrapped into a package it calls Connected Business Experience, which helps enterprises re-architect branch offices to support initiatives like mobility, cloud and the Internet of Things. The company was drawn to CloudGenix's technology because of the ease and utility of security controls based on the user's identity, location and the application he or she is using, rather than just routes, Coats says.

Coats would like to see SD-WAN vendors go one step further in simplifying how hybrid networks are secured by removing a lot of the manual labor and guesswork out of service chaining.

"Everyone is trying to solve this one little piece, and no one's looking at the whole picture. And the whole picture is I have users who are everywhere, and my services are distributed on different platforms. I need one place I can pull it all together," he says. "The part I still get frustrated with in this business is everyone still tries to do it ‘my way,' as opposed to what is the right way."

Article 1 of 7

Next Steps

Hybrid WAN vs. SD-WAN: What's the difference?

MPLS networks still rule the branch, but Internet as WAN makes gains

Developing a security strategy for Internet-connected branches

This was last published in March 2016

Dig Deeper on Software-defined WAN (SD-WAN)

Get More Network Evolution

Access to all of our back issues View All