Software-defined WAN technology, whether DIY or managed, can improve WAN security in a variety of ways. Simply migrating to a viable SD-WAN offering brings some benefits. But SD-WAN tools also provide security features to protect the traffic they manage, as well as features that protect the offerings themselves. Enterprises can fit these tools into a broader security ecosystem to better coordinate protections.
This article discusses four different areas where enterprises should consider SD-WAN and security, as well as the core capabilities to include in an SD-WAN security checklist.
Baseline SD-WAN boosts to WAN security
Centralized console. At its core, SD-WAN must provide a centralized, policy-based management console for the WAN. That console is the single point of management for the WAN, and modifications to policy are rolled out automatically.
The basic characteristics of SD-WAN provide solid improvements to WAN security for most organizations. Most legacy WANs suffer from a requirement to manually manage configurations for routers in every location, as well as any security appliances on-site, such as firewalls. Because traditional WAN management is manual, most organizations tend to minimize the number of times they update software. Consequently, branch network stacks tend to be old versions and are often unpatched for long periods of time.
Centralized and automated management ends all that. These same functions with SD-WAN make it easy to roll out new policies and configuration updates consistently and rapidly, making the network more agile in supporting business initiatives and transformative application deployments.
Traffic segmentation. Another significant core feature of SD-WAN is the ability to segment traffic in various ways, such as the following:
- by application and protocol
- by user and group
- by region
Segmentation serves both performance management and security. For example, SD-WAN can route traffic according to compliance requirements, such as staying within -- or avoiding -- certain geographies. With some offerings, SD-WAN can look deeply into applications and traffic and differentially deliver -- or block -- traffic based on user device and platform, user, group, application, protocol and even specific application features.
SD-WAN security functions
In Nemertes Research's Next-Generation Networking 2020-21 Research Study, SD-WAN users said they intend to have half their branches connected via internet links alone by the end of 2021 and to enable direct access to internet destinations from 75% of their branches -- thus including many users with both internet and private WAN connectivity. It's no surprise, then, that 66% of SD-WAN users said they intend their SD-WAN to serve as -- or replace existing -- branch firewalls in all branches.
Firewalls and more. Organizations looking for this level of security functionality require a basic stateful firewall at bare minimum. Full-on, context-aware and application-aware next-generation firewall features are even better.
IT teams should also look for intrusion detection system/intrusion prevention system functionality, unified threat management and even secure web gateway features. If the SD-WAN endpoint isn't doing this work itself, it should be able to service chain to tie in functions from another appliance or cloud service. A managed offering may provide these directly from the SD-WAN provider's own service cloud or chain in partners.
Encryption. SD-WAN should support strong encryption -- Advanced Encryption Standard 128 or AES 256 -- of data in motion among any endpoints, whether in the branch, data center or cloud. If the offering retains any data internally -- and most must -- it should also encrypt data at rest. Again, if it's a managed offering and incorporates provider cloud components, data it retains should also be encrypted.
Keys. The SD-WAN offering should also have a thorough and simple key management option, one that ideally integrates into an existing public key infrastructure and enables enterprise retention of the keys, even if the offering is managed.
Security features that protect the SD-WAN platform
IT teams must also evaluate the security of the SD-WAN platform when looking over an SD-WAN security checklist.
Trusted Platform Module (TPM) protection. Ideally, an SD-WAN offering will have a TPM that protects encryption keys, for example -- though many organizations do not require that in their platforms. It will also be built on a well-established, fully hardened platform that minimizes the attack surface of the system.
Access control and multifactor authentication (MFA). The SD-WAN platform should also support directory-driven, role-based access control and enable use of MFA. Operationally, IT teams should audit access regularly and apply a privileged account management tool if they have one.
Encrypted management channels. As with production data, management channels should be strongly encrypted.
Secure deployment. The platform should implement a secure model for low-touch or no-touch deployment. This will sometimes involve preconfiguring information about the company network into the SD-WAN devices before they ship so the devices know how to phone home for more configuration as soon as they're hooked up.
Fitting SD-WAN into a security ecosystem
Security information and event management (SIEM) integration. Lastly, the SD-WAN platform won't be the entire security infrastructure, so it has to fit into whatever else there is. Nemertes' security research has shown that organizations deploying a tight security ecosystem are vastly more successful in containing security threats than those that don't. So, the SD-WAN offering, at a minimum, has to feed logging info to a SIEM system. Ideally, it will also provide secure access via APIs to operational data.
Secure orchestration, automation and response (SOAR) integration. APIs will also be key to integrating an SD-WAN into a SOAR system so it can serve as a coordinated component in a broader software-defined perimeter or zero-trust environment.
IT teams can make enormous improvements to WAN security with SD-WAN, as long as they select an option with their security needs in mind.