Overcoming Common SD-WAN Security Mistakes

Digital transformation is about much more than moving workflows to the cloud and adopting IoT. It is about retooling the entire network to make it faster, more efficient, much more flexible, and cost-effective. Which means it also includes things like agile software and application development, rethinking access and onboarding, and creating dynamic and adaptable network environments.

Top of the list for many organizations is the adoption of SD-WAN, which extends the advantages of digital transformation to branch offices. It provides them with instant access to distributed resources, whether they are located in a central data center, in a multi-cloud deployment, or somewhere else across the connected network. And it does this without the rigid implementation requirements and expensive overhead of traditional MPLS connections. 

Common SD-WAN Security Mistakes

The challenge is that SD-WAN is often adopted with only a cursory consideration of security. SD-WAN projects tend to be driven by the networking team, and a lot of organizations get so swept up in the cost-saving benefits of SD-WAN that they completely forget about security. 

Part of the problem is that the vendor community has done a poor job of integrating meaningful security into their solutions. There are currently over 60 vendors offering SD-WAN solutions, and nearly all of them only support IPsec VPN and basic stateful security, which is not nearly enough to protect your branch against evolving cyberattacks. As a result, organizations end up having to add additional layers of effective security after their SD-WAN solution has already been deployed. This mistake not only puts the organization at risk while it runs an unsecured solution, but the process of bolting on security after the fact (often using legacy security tools already in place that were never designed for the complexities of an SD-WAN deployment) creates unnecessary complexity and overhead, thereby increasing total cost of ownership.

Essential SD-WAN Security Requirements

To address these challenges, here are four security strategies that need to be part of any SD-WAN solution and strategy:

1. Insist on Native NGFW Protection

To begin, organizations must choose an SD-WAN solution with built-in NGFW security. This advanced security enables consistent inspection, detection, and protection across the entire SD-WAN, from branch to cloud to core, as an integrated function of any SD-WAN deployment. It also enables protection to natively follow workflows, data, and applications even as the SD-WAN network shifts and adapts to changing networking demands, a function that most legacy security solutions struggle to perform. Of course, not all security solutions are the same, so it is even better if that integrated NGFW security solution has been verified by a third party for its security effectiveness.

2. Integration is Fundamental

The other challenge is that you don’t want to deploy yet another stand-alone security solution. Fractured visibility and device-by-device policy orchestration simply add more complexity to the already complicated challenge of securing today’s distributed digital networks. So the next thing you need to ensure is that the security strategy you choose for your SD-WAN deployment can be easily and seamlessly integrated into your existing security architecture. Choosing a solution that functions as part of a broader security fabric gives your organization a stronger security posture by providing transparent views of network security, centralized management controls, and threat intelligence sharing and correlation.

3. SD-WAN Traffic Must Be Encrypted

The challenge of replacing MPLS with a broadband connection is that the public Internet is generally less reliable, which can be a serious issue for digital businesses and users that demand instant access to resources and data. In addition, nearly 90% of all organizations have implemented a multi-cloud strategy, and each cloud requires its own separate connection. As a result, most organizations deploying SD-WAN use multiple broadband links to connect the enterprise branch to the core network as well as to reach the multi-cloud. Every such connection, however, also expands your potential attack surface.

In addition, organizations are increasingly deploying cloud-based SaaS applications such as Office365 and Salesforce so their entire workforce is able to collaborate with maximum efficiency. These connections may often include critical information that needs to be protected. This is why using VPN as a transport security overlay is a fundamental component of any SD-WAN solution, and why it’s also essential that these VPN solutions provide very high performance combined with dynamic scalability. 

4. Encrypted Traffic Must Be Inspected

Secure connectivity, however, isn’t enough in digital business environments that measure success in microseconds. As SSL (HTTPS) traffic increases, attackers are hiding malware inside encrypted sessions to evade detection. Unfortunately, most SD-WAN vendors that only offer basic security do not provide SSL inspection, or if they do, it is woefully inadequate. This is the most common mistake we see when enterprises deploy SD-WAN.

One of the challenges is that even if security teams do manage to bolt on security to their SD-WAN deployment, SSL inspection will cripple the performance of nearly every legacy NGFW solution on the market. It’s so bad, in fact, that most security vendors won’t even publish their SSL inspection performance numbers. However, few organizations competing in today’s digital marketplace are willing to sacrifice performance. So real SSL inspection is either applied haphazardly or not at all. This is why it’s essential that in addition to scalable VPN connectivity, you also take a close look at SSL inspection numbers provided by third-party testing labs to ensure you select a solution that meets your performance and security requirements.
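The two controls in sections 3 and 4 (every WAN link carries an encrypted transport overlay, and HTTPS on every path is actually decrypted and inspected) are easy to state and easy to lose track of once a branch has several broadband, LTE and legacy MPLS links. The following is an added example, not code from the article or from Fortinet: a small audit over a constructed link inventory that flags links missing either control. The `WanLink` schema, the severity levels and the sample inventory are assumptions made for illustration, not any vendor's configuration format.

```python
# Added example (not from the article or any vendor): audit a constructed
# SD-WAN link inventory for the two gaps the text describes. The schema
# below is an assumption for illustration only.
from dataclasses import dataclass
from typing import List, Optional, Dict


@dataclass(frozen=True)
class WanLink:
    name: str
    transport: str              # "broadband", "lte" or "mpls"
    destination: str            # "core", "cloud:<provider>" or "saas:<app>"
    encryption: Optional[str]   # "ipsec" when an overlay is configured, else None
    tls_inspection: bool        # True when HTTPS on this path is decrypted and inspected


@dataclass(frozen=True)
class Finding:
    link: str
    severity: str               # "high" or "medium"
    issue: str


def audit_links(links: List[WanLink]) -> List[Finding]:
    """Return one Finding per control gap, in the order the links were given.

    Policy assumed here: every link needs an encrypted overlay, and every
    link needs TLS inspection (the article's point is that inspection must
    be present on the SD-WAN path itself, not bolted on somewhere else).
    """
    findings: List[Finding] = []
    for link in links:
        if link.encryption is None:
            if link.transport == "mpls":
                # A private circuit is not the public Internet, but it still
                # carries cleartext; SD-WAN has to add the protection that
                # MPLS deployments relied on the carrier's isolation for.
                findings.append(Finding(link.name, "medium",
                                        "private circuit carries cleartext traffic"))
            else:
                findings.append(Finding(link.name, "high",
                                        "public transport without IPsec overlay"))
        if not link.tls_inspection:
            findings.append(Finding(link.name, "high",
                                    "HTTPS on this path is never inspected"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, e.g. {'high': 2, 'medium': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory for one branch (not real configuration).
SAMPLE_LINKS = [
    WanLink("br1-broadband-core", "broadband", "core", "ipsec", True),
    WanLink("br1-lte-backup", "lte", "core", None, True),
    WanLink("br1-broadband-aws", "broadband", "cloud:aws", "ipsec", False),
    WanLink("br1-mpls-legacy", "mpls", "core", None, True),
]

if __name__ == "__main__":
    for f in audit_links(SAMPLE_LINKS):
        print(f"[{f.severity}] {f.link}: {f.issue}")
    print(summarize(audit_links(SAMPLE_LINKS)))
```

Run as a script, the sample inventory produces three findings: the LTE backup link has no IPsec overlay, the AWS link is encrypted but its HTTPS traffic is never inspected, and the legacy MPLS circuit is flagged at lower severity because it is private but still cleartext. In a real deployment the inventory would be exported from the SD-WAN controller rather than typed in, and the severity mapping would follow the organization's own policy.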

Summing Up

SD-WAN is quickly becoming an essential component of any network transformation effort, allowing organizations to compete more quickly and efficiently in today’s digital marketplace. However, given the growth of sophisticated and pervasive threats and malware, extra caution must be taken to compensate for the loss of the security protections inherent in traditional MPLS connections.

To do this, advanced security functionality needs to not only be part of your original SD-WAN conversation rather than an afterthought, but it must also be as thoroughly and natively integrated as possible to better detect and prevent today’s advanced threats. This includes native NGFW functionality, flexible and scalable VPN, and high-performance SSL inspection. To help you select these solutions, look for third-party testing that includes security performance and functionality as part of its evaluation and scoring process.

John Maddison is Sr. Vice President, Products and Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.