Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Security is a Top Concern for SD-WAN. Is Your Solution Ready?

The Necessity of Native Security Controls in an SD-WAN Environment Cannot be Overstated

The Necessity of Native Security Controls in an SD-WAN Environment Cannot be Overstated

According to a recent report from Gartner, security is the top concern for organizations updating their wide-area networks (WANs). This is followed by wanting to ensure high-performance connectivity to their branch offices and managing escalating costs associated with traditional connections such as MPLS.

Part of the challenge is that today’s networks are highly interconnected, with data moving across and between different ecosystems and devices. Both core data centers and cloud environments need to connect to branch offices and IoT devices to meet new digital business requirements. To address the growing need for agile and scalable connections, organizations are replacing their traditional WAN connections to their remote locations with SD-WAN.

SD-WAN security is harder than it looks

As a result of digital transformation efforts, many organizations have had to implement a hybrid security strategy in order to secure each of the ecosystems they adopt and connect to. Unfortunately, few security solutions can support every new networked environment, and even when they can, they don’t provide consistent functionality across each of them. This problem is compounded when they try to extend the complex, multi-vendor security strategy they have deployed inside their core networks to their cloud, mobility, and SD-WAN environments. Not only do these hybrid, multi-vendor architectures fail to provide consistent levels of protections in different environments, they also fail to provide seamless security for the data, applications, and workflows moving between these environments.

And because all of these environments are interconnected, the potential attack surface is rapidly expanding exponentially. As a result, a weak security profile in any area of the extended network becomes a threat to the entire organization. This risk increases further as organizations leverage the Internet to enable more efficient cloud connections directly from the branch. While these connections may address network latency and traffic congestion challenges to increase performance, they also introduce security concerns that can’t be addressed with traditional security tools and gateways.

SD-WAN vendors tend to not do security

Unfortunately, of the more than 60 vendors currently providing SD-WAN solutions, almost none of them provide a truly integrated security strategy. While many provide basic VPN connections and some simple stateful security for Layer 2 and 3 protections, they do not address the range of Layer 4-7 security issues that today’s digital businesses are increasingly exposed to. Instead, the depend on other vendors to provide advanced security functions such as intrusion prevention, web filtering, malware analysis, SSL and IPSec inspection, and sandboxing.

A big part of the issue is that SD-WAN solutions tend to be chosen and implemented by networking teams to address the issues of performance and cost, which means that security tends to be a concern that only gets addressed after the fact. But as security resources remain constrained and the security skills gap continues to widen, bolting on security solutions after an SD-WAN solution is in place is a strategy that rarely meets its intended goals. There are simply not enough resources to design, deploy, implement, optimize, and manage yet another set of security tools, especially not ones located at the branch end of the connection.

Traditional security solutions aren’t much better

However, attempting to use any of the existing security solutions already deployed inside the core network creates an entirely new problem. Many of these devices, whether physical or virtual, were never designed for the sort of scalability, elasticity, and performance requirements of SD-WAN. 

For example, data and transactions that move through the public Internet between the branch and other destinations—whether the core data center, other branch offices, mobile users, or one of several cloud environments—must be encrypted. But inspecting encrypted traffic is the Achilles Heel of most security devices, forcing most NGFWs to drop to their knees. The resulting impact on performance can actually negate the advantages achieved by adopting an SD-WAN solution.

Likewise, they don’t interoperate with similar solutions—or even solutions from the exact same vendor—that have been deployed in the cloud. As a result, those few vendors who recognize the need for integrated security across environments are going to extreme lengths to provide it, such as deploying IPS inside a container inside a network device. Strategies that try to wedge a traditional security solution into the middle of a highly elastic environment have many of the exact problems that trying to extend existing security solutions to SD-WAN have: they tend to fail due to issues around scalability and management complexity.

To preserve SD-WAN functionality, you need native security controls 

To help organizations avoid the challenges created by having to adopt a fragmented, multi-vendor security strategy to protect their SD-WAN deployments, SD-WAN providers need to deliver threat protection at the cloud’s edge as well as the customer’s WAN gateway points. Unfortunately, few SD-WAN vendors have risen to the challenge.

What’s needed are security tools that provide the full range of security solutions today’s digital businesses need that are also natively integrated into the SD-WAN solution. In this way, security can dynamically adapt to changes in connectivity and support business-critical applications and transactions. Those tools also need to seamlessly interoperate with tools deployed in other environments, whether in the core network, in the cloud, or deployed in endpoint and IoT devices. And finally, they all need to be managed through a single management and analysis console to ensure that policies can be easily deployed, orchestrated, and updated wherever data and workflows need to travel.

The necessity of native security controls cannot be overstated, regardless of where security is being deployed. In an SD-WAN environment, security needs to not only protect data and resources, but also ensure that its two primary objectives—performance and controlling costs—are preserved. This includes maintaining security without impacting latency-sensitive communications, supporting constantly evolving applications, integrating with DevSecOps strategies, and seamlessly straddling different networked environments.

Written By

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).