Building a secure SD-WAN architecture
Thu 25 May 2017 | Michael Wood
Michael Wood, VP at VeloCloud, discusses the top requirements for a comprehensive SD-WAN security strategy…
Security is often the single biggest concern that CIOs and CISOs have when they are contemplating a new networking architecture. They want to be sure that moving from a traditional WAN architecture to one that is software-defined (SD-WAN) improves security, especially in an environment where they need the business agility to get remote sites up and running quickly.
An SD-WAN is a logical overlay network that runs over any WAN transport – public Internet, private circuits such as MPLS, even LTE – and is independent of any particular carrier or service provider. The overlay is built between SD-WAN nodes, called edges, which can be deployed at branches and/or data centers. A cloud-delivered variation extends the overlay to any cloud Point-of-Presence (PoP) or data center.
A key value is that SD-WAN applies one secure connectivity model across all transports while remaining transport-independent. There is no need to provision a different security mechanism for each transport type, or to rely on the transport provider to secure the path.
The overlay can support a wide variety of security capabilities; the following are the requirements that belong on every SD-WAN security checklist.
Encryption and authentication
With SD-WAN, traffic is encrypted end to end (edge to edge) across any transport, including the Internet, and every element of the system – edges, gateways, orchestrator – must be authenticated before it can take part in the overlay. Key exchange is managed centrally rather than configured tunnel by tunnel, which is what makes it scale and keeps it easy to operate. The result is direct, secure communication between branches and data centers, and to the cloud via gateways: devices and components are authenticated, and the traffic they carry across the network is encrypted.
Segmentation
Most enterprises today need segmentation, either to isolate particular traffic for regulatory reasons – PCI cardholder data, for example – or to give business groups such as Finance, Marketing and HR their own network segments. Enterprises can address this the way a service provider would, using virtual LANs (VLANs) or virtual routing and forwarding (VRF). SD-WAN can carry that segmentation across the overlay and do so more securely than MPLS: MPLS separates traffic but does not encrypt it, whereas the SD-WAN overlay encrypts all traffic between edges, so the isolation holds even over an untrusted transport. Segmentation is only as strong as its enforcement at the edge, though: the edge policy must actually keep segments from reaching one another, not merely label the traffic.
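The two points above, that an edge is authenticated before any key is derived and that segment isolation rides on top of the encryption, can be shown in a small model. The Go program below is an added example written for this page; it is not VeloCloud code and does not describe any vendor's actual key-exchange protocol. It assumes a registry of enrolled Ed25519 identities standing in for the orchestrator, an X25519 exchange signed by those identities, and AES-GCM with the segment ID as associated data. The edge names (branch-01, dc-east, rogue) and segment IDs (100 for PCI, 200 for guest) are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Edge is one SD-WAN node: a long-term Ed25519 identity enrolled with the
// orchestrator, plus a fresh X25519 key generated for this tunnel.
type Edge struct {
	Name string
	id   ed25519.PrivateKey
	eph  *ecdh.PrivateKey
}

func NewEdge(name string) *Edge {
	_, id, _ := ed25519.GenerateKey(rand.Reader)
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &Edge{Name: name, id: id, eph: eph}
}

func (e *Edge) Pub() ed25519.PublicKey { return e.id.Public().(ed25519.PublicKey) }

// Registry stands in for the orchestrator's enrolment table (assumed model).
type Registry map[string]ed25519.PublicKey

// Hello is the handshake message: the ephemeral key signed by the identity key.
type Hello struct {
	Name     string
	Eph, Sig []byte
}

func (e *Edge) Hello() Hello {
	eph := e.eph.PublicKey().Bytes()
	return Hello{e.Name, eph, ed25519.Sign(e.id, append([]byte(e.Name+"|"), eph...))}
}

type Tunnel struct{ aead cipher.AEAD }

// Establish verifies the peer's Hello against the registry, runs X25519, and
// derives the pair key with HMAC-SHA256 over the shared secret and both names.
func (e *Edge) Establish(reg Registry, p Hello) (*Tunnel, error) {
	pub, ok := reg[p.Name]
	if !ok || !ed25519.Verify(pub, append([]byte(p.Name+"|"), p.Eph...), p.Sig) {
		return nil, fmt.Errorf("peer %q not enrolled or signature invalid", p.Name)
	}
	peerPub, err := ecdh.X25519().NewPublicKey(p.Eph)
	if err != nil {
		return nil, err
	}
	shared, err := e.eph.ECDH(peerPub) // rejects low-order points
	if err != nil {
		return nil, err
	}
	a, b := e.Name, p.Name // sort the names so both ends derive the same key
	if a > b {
		a, b = b, a
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write([]byte("sdwan-overlay-v1|" + a + "|" + b))
	block, _ := aes.NewCipher(kdf.Sum(nil)) // 32-byte output selects AES-256
	aead, _ := cipher.NewGCM(block)
	return &Tunnel{aead}, nil
}

// segTag puts the segment (VRF) ID into the AEAD associated data, so a packet
// replayed into another segment fails authentication.
func segTag(seg uint32) []byte { return binary.BigEndian.AppendUint32(nil, seg) }

func (t *Tunnel) Seal(segment uint32, packet []byte) []byte {
	nonce := make([]byte, t.aead.NonceSize())
	rand.Read(nonce)
	return append(nonce, t.aead.Seal(nil, nonce, packet, segTag(segment))...)
}

func (t *Tunnel) Open(segment uint32, wire []byte) ([]byte, error) {
	if n := t.aead.NonceSize(); len(wire) >= n {
		return t.aead.Open(nil, wire[:n], wire[n:], segTag(segment))
	}
	return nil, fmt.Errorf("short packet")
}

// Demo: two enrolled edges carry a PCI-segment packet; replaying it into the
// guest segment and a handshake from an unenrolled edge both fail.
func Demo() (plain string, crossSegErr, rogueErr error) {
	branch, dc, rogue := NewEdge("branch-01"), NewEdge("dc-east"), NewEdge("rogue")
	reg := Registry{branch.Name: branch.Pub(), dc.Name: dc.Pub()}
	tB, errB := branch.Establish(reg, dc.Hello())
	tD, errD := dc.Establish(reg, branch.Hello())
	if errB != nil || errD != nil {
		panic("enrolled edges failed to establish a tunnel")
	}
	wire := tB.Seal(100, []byte("card-lookup")) // segment 100 = PCI (assumed)
	pt, _ := tD.Open(100, wire)                  // honest case; plain is "" on failure
	_, crossSegErr = tD.Open(200, wire)          // segment 200 = guest (assumed)
	_, rogueErr = dc.Establish(reg, rogue.Hello())
	return string(pt), crossSegErr, rogueErr
}
```

Calling Demo shows the rogue edge's handshake refused before any key is derived, and the same ciphertext failing the GCM tag check when opened under the guest segment: the segment label is cryptographically bound to the packet rather than being a header a misconfigured edge could ignore. A production implementation would use counter-based nonces with periodic rekeying instead of random nonces, and would distribute the enrolment table as certificates rather than raw keys.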
Secure services insertion
An SD-WAN solution will typically have built-in foundational security capabilities, such as a Layer 7 next-generation firewall in the edge devices, but it isn't necessarily a best-of-breed security solution. Additional security services can be inserted wherever they are needed to provide the full set of capabilities an enterprise requires.
There are several places where security services can be inserted into the network: at the branch, in the cloud, and on-premises at the data center or corporate headquarters. The flexibility of service insertion allows an enterprise to put functions such as virus scanning and data loss prevention as close to the relevant traffic as possible. The SD-WAN is able to do deep application recognition, which enables very granular control over how specific traffic is routed through security services.
Secure zero-touch provisioning
A traditional WAN deployment often requires an IT visit to the branch to physically install and configure the equipment, which doesn't scale. The alternative of shipping a fully configured device is not secure either: a pre-staged box carries credentials and configuration, so a unit lost or intercepted in transit is a real exposure. In contrast, SD-WAN allows the enterprise to drop-ship an unconfigured edge device to the branch, where local non-IT personnel can install it – essentially plug it in.
IT centrally creates a configuration, typically as a group profile, that the box pulls down after authenticating with a unique activation key, or that a cloud redirector pushes to the box after it "calls home". Either way, no IT visit or pre-staging is required, and a box lost en route carries no configuration or credentials to expose. The activation key is the security boundary of this process, so it should be single-use, time-limited, bound to the specific device, and delivered to the site separately from the hardware. Setup and configuration are simple enough that a branch can come onboard in hours or days rather than weeks or months.
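As an added example, not code from the original page and not VeloCloud's activation protocol, here is the orchestrator side of the activation-key flow in Go, modelling the properties the paragraph relies on: the key is bound to one serial number and one group profile, expires, works exactly once, and can be revoked if the box goes missing in transit. The serial numbers, group names and 72-hour validity are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Profile is the group configuration IT authors centrally. It is released to
// a box only after activation and never travels with the hardware.
type Profile struct {
	Group   string
	Segment uint32
	Peers   []string
}

// pending is one issued-but-unused activation key, bound to a serial number.
type pending struct {
	serial  string
	group   string
	expires time.Time
	used    bool
}

// Orchestrator stores issued keys as HMAC digests under a server secret, so a
// copy of this table cannot be used to activate anything.
type Orchestrator struct {
	secret   []byte
	profiles map[string]Profile
	pending  map[string]*pending
	now      func() time.Time // injectable clock for tests
}

func NewOrchestrator(profiles map[string]Profile) *Orchestrator {
	secret := make([]byte, 32)
	rand.Read(secret)
	return &Orchestrator{secret, profiles, map[string]*pending{}, time.Now}
}

func (o *Orchestrator) digest(key string) string {
	m := hmac.New(sha256.New, o.secret)
	m.Write([]byte(key))
	return hex.EncodeToString(m.Sum(nil))
}

// IssueKey mints a single-use activation key for one serial number and one
// group profile, valid for ttl. IT hands the key to the site out of band; the
// drop-shipped box carries nothing but its serial.
func (o *Orchestrator) IssueKey(serial, group string, ttl time.Duration) (string, error) {
	if _, ok := o.profiles[group]; !ok {
		return "", fmt.Errorf("unknown group %q", group)
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	key := hex.EncodeToString(raw)
	o.pending[o.digest(key)] = &pending{serial: serial, group: group, expires: o.now().Add(ttl)}
	return key, nil
}

// Activate is the box "calling home" with its serial and the key the site
// operator typed in. The profile is released only if the key is known,
// unused, unexpired, and was issued for this serial.
func (o *Orchestrator) Activate(serial, key string) (Profile, error) {
	p, ok := o.pending[o.digest(key)]
	switch {
	case !ok:
		return Profile{}, errors.New("unknown activation key")
	case p.used:
		return Profile{}, errors.New("activation key already used")
	case o.now().After(p.expires):
		return Profile{}, errors.New("activation key expired")
	case p.serial != serial:
		return Profile{}, errors.New("key was issued for a different serial")
	}
	p.used = true
	return o.profiles[p.group], nil
}

// Revoke withdraws a key, for example when the box is reported lost in transit.
func (o *Orchestrator) Revoke(key string) { delete(o.pending, o.digest(key)) }

func main() {
	// Constructed profile and serial; not a real deployment.
	o := NewOrchestrator(map[string]Profile{
		"retail-branch": {Group: "retail-branch", Segment: 100, Peers: []string{"dc-east", "dc-west"}},
	})
	key, _ := o.IssueKey("SN-0001", "retail-branch", 72*time.Hour)
	prof, err := o.Activate("SN-0001", key)
	fmt.Printf("first activation: %+v err=%v\n", prof, err)
	_, err = o.Activate("SN-0001", key)
	fmt.Println("second activation:", err)
}
```

The second Activate call fails because the key is consumed on first use, which is what makes a drop-shipped box safe to lose: without a valid, unexpired key for its own serial the hardware obtains nothing. The "push from a cloud redirector" variant in the text uses the same gate; only the direction of the first message differs.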
Visibility and compliance
A significant attribute of an SD-WAN overlay, one that also extends back to the cloud, is the ability to recognize thousands of different applications. From a security perspective there is much to gain by combining that deep application recognition with the analytics, monitoring and metrics the orchestrator and controller collect from each edge and gateway. For example, the enterprise can look for anomalies in application usage, screen for unsanctioned applications, and drop the packets of unwanted applications.
The enterprise can apply policies to specific applications, such as routing them through a firewall or a secure web gateway, and traffic steering combined with segmentation can help meet regulatory or internal compliance requirements.
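As an added example, not code from the page or from any vendor, here is a small application-aware policy engine in Go that implements the checks this section describes: unclassified and unsanctioned applications are dropped first, then ordered rules steer sanctioned traffic by segment and application into a firewall, a secure web gateway, or straight onto the overlay. The application names, segment names and rules are constructed for illustration.

```go
package main

import "fmt"

// Flow is what application recognition hands the policy engine for each new
// session: the source segment (VRF) and the identified application ("" when
// the classifier could not identify it).
type Flow struct {
	Segment string
	App     string
}

type Action string

const (
	Direct   Action = "direct"         // straight over the overlay to the nearest gateway
	Firewall Action = "steer:firewall" // hairpin through the data-center next-generation firewall
	SWG      Action = "steer:swg"      // cloud-delivered secure web gateway
	Drop     Action = "drop"
)

// Rule matches on segment and application; "*" matches anything. Rules are
// evaluated in order and the first match wins, so specific rules go first.
type Rule struct {
	Segment, App string
	Action       Action
}

type Policy struct {
	Sanctioned map[string]bool // applications the business has approved
	Rules      []Rule
	Default    Action
}

func (r Rule) matches(f Flow) bool {
	return (r.Segment == "*" || r.Segment == f.Segment) && (r.App == "*" || r.App == f.App)
}

// Decide returns the action for a flow plus a reason for the log. Unclassified
// and unsanctioned applications are dropped before any steering rule runs, so
// a permissive catch-all rule can never admit shadow IT.
func (p Policy) Decide(f Flow) (Action, string) {
	switch {
	case f.App == "":
		return Drop, "unclassified application"
	case !p.Sanctioned[f.App]:
		return Drop, "unsanctioned application " + f.App
	}
	for _, r := range p.Rules {
		if r.matches(f) {
			return r.Action, fmt.Sprintf("rule segment=%s app=%s", r.Segment, r.App)
		}
	}
	return p.Default, "default"
}

// CorpPolicy is a constructed example policy, not a vendor default.
var CorpPolicy = Policy{
	Sanctioned: map[string]bool{"office365": true, "salesforce": true, "payment-gw": true, "web-browsing": true},
	Rules: []Rule{
		{"pci", "payment-gw", Firewall}, // card traffic is always inspected on-premises
		{"pci", "*", Drop},              // nothing else leaves the PCI segment
		{"*", "web-browsing", SWG},      // general web traffic goes via the cloud SWG
		{"*", "office365", Direct},      // trusted SaaS goes direct for performance
	},
	Default: Firewall, // anything sanctioned but unlisted still gets inspected
}

func main() {
	// Constructed sample of classified flows as an edge would see them.
	flows := []Flow{
		{"pci", "payment-gw"}, {"pci", "office365"}, {"corp", "office365"},
		{"corp", "web-browsing"}, {"corp", "salesforce"}, {"guest", "bittorrent"}, {"guest", ""},
	}
	for _, f := range flows {
		a, why := CorpPolicy.Decide(f)
		fmt.Printf("%-6s %-13s -> %-15s (%s)\n", f.Segment, f.App, a, why)
	}
}
```

Two design choices matter here. The sanctioned-application check runs before the rule list, so a broad rule such as `{"*", "*", Direct}` added later for convenience cannot quietly whitelist unknown traffic. And the PCI segment ends with an explicit Drop rule rather than relying on the default, which keeps a regulated segment's behaviour visible in one place when auditors ask how cardholder traffic is confined.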
Security is a top priority for any networking architecture, especially as enterprises move more applications to the cloud. A flexible SD-WAN solution that can address on-premises needs as well as cloud-centric needs, or a combination of both, can cover the full SD-WAN security checklist and provide a more secure architecture than a traditional WAN.