
Refining SD-WAN Security: Considerations & Best Practices

By Nirav Shah | January 11, 2018

SD-WAN security is a multifaceted challenge facing network administrators. As organizations have demanded better security for their cloud applications, SD-WAN vendors have started to promote VPN tunnels, next-generation firewalls, microsegmentation, and various IPsec solutions. However, they often fail to confront the most significant challenge in SD-WAN security: integrating these controls in a meaningful way, so that they are managed, enforced, and monitored together rather than as separate products.

Many embedded security features rely on Layer 3 network controls (IP-based access lists and tunnel encryption) and don't provide the application-layer inspection and cloud-application security functions required in a modern IT environment. Instead, many embedded security options for SD-WAN-enabled appliances exist mainly to tick a box on a specification sheet, while the product's real emphasis is on forwarding packets as fast as possible.

This approach to SD-WAN security is incomplete and will expand your organization's attack surface: every branch gains direct internet breakout, but without the inspection that used to happen at the data center. Instead, organizations need to take an integrated, centrally orchestrated approach to SD-WAN security as soon as possible.

What is SD-WAN?

With the escalating adoption of bandwidth-hungry SaaS applications, VPs of networking are having to rethink their wide area networking (WAN) strategies. Instead of accommodating increasing and variable demand with costly, inflexible WAN connections, network leaders have turned to software-defined wide area networks (SD-WAN). 

SD-WAN architecture is attractive not only because it provides more efficient and cost-effective bandwidth allocation, but also because it improves WAN performance, agility, and operational flexibility. As network leaders assess their SD-WAN options, however, what is often missing from their deliberations is how to adequately address security risks.

Diagram showing how SD-WAN security works

Why a Basic Approach to SD-WAN Security Isn’t Enough

Embedded security may seem like a moot point for many enterprises in which security and networking are handled by different functions in the organization. The networking team deploys an SD-WAN solution, and the security team is responsible for deploying a next-generation firewall (NGFW) as a gatekeeper for the SD-WAN-enabled appliance. But if implementing SD-WAN involves two teams, managing two types of products, using separate management consoles, the TCO of the solution may become more than what the CIO bargained for.

What's more, a lack of integration between SD-WAN and NGFW products also heightens risk due to potential gaps between the disparate technologies, such as traffic that one device steers along a path the other never inspects, that cybercriminals are highly motivated to exploit. Finally, and perhaps more importantly for some, network performance bottlenecks are almost guaranteed to ensue. For example, increasing SSL-encrypted enterprise traffic, which now comprises over 50% of all network traffic, must be decrypted and thoroughly checked for hidden malware, a CPU-intensive process that results in significant overhead for many traditional NGFW solutions.

What You Need from an Integrated Secure SD-WAN and NGFW Solution

In an attempt to address this challenge, a number of vendors have begun to offer advanced firewall features embedded into their SD-WAN appliances. It sounds promising until you realize they’re not really integrated: You must still manage separate security and networking domains, which hampers IT visibility and control.

So, what’s left? As is often the case, the answer is revealed through a change in perspective: Rather than trying to find an SD-WAN solution with security features, you might be better served by seeking to create a secure environment for implementing SD-WAN. One of the best available ways to do so is through an SD-WAN-enabled next-generation firewall.

For enterprises with high security requirements, an NGFW is essential to provide Layer 3 through Layer 7 protection. But what about SD-WAN functionality? So that "SD-WAN-enabled NGFW" does not become a label for a firewall with token SD-WAN features, candidate NGFWs claiming to provide SD-WAN functions should be assessed for several key capabilities:

  • Application and Path Awareness. As an SD-WAN-enabled appliance, the NGFW must have path awareness intelligence, automatically routing packets from each application according to application-level SLAs, prioritizing them by criticality, time of the day, and so on. It should also be application aware, enabling network admins to monitor the changing traffic patterns of the applications traversing the WAN so they can modify policies accordingly.

  • Integrated Security and Compliance. This secure environment should not only include key security features, such as high-throughput IPsec VPN and SSL inspection, but also compliance tracking and reporting. With applications dispersing packets across multiple WAN pathways in an SD-WAN, you don’t want to spend hours retracing the routes of suspect packets by toggling between multiple apps.

  • Automation. Advanced NGFW hardware design (for example, offloading IPsec and SSL inspection to dedicated processors) is key to ensuring that firewall functions do not compromise WAN path routing. Otherwise, the performance gains promised by SD-WAN may be negated by security-induced latency.

  • Multi-Broadband Support. Rather than relying on an erratic 4G/3G network as the only failover for multiprotocol label switching (MPLS) lines, the firewall should also be able to leverage the public internet in order to maximize WAN availability.

  • TCO-Reducing Features. Consolidated management almost goes without saying. It doesn't pay to use an integrated solution if it needs to be managed through two different consoles. Furthermore, an SD-WAN-enabled firewall that offers zero-touch deployment will also relieve much of the burden associated with SD-WAN implementation.
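The "application and path awareness" and "multi-broadband support" bullets above describe one mechanism: each application carries an SLA (latency, jitter, loss) and a criticality, the appliance probes every WAN underlay, and traffic is steered to the first preferred path that still meets the SLA, falling back to the least-degraded live path when none does. The following Python is an added illustration of that selection logic, not code from the article or from any vendor's product; the path names (mpls, broadband, lte), the probe values and the application SLAs are constructed sample data, and the tie-break order for degraded paths (lowest loss, then latency, then jitter) is an assumption.

```python
"""SLA-driven WAN path selection with failover (illustrative example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PathMetrics:
    """Latest probe results for one WAN underlay. Values below are constructed."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass
class AppSLA:
    """Per-application requirements. criticality 1 is the most critical.
    `preferred` lists path names in policy order (e.g. cheapest path that is good enough)."""
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    criticality: int
    preferred: Tuple[str, ...]


def meets_sla(path: PathMetrics, sla: AppSLA) -> bool:
    """A path qualifies only if it is up and every measured metric is within the SLA."""
    return (path.up
            and path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms
            and path.loss_pct <= sla.max_loss_pct)


def select_path(sla: AppSLA, paths: Dict[str, PathMetrics]) -> Optional[str]:
    """Return the first preferred path that meets the SLA.

    If no preferred path meets it, fail over to the least-degraded path that is
    still up (assumed tie-break: loss, then latency, then jitter) so the
    application keeps working rather than being blackholed. Return None only
    when every allowed path is down.
    """
    for name in sla.preferred:
        candidate = paths.get(name)
        if candidate is not None and meets_sla(candidate, sla):
            return name
    live = [paths[n] for n in sla.preferred if n in paths and paths[n].up]
    if not live:
        return None
    best = min(live, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
    return best.name


def steer_all(slas: List[AppSLA], paths: Dict[str, PathMetrics]) -> List[Tuple[str, Optional[str]]]:
    """Steer every application, most critical first, and return (app, path) pairs."""
    ordered = sorted(slas, key=lambda s: s.criticality)
    return [(s.app, select_path(s, paths)) for s in ordered]


def sample_paths() -> Dict[str, PathMetrics]:
    """Constructed probe data: a clean MPLS circuit, a decent broadband link, a noisy LTE link."""
    return {
        "mpls": PathMetrics("mpls", latency_ms=25, jitter_ms=2, loss_pct=0.0),
        "broadband": PathMetrics("broadband", latency_ms=40, jitter_ms=8, loss_pct=0.5),
        "lte": PathMetrics("lte", latency_ms=90, jitter_ms=30, loss_pct=2.0),
    }


def sample_slas() -> List[AppSLA]:
    """Constructed application policy: voice is strict and critical, backups are neither."""
    return [
        AppSLA("voip", 60, 10, 1.0, criticality=1, preferred=("mpls", "broadband", "lte")),
        AppSLA("saas_crm", 120, 40, 2.0, criticality=2, preferred=("broadband", "mpls", "lte")),
        AppSLA("backup", 500, 100, 5.0, criticality=3, preferred=("broadband", "lte")),
    ]


if __name__ == "__main__":
    paths = sample_paths()
    print("healthy:", steer_all(sample_slas(), paths))
    paths["mpls"].loss_pct = 3.0          # MPLS starts dropping packets
    print("mpls degraded:", steer_all(sample_slas(), paths))
    paths["broadband"].up = False         # broadband goes down as well
    print("broadband down:", steer_all(sample_slas(), paths))
```

In the healthy state voice stays on MPLS and the SaaS and backup traffic use the cheaper broadband link; when MPLS loss rises above the voice SLA, voice moves to broadband, and when broadband also fails it lands on LTE as a best-effort choice rather than being dropped. A production implementation would add hold-down timers so a briefly flapping path does not cause constant re-steering, and, as the article argues, the same policy engine should know which path a flow took so that inspection logs can be correlated with it.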

Conclusion: Who Should Maintain Your SD-WAN—Networking or Security?

That’s up to you. A fully integrated secure SD-WAN solution should integrate both networking and security functions for simplified management through a single pane of glass. This not only reduces finger-pointing and wasted time, but also increases your flexibility in allocating FTE resources.

One thing is certain: an SD-WAN focused solely on network performance won't provide the protection you need. However, by integrating your SD-WAN with crucial security features, you can lower TCO while meeting the needs of both your networking and security teams, if you know what to look for.

Take a security-driven networking approach to improve user experience and simplify operations at the WAN edge with Fortinet Secure SD-WAN.