IT Leaders Are Concerned About SD-WAN Security

By Nirav Shah | December 20, 2018

SD-WAN Experiencing Dynamic Growth

Gartner recently completed a survey that highlights key concerns organizations face as they implement an SD-WAN solution, and strategies for addressing those challenges. SD-WAN has seen rapid growth over the past two years, with the total addressable market ballooning from $225 million in 2015 to $1.3 billion this year, and some experts predict that it will jump to as much as $4.6 billion in 2022.

The driver behind this growth is exactly what you’d expect—digital transformation. Branch offices can no longer simply function as a satellite connected to a central network. Today’s next-gen branch leverages multiple connections, from SaaS and IaaS multi-cloud connections to direct internet connectivity from corporate-owned and BYOD assets. It also relies on high-speed connectivity to the core network, but with local awareness of things like business applications and the need for real-time data.

Traditional MPLS connections are not only expensive in some markets like the US, but they are also quite rigid—which means that digital business development efforts can often accelerate beyond the ability of a traditional branch office connection to keep up.

Adding Security to SD-WAN Can Be a Serious Challenge

While the power and agility that SD-WAN provides are what drive its adoption, it is the need to protect that environment that keeps executives up at night. According to the same Gartner survey, “72% of the respondents said that security was their topmost concern when it comes to their WAN.” [1] This growing concern for SD-WAN security is due, in large part, to the glaring lack of adequate security being provided by WAN equipment vendors. As networks and networked devices become more interconnected through the use of business applications and workflows that span and cross environments, any element of the network, from cloud connections to remote end-user and IoT devices to branch SD-WAN connections, can become the weak link that exposes the entire organization to threats.

Currently, however, most of the more than 60 SD-WAN vendors operating in the market support only basic capabilities such as stateful firewalling and VPN. Unfortunately, given the state of the cybersecurity challenges organizations face today, these are not at all enough to protect a remote branch from attack.

This requires organizations to resort to bolting on security after the fact. Protecting a branch office requires things like intrusion prevention, malware analysis, web filtering, sandboxing, and SSL traffic inspection. But to provide these services, organizations need to create and implement complex strategies, including the deployment of networking or security gear at the branch, while vendors are doing things like adding IPS as a container inside their SD-WAN solution. All of this can be very complicated to manage.

That’s especially true as many organizations simply do not have the IT resources needed to deploy, implement, fine-tune, and manage these additional security elements, particularly when they are deployed at a remote branch office where few IT resources exist. In addition, many of the legacy security solutions organizations try to add to their SD-WAN deployment have a difficult time adapting to today's dynamically shifting and highly elastic SD-WAN architectures.

The Value of Deploying Secure SD-WAN

For a security solution to meet the demands of an SD-WAN architecture, security needs to be part of your original SD-WAN planning so that it can be thoroughly integrated into WAN functionality and can tie into and across other security tools to better detect and prevent today’s advanced threats.

Just as important, it needs to share many of the same design tenets as the WAN, including speed, agility, flexibility, and scalability so that SD-WAN and security can be as tightly integrated as possible. Deploying SD-WAN that has been natively integrated with a robust security strategy means that the full range of essential security functionality can occur at digital speeds, and with manageable overhead.

Fortinet’s Secure SD-WAN solution is fully integrated into the FortiGate Next-Gen Firewall solution to provide:

  • Native NGFW functionality, including IPS inspection, flexible and scalable VPN, anti-malware, web filtering, sandboxing, and high-performance SSL inspection designed for SD-WAN environments
  • Centralized collection, correlation, and analysis for all threat intelligence
  • Consistent security deployment and protection across all interconnected ecosystems
  • Deep integration between all security elements for advanced threat detection
  • Automated synchronization between security elements regardless of where they are deployed
  • Continuous threat assessment to ensure it is able to see and respond to the latest threat vectors
  • Dynamic threat response that automatically leverages all relevant security technologies to address threats wherever they occur, and at digital speeds

In addition, Fortinet’s Secure SD-WAN solution includes engineered processors that accelerate its ability to perform critical security functions such as SSL-encrypted traffic inspection. Nearly three-fourths of all network traffic is now SSL-encrypted, and SSL inspection requires massive amounts of processing power (which cripples nearly every NGFW solution on the market today). Relying on bolted-on solutions to inspect encrypted traffic therefore forces organizations either to forfeit the performance advantages of their SD-WAN deployment in favor of security, or to simply not adequately inspect traffic. In side-by-side comparisons, however, Fortinet devices provide SSL-inspection speeds that dwarf the competition, which is why we are also the only vendor to publicly publish our SSL inspection performance numbers.

Finally, Fortinet’s Secure SD-WAN provides native management of remote VPN connectivity to allow organizations to maintain appropriate levels of security protection and inspection, and ensure high levels of visibility and control not only for data and applications passing through the SD-WAN environment but also for those that span the entire distributed network.

The SD-WAN vendor community has not only done a poor job of integrating adequate and meaningful security, it has also not made it easy to integrate a comprehensive security framework into its solutions. This mistake not only puts the organization implementing unsecured SD-WAN at higher risk, but the process of bolting on security after the fact (often using legacy security tools that were never really designed for the complexities of an SD-WAN deployment) creates unnecessary complexity and overhead, not only increasing total cost of ownership but impacting much of the value of deploying an SD-WAN strategy in the first place.

Implementing consistent security without compromising SD-WAN performance and functionality is critical, which means any secure SD-WAN solution needs not only to provide industry-leading protection and performance, but also to integrate across hybrid, multi-ecosystem networks without adding complexity to overall security visibility, management, and orchestration.

[1] Gartner, “Survey Analysis: Address Security and Digital Concerns to Maintain Rapid SD-WAN Growth,” 12 November 2018.
