This is a summary of a byline by Fortinet’s John Maddison that first appeared in SecurityWeek on October 25, 2018.
Traditionally, branch offices have been treated as a satellite to the core network, often receiving slower connections to the data center and delayed access to information. As organizations undergo digital transformation, however, its advantages need to be extended to the entire workforce, including branch offices. That’s because competing in today’s digital marketplace requires every worker to have real-time access to data, as well as the ability to use and manage business applications and workflows. They also need to support their own mobile workforce, leverage internet-based connections to cloud-based services, and maintain a dynamic infrastructure that includes connections to other networked systems.
Because of these needs, traditional, static MPLS connections simply no longer work for many of today’s next-gen branch offices. As a result, organizations are adopting SD-WAN to make their branch offices faster, more efficient, much more flexible, and cost-effective.
SD-WAN provides branch offices “with instant access to distributed resources, whether they are located in a central data center, in a multi-cloud deployment, or somewhere else across the connected network. And it does this without the rigid implementation requirements and expensive overhead of traditional MPLS connections.” — SecurityWeek, October 25, 2018
SD-WAN Security is Often Overlooked
Because SD-WAN tends to be an extension of the network, security teams are often not included in the process of selecting or implementing a solution. As a result, security teams are left trying to retrofit existing security tools into this new environment, often with lackluster results. Part of the challenge is that few SD-WAN solutions include much more than basic stateful security and a VPN connection.
“Bolting on security after the fact – often using the legacy security tools in place that were never really designed for the complexities of an SD-WAN deployment — creates unnecessary complexity and overhead, thereby increasing total cost of ownership.” — SecurityWeek, October 25, 2018
Reasons for this include limited staffing resources to adequately implement, tune, and manage another security implementation, especially when it involves the overly complicated security solutions being proposed by some vendors, such as relying entirely on third-party vendors or trying to deploy and manage an IPS solution loaded inside of a container that has been deployed inside of a router.
Essential SD-WAN Security Requirements
Securing SD-WAN means meeting several essential security requirements. They include:
1. Insist on built-in NGFW protection — Native NGFW security in an SD-WAN solution enables consistent inspection, detection, and protection while providing essential security functions such as NGFW, IPS, web filtering, malware detection, sandboxing, VPN, and SSL/IPSec inspection.
2. Security solutions need to be integrated — Individual, isolated security tools limit visibility. Addressing this challenge requires security components that not only can see and work with each other, but that can be easily and seamlessly integrated into your existing security architecture.
3. Encrypt and inspect SD-WAN traffic — Data passing over the public Internet needs to be protected. Unfortunately, inspecting SSL and IPSec traffic cripples the performance of nearly every legacy NGFW solution available. Instead, organizations need to ensure they select a solution that meets their performance and security requirements.
Security needs to be part of your SD-WAN strategy from Day One
SD-WAN allows organizations to compete more quickly and efficiently in today’s digital marketplace. However, given the growth of sophisticated and pervasive threats and malware, extra caution must be taken to avoid fundamental security errors when implementing SD-WAN security. This includes implementing advanced security functionality that is thoroughly and natively integrated into your SD-WAN solution so it can adapt and scale to changing network environments, while also detecting and preventing advanced threats, all at digital speeds.
For more information on common mistakes made when implementing SD-WAN security, read the full byline by Fortinet's John Maddison in SecurityWeek.