SD-WAN is one of the hottest networking technologies, and as we head into 2019 its growth is only expected to continue. In fact, IDC predicts the SD-WAN infrastructure market will reach $4.5 billion by 2022. With more and more organizations relying on cloud applications to run day-to-day operations (such as Salesforce, JIRA, Confluence, Office 365, etc.), IT departments are under pressure to deliver high-quality, reliable links across the network. SD-WAN enables organizations to do this by curtailing expensive MPLS solutions, moving traffic to public internet lines, and often using secure VPN solutions to communicate between sites. This dramatically reduces transport costs and in many cases increases performance. Network links without assured or guaranteed service can now be used to deliver business-class services, including Voice over IP and video applications.
But as this market blossoms, what type of SD-WAN solution should companies be looking for, and how could it affect a business's overall security? As with any emerging technology, there is no shortage of new vendors making bold claims, and every vendor's definition of the technology varies to match what they can deliver. That's why it's crucial for businesses to truly understand what SD-WAN is and what it isn't before embarking on a new deployment. And, in many cases, firewall appliances now provide SD-WAN services themselves.
The ABCs of SD-WAN
When considering SD-WAN solutions, there are some key criteria every buyer should look for. The first is the use of software to manage connections over different link or connection types – MPLS, cable modem, DSL, 4G and links from different ISPs. Every SD-WAN service should offer dynamic path selection between these different links based on predefined policies set to align with business priorities. They should test circuit performance in real time, measuring packet loss, latency, and jitter to determine whether the line meets the acceptable level of quality for its application traffic. Second, you need traffic management for applications – for example, being able to guarantee 10 Mbps for all Salesforce traffic.
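To make the dynamic path selection described above concrete, here is an added example (not code from the article or from any SD-WAN vendor) that evaluates probe results for each link against per-application loss, latency and jitter thresholds. The link names, threshold values and probe results are constructed for illustration, and the per-link cost rank is an assumed tie-breaker that prefers cheaper links when several meet the policy.

```python
from dataclasses import dataclass

@dataclass
class LinkStats:
    """Most recent probe results for one WAN link (constructed values)."""
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    cost_rank: int  # assumed: lower = cheaper/preferred when several links qualify

# Per-application quality policies (constructed thresholds, an assumption)
POLICIES = {
    "voip":  {"loss_pct": 1.0, "latency_ms": 150, "jitter_ms": 30},
    "video": {"loss_pct": 2.0, "latency_ms": 250, "jitter_ms": 50},
    "saas":  {"loss_pct": 5.0, "latency_ms": 400, "jitter_ms": 100},
}

def meets_policy(link: LinkStats, policy: dict) -> bool:
    """A link is eligible only if every measured metric is within the policy."""
    return (link.loss_pct <= policy["loss_pct"]
            and link.latency_ms <= policy["latency_ms"]
            and link.jitter_ms <= policy["jitter_ms"])

def select_path(app: str, links: list) -> str:
    """Pick the cheapest link that meets the app's policy.

    If no link meets the policy (the failure mode a real deployment must
    handle), fall back to the least-degraded link rather than dropping
    traffic, scoring each metric relative to its threshold.
    """
    policy = POLICIES[app]
    eligible = [l for l in links if meets_policy(l, policy)]
    if eligible:
        return min(eligible, key=lambda l: l.cost_rank).name

    def degradation(l: LinkStats) -> float:
        return (l.loss_pct / policy["loss_pct"]
                + l.latency_ms / policy["latency_ms"]
                + l.jitter_ms / policy["jitter_ms"])
    return min(links, key=degradation).name

# Constructed probe results: a healthy cable line, an MPLS line, and a noisy LTE backup
LINKS = [
    LinkStats("mpls", loss_pct=0.1, latency_ms=40, jitter_ms=5, cost_rank=3),
    LinkStats("cable", loss_pct=0.5, latency_ms=35, jitter_ms=12, cost_rank=1),
    LinkStats("lte", loss_pct=3.0, latency_ms=90, jitter_ms=45, cost_rank=2),
]

if __name__ == "__main__":
    for app in POLICIES:
        print(f"{app:5s} -> {select_path(app, LINKS)}")
```

Re-running the selection with degraded probe values (higher loss or jitter on the cable line) shows voice shifting to MPLS while bulk SaaS traffic stays on the cheaper link.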
Third, when internet connections are used, businesses need to ensure that all data is private and none of the traffic can be viewed by third parties. This requires secure VPN capabilities for site-to-site tunnels with IKEv2-based encryption or TLS-level transport. And finally, "zero-touch" deployment options allow SD-WAN appliances to be shipped to remote locations and configured automatically simply by powering on and connecting to the internet. This ease of deployment is critical, as technical staff and network engineers are scarce, and businesses need to quickly deploy cloud solutions as they roll out new hybrid WAN architectures to distributed sites.
(Note: SD-WAN is typically delivered by placing a routing appliance or physical box in a branch location. Some SD-WAN solutions provide additional security capabilities like antivirus services or web content inspection. And in certain instances, the solution is even offered by the Telecom carrier as part of a monthly managed service.)
“Who” is as important as “what” when it comes to SD-WAN deployment
It's important that additional risk is not introduced when rolling out SD-WAN. Therefore, it matters whether you're using an experienced managed service provider that understands the security of your network and will take the time to understand your needs, versus a Telecom provider. Keep in mind that an inexperienced operator may install SD-WAN routing devices behind a next-gen firewall or Unified Threat Management (UTM) appliance in a way that bypasses the firewall already in place for some or all traffic. This would be a major security vulnerability, because it could expose the internal networks to public access and bypass all malware inspection at the UTM.
In addition, the security capabilities offered with the SD-WAN may give customers a false sense of security. Does the solution rely only on simple signature-based detection to find malware passing through the network? Advanced and evasive threats can easily circumvent basic antivirus solutions. This is why it's critical to have layered, advanced security services, such as behavior-based and artificial-intelligence-enabled antivirus, as part of the overall SD-WAN solution deployed at remote sites. Managed SD-WAN solutions may claim to offer some basic firewall services, but they can also take days to respond to simple requests to implement or change basic rules. For example, if an application no longer needs a port open, a company should be able to implement a change immediately so that the port is no longer exposed.
Consider looking at new SD-WAN functionality in UTM appliances
If you're already running a next-generation firewall and/or a UTM appliance in your network, consider leveraging the SD-WAN capabilities on those devices to streamline and consolidate functionality. This is often a better approach than relying on new SD-WAN providers that lack security expertise. You may be surprised at the rich functionality security vendors have added in the last 12 months.
Meet the Author:
Brendan Patterson, VP of Product Management, WatchGuard Technologies
Brendan Patterson is a Director of Product Management at WatchGuard Technologies, with responsibility for the Fireware operating system, security services, and more. A Certified Information Systems Security Professional (CISSP), Brendan has more than 15 years of experience working with security and networking technologies. Prior to WatchGuard, Brendan was Vice President of Marketing and Product Management at The PowerTech Group, the leader in enterprise security solutions for IBM mid-range servers. Brendan has a master's degree in the Management of Technology from the Massachusetts Institute of Technology, Cambridge, Mass., and a bachelor's degree in mechanical engineering from the National University of Ireland.