As organizations explore SD-WAN as a way to make their networks more configurable and efficient, some will inevitably have questions about the technology’s security.
In general, there are two schools of thought on SD-WAN security. One holds that because most SD-WAN vendors use IPsec to protect data in transit, the technology is therefore secure. The other holds that SD-WAN is not secure because it doesn’t inspect network traffic for threats before forwarding it. As with many things in life, there’s a bit of truth in both views. SD-WAN typically uses encrypted tunneling technology like IPsec to protect traffic from eavesdropping and man-in-the-middle attacks while it’s in transit.
But SD-WAN technology, in itself, doesn’t inspect traffic for malware and other threats as it enters the network. For example, it offers no protection when a malicious file already sits on either end of the connection. So if an employee forwards an email containing ransomware to a co-worker, a bare-bones SD-WAN installation has no tools to pump the brakes; the tunnel simply encrypts the message and delivers it intact. Without additional security tools, that email will be sent.
A big hole
In a sense, this is quite the gaping security hole. WAN edge devices have traditionally not been intelligent enough to screen out bad traffic; they forward whatever they are given.
In addition, SD-WAN, like most other software packages, can ship with vulnerabilities of its own. In recent months, some vendors have issued vulnerability alerts and advised users to update their software, so the SD-WAN controllers and edge devices themselves need to be patched like any other infrastructure.
It’s worth noting, however, that SD-WAN in general is neither more secure nor less secure than traditional WAN technologies. The network isn’t a security tool. As with traditional WAN services, it makes no determination of which traffic or sites are trusted; in most cases, organizations simply treat their branch offices as trusted.
As with older WAN technologies, the vulnerability lies at the sites themselves, not in SD-WAN. The platform’s job is to secure the transport, and it does that using encrypted tunneling technology.
Better options through the cloud
But organizations adopting SD-WAN do have options to better secure their networks. Some SD-WAN and security vendors now offer “secure” SD-WAN, which typically means a traffic-inspection service at the edge of the network. In many cases, this is a cloud-based service, with firewalls, threat detection, and related products inspecting network traffic before it moves over the WAN.
Cloud-based security services make a lot of sense in an SD-WAN setting. With many organizations adopting SD-WAN to drive more efficiency in their networks, a heavyweight, appliance-based security system works against the reasons for installing SD-WAN in the first place. Security inspection must not become a bottleneck that slows down the traffic it is protecting.
In addition, many organizations will not want to install new appliances at the branch office. Such installations slow down the adoption of SD-WAN and potentially limit the configurability of the network. With many employees working from home due to the COVID-19 pandemic, home offices are now branch offices. Who will install security appliances in every home office?
As networking and security teams work out the security measures a new SD-WAN installation requires, they should talk about centralized vs. distributed security enforcement. The cloud-based security model described above is an example of a distributed approach, with inspection happening close to each site, but some organizations may want a more centralized system that backhauls traffic to a single inspection point. For others, security provided through a regional hub may be the best approach.
One of the advantages of SD-WAN is its configurability, and organizations can decide that some offices need a centralized security approach, to take advantage of a more heavily fortified inspection point. Others can use a more distributed approach with cloud-based security applied at the edges. SD-WAN gives organizations the flexibility to choose which approach is best for each site, depending on the traffic it sees.
SD-WAN certainly offers organizations more network flexibility, visibility, and scalability. Organizations looking at the technology should, however, be aware of the security issues they will face as they adopt the technology. In many cases, working with a managed services provider will help ensure that the SD-WAN adoption is as secure as it can be.