Post

SD-WAN Security – Challenges and Solution

The Challenge

SD-WAN addresses flexibility with transport independence, enabling connections over direct internet broadband, MPLS circuits, and LTE/5G. Multiple path types can carry traffic simultaneously so that the best path is automatically selected for optimal application experience. SD-WAN with multi-cloud connectivity has allowed the enterprises to seamlessly move data and workloads from data center to branch to the public cloud.  Thus, the reach of the network is from an enterprise datacenter to large number of branches and to the public clouds.

This flexibility and scalability come at a price – how to secure your data integrity across this end-to-end network? Security needs to be embedded in SD-WAN fabric along with analytics to measure and maintain application QoE. Security has become an important design and selection criterion for SD-WAN vendors and users alike as the branch (where SD-WAN plays an important role) has become a point of concern that can potentially open an entire enterprise to the security threats from outside. In a Gartner survey (Reference: Gartner November 2018) for WAN requirements, security was the biggest WAN concern with 72% respondents placing it their topmost concern.

With the network spanning from the branch to the datacenter to the cloud, enterprises must have a single governance model that spans the entire network that provides application visibility and control. With this governance model all the security policies can be programmed in advance. Having a network that is segmented in pieces across different orchestration systems will just not be enough.

The Solution

As a starting point, microsegmentation techniques can be used to protect the network resources from malicious application by creating private security zones within the network. While microsegmentation provides significant benefits in terms of reducing the attack surface by limiting lateral movement of malware inside datacenter and cloud, organizations need a comprehensive security model that is enterprise-wide: across hybrid cloud, datacenter and branch network.

The following are some additional complementary capabilities that are needed:

  • Comprehensive and embedded Security functions

As traffic traverses from the tightly-managed data centers and spreads to multiple cloud and SaaS platforms, security controls must be at the forefront of the network design. When considering the capabilities of an SD-WAN solution, look for a fully-integrated security functionality that includes

  • A distributed stateful L3-L4 firewall – A L3-L4 firewall can help filter on IP source and destination addresses as well as specific port (layer 4) and a stateful firewall can watch traffic streams from end to end and provide visibility to the administrator.
  • Layer-7 application control with comprehensive DPI engine With the ability to recognize 1900+ applications with DPI, each application traffic flow is recognized, and that traffic flow’s vital statistics are logged and displayed. The administrator can also define security policies that restrict or allow any of the recognized applications for any user.
  • Web/URL filtering – Users spend increasing time on the web, surfing their favorite sites, clicking on email links, or utilizing a variety of web-based SaaS applications for both personal and business use. While incredibly useful to drive business productivity, this kind of unfettered web activity­ exposes organizations to a range of security and business risks, such as propagation of threats, possible data loss, and potential lack of compliance. With Web/URL filtering, firms enable secure web access and protection from increasingly sophisticated threats, including malware and phishing sites.
  • On-premises and Cloud-based Security

Another important consideration is the deployment flexibility – where and how is the security functionality deployed. A holistic end-to-end solution that encompasses on-premise as well as cloud security—including integration with third-party security vendors – provides maximum flexibility.

  • On-CPE security at each branch, for example, provides flexibility to customize each branch instance to branch-specific security and access policies – internet permissions, user and application based access controls—to meet business requirements.
  • On-CPE hosting of third-party security VNFs such as Palo Alto Networks, Fortinet or CheckPoint provides choice to customers to choose an external third-party security vendor.
  • Cloud hosted security services from ZScaler or Palo Alto Networks.
  • Network Analytics

Extensive network analytics can be used proactively to detect threats and policies can be established to trigger dynamic remedial actions such as service insertion, quarantine a specific application flow, or even block a flow. Network analytics and proactive threat remediation are essential for networks of the near future and only by having full visibility and control across the entire network from a single platform will enterprises be able to scale their security for the future of IoT and the deluge of the next generation of services.

Conclusion

In the Digital Transformation journey of an enterprise IT, deploying a flexible and scalable SD-WAN solution is a given tenet. But without due considerations of built-in and cloud-enabled security, every connected resource is at risk. Likewise, installing the best security solutions without a flexible and scalable SD-WAN, to optimize application performance doesn’t provide the enterprise with the right solutions for flexibility, performance or cost benefits.

To successfully transition enterprise resources to cloud and SaaS computing, an SD-WAN architecture must encompass the best of security, SDN and SD-WAN solution. Nuage Networks, with its pedigree in enterprise DC with its industry-leading SDN solution, carrier-class networking and SD-WAN solutions and end-to-end security is an ideal partner for your secure digital transformation journey.

No Comments

Post a Comment

Comments are moderated and will be published/addressed upon review. Your email address will not be published.

Required fields are marked *