SD-WAN Security, an introduction
SD-WAN, short for Software-Defined Wide Area Networking, revolutionizes networking by offering a decentralized approach. It provides organizations with a viable alternative to traditional high-latency hub-and-spoke network topologies. In the conventional model, branch office traffic was routed through a centralized data center using dedicated MPLS lines. This setup, efficient in an era where applications were primarily desktop-based or housed in data center servers, faced challenges with the advent of cloud technology.
The rise of cloud applications put significant strain on MPLS circuits and produced inefficient traffic patterns. Every action a remote user took in a cloud application required a roundabout journey: first to the data center, then to the cloud, back through the data center, and finally to the user. The result was increased latency, a poor user experience, and a failure to realize the full potential of cloud applications.
The rapid proliferation of cloud applications and services overloaded MPLS circuits. How?
Because every small action a remote user took in any cloud application forced the following traffic pattern:
First to the data center → then out to the cloud → back through the data center again → finally, out to the user at the end of the trip.
From this it is clear that:
1. The traffic takes a longer path
2. It is a recipe for extreme latency
3. It results in a poor user experience
4. It prevents the organization from maximizing the benefits of its cloud apps
Enter SD-WAN, the solution to these challenges. SD-WAN enables branch offices and remote users to connect directly to the internet when required. Functioning as intelligent software, SD-WAN makes routing decisions based on factors such as priority policies and Quality of Service (QoS) settings, optimizing network links. Unlike traditional hub-and-spoke networks, SD-WAN embraces a mesh topology, utilizing various transport services including MPLS, broadband, and LTE/5G.
While offering enhanced performance and reliability, SD-WAN introduces a shift in security paradigms. The decentralized nature of SD-WAN architecture bypasses the centralized security inspection typical of hub-and-spoke networks. This prompts a reevaluation of security strategies, necessitating considerations for traffic examination, content security policies, and protection against potential threats.
Contrary to common misconceptions, SD-WAN is not inherently secure just because it encrypts traffic. Encryption protects traffic in transit, but it does not inspect what that traffic carries, so on its own it is not sufficient. To bolster security, additional measures such as inspection, filtering, and the use of IPsec, VPN tunnels, and next-generation firewalls (NGFWs) are essential. Granular visibility into the network is crucial for effective security policies.
NGFWs play a pivotal role in SD-WAN security, offering virtualized functionalities such as application awareness, intrusion detection and prevention, web content filtering, malware detection, and antivirus protection. Deployed both on-premises and in the cloud, NGFWs enhance security measures in the evolving landscape of SD-WAN.
Microsegmentation, another vital aspect, involves creating virtual networks within SD-WAN’s overlay. This practice segregates the traffic of different applications, which improves both security policy enforcement and quality of service. Microsegmentation operates at a granular level, down to individual workloads, restricting the paths an attacker could use to move between them.
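The policy-driven path selection described above (per-application priorities, QoS thresholds and a choice of MPLS, broadband or LTE transports) combined with a microsegmentation check and mandatory inspection of direct internet breakout, as an added example that is not code from the page or from any SD-WAN vendor. The segment names, application policies and link measurements are constructed for illustration.

```python
# Added illustration of SD-WAN policy-based path selection with microsegmentation.
# All segment names, app policies and link figures are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    app: str          # application the traffic belongs to
    src_segment: str  # overlay segment the source sits in
    dst_segment: str  # "internet", "dc" or another overlay segment

# Microsegmentation: which overlay segments may reach which destinations (default deny).
SEGMENT_ALLOW = {
    "corp": {"corp", "dc", "internet"},
    "guest": {"internet"},
    "iot": {"dc"},
}

# Application policy: preferred transports in order, and the latency each app tolerates.
APP_POLICY = {
    "voip": {"prefer": ["mpls", "broadband", "lte"], "max_latency_ms": 100},
    "saas": {"prefer": ["broadband", "lte", "mpls"], "max_latency_ms": 250},
    "backup": {"prefer": ["mpls", "broadband"], "max_latency_ms": 1000},
}
DEFAULT_POLICY = {"prefer": ["mpls", "broadband", "lte"], "max_latency_ms": 500}

def segment_allowed(flow: Flow) -> bool:
    """Microsegmentation check: may the source segment reach the destination?"""
    return flow.dst_segment in SEGMENT_ALLOW.get(flow.src_segment, set())

def select_path(flow: Flow, links: dict) -> dict:
    """Forwarding decision for a flow given current link measurements.

    links maps transport name -> {"up": bool, "latency_ms": int}.
    The first preferred transport that is up and within the app's latency
    budget wins. Traffic leaving the overlay for the internet is flagged for
    NGFW inspection, because direct breakout bypasses the data-center
    inspection point that hub-and-spoke designs relied on.
    """
    if not segment_allowed(flow):
        return {"action": "deny", "reason": "segment policy"}
    policy = APP_POLICY.get(flow.app, DEFAULT_POLICY)
    for transport in policy["prefer"]:
        state = links.get(transport)
        if state and state["up"] and state["latency_ms"] <= policy["max_latency_ms"]:
            return {"action": "forward", "transport": transport,
                    "inspect": flow.dst_segment == "internet"}
    return {"action": "deny", "reason": "no transport meets the app's latency budget"}
```

Failing over a voice flow from MPLS to broadband when the MPLS link drops, and denying a guest-to-corp flow regardless of link health, are the two behaviours worth trying first.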
In conclusion, a robust security strategy for SD-WAN involves a combination of IPsec, VPNs, NGFWs, and microsegmentation, tailored to the specific visibility and control requirements of the organization.
References: Cisco, Cybersecurity Prism