SD-WAN Security: Your Top Questions Answered

SD-WAN and Security: Facts vs. Fiction
Q&A with Frontier’s Scott Irwin, Senior Director Product Management, SD-WAN

Scott has over 20 years of experience in IT and telecom across companies. He joined Frontier from Nuage Networks, an SDN Division within Nokia, where he operated as a director of business development for North America. Prior to Nuage, Scott led the solution architects over enterprise and carrier networks for US West at IBM. Scott brings a wealth of knowledge in datacenter and cloud virtualization, networking and software-defined environments.

When we talk to IT and business leaders in the professional and financial services industries about SD-WAN, the conversation quickly turns to security. And for good reason. Not only is it a critical component of their network infrastructure, but with all the misconceptions out there, their search for answers often leads to more uncertainty. We sat down with our resident SD-WAN expert, Scott Irwin, to answer the questions we’re hearing from our customers.

Is SD-WAN really secure?
We get this question a lot. While SD-WAN delivers on its promise of performance, control and connectivity, it does place new demands on security. That’s because the more applications you virtualize and host in the cloud, the more your network perimeter expands, which can create points of compromise. But despite those increased demands, SD-WAN is secure because it encrypts traffic through IPsec tunnels between sites, which protects it in transit. This means that whether that traffic is traversing over an MPLS or EVPL connection or out to the public internet, it’s authenticating the sender, receiver and packets to make sure they haven’t been tampered with. Additionally, micro-segmentation can separate traffic coming from different applications or users at a granular level based on network security policy requirements.

Another major benefit of SD-WAN over traditional WAN is the level of visibility it provides into your whole network. SD-WAN gives administrators the oversight necessary to ensure your security protocols are running optimally and that your traffic is coming from trusted sources.

The bottom line here is that security is as important as connectivity in an SD-WAN strategy. Threats are constantly evolving, which is why many of our customers choose to virtualize their network security functions. This way, software updates are installed as needed on existing hardware, adding security while saving both time and money. 

What are the most common mistakes professional service organizations make with their SD-WAN security?
We advise our customers against sacrificing security for upfront cost savings. That’s never going to play out well. Without adequate proxy, decryption and an enforced policy on SSL-encrypted traffic, for example, your security could be weakened enterprise wide.

Another common mistake we see companies make is assuming SD-WAN is a replacement for a full security solution and therefore relying too much on the basics. For example, just because SD-WAN offers automatic updates doesn’t mean you don’t still need to keep your stack current with the latest security patches at scale. More often than not, you will need more protection than a simple, stateful firewall. 

And finally, just because SD-WAN is supposedly “one click” and “zero touch,” it’s not just “one and done.” You need to monitor and maintain the system 24/7/365 to keep up with the highest risks, like securing USB ports and shutting down network access for unauthorized computers. 

In a PwC survey¹, 69% of financial services CEOs reported that they are either somewhat or extremely concerned about cyber threats. What is driving this heightened concern?
Digital disruption is radically changing the landscape of the financial services industry. They’re facing a rising tide of cyber threats as bad actors become more emboldened and their attack methods more sophisticated. These things introduce a new set of risks and challenges that financial firms must consider. For example, partnering with third-party vendors to enable mobile payments through wearable technologies may expose the network in a new way. Other factors include cross-border data exchanges, insecure attack surfaces and perimeter defense, consumer data privacy concerns and device management.

What’s the best way to enhance security?
At a multi-site institution like a bank or credit union, each branch has numerous and varied traffic flows, each with different security needs. On top of that, the entire SD-WAN infrastructure needs to be protected. If an SD-WAN provider doesn’t integrate security up front, they have to add it on after the fact, often with legacy systems that lack the capabilities required for SD-WAN. That ends up being more complicated and expensive at best, and leaving your network exposed at worst.

Are firewalling, encryption and VPN enough to protect against cyber threats with SD-WAN?
No. Firewalling can effectively ward off network intrusion, and encryption and VPN can help secure your connection between sites, but they don’t include identity theft or DDoS prevention, or other critical protections like malware and virus spread. A complete SD-WAN security solution recognizes threats that can get overlooked by stateful access control lists (ACLs), which filter packet flow.

What should I ask SD-WAN providers about their security solutions?
Here are a few of the most important areas to discuss:
  • Stateful ACLs and number of ACLs they can support without compromising network performance
  • Application intelligence for traffic steering and prioritization 
  • Agility to add third-party security solutions with life-cycle management as an option
  • Dynamic routing like BGP to address the automation of distributing subnets to the rest of the organization

What are the best practices for securing network micro-segments in a financial institution?
While SD-WAN can provide for simple ACLs with both network protocols and application signatures, it cannot protect against malware and lateral movement of threats. SD-WAN has its strengths, but security needs to be left to the next-generation players in the market. While security for branch-to-branch connectivity can be handled with on-prem or cloud-based security, or by forcing communication to a centralized security platform, datacenters and private cloud environments need direct on-prem application protection.

What is the best way to manage branch security and coordinate across the network?
Depending on the number of sites, your remote users can manage branch security. But it becomes more difficult to manage, maintain and monitor when you have numerous sites if you don’t have single-pane-of-glass visibility from a central location. That’s where a managed service provider comes in, offering full line of sight into the network from a central location and 24/7/365 proactive monitoring with alert generation.

Are the risks greater in my branches or in the cloud?
Public cloud platforms are pretty good at securing the applications they house. But at your branch locations, you need IT experts to handle routine tasks like maintaining patches and updating signatures. That’s why many customers find that a managed services provider actually saves them money in the long run by providing ongoing monitoring and maintenance without the expense of an IT expert on site at each location.

Is it possible to provide SSL-encrypted traffic inspections without compromising SD-WAN’s speed and performance?
Unfortunately, no. But you can reduce the performance hit by working with an SD-WAN provider who uses offloading like DPDK or SR-IOV technologies. For example, Frontier Managed SD-WAN uses DPDK to increase performance by more than 50% with acceleration enabled.

What are the best practices for encryption, key exchange and key rotation?
The industry standard uses IPsec for encryption with a key rotation frequency using 256-bit encryption.

How does centralizing the network with managed SD-WAN make it more secure?
When you have a full view of current network activity, analytics and performance—along with an application-layer view from a single, centralized location—you can quickly assess traffic patterns and proactively address issues and possible threats. This is true for any organization that requires highly secure, next-generation application encryptions. For example, a financial firm can redirect unrecognized traffic to a centralized IDS/IPS system for additional inspection before allowing it to move forward. That’s why, given the limitations of most SD-WAN security solutions, managed SD-WAN is really the best option for securing your WAN in a comprehensive, meaningful and cost-effective way.

1 PwC’s Global State of Information Security Survey 2016: