How Secure Are SD-WANs?

Protecting your data in the new wide-area landscape.
Greater agility and lower transport costs throughout your branch-office network are the biggest promises of software-defined WANs (SD-WANs). But what happens to security when you move some of your traffic off your structured, private MPLS VPN and onto public broadband links?

The newly opened broadband routes on the public Internet present greater levels of exposure to malware and hackers than your single-carrier MPLS network. The cost and performance benefits of SD-WAN might not seem worth it if that means becoming burdened with new security woes. What you need is a way to take advantage of SD-WAN technology without falling prey to increased threats. Better still would be a way to achieve that through the assurance of a managed service.

Deployment Musts
Juniper believes that your ability to avoid risk depends on how you deploy your SD-WAN. Different deployment approaches exist because there are no formal standards for SD-WANs. And without standards, there’s no guarantee of the capabilities that your solution will inherently support, including security.

Comprehensive security that includes IPsec transport encryption and next-generation firewalls (NGFWs) with unified threat management (UTM) is one of the top criteria to successfully deploying an SD-WAN—or any Network Functions Virtualization (NFV) implementation. Indeed, a 2017 study conducted by Heavy Reading revealed that communications service providers ranked security service as their number one priority for their customers with NFV.1

Other must-haves include support for all the main routing protocols you might be running across your branch-office network, including MPLS, BGP, and GRE. They should run at scale without compromising stability and availability. Also, be sure to support multiple WAN interfaces, including T1, GbE, and LTE (cellular), to meet your various wide-area needs. And you need application-based policy routing to deliver optimal routing for each class of application with visibility and analytics to support your business. You should also have the benefit of zero-touch provisioning at the branch, with no truck rolls or new boxes required for every new capability you wish to deploy.

You’re likely to find most criteria met in many of the solutions you explore. But the first criterion, security, is a little trickier, so it’s at the heart of our discussion. Ideally, security is a facet addressed through a managed service.

Often, SD-WANs virtualize network infrastructure functions such as routing and firewalls so they can be quickly and easily deployed in software as virtual network functions (VNFs) across a vast, distributed branch office infrastructure when they’re needed. From there, SD-WANs load-balance traffic dynamically at each site among different link types, such as MPLS, public Internet, and high-speed cellular links. Optimal routing policies are provisioned by a centralized controller function. You can pretty well expect these functions—virtualized routing and optimized route selection—to be in any SD-WAN solution you choose.

Many organizations are turning to SD-WAN to offload Internet traffic from MPLS so they can use less-expensive broadband services for direct branch-to-cloud and branch-to-Internet connectivity. Traditionally, most businesses have relied on higher-cost MPLS VPN connections to funnel all traffic back to a central site, such as a corporate data center, to apply security policies and safeguards. From there, the MPLS network forwards the traffic on to its intended destination. With so much branch traffic now headed to the cloud and the Internet, though, it’s faster and more efficient to send it directly to these destinations, and broadband services do the job more cost-effectively.

But now that your traffic no longer passes through a centralized location for security filtering and policy enforcement, it is protected only if holistic security procedures are in place at each SD-WAN location. That requires knowing what features your SD-WAN solution supports, and filling in any security gaps that might exist.

IPsec Alone Is Not Enough
Most SD-WAN implementations offer a way to encrypt your branch-to-branch corporate traffic using IPsec, which protects the data in transit. Because most SD-WAN vendors offer IPsec, it’s common thinking that SD-WANs are inherently secure. It’s true that IPsec handles protecting the data as it traverses the network. But it has no impact on break-ins and malware for direct branch-to-cloud traffic.

In addition, without standards for how IPsec encryption gets deployed in the SD-WAN, what’s required to get it up and running will vary. In some cases, for example, you need to deploy additional devices at the branch-office premises and at the cloud head-end to create an IPsec VPN overlay. That, of course, requires additional infrastructure and separate management tools.

In cases involving managed services from a service provider, the software for SD-WAN and IPsec are deployed together in a single VNF instance, taking advantage of existing IPsec infrastructure, with no administrative overhead required to turn encryption on over the SD-WAN.

As long as you have IPsec running properly to protect data in transit, your data is effectively secure. But you might want to consider any necessary additional deployment and infrastructure requirements as you design your SD-WAN. Those aspects should be figured into your total cost of ownership (TCO). Also, it’s possible that if your IPsec deployment is not automated, human errors could diminish the protection level of your IPsec VPN.

Juniper recommends coupling SD-WAN and IPsec into a fully integrated solution through a managed service provider. Because this approach is the simplest to deploy and manage, it also has the distinction of being the most secure.

Network Firewalling and UTM
By removing the centralized location for running all corporate security, you’ve removed the other areas of security needed to provide holistic security. Those areas protect against break-ins, man-in-the-middle attacks, and malware that can cause denial of service or data theft.

For example, you still need stateful firewall capabilities between the public Internet and your WAN edge device to grant or deny access. Most NGFWs also incorporate a variety of UTM functions, including intrusion detection and prevention (IDS/IPS), quarantining or otherwise deflecting detected malware, and web filtering, which knows about risky Internet sites and prevents your users from visiting them. Since every branch constitutes a WAN edge with exposure to the Internet, you need all these capabilities at each one.

This is an area where we think SD-WAN has the potential to radically alter the complexity of a branch network. While it’s always an option to deploy specific appliances for each of the network security functions described at your many distributed branch sites, it’s more economical to deploy a generic SD-WAN “box” upon which you can load VNFs for each of these functions or even a NGFW VNF instance that contains them all. If your SD-WAN vendor offers such a solution, you can procure and operate the needed security VNF(s) there. VNFs are also becoming available from third-party security vendors that don’t offer SD-WAN software per se.

Juniper also believes that having a choice in VNF supplier is important, a freedom that requires an open SD-WAN platform. With an open platform, you can choose the router, NGFW suite of security capabilities, and other VNFs from the vendor you deem best and run them together under one management umbrella.

A lack of standards mandating UTM in SD-WAN software puts your network at risk. Security isn’t optional, and your WAN edge has simply moved from a centralized location to many distributed locations. So when it comes to protecting your network, take nothing for granted. Make sure you get the comprehensive array of security functions you need to mitigate the different types of risks out there. Then determine which method of deploying them is the most economic, simple, and agile.

The simpler, the better, and ultimately that means the most secure.

Learn more about how to develop this solution in the resources for this article.

1 “SD-WAN Implementation & Differentiation Layer Strategies,” Heavy Reading, February 2017.