When looking to upgrade their WAN infrastructure, many organizations are tempted by the benefits provided by software-defined wide area networking, as SD-WAN can help to dramatically decrease the cost of WAN compared to multiprotocol label switching (MPLS). When purchasing an SD-WAN appliance, the only thing that is guaranteed across the board is networking functionality; however, this is only half of the puzzle. When shopping for an SD-WAN solution, it is vital to also consider SD-WAN security.
Challenges of WAN Security
Historically, organizations have had two choices when it comes to WAN infrastructure: MPLS and appliance-based SD-WAN. Both of these networking solutions have their pros and cons, but either of them can be a viable option for an organization’s WAN infrastructure.
However, just because a solution provides the functionality needed to build an organization’s network does not mean that it can secure it. Appliance-based SD-WAN is slightly better than MPLS since SD-WAN appliances can include built-in encryption; beyond that, however, both solutions may lack any built-in security features. Any security protections that an organization wishes to deploy on their WAN, such as a next-generation firewall (NGFW), require deploying, configuring, and monitoring additional, standalone appliances.
Solving Security Challenges Through Integration
Deploying multiple point security products is a possible solution for an organization wishing to build a WAN using MPLS or appliance-based SD-WAN and add security after the fact. However, the proliferation of point security solutions can make an organization’s network much more complex and difficult to secure.
The average enterprise uses 75 different security products to protect their network, often from a variety of different vendors. Each of these products must be individually purchased, configured, monitored, and maintained. Since many of these appliances will not talk to one another, an organization’s security team must individually monitor each one and manually aggregate data across them to have a holistic view of the state of the network.
Finding the manpower to accomplish this can be a challenge with tight cybersecurity budgets and a global cybersecurity skills shortage of over 4 million. Keeping up with business growth and an evolving threat landscape makes integration of an organization’s networking and security infrastructure a priority.
What to Look for in a Secure SD-WAN Solution
WAN solutions like MPLS and many appliance-based SD-WAN offerings are effective at solving networking problems. However, they do little or nothing to secure the traffic flowing over the infrastructure that they provide. Securing the WAN then requires layering on additional appliances to provide the necessary protections.
Organizations don’t need to settle for this unintegrated network and security infrastructure. SD-WAN solutions are available that provide both networking and security functionality. When evaluating SD-WAN options, it’s important to look for one that has the following features built-in.
- TLS Encryption
Built-in Transport Layer Security (TLS) encryption is essential for any SD-WAN appliance. With SD-WAN, an organization is treating a network that is not under its control as part of its internal network. Built-in TLS encryption ensures that an eavesdropper on that network can neither read nor modify traffic flowing over the WAN infrastructure.
- Firewall as a Service/NGFW
A next-generation firewall is vital to securing any WAN. The role of the NGFW is to perform deep packet inspection of all traffic passing over the WAN infrastructure. This allows the NGFW to limit unauthorized access to the network and to classify traffic from different applications to allow additional security policies or controls to be enforced.
In many cases, an organization will choose to add a standalone NGFW to MPLS or SD-WAN. However, the lack of integration between the devices can force a tradeoff between network performance and security. An SD-WAN with integrated NGFW will be designed to minimize the impact of security functionality upon network performance.
- Intrusion Prevention/Detection System
An intrusion detection system (IDS) or intrusion prevention system (IPS) is designed to identify and respond to potential threats attempting to enter the network. The type of response can range from raising an alert, in the case of an IDS, to taking action to block the malicious traffic, in the case of an IPS.
Integration of an IDS/IPS into the SD-WAN appliance provides similar advantages to NGFW integration. An organization no longer needs to acquire and maintain a separate appliance, and the networking and security infrastructure are designed to work together efficiently. Since an inefficient IPS can have a significant impact on network performance, integrating the two is an important step in minimizing this impact.
- Secure Web Gateway
Many malware attacks originate on the Web. A phishing email may contain a link to a malicious site, or an advertisement may carry embedded malicious code designed to download and run malware on vulnerable computers. A secure web gateway (SWG) is designed to help protect against these types of attacks by identifying and blocking downloads of malicious content to a machine. Using an SD-WAN with an integrated SWG means that an organization doesn’t have to deploy an additional appliance at each branch location to protect against these types of attacks.
- Anti-Malware Engines
Identifying and blocking all types of malware that may be attempting to enter or spread across an organization’s network requires a strong anti-malware engine. Many anti-malware engines rely solely on signature-based detection; however, this is not always effective. Look for an anti-malware solution that combines signature-based and AI-driven malware detection.
Choosing a Secure SD-WAN Solution
A wide variety of SD-WAN offerings are available on the market. When looking for an SD-WAN solution, it is important to consider security as well as networking. Deploying additional security solutions to address gaps in an SD-WAN appliance’s security protections can rapidly drive up the cost of an organization’s WAN.