Story image

The security challenges of SD-WAN - and how to defend against them

19 Apr 18

The primary job of the WAN is connecting distributed users to the applications they need to their jobs.

However, applications have changed significantly over the past handful of years and this is why Silver Peak says in its recent report that software-defined wide area networks (SD-WAN) are a much better fit than traditional router-centric WANs - particularly for businesses pursuing a cloud-first strategy for application delivery.

An example of this is the fact that the majority of applications are no longer hosted in a regional/centralised corporate data centre, with the percentage dwindling as modern organisations continue to embrace the cloud in general and SaaS applications in particular.

Higher quality demands from modern applications, the Internet of Things (IoT) and big data apps which are stretching the boundaries in terms of the growing volume of data today’s WAN must be able to handle.

Silver Peak says the impact of these changes to the application landscape is that the enterprise WAN needs to change too. For example, traditional, private line connectivity options (such as multi-protocol label switching, or MPLS) and routing practices – backhauling, in particular – are clearly a poor match for cloud-apps, burgeoning amounts of internet traffic, and peer-to-peer interactions.

Some of the key shortcomings include the high cost of such network services and architectures, the negative impact they have on performance as well as the fact they are too rigid.

SD-WAN in comparison enables enterprises to leverage multiple types of network connectivity - including broadband internet services - when connecting users to applications. However, this brings in another problem and that is the number of security challenges and issues that are introduced by or associated with SD-WAN.

The use of broadband internet as a low-cost connectivity options is core to the SD-WAN value proposition, however, Silver Peak says the fact that broadband is ‘public’ and not ‘private’ means there is a need to ensure the confidentiality and integrity of application traversing such connections.

And of course, inline deployment of SD-WAN devices places them ‘in the line of fire’ so to speak – at least compared to the scenario where a traditional WAN optimiser is implemented in an out-of-path configuration.

Silver Peak uses the example of internet breakout, essential for enhancing performance and reducing the bandwidth (i.e. dollars) needed for backhauling - but also able to expose branch users and their local networks directly to the internet and its myriad threats.

This brings about the need to limit outbound destinations, block unwanted/unsolicited inbound traffic and filter allowed/expected traffic for threats. However, not all web applications are created equal, and some web traffic can expose the enterprise to viruses, trojans, DDoS attacks and other vulnerabilities.

“To implement such a policy, web traffic must be steered granularly to its correct destination. This requires identifying the application on the first packet because once an application session has been established, it cannot be redirected to an alternate destination without breaking the flow resulting in application disruption,” Silver Peak states.

“And because IP address ranges utilised by SaaS applications change almost continuously, address table updates must be automated and implemented on a daily basis.”

There are a number of other areas areas where security is applicable to the success of an SD-WAN implementation including:

  • Enabling applications with different security requirements to share the same physical connectivity
  • Enabling faster deployment and more efficient management – for example, with secure, automated provisioning of SD-WAN devices, automated security policy enforcement, and a secure management plane
  • Enabling consistent enforcement of an application’s specific security policies regardless of where that application is located, or accessed from

So how can a business benefit from implementing SD-WAN without exposing themselves to the risks? Silver Peak EdgeConnect is the answer.

The industry’s most complete SD-WAN solution, EdgeConnect provides enterprises with the flexibility to use any combination of transport technologies to connect users to applications – including public broadband services – without compromising application performance or security.

Click here to read the full report on the benefits of SD-WAN, potential security challenges and how to fortify against them with EdgeConnect.

Tensions on the rise after Huawei CFO arrest
“Recently our corporate CFO, Meng Wanzhou, was provisionally detained by the Canadian authorities on behalf of the United States of America."
Palo Alto Networks integrates RedLock and VM-Series with AWS Security Hub
AWS Security Hub is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status.
Juniper simplifies data integration to improve threat detection
Updates to the Juniper Advanced Threat Prevention Appliances leverage third-party firewalls and security data sources.
Is mobile shopping compromising your enterprise security?
When employees do their holiday shopping on company resources, security teams have a challenge with the surge in browsing and online transactions.
Different approach to malware detection needed – VMware
Security needs to move away from the traditional approach of chasing after arbitrary forms of malware.
Modernising ERP systems can help organisations comply with GDPR
“Organisations need to look for modern ERP systems that are specifically designed with GDPR in mind."
APRA Prudential Standard CPS 234: How to communicate with the board
The Australian Prudential Regulation Authority’s standard, CPS 234, is aimed at minimising the threat of cyber attacks for APRA-regulated entities.
Cyber attacks develop complexity, target Windows sysad tools - report
The report explores changes in the threat landscape over the past year, uncovering trends and how they are expected to impact cybersecurity in 2019.