A key component of SD-WAN is its ability to secure unreliable Internet links and identify anomalous traffic flows.
SD-WAN technology providers are continuing to increase their native security features and to create robust ecosystems of network-security partners.
IT managers should consider their branch network security requirements and carefully evaluate the security capabilities of leading SD-WAN providers, including their native security features and their partnerships with network security providers.
Branch network security threats
Network security is a constant concern for IT professionals, and surveys indicate the problem is getting worse. Security at the branch is a challenge due to the increased number of devices, including PCs, tablets, phones, point of sale devices, and IoT end points, that are attached to the branch network. All of these endpoints provide new opportunities for malware to infect the corporate network and for hackers to access important data. Branch security concerns are exacerbated by the lack of trained IT/security staff at remote locations and the complexity of managing multiple security appliances including IP VPNs, IDS/IPS, and firewalls.
An additional challenge for branch security is the requirement to coordinate security efforts across the entire network. Security systems at the branch need to talk to endpoint security products and campus/data center network security systems. Traffic at the branch should be inspected, and any suspect traffic flagged there can then be analyzed by centralized or cloud-based security systems. Ideally, branch security systems will become fully automated and employ cloud-based intelligence.
SD-WAN security capabilities
The SD-WAN market is highly competitive with several dozen suppliers. A key selling factor for SD-WAN is its ability to enable organizations to leverage low-cost Internet circuits as secure business-class links. Network security is a key differentiating factor in SD-WAN technology, and each supplier has its own unique methods for securing traffic flows and identifying “safe” sites.
Almost all SD-WAN providers now offer basic firewall capabilities as a standard product feature. They employ packet identification to understand traffic flows. For example, is the traffic going to or coming from a trusted location or cloud-based service? Additional features include content filtering, endpoint identification and management, and policy-enforcement capabilities.
SD-WAN suppliers are actively courting leading network security suppliers – Palo Alto, Z-Scaler, CheckPoint, and Fortinet among them – to integrate their SD-WAN technology with next-generation firewall and UTM functionality. This integration between SD-WAN and best-in-breed network-security suppliers needs to be streamlined to guarantee high performance and low latency, because traffic handoffs between applications can add latency. The goal is to provide granular traffic inspection and effectively whitelist cloud sites so that critical traffic flows and applications can be securely prioritized.
Examples of SD-WAN security features
Aruba ClearPass Policy Manager provides user, device, application and WAN context for consistent policy enforcement across its SD-WAN solution. Its role-based enforcement, device profiling and access controls enable IT organizations to centrally enforce LAN and WAN security policies across branch locations. This simplifies how policies are applied across different layers of the network and reduces the need for manual configurations.
Riverbed’s SteelConnect supports a native perimeter firewall, network address translation and policy-based network zoning that helps to mitigate network intrusion and limits further propagation of threats. It automatically forms secure IPsec VPN tunnels with AES-256 encryption between sites and offers deep-packet inspection for encrypted applications such as SSL/HTTPS. SteelConnect Manager provides centralized management and visibility that allows IT to specify application-based security and traffic path.
Talari Networks’ Failsafe SD-WAN offloads Internet traffic at the branch using its integrated firewall, so traffic to trusted URLs can automatically be sent directly to the Internet rather than backhauled. Talari supports RADIUS authentication for management access to its edge appliances, and packets are encrypted by default.
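To make the branch-edge decisions described above concrete (identifying whether a flow heads to a trusted location, offloading trusted-URL traffic locally, and policy-based zoning between branch segments), here is a simplified policy engine added as an illustration; it is not any vendor's code, and the zone names, hostnames and address ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allow-list of trusted SaaS destinations: hostname suffixes seen via TLS SNI, plus a documentation net.
TRUSTED_HOSTS = ("office.example-saas.com", "crm.example-saas.com")   # hypothetical names
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]                # TEST-NET-3, constructed

# Policy-based zoning: which branch zones may talk to which enterprise zones over the site-to-site tunnel.
ZONES = {"corp": ipaddress.ip_network("10.10.0.0/16"),
         "iot": ipaddress.ip_network("10.20.0.0/16"),
         "pos": ipaddress.ip_network("10.30.0.0/16")}
ALLOWED_ZONE_PAIRS = {("corp", "corp"), ("corp", "pos")}   # IoT devices may reach only the Internet

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    sni: str = ""   # TLS server name extracted by deep-packet inspection, empty if none

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def is_trusted(flow):
    if flow.sni and any(flow.sni == h or flow.sni.endswith("." + h) for h in TRUSTED_HOSTS):
        return True
    return any(ipaddress.ip_address(flow.dst) in net for net in TRUSTED_NETS)

def decide(flow):
    """Return (action, reason). DIRECT = local Internet breakout, TUNNEL = IPsec to hub, DROP = blocked."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "internet":
        return "DROP", "unsolicited inbound flow blocked by the perimeter firewall"
    if dst_zone != "internet":
        if (src_zone, dst_zone) in ALLOWED_ZONE_PAIRS:
            return "TUNNEL", "intra-enterprise traffic rides the site-to-site IPsec tunnel"
        return "DROP", f"zone policy denies {src_zone} -> {dst_zone}"
    if is_trusted(flow) and flow.dport == 443:
        return "DIRECT", "trusted SaaS destination, offloaded at the branch"
    # Anything else is backhauled so the hub or cloud security stack can inspect it and flag anomalies.
    return "TUNNEL", "unknown destination, sent to central inspection"
```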
Examples of SD-WAN security ecosystems
A critical aspect of SD-WAN security is whether SD-WAN platforms integrate and interoperate with leading network security products, including advanced firewalls, UTM, secure web gateways and cloud-based network security. Here are some examples of security ecosystems created by selected SD-WAN suppliers.
Cisco SD-WAN (Viptela): Cisco Security solutions (various), Bluecoat, Palo Alto, Z-Scaler
Cloud Genix: Palo Alto, Symantec, Z-Scaler
Cradlepoint: Cisco, Trend Micro, Webroot, Z-Scaler
Silver Peak: Check Point, Fortinet, Palo Alto, Z-Scaler
VMware (VeloCloud): Check Point, Palo Alto, Symantec, Z-Scaler
(Disclosure: Aruba, Cisco, Cloud Genix, Cradlepoint, Riverbed, Silver Peak, Talari, and VMware are clients of Doyle Research.)
SD-Branch is defined as having SD-WAN, routing, network security and LAN/Wi-Fi functions all in one platform with integrated, centralized management. The advantage of SD-Branch is that it consolidates multiple software/appliance modules from multiple vendors into one platform to make it easier to deploy and use. Many SD-WAN suppliers have or will soon introduce SD-Branch solutions.
Recommendations for IT managers
SD-WAN is a powerful technology for connecting distributed organizations, and security is a critical point of supplier differentiation. Each supplier has proprietary code for its native security capabilities. Customers should evaluate SD-WAN technologies based on both their native security capabilities at the branch and in the cloud, and on their ability to build a broad network-security ecosystem.
Suppliers also need to further broaden and deepen their integration with a wide range of popular network-security products via their partner ecosystems.
IT managers should evaluate SD-WAN security on its ability to easily enhance and integrate with their specific security environment and incumbent suppliers.