Secure SD-WAN

Expanding on SD-WAN and security: the cloud and other factors

Zabrina Doerck
Nov. 6 2020

This blog post is #2 of a four-part series answering the question “What is SD-WAN security?” In our introductory post, we talked about the intrinsic security characteristics of SD-WAN, as a foundation for future discussions around why branch security is best served from the cloud, and why a well-defined security posture is essential for an SD-WAN vendor to be credible. In this second instalment, we expand on those topics.

Last time, we started with references to two big fines recently levied on companies for security breaches – one of £20 million; the other for a whopping $80 million – but we needn’t labor the point with more scare stories, compelling though they are as object lessons in why we should take this subject seriously.

Instead, let’s get straight down to business with specific SD-WAN-related considerations for your security mix in a piece that covers:

  • Questions you should ask when appraising your shadow IT picture;
  • Web security gateways, if you’re looking for an extra layer of security;
  • Different types of firewall; and
  • At the bleeding edge of SD-WAN, service-chaining.

Shadow IT

Let’s start with shadow IT.

While it’s easy to define – applications generating traffic on the corporate WAN without the knowledge and/or approval of corporate IT – it’s much harder to tackle. But trust me, you really need to tackle it.

You might think you know what’s on your network, but most of our customers discover anywhere from 300 to 3,000 unknown applications lurking in the shadows on their WAN when they turn on our monitoring systems.

Our own market research, together with data from Gartner and EMC, shows that the sheer number of unknown apps isn’t the only concern:

  • 71% of employees across the board use unsanctioned apps;
  • In large enterprises, shadow IT accounts for 30 to 40% of technology spending;
  • Fully half of businesses are constrained by their WAN capacity; and
  • Downtime costs as a result of shadow IT amount to an eyewatering annual cost of $1.7 trillion.

Don’t be one of those stats. Imagine all those unsanctioned applications and ask yourself these questions:

  • What resources are they using?
  • Who runs them and what is their purpose? Can you be sure it’s benevolent?
  • How secure are they?
  • What are people using them for?
  • Are they sharing company data in an unauthorized vehicle? What if they’re storing files in a sketchy free cloud storage app?
  • Are they putting the company at risk by using apps that IT hasn’t sanctioned?
  • Are they opening a door for attackers?

Last but certainly not least, shadow IT applications consume bandwidth that your legitimate, business-critical applications need. At best they represent wasted resources for the business, and at worst they represent unacceptable risk.

Wouldn’t it be great if you could know for sure what’s there and get rid of all the stuff you don’t want? SD-WAN – well, some SD-WANs – let you see all the applications on your network that you don’t know about. Don’t even think about buying one without this level of application visibility and control, because this is a MAJOR issue.
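To make the application-visibility point concrete, here is an added example (not Infovista/Ipanema code) of the kind of discovery pass an SD-WAN monitoring feed enables. It assumes per-flow records of the sort an edge with DPI exports (site, client, destination, port, application label, byte count); the field names, the sanctioned-app allowlist and the sample flows are constructed for illustration. It answers the questions above directly: which unsanctioned apps are present, who runs them, from which sites, what they talk to, and how much of the WAN they consume.

```python
"""Shadow-IT discovery from SD-WAN flow records.

Added example, not Infovista/Ipanema code. It assumes the kind of per-flow
export an SD-WAN edge with DPI produces (site, client, destination, port,
application label, byte count); the field names, the sanctioned-app list and
the sample flows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Flow:
    site: str            # branch that originated the flow
    client: str          # client IP inside the branch
    dst: str             # destination host or IP
    dport: int           # destination port
    app: Optional[str]   # DPI application label, None if unrecognised
    nbytes: int          # bytes carried by the flow


# Applications corporate IT has approved (constructed allowlist).
SANCTIONED = {"office365", "salesforce", "corp-erp"}

# Constructed sample export; a real run reads the edge's flow feed instead.
SAMPLE_FLOWS = [
    Flow("paris", "10.1.0.5", "outlook.office365.com", 443, "office365", 5_200_000),
    Flow("paris", "10.1.0.7", "login.salesforce.com", 443, "salesforce", 800_000),
    Flow("paris", "10.1.0.7", "cloud-drive.example", 443, "freedrive", 3_900_000),
    Flow("paris", "10.1.0.9", "cloud-drive.example", 443, "freedrive", 1_100_000),
    Flow("lyon", "10.2.0.3", "erp.corp.internal", 8443, "corp-erp", 2_000_000),
    Flow("lyon", "10.2.0.4", "203.0.113.40", 6881, None, 9_500_000),
    Flow("lyon", "10.2.0.4", "203.0.113.41", 6881, None, 4_000_000),
]


@dataclass
class AppSummary:
    name: str
    total_bytes: int = 0
    clients: Set[str] = field(default_factory=set)       # who runs it
    sites: Set[str] = field(default_factory=set)         # where it runs
    destinations: Set[str] = field(default_factory=set)  # what it talks to


def app_key(flow: Flow) -> str:
    """Group flows by DPI label; unlabelled flows are grouped by destination
    port so that, e.g., a P2P client hitting many peers shows up as one item."""
    return flow.app if flow.app else f"unknown-port-{flow.dport}"


def find_shadow_apps(flows: List[Flow], sanctioned=SANCTIONED) -> List[AppSummary]:
    """Summaries of every application not on the sanctioned list, largest first."""
    acc = {}
    for f in flows:
        key = app_key(f)
        if key in sanctioned:
            continue
        s = acc.setdefault(key, AppSummary(key))
        s.total_bytes += f.nbytes
        s.clients.add(f.client)
        s.sites.add(f.site)
        s.destinations.add(f.dst)
    return sorted(acc.values(), key=lambda s: s.total_bytes, reverse=True)


def shadow_share(flows: List[Flow], sanctioned=SANCTIONED) -> float:
    """Fraction of WAN bytes consumed by unsanctioned applications."""
    total = sum(f.nbytes for f in flows)
    shadow = sum(f.nbytes for f in flows if app_key(f) not in sanctioned)
    return shadow / total if total else 0.0


if __name__ == "__main__":
    for s in find_shadow_apps(SAMPLE_FLOWS):
        print(f"{s.name:20} {s.total_bytes:>12,} B  clients={len(s.clients)} "
              f"sites={sorted(s.sites)} dst={sorted(s.destinations)}")
    print(f"shadow share of WAN bytes: {shadow_share(SAMPLE_FLOWS):.0%}")
```

On the constructed sample the unlabelled port-6881 traffic from a single Lyon client tops the list, ahead of a free cloud-storage app used by two Paris clients, and unsanctioned traffic accounts for roughly 70% of WAN bytes. The grouping of unlabelled flows by destination port is a deliberate choice: a DPI engine that cannot name an application still tells you where the bandwidth goes, and that is usually enough to decide whether to block it or chase the owner.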


Web security gateways

So, what about the WSG in relation to SD-WAN and security?

If you’re looking for the gold standard in branch security, that’s where WSGs come in. ‘WSG’ stands for ‘web security gateway’; the same product category is more commonly called a ‘secure web gateway’ (SWG), which is the term Gartner uses, but this post uses ‘WSG’ throughout.

With a WSG, a network security suite delivered by a security vendor sits between your users and the internet. A WSG inspects web traffic and compares it to your policies, monitoring for malicious or suspicious behavior. A WSG focuses on web traffic (HTTP and HTTPS), although in some deployments all of a site’s internet-bound traffic can be forwarded through it and filtered there.

WSGs have a typical feature set: web app control (HTTPS inspection), URL filtering, DLP, IPS, and malware protection/antivirus, which together provide protection against a broad spectrum of cyber security risks. One practical caveat: HTTPS inspection means the gateway terminates TLS and re-signs server certificates, so every managed endpoint must trust the gateway’s CA, applications that pin certificates will break unless exempted, and you should decide up front which categories (banking, health) are bypassed for privacy or compliance reasons. What’s more, you can pile on any additional security layers you want by ‘service-chaining’ (more on this below) with other cloud-based technology vendors, cloud service-chaining being the practice of taking a whole bunch of cloud-based network services and ‘integrating’ them into your network solution. (We’ll discuss the distinction between cloud-based service chaining and Network Function Virtualization (NFV) in a future post.)

Speaking of the cloud, I want to emphasize the importance of cloud delivery here. Many solutions out there deliver security as a single on-premises service. On-prem security defeats the purpose of SD-WAN for a variety of reasons. Look at the datasheet for almost any on-premises security appliance and you’ll find that the quoted throughput drops once inspection features (IPS, TLS decryption, antivirus) are switched on. On-prem security solutions (e.g. Next Gen Firewall (NGFW) – more on this in a minute) not only degrade application performance, they also depend on a signature and firmware update cycle that you have to manage, rather than the continuous updates a cloud-based security service can deliver. So you can’t be sure you always have the latest and most robust protection against security threats.

Firewalls, SD-WAN and security

There’s a wealth of technology services designed to improve your security. Beyond the intrinsic security aspects of SD-WAN, there are many additional security capabilities, not least of all, firewalls. Let’s take a look at three key types of firewall.

Zone-based firewalls

A zone-based firewall is one that centralizes and automates security. But didn’t I say that SD-WAN in general is already centralized and automated? Indeed I did, but a zone-based firewall:

  • Applies security policies at a highly granular and regimented level;
  • Is application-aware; and
  • Can also integrate with your WSG. In other words, some application traffic goes through your firewall while some goes through your WSG.

Furthermore, a good ZBF can do all this at the session level, and:

  • Lets you apply permissions based on topology and application-driven zones;
  • By default, denies all traffic trying to use DTI (direct-to-internet breakout) unless specified as an exception with application-aware granularity. We call this a ‘zero trust’ policy; strictly speaking it is a default-deny policy, which is a necessary ingredient of zero trust but not the whole of it; and
  • Can backhaul selected traffic via the data center if the network team determines that it needs filtering by the main Internet-edge firewalls.

Another big advantage of ZBF is that it delivers policy-based topology isolation without the burden of network segmentation. (Wait, what?) Topology isolation is what an enterprise wants when it needs to separate parts of the business on the network. For instance, let’s say we don’t want traffic from Marketing to cross paths with Accounting. Segmenting the network the traditional way requires a lot of configuration, as IT must create separate VLANs and multiple routing tables (VRFs) and keep them consistent at every site. With ZBF the network can be segmented via policy, avoiding excessive and painstaking configuration. The caveat is that policy-based isolation is only as good as its enforcement point: it holds where every inter-zone path traverses the firewall, so a direct Layer 2 path between two zones that bypasses the edge would still need conventional segmentation.
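The following is an added example, not Infovista/Ipanema code, showing what the zone-based behaviour described above looks like as policy logic at a branch edge. The zone names, subnets, application labels and rules are constructed for illustration. It derives zones from topology (address prefixes) rather than from routing tables, denies direct-to-internet (DTI) sessions by default with application-aware exceptions, backhauls one zone’s web traffic to the data center, isolates Marketing from Accounting by policy, and evaluates once per session rather than per packet.

```python
"""Zone-based policy evaluation at an SD-WAN branch edge.

Added example, not Infovista/Ipanema code. The zone names, subnets, application
labels and rules are constructed to illustrate the behaviour described above:
zones derived from topology and application, default-deny for direct-to-internet
(DTI) sessions with application-aware exceptions, a backhaul-to-data-center
action, and evaluation once per session rather than per packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALLOW, DENY, BACKHAUL = "allow", "deny", "backhaul-to-dc"
INTERNET = "internet"  # implicit zone for any address not in ZONES

# Topology zones as sets of prefixes (constructed). No VRF or extra routing
# table is needed; the edge classifies each session by source/destination zone.
ZONES = {
    "marketing": [ipaddress.ip_network("10.1.0.0/24")],
    "accounting": [ipaddress.ip_network("10.1.1.0/24")],
    "datacenter": [ipaddress.ip_network("10.100.0.0/16")],
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, prefixes in ZONES.items():
        if any(addr in p for p in prefixes):
            return name
    return INTERNET


@dataclass(frozen=True)
class Rule:
    src: str     # source zone or "*"
    dst: str     # destination zone or "*"
    app: str     # application label or "*"
    action: str
    note: str = ""


# Ordered rule set, first match wins; anything unmatched falls to DEFAULT.
POLICY: List[Rule] = [
    Rule("marketing", INTERNET, "office365", ALLOW, "DTI exception for sanctioned SaaS"),
    Rule("*", INTERNET, "salesforce", ALLOW, "DTI exception for sanctioned SaaS"),
    Rule("accounting", INTERNET, "*", BACKHAUL, "finance web traffic filtered at DC edge"),
    Rule("*", "datacenter", "corp-erp", ALLOW, "ERP reachable from every branch"),
    Rule("marketing", "accounting", "*", DENY, "topology isolation"),
    Rule("accounting", "marketing", "*", DENY, "topology isolation"),
]
DEFAULT = Rule("*", "*", "*", DENY, "default deny (covers all unlisted DTI apps)")


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def evaluate(src_ip: str, dst_ip: str, app: str) -> Tuple[str, Rule]:
    """Verdict for a new session from src_ip to dst_ip carrying application app."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if _match(rule.src, src_zone) and _match(rule.dst, dst_zone) and _match(rule.app, app):
            return rule.action, rule
    return DEFAULT.action, DEFAULT


class SessionTable:
    """Evaluate policy once per 5-tuple and reuse the verdict for later packets.
    A real edge only learns the app label after DPI sees the first packets and
    re-evaluates when the label changes; this table keeps that part simple."""

    def __init__(self) -> None:
        self._verdicts: Dict[tuple, str] = {}

    def verdict(self, src_ip, dst_ip, sport, dport, proto, app) -> str:
        key = (src_ip, dst_ip, sport, dport, proto)
        if key not in self._verdicts:
            self._verdicts[key] = evaluate(src_ip, dst_ip, app)[0]
        return self._verdicts[key]

    def __len__(self) -> int:
        return len(self._verdicts)


if __name__ == "__main__":
    for src, dst, app in [("10.1.0.10", "52.96.0.1", "office365"),
                          ("10.1.0.10", "52.96.0.1", "freedrive"),
                          ("10.1.1.10", "198.51.100.7", "freedrive"),
                          ("10.1.0.10", "10.1.1.20", "smb"),
                          ("10.1.1.10", "10.100.5.5", "ssh")]:
        action, rule = evaluate(src, dst, app)
        print(f"{zone_of(src):>10} -> {zone_of(dst):<10} {app:<10} {action:<15} ({rule.note})")
```

Note the ordering: the sanctioned-SaaS exceptions sit above the Accounting backhaul rule, so Salesforce from Accounting breaks out directly while everything else from that zone goes via the data center, and an unlisted app from Marketing to the internet hits the default deny. Rule order is the whole policy here, so it is worth reviewing with the same care as a routing table.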

I could go on and get into some seriously technical details about how we’ve approached ZBF, but I will save that for a future date. Long story short, ZBF is all about automating and centralizing security, while maintaining a minimal attack surface. In our own ‘security posture’ documentation for Ipanema SD-WAN, we state in relation to the “attack surface and potential exposure” that:

“One of the top design concepts of Ipanema SD-WAN is to reduce the attack surface by minimizing the exposed interfaces and processes as well as keeping a minimal set of critical data stored on public facing network elements; more sensitive data are kept and processed inside trusted zones secured by cloud-grade firewalls.”

When considering your zone-based firewall needs, adopting a similar approach is a must.

Next-generation firewalls

Some SD-WAN vendors provide next-generation firewalls (NGFW) instead of integrating with WSG partners.

A next-generation firewall is, as Gartner defines it, a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall”.

The advent of NGFWs led to firewalls being able to recognize applications for the first time. This was revolutionary. However, NGFWs have limitations compared to cloud-delivered security, predominantly because they are delivered through on-premises hardware.

At Infovista, we prefer cloud-delivered security for a number of reasons, some of which we addressed in the WSG section. We covered the deficiencies with respect to network performance. And we talked about how on-premises security will not always deliver the most current capabilities (remember with cloud security you have real-time updates).

Delivering security from an appliance significantly limits scalability. Deploying new hardware takes time. An appliance-based NGFW also means the business has separate interfaces for managing its network and its security. Meanwhile, cloud security lets the business manage it all from a single pane of glass. This is not to mention the broad spectrum of cloud-based security capabilities, including:

  • Per-site cloud-based network threat prevention, which minimizes the threat to the wide attack surface resulting from a geographically distributed Internet breakout environment;
  • Outbound network firewall, DTI, app control;
  • WSG interoperability: Web App Control (https inspection) URL filtering, DLP, IPS and malware protection/antivirus;
  • Sandboxing (threat simulation);
  • Automated provisioning of the CloudSec tunnel topology through the orchestrator; and
  • Automated selection of the closest CloudSec PoP (point of presence) and secondary PoP for high availability purposes.

Admittedly, that went into a bit more technical detail than I originally intended, but let me summarize it as this:

Delivering cloud-based security with a global security leader means you have ‘cloud-grade’ security – that is, security technologies custom-built for cloud environments. Cloud delivery also gives access to an extremely robust security toolkit, with versions updated as soon as they are released and without the latency of diverting traffic through a hardware appliance by policy-based routing – in other words, security will never be an obstacle to a seamless user experience.

Firewall as a service – NGFW in the cloud

Firewall as a service – or FWaaS – is an emerging, cloud-based type of firewall. Offering advanced NGFW capabilities – including access controls, advanced threat prevention and DNS security – FWaaS is all about helping companies eliminate firewall appliances from their IT infrastructure and data centers, for all the reasons I’ve described in the WSG and NGFW sections.

At its heart, it’s about simplification, so it’s very much a technology to watch.

Cloud service-chaining

I promised we’d return to cloud service-chaining, and it’s a hot new trend, right at the bleeding edge of SD-WAN.

Cloud service-chaining basically refers to the integration of cloud-based services into your network solution. As we’ve addressed, CloudSec capabilities are broad, ensuring that you’ll always have the latest in cyber security technology built directly into your SD-WAN. This brings the customer the benefit of a single pane of glass for SD-WAN and advanced security. (Importantly, the MSP, reseller and VAD also get this benefit.) And it can scale with the business.

The most enterprising vendors are partnering with cloud security experts to integrate their solutions directly into the fabric of their product. This makes it unnecessary and, in fact, unwise to seek SD-WAN from a security vendor who whipped it up as an afterthought. For example, a certain security company (mentioning no names) recently entered the market ‘selling’ ‘SD-WAN’. And by ‘selling,’ we mean ‘giving it away for free’. And by ‘SD-WAN,’ we mean ‘barely SD-WAN’. I won’t bore you with a monologue about its deficiencies right now; for me, the biggest problem is that security should be layered on top of SD-WAN, not the other way around. The idea should be to establish connectivity and then secure it. With a security-first approach, you’re jeopardizing application performance and defeating the purpose of SD-WAN.

So, beware. Security has always been important, but in the past couple of years it has taken center stage and beaten application performance and cost control as the number one purchase trigger for SD-WAN adoption. This can lead a business to compromise the latter two, but it doesn’t have to be that way.

In later instalments in this short series of blog posts, we’ll look at remote workers and securing the extended edge, and how everything we’ve talked about so far comes together into an elegant edge-centric approach to networking. So, look out for that! (And don’t forget the introductory blog post in this series on SD-WAN and security, if you haven’t already read it.) You can also download the eBook, which combines Parts 1 and 2 of this series.

Read about Ipanema SD-WAN.