SD-WAN cloud security

On-prem is dead. Long live SD-WAN cloud security!

Zabrina Doerck
Dec. 4 2020

In case you missed it, recently a couple of major SD-WAN vendors (notably both featured on the Gartner Magic Quadrant, ahem) experienced some major issues in their orchestration that affected a large portion of their customer base, exposing those businesses to security risks, as well as forcing the customers to implement the bug fixes themselves.

These events not only underscore the limitations of on-premises orchestration, but also demonstrate the superiority of a cloud-based approach to both security and orchestration. As enterprise adoption of multi-cloud infrastructures increases amidst the market disruption of Covid19, the challenges of the newly remote workforce, and the corresponding acceleration of digital transformation, cloud delivery is going to come in clutch.

But what of SD-WAN security and the cloud?

SD-WAN cloud security is a big topic, and in the first three parts of a four-part series we asked what secure SD-WAN is, we expanded into a more detailed discussion on the cloud and we gave the lowdown on Extended Edge security, focusing on web security gateways (WSG).

In this fourth and final part, we conclude our quest to cover the great many factors you should consider when seeking to secure the enterprise SD-WAN, including and especially related to the advantages of cloud-delivery, and the benefits of Web Secure Gateways (WSG).

In this post, we will:

  • Define many of the remaining aspects of SD-WAN security you should be aware of;
  • Expand on firewalls as a software service (FWaaS), which we touched on in Part 3.

Let’s start by diving straight into some crucial definitions, the many components of WSGs within the context of SD-WAN.

Definitions for elements of the WSG suite


Pronounced ‘dee-doss’, DDoS is a 'distributed denial of service' attack, something that is executed against websites and networks of selected victims. The attackers use multiple systems to flood the bandwidth or resources of the targeted system – usually one or more website – causing it to crash or be unavailable.

It usually can’t be traced to a single source because the traffic comes from many sources.

Anti-DDoS is a set of techniques for mitigating the impact of a DDoS attack by limiting the potential for the website to be flooded using threat detection, alerting, filtering, deep packet inspection (DPI), rate limiting, blacklisting and the like.

It’s important to note that successful DDoS protection is pretty much only achievable through cloud-delivered security. Due to limitations of firewall hardware performance and Internet uplink capacity, on-prem/onsite anti-DDoS technology is not effective. The ideal techniques are tied to actual Internet routing table management.

Application-level control

Application-level control is a security practice that blocks or restricts applications from executing in ways that put data at risk. It can detect patterns in the Layer 7 application stream to prevent protocol fuzzing, a technique where hackers send large amounts of invalid data to detect security vulnerabilities.

Data leakage/loss prevention (DLP)

DLP is software that detects potential data breaches or data ex-filtration transmissions, and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest.


We mentioned firewalls last time. We’ll also talk more about them below. But first, a quick definition: a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls typically establish a barrier between a

trusted network and an untrusted network, such as the internet.

Identity awareness

Identity awareness in a WSG enables you to monitor traffic while giving you insight into user and computer identities. It lets you enforce access and audit data based on identity. It also maps users and

computer identities, allowing for access to be granted or denied based on identity.

Intrusion prevention system

An IPS is network security technology that examines network traffic flows to detect and prevent vulnerability exploits.

URL filtering

URL filtering helps businesses control their users’ and guests’ ability to access certain content on the web. It may also be used to stop employees from going to phishing pages, or sites that have sketchy security certificates (be honest, I bet this has happened to you).

Virtual firewalls on public or private cloud

These are virtual network security devices deployed in the cloud. Virtual private cloud is an on-demand configurable pool of computing resources allocated within a public cloud environment. For a public cloud-delivered WSG, a cloud subscription (e.g. Azure, AWS or GCP) is treated as a site, and traffic can be filtered as such.

Virtual private network (VPN)

A VPN extends a private network across a public network and enables users to send and receive data across shared or public networks as if their devices were directly connected to the private network.

Virus/malware code detection

This is software that checks for the presence of a virus or malware signature in a given program. Commercial anti-virus products maintain large databases of these signatures and scan every file for signatures of viruses and worms that they know of.

Security guard

Firewalls and FWaaS, and SD-WAN cloud security

So there’s obviously a whole lot that a WSG can do, and you can probably now see why for our SD-WAN solution we prefer to partner with a WSG partner and give you all the best money can buy when it comes to security.

But what does that have to do with FWaaS?

The firewall as a software service is a next-gen firewall (NGFW) delivered as a cloud service, which:

  • Is based on simpler architecture than regular NGFW;
  • Is more scalable;
  • Is a unified security product;
  • Offers full visibility of your network traffic; and
  • Is easier to maintain.

Last but not least – in fact probably the most important characteristic of cloud-delivered security – is that threat detection should always up-to-date without the need to upgrade firmware, antivirus fingerprints, intrusion prevention systems (IPS) definitions, etc.

In an ideal world, FWaaS pairs with WSG to protect both internet and WAN traffic (remember, WSG is mostly focused on web traffic).

And by the way, at the risk of being cliché, say it with me now: “not all WSGs are created equal”.

But seriously, everything I listed above are examples of features that WSGs deliver. However, not all security providers deliver everything I’ve described, and not all of them are as capable as others.

We would namecheck some of the ones we like, but actually we integrate with several major WSG providers, and businesses have different needs that they’re trying to address. So we work with our customers to figure out which one is going to be best for them OR take advantage of what they already have in place.

But, as the above demonstrates, we won’t hesitate to share our thoughts on what best-in-class looks like. As for security, we cannot emphasize this enough – it’s cloud delivery all the way – from orchestration to WSG to FWaaS and beyond, there is no substitute. It’s all about SD-WAN cloud security. On-prem is over, my friends.