SD-WAN Security

Five factors of intrinsic SD-WAN security that solve threats to the distributed enterprise

Zabrina Doerck
Apr. 24 2020

Every company in the world is (or at least should be) concerned about protecting their data, and the customer and employee data they collect and store. As companies begin to migrate beyond their private networks, the questions about security become broader and more complex.

As businesses transition their private WAN to Internet and mobile transport, and connect more users to clouds and SaaS application hosting environments, WAN traffic increases, as does the number of attack surfaces. Malware attacks, including spyware, ransomware, and viruses, are targeting laptops, desktop computers, mobile users and IoT devices.

While there are many security challenges that confront businesses with digital assets, one that lurks within the data centers and branch offices of nearly all businesses is how to effectively manage the complexity of their network and security infrastructure and minimize attack surfaces. Hackers have a field day with disjointed IT environments, which present a real threat to enterprise security.

The key to reducing the security risk associated with infrastructure complexity is planning and deploying technology solutions that streamline and simplify infrastructure. Simplicity brings control. When things are complex, we tend to lose control. Networking and security devices can become misconfigured and forgotten, creating security holes that become fair game for unauthorized users looking to steal, change or destroy data. Such users install malware without the company's knowledge, and use clever tactics to access company and customer information.

SD-WAN Security for front-line protection

SD-WAN makes business networks more secure and agile, while providing essential visibility across the entire network. Users benefit from a secure, quality application experience, while IT benefits from a software-defined network that makes it easy to secure and manage their distributed WAN from a single-pane-of-glass interface.

SD-WAN includes intrinsic security and resilience benefits. Responsive traffic steering, specified by application policy, WAN availability and the state of application-layer performance, ensures QoE regardless of network conditions, while a stateful firewall and standards-based encryption deliver secure connectivity over any type of circuit. Most solutions ensure connectivity with SD-WAN branch (edge) appliances that are authenticated to the SD-WAN orchestrator through a software-defined management plane. After the SD-WAN edge device is authenticated, it receives the traffic management policies, including access to the secure WAN. Security and other network services can be provisioned within the cloud or on premises.

Beyond these fundamental SD-WAN security tenets, SD-WAN solutions are increasingly adding new security capabilities, including zone-based firewalls (ZBFs). For instance, the Ipanema SD-WAN solution protects the network from cyber threats without requiring additional security devices, although it may also leverage a Web Security Gateway (WSG) as required. The ZBF is an innovative approach to security that centralizes and automates security policies domain-wide, dramatically simplifying security management by eliminating the need for device-by-device configuration of firewall policy, and ensuring consistency across the WAN. Ipanema SD-WAN’s ZBF is unique in that it brings application intelligence to firewall policy, enabling the business to specify security protocols at the application level. Additionally, the ZBF provides orchestrator-level reporting rather than being limited to the device level, and detection of threats is automated domain-wide as well. Also of critical importance, it minimizes the attack surface through product hardening, removing unnecessary elements and running only essential processes. At a foundational level, the security posture of Ipanema SD-WAN incorporates continuous vulnerability testing and two-way PKI (public key infrastructure) authentication.

Keeping in mind that the goal of SD-WAN is to enable digital transformation, intrinsic and incremental security features like ZBF ensure that digital transformation efforts and cloud migrations take place securely. However, it is also important to empower businesses to upgrade the network non-disruptively, at the pace the business requires. New transparent hybrid WAN capabilities enable businesses to secure the network while incorporating cloud-delivered connectivity and transforming their WAN in phases, without incurring risk. Importantly, Ipanema SD-WAN is the only solution that delivers this transparent hybrid capability, enabling the business to deploy SD-WAN incrementally and gain the immediate application visibility and control of a full-featured SD-WAN without requiring network re-engineering. (More on that in a future blog.)

The intrinsic SD-WAN Security benefits

  1. Automated
  2. Centralized
  3. Domain-wide
  4. Minimal attack surface
  5. Application-Aware

As we’ve discussed, one of the core values of Ipanema SD-WAN is its granular application-aware capabilities, which dynamically and automatically route application flows to appropriate WAN links based on the priority of the application to the business. Uniquely, Ipanema SD-WAN does so based on real-time, dynamic network conditions, at the session level. From an SD-WAN security perspective, application flows run over IPsec VPN tunnels encrypted with AES 128, 256 or Triple DES. This enables provisioning over any type of WAN circuit, without specialized single-function security devices to terminate the VPNs at branch locations.

Direct-to-Internet rule exceptions can be defined as part of the network security and policy strategy. By default, all inbound and outbound traffic is denied from traversing the Ipanema SD-WAN edge appliances toward untrusted WAN interfaces. An administrator can activate exceptions to allow specific web traffic to break out to the Internet at the branch, or to be backhauled to the datacenter for security processing in a central firewall. I say all this not just by way of highlighting the unique capabilities of Ipanema SD-WAN, but also to say that these attributes constitute the core requirements a business should evaluate when considering implementing SD-WAN. Security will (or should) always be a priority for all businesses, and SD-WAN is delivering the automated defense necessary to protect business and customer data. But as we’ve said before, some solutions do so more effectively and seamlessly than others.
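
The default-deny behaviour with administrator-defined breakout and backhaul exceptions described above can be modelled and audited before a policy is pushed to the edge. The following Python is an added example, not Ipanema SD-WAN code or configuration syntax; the `Rule` fields, action names, application labels, sample policy and first-match rule ordering are all assumptions made for illustration.

```python
# Added example: hypothetical policy model, not Ipanema SD-WAN configuration syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DENY, BREAKOUT, BACKHAUL = "deny", "breakout", "backhaul"

@dataclass(frozen=True)
class Rule:
    app: str     # application as classified at the edge; "*" means any
    dest: str    # destination prefix in CIDR notation
    action: str  # BREAKOUT = exit at the branch, BACKHAUL = via the datacenter firewall

def decide(rules, app, dest_ip):
    """Return the first matching exception's action; unmatched flows are denied."""
    addr = ip_address(dest_ip)
    for rule in rules:
        if rule.app in ("*", app) and addr in ip_network(rule.dest):
            return rule.action
    return DENY

def lint(rules):
    """Return (rule index, finding) pairs for exceptions that weaken default-deny."""
    findings = []
    for i, rule in enumerate(rules):
        net = ip_network(rule.dest)
        for j, earlier in enumerate(rules[:i]):
            other = ip_network(earlier.dest)
            if (earlier.app in ("*", rule.app) and other.version == net.version
                    and net.subnet_of(other)):
                findings.append((i, f"never matches: shadowed by rule {j}"))
                break
        if rule.action == BREAKOUT and rule.app == "*":
            findings.append((i, "any application may bypass central inspection"))
        if rule.action == BREAKOUT and net.prefixlen == 0:
            findings.append((i, "breakout allowed to every destination"))
    return findings

# Constructed sample policy using documentation address ranges (RFC 5737).
POLICY = [
    Rule("saas-mail", "203.0.113.0/24", BREAKOUT),
    Rule("web", "0.0.0.0/0", BACKHAUL),
    Rule("web", "198.51.100.0/24", BREAKOUT),  # unreachable behind rule 1
    Rule("*", "0.0.0.0/0", BREAKOUT),          # effectively disables default-deny
]

if __name__ == "__main__":
    for index, finding in lint(POLICY):
        print(f"rule {index}: {finding}")
    print(decide(POLICY[:2], "ssh", "192.0.2.1"))
```

Running such an audit on every policy change catches exceptions like the last rule in the sample, which turns default-deny into allow-all for IPv4 destinations, and rules that silently never take effect because an earlier, broader exception matches first.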

Ipanema SD-WAN delivers unrivalled application intelligence and control, while preserving enterprise confidentiality and security. WAN deployments are simplified for IT by activating WAN security without additional specialized appliances, eliminating the need to configure additional firewalls within branch offices. Beyond this, Ipanema SD-WAN enables enterprises to immediately gain all the benefits of a full-featured SD-WAN, while upgrading the core network at a pace that suits their needs without requiring re-engineering of the network, thereby eliminating risk and ensuring that business is not disrupted, either by the SD-WAN project itself or by network security threats.

