Secure SD-WAN - how does that work?
With Software-Defined WAN (SD-WAN), lower costs and increased efficiency are the big payoff. What about the security concerns?
Perhaps we exaggerate, but IT professionals, especially those working in telecommunications, should always be wary of anything connected to the Internet, and of any service delivered across it.
That includes websites, email, cloud-based applications and, of course, WANs.
The bad news is that the wild, unfettered Internet can indeed be a dangerous place; it's a good thing we have firewalls, unified threat management, intrusion prevention systems, strongly encrypted VPNs and endpoint security to protect us.
The good news is that SD-WAN, one of the fastest-growing technologies for connecting branch offices and remote locations, can be deployed just as safely.
While SD-WAN often routes traffic over the Internet, the overlay tunnels it builds between sites are authenticated and encrypted, so the transport underneath does not have to be trusted.
You can therefore expect SD-WAN to provide the same or better security than traditional dedicated WAN services such as Multiprotocol Label Switching (MPLS), at a much lower total cost of ownership (TCO).
A Software-Defined WAN (SD-WAN), in a nutshell, can be thought of as an overlay architecture that connects enterprise on-premises data centers, Infrastructure-as-a-Service (such as that hosted by Amazon Web Services or Microsoft Azure), cloud services (such as Software-as-a-Service), remote locations and branch offices.
In some cases, those locations are already linked by dedicated circuits using carrier-provided services such as MPLS. Those services are usually reliable, offering guaranteed bandwidth and high availability, and they are private in the sense that the carrier keeps each customer's traffic separated; note, however, that MPLS itself does not encrypt the traffic it carries.
On the flip side, they are extremely expensive, locked in by long contracts, slow to provision for new locations or to change service parameters on existing links, and not always immune to performance problems.
Other locations, particularly branch offices, may also have dedicated lines, but those connections are overkill for what remote sites actually need: fast, reliable access to enterprise applications and file sharing, and to corporate communications tools such as on-premises applications, Voice over IP (VoIP) and video conferencing.
In many cases those branch offices simply need more raw bandwidth, and the least expensive bandwidth is a straightforward Internet connection, or several of them.
But the Internet is neither inherently secure nor of consistently high quality: the performance and reliability of wired and wireless Internet links are unpredictable at best.
SD-WAN establishes a communications overlay using software that runs in an edge appliance, as a virtual instance, or on virtual customer premises equipment (vCPE) at each branch office, data center, campus and headquarters.
Leading SD-WAN products use a cloud-based controller that coordinates communications and ensures that business policy, priorities and criteria are propagated throughout the network.
The controller pushes these instructions and changes to the edge devices, which then make sure the right traffic is sent, securely and reliably, over the best available path to its destination.
SD-WAN edges understand applications and priorities: a VoIP session is steered to the available link with the least jitter and packet loss, and if loss does occur the impairment is remediated on the fly; lower-priority traffic such as chat applications or laptop data backups does not receive the same gold-plated treatment.
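The steering logic described above, as an added illustration written for this page (it is not VeloCloud code): two application classes are steered across a set of overlay links using measured jitter, loss and latency, real-time traffic gets loss and jitter remediation while best-effort traffic does not, and a link whose tunnel has not completed authentication is never used no matter how good its metrics look. The link names, metrics, class thresholds and scoring weights are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Link:
    """One overlay path as seen by an edge. All values here are constructed."""
    name: str
    transport: str              # "mpls", "internet" or "lte"
    tunnel_authenticated: bool  # True once the tunnel peer has been authenticated
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class AppClass:
    """A business-policy class. priority 1 is real-time, higher is best effort."""
    name: str
    priority: int
    max_jitter_ms: float
    max_loss_pct: float


# Constructed sample data, not real measurements.
LINKS = [
    Link("mpls-1", "mpls", True, latency_ms=30, jitter_ms=2, loss_pct=0.0),
    Link("inet-1", "internet", True, latency_ms=25, jitter_ms=4, loss_pct=0.2),
    Link("lte-1", "lte", False, latency_ms=60, jitter_ms=30, loss_pct=3.0),
]
# Same links after the MPLS circuit starts dropping packets and the
# Internet link becomes jittery.
DEGRADED_LINKS = [
    Link("mpls-1", "mpls", True, latency_ms=30, jitter_ms=3, loss_pct=2.5),
    Link("inet-1", "internet", True, latency_ms=25, jitter_ms=15, loss_pct=1.2),
    Link("lte-1", "lte", False, latency_ms=60, jitter_ms=30, loss_pct=3.0),
]
VOIP = AppClass("voip", priority=1, max_jitter_ms=10, max_loss_pct=1.0)
BACKUP = AppClass("backup", priority=3, max_jitter_ms=1000, max_loss_pct=5.0)


def eligible_links(links: List[Link]) -> List[Link]:
    """Only links whose overlay tunnel is authenticated may carry traffic.

    This is the security gate: a path that has not proven its identity is
    excluded before any quality comparison happens.
    """
    return [link for link in links if link.tunnel_authenticated]


def score(link: Link, app: AppClass) -> float:
    """Lower is better. Real-time classes weight jitter and loss heavily;
    best-effort classes mostly care about latency."""
    if app.priority == 1:
        return 2 * link.jitter_ms + 50 * link.loss_pct + link.latency_ms
    return link.latency_ms + 10 * link.loss_pct


def steer(app: AppClass, links: List[Link]) -> Tuple[str, List[str]]:
    """Pick the link for an application class and the remediations to apply.

    Returns (link name, list of remediation names). Raises if no
    authenticated path exists rather than falling back to an untrusted one.
    """
    candidates = eligible_links(links)
    if not candidates:
        raise RuntimeError(f"{app.name}: no authenticated overlay path available")
    best = min(candidates, key=lambda link: score(link, app))

    remediation: List[str] = []
    if app.priority == 1:
        # Gold-plated treatment: repair the impairment instead of living with it.
        if best.loss_pct > app.max_loss_pct:
            remediation.append("fec")            # forward error correction
        if best.jitter_ms > app.max_jitter_ms:
            remediation.append("jitter_buffer")  # de-jitter at the receiving edge
    return best.name, remediation


if __name__ == "__main__":
    for label, links in (("healthy", LINKS), ("degraded", DEGRADED_LINKS)):
        for app in (VOIP, BACKUP):
            print(label, app.name, steer(app, links))
```

On the healthy set VoIP lands on the MPLS circuit and backups on the cheaper Internet link; once MPLS starts losing packets, VoIP moves to the Internet link and FEC plus a jitter buffer are switched on to hide that link's impairments, while backups simply follow the lowest-latency path with no remediation. The LTE link is never chosen in either case because its tunnel has not authenticated.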
But What about Security?
If SD-WAN sometimes sends data over private MPLS links and sometimes over the Internet, isn't the organization at risk? Not when the overlay is built properly. SD-WAN edges authenticate one another and encrypt every packet they exchange using industrial-grade, standards-based protocols, so traffic is protected from edge to edge regardless of which transport carries it. That protection covers the overlay between edges; the edge devices themselves and the hosts behind them still need to be secured by the usual means.
What's more, because the enterprise SD-WAN is deployed and managed through the cloud, security staff can monitor the state of every connection and confirm that all communications meet corporate policies for security and reliability.
Leading cloud-delivered SD-WAN services are hosted in data centers audited under SSAE 16 (Type II reports), and protect sensitive data with SHA-256 hashing and encryption.
Edge activation uses a one-time activation key with a limited lifetime, exchanged over TLS, together with an orchestrator certificate and a tamper-resistant token.
For data transport, top-tier SD-WAN solutions use technologies such as IPsec VPN tunnels negotiated with IKEv2 and certificate-based authentication, AES-256 encryption between edges, and key material established either from pre-shared keys or through a PKI.
That's only the start. Different organisations have different security needs, but all of them have needs that must be met. A medical institution must protect not only its intellectual property but also patient data.
A bank has to protect its operational data, and also secure customer accounts and verify the integrity of transactions in order to meet U.S. and international requirements.
Technology companies must protect their patents, and may need to control access to source code, encryption algorithms and other key data in order to comply with export laws.
To help an organisation enforce its security policies, an SD-WAN must be able to implement policies of those kinds, and be able to demonstrate that enforcement to regulators and to internal or external auditors.
That's where the abstraction an SD-WAN provides can be better than managing dozens of separate WAN systems: today's best SD-WANs offer a single, multi-tenant management tool for applying application and business policies across all connections, regardless of the underlying medium (MPLS, Internet or wireless).
To summarise: with a state-of-the-art SD-WAN platform, all overlay traffic between data centers, remote offices and even public clouds is protected by scalable, high-grade authentication and encryption.
Because of that abstraction, remote offices and cloud links can be managed centrally, with no need to visit the branches. And the SD-WAN not only monitors security but gives IT departments granular visibility on a single pane of glass and gathers the data needed to demonstrate compliance with corporate policies.
Safe? Not safe? That depends.
Thank heavens for our firewalls, which protect the enterprise network perimeter against attack, and for the intrusion detection and prevention systems that guard against threats once the perimeter has been penetrated.
Those are necessities for every organisation, and for many businesses enterprise and cloud security products are at the heart of data security.
Recognising that SD-WAN is only one piece of an enterprise IT system, the best SD-WAN platforms integrate and interoperate with today's leading enterprise and cloud security platforms, such as those from Palo Alto Networks, Zscaler or Raytheon's Forcepoint. When it comes to security, everything must work together.
SD-WANs allow enterprises to use inexpensive, flexible, high-bandwidth and pervasive Internet connections to implement secure wide-area networks linking branch offices and remote locations.
With SD-WAN, organisations save money while extending the level of protection they expect from dedicated WAN links like MPLS to every location, even over the Internet or cellular wireless.
Not only that: with SD-WAN it's fast and easy to set up a trustworthy remote connection over the Internet in a matter of minutes, compared to the months it can take to provision dedicated carrier links.
Thanks to cloud-delivered SD-WAN platforms that integrate with the industry's leading security platforms, enterprise IT and security staff can ensure that corporate data is protected and compliance requirements are met, even while employees in those field offices enjoy uncompromised application performance, quality of experience and reliable access to corporate applications and resources.
An industry-leading cloud-delivered SD-WAN solution will also give you the option to bring all of these components onto your own premises and host the entire solution behind your own firewall.
So yes: SD-WAN is a safe way to implement wide-area networks affordably, efficiently and securely.
Article by Michael Wood, VP of Marketing at VeloCloud