Security is one of the top concerns for organizations deploying SD-WAN. Fortinet's John Maddison explains what SD-WAN security challenges are and how to address them.
SD-WAN products have been on the market for more than five years. Early adopters of the technology focused primarily on transport-related issues, such as replacing or augmenting MPLS with broadband. As any technology matures and moves beyond the early adopter phase, purchasing criteria change, and SD-WAN is no exception. In 2018, a ZK Research survey asked respondents to rank their SD-WAN purchasing criteria, and security ranked first, far ahead of technology innovation and price. (Disclosure: the author of this article is an employee of ZK Research.) To better understand this trend and what it means for network professionals, I spoke with John Maddison, Fortinet's executive vice president of products and solutions, who develops the company's product strategy and is therefore well-versed in both SD-WAN and security.

What is the current state of SD-WAN?

John Maddison: As digital technology has evolved, it has become clear that traditional branch-to-branch connections are no longer sufficient for the sophisticated connectivity that today's businesses require. Something as simple as a separate tunnel with a dedicated connection between a branch office and corporate headquarters and a live connection to the internet could compromise the security of the entire organization. SD-WAN offers features like support for advanced business applications, the ability to move latency-sensitive data such as voice or video over reliable, high-speed links, and the ability to combine multiple connections, such as links to the core network, connections to multiple cloud networks and services, and live connections to the Internet and mobile devices, into a complete package.

The challenge we see organizations facing is trying to apply a consistent security framework to this new environment. Not only does it need to protect the primary SD-WAN connection, but it also needs to integrate into any security solutions deployed elsewhere, such as in the cloud or remote networks. This allows organizations to implement a single security policy that includes application protection, web filtering, sandboxing, network access control, SSL inspection, and solutions such as NGFW, IPS, etc., thereby protecting applications, workflows, and dynamic data.

How will the market change as it moves from early adopters to mainstream users?

Maddison: The initial wave of SD-WAN was primarily transport-centric. Its main driver was the shift from MPLS to a combination of MPLS and broadband to allow for greater flexibility in adopting new applications and services to support digital business needs. However, as enterprises use SD-WAN in production, there is a greater focus on security. Branch offices cannot become the new weak link in today's interconnected, distributed network model. There is also growing interest in extending SD-WAN to the LAN and redefining the entire branch with SD-Branch to provide consistent security, unified policies, and unified management.

Since security is a core requirement of SD-WAN, what new challenges does it bring?

Maddison: The big challenge is that traditional security solutions just don't cut it anymore. They don't have the performance, flexibility or interconnectivity required for SD-WAN connectivity. Even more challenging, they often can't see edge connectivity. That's why we've been developing intent-based segmentation. This type of policy can isolate users, applications, workflows or data based on a number of parameters, providing security across the entire transaction path. Traffic can be forced to follow specific behaviors or isolated to specific users or destinations to ensure consistent policy application and enforcement at all times.

Can you tell us more about user- and intent-based segmentation: what it is and what benefits it can provide?

Maddison: When a user initiates or receives a transaction, it needs to be transmitted over a public network. Traditional security tools can harden connections, inspect traffic, identify malware, and prevent traffic hijacking, but this is often not enough. Given the growth of traffic and the density of other devices on these same connections, it is easy to lose track of traffic. Isolating users, applications or workflows allows organizations to see and control the devices that can interact with that connection, making it more difficult for criminals and insiders to intercept, steal or damage that data, and helps ensure that managed data and resources are protected as they cross an increasingly connected ecosystem of networks. Intent-based segmentation is the intelligent segmentation of IT assets based on the intent of business goals and the required security processes, with granular access controls to prevent the spread of lateral threats that propagate across the network.

What threats does this protect against?

Maddison: Intent-based segmentation protects against a wide range of security issues, including insider threats and even malware spillovers that may have infected other parts of the network. Intent-based segmentation ensures that cybercriminals who infiltrate the network are detected quickly to prevent the lateral spread of security threats.

One of the challenges facing security teams is that they are already inundated with too many security tools. Doesn't this exacerbate the problem?

Maddison: The real problem is trying to protect a distributed network with tools that were never designed for it. What often happens is that security is applied only to the gateway, which reduces deep visibility into the network, or different tools are selected and deployed for different parts of the network. IT teams can quickly become overwhelmed by security sprawl, and as a result, tools are not updated or optimized, or are implemented inconsistently. What is needed is a single security platform that can provide consistent policy enforcement no matter where the security solution is deployed, and that can then be managed with a unified management and orchestration console. Security at the core, in the cloud, and at branch offices needs to be deployed, enforced, managed, and optimized like a single, monolithic system. Of course, this is easier said than done. For example, native controls in different cloud environments can vary greatly. Security solutions need to be carefully selected based on their ability to be applied and managed regardless of where they are deployed.

Is there anything else you'd like to share with our readers regarding SD-WAN?

Maddison: One of the great challenges facing organizations considering an SD-WAN solution is how to deal with all the marketing hype. New platforms are often not well defined, resulting in vendor solutions that can be very different from one another. Security is a particularly challenging issue, as it has recently been identified as one of the top concerns for organizations deploying an SD-WAN strategy. Of the more than 60 vendors currently offering SD-WAN solutions, few offer integrated security strategies of all types. While most offer some simple stateful security, they do not address most of the security issues facing today's digital enterprises. Instead, they rely on other vendors to provide features such as security prevention, next-generation firewalls, web filtering, malware analysis, SSL and IPsec inspection, and sandboxing. But given the current security skills gap, this could be a disaster waiting to happen. Deploying advanced security to next-generation branch offices over public networks is no easy feat. Deployment, configuration, and optimization alone create personnel and financial overhead that many organizations don't have the resources to manage. But any gaps there could leave SD-WAN connections vulnerable. Instead, organizations should look for solutions that meet resource constraints by bundling simple, integrated security and SD-WAN solutions into a single platform.