On September 28, attackers exploited security flaws in Facebook to steal security tokens tied to user profiles, compromising nearly 50 million user accounts. On October 9, Google announced that it would shut down the consumer version of its social network Google+ after a software vulnerability, present for more than two years, may have exposed the data of up to 500,000 users to external developers. From large-scale data breaches at global organizations to explosive ransomware attacks, the importance of security to enterprises is self-evident.
Today, software-defined wide area networks (SD-WANs) are booming, and they have also become a new threat vector for attackers to exploit. In the past, centralized Internet access and processing in the data center ensured the security of Internet traffic. The emergence of SD-WAN and the shift to hybrid connectivity, however, mean that some branch offices can no longer avoid being hit by a new wave of sophisticated attacks. SD-WANs have inadvertently created new attack surfaces: direct Internet access from the branch gives ransomware, APTs, viruses, worms and other malware an easier way in.

A change in security mindset

Many companies adopt SD-WAN without giving security much thought. SD-WAN projects are usually run by network operations teams, and too many companies are so absorbed in the benefits of SD-WAN that they forget about security altogether. Part of the problem also stems from vendors not integrating proper security measures into their solutions. Most SD-WAN solutions on the market today support only IPsec VPN and basic stateful security, which is not enough to protect companies from evolving cyberattacks. As a result, companies have to add security protections after deploying SD-WAN.

I. The dilemma: security should be the primary consideration

SD-WAN vendors that lack security awareness not only put enterprises at risk by running insecure solutions, but also add unnecessary complexity and overhead to already complex SD-WAN deployments, increasing the overall cost of maintaining the SD-WAN. SD-WANs are often prone to security issues in the following areas:
II. The solution: how SD-WAN can enhance security

Enterprises can meet this new security challenge by moving the inspection and enforcement point from the data center to the branch office or the cloud. Security administrators first need to evaluate whether they need a new security layer that goes beyond encryption and generic stateful firewall services. They then need to check whether additional risk factors exist in the branch office or cloud environment, which helps determine the security layer they actually need. SD-WAN supports end-to-end encryption and segmentation by application or by organizational unit, which provides some embedded security. However, a considerable number of SD-WAN vendors do not offer a comprehensive enterprise-grade security solution. Companies can choose from the following approaches:
Each approach has its own advantages and considerations. Some vendors also provide stateful firewalls, and many current routers already support this common service. Most SD-WANs on the market still lack next-generation firewall and secure gateway (UTM) functions.

1. Integrate security into the SD-WAN

Advantages: Integrated branch security solutions take SD-WAN to the next level of branch connectivity and can be delivered in several ways. They offer a single vendor, simpler management, protection of internal traffic, and intelligent traffic management and steering, giving enterprises stronger security without additional stacks or appliances to manage. SD-WAN with built-in security also provides a single management pane for correlating all events, covering users, applications, devices, locations and networks.

Disadvantages: The level of security may not be as "deep" as that of traditional "defense in depth" solutions, which usually rely on multiple vendors covering the various layers of the security infrastructure rather than a single "one size fits all" product.

2. Third-party Software as a Service (SaaS) solutions

Advantages: Third-party SaaS solutions can greatly reduce the management burden. Their consumption model is lightweight, often requiring no on-site deployment at all, and they are more agile and easier to implement and manage. SaaS security solutions can insert new inspection mechanisms to protect data, avoiding the high cost of hidden and incidental attacks.

Disadvantages: Most of these services can only identify HTTP-based traffic, which means enterprises have no way to decide how to handle other traffic. These services may also lack the ability to detect threats introduced through other protocols.
From a management perspective, SaaS solutions also separate management interfaces and touch points and add extra steps for administrators, which further complicates operations and increases the time they take.

3. Deploy existing or new vendor appliances

Advantages: Many enterprises rely on certified existing vendors to implement appliance-based on-premises protection. The advantage of this approach is that the enterprise knows the products well: these solutions have lived in the internal environment for a long time, and security administrators manage them directly and are familiar with them. Because of their long service life, on-premises protection solutions can remain in the branch office infrastructure for a long time and stay reasonably effective.

Disadvantages: Dedicated appliance solutions are likely to be costly from both a procurement and an operations perspective. They are complex, labor-intensive to implement, and require more resources to operate within the enterprise. Multiple data-intensive devices in each branch complicate matters further. Such complexity can lead to integration and/or interoperability problems, which can seriously impede productivity. In addition, many devices have no single point of event correlation, which lets some threats and other anomalous activity slip into the enterprise through the "gaps" between devices.

III. "Weapon list": a review of SD-WAN security products

The SD-WAN market is highly competitive, with dozens of vendors already shipping products. A key selling point of SD-WAN is that it lets enterprises use low-cost Internet links as secure, enterprise-grade connections. Network security is a key differentiator for SD-WAN technology, and each vendor should have its own approach to protecting traffic and identifying "safe" sites.
Almost all SD-WAN vendors now include basic firewall capabilities as a standard feature of their products. They use packet identification to understand traffic, for example identifying the source or destination of a flow to determine whether it is a trusted or cloud-based service. In addition, SD-WAN vendors offer products that include content filtering, endpoint identification and management, and policy enforcement. Their products can be divided into the following four types.

1. SD-WAN appliances with basic firewall capabilities

Many SD-WAN vendors build basic firewall capabilities into their SD-WAN devices. These firewalls are roughly equivalent to the stateful firewalls found in branch office routers, with features such as policy-based filtering and blocking applications by port or IP address. Representative SD-WAN products with basic firewall capabilities come from Cisco (Viptela), Silver Peak and VeloCloud.

In August this year, Cisco (Viptela) announced that it had integrated Viptela SD-WAN software into IOS XE. Cisco is trying to strengthen its SD-WAN security by integrating firewall, intrusion prevention and URL filtering into Viptela. Secure Extensible Network (SEN) is Viptela's SD-WAN solution; it contains five key architectural elements: transport independence, automatic protection of any routed endpoint, end-to-end network segmentation, centralized controllers that enforce policy, and network service advertisement. SEN provides secure end-to-end network virtualization, is used by enterprises to build large-scale networks, and fully integrates routing, security, centralized policy and orchestration.

In June this year, Silver Peak's Unity EdgeConnect added segmentation and security service chaining to its SD-WAN solution.
These new features enable distributed enterprises to centrally segment users, applications and WAN services into security zones and to automate application traffic control across the LAN and WAN based on predefined security policies, regulatory requirements and business intent. For enterprises with multi-vendor security architectures, EdgeConnect now provides seamless drag-and-drop service chaining to next-generation security infrastructure and services.

VMware NSX SD-WAN by VeloCloud has a flexible architecture that protects cloud-bound traffic by steering it through the data center, can be used for managed security facilities and VPN termination, and can also insert other services including firewalls and cloud-based security (such as Zscaler). The VNF capabilities supported by the NSX SD-WAN Edge also allow security services to be inserted in the branch.

2. SD-WAN appliances with advanced firewalls

A basic stateful firewall may suffice for a phase-1 deployment that connects only to specific SaaS IP addresses, but not for broader Internet access. For this reason, some vendors have added NGFW capabilities to their SD-WAN devices.

Open Systems started offering SD-WAN-related services before the term was coined. Its solution offers security as a service: a fully managed service that provides a complete security stack and cloud management on its edge devices. Open Systems claims to repackage third-party services as part of a managed, secure SD-WAN appliance. The managed service covers network security services including a distributed enterprise-grade firewall; CASB, endpoint detection and response, and network security monitoring; and distributed network intrusion prevention and Wi-Fi security.
Versa Networks' SD-WAN strengthens protection for branch offices. Its SD-WAN security solution provides software-based security features, including stateful and next-generation firewalls, malware protection, URL and content filtering, IPS and antivirus, DDoS protection, and VPN/next-generation VPN. Versa Networks claims that its SD-Branch solution provides a complete set of integrated networking (routing, SD-WAN, Ethernet, Wi-Fi) and security (NG firewall, secure web gateway, AV, IPS) functions. Its virtual customer premises equipment (vCPE) can also run third-party VNFs.

3. Firewall appliances with SD-WAN capabilities

Meanwhile, according to Gartner, several security vendors have announced SD-WAN capabilities for their NGFW appliances, including Barracuda, Fortinet and Cisco Meraki.

Barracuda CloudGen Firewall provides a combination of scalable centralized management, local security enforcement, and advanced uplink intelligence and QoS for each branch office. This enables direct Internet breakout via direct VPN tunnels, supporting cloud deployments and applications at each branch. Barracuda CloudGen Firewall includes WAN compression and deduplication, failover and link balancing, dynamic bandwidth and latency detection, adaptive session balancing across multiple transports in VPN tunnels, adaptive bandwidth reservation, and more.

Fortinet is an NGFW vendor that provides native SD-WAN with integrated advanced threat protection. Fortinet's SD-WAN capabilities are built into the FortiGate next-generation firewall, allowing branch offices to inspect SSL traffic for malware using URL filtering, IPS, antivirus and sandboxing. FortiGate SD-WAN replaces separate WAN routers, WAN optimization and security devices with a single application-aware solution that provides automatic WAN path control and multi-bandwidth support.
It can improve application performance, reduce WAN operating costs and minimize management complexity.

Cisco Meraki MX is an enterprise security and SD-WAN appliance designed for distributed deployments that require remote management. Its SD-WAN features let administrators maximize network resiliency and bandwidth efficiency. It provides security features such as content filtering and threat protection, firewall and traffic shaping, NAT and port forwarding, site-to-site VPN that creates encrypted tunnels between Cisco Meraki devices and non-Meraki endpoints, group policies and blacklists.

With SD-WAN-enabled firewall appliances, security is far superior to the basic firewalls included in SD-WAN appliances. However, organizations are still constrained by the limits of the appliance model. What's more, while many of these appliances look great on paper, they lack the maturity of more established SD-WAN products.

4. Secure SD-WAN as a service

Instead, some vendors reduce the number of devices by moving SD-WAN and certain security functions into a service. Cato Networks is the best example of this approach, providing fully integrated security and SD-WAN services. Cato Cloud converges networking and security, extending the WAN with policy-based routing, an SLA-backed global backbone, enterprise-grade network security, and cloud and mobile support. Cato is designed to connect all enterprise resources to the WAN, including physical locations, cloud resources, and fixed and mobile users. With Cato, network and security functions are available everywhere and for all resources without introducing point solutions.

Other services also take the secure SD-WAN as a service approach. Aryaka, for example, provides basic firewall capabilities through its SD-WAN service but does not provide L4 to L7 controls such as NGFW, IPS, URL filtering and antivirus. The same is true of Bigleaf Networks.
Aryaka has partnered with Radware to provide DDoS protection using patented behavior-based detection, delivering perimeter security at the network edge and building it into the SD-WAN appliance (ANAP). Aryaka's SD-WAN security platform, PASSPORT, provides multi-layered, defense-in-depth security. Aryaka also offers a virtual stateful firewall as part of its SD-WAN, along with a simplified insertion model that avoids the packet loss and latency common on the public Internet.

SD-WAN security: what to expect in the future

To reach a higher standard of security, certain features are non-negotiable for branch and WAN connectivity solutions. Organizations should require stateful firewalls and application firewalls, as well as dynamic IPsec tunnels and site-to-site pairing. Security features should also include secure key management and dynamic key updates, as well as inline detection of and protection against malware and other x-ware. Naturally, standard security features such as antivirus and DDoS detection and protection should be included as well.

The benefits of a secure SD-WAN are unquestionable, and for SD-WAN to function effectively in today's security environment, security must not be an afterthought. Instead, organizations need to change the paradigm and make security an inherent part of the SD-WAN architecture, ensuring that it becomes a strong, critical and necessary pillar of the enterprise's overall security infrastructure.