To save money and reduce their reliance on MPLS private lines, enterprises are increasingly turning to hybrid deployments of software-defined wide area network (SD-WAN) technology. However, many enterprises do not understand SD-WAN and may even be misled by some solution vendors, which leads to misuse of SD-WAN and recurring security pitfalls. The following five SD-WAN security myths must be avoided.

Myth 1: SD-WAN is secure

SD-WAN technology mainly uses software to improve network performance, reduce costs, and ensure security and stability while keeping deployment convenient. However, replacing MPLS dedicated lines with SD-WAN purely for network security reasons is itself a security risk. SD-WAN has shown explosive growth recently, and it does support end-to-end encryption and segmentation by application or organizational level, providing embedded security mechanisms. In fact, though, a considerable number of SD-WAN vendors do not provide comprehensive enterprise-level security solutions. Many enterprises also do not fully understand the SD-WAN solution architecture and rush to launch projects, which lays the groundwork for security threats. It is therefore very important to choose an SD-WAN security solution that meets the specific needs of the enterprise.

Myth 2: Save as much as possible on security investment

Enterprises that hold this view tend to cut costs wherever they can when choosing an SD-WAN solution. The side effect of cutting investment is that the security policy the SD-WAN should deliver after deployment is not achieved. Because some SD-WAN solutions integrate security features or policies, some enterprises take a chance: they reason that SD-WAN also uses VPN for transmission and integrates data compression and traffic management technologies, so its own security has improved, and that since SD-WAN has its own security features, the investment in other security equipment can be saved. This is obviously a security misunderstanding. Given today's increasing network security threats, it is not enough for an enterprise to rely solely on the basic security features of SD-WAN. Enterprises that adopt SD-WAN also need network security equipment and corresponding threat management strategies, such as security gateway services or next-generation firewalls (NGFW), including intrusion prevention, SSL inspection, web filtering and anti-malware protection. Otherwise, it will be only a matter of minutes before they fall into the trap.

Myth 3: Thinking that branch routers are also safe

SD-WAN technology is subject to the same stringent security standards as other IT infrastructure elements. Special attention should be paid to the branch routers used in an SD-WAN deployment. With a traditional branch router deployment, the hardware may not need to be checked for several months once installed, but this does not apply to SD-WAN routers: it is very important to ensure that the device firmware is updated with the latest security patches. Even if some SD-WAN routers have intelligent automatic repair functions, this does not change the fact that security configurations need to be changed at any time according to the application environment.

Myth 4: Not knowing what security features are available or missing

When enterprises evaluate multiple SD-WAN solutions, the security features supported by a particular solution are often overlooked. As with most things in technology, not fully understanding the solution causes more problems: an enterprise that does not know which security features its SD-WAN provides is at risk, because missing security features go undetected. For example, it is common to see companies that adopt SD-WAN solutions move from UTM devices at a centralized Internet egress in their data centers to a distributed Internet egress model. However, most SD-WAN solutions only provide a simple stateful firewall, which does not actually provide the same protection as the next-generation UTM that controlled access in the centralized model. This oversight may put users at risk of network threats without their knowing it.

Myth 5: Everything in the marketing brochure is true

You should take what solution vendors say in their marketing brochures with a grain of salt. SD-WAN marketing brochures often present as a selling point that adopters do not need to pre-configure routing or network paths. However, this attitude can create major SD-WAN security vulnerabilities. Without a pre-determined path, companies will not be able to answer several key questions, such as the path that data takes from point A to point B, who owns the networks it passes through, and, more importantly, what happens to the data in transit. Data is transmitted through broadband Internet nodes that are not controlled by the enterprise, so additional security controls and technologies are needed to encrypt data transmitted over IP networks. If you only believe what the marketing brochure says, you will undoubtedly dig a hole for your own security.

Conclusion

From this we can see that relying solely on the security of SD-WAN itself is not enough. Only by building security defenses in the right way and avoiding the above five misunderstandings can a secure network be created for the enterprise.