To improve the security performance of SD-WAN, you need to do this

In order to do a good job in network security, SD-WAN technology providers not only continue to strengthen the inherent security features of their products, but also create a strong security ecosystem with network security partners. IT managers are also actively considering their branch network security needs and carefully evaluating the security capabilities of SD-WAN providers, including their own security features and their partnerships with network security providers.

Branch Network Security Threats

Cybersecurity is a constant concern for IT professionals, and surveys show that cybersecurity issues are getting worse. Branch security is a challenge as the number of devices attached to branch networks increases, including PCs, tablets, phones, point-of-sale devices, and IoT endpoints. All of these endpoints provide new opportunities for malware to infect corporate networks and hackers to access important data. Branch security issues are undoubtedly exacerbated by the lack of trained IT/security staff at remote locations and the complexity of managing multiple security devices (including IP VPNs, IDS/IPS, and firewalls).

[[237248]]

Another challenge with branch security is the need to coordinate security efforts across the entire network. Branch security systems need to communicate with endpoint security products and campus/data center network security systems. Branch traffic should be inspected, and any suspicious traffic can then be analyzed and flagged by a centralized or cloud-based security system. Ideally, branch security systems would be fully automated and employ cloud-based intelligence.

SD-WAN Security Features

The SD-WAN market is highly competitive, with dozens of vendors already on the market. A key selling point for SD-WAN is its ability to enable enterprises to leverage low-cost Internet circuits as secure enterprise-grade links. Network security is a key differentiator for SD-WAN technology, and each vendor should have its own unique approach to protecting traffic and identifying "safe" sites.

Almost all SD-WAN vendors now include basic firewall capabilities as a feature of their standard products. They use packet recognition to understand traffic, for example, to identify whether the source or destination of traffic is a trusted location or cloud-based service. In addition, SD-WAN vendors also include content filtering, endpoint identification and management, and policy enforcement in their products.

SD-WAN vendors are actively pursuing leading network security vendors, and companies such as Palo Alto, Z-Scaler, CheckPoint, and Fortinet are integrating SD-WAN technology with next-generation firewall and UTM capabilities. Because traffic switching between applications affects latency, this integration between SD-WAN and best-in-class network security vendors needs to be simplified to ensure high performance and low latency. The goal is to provide granular traffic inspection and effective whitelisting of cloud sites to securely prioritize critical traffic flows and applications.

Examples of SD-WAN security features

Aruba ClearPass Policy Manager provides users, devices, applications and WAN content to implement consistent policies in its SD-WAN solution. Its role-based enforcement, device profiling and access control features enable IT organizations to centrally implement LAN and WAN security policies at various branch locations. This simplifies the way policies are applied at different layers of the network and reduces the need for manual configuration.

Riverbed's SteelConnect supports native perimeter firewall, network address translation, and policy-based network segmentation, which help mitigate network intrusions and limit the further spread of threats. It automatically forms secure IPsec VPN tunnels, uses AES-256 encryption between sites, and provides deep packet inspection for encrypted applications such as SSL/HTTPS. SteelConnect Manager provides centralized management and visibility, allowing IT to specify application-based security and traffic paths.

Talari Networks’ fail-safe SD-WAN uses its integrated firewall to offload Internet traffic from branch offices, with trusted URL traffic automatically reconnected to the Internet. Talari supports RADIUS authentication for management of edge devices, and data packets are encrypted by default.

Example of an SD-WAN Security Ecosystem

A key aspect of SD-WAN security is whether the SD-WAN platform integrates and interoperates with leading network security products, including advanced firewalls, UTMs, secure web gateways, and cloud-based network security. The following are some examples of security ecosystems created by selected SD-WAN vendors.

• Cisco SD-WAN (Viptela): Cisco Security Solutions (various), Bluecoat, Palo Alto, Z-Scaler
• Cloud Genix: Palo Alto, Symantec, Z-Scaler
• Cradlepoint: Cisco, Trend Micro, Webroot, Z-Scaler
• Silver Peak: Check Point, Fortinet, Palo Alto, Z-Scaler
• VMware (VeloCloud): Check Point, Palo Alto, Symantec, Z-Scaler

SD-branch stands for software-located branch, which combines WAN and branches into a simplified network, security and WAN architecture by integrating multiple functions into a single software-based IP service platform. The advantage of SD-Branch is that it integrates multiple software/device modules from multiple vendors into one platform, making it easier to deploy and use. Many SD-WAN vendors have already or are about to launch SD-Branch solutions.

Recommendations for IT Managers

SD-WAN is a powerful technology for connecting distributed structures, and security should be a concern for vendors. Each vendor should have proprietary code for native security features. Customers should evaluate SD-WAN technology based on native security features in branches and clouds and the ability to develop a network security ecosystem. Vendors also need to further broaden and deepen integration with a variety of popular network security products through a partner ecosystem. IT managers should evaluate the security of SD-WAN to see if it can be easily integrated into their specific security environment and existing vendors.