Secure SD-WAN moves up on the enterprise priority list

Software-Defined Wide Area Network (SD-WAN) has emerged as a preferred option for the enterprises to manage and optimize the Wide Area Networks for a distributed and remote work environment in this new digital era. The virtual WAN architecture of SD-WAN allows enterprises to intelligently direct traffic across the WAN, and leverage any combination of transport services including Multiprotocol Label Switching (MPLS), cellular, and broadband internet services to securely connect users to applications hosted across on-premise data centers, and public, or private clouds.  

SD-WAN has expanded the boundaries of enterprise IT infrastructure across branches, the internet, and the cloud, augmented application performance and the user experience. It has enhanced the control, visibility and insights on the application as well. The added flexibility and scalability, however, come at a price. The virtualisation, sprawl, and visibility often play out as a slippery, complex and expanded attack surface for them. As the traffic no longer passes through a centralized location for policy enforcement and security filtering, it leaves enterprises extremely vulnerable to cyber threats.  

Dealing with a complex and expanded attack surface  

SD-WAN along with MPLS, and VPNs have already helped enterprises with their varied networking requirements. SD-WAN is often considered to be a cheaper alternative in terms of the capex and opex associated with adding new sites to the network, but is it any better than MPLS and VPNs in terms of security?  “The benefits of SD-WAN, whether its cost or performance can be completely overshadowed and burdened with the fast-evolving cyber attack vectors,” pointed out Rohit Sawhney, Systems Engineering Manager, Juniper Networks India as he gave a comparative view of the risks associated with each of them:   

“Earlier enterprises didn’t have many choices when it came to the WAN. MPLS was pretty much the de facto choice of the last decade. Fundamentally, private MPLS provides secured and managed links between locations through the service provider’s internal network. That is the reason many enterprises do not encrypt their MPLS connections or inspect traffic for security threats.   

But enterprises have got more choices for connecting their branch and distribution locations nowadays. As the cloud adoption and connectivity requirements grew further, enterprises started relying on Virtual Private Networks (VPN) over a direct internet connection as it provides a considerable degree of privacy and security with encryption, varying authentication mechanisms and data integrity checks. But VPNs are also prone to cybersecurity threats like Spoofing, Session and Device Hijacks and they cannot prevent viruses, malware, or physical threats from stealing information.    

SD-WAN also promised to offer more WAN choice and flexibility while providing better visibility and easier management of WAN resources. But connecting through the cloud can limit an organization’s opportunity for packet inspection and increase exposure to security threats.”  

DDoS attacks are also a real concern once enterprise locations start leveraging the internet for connectivity. Locations previously protected by private IP on MPLS VPN services are prone to such attacks, especially when concepts like local-breakout kicks in and expose the branch to attackers. SD-WAN management interfaces are exposed to the internet as the solution moves to cloud. This often leads to Web UI threat exposure e.g. HTTP DDoS-attacks, said Sawhney.      

No, SD-WAN isn’t foolproof  

SD-WAN systems form a network perimeter and connect the internet, WAN, extranet, and branches and that makes them an attractive target for attackers as well. The attack surface also grows considerably as organizations switch from a single or limited set of centrally managed secure internet gateways to a distributed set of internet gateways.  

The mesh networking topology of SD-WAN brings flexibility in transport services, agility and reliability of application performance, and SD-WAN's virtualized console offers centralized management and visibility into all of these connections. However, the approach still breaks the centralized security posture that most organizations have built into their hub-and-spoke network topologies. Also as SD-WAN appliances are fully-meshed unlike the regular routers, therefore compromising one SD-WAN device can give attackers visibility into the traffic flow from across the organization, leaving the critical enterprise data at stake.  

Although a real-time inspection, identification, and policy classification on the user and application traffic is foundational to secure SD-WAN, a basic SD-WAN will not always have security integrated deeply enough into their products leaving enterprises to solve security separately. Now that is no doubt a daunting task given the rapid changes in the cyber threat landscape in this digital era.  

Now, if you want to protect your organizational data with comprehensive security and compliance measures you have to add them as an overlay which used to be handled by the security solutions deployed at the core earlier. Also this overlay approach creates another set of problems. First, these point security products generally do not interoperate with each other, which can reduce visibility while leading to acute management and logistical burdens and overhead. And second, point security solutions are too disconnected from SD-WAN functions to do much more than react to connectivity changes creating critical defensive gaps at the network edge.   

Last but not the least, the ability of service providers to deliver scalable commercial SD-WAN and security services traditionally requires significant investment in time and resources and may require complex integration and testing resulting in a long time to market and high costs as well.  

Weaker links in SD-WAN   

The weaker links in SD-WAN also make it susceptible to various attacks.  

First, systems and components deployed as part of an SD-WAN solution often become a target of attack. SD-WAN hardware appliances generally use commercially available off-the-shelf (COTS) platforms. Operating systems of SD-WAN nodes are mostly built on general-purpose Linux distributions. Outdated and unsupported open source software make them even more vulnerable to attacks, indicate experts in the domain.  

In an SD-WAN architecture, threats may exploit weaknesses of the data plane, control plane, management, or the orchestration plane. These include fragile and weaker links such as southbound protocols, datacenter interconnects (DCI), controllers, along with network fuzzing challenges, and DDOS loopholes also.    

The Southbound interface is used by controllers to communicate with Customer Premises Equipment (CPE) in SD-WAN. Southbound protocols like OpenFlow, Netconf, REST API, MP-BGP and proprietary protocols are key in programming SD-WAN end devices like routers. This communication channel is vulnerable to security threats like non-legitimate access to a process or operating system resources via any exposed interface.  

Solidifying SD-WAN security  

Digital innovations continue to outstrips the ability of security to protect the expanding attack surface, leaving organizations exposed to new risks every day. Today’s distributed enterprises require a solution that ensures uninterrupted connectivity, accelerates the cloud on-ramp, improves application performance and user experience, provides advanced security to protect against evolving cyber threats, and enables unified analytics and reporting for improved visibility and control.   

“It is a fundamental requirement to do a risk analysis and assessment that considers your organization’s risk profile at the outset of designing your SD-WAN and selecting appropriate security controls. Threat modeling is a process that can help you to identify possible threats and vulnerable areas across your architecture. But it should be conducted early in the development stage of your SD-WAN, so issues can be remediated early to avoid much costlier fixes later. It can lead to proactive design decisions, which reduce the threat at the outset, helping your architecture to be secure by design,” suggests Raghuveer HR, Senior Director- Sales, NTT India.  

The roadmap to firming up security will depend on how you decide to deploy security as part of your SD-WAN solution. “A centralized model will provide ‘absolute security’, but the trade-off lies in application performance. A decentralized model provides security controls at each branch office location for flexibility and autonomy. However, this tends to result in inconsistent security across the organization and is costlier to deploy and manage. A cloud-based Secure Access Service Edge (SASE) combines WAN capabilities with cloud-native security functions like secure web gateways, cloud access security brokers, firewalls, and zero-trust network access. However, to be truly effective, it requires close collaboration between networking, security, and DevOps team,” explained he.  

SASE capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies, clarifies Gartner. What SASE does differently is decentralize the network. Instead of the hub-and-spoke topology typical of SD-WAN, irrespective of the users’ locations, SASE securely connects them to the nearest network point of presence (PoP) where security and networking functions are executed. 

SD-WAN needs to be looked at with security at the center of the architecture, and should not be an after-thought, reminds Ritesh Doshi, Director-Enterprise Networking, Cisco India and SAARC. “The solution should provide one-click native integrations with secure internet gateways to provide end-to-end security. This ensures we deliver application experiences and build enterprise scale. This modern-day architectural concept is often called SASE. It reflects the reality that the WAN security and features of today must be distributed, cloud-based, flexible, and agile. We believe that edge-level security is further tightened with an additional level of granularity and visibility that is required in today's distributed enterprise. In addition to this, it is critical to build a robust security foundation by deploying a Zero Trust architecture that implements a regime of continuous verification, prioritizing identity authentication, and end-to-end encryption,” said he.     

The approach to security is always considered best when it's pervasive, feels Rohit Sawhney of  Juniper Networks India. Because unlike any point product or component, SD-WAN is a framework incorporating locations, network, users, applications, devices, internet, public cloud and policies, which in turn can potentially open up threat vectors that are spread across the enterprise infrastructure and boundaries. “Although enterprises exploring and deploying a SD-WAN solution are somewhat familiar with common security threats, it remains crucial to have an understanding of the overall framework and components in the architecture. This will surely help security experts to build a more robust security implementation strategy for SD-WAN deployments,” said he.     

Transitioning to a security-driven networking approach ensures that security is always an integrated function of any network development or expansion project. In such an approach, security becomes an integral part of the new network – adapting and scaling along with the network, even as it expands into new cloud environments, provides more nimble services to branch offices, and moves to the rapidly growing edge. Explaining this further Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet says, “An integrated management solution that takes a security-driven networking approach and weaves SD-WAN and security functionality into a single console can decrease threat remediation time from months to minutes. It does this by coordinating policy-based automated responses across the distributed security architecture, unlocking security workflows, and threat intelligence gathering and implementation. As a result, any detected incident alert sent with contextual awareness data from a branch allows a network administrator to quickly determine a course of action to protect the entire enterprise against a potential coordinated attack.”  

Considering the expanded attack surface and attack vectors, secure SD-WAN is emerging as the most significant WAN service for enterprise organizations for its ability to facilitate business-aware connectivity in a growing hybrid environment. A secure SD-WAN must have the ability to prevent malicious access and attacks, along with the capabilities such as content filtering, network segmentation to secure specific areas of the network reduce or slow the spread of attacks, data encryption and VPN to ensure confidentiality of data traversing the network. This has created an opportunity for the service providers to deliver flexible, scalable and secure SD-WAN solutions and many SD-WAN vendors have joined hands with the leading security vendors to sell integrated solutions to their customers. While integration of multiple point solutions certainly helps in solving specific security issues, but, when you think about it, they also add up an extra layer of complexity, contradicting one of the selling points of SD-WAN in the first place, i.e. reduced WAN complexity and costs. But that’s another story for another time.