Considering an SD-WAN deployment? The best solution may already be in your network
When the internet goes down, business stops. Every business today relies on cloud applications to run day-to-day operations, including CRM applications like Salesforce, engineering collaboration tools such as JIRA and Confluence, and Office productivity tools like Office 365. IT departments need to deliver high-quality, reliable links for all applications that are core to the company’s business operations.
To meet this demand in a cost-effective way, businesses are looking to one of the hottest topics in networking right now – SD-WAN. In fact, analysts predict this market will grow to $2.5 billion by 2022. Businesses are excited about SD-WAN technology because it presents an opportunity to curtail the costs associated with expensive MPLS solutions, moving traffic to public internet lines and often using secure VPN solutions to communicate between sites. Network links without assured or guaranteed service can now be used to deliver business class services, including Voice over IP and video applications.
But with a crowded and growing market, what type of SD-WAN solution should companies look for and how will they affect the businesses’ overall security? As with any emerging technology, there’s no shortage of new vendors making bold claims about their product capabilities, and every vendor’s definition of the technology varies in order to match what they can deliver. That’s why it’s crucial for businesses to truly understand what SD-WAN is and what it isn’t before embarking on a new deployment. Surprisingly, in many cases firewall appliances are now able to provide SD-WAN services as well as network security in a single appliance.
The 4 key characteristics of SD-WAN
There are several important features and capabilities that should be included in any SD-WAN solution. These include:
1. The use of software to manage connections over different link or connection types – MPLS, cable modem, DSL, 4G and links from different ISPs. Every SD-WAN service should offer dynamic path selection between these different links based on predefined policies set to align with business priorities. They should test circuit performance in real time, measuring packet loss, latency, and jitter to determine if the line meets the acceptable level of quality for its application traffic.
2. Traffic management for applications. For example, be able to guarantee 10 Mbps for all Salesforce traffic.
3. Secure VPN capabilities for site-to-site tunnels with full IKEv2 level encryption or TLS level transport. When internet connections are used, businesses need to ensure that all data is private and none of the traffic can be viewed by third parties.
4. Zero-touch deployment options that allow SD-WAN appliances to be delivered to remote locations and configured automatically by simply powering on and connecting to the internet. This ease of deployment aspect is critical, as technical staff and network engineers are scarce, and businesses need to quickly deploy cloud solutions as they roll out new hybrid WAN architectures to distributed sites.
SD-WAN is typically delivered by placing a routing appliance or physical box in a branch location. Some SD-WAN solutions provide additional security capabilities like antivirus services or web content inspection. And in certain instances, the solution is even offered by the Telecom carrier as part of a monthly managed service. This is somewhat ironic since these are also the same organizations that sell expensive MPLS solutions.
SD-WAN solutions should not introduce new security risks or vulnerabilities
Another important point to consider is who will be installing the SD-WAN solution. Is it an experienced managed service provider than understands the security of your network and will take the time to understand your needs, or is it a Telcom provider looking to add some extra dollars to an existing sale? There are some common security pitfalls to be aware of when introducing a new SD-WAN capability:
- An inexperienced operator may install SD-WAN routing devices behind a next-gen firewall or UTM and bypass the firewall that is already in place for some or all traffic. This would be a major security vulnerability because it could expose the internal networks to public access, bypassing all malware inspection at the UTM.
- The security capabilities offered with the SD-WAN may offer a false sense of security for customers. Does the solution only rely on simple signature-based detections to find malware passing through the network? Advanced and evasive threats can easily circumvent basic antivirus solutions. This is why it’s critical to have layered, advanced security services like behavioral-based and artificial intelligence-enabled antivirus as a part of the overall SD-WAN solution deployed at remote sites.
- Managed SD-WAN solutions may claim to offer some basic firewall services, but they can also take days to respond to simple requests to implement or change basic rules. For example, if an application no longer needs to have a port open, a company should be able to immediately implement a change that no longer exposes it.
UTMs may offer an effective, economical SD-WAN solution
The solution to a problem can often be found directly under your nose! For many years, next-generation firewalls (NGFWs) and Unified Threat Management (UTM) solutions have evolved to consolidate network and security functions onto a single appliance strategically located at the network perimeter.
If you are already running a NGFW or UTM in your network, evaluate it against the four key characteristics of SD-WAN outlined in this article. You may be pleasantly surprised to learn that it already meets most or all of these capabilities. Plus, if your UTM offer SD-WAN and critical security functionality in a single appliance, that removes the need to purchase, deploy and manage multiple appliances. Next, compare the level of security offered by your UTM appliance against that of the pure SD-WAN solutions you might be considering. Many new SD-WAN providers are novices in the security space, so the level of protection they offer may not meet your requirements.
SD-WAN adoption will continue at a rapid pace of the foreseeable future. As you consider the best approach for your organization, take a second look at your security appliance. You may find that the best option for your SD-WAN deployment has been there all along.