bluebay2014 - Fotolia
To paraphrase Sir Isaac Newton's third law, for every action there is a reaction. In the case of deploying software-defined WANs, his law applies directly to some security consequences.
SD-WANs increasingly are becoming an option for enterprises that want to combat the expense of using Multiprotocol Label Switching, which offers high-quality service and a hefty price tag. Enterprises can implement SD-WANs and not sacrifice quality, but the technology can open organizations to the vulnerabilities found in any data exchange over the internet. As a result, companies have to focus on SD-WAN security to be sure they aren't creating unwanted or unintended vulnerabilities.
The big advantage is that SD-WANs can save companies money on costly MPLS lines and help them add and manage bandwidth and applications more efficiently, according to Gartner analyst Andrew Lerner. Instead of sending out network managers to run firmware updates or fix problems, most routine setup and maintenance can be done remotely over a central console.
The challenge is SD-WAN security. Once companies start using SD-WANs, they are more dependent on the internet and more open to its vulnerabilities. In response, network managers are finding ways to more effectively encrypt, filter and manage traffic.
"For the most part, companies now opt for a firewall at the branch or a cloud-based security option," Lerner said.
The case for SD-WAN security
Network managers looking to lock down SD-WAN security have some excellent options. Some companies may be better off taking a broader approach with legacy equipment. Cost pressure being what it is, the average company can't afford to swap out its security infrastructure on top of transitioning its WAN technologies, so the option to get more use out of existing firewalls is appealing.
Eyvonne Sharpconsulting network engineer and team lead, Kindred Healthcare
Keep in mind that vendors and service providers are moving to an approach where customers can opt to install the firewall as a virtual machine at a branch instead of as a hardware device. Over time, many others will take the full-cloud approach, but networking and security managers typically are risk averse, so it remains to be seen how all this will play out.
For now, some companies are opting for a multistep approach to SD-WAN security.
Justin Horne, director of IT at Goldberg & Osborne, a Phoenix-based law firm with 23 sites running on Silver Peak's SD-WAN appliances, said Silver Peak encrypts every packet as it transmits across the WAN. The law firm has used Fortinet firewalls for some time, and since Silver Peak formed a strategic alliance with the firewall maker, it uses Fortinet firewalls for the company's MPLS and internet virtual private network (VPN) connections.
"The combination of the encryption and the firewalling works well with negligible performance degradation," Horne said.
By moving to SD-WAN and creating a VPN internet connection at every branch, Horne said the law firm will have redundancy it couldn't have afforded previously. Remote sites had just one MPLS connection in the past, which could cost up to $3,000 a month. He said the company plans to reduce the need for expensive long-haul MPLS services by adding less-costly cable or DSL lines, depending on the branch's needs and the services available in the local areas where they do business. Silver Peak's overlay technology uses multiple links for more responsive packet delivery, negating the need to use MPLS for smaller, more remote branch offices, he added.
Horne estimated that the company can cut its network communications expenses in half by the end of the year while maintaining high-quality service.
Healthcare provider Kindred Healthcare in Louisville, Ky., plans to migrate 800 connections over the next 12 to 18 months, according to Eyvonne Sharp, consulting network engineer and team lead. The existing connections will be transferred to a new MPLS network running Viptela's SD-WAN appliance as an overlay.
Instead of purchasing the organization's full bandwidth needs via MPLS, Sharp said the company will augment its MPLS lines with broadband to reduce costs and improve reliability.
Guy Pearsonglobal network architecture manager, IPG
"In the past, if we had a redundant connection, we could only use it when the primary connection went down," she said. "Now with SD-WAN, we'll be able to use bandwidth more efficiently."
On the security front, Sharp said Viptela takes a comprehensive approach that includes built-in certificates and keys on the appliance's chip, encryption across the WAN and network segmentation -- features that are important to Kindred Healthcare.
"We work in a healthcare environment with a lot of regulations and a need to protect sensitive data," Sharp said.
She added that Viptela's multipronged SD-WAN security approach starts with the trusted platform module (TPM) chips that are built into the appliances. The TPM chips come with preinstalled security certificates and keys, which eliminate the need to install them by hand. In the past, the manually-intensive nature of key management exposed the network to misconfigurations, one of the leading causes of security breaches.
Kindred Healthcare now runs network segments for each of its devices, such as security cameras, telemedicine equipment and radiology machines. They are secure because Kindred can set policies for traffic to run only on that specific network segment. And rather than have to push the configurations to each machine individually by hand, they can now manage all the devices from Viptela's central console, Sharp said.
"We no longer have to touch all the devices," she said. "And all the communications from one of our facilities to our headquarters are encrypted. Traffic that needs additional scrubbing is routed through centralized Palo Alto firewalls."
A gradual approach to SD-WAN security
Advertising company Interpublic Group (IPG) also has been taking a gradual approach to its SD-WAN deployment at its more than 400 locations.
Guy Pearson, global network architecture manager at IPG, said the company has a pilot about to go into production, and over the course of the next 18 months, will deploy Cisco's Intelligent WAN (IWAN).
"We use less-costly Metro Ethernet at a lot of the main markets we do business in such as Chicago, Detroit, Los Angeles, New York and San Francisco," Pearson said. "So the SD-WAN appliances will mainly be for sites in locations [where] we have MPLS connections. For the time being, MPLS isn't going away, so we'll use MPLS with the SD-WAN internet VPN connections, both of which the Cisco IWAN encrypts with IPsec."
Tools, vendor and technology partnerships often promise security, but until companies have more experience with SD-WAN, time will tell if network and security teams can stay one step ahead of the hackers.
What you need to know about SD-WAN
The latest SD-WAN trends
Performing risk assessments before implementing SD-WAN infrastructure