According to the latest network trends such as digital transformation and the rapid emergence and adoption of cloud services, companies now have to open their internal IT to the public internet.
However, we all know that the internet is not really secure, certainly not secure enough to transport your private data - because the internet is ‘open’ by its nature - and most IT managers would not naturally design their network across the web.
Indeed, every time we mention the word “internet”, the question of security is fatally put onto the table. The recent massive global ransomware attack which impacted multiple companies in more than 100 countries worldwide strengthened the necessity to build a strong secured network to protect business and privacy. Network managers need to provide web connectivity to their internal end-users while security managers require strong commitments about the overall infrastructure. Obviously they can implement lots of security features through physical appliances such as Firewalls, IPS/IDS, security probes, cyphering and proxies but it will definitely lead to several constraints such as management and monitoring of all these dedicated devices linked to prohibitive operational costs.
Furthermore, new security regulations such as the new European legislation named GDPR (General Data Protection Regulation) reinforces the necessity for network and security managers to secure their infrastructure to protect data privacy.
To overcome this challenge, one solution that can improve security is through the applied use of a Software Defined-Wide Area Network (SD-WAN) to act as a first shield again external attacks by:
- Cyphering WAN traffic: SD-WAN’s design is based on an encrypted tunnel from device to device (branch to branch) thus all traffic going through SD-WAN architecture will be cyphered using both MPLS and internet networks.
- Segregating the network: by implementing virtual overlays on top of the physical underlay infrastructure, you will limit the impact of a potential threat or attack on your internal network. If a breach occurs, you will be able to limit the expansion into a staked perimeter.
- Securing direct internet access at the branch: SD-WAN will process local internet traffic and you will be able to control the connectivity to the web at a remote site level. Most SD-WAN solutions embed security features to act as a first firewall against external threats.
- Providing better visibility of your WAN: if you cannot have global visibility of your network and you cannot figure out what’s going on in your network then how can you secure your infrastructure? An SD-WAN architecture can enable a very deep level of visibility through its monitoring and reporting tools. These tools can help you to identify and even alert you to suspicious behavior that is for example, different from your standard routing — which might be due to an abnormal situation caused by a security breach in your infrastructure.
Beyond these SD-WAN enabled security features, we must also consider that the management of the global customer’s WAN is controlled through the SD-WAN orchestrator. What happens if someone with malicious intent takes control of this centralized tool? It could jeopardize the customer’s business by disrupting the routing rules of their WAN. SD-WAN providers have to deliver strong security mechanisms to allow access to the orchestrator in order to protect the global WAN architecture from such external threats.
Additional security features can be provided through Virtual Network Functions, (VNFs). Actually, SD-WAN + VNF can be embedded in the same physical appliances (virtual CPE or dedicated boxes) at the branch level to enable the coupling of security features brought by VNFs such as Firewall, IPS/IDS or Proxy with those provided by SD-WAN as noted above.
Moreover, these VNF features can be implemented on the provider’s backbone infrastructure (Telco carrier or Cloud providers) thus SD-WAN security features can be chained from the remote site (on premises delivery) to cloud-based mode. This allows network and security managers to build the best technical architecture while keeping costs under control.
Initially, SD-WAN was designed to provide smart routing features to the global WAN and to enhance quality of service. However, it can also bring security functions that strengthen your global IT environment through the activation of VNFs, adding additional layers of security. Network and security managers can leverage both technologies to provide an improved quality of experience to their end-user while applying stronger levels of security to protect against external threats.