learn

SD-WAN Security

Software-defined wide area networks, or SD-WANs, have become the industry standard for larger corporations that need to connect their systems across multiple physical and logical locations. SD-WAN technology offers many essential benefits that previous generations of WAN configuration lacked. e of the most important is security.

SD-WAN security uses a multi-tiered approach to help to combat every type of cybersecurity threat. When set up and configured correctly, an organization can properly manage the security of their network quickly and effectively, all from one centralized location. Whether you are considering an SD-WAN solution or already have one in place, it is important to understand how its security works so your organization can take full advantage of this technology.

Security through centralized management

An SD-WAN network uses multiple layers and types of security, which will be outlined below. However, one thing that helps make all of these security technologies effective is that SD-WANs are centrally managed.

In the past, IT teams needed to plan and configure every piece of equipment throughout the network with device-specific security settings. Even with templates and automation tools, this could be very time-consuming and difficult. It also introduced a huge number of potential opportunities for mistakes, which could leave the network vulnerable.

SD-WAN was designed with centralization in mind. An IT team at one central office can create a comprehensive security profile, which will then be automatically distributed to devices throughout the network. The security rules and settings can be formatted automatically for each type of device, to get the results you are looking for without creating dozens of different security profiles manually. 

This type of centralized network security offers many benefits, including:

  • Reduced staging time – You can create security policies for your network one time, have them reviewed for accuracy, then roll them out to the entire network far more quickly than would be possible with other network configurations.
  • Unified security strategy – By keeping the security planning standardized, SD-WAN environments benefit from a unified security strategy that is easier to manage.
  • Rapid rollout of key fixes – When a vulnerability is discovered, it can be patched across the environment quickly, rather than having each device updated individually.
  • Fewer opportunities for mistakes – Making changes once and distributing them throughout the network leaves far fewer opportunities for errors than performing changes on each system separately.

Centralized network security management makes SD-WAN easier and more effective in most situations. The real power behind SD-WAN security, however, comes from the technologies built into this type of system.

{{banner-25="/design/banners"}}

Keeping your traffic private

One of the biggest reasons SD-WAN is such an effective option for networking is that it combines the benefits of passing traffic through the public Internet with the safety of using internal networking. It is this ability that sets SD-WAN apart from traditional WANs. In order to be able to pass traffic through the public Internet safely, however, SD-WAN has to use a variety of solutions to keep your data secure.

Understanding IP Security (IPsec)

SD-WAN was developed to be in full compliance with all required IPsec standards. This layer of security provides advanced data encryption, packet authentication, and more. 

While IPsec has been around for a long time, it continues to be modernized and used in a variety of different environments. When passing traffic over the public internet, IPsec is the best way to handle it safely. It protects your data using multiple different components, including:

  • Internet Key Exchange (IKE) – The Internet key exchange is where a new security association (SA) is established between the sending and receiving systems. All cryptographic information and algorithms will be agreed upon by the systems using this standard, and they will be followed throughout the session.
  • Authentication Headers (AH) – IPsec adds authentication headers to each packet of data. These headers can then be used to confirm that the data has not been modified in any way during its transmission.
  • Encapsulating Security Payload (ESP) – Encapsulating security payload prevents data from being retransmitted, which is a common tactic used by hackers and other bad actors. By adding a sequence number to each packet header, the system receiving the data can determine if it is being sent in the expected order. If it isn’t, it will end the transmission until a secured connection can be established.

IPsec is, of course, a very advanced system that would require an entire book to cover properly. Knowing about these three key components of IPsec, however, will provide a basic introduction and a sufficient level of knowledge to understand how SD-WAN uses this technology effectively.

Since SD-WAN works in large part by creating virtual private networks (VPNs) that transverse both the public Internet and private networks, it makes sense that IPsec is used. IPsec has long been one of the primary security components of VPNs. Adding this proven technology to the VPNs used within SD-WAN isextremely effective.

Microsegmentation through VPNs

Many people compare SD-WAN and VPNs as two separate options for establishing connections and transmitting data across systems. While they can be used in this way, secure SD-WANs actually use VPN solutions to ensure your data is safe while being transmitted across public networks. This is done using microsegmentation. 

The network will create virtual private networks based on the characteristics of the data that is being transmitted. This not only allows the network to establish a secure connection across the public Internet, but it also helps to keep your data separated internally. This which further minimizes the risk of compromising your data.

When an application needs to transmit data from one system to another, the SD-WAN system looks at what type of data it is, the application it is coming from, and any other factors configured. Based on this information, it will determine the best route for the data to take from the following options:

  • Fastest Route Possible – This is what most data uses. SD-WAN creates a virtual private network that may include both internal networks and the Internet. Data is kept safe using advanced security, while still being very fast, since it cuts out the need to route traffic to a centralized data center before going to its final destination.

SD-WAN Architecture (source)

  • Fastest Route Using Internal Networks – If certain types of data should not pass over the public Internet, SD-WAN can create a path from source to destination that only travels over the internal network. This will introduce some latency due to the added distance and other factors, but does add some additional layers of security.
  • System Defined Path – While rarely used, you can configure SD-WAN so certain types of data will only be transmitted over specific paths. This is often used for highly sensitive data that needs to use a dedicated circuit for both security and capacity. If this circuit is down, however, the transmission could fail unless a backup route is identified.

{{banner-3="/design/banners"}}

Integrated Next-Generation Firewall

SD-WAN networks natively support next-generation firewall technology. This is the third generation of firewalls that provide a front line of defense from unauthorized access. The next-gen firewalls are able to not only inspect the state of traffic entering or exiting the network, but also offer a variety of additional layers of security. 

In addition to all of the security features offered by traditional firewalls, next-generation firewalls can perform the following functions:

  • Application Awareness and Control
  • Secure Socket Layer (SSL) Inspection
  • Secure Shell (SSH) Control
  • Cloud-Delivered Threat Intelligence
  • Sandbox Integration
  • Intrusion Detection and Prevention through Integrated Intrusion Protection System (IPS)
  • Antivirus, Antimalware, Anti-Spam Support
  • Deep Packet Inspection (DPI)
  • Advanced Web Filtering

Example of Advanced Firewall Settings (source

Having the ability to use and manage next-generation firewalls natively will make it much easier for IT teams to secure the edge of the network. This can be done on both the physical and virtual network points, which is essential when using this type of modern networking solution.

Built with cloud integration in mind

One last thing to note about SD-WAN security is that it is designed specifically to integrate properly with cloud applications and infrastructure. One of the biggest benefits of an SD-WAN is that it allows remote offices to communicate directly with cloud systems, without having to first connect to an internal central office. As cloud services continue to grow in popularity, this helps companies that need a way to be able to efficiently access these services without compromising security.

There are a variety of SD-WAN security suites and options available on all major cloud services, including Amazon Web Services (AWS), Microsoft Azure, and more. Having the ability to confidently begin using cloud apps without making major modifications to your existing security profile is a huge benefit. The fact that this type of integration is natively possible with SD-WAN networking solutions makes it the obvious choice.

The specific configuration options that are used depends on a number of factors, including the networking hardware you are using, what type of data circuits are available, and to which cloud service you are connecting. One of the most common configurations includes using Cisco networking hardware to connect to the AWS cloud, which you can learn more about here.

Modern WAN Architecture With Multiple Integrations (source)

{{banner-sre="/design/banners"}}

Maintaining SD-WAN security

Perhaps more than any type of networking solution in the past, SD-WAN technology was built with security in mind. While this dramatically strengthens the native security profile of the network in a variety of ways, including those listed above, it does not mean your company can take a hands-off approach.

If you use SD-WAN solutions for your organization, your team must have an active role in developing and maintaining your network security strategy. This means implementing the right security configuration settings upfront and maintaining your security using constantly evolving best practices including compartmentalizing traffic, carefully choosing what data enters the public Internet, and more. 

Investing in the right team and tools to set up and maintain your SD-WAN security is essential for the long-term protection of your organization’s data. Experienced security professionals will ensure things like traffic encryption, threat intelligence, microsegmentation, and other proven strategies are always effectively implemented.

Chapters