With so much enterprise network traffic now destined for the cloud, backhauling traffic across an expensive MPLS connection to a data center to apply security policy no longer makes sense. Software-defined WANs (SD-WAN) promise lower transport costs with direct, higher-performing connections to cloud and Internet resources. But what are the security implications of moving traffic off of private MPLS VPNs and onto public broadband links?
This article tackles these and many more questions around enterprise WAN connectivity options and the different types of SD-WAN implementations, along with their advantages and disadvantages.
Directly connecting branch offices to the cloud increases your exposure to malware and Internet-borne attacks, expanding your attack surface across many sites. If not adequately addressed, these risks could outweigh the cost and performance benefits of SD-WAN. Let’s take a look at the SD-WAN options for securing your sites.
There are a few SD-WAN options available. Each requires a different approach to branch security:
- Do it yourself (DIY): It’s possible to build and manage your own SD-WAN by deploying firewalling and unified threat management (UTM) capabilities yourself at each branch site. You can install separate physical appliances for each type of security you need or run the security tasks as virtual network functions (VNFs) in software. VNFs usually run in a special CPE appliance, but it may also be possible to run the VNFs in your branch router, depending on which router vendor you use.
- Telco managed SD-WAN services: This option mirrors the DIY approach above; however, a telco resells the needed SD-WAN appliances and software to you and manages the installation on your behalf. The SD-WAN setup is the same but lightens the load on your IT staff and reduces the need for specialized SD-WAN skill sets in-house.
- SD-WAN as a cloud service (“SD-WANaaS”) from a software-defined carrier (SDC): With this option, most SD-WAN functions run as a distributed, multi-tenant software stack in a global, private cloud maintained by your SDC. The provider integrates multiple levels of security into the network in the cloud, and your traffic traverses the SDC provider’s own IP backbone, avoiding the risk and best-effort performance challenges of the public Internet.
Let’s take a closer look at each approach.
SD-WAN solutions encrypt branch traffic in transit, but they don’t protect against Internet-borne threats such as malware. To tackle those risks, you’ll require an array of security functions: next-generation firewalling, intrusion detection and prevention (IDS/IPS), quarantining or otherwise deflecting detected malware, and web filtering.
Those security functions can be deployed as standalone appliances, as VNFs running on a vCPE, or as a secure web gateway (SWG) service. Regardless, your deployment becomes more complex, and your capital costs far exceed the cost of the SD-WAN appliances alone. Also, keep in mind that as traffic volumes grow, appliances and VNFs need more processing power to keep pace, which means periodic appliance hardware upgrades. And while an SWG inspects Internet-bound traffic, it doesn’t inspect site-to-site traffic, leaving malware free to move laterally once it has entered the enterprise.
By turning to a telco to install and manage your SD-WAN equipment, you alleviate the need for special SD-WAN skillsets in-house. The telco maintains the security edge devices and services; there’s no software patching, updating, and upgrading to worry about.
But at the same time, you’re left dependent on the telco. The telco is responsible for making network upgrades and changes, and this will often take far longer than if you had made those changes yourself. You’ll also pay more each month for all of the support and integration work offloaded onto the telco.
And you’re still left with the same technical limitations of an appliance-based approach. The telco must reflect all of the costs of designing and maintaining the security and networking infrastructure in its price to you. And as with the DIY approach, you’ll still need to periodically scale your appliances as traffic loads grow, further disrupting your IT processes and increasing costs.
Integrating SD-WAN with UTM by using a Software-Defined Carrier (SDC) is the simplest solution to deploy and manage and quite possibly the most secure.
Here’s why: When you use an SD-WAN-as-a-service, security is converged into the network and delivered from the cloud. You don’t have to concern yourself with scaling network security as your implementation grows. Your cloud provider has infinite, elastic resources at its disposal, far more than what a small appliance on your premises can handle.
Services offered by a complete fully-managed SD-WAN network provider
SDC services usually integrate the software for SD-WAN, IPsec, firewalling, and UTM into a single software stack. By collapsing multiple security solutions into one cloud service, the provider can enforce a unified policy across all your corporate locations, users, and data.
In addition, you will be running your traffic over a higher-grade IP network than the best-effort Internet. SDCs run their own Tier-1 IP backbones with service-level agreements (SLAs) attached to them. There are both security and performance benefits inherent in using the SDC’s network infrastructure compared to the Internet.
If your organization is short on SD-WAN or security expertise, DIY might introduce cracks into your WAN and leave you vulnerable. Complexity usually increases the potential for human error, which contributes to risk. If you subscribe to that philosophy, you’re better suited to the managed service or the as-a-service cloud approach.
If you’re anticipating growth, both in the number of sites and in per-site traffic volume, the cloud service is a better fit for your needs. It brings scalability to the table and provides extra security by transporting your traffic on a private IP backbone, which also offers a performance benefit compared to public Internet links.
The benefits of a secure SD-WAN, however you choose to achieve it, are many. You’ll reduce infrastructure and circuit costs while improving performance with direct-connected links to cloud and Internet resources. You just need to be sure the t’s are crossed and the i’s are dotted on security so you can enjoy SD-WAN’s many advantages with a clean conscience.