There is no doubt that SD-WAN has become one of the most widespread paradigm shift in the technology field over the past few years. Indeed, SD-WAN offers multiple advantages for enterprise WAN management, including the simplicity in traffic routing, lowered dependence on MPLS, and the cost-effectiveness through implementation on existing traditional WAN hardware. However, like all the widespread technological trends, security becomes the primary concern once the market reaches maturity.
In the early stage, adopters of SD-WAN implement this technology to enhance direct network access for branch offices, as it is highly difficult for traditional WAN architecture to accommodate mobile connectivity. SD-WAN also allows IT personnel to rout traffic through software instructions and reduce their dependence on MPLS.
In the current stage, SD-WAN is about to reach its market maturity due to the availability ZTP (zero-touch provisioning). SD-WAN vendors can offer configurability to their customers and all the requested software can be pre-installed onto a white-box hardware upon shipment. In fact, real-time software updates are available through network ports or management ports. In short, ZTP offers the unprecedented customization or integration of their vCPE networkhardware to address today’s sophisticated applications, such as VoIP, video conferencing, high-performance data transfer, mobile connectivity and multiple cloud management.
However, despite the technological advantages, SD-WAN presents new security considerations. There are evolved threats that can penetrate the SD-WAN architecture.
- External Threat – The use of public Internet in most of today’s SD-WAN deployments can easily attract potential attacks, such as DDoS in most cases.
- Internal Threat – Since SD-WAN is used an integration of multiple network and connectivity, it is possible that data is sent to malicious sources, like malware and spyware, through the public Internet, and this is frequently conducted internally.
Since SD-WAN is widely deployed to address the edges and multi-cloud applications, the primary concern is to implement a cross-cloud, universally compatible security solution that can interoperate with all the network environments under the same SD-WAN architecture. The following suggestions may provide some degree of relief, even though each SD-WAN deployment is unique on its own.
- A pre-configured white-box vCPE acts as firewall, IPS (intrusion prevention system), DPI (deep packet inspection), IPsec and traffic filter. The reason to choose a white-box hardware is to ensure the interoperability to implement a single security instruction without compatibility issue wherever it is deployed. Lately, leading SD-WAN vendors have implemented VNFs (virtualized network functions) as security measures across the service-chaining and network orchestration within a single SD-WAN architecture.
- Software-defined segmentation is currently one of the most common methods. SD-WAN is innately built with this visibility to rout and isolate certain traffic towards the networks where sensitive data is stored and exchanged, such as SaaS and IaaS. This can prevent the inception of confidential data from breach. In recent years, intent-based networking has been adopted to enhance the segmentation
- Cryptographic encryption for traffic can effectively secure SD-WAN architecture. However, crypto encryption/decryption process may compromise compute performance, as it consumes volume computing resources. Thus, it is necessary to have hardware-assisted crypto acceleration mechanism installed in the SD-WAN architecture.