Your SD-WAN Solution is Not Secure!

By Ben Ferguson | September 5, 2019 | SD WAN


Setting up your next-gen branch offices without thinking about security is like taking two pieces of string and trying to fashion a full suit with them: simply put, you’re going to end up with a myriad of gaping holes.

The main difference between the two situations in the analogy above is an obvious one – while you can still survive wearing a two-stringed suit (albeit quite the fashion statement), a business can be absolutely crippled forever due to one singular security vulnerability.

As this article will reveal, it can be very easy to be swayed by the marketing tactics of SD-WAN vendors, which focus on the many benefits of software-defined networking while downplaying the very real security issues. But any IT decision maker worth their salt will know that lip service only goes so far, and a stout security posture is absolutely vital to any business’ sustained success and safety.

By nature, the topic of cybersecurity makes people less secure. No one wants to hear that they have clear vulnerabilities or a large surface area of attack, especially if you’ve already put considerable time and money into fortifying your network. The reality is, though, that every

By bringing the Shamrock Consulting Group on board, we can together go through the fine details and make sure your business and its data are fully secured.

The Benefits of SD-WAN Deployment

Businesses are naturally being tempted into using SD-WAN due to the many benefits on offer.

One of the big selling points is the reduced cost of transport. SD-WAN reduces the reliance on expensive private circuits by selecting the most cost-effective route for data moving between your branch offices and into the cloud.

Then there are speed and reliability benefits which come from smart load balancing technology. In effect, the network looks ahead at areas of potential congestion and switches data routing accordingly, prioritizing those applications which need real-time support.

With real-time processing and more reliable connectivity, a business has greater agility, both in serving its existing user base and in the areas of both application and service development. Global collaboration becomes easier and more reliable. With no backhauling of data to a central office, customers and remote workers alike can get instant access to digital resources such as cloud-based SaaS applications.

Then there’s the single pane of glass management through which workloads can be tracked, routing policies can be updated and new branch offices brought online centrally without any time-consuming local provisioning. This frees up resources which can be redeployed to areas of IT which add value (e.g. DevOps, strategy, etc.)

These are all good things…

Except somebody probably forgot to mention security. Or, they spouted off a bit about IPsec encryption and hoped that would be the end of the conversation.

It shouldn’t be.

After all, it is the business owner who is responsible for what happens with the data they are entrusted with. Consider again that the whole point of SD-WAN technology is to reduce reliance on high-cost private MPLS circuits and to instead allow software to plan the fastest connection using a mixture of routes: MPLS, public broadband, cellular, etc.

If the word ‘public broadband’ hasn’t raised any red flags for you, it’s high time that it did.

Then there is also the fact that, with multiple paths from A to B, it becomes difficult to track where data resides and who is responsible for it at any one point.

Security Brushed Under the Carpet

Marketing success and complexity don’t make natural bedfellows.

Although the best of the 60+ SD-WAN vendors on the market do include robust next-generation security provision, many haven’t integrated security deeply enough into their products. After all, there are no formal standards. We’re still in the ‘wild west’ era of SD-WAN development.

Businesses without in-house expertise (or quality consultation provided by a top-rated company such as Shamrock Consulting Group) are typically fed lines about IPsec encryption without realizing that this only covers branch-office connectivity and works only at the network level.

Data routed to the cloud, especially via public broadband, is exposed to the full range of risks inherent in any non-private connection.

Marketers don’t like to talk about this because it’s complicated, and complexity reduces conversion rates.

For businesses using standalone SD-WAN products, this means adding another layer of security on top of your SD-WAN deployment. Not only does this require expertise and resources to implement, it also risks impacting the performance savings that SD-WAN inherently delivers.

Take SSL processing, for instance. Three-quarters of the internet now uses SSL encryption which, unlike IPsec, works across multiple levels of the OSI stack. To properly inspect SSL-encrypted traffic, it needs to be diverted to an SSL proxy, decrypted and then subjected to policy rules.

This is a time-consuming — but critical — process. After all, SSL prevents espionage and man-in-the-middle attacks between the branch and the public internet. Bolting on SSL inspection could reduce the efficiency of your data routing. It can also present scalability and adaptability issues.

Then there’s firewall provisioning. Did you previously survive with one edge device at your main data center? Once you have a distributed SD-WAN architecture you will need to consider the gateway security at each of your branches. Many devices only offer a basic stateful firewall with limited threat detection abilities. So-called next-generation firewalls (NGFWs), on the other hand, will give you deep packet inspection (DPI) and intrusion detection/prevention (IDS/IPS) capability.

Whatever gateway device you install will need to be kept updated by promptly applying security patches. It only takes one branch to be neglected for a hacker to infiltrate the network through a vulnerability. They can then attack your business laterally, and IPsec encryption won’t help you there.

Other high-level security features that are not native to SD-WAN include URL filtering, application inspection and content-specific controls.
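The gap described in the last few paragraphs, traffic that stays inside the IPsec overlay versus internet-bound traffic that breaks out locally and depends on whatever the branch gateway offers, can be checked mechanically. The following is an added example, not Shamrock code or any vendor's API: a small posture audit over a constructed inventory of branches and flows. The branch names, the field names, the firmware baseline and the sample data are all assumptions made up for illustration. It also shows one practical edge case: gateway firmware versions must be compared numerically, since a plain string comparison ranks "9.9.0" above "9.10.1" and would miss a lagging branch.

```python
# Added example (not Shamrock code): audit branch gateways for the gaps the
# article describes. All names, fields and values below are constructed.
import re
from dataclasses import dataclass

# Assumed patch baseline for the gateway firmware (placeholder value).
MIN_FIRMWARE = "9.1.4"

# Destinations that stay inside the IPsec overlay between SD-WAN edges.
OVERLAY_DESTINATIONS = {"branch", "datacenter"}


@dataclass(frozen=True)
class Branch:
    name: str
    firmware: str
    firewall: str            # "stateful" or "ngfw"
    tls_inspection: bool     # SSL/TLS proxy in the path for internet-bound flows
    url_filtering: bool


@dataclass(frozen=True)
class Flow:
    branch: str              # originating branch
    destination: str         # "branch", "datacenter" or "saas"
    underlay: str            # "mpls", "broadband" or "cellular"


def parse_version(version: str) -> tuple:
    """Turn '9.10.1' into (9, 10, 1) so versions compare numerically.
    A plain string comparison would rank '9.9.0' above '9.10.1'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def in_overlay(flow: Flow) -> bool:
    """Site-to-site traffic rides the IPsec overlay whatever underlay carries it
    (broadband included); SaaS/internet traffic breaks out locally and leaves
    that protection, so the branch gateway's own controls are all that apply."""
    return flow.destination in OVERLAY_DESTINATIONS


def audit_branch(branch: Branch, flows: list) -> list:
    """Return a list of findings for one branch; an empty list means no gaps."""
    findings = []
    if parse_version(branch.firmware) < parse_version(MIN_FIRMWARE):
        findings.append(f"firmware {branch.firmware} below baseline {MIN_FIRMWARE}")
    breakout = [f for f in flows if f.branch == branch.name and not in_overlay(f)]
    if breakout:
        if branch.firewall != "ngfw":
            findings.append("internet-bound traffic leaves the IPsec overlay "
                            "but only a stateful firewall inspects it")
        if not branch.tls_inspection:
            findings.append("no TLS inspection: encrypted internet-bound "
                            "traffic is never subjected to policy rules")
        if not branch.url_filtering:
            findings.append("no URL filtering on local internet breakout")
    return findings


def audit(branches: list, flows: list) -> dict:
    """Map each branch name to its findings."""
    return {b.name: audit_branch(b, flows) for b in branches}


def weakest_branches(report: dict) -> list:
    """Branches with findings, most findings first: one neglected branch is
    enough for an attacker to get a foothold and move laterally."""
    return sorted((name for name, f in report.items() if f),
                  key=lambda n: -len(report[n]))


# Constructed sample inventory and flows.
BRANCHES = [
    Branch("hq", "9.1.6", "ngfw", True, True),
    Branch("branch-east", "9.1.4", "ngfw", True, False),
    Branch("branch-west", "9.0.12", "stateful", False, False),
]
FLOWS = [
    Flow("branch-west", "datacenter", "broadband"),   # in overlay, still protected
    Flow("branch-west", "saas", "broadband"),         # local breakout
    Flow("branch-east", "saas", "broadband"),
    Flow("hq", "saas", "mpls"),
]

if __name__ == "__main__":
    report = audit(BRANCHES, FLOWS)
    for name in weakest_branches(report):
        print(name)
        for finding in report[name]:
            print("  -", finding)
```

With the sample data, hq comes back clean, branch-east has a single URL-filtering gap, and branch-west collects four findings: it is below the patch baseline and sends SaaS traffic straight out over broadband with nothing more than a stateful firewall in front of it. The datacenter flow from branch-west over broadband raises nothing, because it rides the IPsec overlay regardless of underlay, which is exactly the distinction the IPsec sales pitch tends to blur.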

Business owners and CTOs can’t afford to be blasé about information security. Just because some SD-WAN vendors have failed to design their products with security in mind, doesn’t mean you should follow suit. In this age of sophisticated cybercriminals and tightening data protection regulations, you simply cannot afford to treat security as an afterthought.

You, or your trusted consultants, will need to find out exactly what security is included with your SD-WAN software of choice. If next-gen UTM software is integrated and can be centrally administered, you won’t have to worry about diverting resources to branch security management.

The Value of Managed SD-WAN Services

At this point you might be wondering whether a managed (i.e. outsourced) SD-WAN service is potentially the best option. These services generally do offer security advantages over standalone products with next-generation firewalls, intrusion detection systems and application layer controls all deployed as integrated virtualized network functions (VNFs) on the same instance as your SD-WAN.

However, it is important to always trawl through the fine details and to check the reputation of the managed SD-WAN vendor. You also have to check whether outsourcing security to a third party is acceptable under your compliance arrangements, particularly if the MSP is located overseas. Some certifying bodies require that sensitive data be 100% under a business’s control, while all international data protection regulations insist that any third party must apply the same security and privacy standards when processing sensitive data.

Don’t Leave Security to Chance: Speak with an SD-WAN Expert at Shamrock

If this is starting to give you a headache, that’s okay. The subject matter is admittedly dense.

One thing you can do, though, is talk to a security expert at Shamrock before making any decisions regarding SD-WAN deployment. We partner with all the leading SD-WAN vendors and are experienced in helping enterprise businesses find the network solution they need.

While we guarantee the best price on any product from any provider, we prioritize security and know exactly what questions to ask of your vendor, whether you use an ‘out-of-the-box’ product or sign up for a managed service. If you are already hooked up to an SD-WAN service, we can check that your existing security arrangements are sufficient.

With Shamrock at your side, you can have confidence that your SD-WAN solution is as secure as can be and there are no unpleasant experiences waiting around the corner.

Ben Ferguson


Ben Ferguson is the Vice President and Senior Network Architect for Shamrock Consulting Group, an industry leader in digital transformation solutions. Since his departure from Biochemical research in 2004, Ben has built core competencies around cloud direct connects and cloud cost reduction, enterprise wide area network architecture, high density data center deployments, cybersecurity and Voice over IP telephony. Ben has designed hundreds of complex networks for some of the largest companies in the world and he’s helped Shamrock become a top partner of the 3 largest public cloud platforms for AWS, Azure and GCP consulting. When he takes the occasional break from designing networks, he enjoys surfing, golf, working out, trying new restaurants and spending time with his wife, Linsey, his son, Weston and his dog, Hamilton.