Why You Need To Be Thinking About SD-WAN Security

If your organization hasn’t heard of a software-defined wide area network (SD-WAN) yet, it will soon. SD-WAN is an exciting, relatively new mainstream technology designed to help organizations manage WAN traffic to reduce costs, improve performance, and become more agile.

As with all new IT innovations, organizations will have to understand and mitigate the new risks and vulnerabilities the technology brings to their environments. Since security teams and IT decision-makers will need to understand SD-WAN and secure SD-WAN in the coming years, it’s an excellent time to begin examining some of the top questions they might have. To learn more about the topic, we interviewed Joe Hopp, Firewall & Technology Management Product Manager at Trustwave, whose areas of expertise include SD-WAN, next generation firewalls (NGFW), and identity-based security protocol (IDSP).

What is SD-WAN?

As a general overview, SD-WAN is a technology that helps organizations reduce their utilization of expensive links like multiprotocol label switching (MPLS) in favor of lower-cost connections like broadband or cellular, and dramatically simplifies WAN management. SD-WAN potentially produces enormous cost-savings since it will enable the IT department to reduce its dependence on more-expensive routing technologies and reduce WAN management overhead. In addition, it can help dramatically decrease workloads through automation.

“SD-WAN is a great option for many organizations since it abstracts the hardware layer for network teams,” said Joe. “So, what you’re looking at is gaining control of your operational costs on the network side by reducing hardware dependencies and having to go to each device and make WAN changes via CLI or scripting.”

With SD-WAN, organizations can route non-sensitive traffic and Software as a Service (SaaS) over the local public internet connection, thereby eliminating or reducing their reliance on expenses like MPLS – an attractive benefit driving increasing adoption of this technology.

“SD-WAN is still in a planning phase for many organizations,” Joe added. “The conversations are starting now – and the industry will see a very high implementation rate in the coming years. With our current situation, almost everyone is working from home, which has put enormous stress on VPN solutions. Many SD-WAN solutions can provide the same quality of service (QoS) to remote workers like those in your office locations while securing these communications.”

What type of organizations will benefit most from SD-WAN?

Will your organization benefit from the cost-savings SD-WAN promises? According to Joe, that depends on the number of locations, the number of users and your network traffic.

“SD-WAN will be of most benefit to larger organizations – or those with a large number of locations,” Joe said. “If you look at the traditional setup, your network might have been sending all of its traffic through an MPLS connection to a central data center or headquarters so you could inspect the traffic and manage it.”

But with SD-WAN, you can route that traffic locally, removing the need to centralize all of it back to one location. Depending on your technology and implementation, you might even be able to distinguish traffic on a user-by-user basis. So, the benefits for larger organizations – or those with a large remote user base – can really add up.

Specifically, business verticals that will most likely begin adopting this technology first include banking and finance, technology companies, and those with many locations, like retail operations.

“Over the years, banks have been embracing Voice over Internet Protocol (VOIP), video conferencing, and cloud document management software,” Joe said. “Due to the sensitive data, bank security and networking teams have routed all traffic through an MPLS or private link. VOIP and video conferencing generate a lot of traffic while the Software as a Service (SaaS) more than likely is not inspected by an intrusion detection and prevention system (IDPS) that only increases the private link’s cost. Taking advantage of SD-WAN to route that traffic through the local broadband connection will reduce MPLS costs anywhere from 30% to 60%.”

The cost benefits for large organizations can be even more substantial, since some next-generation firewall technologies provide network teams and security teams a single device for security and networking. Organizations with sites into the hundreds or thousands will save on buying all of those devices, while their network teams will be able to greatly reduce time spent on network changes – along with a reduction in potential for errors or outages.

What are the security vulnerabilities?

Because organizations are now moving things through their local links, they will be sending traffic through uncontrolled channels and local interfaces that could be unmonitored. Essentially, they are expanding their network perimeter to the point where there really is no perimeter anymore – and attackers have a vastly expanded number of entry points. 

“With SD-WAN implementation, organizations really need to start looking at protecting their locations in a different way. The emphasis needs to be on smarter, more proactive security solutions that allow them to realize the cost-savings without creating a whole new vulnerability area. Secure SD-WAN – with the emphasis on secure – will be a top priority for organizations.”

With an SD-WAN rollout, the best posture for an organization to adopt is proactive threat hunting. Since NGFWs are including SD-WAN capabilities in their platforms, your network and security considerations should become almost as one. Consider bundling that with solutions like managed security services (MSS), managed detection and response services (MDR) – and if an organization just needs help getting started, consider a consulting session with Trustwave.
