October 24, 2022

Evolving your SD-WAN security for a cloud-first world

Traditional SD-WAN security has consisted of encryption and IPsec tunnels with support for VPNs and stateful firewalls – but it still relied on corporate firewalls and perimeter-based centralised security to be robust enough for enterprise applications. The historical argument was that SD-WAN was no less secure than traditional WAN technologies, and the primary drivers for SD-WAN initially were focused on cost, flexibility and agility. Securing data in transit was seen as enough, given the investments in centralised security and the default architecture of funnelling all traffic back through the data centre. This included traffic that was destined for the cloud.

This data-centre-centric view has quickly become obsolete, though, with the rise of cloud services, hybrid cloud architectures, and the impact of the hybrid workplace shift. Now users need to connect from any device, in any location, to any app in any location – cloud or on-premises. Traditional SD-WAN security isn’t enough for securing enterprise workloads over such a widely distributed network.

To enable this shift, security needs to move from the data centre to the edge and the cloud – effectively making the data centre just another endpoint in your network architecture.

Understanding the problem

Encrypting SD-WAN traffic in transit prevents your data from being read or tampered with once it leaves your network, but it does nothing about traffic that is already malicious before it enters the tunnel – e.g. a user forwarding an email carrying ransomware to a co-worker. An IPsec tunnel delivers that payload to the far end just as faithfully as it delivers legitimate traffic.

When you then consider that moving from the data-centre-centric, hub-and-spoke architecture to a meshed architecture adds a widely distributed set of internet gateways, one at each remote location, you realise how quickly the potential attack surface grows. In the hub-and-spoke model, a compromised branch office router at worst gives an attacker access to the traffic between that branch and the data centre, and even then the centralised firewall still sits in the path to inspect and block any attempt to extract that data.

With SD-WAN appliances connected directly to the internet, however, a compromised appliance gives attackers visibility into every flow passing through it, including traffic that now breaks out locally to the internet – and with no centralised firewall in that path, data can be extracted without being detected.

Instead, you need to shift security to the edge.

One option is to send all traffic to a cloud-hosted security service for scanning before it continues to its destination over the WAN. However, this is just a slight variation on the data-centre-centric model, with the cloud service replacing the data centre as the choke point. Some traffic will still be destined for the data centre, or for trusted and secure IaaS locations, so relying on cloud-hosted security alone isn't the best solution.

Alternatively, you could deploy firewalls at every remote location. A key advantage of SD-WAN is that it's application-aware, so it knows where app traffic needs to go; to preserve that, the branch firewalls would have to be next-generation firewalls that are also application-aware, allowing or denying traffic based on its characteristics – not just source and destination IP addresses. However, a next-generation firewall at every site quickly gets expensive and cumbersome to manage, so this isn't the best solution either.

A smarter security solution is needed for SD-WAN. One that can take advantage of that application awareness to enable intelligent, granular traffic steering: traffic for applications hosted in your data centre goes directly to your data centre; trusted SaaS traffic like Microsoft 365 goes directly to the provider's cloud service; and all other internet-bound traffic goes to a cloud-hosted security service first.

Unifying security at the edge

Advanced secure SD-WAN solutions have emerged to fill this gap. Solutions like Aruba EdgeConnect incorporate next-generation firewall capabilities, fine-grained segmentation with identity and role-based access control, anti-spoofing, attack detection and protection, DDoS defence and IDS/IPS. This allows organisations to deploy quickly and simply without compromising security.

These solutions leverage the flexibility offered by SD-WAN virtual overlays combined with firewall capabilities, providing security across the LAN, the WAN, and into the cloud. With these advanced solutions, network administrators can:

  • Create zones and restrict access between zones to segment the network based on identity and role
  • Detect and prevent intrusions and DDoS attacks
  • Perform deep packet inspection and filter packets based on applications
  • Monitor the full state of active network connections
  • Secure connections through data encryption
  • Tightly integrate with security functions best performed in the cloud, such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA)
  • Log security events.
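To make the policy concrete, here is an added example that models the two ideas on this page: the identity and role-based zone segmentation in the list above, and the application-aware steering described earlier (data-centre traffic over the IPsec overlay, trusted SaaS such as Microsoft 365 direct, everything else via a cloud-hosted security service). It is illustration only, not Aruba EdgeConnect code or configuration, and every zone name, prefix, role and SaaS domain in it is constructed.

```python
"""Constructed model of a secure SD-WAN branch policy: role-based zone
segmentation first, then application-aware traffic steering.
Added illustration only; not Aruba EdgeConnect code or configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str            # zone of the source VLAN/interface
    src_role: str            # role assigned by identity (e.g. 802.1X/RADIUS), not by IP
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None   # TLS SNI, used to identify the application


# Destination zones by prefix (constructed); anything unmatched is "internet".
ZONE_PREFIXES = [
    (ip_network("10.0.0.0/8"), "datacenter"),
    (ip_network("192.168.200.0/24"), "iot-controller"),  # branch-local segment
]

# Zone matrix: roles allowed from a source zone to a destination zone.
# Any pair that is absent is denied, so e.g. the "iot" zone can never reach
# the internet or the data centre regardless of what the device requests.
ZONE_POLICY = {
    ("users", "datacenter"): {"employee", "admin"},
    ("users", "internet"): {"employee", "admin", "contractor"},
    ("iot", "iot-controller"): {"camera", "sensor"},
}

# Trusted SaaS domains steered straight to the provider (constructed list).
TRUSTED_SAAS_SUFFIXES = ("office365.com", "office.com", "sharepoint.com")

EVENT_LOG: List[dict] = []   # security events, one dict per decision


def dst_zone(ip: str) -> str:
    addr = ip_address(ip)
    for net, zone in ZONE_PREFIXES:
        if addr in net:
            return zone
    return "internet"


def is_trusted_saas(sni: Optional[str]) -> bool:
    """Match on label boundaries so 'notoffice.com' or
    'office.com.attacker.example' are not treated as Microsoft 365.
    SNI is client-supplied; a real deployment should corroborate it with the
    provider's published endpoint address ranges before steering direct."""
    if not sni:
        return False
    host = sni.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SAAS_SUFFIXES)


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason). Actions: deny, dc-tunnel, local,
    direct-internet, cloud-security-service."""
    zone = dst_zone(flow.dst_ip)
    # 1. Segmentation: default deny across zones unless the role is permitted.
    if flow.src_role not in ZONE_POLICY.get((flow.src_zone, zone), set()):
        reason = f"{flow.src_zone}->{zone} not permitted for role {flow.src_role}"
        EVENT_LOG.append({"action": "deny", "flow": flow, "reason": reason})
        return "deny", reason
    # 2. Steering, only for flows that passed segmentation.
    if zone == "datacenter":
        action, reason = "dc-tunnel", "enterprise app, IPsec overlay to data centre"
    elif zone == "iot-controller":
        action, reason = "local", "stays on the branch LAN"
    elif flow.dst_port == 443 and is_trusted_saas(flow.sni):
        action, reason = "direct-internet", f"trusted SaaS {flow.sni}, local breakout"
    else:
        action, reason = "cloud-security-service", "untrusted internet, inspect first"
    EVENT_LOG.append({"action": action, "flow": flow, "reason": reason})
    return action, reason


if __name__ == "__main__":
    samples = [
        Flow("users", "employee", "10.1.2.3", 445),
        Flow("users", "contractor", "10.1.2.3", 445),
        Flow("users", "employee", "203.0.113.10", 443, "outlook.office365.com"),
        Flow("users", "employee", "203.0.113.20", 443, "notoffice.com"),
        Flow("iot", "camera", "192.168.200.5", 8554),
        Flow("iot", "camera", "203.0.113.10", 443, "outlook.office365.com"),
    ]
    for f in samples:
        print(f"{f.src_zone}/{f.src_role} -> {f.dst_ip}:{f.dst_port} {f.sni or ''}: {decide(f)}")
```

Two design points are worth noting. Segmentation is evaluated before steering, so a camera in the IoT zone is denied before any question of local internet breakout arises, which is what "reach only destinations consistent with their role" means in practice. And the trusted-SaaS match works on label boundaries because SNI is chosen by the client; a real appliance should also check the destination against the provider's published address ranges rather than trusting the hostname alone.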

This secure SD-WAN fabric approach provides comprehensive edge-to-cloud security, tightly integrated with leading cloud-hosted security providers to deliver on the principles of SASE and zero trust.

It delivers broad security services – deep packet inspection, intrusion prevention, DDoS protection, and application and access control through identity-based policies – together with event logging.

It helps simplify operations with advanced WAN capabilities, zero touch provisioning, zero touch configuration, and automation for integration and single-click deployment with public cloud.

Aruba EdgeConnect Enterprise also helps secure IoT devices using micro-segmentation. With its next-generation firewall capabilities it goes beyond what SASE defines, implementing zero trust network segmentation – based on identity and role-based access control – so that users and IoT devices can only reach the network destinations consistent with their role in the business.

For more information on Aruba EdgeConnect SD-WAN features check out this infographic.

The bigger picture

SD-WAN doesn't exist in a bubble; it is part of your broader network architecture, including LAN, switching and branch solutions. So SD-WAN security also needs to be thought of as part of this bigger picture. As a long-term platinum partner of Aruba, and the current National Partner of the Year, Data#3 has the specific product knowledge and expertise to guide you and help you optimise your network performance and security.

Contact one of our networking specialists today.