Think Your SD-WAN Solution is Secure? Think Again


Digital transformation is about much more than moving workflows to the cloud and adopting IoT. It is about retooling the entire network, from the data center to the branch office to mobile devices, to make it faster and more efficient, flexible, and cost-effective. That, in turn, drives the development of things like agile software and application development, and the rethinking of things like remote user and device access to network resources.

Because networks have become so expansive and interconnected, and businesses rely on real-time information to make critical decisions, organizations can no longer afford for branch offices to function as tiny satellites attached to, and dependent on, a remote, centralized network. Instead, today’s cloud-enabled branch offices need to be able to manage and track workflows directly, process transactions at digital speeds, and easily participate in global collaboration. Most importantly, they need to provide end users with instant access to digital resources, whether those resources are located in a central data center, in the cloud, on a local server, or on a remote or mobile device.

SD-WAN addresses the challenges of distributed organizations by extending the power and resources of today’s network to the next-generation branch office. It provides real-time access to distributed resources and ensures the optimal performance of the business applications and workflows that today's digital businesses depend upon.

The need for SD-WAN security

As organizations adopt and deploy these new infrastructures, however, each additional ecosystem brings with it its own set of unique security challenges, many of which traditionally isolated security solutions simply do not have the span of control to address. This is part of the reason why, according to a recent Gartner survey, 72% of executives see security as their biggest SD-WAN concern. Compounding the problem further, SD-WAN is often implemented by network teams that get so caught up in the efficiency and productivity benefits that they don’t even consider security until after an SD-WAN solution has already been selected and deployed.

Unfortunately, SD-WAN vendors don’t make it any easier. There are well over 60 different SD-WAN vendors in the market today, and while nearly all of them claim to provide some security, the vast majority only support IPsec VPN and basic stateful inspection. Given the cybersecurity challenges organizations face today, these tools are nowhere near enough to protect a branch from attack. As a result, most organizations end up having to add additional layers of security after they have already deployed their SD-WAN solution.

The challenges of adding security to SD-WAN after deployment

To address the limited security embedded in most SD-WAN solutions, organizations are forced to consider how to add security to an existing deployment. But in today’s world where complexity is just as much a challenge as performance, advanced security can no longer be added as an afterthought. And yet, that is exactly what most vendors end up recommending. Generally speaking, bolting on an external firewall or deploying additional networking gear loaded with IPS or other security tools is simply not as secure as the security that has been deployed across the rest of the network. For example, SD-WAN security capabilities are generally restricted to basic Layer 3 controls, while advanced—and critical—Layer 4 to Layer 7 capabilities, such as URL filtering, application inspection, and content-specific controls are not provided.

Implementing security as an overlay is also increasingly challenging as many organizations simply do not have the IT resources needed to deploy, implement, fine tune, and manage these additional security elements—especially when deployed at a remote branch office. In addition, many of the legacy security solutions organizations try to add to their SD-WAN deployment have a difficult time adapting to today's dynamically shifting and highly elastic SD-WAN architectures.

In such an environment, the complexity of weaving security into an SD-WAN solution by hand introduces unnecessary overhead and risk. Simply handing off traffic inspection to an entirely separate security solution can also create challenges for latency and time-sensitive applications and workflows. And things like scalability and adaptability can be severely compromised by the inherent limitations of security devices that were just never designed for today's environments.

The power of a native Secure SD-WAN solution

In today’s interconnected environments, with new threats that can span multiple attack vectors, security can’t afford to be a collection of piecemeal solutions operating in isolation. For a security solution to meet the demands of an SD-WAN architecture, it needs to share many of the same design tenets, including speed, agility, flexibility, and scalability. In practice, that means SD-WAN and security need to be as tightly integrated as possible.

Just as important, security also needs to be part of your original SD-WAN planning so that it can be thoroughly integrated into the SD-WAN functionality, as well as into and across other security tools, to better detect and prevent today’s advanced threats. Deploying SD-WAN that has been fully integrated into a robust security solution means that the full range of essential security functionality can occur at digital speeds, including:

  • Native NGFW functionality, including IPS inspection, flexible and scalable VPN, anti-malware, web filtering, sandboxing, and high-performance SSL inspection designed for SD-WAN environments
  • Centralized collection, correlation, and analysis for all threat intelligence
  • Consistent security deployment and protection across all interconnected ecosystems
  • Deep integration between all security elements for advanced threat detection
  • Automated synchronization between security elements regardless of where they are deployed
  • Continuous threat assessment to ensure the network is able to see and respond to the latest threat vectors
  • Dynamic threat response that automatically leverages all relevant security technologies to address threats wherever they occur, and at digital speeds.

And because nearly three-fourths of network traffic is now SSL-encrypted—and because the massive amount of processing power SSL inspection requires cripples nearly every NGFW solution on the market today—relying on bolted-on solutions to inspect encrypted traffic forces organizations either to forfeit the performance advantages of their SD-WAN deployment in favor of security, or simply not to inspect traffic adequately.

Finally, true native management of remote VPN connectivity allows organizations to maintain appropriate levels of security protection and inspection, and to ensure high levels of visibility and control not only for data and applications passing through the SD-WAN environment, but also for those that span the entire distributed network.

Summing up

The SD-WAN vendor community has not only done a poor job of integrating adequate and meaningful security, it has also not made it easy to integrate a comprehensive security framework into its solutions. This mistake not only puts organizations implementing unsecured SD-WAN at higher risk; the process of bolting on security after the fact—often using legacy security tools that were never designed for the complexities of an SD-WAN deployment—also creates unnecessary complexity and overhead, increasing total cost of ownership and undermining much of the value of deploying an SD-WAN strategy in the first place.

Implementing consistent security without compromising SD-WAN performance and functionality is critical. This means any secure SD-WAN solution not only needs to provide industry-leading protection and performance, but must also integrate across hybrid, multi-ecosystem networks without adding complexity to overall security visibility, management, and orchestration.

Read more about the Fortinet Security Fabric and the Third Generation of Network Security

Read more about how Fortinet’s security-first approach to SD-WAN continues to gain momentum.