2022/03/01 Unified Communications & Networking Solutions
Ctelecoms
In recent years, most enterprises have turned to deploying SD-WAN technologies in their networks, since they provide a sustainable alternative to the high-latency hub-and-spoke network topology.
However, maintaining a high level of security is the main concern for any enterprise, especially after the recent attacks and breaches around the world that we have all heard about.
So, the question remains, how secure is SD-WAN really?
Organizations used to count on hub-and-spoke networks, which backhaul branch office traffic into a centralized datacenter directly through Multiprotocol Label Switching (MPLS), with remote users connecting through VPN.
Companies favored this approach in the past because of its centralized management and security, and that worked perfectly when applications were installed on desktops and datacenter servers.
However, the unbelievable growth of cloud computing and cloud applications is now overloading MPLS circuits, as every little action a user takes in a cloud application must send traffic through the following steps:
That’s a combination of extreme latency and bad user experience, and that’s something you don’t want when dealing with the cloud.
SD-WAN helps in that case by making the routing decisions for the traffic, based on factors such as priority policies and QoS settings.
It builds a mesh of network links flexible enough to connect directly to the internet, to other branches, or to the datacenter, depending on the applications being used, over a range of transport services that includes MPLS, LTE, and commodity broadband.
Since SD-WAN uses a mesh network topology, it can maximize application performance and reliability, and the flexibility of transport services helps lower IT costs. Additionally, an SD-WAN virtualized console still offers centralized management and visibility into these connections.
However, when talking about a security gap, we have to mention that the SD-WAN model breaks the existing centralized security inspection that enterprises usually build into their hub-and-spoke networks.
Today’s organizations tend to choose an architecture designed around the consolidation of data streams, having the traffic backhauled through a centralized “pipe” into the datacenter.
With this approach, organizations set up a single security inspection point along the traffic flow, which examines packets before they make it into the datacenter.
However, this method doesn’t really work when using SD-WAN because most of the traffic is moving outside the bounds of the datacenter perimeter.
When remote workers connect directly to the cloud, IoT devices, or any other internet resource, the traffic never reaches the inspection point.
If your IT team wants to take real advantage of SD-WAN's distributed networking model, then they must rethink the way that security controls examine traffic for malicious behavior and apply content security policies on the traffic.
And what if they don't? Then you have turned branch offices and remote workers into vulnerabilities and gateways for malicious users to take advantage of.
So, given SD-WAN's encrypted traffic capabilities, isn't it secure by default at initial deployment? That is true to some extent, but it is still not enough.
Of course, encryption adds a valuable layer of privacy and security protection, but it still takes added inspection and filtering defenses to detect and block malware, botnets, and other web threats attacking distributed SD-WAN traffic.
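The gap described above can be checked mechanically. The following added example (not from the original article or any vendor's product) evaluates a constructed, vendor-neutral SD-WAN path policy and lists the flows whose selected path never crosses an inspection point. The rule format, action names, first-match semantics, site names and application names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical egress actions -> does that path cross an inspection point?
INSPECTED = {
    "backhaul_dc": True,       # tunnel/MPLS to the datacenter inspection point
    "swg": True,               # steered through a secure web gateway
    "direct_internet": False,  # local breakout straight to the internet
}

@dataclass(frozen=True)
class Rule:
    site: str    # glob over site names
    app: str     # glob over application names
    action: str  # key in INSPECTED
@dataclass(frozen=True)
class Flow:
    site: str
    app: str

def select_action(rules, flow):
    """Return the action of the first matching rule (assumed first-match order)."""
    for rule in rules:
        if fnmatchcase(flow.site, rule.site) and fnmatchcase(flow.app, rule.app):
            return rule.action
    return None  # no rule matched this flow

def uninspected_flows(rules, flows):
    """List (flow, action) pairs that skip inspection; unmatched flows count too."""
    gaps = []
    for flow in flows:
        action = select_action(rules, flow)
        if not INSPECTED.get(action, False):
            gaps.append((flow, action))
    return gaps

# Constructed sample policy and flows (not taken from any real deployment).
RULES = [
    Rule("*", "erp", "backhaul_dc"),
    Rule("branch-*", "saas-crm", "direct_internet"),
    Rule("branch-*", "web-*", "swg"),
    Rule("remote-*", "*", "direct_internet"),
]
FLOWS = [Flow("branch-01", "erp"), Flow("branch-01", "saas-crm"),
         Flow("branch-02", "web-browsing"), Flow("remote-17", "web-browsing"),
         Flow("branch-02", "iot-telemetry")]
if __name__ == "__main__":
    for flow, action in uninspected_flows(RULES, FLOWS):
        print(f"{flow.site:10} {flow.app:14} -> {action or 'no matching rule'}")
```

Flows reported here are the ones that need a secure web gateway or another inspection control in their path; a flow with no matching rule is reported as well, since its handling is undefined.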
When talking about secure web gateways, we are talking about visibility, control, and flexibility that an enterprise needs to deploy effective SD-WAN security.
Secure web gateways are web filters that protect outbound user traffic by inspecting for:
Secure web gateways offer traffic inspection for remote users, even through SD-WAN connections.
This type of protection initiates routing through secure web gateway infrastructure thanks to endpoint agents installed on mobile and branch office user devices, allowing efficient filtering even on distributed networks.
Additionally, secure web gateways typically centralize visibility across all users and devices into a single dashboard. In most instances, this can be integrated into a broader security portfolio that includes other traditional inspection technologies.
As you can see, there is a security gap that you might miss when deploying SD-WAN, but you can easily hack your way around it with secure web gateways. As for deploying this technology into your network, Ctelecoms, being a Cisco partner, provides full support for Meraki SD-WAN users. Let us support you with more info at:
https://www.ctelecoms.com.sa/L123/SDWAN