As Software Defined Wide Area Network (SD-WAN) has grown in popularity with businesses, it has been increasingly used to connect public and hybrid cloud services to the enterprise network and secure home-based teleworking. This brings its own security risks. Roque Lozano, Vice President of IP & Optics for Middle East and Africa at Nokia, explains how it is surprisingly straightforward to distribute a centralised approach to security in an SD-WAN.
When SD-WAN was first introduced, how was it adopted by businesses and how is that changing?
In its first iteration, it was adopted by many enterprises for branch connectivity, especially where costly IP/MPLS leased line services had been deployed. It continued to evolve as enterprises embraced the cloud and Software-as-a-Service.
Today, SD-WAN is increasingly used to connect public and hybrid cloud services to the enterprise network, to support direct access to Software-as-a-Service (SaaS) from any branch, and to meet the emerging need for secure teleworking from employees’ homes.
An important impact of SD-WAN is the changing security needs of the more distributed, open relationship between the LAN, WAN and cloud that has emerged as enterprises embark on Digital Transformation.
Traditionally, branch offices connected to the Internet and public clouds via a centrally managed connection point (firewall) at the business’s head office. Protecting every branch office, each with its own subtle differences in employee type and application usage, proved inefficient and expensive. With SD-WAN, public cloud and SaaS, there’s a growing need for branches to securely ‘break out’ to the Internet directly to access business applications. This local breakout can significantly improve SaaS application response times over the more traditional approaches via head office connections.
How easy is it to ensure a Software Defined Network (SDN) is secure?
A key principle of SDN is the use of a centrally managed policy engine that is the authoritative point for all network, business and security decisions in the wide area network. This is a major change from traditional IP WANs where individual routing elements were programmed one by one. To make a change in the traditional network an operator would need to connect and change the running configuration at each of the branch locations.
With SD-WAN’s centralised approach these manual tasks are removed, as is any localised access to the running configurations at the branch. The only system in the SD-WAN that can effect a change is the policy engine. This means no console or remote access to the branch routers is allowed, which instantly increases the security of the enterprise network.
SD-WAN also supports service-chaining directly into the service path to and from each branch. This allows enterprises to implement either centralised or on-premise (inside the SD-WAN gateway device) virtualised network functions (VNFs), such as firewalls. These provide flexibility to implement the exact security framework the business requires with enhanced visibility and control over the traditional approach, which used multiple network appliances at the branch.
How is Digital Transformation driving the changes in SD-WAN security?
Gartner is predicting that the WAN Edge and network security markets will converge into one over the next decade, driven by enterprise Digital Transformation – including the mainstreaming of cloud-based IT. Gartner refers to this as Secure Access Service Edge (SASE).
From this standpoint, any endpoint is equal to another. It could be an enterprise campus, a branch office or a Multi-Edge Computing (MEC) function that supports localised Artificial Intelligence (AI), Machine Learning (ML) or analytics functions, in support of an automated process. Security policies for a specific service instance can be spun up at any single or multiple WAN access points using appropriate security functions.
What other trends are pushing the shift to a SASE model?
The need to protect the network from known threats and to identify new threats in real or near-real time. In traditional perimeter security models, enterprises relied on databases of identified threats to configure firewalls. Practices show certain kinds of attacks, like DDoS and malware, can infect machines inside and outside the network from malicious insiders. Once inside, perimeter security will never see them.
How are newer security models spotting anomalies?
Newer models of security use AI/ML to spot anomalies, which construct a model of normal behaviour on the network, as well as on the WAN connection. Deviance from the norm triggers a threshold alert requiring investigation by a human being; if the anomaly is identified as normal, AI/ML security analytics ‘learns’ to ignore it. Otherwise, it’s treated as a threat.
This makes the security system more sensitive to context. The model of normal behaviour for a branch might be different from head office, a data centre or an MEC running a local IoT network. SD-WAN can virtualise, distribute and run these analytics functions, providing embedded security for any endpoint.
Ideally, local enterprise anomaly detection is integrated with Security-as-a-Service (Sec-aaS) to track globally known threats, while monitoring the WAN for anomalies based on behaviour models in the larger network. Anomalous behaviour picked up on an enterprise endpoint can be correlated to awareness at a global level of a current DDoS attack, which can then direct the appropriate enterprise SD-WAN or SASE function to isolate or remove infected traffic in real-time.
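The detection loop described in the answer above (a per-endpoint model of normal, a threshold alert, human investigation, and the system learning to ignore confirmed-benign deviations) is illustrated by the following added example. It is not code from the original interview or from Nokia; the endpoint names, the two telemetry metrics, the 30-minute histories and the z-score threshold are all constructed assumptions chosen to make the context-sensitivity point: the same traffic burst is anomalous for a small branch but ordinary for head office.

```python
"""Context-aware anomaly detection over per-endpoint WAN telemetry.

Added illustration: per-endpoint baselines, z-score threshold alerts and an
analyst feedback loop. All telemetry below is constructed sample data.
"""
import statistics
from dataclasses import dataclass, field

# One record = one minute of traffic for one endpoint: (outbound_mb, unique_destinations)
METRICS = ("outbound_mb", "unique_destinations")


@dataclass
class Alert:
    endpoint: str
    sample: tuple
    zscores: dict


@dataclass
class ContextualDetector:
    threshold: float = 3.0     # |z| above which a metric is outside the endpoint's norm
    tolerance: float = 0.10    # relative closeness to a confirmed-benign pattern to suppress
    baselines: dict = field(default_factory=dict)
    benign_patterns: dict = field(default_factory=dict)
    confirmed_threats: list = field(default_factory=list)

    def fit(self, endpoint, history):
        """Build this endpoint's own model of normal: mean and spread per metric."""
        columns = list(zip(*history))
        self.baselines[endpoint] = [
            (statistics.mean(col), statistics.pstdev(col) or 1e-9) for col in columns
        ]

    def zscores(self, endpoint, sample):
        """How many standard deviations each metric sits from the endpoint's norm."""
        base = self.baselines[endpoint]
        return {name: (v - mu) / sd for name, v, (mu, sd) in zip(METRICS, sample, base)}

    def _matches_benign(self, endpoint, sample):
        # A deviation an analyst already cleared is ignored if the new sample is within
        # tolerance of the cleared pattern on every metric ("learns to ignore it").
        for pattern in self.benign_patterns.get(endpoint, []):
            if all(abs(v - p) <= self.tolerance * p for v, p in zip(sample, pattern)):
                return True
        return False

    def evaluate(self, endpoint, sample):
        """Return an Alert if any metric exceeds the threshold, else None."""
        if self._matches_benign(endpoint, sample):
            return None
        z = self.zscores(endpoint, sample)
        if any(abs(v) > self.threshold for v in z.values()):
            return Alert(endpoint, sample, z)
        return None

    def feedback(self, alert, benign):
        """Analyst verdict: benign deviations are remembered, threats are recorded."""
        if benign:
            self.benign_patterns.setdefault(alert.endpoint, []).append(alert.sample)
        else:
            self.confirmed_threats.append(alert)


# Constructed 30-minute histories: a branch pushes ~50 MB/min to ~20 destinations,
# head office ~500 MB/min to ~200 destinations.
HISTORY = {
    "branch-01": [(50 + m % 5, 20 + m % 3) for m in range(30)],
    "head-office": [(500 + 10 * (m % 7), 200 + m % 9) for m in range(30)],
}


def demo():
    """Run the loop once and report which samples raised alerts."""
    det = ContextualDetector()
    for endpoint, history in HISTORY.items():
        det.fit(endpoint, history)

    burst = (500.0, 200.0)                       # same burst seen at two endpoints
    branch_burst = det.evaluate("branch-01", burst)
    hq_burst = det.evaluate("head-office", burst)

    backup = det.evaluate("branch-01", (80.0, 20.0))   # nightly backup at the branch
    det.feedback(backup, benign=True)                   # analyst clears it
    repeat = det.evaluate("branch-01", (82.0, 21.0))    # next night: suppressed

    return {
        "branch_burst": branch_burst is not None,   # True: anomalous for a branch
        "hq_burst": hq_burst is not None,           # False: normal for head office
        "backup_first": backup is not None,         # True: flagged for investigation
        "backup_repeat": repeat is not None,        # False: learned to ignore
    }


if __name__ == "__main__":
    print(demo())
```

The baseline is deliberately per endpoint rather than global: a fleet-wide threshold would either miss the branch burst or drown head office in false positives. The feedback step records the cleared pattern rather than folding one outlier into the mean, so a single benign event does not widen the endpoint's notion of normal for everything else.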
How will SASE change the way security models work?
These new security models are in the works with efforts on multiple fronts. Even Gartner has called out that SASE is a five- to 10-year technology journey, and an architectural framework for implementation, not a product.
The bets, however, at this point are that perimeter security as we know it today needs to adapt to the more ‘direct to cloud’ nature of SaaS and public cloud use at the branch, and the combination of SD-WAN and SASE is the strongest option available today.
What should enterprises take into account if they are considering using an SD-WAN?
Enterprises considering SD-WAN should be thinking beyond branch connectivity and pure bandwidth cost savings. They need to rethink the function of the network for their business and adopt a universal network fabric that connects employees regardless of location (in the office, at home, on the road) to their business applications, regardless of their location (on-premises data centre, in the cloud, in multiple clouds).
SD-WAN is the go-to technology to enable enterprises to manage their digital transformation, along with their user, network and application security, with much greater simplicity, scalability and flexibility. When enterprises evolve their IT environment for the future, SD-WAN should be at the top of the priority list.