Adopting SD-WAN Shouldn’t Mean Compromising Your Security

Here at OPAQ we believe that SD-WAN technologies hold great promise as a toolset for making more efficient use of high-performance Internet connectivity. However, like many new technologies, SD-WAN solutions are being adopted by organizations and put into production before those organizations have learned how to navigate the security pitfalls associated with them. We're seeing these solutions deployed in the field in ways that compromise information security or introduce new vulnerabilities. It's important that organizations approach SD-WAN armed with an understanding of how to do it right.


SD-WAN Solutions Can Introduce Vulnerabilities

Last month at the 35th annual Chaos Communication Congress, Sergey Gordeychik gave an excellent presentation covering attack surface areas and vulnerabilities in a variety of SD-WAN products. A number of these products have shipped with default passwords, cross-site scripting and command injection vulnerabilities in their management interfaces, and outdated, vulnerable versions of cryptographic protocols such as SSL. Gordeychik and his research collaborators published a set of tools and resources, including a tool called SD-WAN Harvester that can automatically enumerate SD-WAN nodes on the Internet. Using this tool, they found thousands of SD-WAN systems with known vulnerabilities exposed to the open Internet.


SD-WAN Solutions Can Route Around Security Controls

Many organizations use high-performance MPLS links to backhaul Internet-bound traffic from satellite offices to security hubs where next-generation firewalls inspect that traffic for threats. SD-WAN solutions are often introduced for the express purpose of reducing load on those MPLS links, and a common side effect is that some Internet-bound traffic leaves a satellite office directly, without ever being inspected. Sometimes this happens because users don't understand how their SD-WAN has been configured. In other cases it is done intentionally to cut MPLS backhaul, the problem being that the inspection an SD-WAN device can perform on its own usually doesn't measure up to a full next-generation firewall: capabilities such as SSL decryption, application awareness and dynamic threat intelligence are missing. Whatever the reason, the result is the same: important security controls are bypassed, opening an avenue for malware to reach inside the organization.


Asking the Right Questions

OPAQ recommends that organizations which have adopted or are considering the adoption of SD-WAN ask themselves a set of questions about their approach:

  • Assess Your Vendors: How security savvy are they? Do they have a good track record of responding to security vulnerability disclosures?
  • Assess Your Deployments: Do your SD-WAN nodes have services listening on the open Internet? Have you changed the default passwords? How is access controlled?
  • Assess Your Usage: Are you sending traffic from your users directly to the Internet in a way that bypasses your security controls? Do you have a way to monitor for changes that might introduce that sort of condition in the future?
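The "route around security controls" problem described above and the last question in this list (do you have a way to monitor for Internet-bound traffic that bypasses inspection?) both come down to one check: for every flow leaving a branch edge, did it exit toward the hub firewall or straight onto the Internet? The following is an added example written for this post, not OPAQ code and not any SD-WAN vendor's API. The flow export format, the interface names (`mpls0`, `tun-hub1` for inspected paths, `wan1` for direct Internet), the internal address ranges, the sample flow records and the two policy snapshots are all constructed for illustration; a real deployment would feed it NetFlow/IPFIX exports from the edge and its own IPAM data.

```python
"""Flag Internet-bound branch traffic that left an SD-WAN edge without
passing through the hub next-generation firewall.

Added example; not OPAQ code or any vendor's API. The export format,
interface names, address ranges and sample records are all assumptions
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Address space that is never Internet-bound (constructed; load from IPAM in practice).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Egress interfaces on the branch edge whose traffic reaches the security hub:
# the MPLS backhaul and an overlay tunnel to the hub NGFW (names assumed).
INSPECTED_EGRESS = {"mpls0", "tun-hub1"}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    egress: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed export format:
    '<timestamp> <src> <dst> <dport> <egress-interface> <bytes>'."""
    ts, src, dst, dport, egress, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), egress, int(nbytes))


def is_internet_bound(dst: str) -> bool:
    """True when the destination lies outside the organization's own address space."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in INTERNAL_NETS)


def find_bypass(lines: Iterable[str]) -> List[Flow]:
    """Return Internet-bound flows that exited via an uninspected interface."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_internet_bound(flow.dst) and flow.egress not in INSPECTED_EGRESS:
            flagged.append(flow)
    return flagged


def bypass_bytes_by_interface(flows: Iterable[Flow]) -> Dict[str, int]:
    """Aggregate bypassed bytes per uninspected interface, for an alert threshold."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.egress] = totals.get(f.egress, 0) + f.nbytes
    return totals


def policy_drift(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Return application classes whose steering policy moved from an inspected
    path to an uninspected one between two snapshots ({app_class: egress}).
    Catches the configuration change before the flows start."""
    return sorted(app for app, path in after.items()
                  if path not in INSPECTED_EGRESS
                  and before.get(app) in INSPECTED_EGRESS)


# Constructed flow records from one branch edge; the 198.51.100.0/24 and
# 203.0.113.0/24 documentation ranges stand in for public Internet destinations.
SAMPLE_LOG = """\
2019-01-15T10:01:02Z 10.20.1.15 198.51.100.44 443 tun-hub1 48213
2019-01-15T10:01:05Z 10.20.1.22 198.51.100.7  443 wan1     12034
2019-01-15T10:01:07Z 10.20.1.15 10.1.5.10     445 mpls0    8800
2019-01-15T10:01:09Z 10.20.1.30 203.0.113.9   80  wan1     2200
""".splitlines()

# Constructed policy snapshots: a later change steered SaaS traffic straight out wan1.
POLICY_BEFORE = {"voice": "mpls0", "saas": "tun-hub1", "web": "tun-hub1"}
POLICY_AFTER = {"voice": "mpls0", "saas": "wan1", "web": "tun-hub1"}

if __name__ == "__main__":
    bypassed = find_bypass(SAMPLE_LOG)
    for f in bypassed:
        print(f"BYPASS {f.ts} {f.src} -> {f.dst}:{f.dport} via {f.egress} ({f.nbytes} bytes)")
    print("bytes per uninspected interface:", bypass_bytes_by_interface(bypassed))
    print("apps steered away from inspection:", policy_drift(POLICY_BEFORE, POLICY_AFTER))
```

Run against the constructed records, the first flow is Internet-bound but exits through the hub tunnel and is not flagged; the third is internal SMB traffic over MPLS; the two `wan1` flows are the ones that never saw the firewall. The policy diff reports `saas` as the class that drifted. The useful property is that the check is independent of whatever inspection the edge claims to do: it only asks which interface the packets left on.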

OPAQ believes that our ability to provide next-generation firewall services from the cloud can help customers who adopt SD-WAN avoid making security compromises. OPAQ’s Security-as-a-Service can be deployed in conjunction with SD-WAN, enabling customers to bypass MPLS backhaul for Internet-bound traffic by sending that traffic to the OPAQ Cloud instead. Our network of regional Pods and peering relationships enable us to deliver that traffic to its destination with minimal latency while providing the full protection of our cloud hosted next-generation firewalls. This architecture provides a best-of-both-worlds WAN optimization solution in which high performance MPLS links are reserved for the most latency sensitive voice and video traffic while the whole organization remains protected behind the best security infrastructure available.

Read the white paper.