So you want to modernize your organization to capitalize on all the leading-edge advantages of the digital era, big data, cloud efficiencies, AI, leading business apps, and partner and customer relationship opportunities? Achieving this business IT transformation requires a strong dose of change management including a willingness to transition on-premises servers to the cloud and switching from Web browser-only services to mobile-friendly apps and sites that facilitate new and more distributed connections. However, these promising modern system architectures won’t pay off without high-performance, highly scalable yet affordable networks to support them. Hence, a move to modernize networks and utilize the cloud is under way.
Why is the cloud so important in network modernization and wide area network (WAN) optimization? The biggest advantage is it enables organizations to leverage what’s already out there (namely, flexible networks, high-value application infrastructures, multitenant shared services, and outsourcing opportunities) so you don’t have to build or invest in the WAN infrastructure yourself.
But the underlying technologies in today’s network infrastructure consist of a hodgepodge of components such as traditional IP routers, multiprotocol label switching (MPLS), and software-defined networking, all of which offer differing ways of transporting data, creating a massive amount of complexity for organizations and managed service providers alike.
MPLS is a network technique that directs data from one node to the next based on the quickest path instead of relying on referencing IP routing tables. But when it comes to security and traffic orchestration in the cloud, MPLS is not fast, flexible or straightforward, requiring branch office-to-Internet service requests to pass through a core network before being delivered. This creates additional traffic over expensive MPLS lines, a utilization that doesn’t take advantage of the whole agile and ubiquitous nature of today’s cloud-centric business model.
A different networking approach drawing attention is software defined wide-area network (SD-WAN). SD-WAN is a transport-agnostic overlay that can route any type of traffic (LTE, 3G and broadband, as well as traffic over private MPLS circuits). The SD-WAN approach provides a network management and control layer to orchestrate ‘backhaul offload’ and WAN optimization. It should figure in enterprise considerations when trying to achieve faster deployment timetables for branch enablement and realizing cloud benefits such as availability and cost. But, as SD-WAN starts to complement today’s private MPLS networks and traditional IP routing, organizations should also consider a number of security questions.
Don’t Forget to Modernize Security as You Modernize Your Network Strategy
Just as there are compelling reasons to modernize your system architecture, business computing methods and networks, there are also compelling reasons for modernizing network security.
As you shift from backhauling all or most of your traffic through the core network in favor of more direct branch to cloud pathways, you are potentially losing some elements of centralized network and security policy.
SD-WAN – as a central enterprise WAN-traffic controller from which to easily apply policies across all devices – is not a security technology, per se. It allows you to avoid the cost of backhauling traffic through the core network, but with that comes the challenge of implementing enterprise-grade security policy across a distributed network.
So what do you do? Do you trade off some security at the branches by plugging in an SD-WAN device that offers only basic protection? Or do you pay for truck rolls (i.e., technicians to install and configure edge devices at every office) and then bear with lengthy deployment cycles? Do you team up with a managed security provider?
This is where the notion of security as a service (SECaaS) and network service insertion from the cloud can come in handy. With a single network and security cloud, you or your managed service provider can simply throw the switch to deploy smart centralized network policy and security at the branch level, extended VPNs, and mobile outliers. This cloud-based security approach, while reducing vulnerabilities at the branches and among mobile/remote users, can also reduce deployment times by up to 91 percent.
Five Key Security Considerations for SD-WAN and Hybrid Cloud Networks
A new white paper from OPAQ discusses five security imperatives companies should keep in mind as they modernize their network infrastructure. A few of these important considerations are to:
- Modernize security as you modernize your network. SD-WAN is a modern transport system, but isn’t necessarily an advanced security system. Protect your digital assets and your information with security solutions such as next-generation firewalls and leading-edge endpoint protection.
- Secure your branches as you enable them. As you fortify distributed users with direct access to Internet information and apps, the implementation of advanced security doesn’t have to create long delays and siphon from productivity.
- Ensure that backhaul offload doesn’t open Pandora’s Box. Mitigate the risks of infection, costly viral lateralization attacks, and the compromising of sensitive data by passing any direct branch office-to-cloud traffic through an agile and virtual firewall and fully encrypted network. Easily segment your network to limit the spread of a cyberattack.
As you modernize your networks, make sure you protect your data, users and business reputation with a fully integrated solution that incorporates an encrypted software-defined network, next-generation firewall and endpoint protection capabilities that can be applied in a matter of minutes, long before that next truck roll.
Network modernization, like any wave of innovation, is multifaceted in its good intentions. It’s about rearchitecting your network so it is better able to handle increasing traffic and high-bandwidth-consuming apps such as video, ensure availability and quality of experience, flex for the delivery of new revenue-generating service offerings, and reduce network and application maintenance and overall costs.
The much ballyhooed yet still somewhat enigmatic cloud, with its highly virtualized and outsourced infrastructure, has already delivered some of this modernization by enabling organizations to offload some traffic from today’s predominantly hair-pinned and expensive MPLS-based WANs in favor of direct user access to Internet services. The cloud ecosystem offers other network modernization enablers such as shared service economies of scale, ready-to-leverage network capabilities such as automation, and transport independence (i.e., the ability to use broadband, LTE, Carrier Ethernet and MPLS “lines”).
Software-defined WANs (SD-WANs) could occupy a complementary network management and orchestration role to relieve some of the cost of (and dependence on) today’s rigid and expensive private networks. However, the path to network modernization is not all neatly wrapped and tied in pink ribbons, and uncertainty exists from a security perspective as well. Every time a user, whether stationed at one of your branch offices or remote, accesses the Internet directly he or she is potentially opening Pandora’s Box or letting sensitive data out. MPLS schemes require this sort of risky traffic to first pass through the core network for networking protocol and security application, which is a good thing, but at what cost? Traffic over MPLS lines can be dozens of times the Mbps/month cost versus broadband and the public Internet, so you want to orchestrate traffic in a way that reserves private lines for high-priority traffic and utilizes the public Internet for lower-priority interactions. Although SD-WAN may be ideal for this role and faster enablement of branch office and mobile workers through software-as-a-service, it is not an advanced security solution.
Advanced Security for SD-WAN and Cloud Networks
SD-WAN, which can empower organizations to exercise centralized SaaS control over traffic to and from the cloud and the WAN as a whole, poses some vulnerability issues. Centralized security is more difficult to administer when traffic isn’t backhauled to the data center or network hub, and malicious code and hacker schemes can more easily pass through to your distributed users undetected (north-south traffic).
What’s more, without the intervention of advanced security mechanisms, infections can more easily spread laterally – from user to user, system to system, and office to office (east-west traffic).
If you’re going to capitalize on the potential efficiencies of the cloud and SD-WAN controllers, you must first secure the egressing of traffic directly between the Internet and remote sites as well as protect against lateralization attacks. This can be accomplished through an advanced security solution designed for the cloud, which includes fully integrated next-generation firewall and endpoint protection as-a-service.
Secure Network Modernization Webinar
These and other topics will be explored during a webinar titled, “Avoiding the Security Pitfalls of SD-WAN and Network Modernization,” moderated by Security Now, and presented by Rik Turner, Principal Analyst, Ovum, and Ken Ammon, Chief Strategy Officer, OPAQ.
By attending this webcast, you will:
- Understand the top security vulnerabilities plaguing companies as they modernize their networks
- Learn how critical security vulnerabilities can be easily addressed with security-as-a-service
- Discover how cloud and automation are enabling companies to simplify their ability to modernize their networks and security
Here at OPAQ we believe that SD-WAN technologies hold great promise as a toolset for making more efficient use of high performance Internet connectivity. However, like many new technologies, SD-WAN solutions are being adopted by organizations and put into production before they’ve learned how to navigate the security pitfalls associated with them. We’re seeing these solutions get deployed in the field ways that compromise information security or introduce new vulnerabilities. It’s important that organizations approach SD-WAN armed with an understanding of how to do it right.
SD-WAN Solutions Can Introduce Vulnerabilities
Last month at the 35th annual Chaos Communication Congress, Sergey Gordeychik gave an excellent presentation covering attack surface areas and vulnerabilities in a variety of SD-WAN products. A number of these products have shipped with default passwords, cross site scripting and command injection vulnerabilities in their management interfaces, as well as vulnerable versions of cryptography protocols such as SSL. Gordeychik and his research collaborators published a set of tools and resources including a tool called SD-WAN Harvester that can automatically enumerate SD-WAN nodes on the Internet. Using this tool, they discovered thousands of SD-WAN systems with known vulnerabilities exposed to the open internet.
SD-WAN Solutions Can Route Around Security Controls
Many organizations are using high-performance MPLS links to backhaul Internet bound traffic from satellite offices to security centers where next-generation firewalls can inspect that traffic for threats. SD-WAN solutions are often introduced for the express purpose of reducing load on MPLS links. The introduction of SD-WAN can result in some internet bound traffic leaving directly from satellite offices without being inspected. Sometimes this occurs because users don’t understand how their SD-WAN has been configured. In other cases, this is done intentionally in order to reduce MPLS backhaul, with the problem being that the kind of security inspection that can be performed by the SD-WAN devices themselves usually doesn’t measure up to the capabilities of a full next-generation firewall, with important capabilities such as SSL decryption, application awareness, and dynamic threat intelligence missing. Regardless of the reason, the result is that important security controls are bypassed, opening up an avenue for malware to reach inside the organization.
Asking the Right Questions
OPAQ recommends that organizations which have adopted or are considering the adoption of SD-WAN ask themselves a set of questions about their approach:
- Assess Your Vendors: How security savvy are they? Do they have a good track record of responding to security vulnerability disclosures?
- Assess Your Deployments: Do your SD-WAN nodes have services listening on the open Internet? Have you changed the default passwords? How is access controlled?
- Assess Your Usage: Are you sending traffic from your users directly to the Internet in a way that bypasses your security controls? Do you have a way to monitor for changes that might introduce that sort of condition in the future?
OPAQ believes that our ability to provide next-generation firewall services from the cloud can help customers who adopt SD-WAN avoid making security compromises. OPAQ’s Security-as-a-Service can be deployed in conjunction with SD-WAN, enabling customers to bypass MPLS backhaul for Internet-bound traffic by sending that traffic to the OPAQ Cloud instead. Our network of regional Pods and peering relationships enable us to deliver that traffic to its destination with minimal latency while providing the full protection of our cloud hosted next-generation firewalls. This architecture provides a best-of-both-worlds WAN optimization solution in which high performance MPLS links are reserved for the most latency sensitive voice and video traffic while the whole organization remains protected behind the best security infrastructure available.
Read the white paper.