Migrating to software-defined wide area networking (SD-WAN) comes with an improvement in security due to its inherent design. In order to maximize SD-WAN security, enterprises should be looking for features that secure the traffic SD-WAN manages and fit into a broader security policy governing the network.
Any time an enterprise migrates to SD-WAN, they can expect some improvement to network security, simply because it is centrally managed and offers policy-based administration of security policy. Any modifications to policy are rolled out through the centralized console: a vast improvement over the location router-based implementation of security configurations necessary with a traditional WAN. Enterprises often underestimate the number of updates necessary to the WAN, and the time-consuming nature of updates means that the network often goes unpatched for lengthy periods of time.
SD-WAN security is also superior due to traffic segmentation, allowing network professionals to direct traffic based on application and protocol, by user, or by region. This allows traffic to meet geography-based compliance requirements or block traffic that is identified as an anomaly that needs further examination.
Getting Beyond Basic SD-WAN Security
When evaluating SD-WAN options, look for security that has been integrated into the design of the solution, rather than one where features were added after it was developed. Because many enterprises intend SD-WAN to serve as or replace branch firewalls, security must be robust.
Firewalls: At minimum, enterprises must look for a basic stateful firewall, but next-generation firewalls that are context and application aware are a much better option. There should also be intrusion detection and prevention, as well as unified threat management and a secure web gateway system. If the SD-WAN endpoint can’t manage these features, there should be a capability to service chain with another appliance of cloud service.
Encryption: SD-WAN should offer encryption of data in motion between any set of endpoints in the data center, branch, or cloud. If the solution retains data internally, it needs to encrypt data at rest.
Keys: SD-WAN security must include a key management feature that is simple and integrates into a broader, enterprise-wide infrastructure. The enterprise should maintain the keys, even if the solution is through a managed services provider.
Platform Security Features: There should be platform security features included in an evaluation checklist for SD-WAN security. Look for trusted platform module (TPM) protection, as well as access control and authentication with the use of multi-factor authentication. Management channels should offer strong encryption and secure deployment through low- or no-touch features.
Enterprises also need to ensure that the solution fits neatly into a broader security ecosystem with security information and event management (SIEM) integration. The SD-WAN solution doesn’t handle the entire enterprise security spectrum, so it needs to fit into the existing infrastructure. Application programming interfaces (APIs) will be necessary for fitting the SD-WAN solution into a secure orchestration, automation, and response (SOAR) system.
IT teams have a lot to manage when it comes to SD-WAN security and choosing the right solution. Contact us at eXemplify for guidance in the SD-WAN selection process.