What are the options for securing SD-WAN?

A key component of SD-WAN is its ability to secure unreliable Internet links and identify anomalous traffic flows.

SD-WAN technology providers are continuing to increase their native security features and to create robust ecosystems of network-security partners.

IT managers should consider their branch network security requirements and carefully evaluate the security capabilities of leading SD-WAN providers, including their native security features and their partnerships with network security providers.

Branch network security threats

Network security is a constant concern for IT professionals, and surveys indicate the problem is getting worse. Security at the branch is a challenge due to the increased number of devices, including PCs, tablets, phones, point-of-sale devices, and IoT endpoints, that are attached to the branch network. All of these endpoints provide new opportunities for malware to infect the corporate network and for hackers to access important data. Branch security concerns are exacerbated by the lack of trained IT/security staff at remote locations and the complexity of managing multiple security appliances, including IP VPNs, IDS/IPS, and firewalls.

An additional challenge for branch security is the requirement to coordinate security efforts across the entire network. Security systems at the branch need to talk to endpoint security products and campus/data center network security systems. Traffic at the branch should be inspected, and any suspect traffic flagged there can then be analyzed by centralized or cloud-based security systems. Ideally, branch security systems will become fully automated and employ cloud-based intelligence.

SD-WAN security capabilities

The SD-WAN market is highly competitive with several dozen suppliers. A key selling factor for SD-WAN is its ability to enable organizations to leverage low-cost Internet circuits as secure business-class links. Network security is a key differentiating factor in SD-WAN technology, and each supplier has its own unique methods for securing traffic flows and identifying “safe” sites.

Almost all SD-WAN providers now offer basic firewall capabilities as a standard product feature. They employ packet identification to understand traffic flows. For example, is the traffic going to or coming from a trusted location or cloud-based service? Additional features include content filtering, endpoint identification and management, and policy-enforcement capabilities.

SD-WAN suppliers are actively courting leading network security suppliers – Palo Alto, Zscaler, Check Point, and Fortinet among them – to integrate their SD-WAN technology with next-generation firewall and UTM functionality. This integration between SD-WAN and best-of-breed network-security suppliers needs to be streamlined to guarantee high performance and low latency because traffic handoffs between applications can impact latency. The goal is to provide granular traffic inspection and effectively whitelist cloud