Blog » SD-WAN Security: The promise of Multidimensionality
The pace of software-defined wide-area networks (SD-WANs) developments continues to accelerate for several reasons. Not only in terms of commercial adoption, but also in the scope of services supported.
One area that has undoubtedly fueled this growth is the integration of powerful security capabilities. In order to fully understand the impact of security services on SD-WAN implementation, in 4Q 2019, Heavy Reading, in collaboration with Amdocs, Fortinet, Lavelle Networks, and Nuage Networks, created and fielded a comprehensive SD-WAN security-focused survey designed to provide granular insights into the state of SD-WAN security services.
This webinar provided a readout of several key survey findings. Topics addressed included:
SD-WAN security service implementation timeline and anticipated growth metrics
SD-WAN security service integration models
Location preferences for deploying SD-WAN security services
Specific security service implementation priorities
Implementation challenges as well as service differentiation opportunities
Security VNF orchestration preferences
The role of analytics to enhance SD-WAN security service delivery
Shyamal Kumar Founder and CEO Lavelle Networks, shared insights on Deployment Location Preferences, Branch Considerations based on our customer experiences. The survey highlighted SD-WAN Security Service implementation priorities like virtual Firewall, Intrusion Prevention, Packet Filtering, DDoS protection, etc., which is extremely important to important for 69% of the respondents. This trend is seen among Lavelle Networks customers as they are moving away from MPLS and more towards broadband adoption model, the idea of centralized security is fading away, and there is more and more demand of SD-WAN edge security. While this transition is happening, it is often confusing for enterprises to wisely choose the Security Services that will be the best fit given their network requirements. This is where picking the right set of security solutions becomes crucial as we are in an era of customizations and the concept of one size fits all is long gone from the enterprise world.
SD-WAN for Enterprise Apps (95-100%), very less/negligible internet facing traffic (5-10%)
Enterprise Apps (50%), wisely chosen SaaS like Office 365, Salesforce, GSuite, etc (50%)
Internet based traffic (80-90%), negligible enterprise traffic (10-20%)
The first category where branch traffic is almost 100% enterprise traffic, and the internet is just bandwidth medium, customers are comfortable turning on the firewall, packet filtering, and application control.
The second category of customers using enterprise apps and some carefully chosen Large enterprise SaaS apps like Office 365, Salesforce, etc., which are fairly protected services.
The third category of customers is having more internet facing traffic and hence, it makes more sense to have advanced protection with a secure SD-Branch deployment.
Irrespective of these categories and many more that might exist based on various parameters and perspectives, since the internet is being used as a WAN transport medium, it is vital to have basic security like firewalls which validates the intent of traffic.
While it is crucial to have security services integrated with SD-WAN, one should not forget that the fundamental promise of SD-WAN was to improve performance and lower cost, and that is kind of hard to do at the same time. And this came out evidently in the survey.
“Based on “major challenge” responses, the top three areas of concerns revolve around the performance implications on devices when security capabilities are added (27%), lack of security certification for devices (25%), and the diverse set of devices that must be secured (19%).
When the “challenge” responses are added to those three inputs, it equates to a range of 70%, 58%, and 56% of respondents anticipating significant challenges associated with deploying SD-WAN security services in the branch office.”
As seen in the below figure, all the standard SD-WAN security services fared well based on the level of “extremely important” and “important responses.” However, looking at the “extremely important” responses, three capabilities stand out. The highest-ranked of these is the ability to utilize SD-WAN security policies to steer applications to multiple scanners based on specific application requirements (38%).
We believe the high ranking of this capability highlights the realities and challenges associated with moving to an application-centric cloud. Very close behind at 37% is signature-based detection in SD-WAN devices. This is significant because it not only confirms that devices remain an area of concern for end-users, it also reinforces that CSPs are looking for any unique attack identifiers that can help with the detection of future attack vectors.
The third-ranked advanced capability is branch-specific. In this case, the focus is on applying SD-WAN security policies in the branch to first ensure the devices and applications in the branch are fully compliant to the clouds they will run in (32%).
This is where one has to leverage the flexibility of steering anything anywhere provided by SD-WAN architecture, like the ability to utilize SD-WAN security policies to steer applications to multiple scanners based on specific application requirements. Security is a complex space and with SD-WAN customers can take certain traffic to a certain cloud platform and examine it for threats, this approach helps the edge be high performing device and inspection happens in the cloud or any other place in the infrastructure. Device performance becomes very important, as most of the customers we are working with use a lot of handheld in their networks, and the ability to see what is happening to all these different devices in your network becomes extremely important, especially when you are upgrading software and patches. And SD-WAN is crucial to deliver a lot more software capabilities like these as it is not proprietary hardware-based anymore.