The Security Capabilities of Software-Defined WAN
In our last post [Software-Defined WAN: Cheaper, Faster, More Secure], we discussed how software-defined WAN (SD-WAN) solutions enable you to reduce WAN cost and complexity while increasing performance, reliability and security. The software-defined component of SD-WAN lies in a smart centralized controller capable of differentiating and segmenting traffic and making routing decisions on the fly.
The WAN component is a hybrid architecture that can combine multiprotocol label switching (MPLS), broadband and even LTE wireless links.
Security is the top motivator for businesses.
Interestingly, an extensive worldwide SD-WAN survey by IDC found that “consistent security” is the top motivator identified by organizations considering SD-WAN adoption. “Price” and “reduced complexity” came in second and third, respectively. While SD-WAN is touted for its ability to create a more cost-efficient WAN infrastructure, the technology also enables organizations to evolve their security strategy to address the realities of WAN access today.
MPLS is expensive, but organizations have stuck with it, in part, because it’s secure. A properly configured MPLS connection creates a “virtual circuit” that’s not visible to third parties or the Internet. Virtual private networks (VPNs) can also be used to further secure site-to-site connections. In addition, service providers employ a variety of techniques to harden their routers and the customer’s premises equipment.
Greater Organizational Risks on the Open Internet
The Internet, by contrast, is the Wild West. Organizations that use broadband Internet links to connect branch locations run a far greater risk of a security breach.
That is, unless you encrypt the connection. SD-WAN makes it easier to set up a dynamic multipoint VPN using IP Security (IPsec), creating an end-to-end encrypted tunnel over broadband between branch locations and headquarters. Once traffic is encrypted, the underlying transport mechanism becomes less relevant. In fact, given that the network perimeter has become porous, every connection should be treated as untrusted and all traffic encrypted to protect sensitive data. SD-WAN facilitates that.
SD-WAN also enables network segmentation across the WAN. As the name implies, network segmentation divides the network into subnetworks, with the goal of controlling access to specific systems, applications and data. Sensitive corporate information can be isolated from common attack vectors such as guest Wi-Fi, Internet of Things (IoT) devices and business partner connections. Network segmentation also supports regulatory compliance and makes it possible to contain an attack within the smallest possible area.
It’s relatively easy to establish network segmentation in the LAN, but extending that to the WAN has traditionally been very difficult. SD-WAN, on the other hand, includes innate segmentation capabilities as well as the ability to enforce security, governance and compliance policies across multiple sites.
SD-WAN Can Help Mitigate Attacks More Quickly
If an attack does occur, SD-WAN can help the IT team find and mitigate it more quickly. Legacy WAN architectures provide very little visibility into the traffic moving across the network. You can’t secure what you can’t see, as the saying goes. SD-WAN by its nature provides application and network visibility. Best-in-class solutions also include advanced threat detection and prevention features to enhance security while reducing IT complexity at branch locations.
The GDS Next-Generation Connectivity (NGC) SD-WAN solution takes a layered security approach that incorporates antimalware protection, next-generation firewall and intrusion prevention, content filtering, and more. These tools work together seamlessly to prevent, detect and respond to attacks. Contact us to learn how NGC can help you improve WAN security and meet regulatory compliance requirements.