SD-WAN security explained

June 25, 2020  |  Ericka Chickowski

This blog was written by a third party author and does not reflect the opinions of AT&T.

What is SD-WAN?

Software-defined wide area networking (SD-WAN) is a distributed networking approach that provides organizations a sustainable alternative to high latency hub-and-spoke network topologies.

How SD-WAN supports network performance

Legacy hub-and-spoke networks backhaul branch office traffic to a centralized data center directly through MLPS dedicated lines, with remote and home-based workers connecting through VPN. Organizations of the past favored this model for its centralized management and security, which worked reasonably well in an era when all applications were installed on the desktop or data center servers.

But the rapid proliferation of cloud applications and services overload MPLS circuits, as every little action a remote user takes in a cloud application must send traffic:

  1. First to the data center,
  2. Then out to the cloud
  3. Back through the data center again, and finally
  4. Out to the user again at the end of the trip.

It's a recipe for extreme latency and poor user experience, and a huge blocker to maximizing cloud benefits.

SD-WAN helps solve this pain point by enabling branch office and remote users to connect directly to the internet when the need for such a direct link is warranted. SD-WAN is essentially software that makes intelligent decisions on how to route traffic, based on factors like priority policies and QoS settings. It builds out a mesh of network links that have the flexibility to connect directly to the Internet, to other branches, or to the data center, based on the application being used, using a range of transport services that include not only MLPS, but also commodity broadband services and LTE.

Secure web gateway service

Fully managed web and Internet security for SD-WAN, mobility and cloud.

Learn more

The security gap with SD-WAN

The mesh networking topology of SD-WAN maximizes application performance and reliability, and the flexibility in transport services helps bring down IT costs. Additionally, an SD-WAN's virtualized console still offers centralized management and visibility into all of these connections.

However, the SD-WAN model breaks the existing centralized security inspection that most organizations have built into their hub-and-spoke network architectures.

How your network security approach should change

Many of today's security architectures are designed around the consolidation of data streams that happens when an organization backhauls traffic through a centralized 'pipe' into the data center. Using tools such as traditional premises-based firewalls, organizations set up a single security inspection point along that traffic flow, which examine packets before they make it into the data center.

This method of traffic filtering proves ineffective in an SD-WAN architecture because so much traffic is moving outside the bounds of the data center perimeter. When remote workers connect directly to the cloud, to IoT devices, and to other Internet resources, that traffic never crosses the traditional inspection point.

Demystifying SD-WAN and security controls

If security teams want to safely take advantage of the performance and cost benefits from SD-WAN's distributed networking model, they must rethink the way that their security controls examine traffic for malicious behavior and apply content security policies. Otherwise their remote users and branch offices become multiple, distributed Achilles heels for their cybersecurity posture.

IT decision-makers must keep this in mind as they listen to sales pitches about SD-WAN's inherent security benefits. One of the big misconceptions about SD-WAN today is that due to its encrypted traffic capabilities it is secure by default at initial deployment. While that encryption offers a valuable layer of privacy and security protections, it takes added inspection and filtering defenses to detect and block malware, botnets, and other web threats attacking distributed SD-WAN traffic.

All of this means that security inspection capabilities need to move to the network edge, rather than solely filtering in front of data center connections. At the same time, they need to be flexible enough that they can work seamlessly with existing traditional security mechanisms. This is because there will still remain plenty of traffic flowing directly to corporate HQ, and there's no reason to completely rip and replace the premises-based protections already defending that part of the network.

Where secure web gateways fit in

Secure web gateways offer the security visibility, control, and flexibility that organizations need to achieve effective SD-WAN security. Offered as hardware, software, or virtual appliances, secure web gateways are web filters that protect outbound user traffic by inspecting it for:

  • Malware and zero-day attacks
  • Restricted content based on corporate policies
  • Data loss of personally identifiable information or sensitive corporate IP

Secure web gateways can inspect traffic from remote users, even through SD-WAN connections. This protection is typically facilitated by endpoint agents installed on mobile and branch office user machines, which triggers routing through secure web gateway cloud infrastructure for filtering that works even on distributed networks.

Additionally, secure web gateways typically centralize visibility across all users and devices into a single dashboard. In most instances, this can be integrated into a broader security portfolio that includes other more traditional inspection technology.


Why can't premises-based firewalls inspect and filter SD WAN traffic?

Legacy firewalls depend on traffic being backhauled into the data center—which creates a latency nightmare for cloud applications. The direct-to-cloud connections established by SD-WAN improve application performance but demand a different security inspection method.

Aren't SD-WAN networks secure by default?

While SD-WAN architecture makes it easy to encrypt distributed traffic and centralizes network administration of that traffic, there is no default security inspection built into it. Organizations must add security inspection and filtering to protect against threats targeting SD-WAN traffic.

How can cloud-native secure web gateways improve SD-WAN security?

Cloud-native secure web gateway protection inspects and filters SD-WAN traffic for malware, botnets, and other web threats no matter where a user is located or how their traffic is routed.

Share this with others