
Security of SD-WAN (Flaws and consideration points)

Is SD-WAN really secure? SD-WAN security is really necessary! Maybe we exaggerate a little, but security experts, especially those involved in telecommunications, should always be wary of anything connected to the Internet, and of every service delivered across it. That includes websites, email, cloud-based applications and, of course, WANs.

Unfortunately, the bad news is that the wild, unfettered Internet can indeed be a dangerous place; it's a good thing we have firewalls, unified threat management (UTM), intrusion prevention and detection (IPS/IDS) systems, strongly encrypted VPNs and endpoint security to protect us. The good news is that SD-WAN, one of the fastest-growing technologies for connecting branch offices, data centers, cloud services and remote locations, is perfectly safe.

It would be a big mistake to reject SD-WAN because of security concerns. While the explosive growth of SD-WAN is recent, the technology is the convergence of trusted VPN, data compression and traffic management technologies, all wrapped in slick cloud-based provisioning. But everything in life has its advantages and disadvantages, and SD-WAN is no exception!

Here is a list of some of the biggest mistakes in SD-WAN security, and how not to fall victim to them:

1. Failing to determine and deploy the SD-WAN solution architecture that fits your organization's risk profile:

The SD-WAN market is still relatively new, and not all SD-WAN solutions are created equal. It's important to select a solution whose security tools match the organization's specific needs. SD-WAN's basic security offerings alone are not sufficient for an organization, especially with the growing cybersecurity threats faced today.

Additional threat management and network security capabilities are usually needed, such as those found in secure web gateway services or in next-generation firewalls (NGFWs) with intrusion prevention, SSL inspection, web filtering and anti-malware protection.

2. Assuming that SD-WAN eliminates the need for other wide-area networking security and resilience best practices:

Explanation (WHY?): SD-WAN should not be viewed as a standalone solution. The technology needs to be subject to the same rigorous security standards as every other element of the IT infrastructure.

It's important to keep the software stack updated with the latest security patches. Being able to automate patching doesn't change the fact that modifications will be applied frequently.

3. Not having a consistent security posture:

Explanation (WHY?): Network security is only as strong as its weakest link.

SSL-encrypted traffic is now the majority of all Internet traffic. A failure to adequately proxy, decrypt and enforce organizational policy on this type of traffic in the branches increases the risk to the entire organization. Inconsistent enforcement weakens an organization's security posture. If a malicious user gains unauthorized access to a branch, it becomes a stepping stone for moving laterally, undetected, into the organization's main locations and exposing them to attacks or data breaches.

4. Not fully understanding which security features are built into the solution and which are missing:

It's easy for organizations to misjudge the specific security features a particular SD-WAN solution provides, especially when evaluating multiple solutions. As with most things in technology, if you don't fully understand a solution, it will likely cause more problems than it solves.

Not understanding which security features are part of a solution will often lead organizations to expose themselves to risks.

A missing security feature might not be detected until it's too late. For instance, companies that adopt an SD-WAN solution often move from centralized Internet egress in their primary data center, where their UTM (unified threat management) appliances reside, to a distributed Internet egress model. Most SD-WAN solutions only offer a simple, stateful firewall, which does not provide the same protection as the next-gen UTM that controls access in the centralized model. This oversight can place users in remote locations at risk, as well as the entire network. One unsecured entry point is all that's needed for a breach to happen!

"ONE-CLICK DEPLOYMENT!" Every vendor's marketing has focused on how easy it seems to be to deploy a remote branch office or bring up a connection to the cloud. And yes, in a fully greenfield environment I'd agree with this. BUT from experience and observation of real-world scenarios, working with companies that have multiple sites and mature legacy networks, you're going to face the same challenges you faced when you first deployed MPLS. Implementing an SD-WAN network means replacing your current network. Remember how long it took you to implement your last MPLS network? The design work and planning are key. Ask yourself: how do sites on the underlay network talk to the sites on the new SD-WAN network? How is traffic to be segmented? Is local Internet breakout going to be implemented, and how is it going to be kept secure?

Sufficient consultancy services need to be factored into any SD-WAN project, no matter how much control you want to keep in-house; these services will only help you achieve your SD-WAN goals.

Approaching SD-WAN security with a completely hands-off attitude can lead directly to trouble. Data, which may or may not be encrypted, travels across broadband Internet nodes operated by entities unknown to the company. This requires extra security checks and technologies to encrypt the data in transit across IP networks.
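The four mistakes listed above and the transit-encryption point just made can be turned into an automated check over a site inventory. The following is an added example, not code from the original post or from any SD-WAN vendor; the Branch fields, the minimum release and the sample sites are constructed, since every controller exports this information in its own format.

```python
from dataclasses import dataclass

# Constructed: the organisation's approved minimum SD-WAN software release.
MIN_RELEASE = (4, 2, 1)


@dataclass
class Branch:
    """One SD-WAN site as it might be exported from a controller (constructed fields)."""
    name: str
    release: str            # running software release, e.g. "4.1.0"
    local_breakout: bool    # Internet egress directly at the branch, not via the DC
    stateful_fw_only: bool  # only the vendor's built-in stateful firewall, no NGFW/UTM
    tls_inspection: bool    # SSL/TLS traffic is decrypted and policy-checked at the branch
    tunnel_cipher: str      # cipher protecting the overlay tunnel, "" if unencrypted


def parse_release(text: str) -> tuple:
    """Turn "4.10.2" into (4, 10, 2) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit(branch: Branch) -> list:
    """Return the article's risk points that apply to one branch (empty list = clean)."""
    findings = []
    if branch.tunnel_cipher.lower() in ("", "none", "null"):
        findings.append("overlay traffic crosses untrusted broadband nodes unencrypted")
    if parse_release(branch.release) < MIN_RELEASE:
        findings.append(f"release {branch.release} is below the patched minimum")
    if branch.local_breakout and branch.stateful_fw_only:
        findings.append("local Internet breakout guarded only by a stateful firewall (no NGFW/UTM)")
    if branch.local_breakout and not branch.tls_inspection:
        findings.append("encrypted web traffic leaves the branch without decryption or policy enforcement")
    return findings


def audit_all(branches: list) -> dict:
    """Map every site name to its findings; the DC with centralised egress should come back clean."""
    return {b.name: audit(b) for b in branches}


# Constructed sample inventory: one data centre and two branches with typical gaps.
SAMPLE = [
    Branch("hq-dc", "4.2.1", False, False, True, "AES-256-GCM"),
    Branch("branch-a", "4.1.0", True, True, False, "AES-256-GCM"),
    Branch("branch-b", "4.2.3", True, False, True, ""),
]

if __name__ == "__main__":
    for site, issues in audit_all(SAMPLE).items():
        print(site, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Running it reports branch-a for an outdated release, an unguarded local breakout and uninspected TLS, and branch-b for an unencrypted overlay, while the data centre passes.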
