Integrated end-to-end security in your SD-WAN deployment

Malevolent actors are continuously looking for ways into your network. While SD-WAN brings major benefits in terms of flexibility, scalability and agility, it can also open up new vulnerabilities around the network and applications. Integrated end-to-end security must therefore be a priority.

Enterprises should not underestimate the challenge in securing an SD-WAN implementation. SD-WAN connects an enterprise’s management platform and routers to the Internet. With direct Internet access (DIA), data traffic does not have to go through an enterprise’s data center, where security has traditionally been centralized. In other words, the enterprise no longer has total control of the data journey. Thus, securing a software-defined network requires knowledge and expertise to ensure data and applications stay as safe as possible.

Getting security right from the start

Some SD-WAN vendors have yet to evolve their security offerings as part of their portfolios. In these cases, security capabilities are only offered in the cloud and not available on-premise as well. As a result, SD-WAN security can end up being an enormous challenge for in-house security teams who may not have the skills required.

Enterprises should instead look for SD-WAN solutions that incorporate security by design. Examples include Cisco SD-WAN (powered by Viptela) and Cisco Meraki. Here, firewalls, intrusion prevention systems (IPS), and URL filtering are integrated directly into the platforms. It is vital for enterprises to fully understand their SD-WAN’s security capabilities and ensure they deliver end-to-end security.

Consistent security policies are paramount

Direct cloud connectivity opens up the threat vista to malware and other Internet-borne threats. By re-architecting an enterprise network to adopt SD-WAN, it is imperative to have consistent security policies across branches, clouds and users. Micro-segmentation in the SD-WAN overlay, for example, can help to create policies to limit traffic between workloads in a zero trust approach. Zero trust is an approach to security that requires the verification of every person or device trying to access the network, irrespective of location.

Overall, the SD-WAN landscape is still a work in progress regarding strong WAN and cloud edge security. It is therefore paramount that enterprises assess the security features their SD-WAN vendor is offering. Many still only offer basic firewall and VPN capabilities, for example. Major security holes often include intrusion protection on VPN connections and cloud security features. In addition, with threats coming from the application level, firewalls need an enhanced security level that can identify rogue content and applications.

This analysis will allow enterprises to identify any gaps and what additional solutions are needed to plug them. However, note that additional physical security devices or third-party security services can make deployment and ongoing management complex.

Partner with Cisco

Our SD-WAN partner Cisco integrates a full security stack and highly secure SD-WAN fabric from the branch to the cloud edge. Enterprises can set automated policies at a global level with single pane of glass visibility. Cisco Meraki, for example, houses universal threat management capabilities in one box. These can be extended using Cisco Umbrella’s flexible cloud-delivered security, protecting office-based and mobile users.

Cisco SD-WAN (powered by Viptela) and Umbrella integration enables enterprises to deploy Umbrella across the SD-WAN to hundreds of devices within minutes to get web and Domain Name System-layer (DNS) protection against threats. Enterprises benefit from the improved performance of direct Internet access at branch offices without sacrificing security or the arduous task of managing individual devices. Administrators can create security policies and view detailed feature reports, for example.

Preparing to defend against increasing vulnerabilities

Enterprises need the capability to drive policies and configurations within their SD-WAN to reduce network complexity and make security management easier. Examples include centralized orchestration of security services and devices. Security monitoring is also essential to analyze alerts generated by SD-WAN firewalls.

It is also key to understand if the SD-WAN solution allows for secure local Internet breakouts and how this is achieved. Secure local Internet breakouts with cloud-based security can provide identical protection to users if they are in the central office, at local branches or working remotely. In addition, consider if the security platform prevents unauthorized devices from being added to the network.

Don’t forget security and analytics tools. Does your vendor, for example, offer an analytics engine that provides you with a global view of the network? This provides valuable data that the system can act upon in real time.

Security analytics can reduce the number of overall alerts that in-house IT teams have to attend by focusing on high-priority areas for an enterprise. Analytics in Cisco Meraki, for example, offer telemetry data capabilities between SD-WAN platforms and the cloud to monitor that systems are operating correctly. Analytics can also help determine which transports, such as MPLS or Internet links, are best suited for a particular application.

Working with the right partner

If enterprises feel overwhelmed by SD-WAN implementation and associated security, they should consider managed SD-WAN and security services. Together with managed detection and response solutions, it can take the pressure off in-house resources in terms of time, skills and budget.

Enterprises need to appreciate that managing the implementation and lifecycle can be just as complex as managing security. The more devices that are added, the greater the complexity. Having an integrated way of managing the network and security can reduce both workloads and costs.

An experienced partner allows an enterprise to be more proactive in their security posture. Orange Business Services, for example, combines dedicated expert teams in both connectivity and security together with in-depth knowledge of flagship SD-WAN solutions. This is reinforced with the expertise of Orange Cyberdefense to ensure a secure end-to-end SD-WAN solution. Orange Cyberdefense has the largest penetration testing team in Europe and operates a proprietary threat intelligence database.

Mitigating SD-WAN security threats

The majority of SD-WAN solutions offered today come with built-in security features. But with the threat landscape expanding by the day, it is important that enterprises reinforce their SD-WAN defenses as far as possible with additional security tools and formulate best practices that best fit their business requirements.

The combination of security-by-design, best practices and additional features will help to keep the door closed on network cyberattacks.

We are very pleased to be a Premier Sponsor of Cisco Live 2021, March 30 – April 1. To find out more, visit the event website.

Pierre-Marie Binvel
Pierre-Marie Binvel

Pierre-Marie is the Head of the Connectivity Business Unit for Europe at Orange Business Services. His team is responsible for accompanying Orange Business Services customers in their business digital transformation through the development of innovative, versatile and future-proof, global connectivity solutions.