SD-WAN security remains customer and vendor focus

Most SD-WAN vendors offer common features when it comes to SD-WAN security, but some tout security differentiators embedded in their services.

Software-defined WAN has come a long way since it emerged in 2014, bringing with it concerns and promises about SD-WAN security.

Multiple research firms predict SD-WAN will continue its ascent in the next few years, especially as more enterprises extend their applications and networks into the cloud.

The parallel move of workloads to the cloud has, in turn, changed customer requirements and concerns. For example, according to a recent IDC report examining SD-WAN's momentum among early adopters, security requirements related to web and internet applications were the top WAN concern among survey respondents.

Network security has always been a major concern for enterprises, but as network threats evolve and adapt, it stands to reason that network security needs to evolve, as well.

"Considering that the security threat vector continues to become more aggressive, and considering that the migration of enterprise apps significantly enhances the cyberattack surface for any enterprise, the need for comprehensive 'multilayered' security is likely to become critical in the future," IDC's report said.

According to IDC, SD-WAN can address these security issues.

Top SD-WAN adoption considerations

SD-WAN security grows as a product differentiator

In a market teeming with vendors offering similar products, SD-WAN security features are quickly turning into a differentiating factor.

Most SD-WAN products contain inherent security features like IPsec and application firewalls. Integrated firewalls lessen concerns about accessing internet traffic directly from a branch site, IDC said.

SD-WAN products also tout the ability to segment network traffic. This means certain traffic can be isolated based on where it's going or where it came from. Users can also create policies to enforce security requirements for specific application traffic, like voice over IP (VoIP).

But some vendors approach SD-WAN security beyond these more widespread security features.

Many SD-WAN vendors choose to further supplement their SD-WAN services with security virtual network functions (VNFs). VeloCloud, for example, created an SD-WAN security partnership program to develop SD-WAN security VNFs that are interoperable with security companies like Zscaler and Fortinet.

Other vendors have moved in this VNF direction, as well, said Jim Duffy, senior analyst of networking at 451 Research.

Versa Networks and FatPipe are offering SD-WAN as a feature on a VNF platform that also offers security, WAN optimization and other functions, Duffy said. "So, SD-WAN is now a VNF feature instead of a sole specific offering."

The move toward consolidating multiple network functions -- like security, WAN optimization and firewalls -- onto universal customer premises equipment (CPE) has increased recently, the IDC report said.

"In this vision, IDC views SD-WAN as a broader platform for several virtual network functions at the branch edge," the report said.

SD-WAN security according to Cato Networks

For Shlomo Kramer, CEO and co-founder of Cato Networks -- an SD-WAN company founded in 2015 and based in Tel Aviv, Israel -- moving to universal CPE won't solve the problems related to the WAN and cloud traffic.

"Coming from the security world, the problem today is not whether these are separate boxes or multiple blades on the same box," Kramer said. "The problem is 70% of traffic is encrypted and it [takes] heavy lifting to handle the traffic. You can't afford putting such boxes in each of your locations."

Cato's answer to this problem is to move the workloads, the control and the security to the cloud, Kramer added.

"With us, you have a cloud console [using Cato Cloud], in which you control all of the elements of your wide area network," he said. "You control the policy; you have all the analytics. Everything is at your hands, like any other modern cloud solution."

From the beginning, Cato Networks concentrated on cloud and security. But to Kramer, Cato's true differentiator is its global backbone embedded with a full network security stack. The result includes what customers have come to expect from SD-WAN, he said, but with built-in security that runs in the cloud.

"Cato is unique in that it is branching into SD-WAN from its cloud-based security service offering," 451 Research's Duffy said. Not only did Cato originate from cloud-based security, but its founders -- Kramer and Gur Shatz -- were also at Check Point Software Technologies and Imperva, companies focused on security, data centers and cloud networking.

"We've got both the security background and the cloud networking background," Kramer said. "And Cato is the combination of both."
