IDC: SD-WAN market spend to top $5B in 2023 The 5 steps to a successful MPLS-to-SD-WAN migration

3 important SD-WAN security considerations and features

Device onboarding, control plane security and data plane security are three crucial SD-WAN security considerations enterprises should research when choosing an SD-WAN vendor.

Perhaps more than in any other part of your network, a software-defined WAN strategy needs to be equal measures networking and security.

By definition, software-defined WAN (SD-WAN) interfaces with and runs across external, often public, networks, which could attract many threats. Additionally, the site networks are likely multifaceted -- and that traffic flows across the SD-WAN. Each site probably handles critical business applications, provides access to cloud services, manages common web browsing and receives internet traffic generated by visitors and guests. Each of these traffic flows has different security needs, and enterprises also need to secure the SD-WAN infrastructure itself.

Security is an essential aspect of SD-WAN. But when enterprises start to research SD-WAN security considerations, they often face bewilderment. Unsurprisingly, many vendors prefer to build security into their bigger vision for cloud architecture. This is expected because vendors often find it easier to get customers to buy into the top-down vision than to sell bottom-up features and capabilities. But a vision won't protect your corporate network -- features will.

While a single article won't provide a complete guide to SD-WAN security considerations, it can offer a good starting point. Let's begin with steps to secure SD-WAN infrastructure.


For years, IT's primary concern when adding a switch or router to the network was to ensure a quick and easy process. Many of us generally assumed a person with physical access to the wiring closet and LAN and WAN connections had authorization to add the network device. These days, that isn't a safe assumption.

Network infrastructure gear could reside in a shared space or in a service provider's rack where you don't know the physical security and access requirements. So, you want a secure device onboarding process for your SD-WAN. The last thing you need is a rogue device that masquerades as a legitimate part of your network and has access to all traffic flowing across it.

Another SD-WAN security consideration is to make sure your vendor blocks new infrastructure devices from joining your network until they are authenticated. Editor's note: This doesn't include blocking user devices like phones and laptops, which a captive portal handles. Authentication can take place via a registration or serial number or another security token. If you plan to have a dynamic network with frequent infrastructure changes, make sure the authentication method doesn't cause logistical problems.

Data plane security

The data plane is probably the one area that automatically comes to mind when thinking of SD-WAN security considerations. The data plane carries the user traffic, which needs to be encrypted. Encryption methods can include Secure Sockets Layer, Transport Layer Security or IPsec VPN tunnels.

Because security vendors are always trying to stay one step ahead of hackers, encryption is an area of constant change.

But keep in mind data plane encryption isn't simply a checkbox item. Vendors include different methods for encryption and key exchanges. Shorter key rotation intervals are inherently more secure because they reduce the time a hacker has available to use a key.

When speaking with vendors, the Tolly Group found that at least one vendor rotates keys about every 10 minutes. Other vendors mentioned they provide further security by using the Diffie-Hellman key exchanges, which enable users to share secret keys over insecure channels. Because security vendors are always trying to stay one step ahead of hackers, encryption is an area of constant change.

Control plane security

An equally important -- but sometimes overlooked -- SD-WAN security consideration is control plane security. This is the messaging path among your network's control elements -- those that reside in the routers and switching devices comprising your SD-WAN.

It's just as important to encrypt this traffic so an attacker can't intercept, hack or compromise the management and configuration functions of your SD-WAN. Most, but not all, vendors encrypt the control plane. Make sure your vendor does.

After you tackle these SD-WAN security considerations, you will want basic firewall functionality as part of your SD-WAN -- you might even want more capabilities, such as malware protection and other higher-layer functions. You will also want to look at the microsegments of your network -- at a minimum, consider corporate vs. guest traffic -- and implement security strategies appropriate for the traffic that runs on each segment.

Next Steps

SD-WAN vendor lock-in is unavoidable, but not necessarily bad

This was last published in June 2019

Dig Deeper on SD-WAN

Unified Communications
Mobile Computing
Data Center