Perhaps more than in any other part of your network, a software-defined WAN strategy needs to be equal measures networking and security.
By definition, software-defined WAN (SD-WAN) interfaces with and runs across external, often public, networks, which exposes it to a broad range of threats. The site networks it connects are also likely multifaceted, and all of that traffic flows across the SD-WAN: each site probably handles critical business applications, provides access to cloud services, manages ordinary web browsing and receives internet traffic from visitors. Each of these traffic flows has different security needs, and enterprises also need to secure the SD-WAN infrastructure itself.
Security is an essential part of SD-WAN. But when enterprises research SD-WAN security considerations, they're often perplexed. Unsurprisingly, many vendors prefer to build security into their bigger vision for cloud architecture. This is expected because vendors find it easier to get customers to buy into the top-down vision than to sell bottom-up features and capabilities. But a vision won't protect your corporate network -- features will.
As a starting point to evaluate SD-WAN security considerations, let's look at the steps to secure SD-WAN infrastructure.
For years, IT's main concern when adding a switch or router to the network was to ensure a quick and easy process. It was widely assumed that anyone with physical access to the wiring closet and to the LAN and WAN connections was authorized to add a network device. These days, that isn't a safe assumption.
Network infrastructure gear could reside in a shared space or in a service provider's rack where you don't know the physical security and access requirements. So, you want a secure device onboarding process for your SD-WAN. The last thing you need is a rogue device that masquerades as a legitimate part of your network and has access to all traffic flowing across it.
Another SD-WAN security consideration is to make sure your vendor blocks new infrastructure devices from joining your network until they are authenticated. This doesn't include blocking user devices like phones and laptops, which a captive portal handles.
Authentication can take place via a registration code, a serial number or another security token. Bear in mind that a serial number is printed on the chassis and on the shipping paperwork, so on its own it identifies a device but doesn't prove anything; pair it with a one-time enrollment token or a certificate the device must present. If you plan to have a dynamic network with frequent infrastructure changes, make sure the authentication method doesn't cause logistical problems.
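As an added example of what "blocked until authenticated" can look like on the controller side (this is illustrative code written for this article, not any vendor's onboarding protocol), the script below mints a one-time enrollment token bound to a device's expected serial number and an expiry, then shows the controller rejecting a box that knows only the serial number, a replayed token, a token presented by the wrong device, a tampered token and an expired one. The token layout, the ENROLL_SECRET and the serial numbers are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the article or any SD-WAN vendor. It shows one
# way a controller can gate device onboarding: a one-time enrollment token that
# is bound to the expected serial number and to an expiry, so knowing a serial
# number alone (it is printed on the chassis) is not enough to join the fabric.
# Token layout, ENROLL_SECRET and the serial numbers are assumptions.

ENROLL_SECRET = secrets.token_bytes(32)   # controller-side secret (hypothetical)


def issue_token(serial: str, ttl_seconds: int, now: int, secret: bytes = ENROLL_SECRET) -> str:
    """Mint 'serial|expiry|nonce|mac' for a device that is about to be staged for a site."""
    expiry = now + ttl_seconds
    nonce = secrets.token_hex(8)              # makes every token unique and single-use
    body = f"{serial}|{expiry}|{nonce}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class Enroller:
    """Controller-side check run before a new edge is admitted to the control plane."""

    def __init__(self, secret: bytes, expected_serials) -> None:
        self.secret = secret
        self.expected = set(expected_serials)   # serials IT actually ordered and staged
        self.consumed = set()                   # nonces already used, to stop replay

    def verify(self, claimed_serial: str, token: str, now: int) -> tuple:
        """Return (admitted, reason). Nothing in the token is trusted until the MAC checks out."""
        parts = token.split("|")
        if len(parts) != 4:
            return False, "malformed token"
        serial, expiry_str, nonce, mac = parts
        body = f"{serial}|{expiry_str}|{nonce}"
        expected_mac = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected_mac):   # constant-time comparison
            return False, "bad mac"
        if serial != claimed_serial:
            return False, "serial mismatch"
        if serial not in self.expected:
            return False, "serial not on the staging list"
        if now > int(expiry_str):
            return False, "token expired"
        if nonce in self.consumed:
            return False, "token replayed"
        self.consumed.add(nonce)
        return True, "admitted"


def walkthrough() -> dict:
    """Constructed scenario: one legitimate edge, then several things a rogue box might try."""
    enroller = Enroller(ENROLL_SECRET, ["SN-BR-0417"])
    t0 = 1_700_000_000                        # constructed 'now' in epoch seconds
    token = issue_token("SN-BR-0417", ttl_seconds=3600, now=t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")   # flip one MAC hex digit
    return {
        "legit": enroller.verify("SN-BR-0417", token, t0 + 600),
        "replay": enroller.verify("SN-BR-0417", token, t0 + 700),
        "rogue_serial_only": enroller.verify("SN-BR-0417", "SN-BR-0417", t0 + 800),
        "wrong_box": enroller.verify("SN-ZZ-9999", token, t0 + 800),
        "tampered": enroller.verify("SN-BR-0417", tampered, t0 + 800),
        "expired": Enroller(ENROLL_SECRET, ["SN-BR-0417"]).verify(
            "SN-BR-0417", issue_token("SN-BR-0417", 60, t0), t0 + 61),
    }


if __name__ == "__main__":
    for case, (admitted, reason) in walkthrough().items():
        print(f"{case:18s} admitted={admitted} ({reason})")
```

The order of the checks matters: the MAC is verified first, so the serial, expiry and nonce fields are only ever interpreted after they are known to have come from the controller. Whatever your vendor's scheme looks like, ask how it handles the same five failure cases.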
Data plane security
The data plane is probably the one area that automatically comes to mind when thinking of SD-WAN security considerations. The data plane carries the user traffic, which needs to be encrypted in transit. Encryption methods can include Transport Layer Security (TLS, the successor to the deprecated Secure Sockets Layer) or IPsec VPN tunnels.
But keep in mind data plane encryption isn't simply a checkbox item. Vendors use different encryption methods and key exchanges. Shorter key rotation intervals are inherently more secure because they limit both how long an attacker can use a compromised key and how much traffic that one key protects.
When speaking with vendors, the Tolly Group found at least one vendor rotates keys about every 10 minutes. Other vendors said they provide further security by using Diffie-Hellman key exchanges, which let two peers agree on a shared secret over an insecure channel without ever transmitting the secret itself; when each rotation uses fresh, ephemeral values, a key recovered later can't decrypt earlier traffic. Because security vendors are always trying to stay one step ahead of hackers, encryption is an area of constant change.
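To make the two ideas above concrete (a key agreed over an untrusted path, and a fresh key per rotation interval), here is an added example written for this article rather than taken from any vendor's implementation. Two peers run an ephemeral Diffie-Hellman exchange over the RFC 3526 2048-bit MODP group, derive the interval key with HKDF, discard their private exponents, and repeat for each interval; six intervals at the 10-minute cadence mentioned above cover an hour. The "sdwan-data-plane" label, the Peer class and the rotation loop are assumptions of the example, not a documented protocol.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the article or any SD-WAN vendor. It shows the
# mechanics behind the claims above: an ephemeral Diffie-Hellman exchange lets two
# peers agree on a secret over an untrusted path, and re-running it on a rotation
# interval gives each interval its own key. Names and labels are assumptions.

# 2048-bit MODP group 14 from RFC 3526 (generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8   # 256


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt: turns the raw DH output into a usable key."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def valid_public_value(y: int) -> bool:
    """Reject 0, 1, p-1 and out-of-range values: an attacker can use them to force a known secret."""
    return 1 < y < P - 1


class Peer:
    """One SD-WAN edge. Holds an ephemeral private exponent only until the interval key exists."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = None

    def new_ephemeral(self) -> int:
        # Fresh 256-bit exponent for every rotation interval; an old one is never reused.
        self.priv = 2 + secrets.randbelow(2 ** 256 - 2)
        return pow(G, self.priv, P)

    def derive_key(self, peer_pub: int, transcript: bytes) -> bytes:
        if not valid_public_value(peer_pub):
            raise ValueError(f"{self.name}: degenerate public value rejected")
        shared = pow(peer_pub, self.priv, P)
        key = hkdf_sha256(shared.to_bytes(P_BYTES, "big"), b"sdwan-data-plane|" + transcript)
        self.priv = None   # discard the exponent, so this interval's key can't be recomputed later
        return key


def rekey(a: Peer, b: Peer, interval: int) -> tuple:
    """One rotation: both sides exchange fresh public values and derive the interval key."""
    ya, yb = a.new_ephemeral(), b.new_ephemeral()
    # Binding both public values and the interval number into the KDF input means a value
    # modified on the wire yields mismatched keys rather than a silently shared one.
    # NOTE: this exchange is unauthenticated. A real deployment must sign or otherwise
    # authenticate ya and yb with the device identity established at onboarding.
    transcript = ya.to_bytes(P_BYTES, "big") + yb.to_bytes(P_BYTES, "big") + interval.to_bytes(4, "big")
    return a.derive_key(yb, transcript), b.derive_key(ya, transcript)


def run_session(intervals: int) -> list:
    """Return one agreed key per rotation interval, e.g. 6 keys for an hour at 10 minutes."""
    hub, branch = Peer("hub"), Peer("branch")
    keys = []
    for i in range(intervals):
        k_hub, k_branch = rekey(hub, branch, i)
        assert k_hub == k_branch, "peers disagree on the interval key"
        keys.append(k_hub)
    return keys


if __name__ == "__main__":
    session = run_session(6)
    print(f"{len(session)} interval keys, {len(set(session))} distinct")
```

Two things to take from this into vendor conversations: a Diffie-Hellman exchange only delivers the "secret over an insecure channel" property if the public values are checked (the valid_public_value guard) and authenticated (otherwise an attacker in the path simply runs two exchanges, one with each peer), and rotation only delivers forward secrecy if the old exponents are actually thrown away rather than cached.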
Control plane security
An equally important -- but sometimes overlooked -- SD-WAN security consideration is control plane security. This is the messaging path among your network's control elements -- those that reside in the routers and switching devices throughout the SD-WAN.
It's just as important to encrypt and authenticate this traffic so a hacker can't intercept, replay or tamper with the management and configuration functions of your SD-WAN. Most, but not all, vendors encrypt the control plane. Make sure your vendor does.
After you tackle these SD-WAN security considerations, you'll want basic firewall functionality as part of your SD-WAN. You might even want more capabilities, such as malware protection and other higher-layer functions. You'll also want to look at the microsegments of your network -- at a minimum, consider corporate versus guest traffic -- and implement security strategies appropriate for the traffic that runs on each segment.
Editor's note: This article was updated to improve the reader experience.