Pay Attention to SD-WAN Security

    Software-defined wide-area networks (SD-WANs) are the hottest new approach to networking. They are seen as a way to link geographically discrete locales in a manner that uses multiprotocol label switching (MPLS) for high-value and sensitive data and broadband internet for lower-value data.

    In short: SD-WAN will fluidly send company sales figures over expensive but highly secure MPLS links and the results of the corporate softball league over cheaper but less secure broadband connections. They are thought to be extremely secure. An InSpeed Networks blog references an IDC SD-WAN survey that said security, at 31 percent, was found to be the second biggest driver of SD-WAN adoption. It only trailed bandwidth optimization, which was the driver for 36 percent of respondents. Improved automation and self-provisioning followed at 28 percent.

    That security truism must be examined carefully, however. Steve Garson, the founder and president of SD-WAN Experts, writes at Network World that he and Nirvik Nandy, the CISO of Red Lantern, assessed the security of SD-WAN architectures. There are two interrelated bottom lines: One is that the security landscape of SD-WAN and the routers they replace are different. The second is that SD-WAN is a new technology and its unique security challenges may not be as well hashed out as those of the routing infrastructure it displaces.

    Garson and Nandy are by no means saying that SD-WANs are inherently insecure. Their message simply is to be very careful. The threats and, therefore, the care that should be given are greater in remote locations such as branch offices. In addition, SD-WANs are more open. This means that a breach can provide crackers with access to an entire network, not just where the problem occurred. Finally, SD-WANs are part of emerging virtualized environments and therefore are built upon lower-cost computer devices that can be problematic if not carefully secured:

    To uncover the vulnerabilities in appliances, we examined the security of the appliances from the bare metal on up. SD-WAN appliances often run on white-box servers, off the shelf server hardware, with microservices from various sources. Each of those microservices represent a potential point of attack. As such, you need to check everything from the chipset, BIOS, and firmware — on up.

    “Dynamic security” must be implemented because of the decentralization of critical information, the fluid nature of data transports in SD-WANs, and the proliferation of networks that will access the data, according to CCSI.

    It’s all about awareness. The site says that IT departments should inventory, classify and prioritize apps, run deep packet inspection (DPI); ensure that the SD-WAN enables end to end visibility; and that focus should be on the end user and his or her experience. The idea is that SD-WANs are highly distributed and dynamic. Security must be as well.

    SD-WANs bring tremendous potential benefits to telecommunications networks. They are a new and relatively untested approach, however. This means that security concerns must be taken even more seriously and dealt with more proactively than when more established and well understood approaches are being deployed.

    Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at [email protected] and via twitter at @DailyMusicBrk.

    Carl Weinschenk
    Carl Weinschenk
    Carl Weinschenk Carl Weinschenk Carl Weinschenk is a long-time IT and telecom journalist. His coverage areas include the IoT, artificial intelligence, artificial intelligence, drones, 3D printing LTE and 5G, SDN, NFV, net neutrality, municipal broadband, unified communications and business continuity/disaster recovery. Weinschenk has written about wireless and phone companies, cable operators and their vendor ecosystems. He also has written about alternative energy and runs a website, The Daily Music Break, as a hobby.

    Latest Articles