Should you trust your SD-WAN vendor for security features?
SD-WAN is interpreted differently by enterprise IT, vendors and service providers. Which “pure” SD-WAN features should be included in a solution, which additional services should come along with an SD-WAN service, and how tightly should those services be integrated? The answers differ based on the solution vendor and the service provider offering it.
The service that is in the spotlight of this debate is security.
Next week, on April 12, I will be chairing the SD-WAN and security related sessions at the Upperside MPLS+SDN+NFV World Summit. One of these sessions will be a panel I will moderate about security and SD-WAN. The main discussion points I will bring up to the panel participants will be around the need to integrate security with an SD-WAN service: should it be a best-of-breed approach, using an SD-WAN vendor for the network-related part and a security vendor for the security features, or should it all come bundled as one solution from a single vendor?
To kick off this discussion, I asked the panel participants to provide their view on the following question:
How do you view security integrated with SD-WAN? Do you think security should be provided by the SD-WAN vendor or by a security company (best-of-breed security and SD-WAN selection)? What are the pros and cons you see in each of these options?
Here are the answers I received.
Stuart Borgman, Director, System Engineering, Palo Alto Networks
A more fundamental question is what you are trying to achieve through security in your SD-WAN deployment? The cyber security threat landscape continues to change at a rapid pace. Cyber security attacks are widespread and can be read about in most national newspapers on a daily basis. These threats take on many forms, with varying levels of sophistication. A successful cyber attack typically requires planning, where the attacker gathers intelligence before executing the attack. The attacker will want to silently execute the attack, infecting the target without being noticed. Attacks can take on multiple phases: exploiting vulnerabilities in an application or operating system, malware execution, establishment of command and control channels and of course achieving the objective, such as stealing data or malicious damage. New attacks are continually emerging, some are new and some are mutations. Palo Alto Networks Unit 42 Threat research team continually analyse cyber security threats and share the latest threat intelligence information.
If the customer is buying a secure service, then their objective is to prevent a security violation. Building and designing the correct security posture should be the primary objective. This means they need to be able to protect against both the known and unknown attack. Selection criteria should be based on the security requirements and whether it has the correct design and elements. Just because a device comes pre-installed with a security solution, it does not automatically mean it meets the correct security posture requirements. Recovering from a data loss can be very expensive and this should not be forgotten when designing the security posture.
Rachna Srivastava, Sr. Product Marketing Manager, VeloCloud by VMware
The Complete Package: SD-WAN and Security
SD-WAN is bringing about a new wave of transformation to networking and WAN management by delivering agility, scalability and operational efficiencies. A critical choice in the move towards this digital transformation is how critical services like security will be delivered alongside SD-WAN. SD-WAN delivers on the promise of reducing the number of devices in an enterprise branch. For example, leveraging a uCPE (universal Customer Premises Equipment) to run network services including SD-WAN and security, to provide optimization and security from the same device. Customers can also choose to enable cloud-based security for their branches. To achieve this, the SD-WAN software must be able to efficiently and automatically connect to the cloud security provider, without manual intervention. End-to-end visibility is extremely important for any security solution, in the LAN, as well as across the WAN. As SD-WAN continues to evolve and grow, SD-WAN vendors must continue to partner with best-of-breed security vendors as well as incorporating embedded security to protect enterprises from increasingly complex threats.
Robert McBride, Head of Product Marketing, Versa Networks
Advanced security must be embedded with SD-WAN. The value of embedded SD-WAN and security provided by the SD-WAN supplier/vendor is simpler management and flexibility. The integrated and embedded approach by the SD-WAN vendor provides an inline and unified experience to networking and security while simplifying event correlation and business policies for networking and security associated with applications, users, devices and locations.
Pros of an integrated approach: One platform for all branch sizes. With embedded advanced security in the SD-WAN platform, operators can bind both security policies and application SLA policies and manage everything from a unified management platform.
Cons: Vendor selection is limited as the majority of SD-WAN vendors only provide a basic firewall or none at all, while vendors like Versa Networks provide both networking and next-generation security (NGFW/UTM) in the platform.
Pros of multi-vendor and security vendor function approach: Potentially leverage an existing vendor for security and familiarity with existing security tool sets.
Cons: Higher cost and more complex architecture as most solutions are multi-layer and multi-appliance with separate tools for each layer (virtualization, SD-WAN, security).
Closing notes
As can be seen, the opinions on this question differ, both on the level of integration and what should actually be included in the security part.
It will be an interesting debate, that’s for sure.