How SD-WANs Can Help Secure Endpoints
… single point of payload vulnerability by dispersing the session traffic across multiple encrypted streams,” said Chris Swan, CRO at Dispersive Networks, a provider of programmable networking. “SD-WAN should also obfuscate the network, user data, source/destination relationships, TLS headers and certificates.”
That’s because networks and their vulnerabilities are much more difficult to attack when they are hidden.
SD-WAN, Endpoints, Network Edge and Internet Access
While MPLS networking has been the backbone of internet routing for a decade or more, some in the space have begun to categorize it with the rigid internet access technologies of yore, including T1, frame relay and ATM. But SD-WAN promises to extend MPLS with direct internet access for endpoints by provisioning at the network edge, which is usually how traditional WANs migrate to SD-WAN: as an overlay on existing network elements, networking experts say.
“In this case, SD-WAN becomes a virtual overlay added to an existing dark fiber network,” said Maria Sirbu, VP of business development, global operations, at Voxility, an infrastructure-as-a-service provider. “And every new endpoint is treated via SD-WAN technology; however, that’s easier said than done, which is why adoption of SD-WAN among Tier 1 telecom providers is still low.”
In order to accomplish this, SD-WAN can be used in a hybrid fashion, leveraging both MPLS and internet as underlays to provide the best possible performance.
“Then SD-WAN can provide local breakout for some or all cloud applications via the SD-WAN firewall and application recognition capabilities,” said Niko O’Hara, engineering manager at Avant Communications, the master agent. “This allows a customer to avoid the backhaul or hairpin to a hub site, as you might see in a traditional MPLS network, eliminating unnecessary latency and high-cost MPLS usage.”
SD-WANs for Endpoint Outages
An SD-WAN solution can immediately detect outages at the endpoint, reroute traffic over an LTE backup and still maintain endpoint security by constantly measuring latency, jitter and packet loss on all connected links, according to Prashant Kumar, co-founder and VP of product management at 128 Technology.
“The measurement packets are also used to detect link failures,” Kumar said. “These measurement packets are sent in subsecond intervals, allowing an SD-WAN network to detect outages and switch over to LTE in a subsecond time period.”
But subsecond failover isn’t achievable in most cases with most SD-WAN solutions unless they leverage more complex routing topologies using protocols like BGP and bidirectional forwarding detection (BFD) on all links, said Mike Butash, a solutions architect at Mosaic451, a managed cybersecurity service provider.
So when an outage is detected on an internet or MPLS link, traffic could be rerouted over an LTE connection as soon as it is detected, but this requires the ability to detect the degraded circuit in subsecond increments – which is possible – and then remediate by redirecting traffic to another connection, according to Neil Anderson, practice director, network solutions at World Wide Technology.
“However, you have to be careful in doing so as small, intermittent issues could lead to what we call ‘flapping,’ or very fast switching back and forth of traffic between connections,” Anderson said. “It takes careful configuration of the SD-WAN solution to balance the detection time and remediation time.”
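The failover mechanics described above (subsecond measurement probes, thresholds on latency, jitter and loss, switching to LTE, and the flapping risk Anderson warns about) can be shown with a small simulation. The following is an added example written for this article; it is not code from 128 Technology, Mosaic451, World Wide Technology or any other vendor named here. The probe results, the thresholds in `LinkPolicy` and the `down_after`/`up_after` counters are all constructed assumptions, not any product's defaults. It runs the same constructed probe series twice: once with no hold-down (a link is trusted again the moment one evaluation passes) and once with a hold-down of ten consecutive passing evaluations, and counts how many times traffic moves between links.

```python
"""Link-health monitoring with hysteresis for SD-WAN failover.

Added example (not code from any vendor named in the article). It models
the behaviour the article describes: subsecond measurement probes on each
link, declaring a link down when loss/latency/jitter breach thresholds,
rerouting to an LTE backup, and a hold-down so that brief, intermittent
blips do not cause flapping. All thresholds and the probe results are
constructed assumptions, not any product's defaults.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass
class LinkPolicy:
    window: int = 5             # probes evaluated per decision (e.g. 5 x 200 ms = 1 s of history)
    max_loss_pct: float = 20.0
    max_latency_ms: float = 150.0
    max_jitter_ms: float = 30.0
    down_after: int = 3         # consecutive failing evaluations before declaring the link down
    up_after: int = 1           # consecutive passing evaluations before trusting it again (hold-down)


class LinkMonitor:
    """Tracks one link's recent probe results and its up/down decision."""

    def __init__(self, name: str, policy: LinkPolicy) -> None:
        self.name = name
        self.policy = policy
        self.recent: Deque[Optional[float]] = deque(maxlen=policy.window)
        self.bad = 0    # current streak of failing evaluations
        self.good = 0   # current streak of passing evaluations
        self.up = True

    def metrics(self) -> Tuple[float, float, float]:
        """Return (loss %, mean latency ms, mean jitter ms) over the window."""
        rtts = [r for r in self.recent if r is not None]
        loss_pct = 100.0 * (len(self.recent) - len(rtts)) / len(self.recent)
        if not rtts:
            return loss_pct, float("inf"), 0.0
        latency = sum(rtts) / len(rtts)
        jitter = 0.0
        if len(rtts) > 1:   # jitter as mean absolute change between consecutive RTTs
            jitter = sum(abs(a - b) for a, b in zip(rtts, rtts[1:])) / (len(rtts) - 1)
        return loss_pct, latency, jitter

    def healthy(self) -> bool:
        loss, latency, jitter = self.metrics()
        p = self.policy
        return loss <= p.max_loss_pct and latency <= p.max_latency_ms and jitter <= p.max_jitter_ms

    def observe(self, rtt_ms: Optional[float]) -> bool:
        """Record one probe result (None = probe lost) and return the link state."""
        self.recent.append(rtt_ms)
        if len(self.recent) < self.policy.window:
            return self.up                      # not enough history to judge yet
        if self.healthy():
            self.good, self.bad = self.good + 1, 0
            if not self.up and self.good >= self.policy.up_after:
                self.up = True
        else:
            self.bad, self.good = self.bad + 1, 0
            if self.up and self.bad >= self.policy.down_after:
                self.up = False
        return self.up


def run_failover(primary_probes: List[Optional[float]], policy: LinkPolicy) -> Tuple[List[str], int]:
    """Feed primary-link probes through the monitor; return the active-link
    timeline and the number of times traffic moved. The LTE backup is assumed
    to stay up for the whole run."""
    monitor = LinkMonitor("mpls", policy)
    active, switches, timeline = "mpls", 0, []
    for rtt in primary_probes:
        wanted = "mpls" if monitor.observe(rtt) else "lte"
        if wanted != active:
            switches += 1
            active = wanted
        timeline.append(active)
    return timeline, switches


def constructed_probe_series() -> List[Optional[float]]:
    """Constructed sample data: a stable period, a hard outage, recovery,
    then three short two-probe blips, each followed by six clean probes."""
    stable = [20.0] * 10
    outage = [None] * 6
    recovered = [20.0] * 20
    blips = ([None, None] + [20.0] * 6) * 3
    return stable + outage + recovered + blips


if __name__ == "__main__":
    probes = constructed_probe_series()
    for label, policy in (("no hold-down", LinkPolicy(up_after=1)),
                          ("10-eval hold-down", LinkPolicy(up_after=10))):
        _, switches = run_failover(probes, policy)
        print(f"{label}: traffic switched {switches} times over {len(probes)} probes")
```

Both policies detect the hard outage at the same probe and move traffic to LTE; the difference is in the blip phase, where the no-hold-down policy bounces traffic back and forth on every short loss burst while the hold-down policy keeps traffic on LTE until the primary has been clean for a full ten evaluations. That is the detection-time versus remediation-time balance the quote refers to: a shorter `up_after` returns traffic to the cheaper link sooner, a longer one costs some MPLS time but suppresses flapping. Real products and BFD implementations use their own timers and multipliers, so the numbers here only illustrate the trade-off.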