SD-WAN: How to Leverage Next-Gen Networks Without Adding Cyber Risk


January 25, 2021


By Michael Rezek



Digital transformation was helping businesses to streamline processes and create innovative customer experiences long before the pandemic. But over recent months it’s become absolutely critical in helping channel organizations support their clients’ efforts to react with agility to unprecedented conditions.

Cloud-based applications are right at the heart of the value that digital projects can add here. But how do you deliver these bandwidth-hungry apps to employees as cost efficiently as possible, without impacting performance? This is where software-defined wide area networking comes in.

However, as much promise as SD-WAN holds for the IT channel, there’s one important caveat: it also expands the attack surface. Security must therefore be baked into any project from the start, following security by design, and be viable enough to run across hundreds or even thousands of remote sites.

Defining SD-WAN

SD-WAN has been picking up momentum for several years now, but we may finally have reached a tipping point. According to one study, adoption jumped from 35% in 2017 to 54% two years later. Gartner’s 2019 Hype Cycle report for enterprise networking claimed that it “continues rapid movement as a mainstream technology.”

It’s not hard to see why. By decoupling the networking hardware from its control layer and virtualizing the WAN, the technology works to simplify configuration and traffic routing. Network operations (NetOps) teams can manage policies and bandwidth centrally rather than being forced to send engineers out to manually configure networks. Traffic from business-critical applications can be prioritized and because it’s all routed over the internet, it offers cost savings over legacy MPLS. IDC also believes the technology can play a key role in supporting remote workers in a post-pandemic world. In this scenario, every home office is effectively a branch office.

False Sense of Security

However, if managed service providers, system integrators and other channel players want to leverage these kinds of benefits, they must pay close attention to the unique security risks SD-WAN also introduces. Although traffic is end-to-end encrypted by default, and security and policy can be integrated directly into connectivity, there are challenges. Whereas traffic used to be sent back via a private MPLS line to a secure site, now internet-connected corporate assets and data are exposed to remote and insider threats.

Further challenges come if providers are managing multiple SD-WAN deployments from different vendors across highly distributed architectures. Without adequate security orchestration and control across the entire environment, dangerous blind spots may appear. Unfortunately, legacy monitoring tools weren’t designed with SD-WAN in mind.

NetOps managers in channel organizations should also be aware that firewalls only go so far in mitigating cyber risk. Don’t be lulled into a false sense of security: perimeter security is only one layer of the defenses you need in place and will do little to stop attackers that have been able to breach the perimeter by using stolen or guessed access credentials, for example.

Get Proactive

It’s vital that channel firms looking to support customers with SD-WAN deployments clearly understand these potential security implications before starting projects. Always consult the relevant subject matter experts on your team right at the outset to anticipate and address any problems. So where do you go from here?

Perimeter protection is a great first step, but it must be enhanced with next-generation intrusion detection (IDS), which offers full visibility into network traffic, wherever it flows, and network detection and response (NDR) capabilities to rapidly detect suspicious behavior such as lateral movement. It’s important here to find a provider capable of logging data for up to a year, to enhance forensics and visibility of attacks, in a way that is economically viable and operationally feasible. This isn’t necessarily the case with all providers and will depend on whether they capture micro-detail per packet intelligence in the form of metadata or full packets, for example. Once that’s in place, also consider web filtering, SSL, IPSec inspection and sandboxing.

The final blend of security technologies you choose will depend on your specific risk appetite and the kind of customers you’re managing. But defence-in-depth is always the right strategy. Digital transformation is helping many organizations to weather the worst of the pandemic, and it will continue to drive growth after the crisis has receded. To support customer demands for optimized, cloud-delivered application experiences for their employees, secure SD-WAN is an increasingly compelling option.

Michael Rezek is vice president of business development and cybersecurity strategy at Accedian Networks, where he is responsible for Accedian’s cybersecurity strategy. He has more than 20 years of senior sales and business development experience, including 15 years at Cisco, where he led cross-functional and cross-organizational teams to drive complex infrastructure, network and managed service solutions for carriers and enterprise accounts. Rezek has cybersecurity and networking expertise in L1-3 networking and L2-7 performance management and an analytical and creative problem-solving skill set developed during his engineering career. He earned his master’s in electrical engineering at Georgia Institute of Technology and is licensed as a professional engineer. You may follow him on LinkedIn or @Accedian on Twitter.
