How SD-WANs Can Help Secure Endpoints

MSSPs must understand SD-WAN in order to be successful at securing endpoints.

April 22, 2019

6 Min Read
Endpoint Security

By Derek Handova

With Silicon Valley constantly in search of the new, new thing, everyone from vendor bloggers to conference organizers to research firm analysts have touted the next big thing as SD-WAN (software-defined wide area networking). For example, researchers at IDC project that the market for SD-WAN will grow by a compounded average of 40 percent between 2018 and 2021, reaching $4.5 billion in 2022. One of the drivers for SD-WAN is the proliferation of endpoints, according to IBM, which can only be supported if MSSPs know how SD-WANs can help secure endpoints.


Teneo’s Marc Sollars

“Where SD-WAN helps is with encryption authentication at the WAN edge,” said Marc Sollars, CTO, Teneo, a specialist integrator of next-generation technology. “It can make sure that traffic sourced at the endpoint is encrypted and that you can employ policy to ensure that only traffic originating from authenticated endpoints is allowed to traverse the WAN.”

Most SD-WAN solutions encrypt on-premises endpoint traffic, but as for how SD-WANs can help secure endpoints, encryption by itself does not suffice in the current threat era that requires deep packet inspection for malware, according to telecom security experts.

“Next-generation firewall, intrusion prevention system, and secure web gateway services embedded in the same envelope as app reliability and network performance services go way beyond encryption,” said Robert McBride, director of enterprise and telco solutions, Versa Networks, a software-defined networking vendor. “In fact, the entire stack of security services and associated policies should be distributed across the on-premises, colocation and cloud locations, including inspection for ransomware.

Security, Priority and QoS for SD-WAN Endpoint Traffic

In accordance with business needs, SD-WAN traffic to the endpoint has to meet the requirements set by the enterprise for security, priority and quality of service. And it’s important for MSSPs to understand these three requirements for how SD-WANs can secure endpoints when working with customers and how different customers might have different priorities. For example, certain SD-WAN technologies provide for enhanced security by restricting traffic flow between segments.


Windstream’s Mike Frane

“SD-WAN technologies handle prioritization differently but they all allow a prioritization of application traffic and segmentation,” said Mike Frane, vice president of product management for SD-WAN, Windstream Enterprise, the business communications giant. “Policies governing the business needs of various traffic types are set in the SD-WAN controller/orchestrator. Policies are then distributed to applicable network endpoints for a consistent application experience.”

Standards-Based Security in SD-WAN-Endpoint Traffic

By providing a secure network overlay, SD-WAN can connect branches, data centers and cloud computing instances, according to experts, so that’s how SD-WAN can help secure endpoints at those locations.

“Strong encryption standards such as AES-128 and AES-256 provide the best protection of data in transit against eavesdropping and unauthorized access,” said Chalan Aras, VP, SD-WAN and intelligent traffic management, Citrix. “They enable traffic to and from different types of endpoints to be safely tunneled across the WAN.”

But digital authentication and encryption aren’t enough, according to other SD-WAN insiders.

“Modern SD-WAN should reduce the attack surface and avoid a …

… single point of payload vulnerability by dispersing the session traffic across multiple encrypted streams,” said Chris Swan, CRO at Dispersive Networks, a provider of programmable networking. “SD-WAN should also obfuscate the network, user data, source/destination relationships, TLS headers and certificates.” 

That’s because networks and their vulnerabilities are much more difficult to attack when they are hidden.

SD-WAN, Endpoints, Network Edge and Internet Access

While MPLS networking has been the backbone of internet routing for a decade or more, some in the space have begun to categorize it with the rigid internet access technologies of yore, including T1, frame relay and ATM. But SD-WAN has the promise to extend MPLS for endpoint direct internet access by provisioning to the network edge, which is usually the case with traditional WANs switching from WAN to SD-WAN using existing networks elements, networking experts say.


Voxility’s Maria Sirbu

“In this case, SD-WAN becomes a virtual overlay added to an existing dark fiber network,” said Maria Sirbu, VP of business development, global operations, at Voxility, an infrastructure-as-a-service provider. “And every new endpoint is treated via SD-WAN technology; however, that’s easier said than done, which is why adoption of SD-WAN among Tier 1 telecom providers is still low.”

In order to accomplish this, SD-WAN can be used in a hybrid fashion, leveraging both MPLS and internet as underlays to provide the best possible performance.

“Then SD-WAN can provide local breakout for some or all cloud applications via the SD-WAN firewall and application recognition capabilities,” said Niko O’Hara, engineering manager at Avant Communications, the master agent. “This allows a customer to avoid the backhaul or hairpin to a hub site, as you might see in a traditional MPLS network, eliminating unnecessary latency and high-cost MPLS usage.”

SD-WANs for Endpoint Outages

To immediately detect outages at the endpoint and reroute traffic over an LTE backup and also maintain endpoint security, an SD-WAN solution can do this by constantly measuring latency, jitter and packet loss on all connected links, according to Prashant Kumar, co-founder and VP of product management at 128 Technology.

“The measurement packets are also used to detect link failures,” Kumar says. “These measurement packets are sent in subsecond intervals, allowing an SD-WAN network to detect outages and switch over to LTE in a subsecond time period.”

But subsecond failover isn’t achievable in most cases with most SD-WAN solutions unless leveraging more complex routing topologies using protocols like BGP and bidirectional forwarding detection (BFD) on all links, says Mike Butash, a solutions architect at Mosaic451, a managed cybersecurity service provider.

So in the case of an outage detection on an internet or MPLS link, traffic could be rerouted over an LTE connection as soon as detected, but this would require the ability to detect the degraded circuit in subsecond increments – which is possible – and remediating by redirecting to another connection, according to Neil Anderson, practice director, network solutions at World Wide Technology

“However, you have to be careful in doing so as small, intermittent issues could lead to what we call ‘flapping,’ or very fast switching back and forth of traffic between connections,” Anderson said. “It takes careful configuration of the SD-WAN solution to balance the detection time and remediation time.”

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like