SD-WAN Security: How Gartner Got it Wrong


A new Gartner report accurately identifies the major macro shift in the SD-WAN market — the transition from pure networking architectures to one intimately tied into broader SD-WAN security designs. It’s a shift we’ve been speaking about for some time.

But while Gartner got the basic market change correct, it’s in the details that the report was mistaken. I say this having personally deployed many of the vendors’ products mentioned in the report.

Here then is my corrected version.

Security is Essential to SD-WAN

From the very beginning, SD-WAN was meant to fix the legacy WAN. And fundamental to that goal was the seamless and easy integration of Internet services into the WAN. With Internet access services, bandwidth costs could be lowered, deployment and configuration times shortened, and Internet performance improved.

To those ends, SD-WAN appliances looked to simplify the branch, replacing branch routers and incorporating the necessary firewall features. Enabling site-to-site access across the Internet could be done by including basic firewall capabilities. Gartner accurately points out that minimally, SD-WAN edge appliances should provide:

  • Role-based access control (RBAC) and the detailed logging of firewalls supported by security information and event management (SIEM).
  • Secure tunnels based on secure key exchange, and unique codes for identifying and activating SD-WAN appliances.
  • An integrated certificate server to automate tunnel configuration and key rotation for each tunnel.

But to access the public Internet, enterprises would have to deploy additional security appliances with layer 4 – layer 7 security controls or backhaul traffic to a central Internet security point at a different location. Neither approach is particularly attractive, the former adding complexity and cost, and the latter adding latency to Internet-based sessions. As such, increasingly, vendors are incorporating layer 4 to layer 7 security controls into the SD-WAN.

The 4 SD-WAN Security Architectures

More specifically, vendors fall into four groups in how they bring security to SD-WAN. These can be described as:

  • SD-WAN appliances with basic firewalling
  • SD-WAN appliances with advanced firewalls
  • Firewall appliances with SD-WAN capabilities
  • Secure SD-WAN as a Service

(These categories are similar to, but not identical to, the breakout you’ll find in the Gartner report.)

SD-WAN Appliances with Basic Firewall

Many SD-WAN vendors deliver basic firewalling capabilities in their SD-WAN appliances. These firewalls are roughly equivalent to the stateful firewalls you might see in a branch office router. Capabilities will include policy-based filtering and blocking applications based on port or IP addresses. Examples include Cisco (Viptela), Silver Peak and Velocloud.

Basic stateful firewalls might be sufficient as phase 1 connectivity for connecting locations across the Internet to specific SaaS IPs, but not for broader Internet access. For that, you’ll need capabilities such as next-generation firewall (NGFW), intrusion prevention system (IPS), URL filtering and more. It’s for that reason that SD-WAN appliance vendors have partnered with third-party security providers, such as Zscaler and Palo Alto, emphasizing the ability to direct traffic from across the SD-WAN to the security resources using service insertion and service chaining.

Security is improved over the basic firewalls included in their appliances, and organizations avoid the deployment and operational challenges of a security appliance at the branch. Care must still be taken that both site-to-Internet and site-to-site traffic are secured. (Zscaler is only widely used for the former.) Companies are also left deploying and managing two entities — the SD-WAN and the firewall (appliance or service).

SD-WAN Appliances with Advanced Firewall

To those ends, some vendors are including NGFW capabilities within their SD-WAN appliances. Some vendors are selecting and repackaging specific third-party NGFWs in their appliances. Open Systems, for example, claims to repackage best-of-breed, third-party services as part of its Managed Secure SD-WAN appliance. Its Mission Control Network Security service includes a distributed, enterprise-grade firewall; network security monitoring; distributed network intrusion prevention, and WiFi security.

Other vendors are able to run third-party virtual network functions (VNFs) within their appliance. Versa Networks claims its SD-Branch solution provides a full set of integrated networking (routing, SD-WAN, Ethernet, Wi-Fi) and security (NG firewall, secure web gateway, AV, IPS) functions. The virtual customer premises equipment (vCPE) can also run third-party VNFs.

Organizations gain one physical device to deploy, but they are still left managing separate security and networking domains, even if it’s through a single GUI. It’s precisely that kind of fragmentation that has obscured IT visibility and control.

There’s also the question of the appliance form factor. Appliances carry a lifecycle with significant OPEX cost involved in testing, deploying, maintaining, and managing the appliance, unless you have a managed services agreement that includes appliance upgrades. The limited resources of an appliance can often force unexpected hardware upgrades as traffic levels jump or when enabling compute-intensive features, such as IPS or SSL intercept. Appliances are also limited to protecting the sites they secure. They do nothing to protect mobile users unless those users VPN back to the site, which often introduces performance problems.

Firewall Appliances with SD-WAN

At the same time, several security vendors have announced SD-WAN capabilities for their NGFW appliances. These include Barracuda, Fortinet, and Cisco Meraki, according to the Gartner report.

With SD-WAN-enabled firewall appliances, security is far better than the basic firewalls included in SD-WAN appliances. However, organizations are still limited by the constraints of appliances. More importantly, while many of these appliances appear good on paper, they lack the maturity of a seasoned SD-WAN offering.

SD-WAN should be able to switch to a secondary connection in seconds and, ideally, sub-second, which is fast enough to maintain session state. It’s a fundamental difference between SD-WAN and basic IP routing that can take 40 seconds to converge on an alternate IP connection. However, some security vendors offering SD-WAN capabilities, such as Cisco Meraki, can take as much as 300 seconds to switch between connections. For that reason, in our lexicon, we don’t consider them SD-WAN.

Collecting performance metrics is also important for SD-WAN edge appliances. It allows them to select the optimum path for a given application and is one of the fundamental differences from link aggregators. However, some security solutions, such as Fortinet SD-WAN 5.6, lack path metrics. Note: Fortinet is currently upgrading its SD-WAN and is expected to address this and other SD-WAN issues in its next release.
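To make the two preceding points concrete (per-application path selection from measured metrics, and switching paths as soon as a probe cycle shows a link breaching its SLA), here is an added illustration written for this post; it is not code from any vendor named above. Link names, SLA thresholds and probe values are constructed.

```python
"""Application-aware WAN path selection driven by per-link metrics.

Added example (not from the post or any vendor product). A link
aggregator only balances load; an SD-WAN edge measures each link and
chooses per application, with hysteresis to avoid flapping.
"""
from dataclasses import dataclass

@dataclass
class LinkMetrics:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True

# Per-application SLA thresholds (constructed example values).
APP_SLA = {
    "voip": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "bulk": {"latency_ms": 500, "jitter_ms": 100, "loss_pct": 5.0},
}

def meets_sla(link, app):
    """True if the link is up and within every threshold for the app."""
    sla = APP_SLA[app]
    return (link.up and link.latency_ms <= sla["latency_ms"]
            and link.jitter_ms <= sla["jitter_ms"]
            and link.loss_pct <= sla["loss_pct"])

def score(link):
    """Lower is better; loss is weighted heavily as it hurts every app."""
    return link.latency_ms + 2 * link.jitter_ms + 50 * link.loss_pct

def select_path(links, app, current=None, hysteresis=0.2):
    """Return the name of the link to carry `app` traffic, or None.

    Keep `current` if it still meets the SLA and no other link beats it
    by more than `hysteresis` (20%); otherwise move to the best link.
    If no link meets the SLA, degrade to the best live link instead of
    dropping the session. Called after every probe cycle, so a breach is
    acted on within one probe interval rather than a routing timer.
    """
    candidates = [l for l in links if meets_sla(l, app)]
    if not candidates:
        candidates = [l for l in links if l.up]
        if not candidates:
            return None
    best = min(candidates, key=score)
    cur = next((l for l in candidates if l.name == current), None)
    if cur is not None and score(best) >= score(cur) * (1 - hysteresis):
        return cur.name
    return best.name
```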

Secure SD-WAN as a Service

Instead, several vendors are eliminating appliances by shifting SD-WAN, and in some cases security capabilities, into a cloud service. Cato Networks is the best example of this approach, providing a fully integrated security and SD-WAN service. (The Cato Cloud also runs over its own backbone, eliminating Internet backbone problems.)

Other services deliver only pieces of the secure SD-WAN as a service approach. Aryaka offers basic firewall capabilities with its SD-WAN service, but fails to provide L4 to L7 controls, such as NGFW, IPS, URL filtering, and antivirus.

In both cases, vendors can continue to work with legacy firewalls, but organizations that want to realize the full benefits of the approach must be willing to transition their networking and security architecture to a new vendor.

The Right Approach

It would be too easy to say that there’s one right approach to SD-WAN security. Each architecture has its strengths and weaknesses. The key is aligning those strengths to your needs.

If we can help you, you know where to reach me.