As a follow-up to the RSA San Francisco security show, it’s important to think about SD-WANs and security. In a previous post, we spoke about security and the future of networking, with an emphasis on various vendors’ approaches to securing SD-WAN internet connections. We didn’t, however, speak about the WAN itself.
New WAN, New Security
To solve the security issues inherent in SD-WAN, you need to decide how you want to segment traffic across the WAN and secure it. The security measures taken by MPLS and DMVPN networks are not enough; network-layer segmentation is a must. As time goes on, vendors will build security services and firewalls into their SD-WAN solutions, making their solutions more both more attractive and more secure.
The Importance of Firewalls and segmenting
Today, many WANs allow for network segmentation. This is important, but it doesn’t provide enough granularity. To solve this issue, some providers will allow you to segment down to the endpoint. Essentially, this granularity is what you would see on a firewall vs a VLAN. SD-WAN vendors integrate security elements and firewalls into their solution, and claim to create a single security
policy which covers both the WAN and the LAN. In general, application classification is done five-tuple (source and destination addresses, source and destination port number, plus layer-three protocol type) or six-tuple (five-tuple plus DSCP or ToS value). Neither of these provides the granularity necessary to identify services and users at the application layer; in fact, SD-WAN vendors often struggle to provide the level of detail necessary to accomplish it. :
Vendors of SD-WAN and WAN Firewalls
- Cato Networks provides a WAN firewall in its Cato Cloud service. Its WAN firewall inspects all traffic traveling across the service’s privately run backbone, and allows the application of the same security policies for both mobile users and those in the office.
- Versa Networks offers a Network Function Virtualization (NFV) function allowing the deployment of a NFV-compliant firewall within the SD-WAN solution.
- Nuage Networks is the only vendor I know of which includes a layer 2-4 firewall as part of its Virtual Security Services (VSS) portfolio and extends its software-defined network (SDN) across the WAN.
How Do Attackers Get at Your WAN?
For many SD-WAN vendors, security integration means inspecting outgoing and incoming internet traffic to ensure safety. However, inspecting HTTP traffic bound for the internet (such as what Zscaler offers) does not solve the problem of dangerous site-to-site traffic, which requires its own protection and inspection. Most of my clients already use next-generation firewalls (NGFW), secure web gateways (SWG), firewalls, and other security gear segmenting your network from the internet. On premises, ACLs and VLANs segment one resource from another. But most of my clients don’t worry about segmenting the actual WAN itself.
L3 WAN architecture is a challenge to segment. Though IP routing can be used to accomplish nearly anything, segmenting IPs across an MPLS environment is incredibly complicated, and requires expertise in VRFs, MPLS/LDP, and MP BGP – not just expertise in IP routing. That said, WAN segmentation is important, since it prevents attacks affecting one office from spreading across an entire enterprise. Since most security threats originate from within an enterprise itself, WAN segmentation has become indispensable for those organizations needing optimal security. SD-WANs offer controller-based networks and simplify WAN segmentation.
In general, SD-WAN solutions allow users to define a policy for the underlying network, then distribute the policy across the nodes. When defining each policy, users will include addressing, network configuration, application characteristics, and more. Usually via IPsec, this policy-based system creates multi-point tunnels which link the offices defined in each policy. In each segment, traffic is limited to the destinations and sources associated within the segment. Companies usually break their WAN into 5-7 groups of applications, based on use case. As an example, these applications may include guest Wi-Fi, mission-critical applications, file transfer, real-time applications, and everything else. Though some SD-WAN vendors may claim to have a separate SD-WAN segment for each application, I haven’t met anyone deploying an SD-WAN solution actually go that far.