And the answer? Security shall networking become.
When Yoda Became a Network Engineer
Uncovering the meaning of such Yoda-like wisdom required more than a simple Bash algorithm, Perl script, or even our handy Yoda translator. Clearly, we needed something more intelligent, more profound, more, more – oh, you get the point.
Could networking really replace security (or vice versa) in 2017? Should CIOs and CISOs prepare themselves for the inevitable assimilation (head nod to you aging Trekkies)? And how, then, should security and networking personnel prepare themselves for the inevitable onslaught?
We had our own ideas, of course, but we wanted to see what others thought as well. So we "assimilated" a few SD-WAN vendors on our own at the end of the galaxy (killer delay, but a few wormholes, zero packet loss in a vacuum, and awesome, optimized routing helped a ton). Here's what we learned.
Does the “SD” of SD-WAN mean security disaster?
It should be clear to anyone that providing every office with direct internet access (DIA), as prescribed by SD-WANs in their full incarnation, represents an enormous expansion of a company's attack surface. Most of the enterprises we engage with have one or, at most, several regional secured internet access hubs. Putting DIA at the branch opens networks to the full range of threats we find on the internet: ransomware, phishing, drive-by-download sites and more.
To make matters worse, if you're like many of our customers, chances are you have very limited existing security, if any, in your branch offices. Whether they rely on MPLS or internet-based IPsec VPNs, most companies we meet with still backhaul traffic to a secured internet access portal in central or regional hubs. There's probably no firewalling, malware detection or other security facility at the branch.
In fact, a recent survey by Dimension Data (sponsored by Versa Networks, an SD-WAN supplier), spoke to this point. The survey found that 40 percent of enterprise branches don’t have even a basic stateful firewall. Half of all branches don’t have a Next-Generation Firewall (NGFW). SD-WANs and DIA at the branch represent a kind of double jeopardy. Not only do companies have more attack surface to secure, but they can’t even leverage existing tools and procedures to secure those points.
Different approaches to networking and security
SD-WAN vendors are well aware of the security challenges. You'll see a lot of discussion about network-layer issues: encryption, IPsec, authentication and more. Network segmentation on the WAN isolates traffic in its own overlay, protecting the application in the overlay from threats on the WAN outside of the overlay. It's roughly the same value as isolating applications in their own VMs on a host. Keep in mind what that isolation does and does not buy: an encrypted overlay defends the transport against eavesdropping and injection and keeps segments from reaching one another, but it does nothing about malicious content a branch user fetches through the direct internet breakout. Many vendors now build a stateful firewall into their branch devices, which at least blocks unsolicited inbound connections on the DIA link.
But the bigger security question is how to provide NGFW, malware detection, IDS/IPS, URL filtering and other application-level security mechanisms at the branch. And on this point, we’re seeing vendors take one of four approaches and often a mix of approaches.
Service chaining and cloud security
At the most basic level, SD-WAN providers such as Silver Peak, Viptela and Velocloud partner with "best-of-breed" security providers. (Don't read too much into our omitting an SD-WAN vendor; time did not permit us to contact every company.) Service chaining allows security functions to be "stitched" together. Deep Packet Inspection (DPI) at the edge is needed to identify the relevant traffic and direct it to and from the relevant security devices, which are still typically, though not necessarily, centralized in the data center.
But service chaining security devices still leaves organizations backhauling branch traffic to some location for inspection. To provide DIA without deploying a full stack of security devices at the branch, many SD-WAN vendors are partnering with a cloud security provider, notably Zscaler, among others. In that model the branch edge forwards outbound TCP, UDP and ICMP traffic to the Zscaler cloud for inspection before it is forwarded on to its destination. Note what a cloud inspection service does not see: unsolicited inbound connections arriving at the branch's DIA link never pass through it, so the branch still needs at least a local stateful firewall.
Service chaining provides a framework to address the basic security issues, but enterprises still face the challenge of instantiating that service across hundreds of applications, user types and sites. A high degree of policy integration and automation is needed to make enterprise WAN management feasible. SD-WAN and security parameters should ideally be defined and delivered through one interface. The necessary tools should then be able to push those policies out across the infrastructure.
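To make the "define once, push everywhere" idea concrete, here is an added example (written for this page, not code from any of the vendors named above) of a minimal service-chaining policy engine. The site inventory, the application labels DPI assigns, and the function names (`stateful-fw`, `ngfw`, `ids`, `url-filter`, `cloud-swg`) are all constructed for the example. One ordered policy is written once; rendering it for a given site resolves each security function in the chain to where it actually runs (locally, in a cloud service, or at the site's hub), and a flow can only take the DIA exit when nothing in its chain forces a backhaul.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed site inventory: which security functions run locally at each
# site and which hub the site backhauls to (None for a DIA-only branch).
SITES: Dict[str, Dict[str, object]] = {
    "branch-17": {"local": {"stateful-fw"}, "hub": "hub-east"},
    "branch-42": {"local": {"stateful-fw", "url-filter"}, "hub": "hub-east"},
    "branch-99": {"local": {"stateful-fw"}, "hub": None},  # DIA only, no hub
    "hub-east": {"local": {"stateful-fw", "ngfw", "ids", "url-filter"}, "hub": None},
}

# Functions delivered by a cloud security service, reachable from any DIA site.
CLOUD_FUNCTIONS: Set[str] = {"cloud-swg"}


@dataclass(frozen=True)
class Flow:
    site: str
    dst_port: int
    proto: str
    app: str  # label assigned by DPI at the edge (values assumed for the example)


@dataclass(frozen=True)
class Rule:
    name: str
    match: Dict[str, frozenset]  # flow field -> allowed values; {} matches everything
    chain: Tuple[str, ...]       # ordered security functions the flow must traverse


# One policy, written once and applied to every site.
POLICY: List[Rule] = [
    Rule("sanctioned-saas", {"app": frozenset({"office365", "salesforce"})},
         ("stateful-fw", "cloud-swg")),
    Rule("general-web", {"proto": frozenset({"tcp"}), "dst_port": frozenset({80, 443})},
         ("stateful-fw", "url-filter", "cloud-swg")),
    Rule("non-web-default", {}, ("stateful-fw", "ngfw", "ids")),  # catch-all: full inspection
]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every constrained field must be in the rule's allowed set."""
    return all(getattr(flow, field) in allowed for field, allowed in rule.match.items())


def first_match(flow: Flow, policy: Optional[List[Rule]] = None) -> Rule:
    """First-match semantics, like a firewall rulebase; the last rule must be a catch-all."""
    for rule in policy if policy is not None else POLICY:
        if rule_matches(rule, flow):
            return rule
    raise LookupError("policy has no catch-all rule")


def place_chain(site: str, chain: Tuple[str, ...]) -> List[Tuple[str, str]]:
    """Resolve each function to where it runs for this site: 'local', 'cloud' or
    'hub:<name>' (backhaul). A function that exists nowhere on the path means the
    policy cannot be enforced at that site, so we refuse rather than silently skip it."""
    info = SITES[site]
    hub = info["hub"]
    placed = []
    for fn in chain:
        if fn in info["local"]:
            placed.append((fn, "local"))
        elif fn in CLOUD_FUNCTIONS:
            placed.append((fn, "cloud"))
        elif hub is not None and fn in SITES[hub]["local"]:
            placed.append((fn, f"hub:{hub}"))
        else:
            raise ValueError(f"{site}: no instance of {fn} on the path; policy cannot be enforced")
    return placed


def steer(flow: Flow) -> dict:
    """Decide the chain and the exit for one flow. DIA is only allowed when no
    function in the chain requires backhauling to the hub."""
    rule = first_match(flow)
    placement = place_chain(flow.site, rule.chain)
    egress = "hub" if any(where.startswith("hub:") for _, where in placement) else "dia"
    return {"rule": rule.name, "chain": placement, "egress": egress}


def render_site(site: str) -> List[dict]:
    """The configuration pushed to one site: every rule, with each function
    resolved to where it will actually run for that site."""
    return [{"rule": r.name, "chain": place_chain(site, r.chain)} for r in POLICY]


if __name__ == "__main__":
    for f in (Flow("branch-17", 443, "tcp", "office365"),
              Flow("branch-17", 443, "tcp", "unknown"),
              Flow("branch-42", 443, "tcp", "unknown"),
              Flow("branch-17", 445, "tcp", "smb")):
        print(f.site, f.app, f.dst_port, "->", steer(f))
```

Run it and the design point shows up immediately: the same web flow exits directly at branch-42, which has a local URL filter, but is backhauled from branch-17, which does not; and the DIA-only branch-99 cannot enforce the non-web rule at all, which is exactly the gap that cloud security partnerships and native integration (below) try to close.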
Many leading SD-WAN providers offer those capabilities, but even then the networking and security analytics remain separate. There is no way, for example, to reduce alert storms for security operations personnel by correlating security and networking information. Nor can a security device that detects a DDoS attack have the SD-WAN block the segment's ingress from the relevant location. Networking and security logs can always be exported to third-party tools, but these kinds of tight analytic and control functions are still beyond the scope of most SD-WAN and security vendor partnerships.
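What such correlation would look like, as an added example (constructed for this page, not any vendor's analytics) over a handful of made-up IDS alerts and SD-WAN events: anomaly alerts that coincide with a WAN failover at the same site are folded into one informational summary instead of paging anyone, and a DDoS alert is only turned into an SD-WAN "block ingress" action when the network side corroborates it with a saturated link. The event kinds, site names and the 60-second window are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SecEvent:
    ts: int      # seconds; constructed timestamps
    site: str
    kind: str    # "tcp-anomaly" or "ddos" (assumed IDS categories)
    detail: str


@dataclass(frozen=True)
class NetEvent:
    ts: int
    site: str
    kind: str    # "failover", "link-down" or "link-saturated" (assumed SD-WAN telemetry)
    detail: str


# Constructed sample input. branch-17 fails over at t=100 and the IDS sees a
# burst of TCP anomalies around it; branch-42 is under a DDoS with its link pegged.
SEC_EVENTS: List[SecEvent] = [
    SecEvent(95, "branch-17", "tcp-anomaly", "reset flood from 10.17.0.0/16"),
    SecEvent(101, "branch-17", "tcp-anomaly", "reset flood from 10.17.0.0/16"),
    SecEvent(110, "branch-17", "tcp-anomaly", "excessive retransmissions"),
    SecEvent(125, "branch-17", "tcp-anomaly", "excessive retransmissions"),
    SecEvent(130, "branch-17", "tcp-anomaly", "reset flood from 10.17.0.0/16"),
    SecEvent(400, "branch-17", "tcp-anomaly", "reset flood from 10.17.0.0/16"),  # no WAN event nearby
    SecEvent(200, "branch-42", "ddos", "guest-wifi"),
    SecEvent(500, "branch-17", "ddos", "pos"),  # no link impact: keep the alert, do not auto-block
]
NET_EVENTS: List[NetEvent] = [
    NetEvent(100, "branch-17", "failover", "mpls -> inet2"),
    NetEvent(190, "branch-42", "link-saturated", "inet1 at 98%"),
]

WINDOW_SECONDS = 60  # assumed correlation window
EXPLAINED_BY = {"tcp-anomaly": {"failover", "link-down"}}  # which WAN events explain which alerts


def correlate(sec: List[SecEvent], net: List[NetEvent],
              window: int = WINDOW_SECONDS) -> Tuple[List[dict], List[dict]]:
    """Returns (alerts, actions). Alerts are what reaches the SOC after correlation;
    actions are control commands for the SD-WAN (here: block a segment's ingress)."""
    net_by_site: Dict[str, List[NetEvent]] = defaultdict(list)
    for n in net:
        net_by_site[n.site].append(n)

    alerts: List[dict] = []
    actions: List[dict] = []
    folded: Dict[Tuple[str, str], int] = defaultdict(int)

    for s in sorted(sec, key=lambda e: (e.site, e.ts)):
        nearby = [n for n in net_by_site[s.site] if abs(n.ts - s.ts) <= window]

        # Suppression: an anomaly that coincides with a WAN event at the same site
        # is explained by the network, so fold it into a per-site summary.
        if any(n.kind in EXPLAINED_BY.get(s.kind, set()) for n in nearby):
            folded[(s.site, s.kind)] += 1
            continue

        alert = {"ts": s.ts, "site": s.site, "kind": s.kind, "detail": s.detail,
                 "severity": "high" if s.kind == "ddos" else "medium", "auto_blocked": False}

        # Control: act on a DDoS alert only when the network side corroborates it.
        if s.kind == "ddos":
            saturated = [n for n in nearby if n.kind == "link-saturated"]
            if saturated:
                actions.append({"action": "block-ingress", "site": s.site, "segment": s.detail,
                                "reason": f"ids ddos + {saturated[0].detail}"})
                alert["auto_blocked"] = True
        alerts.append(alert)

    for (site, kind), count in sorted(folded.items()):
        alerts.append({"site": site, "kind": kind, "count": count, "severity": "info",
                       "detail": f"{count} {kind} alerts coincided with WAN link events"})
    return alerts, actions


if __name__ == "__main__":
    out_alerts, out_actions = correlate(SEC_EVENTS, NET_EVENTS)
    for a in out_alerts:
        print("ALERT ", a)
    for act in out_actions:
        print("ACTION", act)
```

Eight raw IDS events become four alerts (one of them an informational summary covering five folded anomalies) and one control action; the uncorroborated DDoS alert at branch-17 is deliberately left for a human rather than auto-blocked, since a single IDS signature with no link impact is a weak basis for cutting off a segment.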
Native SD-WAN and security integration
With the on-premises (service-chained appliance) approach, organizations are still left with all of the management and operational complexity of maintaining security infrastructure. Firewall sizing, updates and patches are still necessary. With a cloud security service, organizations still must secure non-HTTP traffic. In both cases, policy integration can be limited and analytics integration is usually non-existent.
For these reasons and more, some SD-WAN providers are going a step further and tightly coupling security and SD-WAN functions. Versa Networks uses NFV to run security functions on the site’s perimeter connecting into the SD-WAN. Cato Networks runs security as well as routing functions in its cloud.
By tightly coupling security and networking, enterprises can realize some impressive gains. Versa, for example, correlates security and networking logs for deeper analytics, potentially reducing the event load on security operations. By moving all functions to its cloud, Cato unburdens IT teams from the operational costs of separate infrastructure.
Downsides? The biggest is the shift from relying on "best-of-breed" security players to still relatively young organizations. And while Versa will work with third-party security devices, doing so means giving up on integrating security and networking analytics.
Security shall networking become
The lines between networking and security will blur in the coming years, at least on a technical level, but discrete networking and security teams will persist for the foreseeable future. SD-WANs also give security and networking teams a reason to collaborate more closely, which might just be their biggest contribution to IT security.