SD-WAN FEATURED ARTICLE

Heightened Security: Networking Software Addressing Growing Threats

April 15, 2019

By Shrey Fadia, Analyst & Consultant

Even as enterprises are increasingly adopting SD-WAN for all the obvious benefits, including simplifying operations and reducing costs, IT leaders are focusing on ensuring their private networks are secure, including those which leverage the Internet to reach locations and devices where private connections are economically infeasible. 




As enterprises add more and more digital services, whether enhancing point-of-sale systems in retail locations, building and supporting IoT deployments including digital energy meters, or ensuring mobile workers are able to connect to valuable corporate systems, databases and applications, the benefits of an SD-WAN approach are obvious: more productivity, more efficiency, less cost. 

Given all that, there is no IT decision maker who will opt for any of those benefits if he or she cannot guarantee security, and this is where Software-Defined Networking (SDN – as opposed to SD-WAN) starts to get interesting.

An IDC SD-WAN survey reports that the highest-ranking WAN challenge was “security requirements related to web and Internet applications,” and while cutting circuit spend is getting a lot of attention, clearly secure cloud connectivity is top of mind. In its survey, IDC writes:

“In the absence of SD-WAN, connecting users securely to public cloud apps is complex and expensive. In most cases, enterprises haul cloud traffic emanating from the branch back to a central Internet security point in the corporate datacenter over expensive MPLS links. This also has an impact on app performance for all apps within the enterprise that may be leveraging the MPLS links. In cases where the enterprise accesses cloud apps directly from the branch (leveraging IPSec firewalls), in the absence of SD-WAN, the security paradigm is not ideal either. All cloud-bound traffic from a branch is transported over the same IPSec tunnel with no isolation for traffic originating from different business units or traffic intended for different public cloud segments. Application-specific network policy is then applied at either of the two endpoints.”

Some argue, however, that SD-WAN is a transitional technology that is successfully weaning enterprises off MPLS to reduce expenses but is not as easy to deploy, manage, or scale. 

For the Communications Service Providers (who are at risk of their MPLS service line revenues collapsing), SD-WAN simplifies the deployment, delivery, and management of WAN connectivity services, and allows them to capitalize on the opportunity to securely connect multiple applications and multiple clouds.

But as those SD-WAN connections increase, the need for integrated security becomes mission critical, since MPLS private network architectures have been inherently secure.

By adding an Internet overlay to make private networks more attractive, CSPs realize they must provide for equal or better security measures. While SD-WAN will certainly help, some industry leaders say CSPs need to be thinking long term on their own behalf, and on behalf of the enterprises and businesses they serve.

“CSPs need to be strategizing today on how they will deliver a broader portfolio including industry relevant solutions that are cost effective yet provide security and resiliency, consistently across all end points whether that be branch, IoT or cloud applications,” said Ed Wood, CEO, Dispersive Networks, a network software, technology and services company that approaches secure virtualization differently. “SD-WAN is a completely commoditized business at this point, and for CSPs and MSPs to be competitive, they know they need to roll out secure managed solutions that embrace the ubiquity of the Internet and enable their customers’ global digital transformation. If service providers don’t focus on the applications and security of those applications, they will once again be relegated to selling commoditized broadband versus premium application-centric, ultra-secure and performant solutions.”

The dramatic growth of SD-WAN solutions, enhancing or completely replacing expensive MPLS networks and complicated, unreliable VPNs, is a leading indicator that enterprises are ready to make the move to new and better technologies to keep their businesses operating globally. With many competitors in the crowded space, including start-ups who have been acquired by giants like Cisco and VMware, CSPs who have rolled out SD-WAN offerings need to cut through the fragmentation and pay very close attention to how secure their SD-WAN offerings are, and how security approaches might diminish network response time and resiliency.

“As more and more applications are served from the cloud, as more data is stored in the cloud, and as more real-time human communications is delivered ‘as-a-service’ from the cloud, CIOs are making CFOs happier – the economics are that good, and with advances in access and identity management security, enterprises are less fearful of virtualized networking working,” Wood said. “Yet, performance across many enterprise networks has been degrading, voice calls are dropping, video streams are lagging, file sharing is slow, users are frustrated, and CIOs are left walking a tightrope between performance and cost.”

Wood says the biggest issue, however, is not cost-management, but risk management. 

“One line no CIO is willing to cross is that of security,” he says.  “With more and more endpoints being added to enterprise networks – whether more technology inside the business due to the digitization of every company, sensors and cameras for surveillance and security, lighting and other energy management devices, access systems, room counters, and more – or simply more and more mobile devices including those brought to work by employees – the attack surface is growing exponentially.”

Even VoIP networks are being hacked, Wood said, causing havoc in contact center environments, and IoT devices are being used in Mirai botnet-style attacks, where sophisticated hackers use automated bots to find a vulnerability and pivot into the entire corporate network.

“Even worse, entire service networks have been brought to a halt as part of ransomware attacks, with major payouts from companies who need to get their businesses back online after cybercriminals seize control of essentially everything from productivity applications to e-commerce sites, hosted real time business applications and more,” according to Wood.

“We’ve learned over the decade developing our platform, working with the smartest data scientists, security experts, network engineers, and leaders at the highest levels of government and military ops, as well as critical infrastructure teams and high stakes enterprises that there had to be a better way to run private networks securely – but without compromising on security.”

Dispersive Networks’ technology has been designed to help CSPs commercialize their investments in Network Function Virtualization (NFV) and, while its platform has powered a number of SD-WAN deployments, Wood said the company’s programmable networking technology, which is cloud- and security-native and purpose-built for mission critical communications, goes beyond SD-WAN’s cobbled-together approach.

“We’re proud to have developed and continue to innovate communications network software that makes offering premium, industrial grade and military proven secure and performant network services to large enterprises that are simpler for service providers to offer and manage,” Wood explained. “We did not create our software for small or non-mission-critical companies. We’ve always been laser focused on solving the challenges of complex, globally dispersed companies across the highest stakes industries: electrical power and smart grid, financial services institutions, government and military agencies, healthcare and pharma companies, retailers and the oil and gas industry.”

These industries depend on resilient, fast, real time and near real time data exchange, voice, video and messaging and IoT networks that cannot be breached.

“Service providers appreciate that our technology eliminates the need for manual reconfigurations and replaces traditional routing approaches as deflects built into the network instantaneously and automatically roll sessions over in the event of an outage or congestion along multiple pathways,” Wood said. “Basic SD-WAN platforms simply don’t operate that way.”

The IDC report also said, “Early adopters of SD-WAN appear to have achieved a reasonable degree of control over these problems of providing seamless, secure connectivity to cloud apps at the branch. With integrated Layer 4–7 firewalls, SD-WAN makes direct internet access from the branch a nonissue. More importantly, SD-WAN enables an enterprise to segment WAN traffic based on its origin or its destination. Typically, all enterprise apps are segmented into virtual private clouds (VPCs) and traffic into virtual networks (VNETs) to achieve the necessary isolation that the business units owning the apps demand. SD-WAN enables pervasive segmentation to be achieved on the WAN by isolating traffic into specific WAN segments and mapping these WAN segments onto the specific VPCs and VNETs. Application policy can now be applied to each WAN segment, thus achieving seamless, end-to-end, secure cloud connectivity for all apps.”

Rick Conklin, CTO at Dispersive, said in response to IDC’s positioning: 

“‘A reasonable degree of control’ is accurate, but is it enough? The ability to create multiple private networks for specific applications is an important advancement when we look at the transformation of networking over the last few years, but based on our work with the most demanding government agencies and critical infrastructure providers, including energy and communications grid leaders, SD-WAN does not address edge security requirements, particularly for widely distributed organizations where Internet access is the logical transmission network – not only for economic reasons but for resiliency. The Internet is the most resilient network in the world, and with technologies that provide features including encryption, software defined perimeter, authentication before access, and micro-segmentation with managed attribution, all executing on software agents that can secure any electronic device at the growing edge, companies are extending their SD-WANs and opting for more robust solutions which are redefining the future of private networking once again. Security is a must-have for SD-WAN going forward, and it must be easy to deploy, maintain, monitor and upgrade while integrating with the existing tools, capabilities and architectures of the corporate private network(s), cloud presence, and mobile workforce.”

From a networking perspective, the importance of cloud usage as a driver of WAN technology choice is also growing. Considering that “security requirements related to web and internet applications” and “complexity associated with interconnecting multiple transport types” are the top two WAN challenges in the enterprise, it comes as no surprise that SD-WAN momentum is on the rise.

But is SD-WAN, like so many other networking technologies we’ve seen evolve over the last few decades, a bridge not far enough? Time – and experience – will tell.

This will be only one of the many topics you’ll have a chance to dig into at SD-WAN Expo 2020, taking place February 12-14, 2020 in Ft. Lauderdale, Florida, part of the #TechSuperShow. Among the areas of focus will be hearing directly from the enterprise users exactly why enterprises are adopting SD-WAN and what their real experiences are.




Edited by Erik Linask