Four Security Issues To Avoid While Migrating to SD-WAN

June 25, 2019

By Special Guest
Ben Brobak, CISSP and Sr. Technical Product Manager at WatchGuard Technologies

The growth of the SD-WAN market presents an especially attractive option for midmarket businesses and distributed enterprises looking to cut costs and make their networks more efficient. As a CISSP, I’ve been working with these organizations for years helping them secure their networks. The shift to SD-WAN, while offering great business benefits, also presents new security risks for companies with networks that span many distributed locations. In fact, research in 2019 found that 43% of attacks target small businesses, so these organizations are just as at risk as large enterprises. If you’re interested in implementing SD-WAN, here are four common security mistakes you should be aware of and work to avoid.

Exposing New Attack Surface

Imagine a collection of remote offices with an MPLS (Multi-Protocol Label Switching) connection that routes all traffic to HQ, where it then passes through a corporate firewall. Since none of the remote locations are exposed to the open internet and the connection is secured at headquarters, it’s fairly safe overall. However, if that company moves to an SD-WAN model, each of those locations now has a physical connection to the internet, exposing them to a staggering number of attacks. For example, in one research trial, a fake AWS server was online for less than a minute before automated hacks began targeting it.

This creates new risk even if all of their traffic is still being routed to headquarters and through a firewall via VPN tunnels. Perhaps an attacker could exploit an open network service vulnerability through that internet connection to gain some access, and then move laterally across the SD-WAN connection into other systems. By its nature, SD-WAN increases the attack surface for many companies if not implemented with additional security controls like firewalls. In my experience, most businesses are unprepared for this extra risk, especially if they are not used to protecting branch sites from the open internet prior to SD-WAN transition, and don’t take the necessary steps to increase security.

Forgetting About Firewalls

Next, companies that rely heavily on basic router security and MPLS lines to protect their data often forget to update their security hardware or practices when they move to SD-WAN. For example, consider an organization, also with many remote locations, that uses MPLS for its corporate traffic plus a small internet connection protected by a firewall at each location. Modern routers do offer some basic security capabilities (this is often just an Access Control List), roughly equivalent to what firewalls did 15-20 years ago. Organizations like the one I just described often rely on these router security features to protect their MPLS lines, and a firewall to secure the small amount of internet traffic at each site.

The problem: when these companies upgrade to SD-WAN, they often swap all their equipment, including the firewall, for SD-WAN routers. Now they’re moving significantly more traffic across the open internet and have removed the limited security their firewalls were providing. Even if they are still relying on the basic ACL security built into their routers, they’re 15 to 20 years out of date in terms of network security! This leaves them extremely exposed to new security threats, like obfuscated, evasive malware, trojans, network software exploits, and DDoS attacks.

Applying Security Centrally Instead of Distributed

In the aforementioned example, companies moving to SD-WAN are applying security to their traffic using a central firewall at headquarters. But some network security should be applied at each network and gateway. For instance, Intrusion Prevention Services (IPS) applied at each individual location’s gateway can protect each site from other sites. This can catch network worms as they spread from system to system, or stop an attacker from moving laterally through the network. If security is applied centrally, there’s no network segmentation and malware can spread through the network more easily. Internal threats will be much more dangerous in this scenario – all it takes is one employee to bring a laptop with malware they picked up somewhere else into the office (or a USB drive they picked up in the parking lot) and connect to the network for malware to slip past the central firewall and wreak havoc.

Accidentally Bypassing the Firewall

This one sounds like an incredibly dumb mistake, but it happens more often than I’d like to see. Organizations using a pure-play SD-WAN appliance and a firewall may accidentally bypass the firewall, which prevents their traffic from being protected at all! There are a few ways this can happen:

  • If an SD-WAN appliance is behind a firewall, then traffic is sent over the tunnels before the firewall does any inspection.  
  • More often, IT will bypass the firewall to troubleshoot the SD-WAN appliance (sometimes at the urging of the SD-WAN provider), but then forget to turn it back on after things are fixed.
  • The SD-WAN appliance should be installed in front of the firewall so that the SD-WAN box handles the WAN connections and the firewall still protects the internal network.

If you’re a security-conscious IT director managing an SD-WAN rollout, you have a few options for securing your SD-WAN properly.

First, you may just be able to use your firewall. Many new UTMs offer some SD-WAN features, like dynamic path routing and a VPN. If all you need is to choose the best of multiple WAN interfaces, then this option may be right for you. If you need features like a dedicated pipe to a cloud-based SD-WAN, then look for an SD-WAN provider that has a partnership with your security provider. There will be fewer configuration issues with this solution since the companies have worked these out in advance for you. If that isn’t an option, then carefully set up your SD-WAN appliance and a firewall to ensure that your traffic is being inspected. With these best practices in hand, you’ll be well-equipped to enjoy the benefits of SD-WAN while keeping your employees and customer data safe from hackers.

Edited by Maurice Nagle