Is SD-WAN Secure Enough for Mission Critical Applications and Essential Infrastructure?

October 01, 2019

By Juhi Fadia, Correspondent

A great deal has been written about the benefits of SD-WAN, especially for distributed businesses that require reliable, private connectivity between geographically dispersed locations. Without a doubt, SD-WAN solutions are being adopted to reduce cost and improve agility compared to legacy solutions. Whether connecting restaurant chains, retail stores or gas stations, SD-WAN appears to be a good fit for basic edge network connectivity.

But what about clouds and applications that connect government agencies, hospital systems, energy grids, military branches, public safety systems, smart cities and other networked organizations for whom security breaches could be not only costly and embarrassing but also disastrous or even deadly?

Given the years of hype on SD-WAN, many still believe a high level of security is built in, but experts know this is not the case. Most SD-WAN products do include some embedded security capabilities, but those capabilities are based on 23-year-old designs. For organizations and enterprises that handle sensitive data, private information, payments, and confidential interactions, IT teams need to dig deeper to understand the vulnerabilities associated with “just SD-WAN” architectures.

EMA’s WAN Transformation research reported that businesses that implemented traditional SD-WAN networks are 1.3 times more likely than the average enterprise to have experienced a security breach in a remote site over the last year. Shamus McGillicuddy, the author of the report, tapped over 30 enterprise WAN decision-makers and subject matter experts to examine all aspects of WAN transformation, from cloud to Internet and best practices, with warnings on what enterprises should not do with their networks.

EMA suspects that these enterprises whose SD-WANs were compromised may have been oversold on the native security capabilities of the providers they chose.

“Many organizations are moving their network infrastructure and applications to the cloud. This trend, combined with the rapid growth in multi-tenant LANs, media-rich applications, and networked devices, is placing increasing demands on WAN service delivery,” McGillicuddy wrote earlier this year.

Cisco’s SD-WAN, formerly Viptela, is an overlay architecture that the company says builds secure, unified connectivity over any transport technology (Multiprotocol Label Switching [MPLS], broadband, Long-Term Evolution [LTE], Very Small Aperture Terminal [VSAT], and others). Cisco promotes its solution on the basis of simplified operations with centralized management, policy control, and application visibility through its Secure Extensible Network (SEN) platform, which enterprises and service providers use to build large-scale networks with full integration of routing, security, centralized policy, and orchestration.

“It is a myth – and a dangerous one – that SD-WAN equals security,” said Chris Swan, Chief Revenue Officer, Dispersive Networks. “SD-WAN is turning out to be a lot more expensive and complex than originally promised, and without the right software and tools in place, they are less secure than previous options, for example the private MPLS networks they seek to replace.”

Swan explained that for mission critical infrastructure and other high value and high-risk applications, it’s essential that software-defined networks protect data at rest, data in use, and data in motion.

“Security must be natively embedded in private networks, as bolting on additional tools causes more problems than it solves,” Swan said. “Adding layers of security instead of ensuring security in the network paths themselves can slow down performance, increase costs, and drive ongoing complexity that network operations teams don’t need, especially as attacks are on the rise and the attack surface is expanding.”

Dispersive works with government and military agencies, energy companies, financial institutions and others whose demands for cyber security are at an all-time high.

“We’ve chosen to go well beyond traditional SD-WAN offerings in support of enterprise and government digital transformation projects, where there can be no compromise when it comes to security. With our programmable networking approach, our customers can leverage the ubiquity and economics of the Internet while supporting centralized control, microservices, multi-cloud architectures and growing their implementations across a much more comprehensive and secure edge, including IoT and Industrial IoT.”

Swan explains the difference Dispersive networking makes: it splits every session into multiple channels that transit different core paths deployed over a choice of public and private clouds.

“We look at SDN differently than traditional SD-WAN providers,” Swan said. “The data and each channel is encrypted with a different, NIST-compliant encryption key. Furthermore, if the programmable network detects a man-in-the-middle, BGP attack or other network or QoS disturbance, Dispersive reacts in real time, dynamically and automatically rolling data from the troubled channel to a reliable one. This avoids attacks, bottlenecks and service interruptions while accelerating throughput.”

Swan explains that this also eliminates a key security weakness of VPNs: the single data path. “This one pipeline is not only an attractive target for hackers, but it makes decryption easier because all data is captured in order from one source. Conversely, Dispersive’s multi-channel approach and data-rolling capability makes reconstructing the data virtually impossible.”
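As an added illustration, not Dispersive's code or any vendor's implementation, the following Python toy models the two ideas in the quotes above: each channel of a session gets its own key derived from one session secret, and a chunk whose channel drops it or fails its integrity check is rolled to a healthy channel and the session reassembled in order. It uses HMAC-SHA256 for per-channel key derivation and integrity tags in place of the per-channel encryption Swan describes, because the standard library has no authenticated cipher; the channel model, the fault flags and the sample payload are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical multi-channel session model (constructed for illustration).
# Every channel key is derived separately from the session secret, so a key
# recovered from one channel tells an observer nothing about the others.

def derive_channel_key(session_secret: bytes, channel_id: int) -> bytes:
    # HMAC-based derivation; a stdlib stand-in for a real KDF such as HKDF.
    label = b"channel-%d" % channel_id
    return hmac.new(session_secret, label, hashlib.sha256).digest()

def integrity_tag(key: bytes, seq: int, chunk: bytes) -> bytes:
    # Tag binds the sequence number to the chunk so reordering is detected too.
    return hmac.new(key, seq.to_bytes(4, "big") + chunk, hashlib.sha256).digest()

@dataclass
class Channel:
    cid: int
    key: bytes
    up: bool = True           # constructed fault: channel outage
    tamper: bool = False      # constructed fault: bytes flipped in transit

    def deliver(self, seq: int, chunk: bytes, tag: bytes):
        """Simulate transit; returns what the far end receives, or None if dropped."""
        if not self.up:
            return None
        if self.tamper:
            chunk = bytes(b ^ 0xFF for b in chunk)
        return (seq, chunk, tag)

class MultiChannelSession:
    def __init__(self, session_secret: bytes, n_channels: int):
        self.channels = [Channel(i, derive_channel_key(session_secret, i))
                         for i in range(n_channels)]
        self.rolled = []      # (seq, from_channel, to_channel) log for operators

    def healthy_channel(self, exclude: set) -> Channel:
        for ch in self.channels:
            if ch.up and ch.cid not in exclude:
                return ch
        raise RuntimeError("no healthy channel left")

    def send(self, data: bytes, chunk_size: int = 4) -> bytes:
        """Spread chunks round-robin over channels; roll on drop or tag failure."""
        chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
        received = {}
        for seq, chunk in enumerate(chunks):
            ch = self.channels[seq % len(self.channels)]
            tried = set()
            while True:
                tried.add(ch.cid)
                out = ch.deliver(seq, chunk, integrity_tag(ch.key, seq, chunk))
                if out is not None:
                    rseq, rchunk, rtag = out
                    # Receiver verifies with the same per-channel key.
                    if hmac.compare_digest(rtag, integrity_tag(ch.key, rseq, rchunk)):
                        received[rseq] = rchunk
                        break
                # Dropped or tampered: mark the channel bad and roll the chunk.
                ch.up = False
                nxt = self.healthy_channel(tried)
                self.rolled.append((seq, ch.cid, nxt.cid))
                ch = nxt
        # Reassemble in sequence order regardless of which channel carried what.
        return b"".join(received[i] for i in range(len(chunks)))

if __name__ == "__main__":
    session = MultiChannelSession(b"constructed-session-secret", 3)
    session.channels[1].tamper = True          # constructed in-transit modification
    print(session.send(b"mission-critical"))   # payload survives; channel 1 is rolled
    print(session.rolled)
```

The `rolled` log is what a network operations team would want surfaced: which sequence numbers moved, from which channel, and to which, so a channel that keeps failing its integrity check can be investigated rather than silently absorbed.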

To further increase security, Swan said the programmable networking approach requires off-network, two-factor authentication before providing network access, with the ability to integrate identity management solutions. “Our call-out only approach also shifts the attack surface outside the enterprise network and eliminates the need for open firewall ports. Multi-cloud networking is becoming increasingly common,” Swan said, “so it is critical to be able to operate across multiple clouds and networks with a solution that is resilient to outages, including DDoS attacks. If the Dispersive Network identifies disruption, it can roll to other clouds. Couple the adaptive nature of programmable networking with active managed services, and you get that mission critical level to protect data, resources and assets.”

“Our history serving the most demanding government agencies, utilities and enterprises in the world has confirmed that mission-critical CIOs are not willing to compromise security. With more and more endpoints being added to enterprise networks, the attack surface is growing exponentially. There can be no trade-offs when it comes to preventing adversarial attacks,” Swan said, “and rather than layering applications, adding security into the network itself, with multi-paths, deflects and the multi-factor authentication of every single endpoint, cloud, application and user is the only solution we see that will scale to meet the growing demands as digital services grow.”

Juhi Fadia is an engineer, analyst, researcher and writer covering advanced and emerging technologies.

Edited by Maurice Nagle
