Star Wars, Network Security and the Force of SD-WAN
“This is not going to go the way you think.” — Luke Skywalker
Like me, you’ve probably seen Star Wars: The Last Jedi a few times already. And, like me, you probably enjoyed it more than you expected. (For me it may have been partially due to the full-reclining seats, buttered popcorn, and 3-D glasses, but I digress).
The Last Jedi got me thinking about SD-WAN security: how the First Order broke through the Resistance’s “firewall” and tracked General Leia Organa’s ship through hyperspace; how Rose and Finn neglected to treat DJ, the codebreaker they enlisted, as a potential insider threat; and how the Resistance’s security posture was not nearly strong enough to withstand the First Order.
The Resistance is not alone in struggling to prevent and mitigate the impact of security threats. With cyberattacks on the rise, the average number of successful breaches per company per year has risen more than 27 percent, from 102 to 130, according to a recent Ponemon Institute/Accenture study. These breaches cost companies an average of $11.7 million USD annually.
Here at Riverbed, we’ve led the charge around a better way to manage and secure the network. IT teams are embracing Software-Defined WAN (SD-WAN, the application of software-defined networking, or SDN, to the wide-area network) for its ability to centrally configure and manage hybrid WANs, cloud connectivity, and branch office networks. Many of our customers are also adopting SD-WAN because it provides greater security than traditional MPLS networks managed device by device; MPLS separates customer traffic, but it does not encrypt it.
7 ways that SD-WAN security makes your network more secure
I’ve highlighted the top 7 ways that Software-Defined WAN technology can make your network more secure than a traditional MPLS network. Starting from the top:
- Centralized Security Policy Management vs Device-Centric Management: SD-WAN gives you centralized control of network-wide business and security policies. Rules are implemented, deployed, managed, and changed once and pushed to the whole system, instead of being typed into each device’s command-line interface (CLI) or driven by custom scripts, both of which are prone to human error. SD-WAN provides rules-based traffic, security, and hardware assignment policy definition, and it is centralized and automated rather than manual and per-device. Say goodbye to CLI. The flip side is that the controller becomes the most valuable target on the network: protect it with strong authentication, role-based access, and an audit trail of every policy change.
- Unified Views of the Network vs Multiple Panes of Glass: SD-WAN management dashboards offer unified views of the network topology, including registered and online appliances and new events. The dashboards continuously and automatically reflect network events, sites, and tunnel status to validate that security policies are working as expected. You can gain insight into the entire network topology or drill into specific site, application, and user views. With improved visibility and integrated analytics, you can troubleshoot problems quickly, plan changes better, and even roll back changes that are not working as intended.
- Built-in Firewalls vs Separate Firewall Appliances: SD-WANs provide centralized support for embedded security, firewalls, access points, and switches, eliminating the need for additional security appliances in many remote/branch location scenarios. They include a built-in stateful firewall and allow tight policy control over the types of Internet traffic that are allowed in and out at a branch. The appliances ship as hardened platforms and encrypt traffic in flight. Bear in mind that a stateful firewall filters on addresses, ports, and connection state; where you need content inspection or intrusion prevention, keep a dedicated or cloud-based inspection service in the path. Lastly, because many SD-WAN deployments run on top of existing infrastructure, they work in combination with your current firewalls and switches.
- Network Segmentation: You can define granular segmentation policies tied to application characteristics, network configurations, addressing, and so on, which are distributed to every node in the SD-WAN. Based on those policies, the SD-WAN builds multi-point IPsec tunnels that dynamically enforce segmentation of LAN and Wi-Fi users and devices across all locations. Many organizations use segmentation to reduce their attack surface and contain breaches: a compromised device in one segment can reach only what the policy allows. Traditional WAN segmentation was built from Layer 2/3 constructs (VLANs, VRFs, ACLs) and was not driven by application and business priorities.
- Identity-Based User Access: SD-WAN identifies users by name, role, or job function and assigns each user to a virtual network zone, which simplifies management. The zone follows the user and their devices across all locations, whichever device is used. User-identity-based access control is a better fit for mobile and bring-your-own-device (BYOD) environments than controls tied to IP addresses or ports.
- Secure Guest Wi-Fi Access: SD-WAN offers authenticated, identity-based registration and then sends all guest Wi-Fi traffic straight to the Internet, with a firewall between the guest zones and the internal zones. Guests can self-register each device in minutes, and the security policy is attached automatically to every device that user registers. Web content restriction and malware filtering can also be set as policies. Verify the isolation after deployment: a guest device should be unable to reach any internal address at all, not merely blocked by a web filter.
- Auto Virtual Private Network (AutoVPN): AutoVPN, built on industry-standard IPsec with AES-256 encryption, creates a secure VPN backbone around remote branches and users. It can also be deployed between access points and gateways, as well as to third-party VPNs (Classic VPNs). Encrypted AutoVPNs are typically supported over all WAN transports, including Internet and MPLS, and can be applied to SD-WAN environments carrying highly sensitive data and applications. Check the negotiated proposal rather than assuming it: IKEv2 with an authenticated-encryption mode such as AES-256-GCM and a strong Diffie-Hellman group, with legacy options such as 3DES, SHA-1, and 1024-bit groups disabled.
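To make the centralized-policy, segmentation, guest-isolation, and AutoVPN items above concrete, here is an added example of my own; it is not Riverbed product code and was not part of the original post. It is a small Python policy compiler: it takes one declarative, network-wide policy (zone prefixes, an explicit allow list, the IPsec proposals for the tunnels), refuses policies that would let the guest zone reach an internal zone or that pin the tunnels to weak algorithms, renders the ordered rule set every branch would enforce, and then evaluates sample packets against the result, which is the “validate that policies are working as expected” check from the dashboard item. The zone names, prefixes, and rule format are constructed for illustration; the proposal strings use strongSwan-style algorithm lists.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy (not from the page): three zones present at every
# branch, an explicit allow list, and the IPsec proposals for the site-to-site
# tunnels in strongSwan-style notation. Anything not listed in "flows" is denied.
POLICY = {
    "zones": {
        "corp":  {"prefixes": ["10.10.0.0/16"], "trust": "internal"},
        "iot":   {"prefixes": ["10.20.0.0/16"], "trust": "internal"},
        "guest": {"prefixes": ["192.168.100.0/24"], "trust": "guest"},
    },
    "flows": [
        {"from": "corp",  "to": "iot",      "proto": "tcp", "ports": [443]},
        {"from": "corp",  "to": "internet", "proto": "any"},
        {"from": "guest", "to": "internet", "proto": "any"},
    ],
    "tunnel": {"ike": "aes256gcm16-prfsha384-ecp384", "esp": "aes256gcm16-ecp384"},
}

WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "null"}
AEAD_CIPHERS = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}


def validate(policy):
    """Return the list of policy violations; an empty list means it is sound."""
    zones, problems = policy["zones"], []
    nets = [(z, ip_network(p)) for z, d in zones.items() for p in d["prefixes"]]
    for i, (za, na) in enumerate(nets):            # zone prefixes must not overlap
        for zb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"zone overlap: {za} {na} vs {zb} {nb}")
    for f in policy["flows"]:
        src, dst = f["from"], f["to"]
        if src not in zones or (dst != "internet" and dst not in zones):
            problems.append(f"unknown zone in flow {src}->{dst}")
            continue
        if zones[src]["trust"] == "guest" and dst != "internet":
            problems.append(f"guest zone {src} may reach only the internet, not {dst}")
    for side, proposal in policy["tunnel"].items():  # AutoVPN crypto hygiene
        tokens = proposal.split("-")
        if WEAK_TOKENS & set(tokens):
            problems.append(f"{side} proposal uses a weak algorithm: {proposal}")
        if tokens[0] not in AEAD_CIPHERS:
            problems.append(f"{side} proposal should use an AEAD cipher: {proposal}")
    return problems


def compile_rules(policy):
    """Render the per-branch rule list (first match wins); raise on violations."""
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    zones, flows = policy["zones"], policy["flows"]
    # Rule shape: (action, src_prefix, dst_prefix, proto, ports). The ports slot
    # "established" admits return traffic of sessions that were already allowed.
    rules = [("allow", "any", "any", "any", "established")]
    # Zone-to-zone flows first so they win over the internet-flow denies below.
    for f in [x for x in flows if x["to"] != "internet"]:
        for s in zones[f["from"]]["prefixes"]:
            for d in zones[f["to"]]["prefixes"]:
                rules.append(("allow", s, d, f["proto"], f.get("ports") or "any"))
    # "internet" means everything that is not one of our zones. A bare allow to
    # 0.0.0.0/0 would also match internal prefixes, so deny those first.
    for f in [x for x in flows if x["to"] == "internet"]:
        for s in zones[f["from"]]["prefixes"]:
            for other, d in zones.items():
                if other != f["from"]:
                    for p in d["prefixes"]:
                        rules.append(("deny", s, p, "any", "any"))
            rules.append(("allow", s, "0.0.0.0/0", f["proto"], f.get("ports") or "any"))
    rules.append(("deny", "any", "any", "any", "any"))  # default deny
    return rules


def decide(rules, src, dst, proto, port, established=False):
    """Evaluate one packet against compiled rules: does enforcement match intent?"""
    s, d = ip_address(src), ip_address(dst)
    for action, rs, rd, rp, rports in rules:
        if rports == "established":
            if established:
                return action
            continue
        if rs != "any" and s not in ip_network(rs):
            continue
        if rd != "any" and d not in ip_network(rd):
            continue
        if rp != "any" and rp != proto:
            continue
        if rports != "any" and port not in rports:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    compiled = compile_rules(POLICY)
    # Guest Wi-Fi reaches the internet but never the corporate zone.
    print(decide(compiled, "192.168.100.7", "8.8.8.8", "tcp", 443))    # allow
    print(decide(compiled, "192.168.100.7", "10.10.5.5", "tcp", 443))  # deny
```

The point worth taking away is the handling of “internet” destinations: a naive compiler would emit a single allow to 0.0.0.0/0 for the guest zone, which silently also permits guest-to-corporate traffic. Emitting the inter-zone denies first, and then checking the compiled result with sample packets, is the kind of validation a central controller can do once for every branch instead of an administrator eyeballing each device’s CLI.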
I know that I said 7 but…
For many of us, direct Internet connections raise security concerns. Cloud-based security services such as Zscaler can reduce the threats associated with direct Internet access. In this scenario your SD-WAN is service-chained to the cloud security gateway, which inspects all traffic inline, including TLS (SSL). You get advanced threat prevention, data protection, access controls, and compliance reporting, all while maintaining performance and an improved user experience. Inline TLS inspection works by terminating and re-signing connections, so the gateway’s inspection CA must be trusted on every managed endpoint, and applications that pin certificates, along with traffic categories you are not permitted to inspect, need explicit bypass rules.
SD-WAN and the last, Last Jedi
On a final note, the Resistance lacked the visibility to recognize that its security had been breached, which brings me to network visibility. Visibility is essential for quickly identifying breaches and rolling out fixes. When it is woven into a management dashboard that includes end-user experience and device, application, and infrastructure monitoring, it becomes a more powerful force (pun intended). Seeking more insight on how to improve your SD-WAN Jedi skills? Check out the white paper, Solving Cloud and Branch Office Security Challenges with SD-WAN.