SD-WAN Security Solutions
Cisco SD-WAN Security Solutions
Gartner predicts that by 2023, 93% of organizations will be doing some form of SD-WAN for the WAN edge. The reason for this disruption are obvious. Organizations can save money by not being as reliant on private circuits, providing better application performance with intelligent monitoring and steering and simplified management with orchestrators and zero-touch provisioning. But with all of these moving parts come old and new security concerns.
In order to secure the SD-WAN, first thing to realize is a not all SD-WAN is created equal. With the explosion of Cisco SD-WAN Security Solutions over the last few years, we’re seeing more and more vendors incorporate SD-WAN as a feature into their existing product offering.
That means that we have an influx of traditional networking when optimization and security vendors who are now competing with the pure-play SD-WAN vendors (e.g. Cisco SD-WAN). While this means more options for the consumer, you also have an abundance of SD-WAN vendors to pick from with varying levels of proficiency.
The security offerings from the various vendors can be grouped into three general categories: Cloud-based, Third party integrators or built-in security.
SD-WAN cloud-based security means the SD-WAN devices is not doing any local inspection and instead it offloads all the packets that require inspection to a cloud service. That means that for every packet that needs to be inspected, the SD-WAN device is forwarding it off to a cloud for security inspection.
Third party integration usually comes in the form of service chaining using VMs server chaining is an SD-WAN terminology to describe multiple virtual services working together within a physical box. In most cases SD-WAN would provide the networking service while the security vendor would provide the security services.
All this happening on the same physical box using a hypervisor and an SD-WAN controller (e.g. Cisco vManage). Built in security offering means a security inspection is happening in the SD-WAN appliance itself. These are generally traditional security devices like a UTM or next-gen firewall they have SD-WAN Security Solutions as a feature.
All three options have their pros and cons but from a security perspective there’s one option that you should only use as a last resort, and that leads us to the first item on our list number.
Cisco SD-WAN On-Premise Security
From a security perspective, on-premise security is always preferred over the cloud for a number of reasons. Not only does it provide additional services that a cloud-based solution doesn’t offer, but it also lowers your bandwidth costs and increases performance at the edge. For cloud inspection, to work properly all branch internet traffic must be forwarded to the cloud through a GRE or an IPSec tunnel.
That means a regular user traffic needs to be forwarded to the nearest cloud datacenter, inspected and then forward it off to the destination. That means that if you have an SD-WAN rule to route an application (e.g. Office 365) directly out to the internet without going through the cloud inspection first, it bypasses security altogether. In other words, everything needs to route through security cloud.
This removes almost all the benefit of implementing SD-WAN in the first place. It also means higher when usage which leads to higher costs particularly if you’re using a 4G card as a backup link which charges per Megabyte. On-Prem security can be accomplished with the Cisco SD-WAN that provides security services natively on the box using Firepower features on the vEdge and cEdge devices.
This option greatly increases the performance on traffic that require security inspection while also lowering the cost by reducing the amount of traffic that is sent off through the WAN. All needed segmentation access layer security intra-brand security, inspection, for example scanning Malware on a file share at the branch, breach containment, quarantine and even local authentication can be handled by Cisco WAN Edge devices.
Cisco SD-WAN Application Routing
In SD-WAN we create rules that specify where to route application or groups of application. First, you have to first identify the applications that are actually in use. Next, customers should identify which of these applications need to be back hauled to your cloud or data center.
These will be called known corporate applications. For applications that use a direct internet connection, known as SaaS applications. For business continuity, it’s critical that these applications always work at all times through redundant paths. The next group of applications can be a group called allowed application.
These can be applications that polled little to no security risk and are allowed out to the Internet to provide business functionality. Cisco SD-WAN products will offer layer 7 identification of potentially risky application. This category can include things like botnet activity, security evasion software, proxy avoidance and many more.
We’ll also want to create an application group for applications that we know should never be used. For instance, if your company is using an internal file share, we can block all other forms of file sharing like Dropbox and Google Drive. Ultimately these unwanted categories should be blocked before ever leaving the site.