Is SD-WAN Secured?

 

Issues with traditional security:

• Traditional security is discontiguous configured site by site manually. Which is complex and is not easy to manage.

• Current security model is designed as per traditional architectures like on-prem Data centres services and Office users.

• Enterprises are moving towards multi-cloud environment with current on-prem security has many gaps to secure SAAS/IAAS/PAAS cloud solutions.

• Now customers with mobile security should not be only tagged to his machine,location or port.

• Business is changing sometimes requires fast service and security rules for required couple of hours only.

• This traditional security can provide some sort of security with in enterprise however when users are mobile and accessing cloud , REST API's interactions over internet.It requires new intelligent security design.

• There is a need of security model with full stack intelligence,proactiveness,analytics,IPS,IDS,malware protection,Sandbox and DNS layer security.

• Zero trust security model is required. Zero Trust is basically change in the traditional security best practices where inside users were considers as trusted users.

•  But the problem is if any organisation has hosted everything on their backbone network like MPLS they will have all security appliances and policies in place.No one can access the inside network. However despite of having all security practices in place the network can still be compromised.What if, any of the inside user is compromised then entire security will be compromised.Most of these attacks happens from the inside.From outside it not so easy to crack the private network.

• As shown below in figure 1  the control plan corporation has user inside the office which are in traditional security designs considered as trusted user and users accessing the network from outside of office are untrusted users.

• By chance, if internal security is compromised then  it could be a disaster.

• To avoid such issues Zero trust model was invented by Forrester Research Inc.Anybody on network inside or outside everybody have to follow strict security policies and check lists to access network.

•  And to protect the end user security MFA multi-factor authentication came into picture.As all are using BYOD (Bring your own device) accessing internet/cloud hosted application or enterprise application from their personal mobile devices.

• In today's working environment, security is not restricted within the building,it is distributed everywhere.

Figure-1-Zero-Trust

• Let's take an example of traditional security Bob staying in the control plane society.He visit bank whenever he needs to check his balance or withdraw amount.This was because back in early 2000 there was no such strong remote security or core banking facilities exists. Banks were only secure place for transaction and security was restricted to on-premises. Bob was wasting most of the time  and money  going to bank.But in today's  fast moving world this model is outdated and slow.Time and security means revenue.

Figure-3-Traditional-Security

• Now application are changing from desktop websites to mobile phone websites to smartphone apps.Security requirement is also changing per application based.Most of the traffic we access now a days is SSL/TLS encrypted.All the websites with https where 's' is secure are SSL/TLS encrypted websites. NSS Labs predicts that around 75 percent of total enterprise traffic will be encrypted by next year.Traditional security model always trust the SSL traffic assuming its encrypted.It means half of the traffic will pass the security uninspected which is a threat.
• Below figure shows anyone is assessing the banking or any cloud websites  from office or home are https and tradition security will always send SSL traffic uninspected.
• SSL security can be used for attacks like intruders can build their own SSL website and launch attack if SSL inspection is not in place.
• Attacker can hide the malicious data the SSl enable sites any can launch attack by bypassing the security if uninspected.

Figure-2-Encrypted-Traffic

• You have got basic understanding now ,how traditional security and on prem-hardware security can not provide the complete security as per today's application and user requirement.As both are mobile not restricted to a single computer or location. SDWAN solution is application-aware and DPI (Deep packet inspection) which has list of well known ports to identify the application along with cloud SAAS application visibility as well.This features were missing in traditional WAN or security designs.

• SDWAN provides in-built security features like IPS,IDS,Firewall,Advanced Malware protection,private cloud security,public cloud security fro enterprises.

• In the diagram shown below you can see remote site is accessing public cloud.And could functionality extend  till SDWA edges.Making easy choice for enterprises who are already using Multi-cloud functionality.Its make easy to connect IAAS,SAAS cloud applications.  

• Let's first take an example if traditional WAN and security were in place.When remote site will access  public cloud if primary link is MPLS traffic will either back hauled to data center for accessing cloud where generally cloud peering will be establish and there will be set of high end security appliances.You need set of WAN optimization devices to optimise the MPLS traffic so that like is not over utilized. Or Cloud traffic like SAAS is allowed over backup internet link where additional security is required.Last traditional scenario is using DMVPN tunnels over internet to back haul to datacenter. This will degrade the WAN  performance as those tunnels will not have QoS.

• Now take SDWAN example if remote site wants to access public cloud it can use both transports.All above gaps will be overcame by SDWAN solution as both transports MPLS and internet can be used on intent basis. As now a days internet links are also improved enterprise grade. SDWAN has in-built security.For internet transport security cloud can be integrated along with baked-in SDWAN security .

• There is no requirement of WAN optimizers. As traffic will be optimised on many other factors auch as quality of link, jitter,packet loss,application criticality.And even MPLS usage will be offloaded and shared among multiple internet link transports.Making SDWAN more flexible,intelligent and secure as compare to traditional networks.

Figure-4-SDWAN-Cloud-on-Ramp

Will SD-WAN replace MPLS?

• SDWAN -Software Define Wide Area Network.
• MPLS  - Multi-Protocol  Label Switching.

As you know that there are a lot of digital transformations happening in recent years and the things have been changing with rapid pace.Starting from the desktop websites to mobile websites and then from mobile apps to cloud apps, OTT media services.But the problem was with the network, its was designed on the basis of hops,device,source and destination based with no visibility to applications.The network was not application centric.

 

In order to meet the current business requirement enterprise network need to be more intelligent,cost-effective and with fast WAN deployments.That's why SDWAN solution came into picture to fill-up this gap.

Let's take an example, In picture shown below you can see a car dashboard. It was late 80's or 90's design which had basic information to reach from Point A to B.You can relate this to MPLS without SDWAN. MPLS will still be there for backbone connectivity.But this design will not meet today's business requirement.

              

                                                                                              Picture-1

SD-WAN

What is SDWAN? SDWAN vs traditional WAN?

SDWAN 

SDWAN is most advanced technology in WAN.Today there are multiple SDWAN vendors exists. However this discussion will not be vendor specific.It will be a general high level overview about SDWAN solution.

• SDWAN stands for Software Defined Wide Area Network.
• In SDWAN  control plane ,data plane and management planes are segregated.
• In addition to this we have new term in SDWAN which is orchestration plane.
• Orchestration plane is policy driven segment of SD-WAN where we can push any action on sites using policies.
• This action can be traffic flow,routing changes,transport change etc.
• SDWAN has application aware routing functionality.Which means it can identify the applications.So,accordingly critical applications traffic engineering can be done.
• SDWAN solution is transport independent.It's does't matter if you have MPLS, private cloud or Internet link.Just need reachability till controllers.
• SDWAN has controllers which can be hosted on public cloud or on customer on premises  data centres.
• These controllers serve Management ,Orchestration and Control plane services.
• The data plane reside inside the another SDWAN customer edge router device which will be installed on remote sites or Data Center.
• The remote site or customer data center should have underlay reachability till controllers.
• The term underlay and overlay is frequently used in SDWAN environment.
• Underlay is physical connectivity and reachability  of site A to site B or site A to any DC or Site A to internet.
• Overlay is a logical connectivity which is build over underlay using IPSec in case of SDWAN.
• All the Customer Edges SDWAN routers  will connect to controllers using secured encrypted tunnels.
• All the SDWAN controllers will have to exchange the encrypted keys before establishing the secure connection.
• For control plane traffic there will be direct tunnels towards SDWAN which will be established after whitelisting and key exchange mechanism.
• All the SDWAN edges devices will have serial number tagged to a particular organisation.
• Once the control connection between controllers and SDWAN edges is established, All SDWAN edges devices will receive the information about the destination from controllers.
• After getting the the destination information the SDWAN edges will establish the dynamic IPSec full mesh tunnels with all site for data plane connectivity.
• These IPSec tunnel connection is more faster ,dynamic and different from tradition IPSec.
• Advantage of SDWAN is if site has two WAN links either MPLS-Internet,MPLS-MPLS,Internet-Internet.Both can be utilized using policy driven routing.  
• Customer SDWAN edges have plug and play feature no manual intervention required.
• Inbuilt  traffic inspection and detection, no separate hardware required. 
• SDWAN will monitor the all possible underlay end to end hop connections as well.So,  any issues can be reported proactively.
• As SD-WAN controllers are hosted in cloud, this solution has capability of Cloud integration.
• Deployment time is very less.

Traditional WAN:

• In tradition WAN there is no application visibility.
• For each site CPE need manual intervention and Provider dependency for routing and peering setup.
• Does not have flexibility and fast enough to do application aware routing.
• In traditional WAN there is a DMVPN solution to use internet as underlay however that is not much scalable and have limitations.
• Control Plane lies on same CPE so have to login to each CPE for any changes.
• For WAN  Traffic optimization,inspection and detection separate hardware required. 
• Required more bandwidth and both WAN links will not be utilized optimally.
• It has legacy way for cloud integration.When enterprise use multi-cloud, its difficult to manage and troubleshoot.
• If any of the WAN link is highly utilized it require a manual intervention to offload the traffic to backup link.
• The manual offloading is expensive if both links are MPLS as enterprise need to opt for active/active load sharing WAN connection which will increase the operational cost.
• If backup link is DMVPN it has limitation voice and video traffic performance will be degraded.There is no dynamic tunnel tracking.Sometimes required a manual bounce to refresh the tunnel.
• Some of the service providers use 3G/4G backup links on which performance will be very poor with unoptimized traffic flow.
• Enterprises will have very less visibility at provider end.For any issue enterprises need to log a case with service provider where getting response and resolution on time is challenging.
• For each WAN changes enterprise need to engage provider engineer and have to careful about prefix limits.Requires downtime and sometime failover will also not work due to many issues.
• It's very expensive and time consuming.

        

 

Overall because of these advantages most of the organisations are moving towards SDWAN solutions.It is single fabric to manage all the WAN devices.Can SD-WAN replace MPLS? Follow us for upcoming blogs to know more.