In my last blog, I wrote about the origins of SD-WAN and its benefits. However, these advantages are certainly not without their challengers and threats, which all interested companies should consider when analyzing the various options offered by the market.
From a security point of view, the main threats arising have to do with the use of unprotected residential broadband networks. Unlike what happened with traditional corporate WAN networks, where services such as MPLS created virtual private networks that were unreachable from the Internet, these residential broadband networks, connect SD-WAN branches directly to Internet.
Therefore, there are several additional security risks for SD-WAN networks versus MPLS networks.:
- Firstly, traffic running over Internet is, by its very nature, unsafe. It requires encryption to avoid being inspected or even replaced by third parties. All SD-WAN solutions currently on the market use VPN technologies to create an ‘overlay’ (virtual WAN net) over the physical network. However, not all VPN technologies are the same and these differences can be seen in the quality of authentication or encryption in proprietor VPN mechanisms.
We can also look at theTrack records of individual proprietor mechanisms and their benchmarks (SD-WAN is still a very new technology) to analyze robustness and scalability. These two factors have a significant impact on both launching and operating costs.
- Secondly, and perhaps more importantly than the fact that our corporate traffic can be seen in the Internet, is having SD-WAN offering online access to corporate datacenters to anyone who can mimic a branch SD-WAN terminator. As most residential broadband Internet connections use dynamic IP (unknown a priori), SD-WAN solutions are designed to operate in this connectivity environment using dynamic IP addressing. Since all Internet lines are initially valid to connect to a corporate network, anyone who can simulate, or has an SD-WAN terminal can, in theory, connect to a main corporate net, with all the permissions and passwords of a legitimate user. The greatest risk coming from SD-WAN is the consequences of an original SD-WAN terminal being stolen from an office (or remote point), potentially allowing said thief to access the corporate network. This doesn’t happen in MPLS nets, as access to central systems requires using a particular WAN MPLS line per office. This means a budding MPLS router thief can’t access the network by connecting the router to any broadband network. Thus, SD-WAN solutions must be equipped with antitheft mechanisms for routers, which detect if they are used out of branch environments.
A threat requiring protection in this category is the reset button (found on most communication equipment), which restores factory settings and may be used by a hacker to connect an SD-WAN terminal to a central network from an unauthorized point, simulating an initial set up.
- A third risk, closely linked to the above, is the secure installation of SD-WAN terminators in authorized locations. The intrinsic independence of SD-WAN with respect to the network provider/s makes the use of zero touch provisioning mechanisms (ZTP) commonplace and easy, as most SD-WAN solutions on the market come pre-equipped. Remote SD-WAN terminators can be sent via ordinary mail for example, and be installed at the corresponding corporate offices by the staff (forestalling the need for specialized technical personnel and/or training). All that’s needed is to unpack the device and connect it to the existing routers and devices on the local office network (LAN) or LAN switch.
SD-WAN solutions must have security mechanisms at startup (or initial installation) at the branch office. Bidirectional safe authentication is needed to cover the remote SD-WAN terminator to the central point and back again. There are many different products aimed at resolving this risk and allowing ZTP. These include security tokens through USB, smartphone apps, emails or SMS with authentication credentials etc. Said mutual authentication should, of course, be kept for successive connections, not just for the first (installation). Successive connections shouldn’t require additional ZTP. While human intervention is not necessary at the remote point, some type of manual validation is used, or specified (at the central point) and a SD-WAN terminator should at least save connection credentials for a certain length of time. And it’s at this point where antitheft mechanisms should come into play.
- Another risk to corporate traffic is the security of communication protocols or mechanisms between a remote SD-WAN terminator and a central management system, or controller, and should be analyzed through SDN native terminology. Said communication channel must also be secure (it’s quite common, or at least possible, for a controller to reside in a public cloud, or management traffic to run over Internet). If you use a controller in a multi-tenant public cloud topology (i.e. shared), security behind reclaiming devices in an initial set up also deserves attention. At first glance, a remote SD-WAN terminator could belong to any customer sharing the public cloud. However, only the customer identified as legitimate should be able to claim it.
In my previous blog, I mentioned that SD-WAN could be used in traditional branch offices as well as in any corporate network worth connecting and gave M2M and transport as examples. Once again, the risks we’ve already looked at need not only to be analyzed but widened to cover the nuances of these out of office settings. Said sectors typically use 4G technology (requiring SIM cards) and so pose an additional security challenge (theft or the intentional blocking of SIMs).
SD-WAN is a promising technology that, despite not being fully developed, has been designed to help companies use Internet broadband networks safely. This brings a lot of corporate advantages when compared to the traditional use of MPLS networks. While risks from Internet use are inherent to SD-WAN, a great deal of work is being put into critical safety and design features.