Security for SD-WAN Solutions
Teldat offers both an SD-WAN communications solution and the security system best suited to protecting your network against malware: security in your devices, in the overlay and in the cloud.
Security threats & malware
Malware is constantly evolving, with new threats appearing every day and taking very different forms, such as phishing, spyware, crypto mining, ransomware… As an example, AV Test's analysis counts more than 1.1 billion active malware or PUA (Potentially Unwanted Applications) samples, and the number is constantly growing.
There are many options in the market to protect customers from these threats, with approaches ranging from internal device firewalls and DNS and URL filtering to advanced NGFWs (Next Generation Firewalls) and SWGs (Secure Web Gateways). Each has its own advantages and targets a different budget, depth of analysis and type of traffic.
URL filtering solutions work by comparing the URLs that users want to access with defined URL categories or lists. This is useful to prevent users from reaching websites whose content must not be accessed (for instance in educational settings), or that is potentially harmful or unrelated to work. In budget terms, these are the lowest-tier security solutions.
SWGs act as proxies between the user and the web content, analyzing and securing all traffic passing through them. They normally include URL filtering, anti-malware detection and blocking, and application control. They act like security guards, allowing or denying access to sites or the download of files. These are mid-tier security solutions.
An NGFW, as Gartner defines it, is a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall”. There are important differences between traditional firewalls and NGFWs: NGFWs can filter packets based on Layer 7 applications using signatures, and can classify traffic after SSL decryption. They can also be upgraded easily and remotely. These are top-tier solutions, as they offer all the security capabilities in one product; their price rises with the number of features.
Vendors sell these technologies under several models, such as different licensing schemes (bytes consumed/users connected) or a price per site/edge. The model also depends on the type of deployment, on-premise or on-cloud (aaS/aaP), each of which has advantages and disadvantages. For instance, on-premise solutions secure sites by analyzing all the traffic passing through them. This raises the hardware processing capability required (and the associated costs) and creates vendor lock-in, since the communications provider and the security provider must be the same.
On-cloud solutions offer much more flexibility:
- Always updated: Receiving updates or patches from the vendor and spending time and money on restarts is not necessary because the cloud constantly offers the latest version and features.
- Always connected: High Availability (HA) is assured – the service is always available no matter the date, time of year or location.
- Pay per use: Pay only for the services that are needed, adapting to each budget and requirement. A service that is no longer needed can always be rolled back, so there is no need to keep paying for it.
What’s Teldat’s approach to Security?
Combining SD-WAN with Security (be.Safe)
Security in the devices
L7 firewall enabled by default and interfaces isolated by VRFs:
- Perimeter security (intrusions and attacks)
- Blocking incoming and outbound connections by default, using parameters such as IP address, port, protocol and URL. Only explicitly allowed traffic is processed; everything else is discarded.
Security in the overlay
There are three objectives to be covered in this scenario:
Confidentiality prevents third parties from accessing our information. Integrity ensures that the data has not been modified in transit. Authentication ensures that the data comes from the trusted source (required to defend against man-in-the-middle attacks).
All three objectives are covered by using IPsec on all overlay connections. IPsec, the current standard for security in data communications, provides confidentiality through encryption (AES-256), and integrity and authentication through authentication headers (SHA-256).
Teldat's SD-WAN implementation uses the IPsec protocol without modification, providing secure transit of session keys over the network based on public keys and private certificates, secure generation and periodic renewal of session keys, anti-replay mechanisms, keys protected by PFS (Perfect Forward Secrecy), and so on.
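As an added illustration (not Teldat's code) of the integrity, authentication and anti-replay mechanisms just described: an AH-style packet carries an HMAC-SHA256 authentication tag over its sequence number and payload, and the receiver checks the sequence number against an RFC 4303-style sliding replay window. AES-256 encryption for confidentiality is left out to keep the example to the authentication side; the keys and packets are constructed inline.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # window size in packets; RFC 4303 requires at least 32, 64 is common


class ReplayWindow:
    """Sliding anti-replay window as used by IPsec AH/ESP (illustrative model).
    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (highest - i) has already been accepted."""
    def __init__(self):
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq):
        """Record seq and return True if it is new and inside the window."""
        if seq == 0:
            return False  # 0 is never a valid IPsec sequence number
        if seq > self.highest:  # newer than anything accepted: slide the window
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or self.bitmap & (1 << offset):
            return False  # too old, or a replay of an already accepted packet
        self.bitmap |= 1 << offset
        return True


def seal(mac_key, seq, payload):
    """Build seq(4) || payload || HMAC-SHA256 tag; the tag covers both fields."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_packet(mac_key, window, pkt):
    """Return the payload, or None if the packet is forged, modified, replayed or too old."""
    if len(pkt) < 4 + 32:
        return None
    body, tag = pkt[:-32], pkt[-32:]
    # Verify the tag before touching replay state, so unauthenticated packets
    # can neither advance nor poison the window.
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    seq = struct.unpack(">I", body[:4])[0]
    return body[4:] if window.accept(seq) else None
```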
The process of dividing the network into logical subnets is called segmentation. It relies on isolating different domains or network zones, so that traffic from one domain cannot reach destinations located in other domains. The Teldat solution provides centralized tools for configuring end-to-end segmentation on SD-WAN. Users and services are isolated in separate SD-WAN segments, based on security criteria, common traffic processing needs, or the IP addressing requirements of different corporate departments. The next picture details one of these scenarios:
Teldat Basic / Cost Effective security layer:
Using the best security options to cover different malware threats
Access policies, content filtering, malicious site blocking
be.SAFE SMART is a highly user-friendly solution that allows SMBs and residential internet users to control their cybersecurity risks and content policies for their employees and families. The main features are:
- Web Filtering: Backed by a leading threat-intelligence dictionary, providing up-to-date categorization of 90% of websites worldwide by content category and geography.
- Malware Protection: Backed by a leading threat-intelligence dictionary, it automatically detects, classifies and blocks malware threats.
- Comprehensive Analytics and Productivity feedback: Understand internet usage patterns, blocked sites, blocked malware categories, malicious attempts, content blocked by region…
- Omnichannel and User Friendly: Use the be.SAFE SMART mobile app or the be.SAFE SMART website to configure cybersecurity policies in seconds, without deep cybersecurity knowledge.
- CPE agnostic: Compatible with 99% of the CPEs currently deployed in SMB and residential markets (it works at the DNS-resolution level).
Visualizer (NTA with AI)
Proactive detection of malware
Visualizer enriches telemetry traffic with up-to-date information on malicious sites and internet addresses, using highly accurate threat-intelligence feeds for real-time web and IP space (v4 and v6) reputation and classification.
- WEB CLASSIFICATION AND REPUTATION: Content classification across 70+ categories for billions of web pages, to protect end users from malicious sites.
- IP REPUTATION: This Visualizer add-on analyzes IP threats and manages dynamic data sets of millions of high-risk IP addresses for use with customizable alarms.
- SHADOW IT CONTROL: By controlling shadow IT, organizations can avoid data leaks and uncontrolled or unknown corporate processes.
Visualizer can also raise alarms when a connection to one of these sites is detected. Combining different dimensions makes it possible to identify not only the site the connection originates from, but also the LAN IP, map location, exact minute and amount of traffic involved.
Teldat Advanced (be.safe Premium):
Using the best security options to cover different malware threats.
Networks must be flexible to adapt to changing environments, both in user access and in application locations. They must also be ready to support cloud applications with the best user experience, and must be agile, scalable, reliable and secure. Branch offices and teleworkers need direct cloud access, since centralized internet access is a drawback when most traffic goes to public clouds. When internet access is opened beyond the traditional centralized datacenter, the security perimeter widens and new security strategies are required.
An effective solution for maximum security at the perimeters of these networks requires, in addition to web filtering capacity, centralized solutions with IDS/IPS capacity, antivirus, antispam, sandboxing, address reputation, DLP, SSL analysis and email filtering, among others. Local security solutions simply do not scale to provide a level of security comparable to what cloud solutions offer.
Teldat SD-WAN can use traditional private networks and internet access, both for internal traffic and for cloud access, using hardened internet access, a stateful firewall and DoS prevention in the edge device, plus Layer 7 rules to identify trusted and untrusted destinations and applications. Furthermore, it integrates with cloud security solutions under unified management, using a VPN connection to the cloud service. In this way, all traffic to and from the internet is sent from each site through a secure tunnel to the cloud service. The latter performs the necessary security analysis and blocks any threat, with no need to manage security updates on local devices or to require more powerful hardware processors (which would increase costs).
- Cloud Security Service provided by Teldat
- 1st Top Edge Firewall in partnership with Check Point
- Integrated SD-WAN and Security management
Given that communications technology changes approximately every three years, and security threats and technology every 3 to 6 months, flexible solutions are required to avoid vendor lock-in. Teldat's approach can provide both the best communications solution and the best security solution, while allowing integration with other vendors if different features or pricing are required. Optimizing the choice of vendor solutions results in security solutions that are both effective and cost-effective.
Teldat can do all this thanks to its Layer 7-based SD-WAN communications solution and the whole ecosystem around it, which gives customers the opportunity to tailor their network requirements to their budgets and adopt SD-WAN solutions at their own pace.