SD-WAN products have been available for the better part of five years. Early adopters of the technology focused primarily on transport-related issues such as replacing or augmenting MPLS with broadband. As any technology matures and moves out of the early adopter phase, the buying criteria changes — and SD-WAN is no different.
In 2018, a ZK Research survey asked respondents to rank SD-WAN buying criteria, and security came out as the top response, well ahead of technology innovation and price. (Note: I am employee of ZK Research.) To better understand this trend and what it means to network professionals, I sat down with Fortinet’s executive vice president of products and solutions, John Maddison, who sets the company’s product strategy, making him well versed in both SD-WAN and security.
Zeus Kerravala: What is the current state of SD-WAN?
John Maddison: As digital transformation took hold, it became clear that traditional links to branch offices could not support the complex connections required by today's businesses. Something as simple as a split tunnel, where a branch office has a dedicated link back to the corporate headquarters, and a live connection to the internet could undermine the security of the entire organization.
SD-WAN provides things like support for advanced business applications, the ability to move latency-sensitive data such as voice or video over to reliable, high-speed links, and bonding multiple connections together — such as links to the core network, connections to multi-cloud networks and services, and live connections to the Internet and mobile devices — into a single, integrated package.
The biggest challenge we see organizations facing is the result of trying to apply a consistent security framework to this new environment. It needs to not only secure the primary SD-WAN connection, but also be integrated into whatever security solutions that have been deployed elsewhere, such as in the cloud or at the remote network. This allows organizations to implement a single security strategy that includes application protection, web filtering, sandboxing, network access control, SSL inspection, and solutions such as NGFW, IPS, and VPN to protect applications, workflows, and data in motion.
As the shift from early adopter to mainstream happens, how does the market change?
The initial wave of SD-WAN was very transport-centric. It was primarily driven by a desire to shift away from MPLS to a combination of MPLS and broadband for more flexibility regarding adopting new applications and services to support digital business requirements. Now that businesses are using SD-WAN in production, however, there is more focus on security. The branch office cannot become the new weak link in today’s interconnected and distributed networking model. There is also a growing interest to extend SD-WAN to LAN and redefine the entire branch with SD-Branch, which provides consistent security, unified policy and unified management.
Now that security is a core requirement for SD-WAN, what kind of new challenges have been created?
The biggest challenge is that traditional security solutions are no longer enough. Legacy security solutions just do not have the performance, flexibility, or interconnectivity that SD-WAN connections require. And to make it more challenging, they very often can't see past the edge connection. It's why we have been developing intent-based segmentation. This strategy can isolate a user, application, workflow, or data based on a number of parameters to provide security along its entire transaction path. Traffic can be forced to conform to specific behaviors, or be isolated to specific users or destinations, to ensure consistent policy application and enforcement from beginning to end.
The biggest challenge [for SD-WANs] is that traditional security solutions are no longer enough."
Can you please expand on user- and intent-based segmentation: what it is, and the benefits it provides?
When a user initiates or receives a transaction, it needs to travel across the public network. Traditional security tools can harden a connection, inspect traffic, and identify and prevent malware or traffic hijacking, but that’s often not enough. Given the growing volume of traffic and the density of other devices traveling through those same connections, it can be easy to lose track of traffic.
Isolating a user, application, or workflow allows organizations to see and control the devices that can interact with that connection, makes it harder for criminals and insiders to intercept, steal, or corrupt that data, and helps ensure that data and resources are managed and secured as they move across an increasingly expanding network of connected ecosystems. Intent-based segmentation is intelligently segmenting IT assets based on the intent of the business objectives and desired security processes with granular access control to prevent the proliferation of lateral threats spreading in the network.
What kinds of threats does this protect against?
There are a wide variety of security issues that intent-based segmentation can protect against, including insider threats and even spillover from malware that may have infected some other segment of the network. Intent-based segmentation ensures that cyber criminals who infiltrate the network are quickly detected to prevent the lateral spread of security threats.
One of the challenges security teams face is that they are already overwhelmed with too many security tools. Doesn't this exacerbate the problem?
The real problem is trying to secure a distributed network using tools that were never designed for that. What tends to happen is that security is either applied only at the gateway, which reduces deep visibility into the network, or different tools get selected and deployed for different parts of the network. IT teams can quickly be overwhelmed by security sprawl, and as a result, tools don’t get updated or optimized, or there is inconsistency in enforcement.
What's needed is a single security platform that can provide the consistent enforcement of the policies, regardless of where security solutions have been deployed, and then be managed using a unified management and orchestration console. Security at the core, in the cloud, and at the branch needs to be deployed, implemented, managed and optimized like a single holistic system. Of course, this is easier said than done. Native controls in different cloud environments, for example, can vary wildly. Security solutions need to be carefully chosen based on their ability to be applied and managed consistently regardless of where they are deployed.
Any other advice you would like to pass on to our readers about SD-WAN?
One of the biggest challenges facing organizations considering an SD-WAN solution is wading through all of the marketing hype. New platforms tend not to be very well defined, resulting in vendor solutions that can be very different from one another. Security is an especially challenging issue, as it has recently been identified as one of the top concerns of organizations deploying an SD-WAN strategy.
Of the more than 60 vendors currently providing SD-WAN solutions, few of them offer any sort of integrated security strategy. While most provide basic VPN connections and some simple stateful security, they do not natively address the majority of security issues that today’s digital businesses are being exposed to. Instead, they depend on other vendors to provide functions such as intrusion prevention, next-generation firewall, web filtering, malware analysis, SSL and IPSec inspection and sandboxing.
But given the current security skills gap, this can be a disaster waiting to happen. Deploying advanced security across public networks to next-gen branch offices is not trivial. Deployment, configuration, and optimization alone creates personnel and financial overhead that many organizations just do not have the resources to manage. But any gaps in these can make SD-WAN connections vulnerable to attack.
Instead, organizations should look for solutions that meet their resource constraints through simple, integrated security and SD-WAN solutions tied together into a single platform.