Avoid the Top Security Mistakes When Implementing SD-WAN

By Chris Hope, Senior Director of IT and Security, One Source

It seems like everyone these days is talking about implementing SD-WAN. In fact, 92% of companies are expecting to adopt an SD-WAN infrastructure within the next couple of years. But why are companies so interested? We have compiled some of the most frequently asked questions regarding SD-WAN, its implementation, and the security needed to support adoption, to help demystify the trendy connectivity solution.

Why are companies adopting SD-WAN?

There are a couple of reasons for adopting SD-WAN, starting with lowering costs. SD-WAN is a lower-cost alternative that enables organizations to connect remote sites together over a shared business network. Other means of doing this, like ELAN and MPLS infrastructure, require extensive investment on the carrier side for connectivity service, and you start to pay for heavy carrier contracts. SD-WAN lowers costs by allowing you to take advantage of standard business-level bandwidth without having to worry about what your carrier is at each location. Additionally, there aren’t any of the build-out costs that are often associated with ELAN and MPLS.

Traditional ELAN and MPLS also require a highly capable IT team to manage them. Provisioning for SD-WAN is all web-based, making it very simple for someone with a moderate IT networking background to be able to build out the infrastructure and have it work. Low cost, low complexity, ease of use, and ease of deployment are all key drivers for the adoption of SD-WAN.

What are some tactics to overcome networking and security challenges when switching from MPLS to a public broadband connection?

There are 2 major strategies to overcome these challenges:

  1. Network Segmentation – This is the idea of creating segments within your network that are defined for specific purposes and use. For example, one segment would be known as a Tier Zero segment and would be defined as containing your most critical servers or the “crown jewels” of your business. The traffic that flows to and from this segment should be heavily regulated and limited to only the specific connections that make sense to pull data in and out of Tier Zero. You take this model of segmentation and apply it down to each of the other levels that exist within your environment – creating Tier 1, Tier 2, etc. There are many businesses that are required to do this kind of network segmentation regardless of whether they are using SD-WAN or traditional networks. For example, if your business does any credit card processing, you are required to have a specific database segment just for credit card data.

    The most important, and hardest, part of network segmentation is rule creation. Once you have categorized assets into different layers, and those layers are segmented from each other, you need to create meaningful and true rules between each layer. If you do not create the right rules between each layer, then you just have a big flat network with different subnets.

  2. VPN Controls – Many companies experience data breach problems, and the two most common causes are password reuse and VPN design. Password reuse applies to employees who reuse the same password across several online applications. If that password leaks, then threat actors have access to those different applications, including VPN, creating a risk for the organization. Additionally, to avoid poor VPN design, you need to ensure the applications you are using are up to date with all the right security patches so they cannot be externally exploited. You need to make sure you have multi-factor authentication (MFA) turned on, as this is the best thing you can do to secure VPN. SD-WAN supports global connectivity and the ability for users to work from anywhere, but it can also support an attacker doing the same thing if you haven’t built these fundamentals in. You need to have the fundamentals of network security built in from the beginning of SD-WAN adoption, and from there you can build the specific SD-WAN capabilities.
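The rule-creation problem described under Network Segmentation can be checked mechanically. The following is an added example, not code from the original article: it audits a constructed set of allow rules against a constructed tier layout, and it assumes a policy in which only Tier 1 may talk to Tier 0. All subnets, rule names and the rule format are assumptions for illustration.

```python
import ipaddress

# Constructed tier layout; subnets and names are assumptions for illustration.
TIERS = {
    "tier0": ipaddress.ip_network("10.0.0.0/24"),  # "crown jewels"
    "tier1": ipaddress.ip_network("10.0.1.0/24"),
    "tier2": ipaddress.ip_network("10.0.2.0/24"),
}

# Constructed allow rules: (name, source CIDR, destination CIDR, port or "any").
RULES = [
    ("app-to-db", "10.0.1.0/24", "10.0.0.10/32", 5432),
    ("users-to-app", "10.0.2.0/24", "10.0.1.0/24", 443),
    ("temp-test", "10.0.0.0/16", "10.0.0.0/24", "any"),
]


def tiers_touched(cidr):
    """Return the tiers a CIDR overlaps, or {"outside"} if it overlaps none."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, subnet in TIERS.items() if net.overlaps(subnet)}
    return hit or {"outside"}


def audit(rules):
    """Return (rule name, finding) pairs for rules that weaken segmentation."""
    findings = []
    for name, src, dst, port in rules:
        src_tiers, dst_tiers = tiers_touched(src), tiers_touched(dst)
        if len(src_tiers | dst_tiers) < 2:
            continue  # traffic stays inside one tier
        if port == "any":
            findings.append((name, "cross-tier rule allows every port"))
        if len(src_tiers) > 1:
            spans = ", ".join(sorted(src_tiers))
            findings.append((name, "source spans several tiers: " + spans))
        # Assumed policy: only tier1 may open connections into tier0.
        if "tier0" in dst_tiers and src_tiers - {"tier0", "tier1"}:
            findings.append((name, "tier0 reachable from beyond tier1"))
    return findings


if __name__ == "__main__":
    for rule, problem in audit(RULES):
        print(rule + ": " + problem)
```

The two narrow rules pass, while the broad "temp-test" rule is reported three times: it is the kind of rule that turns segmented tiers back into a flat network with different subnets.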

How can I improve SD-WAN security to provide protection against the more sophisticated attacks I’m seeing today?

In this cloud-based world of SD-WAN, you need to consider what is exposed to the internet and how you are protecting those assets. While SD-WAN makes it easier to configure and set up an environment, you also run the risk of things getting misconfigured or exposed. If a zero-day vulnerability presents itself in the management interface of your SD-WAN appliance, you need to be aware of what patching versions you currently have in place. It is also a good idea to invest in an external scanning service that looks at your public IPs, monitors them continually to see if a new port or new service is exposed to the internet, and notifies you of it. VPN vulnerability is an easy way for threat actors to gain access using VPN credentials, as we saw with the Colonial Pipeline data breach. Typically, there is a VPN capability built into each one of these SD-WAN appliances. You need to be sure VPN is turned off on those appliances and that MFA on those VPN endpoints or concentrators is the default.
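The continual external monitoring described above comes down to comparing each scan of your public IPs with the last approved state. The following is an added example, not code from the original article or from any scanning product: the "ip port service" snapshot format is an assumption, and the addresses are constructed from the documentation range 203.0.113.0/24.

```python
# Constructed scan results in "ip port service" form (format is an assumption).
BASELINE = """\
203.0.113.10 443 https
203.0.113.10 500 isakmp
203.0.113.20 443 https
"""
LATEST = """\
203.0.113.10 443 https
203.0.113.10 500 isakmp
203.0.113.10 8443 https-admin
203.0.113.20 443 ssh
203.0.113.30 22 ssh
"""


def parse(snapshot):
    """Map (ip, port) -> service for each non-empty line of a snapshot."""
    exposed = {}
    for line in snapshot.splitlines():
        if not line.strip():
            continue
        ip, port, service = line.split()
        exposed[(ip, int(port))] = service
    return exposed


def compare(baseline, latest):
    """Return alerts for anything exposed now that the baseline did not have."""
    old, new = parse(baseline), parse(latest)
    known_hosts = {ip for ip, _ in old}
    alerts = []
    for (ip, port), service in sorted(new.items()):
        if (ip, port) not in old:
            # A port on a host never seen before is a different kind of event
            # from an extra port on a known appliance.
            kind = "new port" if ip in known_hosts else "new host"
            alerts.append((kind, ip, port, service))
        elif old[(ip, port)] != service:
            alerts.append(("service changed", ip, port, service))
    return alerts


if __name__ == "__main__":
    for kind, ip, port, service in compare(BASELINE, LATEST):
        print(f"ALERT {kind}: {ip}:{port} ({service})")
```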

What is application-aware filtering in SD-WAN?

This is one of the more powerful SD-WAN features, and it tends to be underleveraged. When you make the move from MPLS to SD-WAN, you tend to think about security in the traditional model, like traditional segmentation and traditional Access Control Lists (ACLs). But SD-WAN application-aware filtering is something that you cannot replicate in a traditional MPLS environment. SD-WAN is aware of who your users are and where they normally work, so your employees can have that “work from anywhere” ability. By the same token, if someone is trying to do something they are not supposed to, like access something that is restricted, then SD-WAN is aware of that application violation and can restrict that access. This helps prevent the lateral movement that makes ransomware so dangerous, where threat actors hop from one server to another. If you have the filter on and the user who is the victim of an initial breach is not allowed to access those “crown jewels”, you have contained the spread to minimize the impact to your organization.

How can I continually manage SD-WAN without sacrificing security?

It needs to be clear who is managing the SD-WAN infrastructure, who is making sure that devices are patched, and who is alerted when a new rule is put in place. A misconfigured rule or port that is open, even if it is open temporarily for testing, puts your organization at risk of being compromised. You can use honeypots to help with breach detection. Honeypots are high-fidelity devices that attract threat actors so that if they do gain access to your environment, they are drawn to find out what is in those devices. Once you have drawn them in, you start gathering information on the threat actors and can use this threat intelligence to protect yourself further in the future. Some SD-WAN appliances, such as Cisco Meraki, even come with firewall capabilities built in. This can give you enterprise-level capabilities and protection.

Want to learn more about SD-WAN security?

Download the free eBook, “Cloud Security for SD-WAN” to get actionable strategies to secure your network at the cloud edge.
