5 Best Practices for SD-WAN Security

Best Practices for SD-WAN Security

Securing IT resources within four walls is hard enough, but it’s a challenge of a different order when it comes to securing a WAN with links reaching around the world, provided by a range of service providers and supporting a mix of endpoint security appliances.

The security picture gets even murkier when you bring in SD-WAN to augment aging MPLS networks because most SD-WANs exclusively use the public Internet for transport.

Most, but not all. And that is an important consideration when you’re evaluating the security implications of various SD-WAN options. If you replace the public Internet with a software-defined private network over the middle mile, that equates with adding an additional layer of security.

In fact, a multi-layered defense in-depth approach is the best way to approach SD-WAN security. There are simply too many types of threats and attack vectors for a single security “answer” to do any good.  You assume some defenses won’t work all the time and have additional layers of defense at the ready.

Here are the best practices for SD-WAN security deployments:

1. Contain your network

If your SD-WAN solely uses the public Internet for middle mile transport, you are starting off with a disadvantage, especially for international links.  There is no way to know what links your traffic will traverse and who has access to what facilities (say nothing of the performance hit you’ll get using best effort public Internet for SD-WAN transport).

The alternative is to sign up for a SD-WAN service provided over a secure, managed, private global network like Aryaka’s Global SD-WAN.  Using a private network for the middle mile significantly minimizes attack vectors by elimating exposure to the public Internet.

2. Compartmentalize your traffic

Job one is to avoid the public Internet, and job two is to ensure your traffic is compartmentalized in a true multi-tenant fashion, with dedicated tunnels that keep your traffic from mixing with traffic of other companies.

3. Don’t put all your eggs in one basket

Diversity is a core virtue in a multi-layer, defense in-depth security strategy, but some SD-WAN suppliers are touting the so called “advantages” of building and integrating their own security stack.  This approach may be a point of vulnerability for many enterprises.

The best practice is to have multiple layers of security delivered by multiple suppliers that are the best in the business. This approach would mitigate the fundamental vulnerability associated with utilizing a single-vendor security stack.

Aryaka partners with Palo Alto Networks and Zscaler for edge- and cloud -based security, both of whom are solely focused on the global enterprise WAN.  Homegrown code from a smaller company just can’t compare.

If you’re a large or mid-sized global enterprise, integrated best-of-breed security from multiple vendors is a must.

4. Insist on options

It goes without saying that you need a layer of security at the network edge for both inbound and outbound traffic, but often SD-WAN providers will have limited options and try to dictate a specific strategy rather than accommodate your preferences.

At Aryaka, we take the security direction from you.  The Aryaka CPE has a built-in firewall, enabling you to collapse that function into the device and reduce branch office appliance clutter. But if you need more horsepower, a Palo Alto next generation firewall can be deployed on-premises.  Alternatively, you can direct traffic to a Palo Alto Networks or Zscaler cloud-based solution. If you’ve migrated applications to the cloud, you can leverage a virtual firewall from Zcaler for AWS or Azure environments.

5. Add early warning systems

Make sure your SD-WAN provider can deliver a portal that enables you to monitor your global network from a single pane of glass.  Odd traffic spikes or multiple connections from an unexpected part of the network or the world might be indicators of nefarious activity that demand closer inspection.  This would further enable you to quarantine users and prevent the spread of an attack.

Obviously, there is no such thing as 100% security, and that’s why a defense in depth model is critical.  Look for SD-WAN providers that can deliver services over a secure, private, managed network, and offer best of breed options for each of the multiple security layers required to protect your global network, and your business-critical data!

About the author

Andy Leong, Sr. Director, Product Marketing
Andy is the Senior Director of Product Marketing at Aryaka. He is responsible for the company's go-to-market strategy, outbound marketing, and corporate communications, bringing over 20 years of leadership experience from across networking and software industries.