5 Must-Have SD-WAN Security Capabilities
As interest in Software-Defined Wide-Area Networks (SD-WAN) picks up among companies of all sizes, it’s becoming clear that one of the key drivers for the technology is security. The reason? SD-WAN lets companies deploy strong security features at the network edge and easily apply security policies throughout the network.
SD-WAN is clearly growing in popularity. The Frost & Sullivan 2018 SD-WAN survey of 350 U.S.-based IT decision-makers found that 15% of respondents had already deployed SD-WAN (up from 7% in 2016), another 18% had a deployment underway, and 61% said they would deploy within the next 2 years.
Among the reasons respondents were deploying SD-WAN, 76% of respondents cited the ability to apply granular security policies.
To learn more about what security features customers are looking for from SD-WAN vendors, I talked with Michael Lawson, General Manager for SD-WAN Solution Architecture for CenturyLink, which offers managed SD-WAN services.
Traditional security models were designed to support a walled castle approach where all of a company’s data, applications, and users operate behind a firewall at a centralized headquarters or data center. “With the cloudification of the enterprise, infrastructure and applications are moved out of the data center to the edge, so security perimeters are going away,” Lawson says. “Every access point and network element is prone to security breaches.”
SD-WAN lets IT leaders apply security policies using the SD-WAN appliances that sit in each edge location.
“Over 60% of CenturyLink SD-WAN customers have advanced security profile features enabled with the service,” Lawson says. Among the must-have features customers want are the following:
1. Policies for On-Demand Security: Once customers have an understanding of their operating environment, in terms of which resources are critical and which are less so, they can employ enterprise security policies that get deployed automatically either on the premises or in the cloud. “Enterprises want to spin up functions on demand when and where they need them, based on the applications they’re looking to run and secure,” he says.
2. Encryption: An example of a security feature that would be deployed on-premises is encryption, in order to enable site-to-site encryption, Lawson notes.
3. Distributed Denial-of-Service (DDoS) Protection: On the other hand, protecting against DDOS attacks should be a cloud-based service. If you deploy a DDOS policy on premises and then get a DDOS attack targeting that location, the policy will kick in and likely shut down that location—effectively making the attack successful, Lawson says. A cloud-based service can detect and thwart the attack by denying or redirecting the suspicious traffic.
4. Unified Threat Management (UTM)/Firewalls: SD-WAN appliances should have UTM and/or next-generation firewall capabilities built in, to protect each branch location—getting back to the expanding perimeter point. That’s a big one, according to the Frost & Sullivan report. In terms of vendor selection criteria, “integrated UTM functionality or next generation firewall” was cited by 74% of respondents, second only to “cloud-based network management.”
5. Threat Intelligence: SD-WAN providers also provide access to a threat intelligence service that can identify and thwart threats. Increasingly, these services use artificial intelligence (AI) to help predict threats before they launch, based on suspicious traffic patterns. “CenturyLink, for example, runs an extremely large Internet backbone,” Lawson notes. “That creates an opportunity for us to see the world’s Internet traffic and enable a threat intelligence capability that allows us to see attacks as they happen, or even before, and take down bots and other security threats.”
Learn more about how SD-WAN can enable strong, distributed enterprise security.
This article was previously published on Network World on September 12, 2019.
This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user.