& cplSiteName &

SD-WAN Security a Headache?

Kelsey Kusterer Ziser
8/9/2017
100%
0%

One of the early challenges in the burgeoning SD-WAN market is addressing security, and that includes both the reality and the customer perception of how secure this new service offering can be.

For example, service provider MetTel finds some customers try to run their own IPsec tunnels over the SD-WAN platform, creating new problems for themselves, because they aren't convinced the existing software-defined wide area networking service is secure, says Ed Fox, vice president of network services.

"When we go into a situation where the customer might not have MPLS today, but at their branches they're doing VPN and IPsec tunnels -- they're kind of making their own mesh -- those particular customers present a challenge when they deploy because they still want to run their IPsec tunnels over the SD-WAN solution and you lose a lot of what the SD-WAN solution gives you."

That additional encryption reduces network traffic and application visibility, and diminishes the benefits of utilizing SD-WAN. But some security operations teams remain concerned over the notion that bringing in an Internet connection to support bandwidth-intensive applications in the branch will expose them to new security threats.

"You have this situation where you have tunnels over tunnels over tunnels, which in some cases actually increases the packet size so much that there are certain things that we have to do -- particularly when LTE is part of the solution -- because those networks are very packet-size sensitive," added Fox. "So we have to make sure we take extra precautions in those situations."

Fox noted the importance of talking to customers during on-boarding of SD-WAN services to avoid this security challenge, and determine if the customer wants to maintain control over their tunnels or rely on MetTel to encrypt their traffic. MetTel currently has more than 90 customers with greater than 2,000 sites supported with SD-WAN, and has partnered with VeloCloud Networks Inc. for more than two years for SD-WAN services.

In an interview with Light Reading, VeloCloud's Vice President of Marketing Mike Wood echoed Fox's sentiment that it's important for operators to talk to enterprises deploying SD-WAN not just about its overall benefits but also its secure architecture. For example, during initial deployment, the VeloCloud SD-WAN device activates only after credentials are downloaded from the orchestrator or the branch manager authenticates the device via a link emailed by the orchestrator.


Track the heartbeat of the virtualization movement with Light Reading at the NFV & Carrier SDN event in Denver. There's still time to register for this exclusive opportunity to learn from and network with industry experts -- communications service providers get in free!


But if users don't understand that the SD-WAN service is secured and data encrypted using IPsec tunnels at the device, keeping messaging, control and management secure, Wood says, they may feel the need to add their own IPSec tunnels, creating the problems Fox describes.

In order to achieve interoperability with current and future security systems, VeloCloud created the SD-WAN Security Technology Partner Program to afford enterprises the choice to integrate the SD-WAN service with their preferred security technology. The program launched in April, enabling VelcoCloud to service chain security offerings with security partners including Check Point Software Technologies, Zscaler, IBM Security, Palo Alto Networks and Fortinet -- which MetTel also works with for its cloud firewall product. (See SD-WAN Buzz Spills Into Reseller & Partner Space.)

Next page: Multiple approaches to secure SD-WAN

(3)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
ritmukhe
50%
50%
ritmukhe,
User Rank: Light Beer
8/15/2017 | 3:43:34 PM
Zero Trust Security with Session Routing from 128T can help
As noted, when deploying an SD-WAN solution, there is often a juggling act of ensuring security without losing the pre-conceived value (improved agility and cost savings) of the solution. Given that SD-WAN technologies rely on tunnels and overlays, they require coordinated provisioning along with automated key management, which isn't easy, particularly without defined standards and protocols. An alternative approach, which is actually simpler and cheaper over the long-haul, is by leapfrogging SD-WAN technologies that rely on tunnels and overlay techniques. The key is being session-oriented – understanding the language of applications and services – to enable visibility into the unique two-way exchange of information between source and destination endpoints. With session-orientation, you can enforce a Zero Trust Security model - ensuring that only valid sessions are sent along with required encryption and authentication. This removes complexities from the layers of infrastructure, and the required intricate coordination will resolve headaches.
VPMarket13134
50%
50%
VPMarket13134,
User Rank: Light Beer
8/14/2017 | 4:40:22 AM
Cato Networks converges SD-WAN, Security as a Service and a Global Backbone
I agree that running IPSEC tunnels over SD-WAN provided IPSEC (or in our case DTLS) tunnels doesn't make sense. 

Threat protection and application control is a totally different story. Edge SD-WAN vendors work through service chaining or VNFs (virtual appliances), which involves backhauling or deploying security capabilities in the branch. Cato built a global backbone that has a full network security stack built into it. Our SD-WAN edge device and clients, connect branches, cloud instances, and mobile users to the cloud service and direct the traffic to the cloud service. All traffic, WAN and Internet, is inspected in our PoPs within 30ms of the resource - no "backhauling" and no need to deploy security in the branch (virtual or physical). 

 

Disclosure: I work for Cato Networks. 

 

 
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
8/9/2017 | 3:08:20 PM
ouch
Security is probably the number one headache for anything involving communications. We can guess that because nobody really wants to talk about it.
Featured Video
From The Founder
John Chambers is still as passionate about business and innovation as he ever was at Cisco, finds Steve Saunders.
Flash Poll
Upcoming Live Events
September 12, 2018, Los Angeles, CA
September 24-26, 2018, Westin Westminster, Denver
October 9, 2018, The Westin Times Square, New York
October 23, 2018, Georgia World Congress Centre, Atlanta, GA
November 6, 2018, London, United Kingdom
November 7-8, 2018, London, United Kingdom
November 8, 2018, The Montcalm by Marble Arch, London
November 15, 2018, The Westin Times Square, New York
December 4-6, 2018, Lisbon, Portugal
All Upcoming Live Events
Hot Topics
Telecom Jargonosaurus Part 1: Repeat Offenders
Iain Morris, News Editor, 7/13/2018
Broadcom Buys CA – Huh?
Mitch Wagner, Executive Editor, Light Reading, 7/11/2018
Verizon Taps Malady as Acting CTO
Dan Jones, Mobile Editor, 7/12/2018
Get Off My Wireline Lawn!
Carol Wilson, Editor-at-large, 7/17/2018
FCC's Rosenworcel: US 'Falling Behind' on 5G
Iain Morris, News Editor, 7/13/2018
Animals with Phones
Casual Tuesday Takes On New Meaning Click Here
When you forget your pants.
Live Digital Audio

A CSP's digital transformation involves so much more than technology. Crucial – and often most challenging – is the cultural transformation that goes along with it. As Sigma's Chief Technology Officer, Catherine Michel has extensive experience with technology as she leads the company's entire product portfolio and strategy. But she's also no stranger to merging technology and culture, having taken a company — Tribold — from inception to acquisition (by Sigma in 2013), and she continues to advise service providers on how to drive their own transformations. This impressive female leader and vocal advocate for other women in the industry will join Women in Comms for a live radio show to discuss all things digital transformation, including the cultural transformation that goes along with it.

Like Us on Facebook
Twitter Feed