SD-WAN Security a Headache?

Multiple approaches to secure SD-WAN
"The business can choose to have all their data encrypted back here at the branch, all the way back to the data center and into the cloud, also while still maintaining the integrity of the applications that are running…in many ways it's more secure than your traditional, legacy networking model because we're able to activate that encryption network-wide," said Wood.

Currently VeloCloud operates in over 120 countries, and has more than 700 enterprise and service provider customers reaching over 50,000 sites.

Competitor Versa Networks has taken a different approach to SD-WAN security and provides its own integrated security via its software-defined security (SD-Security) system in its SD-WAN service, and delivers a firewall and unified threat management in the same device.

"If you're putting in Internet connectivity, you need to put in security as well. If you can have it all in one product, one solution, one architecture it's a lot easier for the customers to manage, to actually maintain the security, and to grow and operate it," said Mark Weiner, CMO of Versa, in an interview with Light Reading.

Roopa Honnachari, industry director for Business Communication Services & Cloud Computing Services ICT at Stratecast/Frost & Sullivan, explains in an interview that many SD-WAN vendors support service chaining and interoperate with security companies. This allows enterprises to select security solutions for SD-WAN through companies that they may already be working with.

"Now based on what I've heard from enterprises who have used [SD-WAN], security doesn't make a difference, I don't think that's one of the differentiators [between vendors]. I think right now the evaluation is based on what applications you can support and how well your solution works," said Honnachari. "...When you talk about security, I don't think that's really a key differentiator at this point in time because most [SD-WAN] vendors offer interoperability with leading security vendors and support for service chaining."

SD-WAN product offerings such as voice call monitoring and performance features, and visibility on how applications are functioning -- areas VeloCloud has experienced success in with service providers -- are better examples of differentiators that customers are considering when selecting an SD-WAN service, continued Honnachari.

Versa's security solution is built for the SDN and NFV approach with the end goal of delivering SD-Security as a VNF, and its security approach is more long-term and gradual than VeloCloud's, she added. In addition, Versa is also looking to sell SD-Security as a separate offering for customers that don't want SD-WAN but just the security solution on their WAN network.

Versa also has a global SD-WAN reach "due to managed services offered through global service providers like Tata Communications (which is reaching 140+ countries)," said Weiner in an email to Light Reading.


— Kelsey Kusterer Ziser, Senior Editor, Light Reading

ritmukhe 8/15/2017 | 3:43:34 PM
Zero Trust Security with Session Routing from 128T can help
As noted, when deploying an SD-WAN solution, there is often a juggling act of ensuring security without losing the pre-conceived value (improved agility and cost savings) of the solution. Given that SD-WAN technologies rely on tunnels and overlays, they require coordinated provisioning along with automated key management, which isn't easy, particularly without defined standards and protocols. An alternative approach, which is actually simpler and cheaper over the long haul, is by leapfrogging SD-WAN technologies that rely on tunnels and overlay techniques. The key is being session-oriented – understanding the language of applications and services – to enable visibility into the unique two-way exchange of information between source and destination endpoints. With session-orientation, you can enforce a Zero Trust Security model - ensuring that only valid sessions are sent along with required encryption and authentication. This removes complexities from the layers of infrastructure, and the required intricate coordination will resolve headaches.
VPMarket13134 8/14/2017 | 4:40:22 AM
Cato Networks converges SD-WAN, Security as a Service and a Global Backbone
I agree that running IPSEC tunnels over SD-WAN provided IPSEC (or in our case DTLS) tunnels doesn't make sense.

Threat protection and application control are a totally different story. Edge SD-WAN vendors work through service chaining or VNFs (virtual appliances), which involves backhauling or deploying security capabilities in the branch. Cato built a global backbone that has a full network security stack built into it. Our SD-WAN edge device and clients connect branches, cloud instances, and mobile users to the cloud service and direct the traffic to the cloud service. All traffic, WAN and Internet, is inspected in our PoPs within 30ms of the resource - no "backhauling" and no need to deploy security in the branch (virtual or physical).


Disclosure: I work for Cato Networks. 


mendyk 8/9/2017 | 3:08:20 PM
ouch
Security is probably the number one headache for anything involving communications. We can guess that because nobody really wants to talk about it.