SD-WAN Security a Headache?

MetTel's Ed Fox explains that the SD-WAN deployment challenge in assisting enterprise customers is making the transition from a legacy approach to security to a secure SD-WAN.

Kelsey Ziser, Senior Editor

August 9, 2017


One of the early challenges in the burgeoning SD-WAN market is addressing security, and that includes both the reality and the customer perception of how secure this new service offering can be.

For example, service provider MetTel finds some customers try to run their own IPsec tunnels over the SD-WAN platform, creating new problems for themselves, because they aren't convinced the existing software-defined wide area networking service is secure, says Ed Fox, vice president of network services.

"When we go into a situation where the customer might not have MPLS today, but at their branches they're doing VPN and IPsec tunnels -- they're kind of making their own mesh -- those particular customers present a challenge when they deploy because they still want to run their IPsec tunnels over the SD-WAN solution and you lose a lot of what the SD-WAN solution gives you."

That additional encryption reduces visibility into network traffic and applications, and diminishes the benefits of using SD-WAN. But some security operations teams remain concerned that bringing in an Internet connection to support bandwidth-intensive applications in the branch will expose them to new security threats.

"You have this situation where you have tunnels over tunnels over tunnels, which in some cases actually increases the packet size so much that there are certain things that we have to do -- particularly when LTE is part of the solution -- because those networks are very packet-size sensitive," added Fox. "So we have to make sure we take extra precautions in those situations."

Fox noted the importance of talking to customers during on-boarding of SD-WAN services to avoid this security challenge, and determine if the customer wants to maintain control over their tunnels or rely on MetTel to encrypt their traffic. MetTel currently has more than 90 customers with greater than 2,000 sites supported with SD-WAN, and has partnered with VeloCloud Networks Inc. for more than two years for SD-WAN services.

In an interview with Light Reading, VeloCloud's Vice President of Marketing Mike Wood echoed Fox's sentiment that it's important for operators to talk to enterprises deploying SD-WAN not just about its overall benefits but also its secure architecture. For example, during initial deployment, the VeloCloud SD-WAN device activates only after credentials are downloaded from the orchestrator or the branch manager authenticates the device via a link emailed by the orchestrator.


But if users don't understand that the SD-WAN service is secured and data encrypted using IPsec tunnels at the device, keeping messaging, control and management secure, Wood says, they may feel the need to add their own IPsec tunnels, creating the problems Fox describes.

In order to achieve interoperability with current and future security systems, VeloCloud created the SD-WAN Security Technology Partner Program to afford enterprises the choice to integrate the SD-WAN service with their preferred security technology. The program launched in April, enabling VeloCloud to service chain security offerings with security partners including Check Point Software Technologies, Zscaler, IBM Security, Palo Alto Networks and Fortinet -- which MetTel also works with for its cloud firewall product. (See SD-WAN Buzz Spills Into Reseller & Partner Space.)

Multiple approaches to secure SD-WAN

"The business can choose to have all their data encrypted back here at the branch, all the way back to the data center and into the cloud, also while still maintaining the integrity of the applications that are running…in many ways it's more secure than your traditional, legacy networking model because we're able to activate that encryption network-wide," said Wood.

Currently VeloCloud operates in over 120 countries, and has more than 700 enterprise and service provider customers reaching over 50,000 sites.

Competitor Versa Networks has taken a different approach to SD-WAN security and provides its own integrated security via its software-defined security (SD-Security) system in its SD-WAN service, and delivers a firewall and unified threat management in the same device.

"If you're putting in Internet connectivity, you need to put in security as well. If you can have it all in one product, one solution, one architecture it's a lot easier for the customers to manage, to actually maintain the security, and to grow and operate it," said Mark Weiner, CMO of Versa, in an interview with Light Reading.

Roopa Honnachari, industry director for Business Communication Services & Cloud Computing Services ICT at Stratecast/Frost & Sullivan, explains in an interview that many of the SD-WAN vendors have service chained and interoperate with security companies. This allows enterprises to select security solutions for SD-WAN through companies that they may already be working with.

"Now based on what I've heard from enterprises who have used [SD-WAN], security doesn't make a difference, I don't think that's one of the differentiators [between vendors]. I think right now the evaluation is based on what applications you can support and how well your solution works," said Honnachari. "...When you talk about security, I don't think that's really a key differentiator at this point in time because most [SD-WAN] vendors offer interoperability with leading security vendors and support for service chaining."

SD-WAN product offerings such as voice call monitoring and performance features, and visibility on how applications are functioning -- areas VeloCloud has experienced success in with service providers -- are better examples of differentiators that customers are considering when selecting an SD-WAN service, continued Honnachari.

Versa's security solution is built for the SDN and NFV approach with the end goal of delivering SD-Security as a VNF, and its security approach is more long-term and gradual than VeloCloud's, she added. In addition, Versa is also looking to sell SD-Security as a separate offering for customers that don't want SD-WAN but just the security solution on their WAN network.

Versa also has a global SD-WAN reach "due to managed services offered through global service providers like Tata Communications (which is reaching 140+ countries)," said Weiner in an email to Light Reading.

— Kelsey Kusterer Ziser, Senior Editor, Light Reading
