Basics of SD-WAN Security

FREMONT, CA | Wednesday, April 28, 2021

Network administrators centrally manage and mediate SD-WAN security elements through software that gives granular visibility into the network. The network perimeter has expanded because of the combination of WAN virtualization and the trend of moving applications to the cloud, so security functionality must now be present at a company's headquarters, at its branch offices, and in the cloud.

Security network functions must be virtualized to keep up with emerging security threats and to control the cost of updating and upgrading security elements. Running SD-WAN security functions as virtual machines lets software upgrades be deployed on existing hardware rather than requiring new hardware for each upgrade, which saves time and money.

Secure Access Service Edge (SASE) is a more recent secure networking technology that several SD-WAN vendors have begun to sell alongside SD-WAN. Both SD-WAN and SASE are based on virtualization and the use of multiple connection types. SASE, however, does something different: it decentralizes the network. Instead of the standard SD-WAN hub-and-spoke topology, SASE securely links users to the nearest network Point of Presence (PoP), where security and networking functions are performed, regardless of the users' location.

Basics of SD-WAN Security: IPsec and VPNs

VPNs based on IPsec are almost universal in SD-WANs. Because an SD-WAN carries traffic over the public internet in addition to MPLS connections, a VPN or IPsec tunnel is needed to ensure that traffic between the sender and receiver is not intercepted or tampered with in transit.

This is accomplished by:

  • Authenticating the sender, the receiver, and the packets that are sent.
  • Using encryption keys that have already been exchanged between the sending and receiving hosts, or using public and private key encryption.
  • Using the Encapsulating Security Payload (ESP) protocol to ensure packets have not been tampered with.
  • Using an Authentication Header (AH), which covers the IP header, to confirm that the origin of packets can be trusted.
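As an added illustration that is not part of the original article, the following Python sketch shows what the AH and ESP integrity checks cover: an AH-style check value spans the IP header (with per-hop mutable fields such as TTL zeroed) plus the payload, while an ESP-style check value spans only the encapsulated payload, which is why AH is the one that vouches for the packet's origin address. The key, addresses and packet contents are constructed for the demo, and the encoding is a simplified model rather than RFC 4302/4303 wire format.

```python
import hashlib
import hmac
import struct

# Constructed pre-shared integrity key; a real tunnel derives this via IKE.
PSK = b"constructed-demo-key"

def ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 51) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options); checksum left as zero."""
    def ip(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, ip(src), ip(dst))

def ah_icv(header: bytes, payload: bytes) -> bytes:
    """AH-style check value: IP header (mutable fields zeroed) plus payload."""
    immutable = bytearray(header)
    immutable[8] = 0                 # TTL is decremented at every hop
    immutable[10:12] = b"\x00\x00"   # header checksum is recomputed per hop
    return hmac.new(PSK, bytes(immutable) + payload, hashlib.sha256).digest()

def esp_icv(payload: bytes) -> bytes:
    """ESP-style check value: only the encapsulated payload, not the outer IP header."""
    return hmac.new(PSK, payload, hashlib.sha256).digest()

def verify(expected: bytes, actual: bytes) -> bool:
    """Constant-time comparison of two check values."""
    return hmac.compare_digest(expected, actual)

def demo() -> dict:
    hdr = ipv4_header("10.0.0.1", "10.0.0.2")
    payload = b"constructed branch-to-HQ packet"
    ah = ah_icv(hdr, payload)
    esp = esp_icv(payload)
    # A router decrements TTL in transit: a legitimate change that AH tolerates.
    hopped = ipv4_header("10.0.0.1", "10.0.0.2", ttl=63)
    # The source address is rewritten in transit: AH detects it, ESP's ICV cannot.
    rewritten = ipv4_header("192.0.2.9", "10.0.0.2")
    return {
        "ah_after_hop": verify(ah, ah_icv(hopped, payload)),
        "ah_rewritten_src": verify(ah, ah_icv(rewritten, payload)),
        "esp_rewritten_src": verify(esp, esp_icv(payload)),
        "esp_modified_payload": verify(esp, esp_icv(payload + b"x")),
    }

if __name__ == "__main__":
    print(demo())
```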

NGFW for SD-WAN Security

SD-WAN security relies heavily on a Next-Generation Firewall (NGFW). An NGFW is a virtualized and enhanced version of the conventional hardware-based firewall that can be deployed at all branches and at headquarters. Application awareness, intrusion detection and prevention, URL and web content filtering, malware detection, and antivirus protection are just a few of the Virtual Network Functions (VNFs) that an NGFW may perform. In addition to on-premises deployment, NGFWs and the VNFs they run can be hosted in the cloud.
