Software Defined WAN (SD-WAN): Security Implications and Design Solutions

Software Defined WAN (SD-WAN) is transforming Wide Area Networks (WANs) by providing a highly available Secure WAN Transport combined with Direct Internet Access in the branches. With SD-WAN, Enterprises can mix WAN service offerings from multiple providers (MPLS, Internet, Carrier Ethernet, 3G/4G, etc.) to optimize their bandwidth costs and dynamically balance applications across the various links. This session will discuss the security implications of this new architecture. SD-WAN can be implemented either using a tunnel transport centralized security method which adheres to the current security design models where users still access the Internet centrally, or with Direct Internet access where users in each branch access the Internet directly from the branch. With Direct Internet Access, enterprises can improve public cloud application performance and offload the private WAN of Internet bound traffic, which reduces the need for more private WAN bandwidth. This has security implications however, in terms of NG-Firewall, NG-IPS, VPN, encryptions suites, web secure gateway access for users, and advanced anti-malware placement and design. These security assets can be provided locally in the branch, centrally at the head end, or in the cloud. Security design pro’s and con’s for centralized tunnel transport and Direct Internet access will be laid out. The problem of how to intercept applications and dynamically redirect a small number of whitelisted ones only out the local Internet connection is a difficult one currently to solve. Possible solutions will be discussed.