Secured SD-WAN: Stateful Firewalls are not Enough


Agility and lower costs throughout a branch-office network are the biggest benefits and promises of software-defined WANs (SD-WANs). But what happens to security when we move some of the corporate traffic of the private MPLS network to public internet links?

Broadband routes opened across the public Internet expose branch traffic to malware and bad actors to a far greater degree than a carrier MPLS network does. Moreover, the combination of WAN virtualisation and the practice of placing applications in “the cloud” has extended the network perimeter. What is needed is a way to reap the advantages of SD-WAN technology without increasing the business risk. This means security functions must be placed at multiple points: in an organisation’s headquarters, at branch locations, and in the cloud, which adds complexity and operational difficulty. Ideally, data and network security are facets best addressed through a Managed Service.

A Stateful Firewall is Not Enough

Stateful firewall capabilities include policy-based filtering and blocking of applications by port or IP address. That may be sufficient as a phase 1 connectivity step, connecting a location across the Internet to a specific set of SaaS IP addresses, but it is not sufficient for broader Internet access. For that, Layer 4 to Layer 7 control capabilities, such as a next generation firewall (NGFW), an intrusion prevention system (IPS), URL filtering and more, are required.
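To make the distinction concrete, here is an added toy model (not PCCW Global code) of the two policy layers: a stateful Layer 3/4 filter that tracks connections and allowlists SaaS IPs, beside a Layer 7 URL-category check. The IPs, hostnames and category feed are constructed sample data.

```python
# Added illustration (not from the article or PCCW Global): a toy model of the two
# policy layers the article contrasts. All IPs, hosts and categories are constructed.
from dataclasses import dataclass

SAAS_ALLOWLIST = {"203.0.113.10", "203.0.113.11"}   # constructed "phase 1" SaaS targets
RISKY_CATEGORIES = {"malware", "phishing"}
URL_CATEGORY = {                                     # constructed web-filter feed
    "mail.saas-example.com": "business",
    "free-prizes.example.net": "phishing",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    host: str = ""   # HTTP Host / TLS SNI: visible only to a Layer 7 engine

class StatefulFilter:
    """Layer 3/4 policy: outbound TCP/443 to allowlisted SaaS IPs only, unless
    broad_internet is set; return traffic is admitted only for tracked flows."""
    def __init__(self, broad_internet: bool):
        self.broad_internet = broad_internet
        self.table = set()

    def outbound(self, f: Flow) -> bool:
        if f.dport != 443:
            return False
        if not self.broad_internet and f.dst not in SAAS_ALLOWLIST:
            return False
        self.table.add((f.src, f.dst, f.dport))   # remember the connection
        return True

    def inbound(self, src: str, dst: str, sport: int) -> bool:
        # A stateful filter admits only replies to connections it has seen.
        return (dst, src, sport) in self.table

def url_filter(f: Flow) -> bool:
    """Layer 7 check: block destinations whose web category is risky."""
    return URL_CATEGORY.get(f.host, "uncategorised") not in RISKY_CATEGORIES

def decide(f: Flow, fw: StatefulFilter, layer7: bool) -> str:
    """Evaluate a flow through the stateful filter and, optionally, URL filtering."""
    if not fw.outbound(f):
        return "blocked-by-stateful"
    if layer7 and not url_filter(f):
        return "blocked-by-url-filter"
    return "allowed"
```

With the SaaS-only allowlist the stateful filter alone is enough; once broad Internet access is enabled, a phishing host on port 443 passes the stateful check and is only stopped by the Layer 7 URL filter.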

Most common SD-WAN implementations offer a way to encrypt branch-to-branch corporate traffic using IPsec, which protects the data in transit. Because most SD-WAN vendors offer IPsec, it is not uncommon to assume that SD-WANs are secure. While it is true that IPsec protects the data as it traverses the network, it does nothing to stop break-ins and malware in direct branch-to-cloud traffic.

A comprehensive security solution that includes not only IPsec transport encryption but also next-generation firewalls (NGFWs) with unified threat management (UTM) features is one of the top criteria for successfully deploying an SD-WAN, and it significantly strengthens the layers of defence. We all know there is no single security application that by itself can solve the cybersecurity dilemma. A comprehensive bundle of security functions is needed to mitigate the different types of risk across the threat landscape.

There is a Solution

The ideal way to overcome these potential security weaknesses is to look for an SD-WAN provider who can also provide additional security as a service. For example, PCCW Global can act as a one stop shop for both the provision of SD-WAN and a choice of managed services. One supplier means a single point of contact, a single contract and easier day to day management.

A Managed Firewall and/or Cloud Security Solution incorporates a variety of advanced security functions, including sandboxing, application control, intrusion detection and prevention (IDS/IPS), quarantining or otherwise deflecting detected malware, and web filtering, which identifies risky Internet sites and prevents users from visiting them.

Because every branch constitutes a WAN edge with exposure to the public Internet, all of these capabilities are required at each one. Some solutions also offer the flexibility to choose between dedicated SD-WAN and firewall appliances or virtual images hosted on the same equipment, depending on needs and budget.

No matter what you choose, the important thing is to remember that stateful firewalls are not enough to protect your network. When choosing your SD-WAN provider, look carefully at the security options available to you.
