SD-WAN Network As Secure As My MPLS Network - V3 PDF
SD-WAN Network As Secure As My MPLS Network - V3 PDF
SD-WAN Network As Secure As My MPLS Network - V3 PDF
An MPLS network is a private network. The only Deploying SD-WAN over the top of a MPLS Most SD-WAN deployments are associated
way on and off it is through ports allocated by your network would be as secure, as well as adding with either a change of underlay network to
service provider. Access to and from the internet encryption to all traffic crossing your network, include internet-based transport or a change of
is typically via one of your data centres, where the but would require SD-WAN devices to handle architecture to move from centralised internet
perimeter security is often concentrated and traffic all traffic at spokes, hubs and cloud gateways. breakout at the hub (heavily firewalled and policy
flows are configured and limited. Because actual However, there are far simpler ways to achieve the controlled) to local internet breakout at each
messages being passed can only be seen by people application visibility and performance optimisation spoke location.
and applications within your private network features of SD-WAN using the capabilities built
domain, MPLS traffic isn’t usually encrypted. into MPLS.
Article
Internet-based transport There are two approaches that can be taken. How can I deploy SD-WAN and maintain
Moving to internet transport and encrypting your The first is to attempt to maintain this impervious security?
information in IPSec tunnels (as is done by all expanded perimeter. The second is to focus on Whilst SD-WAN networks are not as secure as
SD-WANs) is actually a very good way of keeping more internal security approaches such as identity traditional MPLS networks, if I’m asked “how can I
it safe. But the timing and nature of your traffic controls and micro segmentation. deploy SD-WAN and maintain security?”, then I am
flows are exposed. This information, completely back to my stock answer. It depends on how you
hidden in a MPLS world, could be used to identify Most SD-WAN vendors include an Access will use the SD-WAN, on your security policy and
key locations and times of the day, week or month Control List (ACL) which should prevent inbound the equipment you already have at remote sites,
when large information flows converge into a hub. communication over both the WAN ports and on your company’s policies and the regulations
That hub can then become a potential target for the management channels. Many customers it operates under and, as always, it depends on
DDoS ransom attacks on the assumption that these then combine this with the use of a cloud-based your appetite to risk. You have to weigh up the
flows are important for your company’s operation proxy for outbound communications, exploiting impact of a breach or loss of network connectivity
or regulatory compliance. functionality in many SD-WAN solutions to create against affordability to deploy additional security
and secure GRE or IPSec links to ZEN nodes. around the network as part of your SD-WAN
Unlike MPLS networks, SD-WAN networks have However, whilst providing reasonable security on transformation business case.
central controllers which are on the internet. Unless outbound traffic, this solution is relatively weak
well controlled, these may expose vulnerabilities. on inbound traffic. Spoofing traffic to get through One thing that is clear is that SD-WAN
A recent study found close to 5,000 IP addresses an ACL is not very hard for an experienced hacker, deployment is not just in the territory of the
spread over 2,000 hosts that appear to be SD- which is why maintaining a secure perimeter relies traditional network manager and the NOC.
WAN central-controller interfaces, most of which on good and consistent application of ACL policy Knowing what you are trying to achieve and
were running outdated versions of software which across the estate. what applications you are utilising is key, as is the
have known vulnerabilities. inclusion of the security team and the SOC early in
I frequently come across global enterprises who architectural development.
These central controllers not only represent a already have suitable firewalls in place at many
potential to gain the keys to your IPSec security, sites, making local internet breakout via SD-WAN
but also the ability to cut off access to a SD-WAN a low-incremental-risk option.
management server. This could result in you losing
visibility and an ability to change routing. After a As we are confident in the security of traffic
period of time, sites will be unable to exchange between SD-WAN devices, local internet breakout Find out how to get
updated keys with the manager and so will stop to secure services “in the cloud”, for example the
routing all together. customer’s Azure hosting environment, can be
secure high-performance
achieved by adding virtual SD-WAN devices within connectivity between your
Local internet breakout
Whilst the move to internet transport and
the IaaS solution. Alternatively, this can be done by
using the service provider’s traditional MPLS links
critical sites.
SD-WAN can therefore open up security risks, into AWS, Azure etc. without relying on internet
the biggest impact comes from using a site’s connectivity for this last leg. However, at this
internet connection for local internet breakout. point, cloud security controls, together with use
This moves the tightly-controlled and controllable of network access control and identity
internet-facing perimeter from a small number management controls, need to be considered
of major data centre locations to one where it depending on what assets and data are at, or
expands to each remote site. For our largest global accessed from, particular sites or locations and
customers, that could be 3,000 locations across by whom.
140 countries.
Offices worldwide
The services described in this publication are subject to availability and may be
modified from time to time. Services and equipment are provided subject to
British Telecommunications plc’s respective standard conditions of contract.
Nothing in this publication forms any part of any contract.