September 6, 2020

Challenges of SD-WAN security

A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.

August 2019 saw a significant increase in the discovery of new malware according to statistics from AV-TEST – The Independent IT-Security Institute. In August alone, 14.44 million new malicious programs were registered by the institute, raising the total number of registered malware programs above 938 million. The sheer magnitude of these numbers provides a sobering perspective and helps quantify the threats facing enterprise networks.

As the WAN is the ingress and egress point of corporate networks, securing it is vital to mitigating risk and improving security posture. However, cloud services and mobile users make networks much more dynamic and difficult to secure than they were just a decade ago.

These fundamental changes in how we do business demand a new approach to WAN security. Appliance-based SD-WAN and MPLS (Multiprotocol Label Switching) simply aren’t designed to address these use cases. Fortunately, cloud-based SD-WAN offers enterprises a holistic WAN solution capable of meeting modern security challenges at scale with cloud-native software and security as a service.

But what makes cloud-based SD-WAN security and the security as a service model different? Let’s find out.

WAN Security and the Challenges Facing the Enterprise

A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.

MPLS was designed to provide dedicated, reliable, and high-performance connections between two endpoints before cloud and mobile took over the world. However, there’s no encryption on MPLS circuits and any security features like traffic inspection, IPS (Intrusion Prevention System), and anti-malware have to be layered in separately. Appliance-based SD-WAN generally offers encryption, solving one of the problems associated with MPLS, but it’s effectively the same story after that. SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge.

For both MPLS and appliance-based SD-WAN, the “add appliances to add security” approach has a number of shortcomings including:

  • Complex and difficult to scale. The more appliances you add, the more complex the network becomes. Not only does each additional appliance require more time investment, it introduces more potential for oversights that lead to costly breaches. A single misconfigured appliance can create a major security risk and manual configuration is conducive to oversight and errors.
  • Expensive. Each discrete appliance must be sourced, licensed, provisioned, and maintained, and the cost adds up fast.
  • Limited when it comes to cloud and mobile. Appliance-based architectures are inherently site-focused. There isn’t a simple way to add support for cloud most appliances, both from a security and connectivity standpoint.

Why SD-WAN Security with Cloud-Native Software & Security as a Service is a Game-Changer

The cloud-native network infrastructure supporting the ICG Asia's SD-WAN takes security to the next level by integrating security features to the underlying WAN fabric. Built from the ground up with modern enterprise networks in mind, ICG Asia’s cloud-native infrastructure eliminates the need for most proprietary hardware integrations by baking-in security features, reduces complexity by providing a single management interface, and reduces the technical expertise and time investment required for WAN management.

Additionally, inspections of TLS traffic occur at the PoPs (Points of Presence) on ICG Asia’s global private-backbone helping to secure traffic to and from the cloud efficiently. Further, with ICG Asia's Software Defined Perimeter, support for mobile users becomes simple and scalable.

In short, by shifting security functions to the cloud, ICG Asia delivers security as a service model that brings cloud scalability, economies of scale, and agility to SD-WAN security.

Enterprise-Grade Cloud-Based SD-WAN Security Features

Now that we understand the architectural advantages of cloud-based SD-WAN security, let’s explore some of the specific features that set ICG Asia SD-WAN apart.

  • NGFW. Inspects WAN and Internet-bound traffic and allows implementation of granular security policies based on network entities, time, and type of traffic. The NGFW’s Deep Packet Inspection engine classifies applications or services related to a given traffic flow without decrypting payloads. This helps the NGFW achieve full application awareness and contextualize traffic for more granular policy enforcement.
  • Secure Web Gateway (SWG). Malware, phishing, and similar attacks that originate on the Internet pose a real threat to enterprise WANs. SWG focuses on web access control to prevent downloads of suspicious or malicious software. Predefined policies exist for a number of website categories and enterprises can input their own custom rules to further optimize web safety within the WAN.
  • Anti-malware. To deliver enterprise-grade anti-malware functionality, the ICG Asia SD-WAN takes a two-pronged approach. First, a signature and heuristics-based engine that is updated with the latest information from global threat databases scans traffic for malware. Second, ICG Asia has partnered with infosec industry leader SentinalOne to incorporate artificial intelligence and machine learning to identify unknown malware that may evade signature-based checks.
  • IPS. Intrusion Prevention System provides contextually-aware SD-WAN security. Customers benefit from the scale of the ICG Asia network in the form of a more robust IPS. Research Labs use big data to optimize IPS performance and reduce false positives and false negatives.
  • Managed Threat Detection and Response Service (MDR). With MDR, enterprises can offload compromised endpoint detection to ICG Asia’s security operations center (SOC). With MDR, enterprises not only reduce the support burden on in-house staff, they minimize one of the key drivers of damage created by malware: dwell time. With MDR, ICG Asia’s SOC works to rapidly identify and contain threats as well as advise on remediation. The SOC team also provides monthly reports that help quantify network security incidents (here’s a genericized example report for reference (PDF)).

Modern and Scalable SD-WAN Security

As we’ve seen, the complexities and cost of sourcing, provisioning, patching, and maintaining a fleet of appliances are abstracted away with security as a service. Cloud-based SD-WAN offers a number of inherent advantages appliance-based SD-WAN and MPLS simply can’t deliver. This is because cloud-native software and the security as a service model enable ICG Asia to take a converged approach to networking and security. As a result, users benefit from an information security, operations, and business perspective.

This point is driven home by Jeroen Keet, Senior Network and System Architect at Kyocera Senco: “Companies moving to the cloud should have a closer look. The integrated connectivity, security, and intelligence make it an evolutionary step forward for all businesses. If you are willing to use all of the functionality [SD-WAN] has to offer, it will bring significant financial, functional and IT management benefits.”

If you’d like to learn more about how ICG Asia is revolutionizing SD-WAN security or need help choosing a WAN connectivity solution that meets your needs, book a Discovery Workshop today.

Have time for a coffee?

Face to face or over Zoom, we are here to help you.
Sharing insights and solving IT challenges.
We make "IT" possible.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Read more
You might also be interested in...
Gartner Report 2021 Strategic Roadmap for SASE Convergence
Gartner Report 2021 Strategic Roadmap for SASE Convergence

April 20, 2021

Digitalization, work-from-anywhere, and cloud computing have accelerated SASE offerings to address the need for secure and optimized access, anytime, anywhere, and on any device.
Industry 4.0 – Talking About a Revolution
Industry 4.0 – Talking About a Revolution

March 15, 2021

Industry 4.0 represents the next phase of innovation in production processes, merging traditional systems with new digital technologies (IoT, AI, big data, AR, robotics, M2M, real-time analytics, and so on), facilitating automation, agility, and efficiency to create a world of smart manufacturing.
SASE vs. SD-WAN: Achieving Cloud-Native WAN Security
SASE vs. SD-WAN: Achieving Cloud-Native WAN Security

February 8, 2021

For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central data centers in a cost-effective manner. It is the networking equivalent of a killer application that allows companies to use a variety of transport mechanisms besides MPLS and to steer traffic according to business priorities.
Why Remote Work and Legacy Security Architectures Don’t Mix
Why Remote Work and Legacy Security Architectures Don’t Mix

January 25, 2021

Last week, Cato Networks announced the results of the 5th annual IT survey, The Future of Enterprise Networking and Security: Are You Ready for the Next Leap. It was a massive undertaking that saw 2,376 participants from across the globe provide detailed insights into how their organizations responded to the COVID-19 crisis, their plans for 2021, and what they think about secure access service edge (SASE).
SD-WAN or SASE: Choose a platform rather than a product
SD-WAN or SASE: Choose a platform rather than a product

January 12, 2021

As enterprises set out to modernize their networks, SD-WAN has become a key networking technology for connecting offices. But with COVID-19, users transitioned to work at home, not in the office.
Connecting Hybrid Clouds with SD-WAN in a Snap
Connecting Hybrid Clouds with SD-WAN in a Snap

December 7, 2020

How to integrate hybrid clouds and multi-clouds with SD-WAN in 5 minutes or less.
Thought SD-WAN Was What You Needed to Transform your Network? Think Again.
Thought SD-WAN Was What You Needed to Transform your Network? Think Again.

November 9, 2020

Since its premier over a decade ago, SD-WAN was adopted by enterprises as the go-to-technology for preparing their network for the digital transformation.
Rethinking Enterprise Remote Access VPN Solutions: Designing Scalable VPN Connectivity
Rethinking Enterprise Remote Access VPN Solutions: Designing Scalable VPN Connectivity

November 2, 2020

The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly – almost overnight – giving companies little time to prepare for so many people to work remotely. To keep business functioning as best as possible, enterprises need to provide secure remote connectivity to the corporate network and cloud-based resources for their remote workers.
Secure Remote Work: Deploying Zero Trust Access
Secure Remote Work: Deploying Zero Trust Access

October 12, 2020

The global pandemic has forced knowledge workers to move out of their offices en masse to the isolated environment of their homes. Most will return to the office at some point, even if only part-time, as companies adjust to social distancing measures meant to keep employees safe.
How much does SD-WAN cost?
How much does SD-WAN cost?

October 6, 2020

Calculating the cost of SD-WAN can be complicated, especially when it comes to CAPEX vs OPEX and ambiguous ROIs. With so many vendors promising massive savings over MPLS internet connections, SD-WAN is currently been touted as one of the hottest categories in networking today. Take a closer look at the costs, considerations, potential savings and leverage the SD-WAN calculator to estimate your organisations SD-WAN cost.
Considerations for a branch office firewall
Considerations for a branch office firewall

October 5, 2020

Organisations looking for a branch office firewall upgrade, refresh or deploying firewalls to new sites, need to consider multiple different elements. Let's walk through all of the major factors to consider for a branch firewall and why organisations should consider SD-WAN, and more recently Secure Access Service Edge (SASE) as part of their next-generation of branch network security.
What is STaaS?
What is STaaS?

September 22, 2020

Storage as a service (STaaS) is a managed service model for purchasing data storage based on consumption, where a company only pays for what they use, typically on a per-GB per-month basis.
What is SD-WAN?
What is SD-WAN?

September 21, 2020

Software-Defined WAN (SD-WAN) is a networking technology that seamlessly connects branch offices, HQs cloud and data centers over broadband internet rather than MPLS leased lines.
SD-WAN vs. VPN comparison
SD-WAN vs. VPN comparison

September 15, 2020

Internet-based VPN vs MPLS was the debate for some time, WAN technology has evolved in recent years. During that time, SD-WAN has emerged as an enterprise WAN connectivity solution that provides a combination of cost efficiency, agility, and cloud-friendliness that neither MPLS nor Internet-based VPN can match.
SD-WAN vs. MPLS vs. broadband public internet
SD-WAN vs. MPLS vs. broadband public internet

September 10, 2020

To meet the needs of a global enterprise, our network architectures need to evolve as well. Which architectural approach will best serve your needs — MPLS, public internet or cloud networks?
SD-WAN vs. MPLS: Choose the best WAN solution for you
SD-WAN vs. MPLS: Choose the best WAN solution for you

September 9, 2020

You've probably heard about SD-WAN and its promise to transform enterprise networking as we know it. And, by enterprise networking we mean the use of MPLS at the core of enterprise networks. So, to SD-WAN or to MPLS? Here is what you need to consider.
Alternatives to MPLS internet
Alternatives to MPLS internet

September 8, 2020

SD-WAN is looking to address the challenges of MPLS like cost, capacity, rigidity, and manageability.
Challenges of SD-WAN security
Challenges of SD-WAN security

September 6, 2020

A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.
WAN Optimization in the SD-WAN Era
WAN Optimization in the SD-WAN Era

September 3, 2020

WAN optimization has been with us for a long time. Born alongside expensive and capacity constrained WAN connectivity, such as MPLS, WAN optimization appliances allowed organizations to squeeze more bandwidth out of thin pipes through compression, and prioritize traffic of loss-sensitive applications such as remote desktops.
History of SD-WAN
History of SD-WAN

August 28, 2020

Let's take a look at the history of WAN and as we journey from Point-to-Point, T1/T3, Frame Relay, to MPLS, and finally arrive at SD-WAN.
How to load balance multiple internet connections?
How to load balance multiple internet connections?

August 18, 2020

Internet load balancing or fail-over for multiple internet connections can seem like a tight rope walk, but it doesn't have to be. There are multiple ways to accomplish it, from point products to routers and firewalls. Let's take a look at the options and alternatives.
How does SD-WAN work?
How does SD-WAN work?

August 12, 2020

SD-WAN has quickly become the go-to technology for enterprises seeking to leverage the cloud and embrace digital transformation. Yet, much confusion still exists about what exactly is an SD-WAN, and how the technology works.
WAN Optimization vs. SD-WAN
WAN Optimization vs. SD-WAN

August 11, 2020

With the rising popularity of SD-WAN, there is a growing debate that WAN optimization is becoming obsolete. SD-WAN is gaining acceptance and for good reason. It creates an intelligent overlay of multiple transports on your WAN to efficiently and automatically route traffic over the most optimal path.
How to connect multiple branch offices?
How to connect multiple branch offices?

August 10, 2020

How do you connect multiple offices rapidly and affordably without sacrificing performance?
Last mile constraints for SD-WAN
Last mile constraints for SD-WAN

August 3, 2020

From pairing MPLS with a backup internet connection, to link-bonding for aggregate last-mile, SD-WAN introduces new ways to handle old problems, with policy-based routing, active/active links, packet loss mitigation, and quality of service (QoS).
Affordable MPLS Alternatives
Affordable MPLS Alternatives

July 28, 2020

After decades of use, enterprises are looking for MPLS alternatives. To be considered a viable alternative, a network must match MPLS’ service levels for predictability and consistency, while avoiding its pitfalls of cost, rigidity and capacity constraints.
SD-WAN vs. MPLS redundancy
SD-WAN vs. MPLS redundancy

July 23, 2020

How can SD-WAN deliver the same reliability and redundancy as MPLS when it uses the public Internet?
How does SD-WAN benefit digital transformation?
How does SD-WAN benefit digital transformation?

July 21, 2020

Digital transformation is all about agility. SD-WAN enables organisations to be more agile in multiple different ways. Such as the ability to rapidly stand-up a new site with secure internet and inter-office connectivity, without the need for additional security appliances, make policy changes across multiple sites on-the-fly, gain real-time visibility of users and connections, on-board new VPN users for remote work without worries license or connection limits.
The Trombone Effect
The Trombone Effect

July 3, 2020

The “Trombone Effect” occurs in a network architecture that forces a distributed organization to use a single secure exit point to the Internet. Simply put, network traffic from remote locations and mobile users is being backhauled to the corporate datacenter where it exits to the Internet through the corporate’s security appliances stack. Network responses then flow back through the same stack and travel from the data center to the remote user.
Evolution of SD-WAN
Evolution of SD-WAN

June 2, 2020

SD-WAN has become more than just a network for connecting locations. The rise of cloud, mobile, and business agility demands has required SD-WAN to become smarter by providing security, optimization, intelligence, and better reach. These changes in SD-WAN can be broken down into three phases, reflecting the ways that SD-WAN technologies have adapted over time to the demands of business requirements.