What's Ahead for SD WAN in 2021

By Aleksander Gorkowienko, Managing Consultant of SecurityLabs at Spirent

Today, every significant player in the IT business is considering investing in an SD-WAN solution - an innovation that could not only become a replacement for existing MPLS based networks but improve corporate network performance, agility and security. SD-WAN is a relatively new approach to networking despite the fact that first experiments with software-defined networks were done in late 90's-early 2000's when MPLS was born. At that time, many started thinking about WAN traffic optimization, which ultimately led to the concept of SD-WAN. Building on its history, as I look into my crystal ball, I think SD-WAN has a unique potential to start transforming connectivity for enterprises by connecting home, branch and multi-cloud environments in 2021. However, as this shift begins, security cannot be an afterthought. The robust security of SD-WAN is not only critical for keeping the customers' traffic and data safe but is also a key "enabler" for quick adoption of the technology.

WAN and SD-WAN compared

SD-WAN Protocol Standards are on the Horizon

It is worth to point out that while SD-WAN is, indeed, a significant improvement over today's WAN there is a significant challenge: there isn't any SD-WAN protocol standard. As a consequence, all current solutions are proprietary, which in turn, results in vendor lock-in.

While promising many benefits for the future, such as reducing network complexity, improving resilience and reliability and providing more efficient access to the cloud and SaaS applications, SD-WAN is still an immature technology and not free from security flaws. The incorrect implementation of SD-WAN features or misconfiguration could (and will) expand the network attack surface and expose businesses to additional unnecessary security risks unless security measures are taken.

By design, SD-WAN is supposed to provide various advanced security features which should raise the corporate security to the next level. Those security features are an integral part of SD-WAN and include automatic and optimized traffic routing, filtering, managing quality of service (which is very important for latency-sensitive applications), anti-virus and anti-malware protection and many more. There is high agility in managing these traffic and security rules so they can be defined and fine-tuned for hundreds of network services and applications.

As always, the devil is in the detail, and, from the practical perspective, a lot is in the hands of the SD-WAN vendors and the way they implement those features. Having worked for years hand in hand with major vendors of network equipment and systems to make their solutions robust and secure, we are very familiar with this approach. And as we look to the new year, the Spirent team has been supporting efforts to develop the SD-WAN application security standard that vendors can rely on. These include SD-WAN Security Standard (MEF-88) and Security Certification Program in collaboration with MEF (Metro Ethernet Forum).

Industry Will Refocus on Practical SD-WAN Cybersecurity Measures

From a practical cybersecurity point of view, there are two large areas requiring additional attention as adoption increases in 2021:

1. SD-WAN implementation, including the security of SD-WAN endpoints, managing interfaces, virtualized services, zero-touch provisioning mechanisms and more.
2. SD-WAN configuration, which is specific to the customer
   

We are working towards providing a set of vendor-agnostic guidelines and certification schemes for SD-WAN implementation (for vendors) and SD-WAN configuration (for customers), so the IT industry could have a reliable reference point regarding the security of the solution. Our approach to testing SD-WAN will combine security and performance assessment as, in my opinion, they are equally important.

Testing SD-WAN performance in this new era will require using a set of specialized tools, but the security assessment is mainly a manual process, when the security consultant will be checking areas including but not limited to:

• SD-WAN virtual appliance build review
• Appliance firmware analysis and code review
• Hypervisor security
• MBF VMs breakout (if applicable)
• Privilege escalation within MBF
• Encryption/decryption mechanisms
• Communication on the control plane
• Communication on the user plane
• Security of data in transit
• Remote management
• Zero-touch provisioning mechanisms
  

The Promise of SD-WAN

The promise of SD-WAN is to make networks faster, better, cheaper, more reliable and secure. While there are some inevitable trade-offs, early adopters of SD-WANs report many benefits, so the others now follow the path. I predict the further rapid expansion of this technology, making it is even more important for industry to contribute to the development of SD-WAN and the necessary security measures to ensure it becomes the true Connectivity of Tomorrow.

##

About the Author

Aleksander Gorkowienko is a cybersecurity advocate, trainer and speaker with more than 20 years of practice in the security business, working in numerous industry sectors. He is a senior consultant and a part of the vibrant Spirent SecurityLabs team. Aleksander has a passion for cybersecurity which he shares with business leaders and industry audiences both through his work as a security professional and through his various public speaking engagements. His primary focus is building long-term corporate cyber resilience and ethical hacking.

Aleksander is a practitioner, managing penetration testing team for years and helping companies and individuals to protect their valuable assets and data. He believes that cybersecurity is never a one-time action - it is a continuous process which engages the whole organization on all levels and requires all employees to be aware and confident of modern cyber threats.