MPLS, SD-WAN and Network Security
Listen to post:
Getting your Trinity Audio player ready...
|
TechTarget has recently published an interesting article on the security implications of deploying SD-WAN using 2 customer case studies. In both cases, the customers wanted to extend an MPLS-only WAN into a hybrid WAN based on a combined MPLS and Internet connectivity.
There are several interesting anecdotes by the financial services customers (Scott Smith and “D.V.”) and a system integrator, Tim Coats from Trace3, interviewed for this article that I would like to highlight.
Is MPLS Secure?
MPLS security is based on the fact that it is a private network vs. the “public Internet”. The private nature of MPLS allowed an organization to not encrypt MPLS traffic, a big benefit in terms of encryption key management and required CPE (customer premise equipment) capabilities. As D.V. puts it: “although the public Internet always carries some risk, the reality is that MPLS is also a shared medium. The irony of an MPLS circuit is that the security is VLANs—that’s all it is. You have your traffic marked and put into a special VLAN, so it’s running over the same pipe as everyone else’s MPLS circuit”.
Does SD-WAN improve on MPLS security?
For the customers, SD-WAN needs to be as secure as MPLS to be a viable extension. The immediate concern is encrypting the internet tunnel of the SD-WAN solution. This is a no-brainer: MPLS networks are often not encrypted and SD-WAN require organizations to think about encryption, something they may not have done before.
However, SD-WAN or MPLS aren’t security solutions.
“It’s not a physical layer of security. There’s no special inspection that a firewall might throw in, or an IDS or IPS. None of that is present in an SD-WAN solution, but none of that’s really present in an MPLS solution unless you choose to put it in.”
Beyond its core objective of offloading traffic from expensive MPLS link, SD-WAN doesn’t typically include Internet access security. This means that while SD-WAN solutions do slow down the growth in MPLS spending by using the Internet for backhaul, they have no impact of enabling direct internet access at the branch without adding 3rd party security solutions.
Do SD-WAN solutions go far enough in solving customers WAN challenges?
SD-WAN solutions abstract the physical topology of the network using a set of overlay encrypted tunnels. SD-WAN management help with encryption key distribution and management for remote locations, this could potentially be a big advantage as you don’t need a point to point encryption.
But does this address all WAN challenges?
Tim Coats says he is concerned with the point solution nature of SD-WAN. Coats would like to see SD-WAN vendors go one step further in simplifying how hybrid networks are secured by removing a lot of the manual labor and guesswork out of service chaining. And then there are the new emerging WAN elements. “Everyone is trying to solve this one little piece, and no one’s looking at the whole picture. And the whole picture is I have users who are everywhere, and my services are distributed on different platforms. I need one place I can pull it all together,” he says.
Summary
SD-WAN is primarily a networking technology – it is aiming to address the spiraling cost of MPLS by weaving into the WAN a cheaper, Internet-based, alternative.
Is security just an afterthought in the world of SD-WAN? It shouldn’t be. “Oh, God, yes,” D.V. says. “Security is networking. I object to the whole idea that security is separate.”
We couldn’t agree more. We view the integration of networking and security as a critical component of the future WAN. By security, we don’t mean just encrypting the transport layer which is a required enabling capability to route traffic over the Internet. We see an opportunity to embed a full network security stack into the WAN, and extend it to Cloud infrastructure and the mobile workforce. This approach can dramatically cut the capital and operational expense of networking and security, while delivering a powerful defense for the enterprise.
Learn more about SD-WAN vs. MPLS and the current and emerging options available to architect a secure WAN, by watching our recorded Webinar: MPLS, SD-WAN, and Cloud Network: The Path to a Better, Secure, and More Affordable WAN.