May 24, 2016 4m read

MPLS, SD-WAN and Network Security

Yishay Yovel
Yishay Yovel

Wondering where to begin your SASE journey?

We've got you covered!
Listen to post:
Getting your Trinity Audio player ready...

TechTarget has recently published an interesting article on the security implications of deploying SD-WAN using 2 customer case studies. In both cases, the customers wanted to extend an MPLS-only WAN into a hybrid WAN based on a combined MPLS and Internet connectivity.

There are several interesting anecdotes by the financial services customers (Scott Smith and “D.V.”) and a system integrator, Tim Coats from Trace3, interviewed for this article that I would like to highlight.

 

Is MPLS Secure?

MPLS security is based on the fact that it is a private network vs. the “public Internet”. The private nature of MPLS allowed an organization to not encrypt MPLS traffic, a big benefit in terms of encryption key management and required CPE (customer premise equipment) capabilities.  As D.V. puts it: “although the public Internet always carries some risk, the reality is that MPLS is also a shared medium. The irony of an MPLS circuit is that the security is VLANs—that’s all it is. You have your traffic marked and put into a special VLAN, so it’s running over the same pipe as everyone else’s MPLS circuit”.

 

Does SD-WAN improve on MPLS security?

For the customers, SD-WAN needs to be as secure as MPLS to be a viable extension. The immediate concern is encrypting the internet tunnel of the SD-WAN solution. This is a no-brainer: MPLS networks are often not encrypted and SD-WAN require organizations to think about encryption, something they may not have done before.

However, SD-WAN or MPLS aren’t security solutions.

“It’s not a physical layer of security. There’s no special inspection that a firewall might throw in, or an IDS or IPS. None of that is present in an SD-WAN solution, but none of that’s really present in an MPLS solution unless you choose to put it in.”

Beyond its core objective of offloading traffic from expensive MPLS link, SD-WAN doesn’t typically include Internet access security. This means that while SD-WAN solutions do slow down the growth in MPLS spending by using the Internet for backhaul, they have no impact of enabling direct internet access at the branch without adding 3rd party security solutions.

 

Do SD-WAN solutions go far enough in solving customers WAN challenges?

SD-WAN solutions abstract the physical topology of the network using a set of overlay encrypted tunnels. SD-WAN management help with encryption key distribution and management for remote locations, this could potentially be a big advantage as you don’t need a point to point encryption.

But does this address all WAN challenges?

Tim Coats says he is concerned with the point solution nature of SD-WAN. Coats would like to see SD-WAN vendors go one step further in simplifying how hybrid networks are secured by removing a lot of the manual labor and guesswork out of service chaining. And then there are the new emerging WAN elements. “Everyone is trying to solve this one little piece, and no one’s looking at the whole picture. And the whole picture is I have users who are everywhere, and my services are distributed on different platforms. I need one place I can pull it all together,” he says.

 

Summary

SD-WAN is primarily a networking technology – it is aiming to address the spiraling cost of MPLS by weaving into the WAN a cheaper, Internet-based, alternative.

Is security just an afterthought in the world of SD-WAN? It shouldn’t be. “Oh, God, yes,” D.V. says. “Security is networking. I object to the whole idea that security is separate.”

We couldn’t agree more. We view the integration of networking and security as a critical component of the future WAN. By security, we don’t mean just encrypting the transport layer which is a required enabling capability to route traffic over the Internet. We see an opportunity to embed a full network security stack into the WAN, and extend it to Cloud infrastructure and the mobile workforce. This approach can dramatically cut the capital and operational expense of networking and security, while delivering a powerful defense for the enterprise.

Learn more about SD-WAN vs. MPLS and the current and emerging options available to architect a secure WAN, by watching our recorded Webinar: MPLS, SD-WAN, and Cloud Network: The Path to a Better, Secure, and More Affordable WAN.

Read about Bitcoin mining security risks

Wondering where to begin your SASE journey?

We've got you covered!
Yishay Yovel

Yishay Yovel

Yishay drives Cato’s strategic communication to investors, partners, and customers. A Cato veteran, Yishay was the former CMO of Cato. Before Cato, Yishay held executive marketing positions at Trusteer, a financial fraud and advanced malware protection company, and at Imperva. Yishay has over 25 years of experience in marketing and product management in enterprise software companies in the areas of security, networking, IT infrastructure, and mobile computing. Yishay holds a bachelor degree in Law from Tel Aviv University.

Read More