SD-WAN Security: 3 Reasons to make it Top Priority by Ben Ferguson


For CTOs thinking about migrating from an MPLS network architecture to SD-WAN or a hybrid architecture, security has to be the number one priority. SD WAN acts as a carrier-independent logical overlay network with the ability to relay commands to and receive data from WAN nodes on one or more public or private WANs (and even LTE networks).

This makes enterprise device deployment quick, easy and scalable with boxes able to be delivered to data centers and branches (or cloud PoPs), plugged in, configured and activated, even by non-IT personnel. Some will automatically call 'home' on activation, instantly becoming part of the WAN.

Whereas MPLS is adequate for small enterprises with no public internet-based apps or services, it is expensive and inflexible when you need to expand and/or venture out on to the public internet.

Before writing your WAN RFP or speaking to SD WAN consultants, make sure you have security top of mind. This article explains why.

  1. Protection is Critical on the Public Information Highway

Transporting customer data from the relative safety of a traditional WAN network within a private space to an SD WAN encompassing cloud apps and services is like venturing from the familiar safety of your local neighborhood streets and out onto the highway.

This public information highway – which includes the internet – is the hunting ground of hackers and cyberterrorists, avidly scanning networks for vulnerabilities. Dealing with the increased threat your business will face will require much more than a standard firewall, so it is imperative that you set out your security requirements in a robust WAN RFP or when discussing migration with a consultant from the SD WAN space.

  2. Only the Secure will Survive

This evolutionary maxim applies to both SD WAN carriers and the businesses who use their services. Business decision-makers as a whole are more concerned about security than any other aspect of SD WAN migration and with good cause. The penalties for a data protection breach – in terms of fines, legal damages and loss of customer trust – are so severe that many businesses, particularly SMEs, are unlikely to survive one.

An insecure SD WAN carrier could go out of business very quickly if one of its customers takes a financial or reputation hit, even if your customers' private data is safely segmented when an attack happens. This could leave you floundering as you search for another carrier.

To minimize the risk of these nightmare scenarios, choose a secure SD WAN carrier from the outset.

  3. The Age of Security is Dawning

As the enterprise community figures out its place within the cloud, there is currently a lot of variation in the SD WAN landscape and relatively little standardization. As the most security aware businesses and SD WAN providers begin to gravitate towards one another, it is inevitable that the most effective security systems and deployments will emerge.

These security measures are likely to form the backbone of industry-wide SD WAN security standardization, leading to a scramble to become compliant. If your SD WAN carrier is lagging behind in the security stakes, they may be regulated out of existence or seek to pass on compliance costs to their enterprise clients. In short, if you cut corners on security now, you are likely to be risking data protection for bottom-line savings that you will end up paying for later anyway.

What Does Secure SD WAN Look Like?

So what sort of security and technologies should CTOs be on the lookout for when discussing SD WAN architecture?

The three main areas to focus on are encryption/authentication, threat protection and security policy.

SD WANs should be using technology such as IPSec to perform end-to-end encryption and authentication on data packets being transported between edges (the SD WAN equivalent of nodes). Recall that this layer of security overlays and is independent of existing encryption and authentication protocols on individual WANs so this shouldn't be a cause of concern.
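To make the encryption/authentication requirement concrete, here is an added example in Go (not from the article and not any SD WAN vendor's code) that models one IPsec-style tunnel between two edges: AES-256-GCM provides both confidentiality and packet authentication, and a sequence number carried in the clear but covered by the authentication tag provides replay protection. It assumes a shared key provisioned out of band (real IPsec negotiates keys with IKE), uses a single key with a direction byte in the nonce instead of IPsec's separate per-direction security associations, and applies a strict-monotonic replay check rather than IPsec's sliding window. It is not a full ESP implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const seqLen = 8 // bytes of sequence number prepended to every tunnel packet

// Tunnel is one end of a simplified security association between two SD WAN edges.
type Tunnel struct {
	aead    cipher.AEAD
	sendDir byte   // 0 for the initiator, 1 for the responder; keeps nonces distinct per direction
	sendSeq uint64 // last sequence number sent
	recvSeq uint64 // highest sequence number accepted from the peer
}

// NewTunnel builds one end. Both ends must share the same key (assumed to be
// provisioned out of band); initiator decides which direction id this end sends with.
func NewTunnel(key []byte, initiator bool) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	t := &Tunnel{aead: aead}
	if !initiator {
		t.sendDir = 1
	}
	return t, nil
}

// nonce derives the GCM nonce from direction and sequence number, so a
// (key, nonce) pair is never reused in either direction for the life of the key.
func (t *Tunnel) nonce(dir byte, seq uint64) []byte {
	n := make([]byte, t.aead.NonceSize())
	n[0] = dir
	binary.BigEndian.PutUint64(n[len(n)-seqLen:], seq)
	return n
}

// Seal turns a payload into a tunnel packet: sequence number || ciphertext || tag.
// The sequence number is additional authenticated data, so it cannot be altered
// in transit without invalidating the tag.
func (t *Tunnel) Seal(payload []byte) []byte {
	t.sendSeq++
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint64(hdr, t.sendSeq)
	out := make([]byte, seqLen, seqLen+len(payload)+t.aead.Overhead())
	copy(out, hdr)
	return t.aead.Seal(out, t.nonce(t.sendDir, t.sendSeq), payload, hdr)
}

// Open verifies and decrypts a packet from the peer. Any packet that fails the
// replay check or the authentication tag is dropped before its contents are used.
func (t *Tunnel) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < seqLen+t.aead.Overhead() {
		return nil, errors.New("drop: packet too short")
	}
	hdr := pkt[:seqLen]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= t.recvSeq {
		return nil, errors.New("drop: replayed sequence number")
	}
	pt, err := t.aead.Open(nil, t.nonce(1-t.sendDir, seq), pkt[seqLen:], hdr)
	if err != nil {
		return nil, errors.New("drop: authentication failed (modified or forged packet)")
	}
	t.recvSeq = seq // advance only after the tag verified, so forgeries cannot move the window
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key (assumption)
	branch, _ := NewTunnel(key, true)
	dc, _ := NewTunnel(key, false)

	pkt := branch.Seal([]byte("branch -> data center: payroll batch"))
	pt, err := dc.Open(pkt)
	fmt.Printf("first delivery: %q err=%v\n", pt, err)

	_, err = dc.Open(pkt) // the same packet captured on the public WAN and replayed
	fmt.Println("replay:", err)

	tampered := branch.Seal([]byte("second packet"))
	tampered[len(tampered)-1] ^= 0x01 // one bit flipped in flight
	_, err = dc.Open(tampered)
	fmt.Println("tampered:", err)
}
```

The point for an RFP reader is which failures the overlay must catch on its own: the replayed packet is rejected by the sequence check before any cryptography runs, the modified packet fails the tag check, and neither outcome depends on whatever encryption the underlying carrier network does or does not provide.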

There should also be some sort of UTM technology in place, such as an NGFW, rather than a standard firewall, which will not be sophisticated enough to protect clients from the smart hackers at work in the public space. Above all, there should be some kind of lucid security policy focused on ensuring best practice and compliance.

Most CTOs do prioritize security when researching SD WAN providers, and hopefully this article has convinced you to follow suit. When drawing up your WAN RFP or meeting an SD WAN consultant to discuss your requirements, be sure to ask for detailed information about the security measures they have in place. It would also be pertinent to question them about their plans for the future with regard to compliance. Insecure SD WAN deployments will put your customers' data at risk. Even if a data breach doesn't put you or your carrier out of business, the inevitable standardization on the horizon will leave you struggling to keep pace. Prioritize security at the outset to future-proof your migration to the information fast lane.

About Ben Ferguson:

Ben Ferguson is the Senior Network Architect and Vice President of Shamrock Consulting Group, the leader in technical procurement for telecommunications, data communications, data center, cloud services and dark fiber consulting.

Since his departure from biochemical research in 2004, he has built core competencies around enterprise wide area network architecture, high density data center deployments, public and private cloud deployments, and voice over IP telephony.

Ben has designed hundreds of wide area networks for some of the largest companies in the world. When he takes the occasional break from designing networks, he enjoys surfing, golf, working out, trying new restaurants and spending time with his wife Linsey and his dog Hamilton.


Technical Terms

IPSec (Internet Protocol Security) – a suite of protocols that authenticates and encrypts data over a network.

LTE (Long Term Evolution) – High speed mobile telecommunications technology.

MPLS (Multiprotocol Label Switching) – a technique used in WANs to manage data transport between nodes. It can encapsulate different network protocols.

NFV (Network Functions Virtualization) – a network architecture that virtualizes various classes of network functions (e.g. WAN accelerators, firewalls, load balancers, etc.).

NGFW (Next Generation Firewall) – a type of UTM technology.

PoP (Point of Presence) – A demarcation point marking an interface between networks. A PoP is often located in a data center and may contain various routers, servers, multiplexers, network switches and other interface technology.

RFP (Request for Proposal) – A document sent out to vendors/carriers to detail an enterprise customer's needs.

SD WAN (Software-Defined Wide Area Network) – A technology that separates the control of a cloud-based WAN from its data network, enabling scalable deployment of devices, top-down control and deep WAN insight.

UTM (Unified Threat Management) – a security system incorporating multiple security tools (e.g. firewall, deep packet inspection and intrusion detection).




February 14, 2018

