Secure the Last-Mile Connection With a Reliably Failsafe SD-WAN

Atchison Frazer, World Wide Head of Marketing, Talari

Your Business Can’t Function without Secure Connectivity

IT leaders must take a harder look at the wide-area network (WAN) connecting their offices to critical applications in their private data centers and the public Internet. Turning to software-defined WANs (SD-WAN) to help secure the last-mile connection to branch offices and corporate locations is essential to fuel business agility while avoiding security risks that can slow down your enterprise..

Build a More Secure WAN Edge

A failsafe SD-WAN enables organizations to deliver a high-quality user experience from data center to branch, helping to protect against WAN outages and cyber attacks.

With a failsafe SD-WAN, IT can:

1. Isolate network management traffic. With a failsafe SD-WAN, data is transported over a different path than network monitoring and management traffic. This way, application and data flowing over the network cannot be compromised via network management applications that have known vulnerabilities or zero-day exploits or through standard probing and port scanning techniques. Network management traffic is isolated and encyrpted.

2. Better protect broadband Internet links with security zones. An SD-WAN enables organizations to create a hybrid WAN to connect branch offices, fluidly using traditional MPLS links and inexpensive broadband Internet. With a failsafe SD-WAN, IT can create different security zones for trusted and untrusted WAN links. MPLS andIPsec VPNs are designed to be secure, so additional protection is advisable but not necessary. But DSL, cable or other public Internet connection is untrusted, and traffic should be encrypted or virtually scubbed to protect against incidents, data theft and spying.

3. Allow only legitimate traffic into the branch office using a stateful firewall. Organizations can create zone-based security with policy-based filtering between different applications and services. Extending security zones across multiple branch locations strengthens and simplifies security. The context, gleaned from previous connections and packets, is also critical to ensuring that only valid traffic is permitted into the trusted network and malicious traffic is dropped. Traffic also can be filtered within a site or between zones located in different locations, which ensures that local traffic is scrutinized to limit exposure if a device is compromised or if there is a malicious insider. A contemporary SD-WAN can also be serviced-chained to separate security devices, such as next-generation firewalls, to ensure that performance and security policies flow contiguously with changes in the network.

4. Segment traffic from different business entities using virtual routing. An SD-WAN that supports virtual routing and forwarding (VRF) enables an organization to securely support IT systems from multiple business unit or departments on the infrastructure. With VRF functionality, multiple distinct routing tables are supported in the same physical router. By automatically segregating traffic, VRFs increase network security and reduce the need for encryption and authentication technologies. From a regulatory and legal compliance standpoint, this greatly aides the ability to adhere to segmentation of duties and privileged communications that must be protected with multiple layers of defenses.

5. Ensure data privacy with path encryption. Encrypting data as it travels between sites can make data next to useless if it is stolen. AES with a 128-bit or 256-bit key should be used. Other techniques, including cipher block chaining, per-protocol sequence numbers, and per-session symmetric encryption, can further strengthen data privacy. Messages also should be authenticated upon their delivery to verify that the packets have not been compromised in transit.

6. Guard against interception with replay attack protection. An attacker may try to copy a stream of messages to sow disruption, gain privileged access or other damage. A failsafe SD-WAN can guard against replay attacks by maintaining a time window in which all clients must synchronize. If the timestamp of an arriving packet isn’t within the range of the current network time, the packet is unlikely to be needed by the users anymoreand is unlikely to be valid anymore. Using a time-based method is more efficient thansequence number synchronization.

7. Mitigate the risk of compromised passwords and encryption keys. The vast majority of breaches start with weak or stolen account credentials. While it’s not possible to completely eliminate the risk of leaked VPN passwords or leaked encryption keys, a failsafe SD-WAN can securely regenerate encryption keys to additional protection. By using secure key for a particular site or all sites, the key can be quickly changed if a compromise occurs, thereby limiting damage.

8. Simplify the WAN infrastructure. Many organizations use IPsec VPNs, despite the difficulty to ensure consistent service levels. A failsafe SD-WANcan remedy that long-standing issue by terminating IPsec tunnels. This allows organizations to replace dedicated hardware for site-to-site IPsec connectivity and reduces the complexity and cost of the WAN infrastructure.

A digital business simply doesn’t function without reliable, secure connectivity, and with a failsafe SD-WAN, organizations can build strong, flexible last-mile bandwidth connections that will fuel transformation and deliver on customer and employee expectations for exceptional service at every interaction.