Security on SD-WAN Enterprise
SD-WAN Components


Why Cisco SD-WAN? A question that kept me thinking until I came to understand SD-WAN. In what follows I would like to share a little of my experience with SD-WAN and a few words about security in SD-WAN. Now that more and more companies adopt remote work, it is very important to think about security first, which is a real challenge for companies with multiple locations trying to make the right choice for their infrastructure security. I was amazed to find so many great things about SD-WAN, in other words a solution that addresses all aspects of not only your security but also your network management. There are many security features that SD-WAN is capable of, and I want to talk about a few of them, namely the ones I discovered while building an SD-WAN infrastructure in a virtual environment like EVE-NG.

I. SD-WAN Built-in security elements

1. Microsegmentation and zero-touch provisioning

SD-WAN microsegmentation allows admins to segment traffic according to application characteristics and network policies. Segmenting out virtual networks within the SD-WAN's overlay prevents traffic coming from less secure locations from compromising other segments that contain more sensitive information. One great thing about zero-touch provisioning is that it lets you bring a new branch or remote location online in a matter of minutes.

2. VPNs and encrypted traffic

SD-WAN protects traffic between locations by connecting them all with secure tunnels that use strong built-in encryption, such as 128- and 256-bit AES, over Internet Protocol Security (IPsec) virtual private networks (VPNs).

3. Traffic prioritisation from remote locations

Today's businesses combine a variety of network connection types into their WAN, such as private circuits, mobile networks and any internet connection. This lets you ensure the connectivity used is appropriate for the data being generated. With SD-WAN you can prioritise traffic from your locations, moving voice and/or video traffic over low-latency, high-bandwidth links (such as MPLS) and using cheaper local internet for less time-critical traffic.

4. Centralised architecture

The centralised controller in SD-WAN can set security policies for the entire network. You can create and distribute security policies across the business, which can then be enforced and maintained centrally.

The centralised controller allows you to filter and block malicious traffic without affecting the rest of the network’s operations. Suspicious activity can be automatically redirected and reported to the administrators. We can create, control and deploy security policies at scale as the business changes and grows, or as you provision new applications. Below I will show what I was able to do with some of the templates I created.


II. SD-WAN topology on EVE-NG

1. Network topology

In order to convince someone of how great SD-WAN is, I had to convince myself first, and that's how I started with this network topology in the EVE-NG simulation platform. For those unfamiliar with EVE-NG, very briefly, it is a simulation platform built especially for network devices. I have built several locations, trying to bring as close as possible to reality what many companies are facing today, so I have several sites, each with its own vEdge.

My Eve-Ng network topology



I have to admit it was a bit of a struggle at first in my attempt to connect all the vEdges and see them in vManage, but here it is: this is the Dashboard in vManage, where all your devices are listed and can be monitored. I don't have much data yet; I probably have to allow more time to generate some traffic in order to see meaningful statistics in the tabs. One thing I really liked was the way new devices are authenticated, namely that the device must have a certificate issued by a valid CA installed. In my topology I used a Cisco router to generate these certificates, and it worked very well.
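To illustrate the certificate check described above, here is an added example (not from the article, nor Cisco's own code) that models it with OpenSSL: an enterprise root CA issues a device certificate, and the controller-side check accepts only devices whose certificate chains to that CA. All CA and device names are constructed placeholders; the article used a Cisco router as the CA, whereas this script uses plain OpenSSL commands.

```shell
#!/bin/sh
# Added example, not the article's or Cisco's code: model the onboarding rule
# "a device is accepted only if its certificate was issued by a trusted CA".
# All names (enterprise-root, rogue-ca, vedge-site1, ...) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA; $1 is the CA name used as CN and file prefix.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a device certificate: $1 is the issuing CA, $2 the device serial (CN).
# The device generates its own key and CSR; only the CSR goes to the CA.
issue_device_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Controller-side check: $1 is the trusted CA, $2 the device. Returns 0 only
# if the device certificate chains to the trusted CA (signature and validity).
device_trusted() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Constructed scenario: one legitimate CA and one the controller never trusts.
make_ca enterprise-root
make_ca rogue-ca
issue_device_cert enterprise-root vedge-site1
issue_device_cert rogue-ca vedge-rogue

if device_trusted enterprise-root vedge-site1; then
  echo "vedge-site1: accepted (certificate chains to enterprise-root)"
fi
if ! device_trusted enterprise-root vedge-rogue; then
  echo "vedge-rogue: rejected (certificate not issued by a trusted CA)"
fi
```

The second device has a perfectly valid-looking certificate, but because it was issued by a CA the controller does not trust, the check fails, which is exactly the property that stops an unauthorised box from joining the overlay.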


As I mentioned earlier, we have the possibility to create device templates, which define a device's complete operational configuration. A device template consists of a number of feature templates, and each feature template defines the configuration for a particular Cisco SD-WAN software feature. Below is a screenshot of the configurations I've made. One thing I liked about the way the deployment is done is that it compares the current configuration on the device with the one about to be sent to it. If something goes wrong during that deployment, an error message is generated.


III. Just a tip

Each of us who is interested in SD-WAN, or in anything good for the company, should take the time to get educated so that you fully understand which security features are integrated into the solution and which are missing for your company. My advice: don't sacrifice security to save on costs, because cheaper solutions are not only less secure, they are also a false economy, as you will probably have to undertake the complex task of adding extra layers of security in the near future.


Marius Lohan

Threat Hunter at Crowdstrike

4y

Great work!
