Contact Us

SD-WAN Fit Points: Security


Purchasing SD-WAN is not an off-the-shelf buy, you have to take your enterprise’s proper measurements, just as you would take a suit to the tailor, to ensure you’re getting the right fit SD-WAN for your business. In a series of blog posts, we will explore how to help you define the proper fit points you should be measuring as you explore your SD-WAN solution. We’ll begin with SD-WAN security, because security is central to any successful SD-WAN deployment. In fact, it’s why we refer to our solution as Managed Secure SD-WAN.

When looking into what level of security your enterprise needs for protection, begin with the comparison of a stateful firewall or a next generation firewall. A stateful firewall tracks the operating state and characteristics of your network’s connections, limiting its effectiveness to previously known and defined connections to pass through. This limited protection may be adequate to protect, but there are still other threats that can pass through this level of security.

A stateful firewall can be adequate to protect and isolate communications between devices within a closed, private network, but once devices on that network can gain internet access, or public users begin accessing the network to employ loyalty or other in-store applications, filtering the access becomes critical to managing the potential attack surface and protecting against those threats that bypass stateful firewall protections.

A next generation firewall (NGFW) combines the port and protocol inspection and blocking of stateful firewalls with increased application-level inspection and filtering, intrusion detection and prevention (IDS/IPS), and bringing intelligence from outside the firewall to update security measures like white/black lists, application signatures, and virus/malware definitions. The NGFW’s ability to filter packets based on applications gives you greater control and visibility on what applications can access and transit your network, and help prevent unwanted or dangerous applications from gaining access.

That give you control over individual application performance. Most current SD-WAN solutions come with a stateful firewall, but very few come with proven integrated NGFW’s. We believe all of our customers need the protection afforded by a NGFW. With the advent of the Cloud and SaaS/XaaS services, very few businesses run 100% within a closed private network. Especially if you’re providing Guest Wi-Fi services, there is even more need for the added protection of web and content filtering from a solution. A Managed SD-WAN from Hughes will ensure your enterprise has the security solution and protection your business needs.

NGFWs protect your employees and customers from the ‘big bad’ Internet and allow you to provide amenity services to consumers such as web browsing, email and social media without exposing users to the entire internet or dark web.

The next step of ensuring you are ready for an SD-WAN transformation is knowing the security architecture needed. In the event a customer has legacy applications that require the filtering of east/west traffic within the branch, the deployment of an NGFW at the edge is essential, and the question of security architecture is answered. The reason for this is that to fully protect devices that are within PCI scope to communicate directly with those that are out of scope, there has to be strong edge security at the branch location to meet PCI standards.

The location of security enforcement is critical because enforcing security policies can be resource intensive. Deploying IPS/IDS at the edge comes at the cost of computing resources and possible throughput constraints. But if the majority of the risky traffic you’re trying to protect is funneled through an aggregation point, like a data center or cloud POP for example, it makes more sense to deploy enforcement where resources are more readily available.

A third security architecture to be considered is the Secure Web Gateway (SWG). The SWG is a distributed cloud-based series of checkpoints that all traffic flows through to keep unauthorized users and traffic from entering your network. This architecture, because it relies on user access instead of device access, allows for the adoption of Zero Trust security architecture for SD-WAN deployments if companies have already implemented this approach or want to transition to it.

In most enterprise cases, the riskiest traffic is traffic going straight from specific store or branch locations to the internet. To effectively mitigate risks from traffic going direct to the Internet requires either advanced edge based policy management or a SWG approach managing policies at the internet cloud POP. The good news is that both approaches are available to you in a Managed SD-WAN solution from Hughes.

Protecting your customers’ payment information is another crucial reason to assess your security concerns. Do you need a partner that can perform network scans, facilitate the PCI audit process and provide mandated employee training? Do you need threat management features to protect from advanced attacks that cause data breaches such as ransomware or phishing attacks targeted at your employees?

Unless you have a highly trained security operations team, it is unlikely that you have the resources readily available in-house to internalize and react to all threat feeds and alerts that may arise. A Management, Detection, and Response (MDR) service from a trusted managed network service provider like Hughes can provide the specialized resources and tools to vastly improve your SD-WAN security.