The Right Way to Secure SD-WAN

Stuart Borgman


What are network operators trying to achieve through security in SD-WAN deployments? Palo Alto Networks and a number of SD-WAN vendors addressed this question in the 2018 MPLS + SDN + NFV World Congress in Paris.

Security has never been more important to network operators and their customers. Software-defined networking, or SDN, is creating new security challenges as the network becomes tightly coupled to the service applications.

Palo Alto Networks is helping our service provider customers secure their SDN services, and during the conference, I had the opportunity to join an SD-WAN security panel session. The session was hosted by Amir Zmora from YouNow, Inc., and involved a number of different SD-WAN vendors. The key question Amir posed was how the panel viewed security integrated into SD-WAN, and whether security should be provided by SD-WAN vendors or by a security company (best-of-breed vs. security native to the SD-WAN vendor).

In general, the panel agreed that combining best-of-breed security and SD-WAN vendor platforms is the right approach. I work for a best-of-breed security vendor, so I was a strong supporter of this opinion. However, the next question needs to be: why?

To answer this question, I believe you need to step back from the products and ask the more fundamental question: what are you trying to achieve through security in your SD-WAN deployment?

Think about the current cybersecurity threat landscape, which continues to change at a rapid pace. Cyberattacks are widespread and always in the headlines. These threats take on many forms with varying levels of sophistication. A successful cyberattack requires planning, which involves gathering of intelligence and the selection or creation of a playbook to execute the attack.

The attacker will want to silently execute the attack, typically infecting the target without being noticed. Attacks will have multiple phases: exploiting vulnerabilities in an application or operating system, followed by malware execution, then establishment of command-and-control channels, and then achieving the objective, such as stealing data or malicious damage. New attacks are continually emerging – some new and some simply evolved versions of previously observed attacks. Our threat intelligence team, Unit 42, continually analyzes cybersecurity threats and shares the latest threat intelligence information.

Once data is stolen, it’s often impossible to fully recover. Copies are easily made and distributed. Traditional theft is different – a physical item can be recovered and returned to the rightful owner. It is therefore important to define a security posture aligned with your objective. If you want to protect your data, your posture has to focus on prevention.

A true prevention posture must be able to stop the threats within the adversary playbook from being executed. Threats can take many forms and are not always obvious to those being attacked. A legitimate application could have been compromised. Malware could be hidden inside a spreadsheet that was distributed. A website may have been compromised. Each step within the playbook could seem innocuous but may reveal a sophisticated attack when pieced together. A good analogy is a jigsaw puzzle: only when you have all the pieces joined together can you see the real picture.

The security posture and underlying technology need to provide the visibility required to detect an attack. They need to be able to identify the applications, ensure they are behaving correctly and validate that they have not been compromised. Ideally, they should be able to whitelist those applications that are required and restrict the rest. They need to be able to detect and prevent access to websites associated with malicious activity. They also need to be able to inspect the content and ensure it does not contain any malware.

The more difficult challenge in operating a prevention security posture is dealing with the previously unknown, or “zero-day,” exploit or malware. This requires a greater level of sophistication. Solving this problem requires the compute power of the cloud, which is playing an increasingly important role in the detection and rapid analysis of new threats.

Let’s return to the original question of security in SD-WAN and how it should be provided. If a customer is buying a secure service, the customer’s objective is to prevent a security violation. Building and designing the correct security posture should be the primary objective. This means they need to be able to protect against both known and unknown threats. Selection criteria should be based on security requirements and on whether the solution has the correct design and elements. Just because a device comes pre-installed with security does not mean it delivers the required security posture. Recovering from data loss can be very expensive, and this should not be forgotten when designing your security posture.

Our Security Operating Platform automates the prevention of successful cyberattacks. The platform has the flexibility to be deployed in an open SDN or SD-WAN architecture, allowing its customers to build a secure, best-of-breed SD-WAN. Palo Alto Networks Security Operating Platform is used by mobile network operators, managed security service providers and cable MSOs for their infrastructure, IT, data center and security applications.

Read more about Palo Alto Networks through Managed Security Services partners.
