Optimizing the corporate WAN is a crucial part of many organizations’ digital transformation efforts, and deploying software-defined wide area networking (SD-WAN) is a key step in that process.
However, SD-WAN is not a perfect solution. SD-WAN appliances are prone to vulnerabilities, and patching these vulnerabilities can be difficult. A managed SD-WAN or a SASE solution allows an organization to take advantage of the benefits of an optimized WAN without the associated maintenance overhead.
Introduction to SD-WAN
SD-WAN is a network solution designed to help reduce an organization’s reliance on expensive and geographically constrained multiprotocol label switching (MPLS) links. Historically, organizations have invested in MPLS circuits because they provided a high level of network performance and reliability, which was essential for some applications.
SD-WAN helps to reduce reliance on MPLS by providing a similar level of reliability and performance in a more scalable and cost-effective manner. Instead of relying on dedicated circuits, SD-WAN achieves its guarantees by aggregating multiple different types of transport media (broadband Internet, mobile networks, MPLS, etc.) and selecting the best option for a given connection on a case-by-case basis.
This approach to networking enables an organization to optimize its networking investment by saving high-performance, reliable bandwidth for the applications that need it, while routing other traffic over less-expensive transport media. Additionally, the use of multiple different types of transport links in SD-WAN provides a higher level of network resiliency because the SD-WAN appliance can adapt to issues that degrade a particular medium’s performance or render it unavailable.
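The per-connection path selection described above, as an added illustration that is not code from the original article or from any SD-WAN vendor: each application carries a policy stating the worst latency and loss it tolerates, each transport reports probe-measured health, and the selector picks the cheapest transport that meets the policy, falling back to whatever is still up when none does. The transport names, metrics, prices and policy thresholds are constructed sample values, and the resiliency behaviour (re-routing when a link degrades or goes down) is shown by mutating those samples.

```python
"""Application-aware path selection across several WAN transports.

Added example; not code from the original article or any SD-WAN product.
All transport names, metrics and policy thresholds are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transport:
    """One underlay link as seen by the SD-WAN appliance's probes."""
    name: str
    latency_ms: float   # round-trip time measured by the last probe
    loss_pct: float     # packet loss measured by the last probe
    cost_per_gb: float  # relative price of carrying traffic on this link
    up: bool = True     # False once probes stop answering


# Per-application SLA: the worst latency and loss the application tolerates.
# Values are constructed for the example, not taken from any vendor policy.
POLICIES = {
    "voip":   {"max_latency_ms": 80.0,   "max_loss_pct": 0.3},
    "erp":    {"max_latency_ms": 150.0,  "max_loss_pct": 1.0},
    "backup": {"max_latency_ms": 1000.0, "max_loss_pct": 5.0},
}


def sample_transports() -> list[Transport]:
    """A fresh set of constructed sample links: one MPLS circuit, one
    broadband line and one mobile (LTE) link."""
    return [
        Transport("mpls", latency_ms=30.0, loss_pct=0.1, cost_per_gb=5.0),
        Transport("broadband", latency_ms=60.0, loss_pct=0.5, cost_per_gb=0.5),
        Transport("lte", latency_ms=120.0, loss_pct=2.0, cost_per_gb=3.0),
    ]


def meets_policy(t: Transport, policy: dict) -> bool:
    """A link is a candidate only if it is up and within the SLA."""
    return (
        t.up
        and t.latency_ms <= policy["max_latency_ms"]
        and t.loss_pct <= policy["max_loss_pct"]
    )


def select_path(app: str, transports: list[Transport]) -> Optional[str]:
    """Return the name of the transport to use for `app`, or None if no
    link is up at all.

    Preference order: cheapest link that satisfies the SLA (tie-break on
    latency). If no link satisfies the SLA, traffic still has to flow, so
    the best-performing link that is up is chosen instead.
    """
    policy = POLICIES[app]
    candidates = [t for t in transports if meets_policy(t, policy)]
    if candidates:
        return min(candidates, key=lambda t: (t.cost_per_gb, t.latency_ms)).name
    alive = [t for t in transports if t.up]
    if not alive:
        return None
    return min(alive, key=lambda t: (t.loss_pct, t.latency_ms)).name


def update_probe(transports: list[Transport], name: str, *,
                 latency_ms: Optional[float] = None,
                 loss_pct: Optional[float] = None,
                 up: Optional[bool] = None) -> None:
    """Apply a new probe result to one link; the next select_path call
    re-evaluates every application against the updated health."""
    for t in transports:
        if t.name == name:
            if latency_ms is not None:
                t.latency_ms = latency_ms
            if loss_pct is not None:
                t.loss_pct = loss_pct
            if up is not None:
                t.up = up
            return
    raise KeyError(name)


def route_table(transports: list[Transport]) -> dict[str, Optional[str]]:
    """Path decision for every application under the current link health."""
    return {app: select_path(app, transports) for app in POLICIES}


if __name__ == "__main__":
    links = sample_transports()
    print("healthy:", route_table(links))
    update_probe(links, "broadband", loss_pct=1.5)   # degraded line
    print("broadband lossy:", route_table(links))
    update_probe(links, "broadband", up=False)       # line down
    print("broadband down:", route_table(links))
```

Under healthy links the VoIP policy is strict enough that only the MPLS circuit qualifies, while ERP and backup traffic ride the cheaper broadband line; when broadband becomes lossy, ERP moves to MPLS but backup stays on broadband, and when broadband drops entirely, backup falls to LTE as the next-cheapest link. This is the behaviour the article describes: expensive bandwidth reserved for the applications whose policy demands it, everything else on the cheapest link that is good enough at that moment.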
SD-WAN Appliances Are Vulnerable to Exploitation
While incorporating SD-WAN functionality into an organization’s corporate WAN can help to improve network performance and reliability, this increased performance can also come at a cost to security.
Like virtual private network (VPN) endpoints, SD-WAN appliances are prone to vulnerabilities that impact their ability to provide their services. Within a single week in November, both VMware and Citrix reported vulnerabilities in their SD-WAN appliances.
If these vulnerabilities were to be exploited by an attacker, the potential impacts are significant. In the case of the Citrix bug, the issue was a remote code execution (RCE) vulnerability that would allow the attacker to run malicious code on the SD-WAN appliance. As this appliance was responsible for routing all of an organization’s network traffic over the corporate WAN, the potential for data leakages and degraded network performance was significant.
Vulnerability Management in SD-WAN Can Be Challenging
While these vulnerabilities have been publicly reported and patches have been made available, an organization needs to apply these patches for them to be effective. However, the nature of SD-WAN may make this complicated. The role of SD-WAN within an organization’s environment is to act as the backbone of the corporate WAN. SD-WAN appliances are deployed at various sites within the corporate network and optimally route traffic between themselves.
This means that the majority of an organization’s SD-WAN appliances are not deployed on the headquarters network, and IT staff may not be stationed at the remote locations where they are located. This increases the probability that updates will be delayed for these appliances.
Additionally, SD-WAN appliances are critical infrastructure within an organization’s network, and taking them down negatively impacts network usability. As a result, updates are likely to be scheduled during maintenance windows where the effect is minimal. However, this also serves to delay the application of updates, potentially at a time when these vulnerabilities are being actively exploited by attackers.
Managed SD-WAN Simplifies SD-WAN Management
When an organization deploys its own array of SD-WAN appliances, it is responsible for their maintenance and security. Managed SD-WAN provides an alternative that can help to increase an organization’s network usability and security.
An internally managed SD-WAN appliance is more likely to suffer from vulnerabilities for which patches are delayed or not applied at all. With managed SD-WAN, an organization’s service provider will rapidly apply patches for any new vulnerabilities. This decreases the window in which an attacker could exploit these vulnerabilities and use them to steal sensitive data or otherwise negatively impact the corporate WAN.
Moving Beyond SD-WAN to SASE
Making the shift from SD-WAN to managed SD-WAN makes it simpler for an organization to manage its corporate WAN. However, the benefits of managed SD-WAN are far outweighed by those of Secure Access Service Edge (SASE).
SD-WAN is a networking solution that provides optimized routing of traffic over the corporate WAN. However, it does nothing for an organization’s security. In order to take full advantage of SD-WAN’s capabilities without compromising security, a full security stack needs to be deployed behind every SD-WAN appliance. Otherwise, an organization must either not inspect traffic on the corporate WAN (compromising security) or route all traffic through the headquarters network for security inspection (destroying the network optimization provided by SD-WAN).
SASE integrates SD-WAN functionality with a full security stack and deploys as a virtual appliance in the cloud. This makes it possible to leverage the full benefits of SD-WAN and achieve consistent security across the corporate WAN. Additionally, like SD-WAN, SASE is available as a managed solution, providing hands-off configuration, management, and maintenance.