Everything You Need to Know About Secure SD-WAN
This article was written by Gabriel Gomane at Aruba.
A secure SD-WAN combines advanced SD-WAN capabilities such as tunnel bonding, dynamic path selection, and zero-touch provisioning with best-in-class security functions. Not only does it allow organizations to retire traditional routers, it also lets them replace legacy branch firewalls, providing the right level of security in branches while complementing any SSE (Security Service Edge) solution the organization may also deploy.
A secure SD-WAN includes next-generation firewall capabilities such as IDS/IPS and DDoS protection. It also encrypts in-transit data and logs security events so that incidents can be analyzed. It enforces consistent end-to-end network and security policy across the LAN and the WAN through centralized orchestration, greatly improving networking and security operations.
ICSA Labs is a global organization that provides third-party testing and certification of security and health IT products, as well as network-connected devices, to measure product compliance, reliability, and performance. The organization is well-known for testing firewalls, anti-malware, and other security solutions. It recently added a new certification for SD-WAN called "Secure SD-WAN."
As stated by ICSA Labs Secure SD-WAN Certification Testing Criteria, an SD-WAN is secure if:
- The SD-WAN product itself is secure
- The SD-WAN communications are secure
- The SD-WAN product properly enforces policy. This includes policy enforcement for both WAN-specific functions and security policies (i.e., just like an ICSA Labs Certified Firewall)
- The SD-WAN product provides additional security functionality either inherently in itself or via an external
ICSA Labs notes that: "The policy configuration requirement to set security policies for network traffic in ICSA Labs Secure SD-WAN testing is equivalent to ICSA Labs Corporate Firewall Certification." Similar to firewall testing, ICSA Labs tests that Secure SD-WAN components are stateful, that they are not susceptible to trivial denial of service attacks, that the components themselves are invulnerable to known threats, and that they each properly enforce the configured security policy.
Over the years, branch offices and remote locations have accumulated a sprawl of network and security equipment. This equipment is not only difficult to maintain, it was also never designed for the cloud. With traditional router-centric WAN architectures, traffic must be sent to the corporate data center for security inspection, which significantly impacts application performance. Additionally, security policy is inconsistent across branch locations, exposing the whole organization to potential security breaches.
A secure SD-WAN includes advanced SD-WAN and security capabilities that enable organizations to reduce device footprint and enforce consistent policy across branches. It also improves application performance by selecting the best path and automatically steering traffic to the cloud. It provides the security functions necessary at the branch and complements an SSE, which supports other security functions such as ZTNA, DLP, and sandboxing.
By virtualizing the network, a secure SD-WAN can seamlessly combine heterogeneous links such as MPLS, internet, and 5G through tunnel bonding, increasing network bandwidth and providing redundancy. Organizations can even replace expensive MPLS connections with internet-only links, as the solution provides techniques to optimize the traffic and reduce the jitter and packet loss that often occur on internet links. As workloads move to the cloud, a secure SD-WAN also enables organizations to intelligently steer traffic to the cloud based on application type without first backhauling the traffic to the data center. For example, trusted cloud applications such as Microsoft 365 or Workday can be sent directly to the cloud while in-house legacy application traffic is sent to the data center. Advanced SD-WAN uses zero-touch provisioning to automatically distribute configuration updates to hundreds or thousands of branches in minutes while minimizing errors.
In addition to SD-WAN capabilities, a secure SD-WAN provides advanced security functions to protect branch locations:
- Secures communications across the entire SD-WAN fabric by building IPsec tunnels using AES 256-bit encryption
- Supports advanced security functions such as anti-malware, intrusion prevention, and DoS protection through native next-gen firewall capabilities or via service chaining
- Enforces policy for both WAN-specific functions and security policies
- Logs security events to help quickly identify and respond to incidents
In traditional environments, branch firewalls are configured manually, resulting in inconsistent security policies across the WAN. This is time-consuming and has to be repeated every time a policy changes. With a secure SD-WAN, security policies are centrally configured and pushed to thousands of locations in a couple of minutes, minimizing errors and enforcing consistent policies.
A secure SD-WAN provides end-to-end network segmentation spanning the LAN and the WAN and even into the cloud. Security policies are defined on a zone-by-zone basis, limiting connectivity with other zones in compliance with predefined security policies, regulatory mandates, and business intent. For example, a policy could allow only outgoing traffic, allow incoming traffic only from approved applications and services, or block all traffic from less secure zones.
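As an added illustration (not Aruba's code or EdgeConnect's policy model), here is a minimal zone-pair policy evaluator of the kind the paragraph describes: an outbound-only zone, inbound to the data center only for approved applications, default deny for every other zone pair, plus a validation pass that flags any rule admitting a less-trusted zone for all applications. The zone names, trust ranking, rules, and flows are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed zones and trust ranking for this example (higher = more trusted).
ZONE_TRUST = {"internet": 0, "guest": 1, "iot": 2, "branch_users": 3, "datacenter": 4}

# Zones that may initiate flows but never accept them ("allow only outgoing traffic").
OUTBOUND_ONLY = {"iot"}

@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    apps: Optional[frozenset] = None  # None = any application; a set = approved apps only

# Constructed zone-pair rules; any (src, dst) pair without a rule is denied.
RULES = [
    ZoneRule("guest", "internet"),
    ZoneRule("iot", "internet", frozenset({"mqtt"})),
    ZoneRule("branch_users", "internet"),
    ZoneRule("branch_users", "datacenter", frozenset({"erp", "ldap"})),
]

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str  # application identified for the flow (e.g. by first-packet classification)

def evaluate(flow: Flow, rules=RULES) -> tuple:
    """Return (action, reason) for a flow initiated from src_zone towards dst_zone."""
    if flow.dst_zone in OUTBOUND_ONLY:
        return "deny", f"{flow.dst_zone} accepts no inbound flows"
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if rule.apps is None or flow.app in rule.apps:
            return "allow", f"matched rule {rule.src_zone}->{rule.dst_zone}"
        return "deny", f"{flow.app} is not an approved application for {flow.dst_zone}"
    # No explicit rule: a less-trusted source is named as such so the log event is actionable.
    if ZONE_TRUST[flow.src_zone] < ZONE_TRUST[flow.dst_zone]:
        return "deny", f"no rule admits less-trusted zone {flow.src_zone} into {flow.dst_zone}"
    return "deny", "default deny: no rule for zone pair"

def validate_policy(rules=RULES) -> list:
    """Flag rules that let a less-trusted zone reach a more-trusted one for any application."""
    findings = []
    for rule in rules:
        if ZONE_TRUST[rule.src_zone] < ZONE_TRUST[rule.dst_zone] and rule.apps is None:
            findings.append(f"{rule.src_zone}->{rule.dst_zone} allows any app into a more-trusted zone")
        if rule.dst_zone in OUTBOUND_ONLY:
            findings.append(f"{rule.src_zone}->{rule.dst_zone} targets an outbound-only zone")
    return findings
```

Running `validate_policy()` before pushing a policy from the orchestrator is the point: a single overly broad zone-pair rule would otherwise be replicated to every branch at once.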
A secure SD-WAN greatly simplifies operations, essentially operating as a single logical firewall across the entire fabric.
- Retire traditional branch firewalls - Advanced secure SD-WAN solutions that include next-generation firewall capabilities with role-based access control, fine-grained segmentation, IDS/IPS, and DDoS protection can enable organizations to seamlessly replace legacy branch firewalls. They can also secure untrusted links with IPsec tunnels and enforce security policies at the branch and across the WAN through centralized orchestration.
- Simplify branch architecture - By integrating multiple capabilities including SD-WAN, routing, WAN optimization, and firewall, a secure SD-WAN helps branch offices save hardware footprint and power consumption by consolidating branch network and security functions in one solution. The solution can be easily deployed across thousands of sites with zero-touch provisioning from a single console, improving IT efficiency and streamlining management.
- Support a cloud-first architecture - A secure SD-WAN intelligently steers traffic to the cloud and eliminates the need for backhauling traffic, improving application performance. Based on first packet identification, trusted SaaS and web traffic can be sent directly to the internet while unknown or untrusted web traffic can be service chained to SSE cloud services.
- Secure IoT devices - A secure SD-WAN implements zero-trust network segmentation to secure IoT devices that are unable to run security agents, and therefore goes beyond SASE. It uses an identity-based access control framework, segmenting traffic so that users and IoT devices can only reach network destinations consistent with their role in the business.
- Reduce Business Risk - A secure SD-WAN provides security across the entire SD-WAN fabric spanning the WAN and the LAN with end-to-end micro-segmentation capabilities. It helps organizations comply with regulatory frameworks such as HIPAA, PCI DSS, SOX, or NIST CSF.
- Enhance Flexibility - A secure SD-WAN enables flexibility when implementing security controls at the branch and across the WAN. The solution can be easily and quickly deployed.
- Increase IT Efficiency - A secure SD-WAN supports all necessary security functions and helps remove equipment sprawl in branches. With this solution, organizations can move to a thin branch model, streamlining network and security management.
Aruba EdgeConnect Enterprise SD-WAN is the first to attain ICSA Labs Secure SD-WAN certification. In addition to advanced SD-WAN capabilities that enable organizations to retire traditional branch routers, Aruba EdgeConnect Enterprise provides comprehensive security services including next-generation firewall, IDS/IPS, and DDoS detection and remediation. With these features, EdgeConnect can fully replace outdated and difficult-to-manage physical firewalls at branch locations while delivering consistent security for all users, from any network location, from any device, and wherever applications are hosted.
To learn more, download our white paper on Architecting a secure business-driven SD-WAN.