SD-WAN and Network Security – A Double Bladed Sword

August 15th, 2016

This Industry Viewpoint was contributed by David W Wang
Human beings often have to face dilemmas, and the modern IT and network communication arena offers a good example. On one hand, we keep innovating the ways we connect and communicate with each other; on the other hand, the more open and software-driven the network becomes, the more likely it is to face security threats and breaches.

According to the latest report from Dublin-based Research and Markets, the global marketplace for cybersecurity goods and services, driven by increasing corporate fear of hackers and spiraling compliance and regulatory demands, will grow more than 10 percent annually over the next five years or to $202.36 billion by 2021.
One hot segment is application security, driven by the exponential growth of the Internet of Things and corporate “bring your own device” policies. Traditionally, the ingress/egress points of a network were mostly limited to the enterprise’s offices, buildings or data centers. Today, partner connections across the intranet and even across borders, consumer and employee mobile devices, and more direct Internet access from branches have significantly increased the number of attack points in a network and made it very hard to defend.
Another huge source of security vulnerability is the trendy SDN and NFV efforts, SD-WAN in particular. SDN means software-defined network, but software can cripple a network as well, since malware is by nature also a type of software. From the SD-WAN standpoint, it certainly adds more attack points for breaches such as DDoS (distributed denial of service) and also makes such attacks more effective and damaging. For instance, by attacking a virtualized server, a hacker can bring down multiple tenants all together; or by flooding a centralized SDN control point with DDoS traffic, a hacker technically can shut down a big network segment or even the entire network.
Meanwhile, on the positive side, SD-WAN can bring enhanced and cost-effective security measures and defenses to enterprises, especially to their historically vulnerable branch offices. In the past, deploying robust security in branch offices was either too costly or too hard to manage: security solutions like firewall, DNS security and web gateway security might each need a separate box for configuration, installation and management. Now SD-WAN can bundle and enhance all of these security solutions via remote, centralized, policy-based software intelligence and then push them out to each of the enterprise’s branches.
For instance, Versa Networks, an SD-WAN startup headquartered in Silicon Valley, CA, has launched its FlexVNF software-defined security products, covering DNS security and a secure Web gateway. Both are key for smooth and secure Internet access services:
DNS security protects against phishing, botnet access, and advanced persistent threats (APT), and augments reputation systems with zero-day validation of domains. Secure Web gateway performs SSL encryption/decryption and granular URL filtering, and integrates with other Versa security functions for layered user group policies, file filtering, IP filtering and DNS mapping.
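The layered policy the paragraph above describes (domain reputation, per-user-group URL category rules, file filtering and IP filtering) is easiest to reason about as an ordered chain of checks. The following is an added example, not Versa’s code or any vendor’s product logic; the reputation table, user groups, blocked ranges and the deny-by-default treatment of unseen domains are all constructed assumptions for illustration.

```python
"""Layered branch web/DNS policy check (added example, not vendor code).

Models the policy layers the article lists for a software-defined secure
web gateway: DNS reputation lookup, URL category filtering per user group,
file-type filtering and IP filtering. All lists and policies are
constructed sample data, not real threat intelligence.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed sample reputation data: domain -> category.
DNS_REPUTATION = {
    "login-update-example.test": "phishing",
    "c2-example.test": "botnet",
    "news.example": "news",
    "files.example": "file-sharing",
}

# Constructed per-user-group policy layers (assumed group names).
GROUP_POLICY = {
    "employees": {
        "deny_categories": {"phishing", "botnet", "file-sharing"},
        "deny_extensions": {".exe", ".scr"},
        "deny_networks": [ip_network("203.0.113.0/24")],
        "default": "allow",
    },
    "guests": {
        "deny_categories": {"phishing", "botnet", "file-sharing", "news"},
        "deny_extensions": {".exe", ".scr", ".zip"},
        "deny_networks": [ip_network("203.0.113.0/24"),
                          ip_network("198.51.100.0/24")],
        "default": "allow",
    },
}


@dataclass
class Request:
    group: str          # user group the gateway mapped the client to
    url: str            # full URL requested
    resolved_ip: str    # address the gateway resolved the host to


def evaluate(req: Request) -> tuple[str, str]:
    """Return (action, reason). Layers are checked in order and the first
    matching deny wins. A domain with no reputation entry is denied, which
    stands in for the zero-day domain validation the article mentions."""
    policy = GROUP_POLICY.get(req.group)
    if policy is None:
        return "deny", "unknown user group"

    parsed = urlparse(req.url)
    host = parsed.hostname or ""

    # Layer 1: DNS reputation / category lookup.
    category = DNS_REPUTATION.get(host)
    if category is None:
        return "deny", "unvalidated domain"
    if category in policy["deny_categories"]:
        return "deny", f"category {category}"

    # Layer 2: file-type filtering on the URL path.
    path = parsed.path.lower()
    for ext in policy["deny_extensions"]:
        if path.endswith(ext):
            return "deny", f"file type {ext}"

    # Layer 3: IP filtering on the resolved address.
    addr = ip_address(req.resolved_ip)
    for net in policy["deny_networks"]:
        if addr in net:
            return "deny", f"ip {addr} in blocked range {net}"

    return policy["default"], "no policy matched"


if __name__ == "__main__":
    for req in (Request("employees", "https://news.example/today", "192.0.2.10"),
                Request("guests", "https://news.example/today", "192.0.2.10"),
                Request("employees", "https://news.example/setup.exe", "192.0.2.10")):
        print(req.group, req.url, "->", evaluate(req))
```

Because the checks are data-driven, the same function body serves every branch and the only thing the central controller pushes out is the reputation table and the per-group policy dictionaries, which is the management model the article argues for.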
In terms of service deployment and management, it takes much less time to set up SDN/NFV-based security services via vCPEs, and ongoing security management becomes more agile and scalable.
Since hackers never stop coming up with new tricks and malware, SD-WAN can be more responsive to new types of cyber attacks and plots, so as to target and thwart them. One big advantage is that SD-WAN offers holistic visibility into the amount and types of traffic traversing the network. Any kind of anomaly can instantly flag a security issue, or at least something that draws the administrator’s attention. In addition, the big data capability of SD-WAN through the cloud makes tracking, analyzing, sharing and reporting on security threats and their patterns more effective.
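The visibility argument above rests on being able to turn per-branch traffic records into alerts. The following is an added example, not part of the original article or any SD-WAN product: it learns a per-branch baseline of hourly volume and destination fan-out from constructed flow summaries, then flags later hours that exceed the baseline by a configurable number of standard deviations. The log format, field names, thresholds and the floor applied to a zero standard deviation are all assumptions made for the example.

```python
"""Baseline anomaly flagging over SD-WAN flow summaries (added example).

Each constructed input line is 'branch,hour,kbytes,distinct_dst': the
kilobytes a branch sent in that hour and how many distinct destinations
it talked to. The first BASELINE_HOURS hours per branch train a mean and
standard deviation; later hours are flagged when either metric exceeds
mean + K * stddev. A constant baseline would give stddev 0 and flag every
tiny wobble, so stddev is floored at a fraction of the mean.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data, not captured traffic.
FLOW_LOG = """\
branch-A,0,1000,10
branch-A,1,1100,12
branch-A,2,900,8
branch-A,3,1000,10
branch-A,4,1100,12
branch-A,5,900,8
branch-A,6,5000,10
branch-A,7,1000,60
branch-B,0,500,5
branch-B,1,500,5
branch-B,2,500,5
branch-B,3,500,5
branch-B,4,500,5
branch-B,5,500,5
branch-B,6,520,5
branch-B,7,700,5
"""

BASELINE_HOURS = 6   # hours per branch used to learn the baseline (assumed)
K = 3.0              # number of standard deviations above mean to alert (assumed)
STD_FLOOR = 0.05     # minimum stddev as a fraction of the mean (assumed)
METRICS = ("kbytes", "dsts")


def parse_flows(text):
    """Parse the constructed CSV-style flow summaries into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        branch, hour, kbytes, dsts = line.split(",")
        records.append({"branch": branch, "hour": int(hour),
                        "kbytes": int(kbytes), "dsts": int(dsts)})
    return records


def learn_baseline(records, hours=BASELINE_HOURS):
    """Per branch and metric, return (mean, floored stddev) over the
    first `hours` hours."""
    per_branch = defaultdict(lambda: {m: [] for m in METRICS})
    for r in records:
        if r["hour"] < hours:
            for m in METRICS:
                per_branch[r["branch"]][m].append(r[m])
    stats = {}
    for branch, series in per_branch.items():
        stats[branch] = {}
        for metric, values in series.items():
            avg = mean(values)
            # Floor the spread so a perfectly flat baseline still tolerates noise.
            spread = max(pstdev(values), STD_FLOOR * avg)
            stats[branch][metric] = (avg, spread)
    return stats


def flag_anomalies(records, stats, k=K, hours=BASELINE_HOURS):
    """Return (branch, hour, metric) for each post-baseline record whose
    metric exceeds mean + k * stddev. Branches with no baseline are skipped."""
    alerts = []
    for r in records:
        if r["hour"] < hours or r["branch"] not in stats:
            continue
        for metric in METRICS:
            avg, spread = stats[r["branch"]][metric]
            if r[metric] > avg + k * spread:
                alerts.append((r["branch"], r["hour"], metric))
    return alerts


if __name__ == "__main__":
    recs = parse_flows(FLOW_LOG)
    for alert in flag_anomalies(recs, learn_baseline(recs)):
        print("ALERT branch=%s hour=%d metric=%s" % alert)
```

On the constructed data, branch-A hour 6 trips the volume check (a spike in bytes with a normal destination count) while hour 7 trips the fan-out check (normal volume spread across far more destinations than usual), which is the sort of pattern an administrator would want surfaced separately; branch-B’s flat baseline shows why the stddev floor matters, since without it a 20 KB increase would already alert.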
Some pessimists view network security as a losing battle. It is not, but it won’t be a quick win either; it will be a protracted war. Again, the biggest challenge is that as our network services grow and expand, so do the security threats. The more software-driven and intelligent the network becomes, the more points of manipulation it may expose to hackers. It is like a double-bladed sword.
The key is to keep the security elements in mind whenever deploying an SD-WAN solution. SD-WAN is not just about cost savings and service agility; it is about network security as well. Only when it is planned and managed well can SD-WAN become a win-win for both network service providers and their enterprise end users.
David W Wang is a senior telecom/IT business development consultant based in the Washington DC metro area and author of the new book “Cash in on Cloud Computing”. David can be reached at


Categories: Industry Viewpoint · NFV · SDN · Security
