There is no doubt that SD-WAN has become one of the most prevalent technologies in the IT field, thanks to its advantages of end-to-end visibility, agility, application optimization, and particularly the economic incentive of allowing white-box vCPE hardware to run third-party applications and VNFs (virtualized network functions). Indeed, SD-WAN shares bandwidth between traditional MPLS connectivity and the public Internet, so that connectivity between branch offices and headquarters can be far more cost-effective. However, the use of the public Internet means higher exposure to potential cyber-threats. With the widespread adoption of SD-WAN in the enterprise sector, it is essential to secure the software-defined wide area network before an evolved attack begins to penetrate it.
SD-WAN and VPN
One of the simplest security measures, and the most natural fit for SD-WAN, is VPN. Before the introduction of SD-WAN, organizations had to pay high costs to an MPLS service provider to obtain a VPN connection. Nowadays, with SD-WAN, IT management can set automated security policies and routing so that private traffic can be routed directly, for instance between a branch and headquarters. Thus, they no longer have to pay MPLS service providers to manage their VPN traffic.
The advantages of an SD-WAN based VPN include authentication, encryption, and private (tunneled) packets.
SD-WAN and Firewall
Another approach that is natural to SD-WAN is the virtualized NGFW (next-generation firewall). Unlike traditional fixed firewalls, a virtual NGFW can easily be deployed at either the branch or the headquarters. In fact, a virtualized firewall can run multiple security-oriented VNFs providing IPS (intrusion prevention system), IDS (intrusion detection system), DPI (deep packet inspection) and whitelisting/filtering. All these security VNFs can be enforced and automated across protocols to detect malware, viruses and phishing spam.
End-to-End Visibility and Micro-segmentation
SD-WAN provides a software abstraction layer on top of existing networking hardware so that IT management gains visibility across all broadband protocols. This end-to-end visibility allows IT staff to monitor traffic and conduct micro-segmented routing for traffic from various protocols. In the case of an unauthorized packet, this visibility allows IT staff to implement a responsive countermeasure for that specific segment of traffic.
To secure SD-WAN, the optimal solution is the use of white-box servers with a crypto-acceleration engine to run multiple security VNFs, firewalls and VPNs without compatibility issues that may compromise cryptographic performance. For small and medium enterprise SD-WAN, Lanner's NCA-1515 is an ideal choice, as it is powered by an Intel® Atom® C3000 (codenamed Denverton) CPU offering low power consumption and moderate performance. This compact white-box hardware has built-in Intel® QuickAssist Technology, offering cryptographic acceleration and commercial-grade LAN functions.
For large-scale and global-level corporations, a high-performance, high-throughput white-box solution is recommended to handle that level of traffic load. For instance, Lanner's NCA-5520, powered by the 2nd Generation Intel® Xeon® Processor Scalable Family with an Intel® C626 or C621 chipset, features optimized computing power and virtualization capacity in a compact 1U form factor, with support for up to 320GB of DDR4 system memory at 2666 MHz, and can optimize the performance of security VNFs, particularly in packet processing and crypto-acceleration. In fact, the NCA-5520 has built-in advanced Intel® QuickAssist Technology to secure all interfaces of SD-WAN, whether LTE, Wi-Fi, or public Internet.
Desktop Network Appliance for vCPE/uCPE and Edge Security
CPU: Intel® Atom® C3000 (Denverton)
Security Gateway Appliance for Network Traffic Management and Virtualized Network Security
CPU: 2nd Gen Intel® Xeon® Processor Scalable Family (Cascade Lake)