Blog · 23 Mar 2018

SD-WAN, security and the skills gap - what you need to know

Thinking about investing in SD-WAN? The benefits are clear - simplicity, flexibility, cost - but there are potential pitfalls.

Chief technology officer, security

SD-WAN equals simple, right?

SD-WAN can make life easier for any IT team. Its user-friendly portals give powerful control over network functions. It brings flexibility and agility to the network, allowing the business to react quickly to new needs. It’s also a cost-cutter, saving money through greater efficiency and by moving traffic off expensive MPLS circuits, although that move can itself affect service, security and performance.

It’s a list of benefits that’s hard to ignore. Clearly, investing in SD-WAN can be a great choice for a business.

What’s important to remember, however, is that there are pitfalls, too. And you need to take these into account so that you can make the best decision to meet your unique business needs.

Underlying complexity

One of the major issues that can arise with SD-WAN is its underlying complexity.

Essentially, SD-WAN is an overlay carried over a complex network underlay. It’s a bit like an automatic car. The SD-WAN is the car’s controls: you can accelerate, brake, steer, indicate and play music, all easily. The network underlay is the inner workings: the engine, the computer, the gearbox, the air-conditioning system. If something goes wrong there, there’s very little the average driver can do about it.

The same thing can happen with SD-WAN. When there’s a problem in the underlay, the IT team working the SD-WAN overlay can be out of its depth. Finding the source of the issue is a problem too, because the underlay is often made up of circuits from multiple vendors, possibly in different countries. Getting these dispersed parties to work together to fix the problem can become a nightmare, so this is definitely something to watch out for.

What’s more, how does an engineer tell whether an application performance issue is down to the overlay or the underlay? If ten alarms appear at a site, how do they identify the single root cause rather than chasing ten separate events?

The need for additional bandwidth

Another common problem that’s often forgotten is packet overhead. Because SD-WAN carries traffic in secure tunnels (based on IPsec), every packet gains a fixed number of encapsulation bytes: an outer IP header, the ESP header, an initialisation vector, padding and an integrity check value. Averaged over a typical traffic mix this works out at packets roughly 20 per cent larger, so the user can need around 20 per cent more bandwidth to run the SD-WAN. The percentage is far higher for small packets such as voice and TCP acknowledgements and lower for full-size packets, and the encapsulation also reduces the usable MTU, so fragmentation or MSS clamping needs to be planned for.
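To make the overhead figure concrete, here is an added worked example (not code from the original post) that computes the bytes ESP tunnel mode adds to a packet, the resulting percentage for different packet sizes, the overhead across a whole traffic mix, and the largest inner packet that still fits a 1500-byte path without fragmentation. It assumes an IPv4 outer header, no NAT-traversal UDP encapsulation, and two commonly deployed suites with IV, alignment and ICV sizes taken from RFC 3602 and RFC 2404 (AES-CBC with HMAC-SHA1-96) and RFC 4106 (AES-GCM); the traffic mix is constructed for illustration.

```python
"""Per-packet overhead of an IPsec ESP tunnel (RFC 4303) with an IPv4 outer header.

Added example, not from the original post. Suite parameters and the traffic mix
below are assumptions chosen to illustrate the point.
"""

OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode (no options)
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# Assumed suites: name -> (IV bytes, pad alignment, ICV bytes).
# AES-CBC (RFC 3602): 16-byte IV, payload padded to the 16-byte block size;
#   HMAC-SHA1-96 (RFC 2404) appends a 12-byte ICV.
# AES-GCM (RFC 4106): 8-byte IV, only ESP's 4-byte alignment, 16-byte ICV.
SUITES = {
    "aes-cbc-128-hmac-sha1-96": (16, 16, 12),
    "aes-gcm-128": (8, 4, 16),
}


def esp_tunnel_overhead(inner_len: int, suite: str) -> int:
    """Bytes added when an inner IP packet of inner_len bytes is ESP-tunnelled."""
    iv, align, icv = SUITES[suite]
    # Payload + padding + trailer must be a multiple of the alignment (integer ceil).
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    pad = padded - inner_len - ESP_TRAILER
    return OUTER_IPV4 + ESP_HEADER + iv + pad + ESP_TRAILER + icv


def overhead_pct(inner_len: int, suite: str) -> float:
    """Overhead as a percentage of the original packet size."""
    return 100.0 * esp_tunnel_overhead(inner_len, suite) / inner_len


def max_inner_mtu(outer_mtu: int, suite: str) -> int:
    """Largest inner packet that still fits outer_mtu after encapsulation.

    Anything bigger is fragmented or dropped, hence MSS clamping on the tunnel.
    """
    for n in range(outer_mtu, 0, -1):
        if n + esp_tunnel_overhead(n, suite) <= outer_mtu:
            return n
    return 0


def mix_overhead_pct(mix, suite: str) -> float:
    """Bandwidth overhead over a traffic mix given as (inner_len, share_of_packets)."""
    payload = sum(share * n for n, share in mix)
    extra = sum(share * esp_tunnel_overhead(n, suite) for n, share in mix)
    return 100.0 * extra / payload


if __name__ == "__main__":
    # Constructed mix: 40% small TCP ACKs, 30% G.711 voice frames, 30% bulk data.
    mix = [(60, 0.4), (200, 0.3), (1400, 0.3)]
    for suite in SUITES:
        for n, _ in mix:
            print(f"{suite}: {n}-byte packet -> +{esp_tunnel_overhead(n, suite)} B "
                  f"({overhead_pct(n, suite):.0f}%)")
        print(f"{suite}: mix overhead {mix_overhead_pct(mix, suite):.1f}%, "
              f"max inner MTU on a 1500-byte path = {max_inner_mtu(1500, suite)}")
```

The numbers show why a single percentage is only a rule of thumb: the encapsulation is a fixed 56 or 64 bytes per packet, which is about 4 per cent of a 1400-byte packet but close to 100 per cent of a 60-byte acknowledgement, so the average depends entirely on the site’s traffic mix. The last line of output is the figure to use for MSS clamping on the tunnel interfaces.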

This often results in companies moving from MPLS to the public internet in order to get more bandwidth. But that, too, has its pitfalls. On public broadband you suddenly need to consider contention ratios, internet exchange points and peering policies, all of which can degrade application performance.

The security question

The final issue that we think is important to address is security.

Earlier, we mentioned the disconnect between the SD-WAN overlay and the network underlay. And it’s here that we find our first security concern. Cyber attackers thrive on gaps in a system, and a gap in visibility or responsibility between overlay and underlay can leave holes in your defence that nobody is watching.

There are also three inherent security issues with SD-WAN.

  1. SD-WAN removes some of the places where security controls traditionally sat, and combined with cloud adoption this means the old data-centre-focused layers of defence no longer cover the traffic.
  2. That increases the number of points of ingress into the network, and with it the attack surface.
  3. As SD-WAN makes the network more dynamic, security controls need to keep pace with that flexibility, and the team needs to understand where an attacker could read or tamper with legitimate transactions.

Overcoming these challenges

The constantly changing SD-WAN environment adds another dimension to this: your cyber-security analysts must understand a network whose true state keeps shifting, while still providing the same assurance to the business. The scale and depth of those analyst and supporting capabilities are key to keeping up, and to giving the well-known cyber-security skills gap time to close, if it can.