We recently asked our security guru if SD-WAN should be considered a part of the security posture in modern networking. Glad we did and below are parts of his response.
- Security data sources includes telemetry in the form of logs from applications, firewalls, network devices, and security technologies. Logs are intended to inform an external source what an application or device is doing. But logs are programmed sources of data, meaning a system architect or programmer makes the decision on when to log and what form that log takes. It is a piece of the code that says “log this event or information” that is called as a subroutine through a program. It is entirely possible for a compromise to happen that occurs at a point where an event is not logged, or even that logs can be suppressed as part of the exploit. While logs are a good source of data, especially when collected in mass and correlated together, they represent a secondary level source of information–it can only tell what the software thinks; if the software is wrong, so is the log.
- Network traffic is “outside” of an application or even network device. It is traffic on a wire and it must be used to move from one system to another. It is the underlying mechanism of data transport and it is a primary source of information. Regardless of the application state, the network traffic to it is the real data. A remote compromise must generate network data in order to traverse to new system and this network data cannot be faked (though noise can be generated to try to hide it). It is a PRIMARY source data that triggers change of state or events in the destination and that eventually lead to compromise.
- All network data has a source and for two-way communication that source must be real not spoofed or faked). This source is indisputable for two systems to communicate (two systems can’t communicate using a spoofed source.) This source can be used to backtrack through a network to determine the device or origin. A log can be made to report the wrong source, but if it is wrong on the wire, it gets delivered to the wrong device or simple tossed as incorrect.
- All connections between networks (external, partner, customer, or public) must be watched for 100% attack surface coverage. Why attack a data center where there is generally lots of security, versus the small branch office it connects to where people might be lax and there is much less investment in security?
- Finally, SDWAN operates as many devices that are part of the security stack. They operate as router, switch, firewall, security sensor for traffic inspection, point of inspection for viruses, malware, and ransomware (and many others). They are all these devices in a single system instead of deployed in 5 or 6 different devices spread throughout the network and the systems on the network. It is a single point that can not only inspect but control data flow. It is more cost effective because it is a single device. It is easier to deploy and manage because it is a single device. It can be easily upgraded with new functionality because it is a software device that doesn’t require firmware or hardware refresh to gain new functionality.