MPLS vs. SD-WAN – Why CISOs should care

While SD-WAN is a hot topic right now with CIOs, it’s not something that I hear much talk about from CISOs. Given how much CISOs already have on their plate, who has time to learn about one more thing, especially if you don’t think it’s critical to your success. But SD-WAN is a transformative technology that all CISOs better learn. It’s coming to your enterprise and it’s important you’re ready, because it can introduce significant new risks.

Although there are many reasons why organizations are flocking to SD-WAN, two top reasons are reducing circuit costs by replacing expensive MPLS circuits with less expensive internet circuits and enabling cloud adoption.

But what does that mean from a security standpoint and why do you need to care? To answer this question, let’s look at what MPLS security challenges can be overcome with SD-WAN, what risks SD-WAN can introduce, and how SD-WAN can actually help make you more secure.

MPLS networks lack basic protections for confidentiality, authentication and integrity, requiring organizations to implement a VPN solution on top of their MPLS circuits. Unfortunately, this adds complexity and cost, and consequently, many organizations fail to do this. With most SD-WAN solutions, however, VPN capabilities are natively built in, solving this challenge.

Blog-chuttersnap-580675-unsplashPhotograph by Chutternsnap

If you’ve evaluated any SD-WAN solutions, I’m sure you’re familiar with the phrase «local internet breakout». With legacy MPLS-based WANs, most organizations backhaul all of their internet outbound traffic from remote locations to a main data center before routing the traffic to the internet. With «local internet breakout», however, remote locations directly access the internet and cloud applications, without backhauling the traffic to a main data center, hence improving performance. But now you must have your complete internet outbound security stack running at every remote location and if you don’t, you’ve just significantly reduced your overall security posture. So, if your company is looking at implementing SD-WAN, as a CISO you’d better be intimately involved in the planning, otherwise you’ll be left playing catch-up to add redundant security controls across many sites.

While legacy WANs might use dynamic routing protocols such as OSPF or RIP, they are actually very static in their nature. These routing protocols do provide value as they reduce manual configurations and allow traffic to be automatically rerouted on a mesh network in response to a network outage or congestion. But they don’t provide the flexibility that SD-WAN does. Because SD-WAN is application aware, you can route traffic differently based on the specific application. This enables both traffic shaping, and prioritization based on application criticality and requirements, something that dynamic routing protocols can’t do. And because your policies are centrally managed and based on applications, new locations or services can quickly be provisioned, enabling cloud adoption as opposed to hindering it.

SD-WAN can also decrease the cost and impact of an incident by improving your overall security detection capabilities with increased application and traffic visibility and correlation, reducing hacker dwell times. And when something is detected, like ransomware, SD-WAN’s dynamic segmentation can contain the attack to one site, significantly reducing the impact (think Maersk’s NotPetya ransomware incident that propagated across its WAN).

So, get ready, SD-WAN is coming!! But don’t stress; this can be a good thing. In fact, I recommend that CISOs actually start pushing SD-WAN projects. What’s better than driving a project that not only increases your overall security but actually helps the business accomplish its goals at the same time?

Jack Miller image

This post was written by Jack Miller, Jack is a CISO at Open Systems.