The definitive SD-WAN security checklist<\/h2>\n
Keeping an SD-WAN architecture secure requires several features to be successful. It\u2019s vital to consider this comprehensive list.\u00a0<\/p>\n
1. Frequent security patching<\/h3>\n
Outdated operating systems create a significant security risk. According to a 2016 Voke Media survey<\/a>, about 80% of breaches or failed audits could have been prevented by patching outdated software or updating device configurations. An SD-WAN router with an outdated OS is more likely to have vulnerabilities, and the longer it goes unpatched, the more likely a hacker is to find and exploit those vulnerabilities.<\/p>\n However, SD-WAN architectures are often multi-vendor and highly distributed, making it challenging for administrators to monitor for vulnerabilities and stay on top of patch schedules. There are two primary ways to overcome this difficulty:<\/p>\n Your ability to keep SD-WAN device software secure ultimately depends on the vendor\u2019s patch schedule. Some providers are sluggish to patch known vulnerabilities in their software, either because they think they can keep said vulnerabilities a secret or because they don\u2019t want to dedicate the time and resources needed to keep the OS up to date. That\u2019s why you should look for SD-WAN hardware and software vendors who are transparent about vulnerabilities and who work diligently to release frequent patches and updates.\u00a0<\/p>\n SD-WAN platforms are software-based, but they still require underlying networking hardware at each remote site for connecting to the enterprise network. Deploying this hardware can be difficult, especially when SD-WAN sites are in hard-to-reach locations such as offshore oil rigs, remote weather stations, or nations experiencing disasters or active conflicts. Often, organizations opt to pre-stage devices in their home office and then ship them to remote sites so they can avoid costly or dangerous travel.<\/p>\n Pre-staging creates a security risk because a pre-configured device could be intercepted by hackers and used to access the enterprise network. Zero Touch Provisioning (ZTP)<\/a> reduces the need for pre-staging by deploying new device configurations over the network. ZTP-enabled devices provision themselves by using DHCP or TFTP to find and download configuration files, which means administrators can ship factory-default hardware that doesn\u2019t contain any exploitable information about the enterprise network.<\/p>\n However, ZTP also introduces some additional security challenges. Once they\u2019ve created the configuration file, administrators generally don\u2019t monitor the entire automatic provisioning process, so there\u2019s a chance that a mistake in the configuration file could create a security vulnerability that goes unnoticed. And, since one ZTP configuration file is usually applied to multiple devices, a potential security vulnerability could affect several systems or locations without anyone knowing. In addition, hackers could intercept the transmission of the configuration file over the network if the connection isn\u2019t strongly encrypted.<\/p>\n These challenges are overcome with a secure ZTP solution that follows zero trust security principles<\/a>. This type of solution is often referred to as \u201cZero Trust Provisioning,\u201d and it includes hardware-based security like TPM, BIOS protection, encryption modules, and an onboard firewall which protects the software layer (secure boot) and management layer (two-factor authentication). In addition, the ideal Zero Trust Provisioning solution supports integrations with automated configuration management tools like Chef and Ansible which can be set up to test and monitor ZTP configurations for mistakes and security vulnerabilities.<\/p>\n Zero Trust Provisioning is a key part of the SD-WAN security checklist because it prevents branch networking hardware from being intercepted and used in a cyberattack. It also ensures that automatic provisioning occurs over a secure, encrypted network connection, and allows integration with configuration management tools to prevent errors from introducing additional vulnerabilities.\u00a0<\/p>\n Many organizations use out-of-band (OOB) management to configure, control, and troubleshoot remote network infrastructure. OOB management uses a separate management plane, so resource-intensive network management and orchestration workflows don\u2019t affect the performance or reliability of the production network. This may involve using a jump box to access an OOB network<\/a>, which is an entirely separate management network architecture that runs parallel to the production network. However, a simpler solution is to use an OOB console server<\/a> to achieve the same goal without the hassle of deploying a separate architecture.<\/p>\n OOB management improves the performance and reliability of production networks, and provides an alternative path to remote infrastructure (typically via cellular modem) in the event of an ISP outage or a network device failure. The issue with OOB management is that jump boxes and console servers are attractive targets to hackers. If a malicious actor manages to compromise the OOB network, they\u2019ll gain complete control over the remote infrastructure.<\/p>\n To keep SD-WAN devices and other remote infrastructure secure, it\u2019s best to use an OOB console server with advanced encryption for both the hardware and the management connections. In addition, the OOB solution should include Zero Trust features like MFA (multi-factor authentication) and RBAC (role-based access control). Just like the SD-WAN hardware, the OOB device(s) should run a fully patched OS and support Zero Trust Provisioning. For even greater protection, choose an OOB solution that supports integrations with third-party security solutions like next-generation firewalls (NGFW).<\/p>\n A secure out-of-band management solution gives network administrators 24\/7 access to remote infrastructure on a dedicated, encrypted network connection using hardened OOB console server devices. This ensures that hackers can\u2019t use the OOB network to hijack production infrastructure while also giving administrators the ability to quickly recover from outages, hardware failures, and cyberattacks.<\/p>\n As we\u2019ve discussed above, it\u2019s possible to run SD-WAN solutions on hardware with onboard firewall features. However, these basic firewalls often lack the advanced functionality needed to protect enterprise networks from sophisticated cyberattacks, which is why most organizations also use some form of stateful firewall or NGFW that resides in a central data center. This works well for a single, centralized enterprise network, but the addition of remote sites can create performance issues. For the centralized firewall to inspect and protect SD-WAN traffic, that traffic must be backhauled through the central data center, even if the request is ultimately destined for the web. This inefficient routing causes bottlenecks, performance issues, and even dropped connections for on-premises and remote users alike. The obvious solution to this problem would be installing physical or virtual firewalls in each remote location, but this is expensive and disruptive and creates more management complexity for network administrators.<\/p>\n A better way to protect remote traffic while improving performance is through the use of cloud-based security solutions, such as Security Service Edge (SSE)<\/a>. SSE relies on SD-WAN\u2019s intelligent routing capabilities to separate remote traffic that\u2019s destined for web, cloud, and SaaS resources. This traffic bypasses the firewall and is instead routed through a cloud-based security stack, reducing the load on the enterprise network.<\/p>\n Ideally, the SD-WAN solution will tightly integrate with the SSE platform. This combination of SSE security with an SD-WAN on-ramp creates what\u2019s known as SASE, or Secure Access Service Edge<\/a>. This is most easily achieved using vendor-neutral branch networking platforms which can host or integrate with a wide variety of SD-WAN and SSE solutions. An integrated SASE architecture ensures comprehensive security while providing remote users and systems with fast, reliable access to cloud resources.<\/p>\n Only one remote network management solution provides everything you need to keep your SD-WAN architecture secure: the Nodegrid platform from ZPE Systems. Nodegrid\u2019s vendor-neutral routers, such as the 5-in-1 Hive SR branch gateway<\/a>, can directly host or integrate with your chosen SD-WAN solution. Whether you enable SD-WAN with a Nodegrid device or by using ZPE Cloud\u2019s SD-WAN application, you\u2019ll get seamless access, centralized management, and state-of-the-art security.<\/p>\n Nodegrid\u2019s branch gateway routers<\/a> run on the vendor-neutral, x86 Linux-based Nodegrid OS, which is constantly monitored for vulnerabilities and frequently patched to ensure security. Plus, with the ZPE Cloud orchestration platform, you can monitor and update all your SD-WAN devices from one convenient management portal\u2014even if that hardware comes from another vendor.<\/p>\n All Nodegrid devices support Zero Trust Provisioning, and they can extend this capability to any third-party devices managed by Nodegrid. That means administrators can securely configure all the multi-vendor devices in a remote branch network without the need for travel or pre-staging. Nodegrid ZTP is considered Zero Trust because it protects the hardware, software, and management layers with advanced security features like:<\/p>\n Nodegrid also supports integrations with automated configuration management solutions like Ansible, Chef, and Puppet, so you can ensure every device is provisioned correctly.<\/p>\n Nodegrid services routers provide reliable, Gen 3 OOB management<\/a> access to any connected devices, including those from other vendors. This access is protected by a patched OS, onboard hardware security features, and current encryption modules. Plus, Nodegrid\u2019s hardware and software can host or integrate with third-party security solutions like NGFWs for comprehensive OOB security.\u00a0<\/p>\n The Nodegrid branch networking solution provides the ideal SD-WAN on-ramp to leading Security Service Edge providers. That\u2019s because Nodegrid is a completely open platform that can host or integrate with any SSE and SD-WAN offering to provide a single, unified SASE solution<\/a>. This gives administrators complete control over every aspect of branch network management and SD-WAN security from one convenient portal, reducing complexity and improving your security posture at the same time.<\/p>\n [\/et_pb_text][et_pb_text _builder_version=”4.18.0″ _module_preset=”default” text_text_color=”#FFFFFF” background_color=”#358AAF” custom_margin=”||||true|false” custom_padding=”30px|30px|30px|30px|true|true” hover_enabled=”0″ global_colors_info=”{}” theme_builder_area=”post_content” sticky_enabled=”0″]<\/p>\n Contact ZPE Systems today to learn more<\/p>\n\n
2. Zero Trust Provisioning<\/h3>\n
3. Secure out-of-band access<\/h3>\n
4. Cloud-based security technology<\/h3>\n
![\"\"](\"https:\/\/zpesystems.com\/wp-content\/uploads\/2020\/11\/SASEText-198x300.png\")
<\/p>\nNodegrid checks every box on your SD-WAN security checklist<\/h2>\n
1. Secure, up-to-date SD-WAN device OS<\/h3>\n
2. Zero Trust Provisioning for branch networks<\/h3>\n
\n
3. Gen 3 secure out-of-band management<\/h3>\n
4. An SD-WAN onramp to SSE<\/h3>\n
Wondering how ZPE\u2019s Nodegrid solution checks all the boxes on your SD-WAN security checklist?<\/h2>\n