Many midmarket businesses and distributed enterprises are implementing SD-WAN to lower costs and make their networks more agile. However, networks that span many remote locations have several unique security risks that are often exacerbated by a move to SD-WAN, especially if the IT team doesn’t take security into account during the rollout. Our Sr. Technical Product Manager Ben Brobak recently wrote a guest article for SD-WAN Resources.com explaining four of these security issues and how they can be prevented. Here’s an excerpt from the article explaining how the move to SD-WAN creates new attack surfaces:
Imagine a collection of remote offices with an MPLS (Multi-Protocol Label Switching) connection that routes all traffic to HQ, where it then passes through a corporate firewall. Since none of the remote locations are exposed to the open internet and the connection is secured at headquarters, it’s fairly safe overall. However, if that company moves to an SD-WAN model, each of those locations now has a physical connection to the internet, exposing them to a staggering number of attacks. For example, in one research trial, a fake AWS server was online for less than a minute before automated hacks began targeting it…This creates new risk even if all of their traffic is still being routed to headquarters and through a firewall via VPN tunnels.
Other risks associated with SD-WAN rollouts are applying security centrally instead of at each location (which allows threats that penetrate the network to freely move laterally once they’re in), forgetting to add firewalls to protect traffic that is now moving across the open internet, and accidentally bypassing the firewall when installing or troubleshooting an SD-WAN appliance.
Read Ben’s full article to learn more about SD-WAN security. WatchGuard offers some SD-WAN services, and using a setup like ours that combines security and SD-WAN in one appliance is one way to solve many of the issue Ben’s article highlights. Read more about what we can offer here on Secplicity, or on our main site here.