With the Growth of SD-WAN Approaches, New Security Vulnerabilities Are Also Growing

After experiencing slower growth in 2020 caused by the COVID-19 pandemic, Dell'Oro Group said earlier this year that the SD-WAN market is expected to accelerate in 2021 and 2022.

According to the analyst firm, worldwide sales of SD-WAN technologies are forecasted to grow at a compound annual growth rate (CAGR) of 24 percent over the next five years, and the market is expected to surpass $4 billion in 2025.

"The pandemic caused some delays in SD-WAN deployments in 2020, but the underlying demand drivers for modernizing WAN infrastructures remains strong", said Shin Umeda, Vice President at Dell (News - Alert)'Oro Group, when the company released results in January of this year.

SD-WAN is defined as a specific application of software-defined networking (SDN) to WAN connections. It is built on years of innovation in the virtualization of network functions and impressive software leaders (including many of whom have been acquired by giant tech firms over the last few years), and while the very definition of a private WAN theoretically embeds security, as more breaches occur, threats and vulnerabilities found in SD-WAN products are coming to the fore.

According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN solutions by 2020, but community knowledge on SD-WAN threats and attacks is limited.

SD-WAN systems form a network perimeter and connect Internet, WAN, extranet, and branches, which makes them attractive targets for attackers. SD-WAN includes firewalls, DPI, VPN, malware detection, and other traditional security features on board, which is crucial from a cybersecurity point of view, but may be lacking when it comes to how privileged users are being managed.

SD-WAN enables new implementation of the planes and its functions on the SDN-NFV infrastructure specific to WAN, which provides additional features for enterprise network operations teams and managed service providers, including multitenancy (VRF and routing), zero-touch provisioning, overlay, and dynamic tunneling VPN, WAN optimization, automatic bandwidth detection, and service chaining.

Documented weaknesses, including instances where a network controller and orchestrator can be deployed in the same IP network, enable attackers to perform vertical access control attacks and access management interfaces and functions, which can be catastrophic for organizations.

Furkan Kirmaci, Product Owner at Ironsphere, a Privileged Access Management software and solution company, said, "It's time the industry recognize that without a solid access management component to any type of enterprise network, including SD-WANs, the cost savings new models enable may evaporate if the network is compromised and valuable data is breached."

SD-WAN separates the data and control planes of the wide-area network, monitors the performance of the mix of WAN data connections (Internet, Internet with IP overlay, MPLS, ATM), and selects the most appropriate connection for each traffic type, based on current link performance, the cost of the connection, and the needs of the application or service.

"SD-WANs can certainly be flexible, efficient, and cost-effective if they employ multiple transport services, including the public Internet," Kirmaci said, "and even more savings can be recognized as the overlay innovators prove they can provide high speed, secure access, leveraging the public Internet – a trend that is now an inevitability."

Kirmaci explained that increasing cloud workloads, more edge automated solutions, remote users, IoT devices, and simply more computing means enterprises will rely even more heavily on the Internet going forward.

"The good news is that with access management software and automation, ensuring that breaches don't happen, especially when privileged users, for example, IT admins, are supported by automation, including password controllers that generate passwords and create a recording of activities that can be used to strengthen compliance, especially in highly regulated industries."

Kirmaci said Zero Trust Networking will be the de facto access standard, and privileged accounts/users are the most critical piece of ZTNA.

"One critical aspect of transitioning to ZTNA is ensuring users remain safe while accessing applications the enterprise doesn't control," Kirmaci said. "We've seen that over and over recently, with various sophisticated phishing attacks when users were tied to the corporate network using managed devices designed to protect against malware and ransomware, where phishing expeditions were still successful and where the biggest attacks most recently have been associated with privileged credentials being accidentally or intentionally shared."

Kirmaci said CISOs can no longer leave this to chance and that the time to act is now, "even as organizations are rolling out digital transformation initiatives, making the environment even more complicated and vulnerable."

The motivations behind SD-WAN migration make perfect sense: reduce cost, increase agility, build flexibility, and some experts are now saying it may be time to skip SD-WAN altogether and move straight to a Zero Trust framework.

"We'll see a lot of combinations, variations, and transitions over time," Kirmaci concluded. "What will never change is the need to ensure that only those users who should have access to mission-critical systems do have access, and by helping them with automated, intelligent, intuitive support systems, organizations can optimize the full value of software-driven data networking without losing sleep."