CenturyLink, Windstream and other providers have made SD-WAN the new networking fashion for businesses, but with an ever-growing array of cyberthreats, the new focus is on making these connections secure.
Like any emerging concept, securing SD-WAN services comes with several approaches that will be adopted and offered based on what a business needs for service.
SD-WAN security today is based on two main concepts: an integrated platform and a best-of-breed approach.
With an integrated approach, vendors like Versa and Cato have incorporated security into their SD-WAN platforms and software. A best-of-breed approach, which has been touted by SD-WAN vendors like VeloCloud, will couple their platform with other security products from security-based companies like Fortinet, Palo Alto Networks and Symantec.
While there are certainly different options to ensure SD-WAN security, Windstream and CenturyLink are being flexible in their approach. This reflects the reality that every business will need an SD-WAN security platform that can accommodate their unique needs and functions.
Chris Johnson, principal solutions architect for Windstream, told FierceTelecom that by having various arrows in its SD-WAN quiver, his company can accommodate a wide range of business types.
“SD-WAN security is definitely a hot topic and there is no one-size-fits-all for the customer,” Johnson said. “It’s really based on the customer’s network goals and what SaaS providers they’re using and what’s the best way to deliver the security service.”
Best of breed gains momentum
Traditional service providers like CenturyLink and Windstream offer business customers several options for SD-WAN security. By offering a best-of-breed SD-WAN security approach, the service provider and the SD-WAN vendor can give the business customer a security solution that allows them to choose the security platform they are most comfortable with using.
Windstream, which announced its 500th endpoint for SD-WAN services late last year, brought its SD-WAN services into the Windstream core network to ensure security. The service provider can address the best of breed or an integrated approach. It can offer either a virtualized-based option or a premises-based service.
“The next part of SD-WAN security is everyone is going to virtualization so you will have an X.86 box where you can take a blade and put in a certain license for SD-WAN and take a Fortinet or Palo Alto solution and put the security at the edge,” Johnson said. “Another option is we can still do the premises-managed services.”
However, other SD-WAN providers like Aryaka, which has developed an SD-WAN product that runs on its own global network, says this best-of-breed approach for SD-WAN security is the best as it can provide deeper protection.
The company recently established an agreement with network security vendor Zscaler. As part of that relationship, Aryaka combines its global SD-WAN capabilities with Zscaler’s security controls needed for Internet and cloud-bound traffic, such as threat protection, data protection and access-control capabilities.
A key differentiator that Aryaka has been touting is that unlike other traditional SD-WAN providers that use broadband connectivity, the company’s traffic stays on its own private network.
“The difference between Aryaka and other solutions is the traffic is traversing over the private network versus the public network,” said Gary Sevounts, VP of marketing for Aryaka. “It is fully multitenant and the bandwidth is dedicated to each of the customers without mixing it.”
Integrated solutions divide
An integrated SD-WAN solution, which includes security within their platform, offers businesses the option to have one solution to either manage themselves or have a provider do it for them as part of a managed service.
CenturyLink, which launched its initial standalone SD-WAN service in June 2016, offers an integrated security option with its key vendor Versa. The service provider later launched a hybrid SD-WAN service that allows businesses to integrate and optimize traffic flow over a mix of broadband internet connections and private MPLS networks.
Eric Barrett, senior director of network product management for CenturyLink, said that the driver to choose an integrated or a best-of-breed SD-WAN security approach depends on the customer.
“What we’re seeing is the network person inside a business is making the decision on the SD-WAN network service and the second person is handling security for larger companies,” Barrett said. “The security guy might not be willing to use the Versa platform or SD-WAN security platform so they want to use what they’re comfortable with.”
One option that CenturyLink is working on is a universal CPE that allows the customer to run a security platform on the same physical device.
Meanwhile, other customers want to gate internet traffic through a core location. Based on the Fortinet platform, CenturyLink allows businesses to route their traffic through the network core and the Fortinet platform. Additionally, CenturyLink is also offering the former Level 3’s ANS security service.
“We’ll have a full security gateway component to the service that you can attach to the SD-WAN offer,” Barrett said. “I think security is going to be a major component of this transformation that customers are making, and we’re going to have to accommodate them all.”
Sevounts said that without partners, providing SD-WAN security is challenging.
“There’s an approach by some vendors to do security all by themselves,” said Sevounts. “The danger of this approach is that small SD-WAN companies with limited resources, you can only provide the IP for some layers to address certain security needs.”
Sevounts added that some enterprises want to work “with several best-of-breed products instead of one integrated solution from a single vendor, which becomes a single point of failure.”