What is SD-WAN and what are its security challenges? | nFlo Blog

SD-WAN security: How to protect the wide area network in the era of cloud and remote working?


For years, the architecture of the corporate wide area network (WAN) was simple and predictable. The company’s headquarters was the heart of the operation, and all branch offices connected to it via dedicated, reliable but extremely expensive MPLS links. All Internet traffic, regardless of which office it came from, was routed back to the central data center, where it passed through the company’s powerful firewall, and only then made its way to the global network. This model, known as hub-and-spoke, provided a great deal of control, but in today’s world it has become an operational and cost bottleneck.

Digital transformation, mass migration to cloud applications (SaaS) and the proliferation of hybrid work have completely broken this old paradigm. It has become absurdly inefficient to send all traffic to a headquarters just to access Microsoft 365 or Salesforce. In response to this challenge, Software-Defined WAN (SD-WAN) technology was born. It’s a revolution that offers companies tremendous flexibility, cost savings and efficiency. But at the same time, by opening hundreds of new “doors” to the Internet, it creates entirely new and complex challenges for cyber security. How do we ensure consistent protection when our network no longer has a single, easily defensible perimeter?

What is SD-WAN and why have traditional WANs become inefficient?

SD-WAN (Software-Defined Wide Area Network) is a modern approach to the design and management of wide area networks that uses software to intelligently and dynamically direct network traffic. Unlike the traditional WAN, which relied on physical, dedicated links (mainly MPLS) and complex, manual configuration of routers, SD-WAN is flexible, centralized and automated.

The traditional WAN became inefficient because it was designed for a world in which the vast majority of applications and data resided in a central, corporate data center. In the cloud era, with key business applications (CRM, ERP, mail) running as SaaS services, this model no longer made sense. It forced traffic from a branch office, destined for a nearby Microsoft data center, to make a long and inefficient round trip through corporate headquarters. This added latency to every request, reduced user productivity and kept the organization paying for expensive MPLS capacity just to carry Internet traffic.

SD-WAN solves this problem by enabling the use of many different types of connections at once, from low-cost broadband Internet access, through LTE/5G, to MPLS links where they are still in use. The SD-WAN controller distributes a central, application-aware policy to the edge devices in each branch; the edge devices continuously measure each link (latency, jitter, packet loss) and steer every application over the path that currently meets its requirements, according to the traffic's type and priority, so that the best available quality and performance is maintained even when one link degrades.


What new cyber security challenges and risks does the SD-WAN architecture introduce?

Despite the tremendous operational benefits, deploying SD-WAN without a well-thought-out security strategy can open a Pandora’s box. Decentralization and direct Internet access from every branch create new attack vectors and significantly increase an organization’s attack surface.

The main challenge is the loss of centralized control and visibility over traffic. In the old model, all traffic went through a single, powerful security stack at headquarters. Administrators had a single point where they could enforce policies, monitor traffic and detect threats. In an SD-WAN architecture with local exits to the Internet, each of the dozens or hundreds of branches becomes a small, independent network edge. Ensuring consistent security policies and monitoring traffic in such a distributed environment becomes extremely difficult. A second, often overlooked consequence is that the SD-WAN orchestrator and its management plane become a high-value target: whoever controls it can rewrite routing and security policy for every branch at once, so its administrative accounts, APIs and device enrolment process need at least the same hardening the hub firewall once received.

This leads to an inconsistent security posture. Branches may have varying levels of security, outdated software on network devices, or be managed by local staff with less cybersecurity expertise. For an attacker, such a poorly secured, small branch office becomes an ideal entry point into the entire corporate network. Compromising one office can allow lateral movement and reach key resources at headquarters or other branches.


Why are local Internet breakouts in each branch so challenging?

Local Internet breakout is the heart and main performance advantage of SD-WAN technology. It allows traffic destined for sanctioned cloud applications (e.g. Microsoft 365, Salesforce) to be routed directly from the branch office to the Internet, bypassing the headquarters. This drastically improves productivity and user experience. At the same time, it is the most challenging feature from a security perspective.

By opening a direct connection to the Internet in each branch, we de facto eliminate the traditional single network perimeter. Instead of one heavily fortified point of contact with the public network, we suddenly have dozens or hundreds of them. Each of these points must be as well secured as the central data center once was. Leaving a small branch office with only a simple router and basic stateful firewall functions is asking for trouble.

This necessitates the implementation of advanced security features at each individual branch office. Each local breakout must be protected by the same rich set of security functions as the headquarters. This includes a next-generation firewall (NGFW), an intrusion prevention system (IPS), web content filtering, malware protection and sandboxing, among others. Managing such a distributed security architecture manually, branch by branch, is virtually impossible; the policy has to be defined once and enforced everywhere.


What is Secure SD-WAN and why is it a better choice than “tightening” security?

In response to the challenges of SD-WAN security, the market has evolved towards Secure SD-WAN class solutions. This is an approach in which advanced network functions (SD-WAN) and key security functions (Security) are integrated into a single, cohesive platform, managed from a single, central console.

The traditional “tacked-on” security approach involved deploying a separate SD-WAN appliance and a separate next-generation firewall (NGFW) appliance in each branch, often from different vendors. This led to a complicated and expensive architecture, difficult to manage and prone to configuration errors. Two separate systems meant two separate consoles, two sets of policies and no consistent visibility.

Secure SD-WAN eliminates these problems. Features such as NGFW, IPS, antivirus, URL filtering and sandboxing are built directly into the device or SD-WAN platform. As a result, administrators can create and enforce consistent network and security policies from one place for the entire organization. For example, they can define a policy: “Traffic to Microsoft 365 has the highest priority, is to be routed through the local exit to the Internet and subjected to IPS inspection and antivirus protection.” Such an integrated policy is then automatically distributed to all branches.
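The following Python sketch is an added example, not code from the original page or from any SD-WAN vendor. It models two things the text describes: the link-quality-based path selection from the section "What is SD-WAN and why have traditional WANs become inefficient?", and the single integrated network-plus-security policy from this section, including a central audit that refuses to publish a policy in which any rule sends traffic straight to the Internet without NGFW, IPS and anti-malware inspection. All rule names, domain suffixes, SLA thresholds and link measurements are constructed assumptions for the example.

```python
"""Illustrative Secure SD-WAN policy engine (added example, not vendor code).

Models three ideas from the text with constructed data:
  * application-aware steering: a flow is classified by its server name and
    sent over the first preferred link whose measured quality meets the
    application's SLA, with any healthy link or best-effort as fall-back;
  * integrated security: every rule carries the inspection profile the
    branch must apply, so network and security policy travel together;
  * central policy audit: a policy that lets traffic leave a branch directly
    to the Internet without NGFW/IPS/anti-malware is refused before it is pushed.
All names, thresholds and measurements below are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkStats:
    name: str            # underlay link at the branch: "broadband", "lte", "mpls"
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float

    def met_by(self, link: LinkStats) -> bool:
        return (link.latency_ms <= self.max_latency_ms
                and link.loss_pct <= self.max_loss_pct
                and link.jitter_ms <= self.max_jitter_ms)


@dataclass(frozen=True)
class Rule:
    name: str
    match_domains: tuple      # hostname suffixes identifying the application; "*" = any
    egress: str               # "local_breakout" (direct to Internet) or "hub" (via headquarters)
    preferred_links: tuple    # ordered link preference
    sla: Sla
    inspection: frozenset     # security functions applied where the traffic exits
    priority: int             # QoS class, lower = more important


# Minimum inspection any traffic leaving a branch directly to the Internet must receive.
REQUIRED_FOR_BREAKOUT = frozenset({"ngfw", "ips", "antimalware"})


def audit_policy(rules):
    """Return findings that must be fixed before the policy is pushed to branches."""
    findings = []
    for r in rules:
        if r.egress == "local_breakout":
            missing = REQUIRED_FOR_BREAKOUT - r.inspection
            if missing:
                findings.append(f"{r.name}: local breakout without {sorted(missing)}")
        if r.egress not in ("local_breakout", "hub"):
            findings.append(f"{r.name}: unknown egress {r.egress!r}")
    if not any("*" in r.match_domains for r in rules):
        findings.append("no catch-all rule: unmatched traffic has no policy")
    return findings


def classify(rules, server_name):
    """First-match classification on the TLS SNI / HTTP host name."""
    host = server_name.lower().rstrip(".")
    for r in rules:
        for d in r.match_domains:
            if d == "*" or host == d or host.endswith("." + d):
                return r
    return None


def select_path(rule, links):
    """Preferred link meeting the SLA; else any link meeting it; else best-effort."""
    by_name = {l.name: l for l in links}
    for name in rule.preferred_links:
        link = by_name.get(name)
        if link is not None and rule.sla.met_by(link):
            return link.name, True
    healthy = [l for l in links if rule.sla.met_by(l)]
    if healthy:
        return min(healthy, key=lambda l: l.latency_ms).name, True
    # Brownout on every link: forward anyway on the lowest-latency link, but report the SLA miss.
    return min(links, key=lambda l: l.latency_ms).name, False


def steer(rules, links, server_name):
    """Decision the branch edge makes for one new flow."""
    rule = classify(rules, server_name)
    if rule is None:
        return {"action": "drop", "reason": "no matching rule"}
    path, sla_met = select_path(rule, links)
    return {"action": "forward", "rule": rule.name, "egress": rule.egress,
            "path": path, "sla_met": sla_met, "priority": rule.priority,
            "inspection": sorted(rule.inspection)}


FULL = frozenset({"ngfw", "ips", "antimalware", "url_filter", "sandbox"})

# Constructed central policy, distributed identically to every branch.
POLICY = (
    Rule("m365", ("office.com", "microsoft.com"), "local_breakout", ("broadband", "lte"),
         Sla(150, 1.0, 30), FULL - {"sandbox"}, priority=1),
    Rule("corp-apps", ("corp.example",), "hub", ("mpls", "broadband"),
         Sla(100, 0.5, 20), frozenset({"ngfw"}), priority=2),   # full stack applied at the hub
    Rule("internet-default", ("*",), "local_breakout", ("broadband", "lte"),
         Sla(300, 3.0, 50), FULL, priority=5),
)

# Same policy with the mistake the text warns about: the default Internet rule guarded by a plain firewall only.
WEAK_POLICY = POLICY[:2] + (
    Rule("internet-default", ("*",), "local_breakout", ("broadband", "lte"),
         Sla(300, 3.0, 50), frozenset({"ngfw"}), priority=5),
)

# Constructed link measurements from one branch.
LINKS_HEALTHY = (LinkStats("broadband", 25, 0.1, 5), LinkStats("lte", 45, 0.5, 12),
                 LinkStats("mpls", 20, 0.0, 2))
LINKS_BROADBAND_LOSSY = (LinkStats("broadband", 25, 4.0, 40), LinkStats("lte", 45, 0.5, 12),
                         LinkStats("mpls", 20, 0.0, 2))
LINKS_ALL_DEGRADED = (LinkStats("broadband", 400, 6.0, 80), LinkStats("lte", 350, 8.0, 90),
                      LinkStats("mpls", 200, 2.0, 60))

if __name__ == "__main__":
    print("audit(POLICY):", audit_policy(POLICY) or "clean")
    print("audit(WEAK_POLICY):", audit_policy(WEAK_POLICY))
    for links in (LINKS_HEALTHY, LINKS_BROADBAND_LOSSY, LINKS_ALL_DEGRADED):
        print(steer(POLICY, links, "outlook.office.com"))
    print(steer(POLICY, LINKS_HEALTHY, "intranet.corp.example"))
```

With healthy links the Microsoft 365 flow leaves via the local broadband breakout with IPS and anti-malware attached; when broadband starts dropping packets the same flow moves to LTE without any policy change, and when every link misses the SLA the edge still forwards but reports the miss. The audit is the part a practitioner should insist on in a real orchestrator: the weak policy is identical to the good one except that the default Internet rule inspects with a plain firewall only, and that single rule is enough to fail publication.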

Evolution of the Wide Area Network: Traditional WAN vs. Secure SD-WAN

Aspect | Traditional WAN (MPLS-based) | Secure SD-WAN
Main medium | Expensive private MPLS links | Multiple connection types: broadband, LTE/5G, MPLS
Routing | Static, device-based, manually configured | Dynamic, application-aware, driven by central policy
Internet access | Centralized (backhauled through headquarters) | Decentralized (local breakouts at branches)
Security management | Centralized but inefficient: a single, powerful firewall at headquarters | Distributed but centrally managed: integrated security functions at each branch
Cost | High (MPLS links) | Low to medium (low-cost Internet connections)

How does SD-WAN fit into the broader SASE (Secure Access Service Edge) architecture concept?

SASE (Secure Access Service Edge), pronounced "sassy," is an architectural concept coined by the analyst firm Gartner in 2019. It is the natural next step in the evolution of network security in the era of cloud and remote working. SASE involves the convergence of network functions (represented mainly by SD-WAN) and a wide range of security functions into a single, cloud-delivered service.

In the Secure SD-WAN model described above, security functions (such as NGFW) are embedded in a physical or virtual device at each branch office. In the SASE model, both the intelligence controlling the network and the entire security stack are moved to the service provider's global network of Points of Presence (PoPs). Instead of connecting directly to the Internet, the user or branch connects to the nearest SASE PoP, and it is there, in the cloud, that all security policies are enforced. The branch still runs a thinner SD-WAN edge that terminates the tunnels to the PoP and keeps local segmentation; what moves to the cloud is the Internet-facing inspection, so the branch device no longer needs to be a full security appliance.

The SASE architecture includes a much broader range of services than a typical Secure SD-WAN. In addition to NGFW and IPS, it also includes Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall-as-a-Service (FWaaS), among others. SD-WAN becomes a key “network” component in this model, responsible for intelligently and reliably connecting branches and users to the SASE cloud.


How can nFlo help you design, deploy and secure your SD-WAN?

Transforming a network from a traditional WAN model to an SD-WAN is a complex project that requires not only deep network expertise, but above all a strategic approach to cyber security. At nFlo, we act as a trusted partner at every stage of this journey, ensuring that the new network is not only efficient and flexible, but above all secure from the start.

Our process begins with a consulting and design phase. We analyze the client’s current network architecture, application traffic characteristics and business objectives. Based on this, we help design a future-proof Secure SD-WAN or SASE architecture that is optimally suited to the organization’s needs. Our approach is technology-neutral – we help select the best solution from among the market-leading vendors, guided solely by the client’s interests.

Our team of certified engineers performs end-to-end implementation and migration from the existing MPLS network to the new SD-WAN architecture. We make sure that the process is smooth, minimizes business downtime and ensures that all security policies are properly configured. We also offer managed services (Managed SD-WAN), where our team takes on the burden of monitoring network performance and security, managing policies and responding to incidents. In this way, the client gets all the benefits of a modern network, without the need to build and maintain a dedicated in-house team of specialists.

About the author:
Marcin Godula

Marcin is a seasoned IT professional with over 20 years of experience. He focuses on market trend analysis, strategic planning, and developing innovative technology solutions. His expertise is backed by numerous technical and sales certifications from leading IT vendors, providing him with a deep understanding of both technological and business aspects.

In his work, Marcin is guided by values such as partnership, honesty, and agility. His approach to technology development is based on practical experience and continuous process improvement. He is known for his enthusiastic application of the kaizen philosophy, resulting in constant improvements and delivering increasing value in IT projects.

Marcin is particularly interested in automation and the implementation of GenAI in business. Additionally, he delves into cybersecurity, focusing on innovative methods of protecting IT infrastructure from threats. In the infrastructure area, he explores opportunities to optimize data centers, increase energy efficiency, and implement advanced networking solutions.

He actively engages in the analysis of new technologies, sharing his knowledge through publications and industry presentations. He believes that the key to success in IT is combining technological innovation with practical business needs, while maintaining the highest standards of security and infrastructure performance.