What are some of the most common SD-WAN security vulnerabilities? How can I plan for these potential security issues?
The Citrix SD-WAN comes with a full firewall that is very capable. You just need to make sure that you harden the rules. I would follow an approach of blocking everything, then opening only what you need. One point to note: there is a difference between applying a block rule and a drop rule. A block still takes some processing; a drop just ignores these packets. This makes a big difference when facing DDoS attacks. Use drop rather than block, or DDoS will still take your services down. NOTE: this is a quick response, not a tech note. Check all changes carefully before implementing.
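The default-deny, drop-not-block advice above, rendered as an nftables ruleset for a Linux-based edge box (an added example, not the poster's configuration or Citrix's policy format; the admin subnet, management ports and tunnel ports are assumed placeholders):

```nft
#!/usr/sbin/nft -f
# Added example: default-deny edge filter. Everything not explicitly allowed is
# silently dropped; nothing below sends a reject response to unsolicited traffic.
flush ruleset

table inet edge {
    chain input {
        # "policy drop": the chain's fall-through is a silent drop, so flood packets
        # that match no allow rule cost the box almost nothing and get no reply.
        type filter hook input priority filter; policy drop;

        # Drop malformed/invalid state early, accept return traffic for flows we started.
        ct state invalid drop
        ct state established,related accept
        iif lo accept

        # Open only what is needed: management reachable only from the admin subnet.
        # 10.10.0.0/24 and ports 22/443 are placeholders for this example.
        ip saddr 10.10.0.0/24 tcp dport { 22, 443 } accept

        # Overlay tunnel endpoint (IKE/NAT-T and ESP assumed as the transport here).
        udp dport { 500, 4500 } accept
        meta l4proto esp accept

        # Rate-limit echo requests so a ping flood is shed, not answered in full.
        icmp type echo-request limit rate 10/second accept

        # The "block" alternative, shown for contrast and deliberately left inactive:
        # a reject replies with a TCP RST or ICMP error per probe, i.e. extra work and
        # a response packet for every packet in a flood.
        # tcp dport 23 reject with tcp reset

        # Sample what falls through to the drop policy for visibility without
        # turning logging itself into a DoS vector.
        limit rate 5/minute log prefix "edge-drop: "
    }

    chain forward {
        # Same stance for transit traffic: drop by default, permit known flows only.
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Branch LAN to overlay: placeholder subnet and tunnel interface name.
        ip saddr 192.168.10.0/24 oifname "ipsec0" accept
    }
}
```

Load with `nft -c -f` first to syntax-check, then apply and confirm the management subnet still reaches the box before saving.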
Restricting this response to security only. Keep focused on your desired outcome. SD-WAN protects by encrypting communication. Is this all you want to protect? What about your data at rest, what about the human risk, what about Active Directory, what about passwords? Security is an entire posture. Also consider that once inside the SD-WAN an intruder moves with impunity unless the chosen SD-WAN inspects TLS (still commonly called SSL inspection). Ensure your SD-WAN choice includes strong security with the ability to integrate with other security applications. Then also remember that a good SD-WAN will improve the performance of the underlying circuits, but not change the nature of the circuit. A contended broadband will still be a contended broadband. Lastly, if multiple vendor applications are used, a single user interface will save your limited time.
Adding NGFW functions to a pure-play SD-WAN solution is much more difficult than adding SD-WAN features to an NGFW. So when you move away from backhauling all branch traffic to HQ (moving towards direct cloud access and enabling edge computing), you need to be sure that the local traffic is secured enough, and that this traffic is inspected for intrusion attempts and malware downloads. Cloud is not secure by default. That's why you need to plan security controls locally, with the ability to manage and monitor them from HQ. I would prefer to use a single appliance at the branch which can do both security inspection and SD-WAN at a high level.
It depends which SD-WAN vendor you are considering. Pure-play SD-WAN solutions generally lack enterprise-grade security features, and their architectures require a firewall, which means more complexity and cost. A number of firewall vendors have Secure SD-WAN appliances that incorporate NGFW and SD-WAN functionality in one appliance. Pure-play vendors are well known for overselling their security capabilities and leaving customers vulnerable.
A risk with SD-WAN devices is that you move away from hub-and-spoke networking to meshed, which means that there is a potential for the compromise of one device to give attackers visibility into the traffic flow from across the network. It's more efficient, manageable and cost-effective to have a Secure SD-WAN device from a security vendor.
SD-WAN comes with a firewall inside the device; the issue with those firewalls is the lack of features like SSL-VPN. It is recommended to recheck management access, because this device is connected directly to the Internet, and to make sure it is always up to date.
Remember, this is the direct link from the Internet/branches with default security once installed; again, make sure to configure it correctly.
This depends on the supplier. Most of the well-known cloud suppliers know how to do security. Best to be aware of the human factor, things like account takeover. To prevent account takeovers, two-factor identification would help a lot.
The SD-WAN does not have any vulnerability, since that feature can be natively integrated with a security platform, such as an SD-WAN gateway that uses security as a virtual network function (Velocloud + Palo Alto Networks, Citrix + Palo Alto Networks), or a native security platform with a plug-in SD-WAN (Palo Alto Networks, Fortinet). The main advantage of the second option is that you only have to use one orchestration console.
The Fortinet Secure SD-WAN solution is included in the firmware, no additional license required, and you can implement all NGFW functions, making it secure. Additionally, it has one of the highest throughputs and LCO. You can steer traffic in multiple ways across your links, implementing SLA levels for each type of traffic. Very happy with the solution.