Network Security is a critical element of each organization's overall security strategy. As a result of the public cloud and remote workers, the attack surface of the WAN has expanded drastically in recent years, as shown in the following diagram.
Network and security teams are constantly pressured to defend their domains against cybersecurity attacks and data breaches. However, the traditional WAN environment has multiple security problems:
- Little attention is paid to ensuring the authenticity of network devices. In many environments, a new router or switch can simply be plugged into the network and will join the existing routing and control protocols. Across thousands of branches, this becomes hard to track and defend against.
- Each control-plane protocol implements its own security mechanisms. BGP, OSPF, PIM, HSRP, SNMP and others each handle keys and key rotation differently, so ensuring that every control-plane exchange is authenticated is a challenge.
- Securing the data traffic across all links requires a great deal of manual work: IPsec tunnels and shared keys have to be configured on every WAN link.
- Network functions (routers, switches, etc.) and security functions (firewalls, IPS, proxies, etc.) are generally delivered as separate hardware appliances, resulting in network sprawl.
- High-availability designs and security controls are often in conflict.
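The second and third problems above (every control-plane protocol carrying its own, separately configured keys) are easiest to appreciate by trying to audit them. The following script is an added example, not code from the book or from Cisco: it parses a constructed IOS-style configuration (the sample text is made up for illustration) and reports BGP neighbors without a TCP MD5 password, HSRP groups without authentication, interfaces that would run OSPF unauthenticated, and well-known SNMP community strings. The OSPF check is a heuristic of my own (assume every routed interface participates in OSPF unless area-level authentication is configured), and the function and class names are arbitrary.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration for illustration only; not taken from any real device.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
!
snmp-server community public RO
snmp-server community s3cr3tRW RW
!
interface GigabitEthernet0/0
 ip address 10.1.0.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 0spfK3y
 standby 1 ip 10.1.0.254
 standby 1 authentication md5 key-string hsrpK3y
!
interface GigabitEthernet0/1
 ip address 10.2.0.1 255.255.255.0
 standby 2 ip 10.2.0.254
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 password bgpK3y
 neighbor 192.0.2.5 remote-as 65003
"""

WEAK_SNMP_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    protocol: str   # which control-plane protocol the gap belongs to
    location: str   # the config section header where it was found
    message: str


def parse_sections(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS-style config into (header, child lines) pairs.

    A line with no leading whitespace starts a new section; indented lines
    belong to the preceding section. Blank lines and '!' separators are skipped.
    """
    sections: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per control-plane protocol instance lacking authentication."""
    findings: list[Finding] = []
    sections = parse_sections(config)

    # First pass: is OSPF running, and does the process authenticate at area level?
    ospf_present = False
    ospf_area_auth = False
    for header, body in sections:
        if header.startswith("router ospf"):
            ospf_present = True
            ospf_area_auth = any(re.match(r"area \S+ authentication", l) for l in body)

    for header, body in sections:
        if header.startswith("snmp-server community"):
            community = header.split()[2]
            if community.lower() in WEAK_SNMP_COMMUNITIES:
                findings.append(Finding("SNMP", header,
                                        f"well-known community string '{community}'"))
        elif header.startswith("router bgp"):
            # Every 'neighbor X remote-as' should be paired with 'neighbor X password'.
            neighbors = {l.split()[1] for l in body if re.match(r"neighbor \S+ remote-as", l)}
            protected = {l.split()[1] for l in body if re.match(r"neighbor \S+ password", l)}
            for n in sorted(neighbors - protected):
                findings.append(Finding("BGP", header, f"neighbor {n} has no TCP MD5 password"))
        elif header.startswith("interface"):
            # HSRP: every 'standby <group> ip' needs 'standby <group> authentication'.
            groups = {l.split()[1] for l in body if re.match(r"standby \d+ ip\b", l)}
            authed = {l.split()[1] for l in body if re.match(r"standby \d+ authentication", l)}
            for g in sorted(groups - authed):
                findings.append(Finding("HSRP", header,
                                        f"standby group {g} runs without authentication"))
            # OSPF heuristic (assumption): with no area-level authentication in the
            # process, each routed interface must enable authentication itself.
            has_ip = any(l.startswith("ip address") for l in body)
            has_ospf_auth = any(l.startswith("ip ospf authentication") for l in body)
            if ospf_present and has_ip and not ospf_area_auth and not has_ospf_auth:
                findings.append(Finding("OSPF", header,
                                        "no OSPF authentication on this interface or its area"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.protocol}] {f.location}: {f.message}")
```

Run against the sample, the audit reports four gaps spread over four different protocols and three different configuration contexts (global, interface, routing process); a fabric that authenticates devices once and encrypts all control-plane traffic uniformly removes exactly this kind of per-protocol bookkeeping.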
SD-WAN Security Overview
Cisco has adopted a completely different approach to WAN security based on three fundamental principles:
- Fabric Security - The solution ensures that all devices participating in the network are genuine and trusted. All communication between network devices is encrypted automatically, eliminating the manual box-by-box approach to securing each WAN link and each control-plane protocol.
- Embedded Security - The solution integrates security functions such as Zone-Based Firewall, IPS, URL Filtering (URLF), and Advanced Malware Protection (AMP) into the router software, eliminating the need for separate dedicated hardware appliances. This removes the network sprawl at branches.
- Cloud Security - The solution integrates with multiple cloud security providers, making the transition to a hybrid security model straightforward.
Figure 12.2 summarizes the security pillars provided by Cisco SD-WAN. Let's explore each one.