Factoring Threat into SD-WAN

The ability to optimize wide area network (WAN) performance based on real-time control objectives is an essential component of any global distributed enterprise. Relevant criteria for dynamically tuning WAN functionality from a branch office or data center include measured latency, available bandwidth, and policy objectives. As can be seen from major carriers such as AT&T, the adoption of software-defined techniques can lower cost and improve flexibility in WAN management.

Network product vendors have also discovered the incredible power of SD-WAN, and have begun developing integrated suites of tools for optimizing wide area network communications between branches, data centers, and now clouds. These tools provide WAN managers with advanced software-defined controllers that serve as a dashboard for optimizing the performance of a modern hybrid cloud enterprise.

Speaking at the Fortinet Fast and Secure Conference this week in Dallas, Nirav Shah, Director of Product Marketing at Fortinet, offered an exciting glimpse into this new world of programmable wide area networks. Predicting SD-WAN usage to reach 30% of enterprise branches by 2019, Nirav showed how the Fortinet solution fabric allows for zero-touch provisioning of WAN connectivity including support for link quality management, load balancing, and path control.

Nirav’s talk was especially encouraging to security engineers, because software-defined networking integrates WAN control with protection policy. Familiar security approaches such as NGFW, SSL inspection, and IPsec VPN are all included in the Fortinet suite, and do not require any special new tools for day-to-day management. A single team should have no trouble handling the networking and security in a seamless manner.

But after Nirav stepped down from the podium, I pulled him aside to share a technical recommendation that has been on my mind for some time – namely, that threat-based cyber security situational awareness should play a much heavier role in SD-WAN dynamic control. Threat feeds, SIEM output, and forensic results, for example, should have a more direct and more automated influence on how software-defined decisions are being made for the WAN.

Security engineers already tout the benefits of SD-WANs in streamlining DDoS defense by improving link management in the face of heavy traffic volume burdens. But this can be easily extended to dynamic route avoidance, priority adjustments, and policy rule changes if the cyber threat management telemetry suggests a serious data breach or vulnerability at some branch site. Automation might even be achieved through protocols such as STIX or TAXII.

Here’s an example: Suppose that a complex hybrid enterprise of branches, data centers, and clouds running MPLS with SD-WAN controls detects through its SIEM that some remote branch is showing signs of malicious exploitation. The SD-WAN should have the ability to dynamically adjust link prioritization so that non-essential traffic avoids this infected branch while forensic investigators use the underlying virtual controls to create a real-time image of the problem. (I know that's a bit of a mouthful, but you can be sure that hackers will not like this.)
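To make the route-avoidance and priority-adjustment idea from the two paragraphs above concrete, here is an added illustration in Python. It is not Fortinet's code or any vendor's SD-WAN API; the topology, link metrics, SIEM alert records, severity threshold and traffic classes are all constructed for the example. The controller logic aggregates SIEM alerts into a per-site threat score, then recomputes shortest paths with a threat-adjusted link cost: non-essential traffic is steered around any site whose score crosses the threshold (and is held rather than routed if the compromised site is its destination), while essential traffic such as forensic imaging keeps its normal, lowest-cost path into the affected branch.

```python
"""Threat-aware SD-WAN path policy (added example; not vendor code).

Constructed assumptions:
- Sites: hq-dc, branch-a, branch-b, cloud-east, joined by links with latency and bandwidth.
- A SIEM emits alerts as dicts with 'site', 'severity' (0-10) and 'category'.
- Traffic classes: 'essential' (forensics, patching, incident response) must still
  reach a compromised site; 'non-essential' (bulk sync, guest traffic) must avoid it.
"""
from dataclasses import dataclass
import heapq

THREAT_THRESHOLD = 7        # severity at or above which a site is treated as compromised
AVOIDANCE_PENALTY = 10_000  # added to any link touching a compromised site (non-essential only)


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    latency_ms: float
    bandwidth_mbps: float


# Constructed topology: the branch-b path is normally the cheapest way to cloud-east.
LINKS = [
    Link("hq-dc", "branch-a", latency_ms=10, bandwidth_mbps=100),
    Link("hq-dc", "branch-b", latency_ms=5, bandwidth_mbps=200),
    Link("branch-a", "branch-b", latency_ms=8, bandwidth_mbps=20),
    Link("branch-a", "cloud-east", latency_ms=15, bandwidth_mbps=200),
    Link("branch-b", "cloud-east", latency_ms=5, bandwidth_mbps=200),
]

# Constructed SIEM output: branch-b shows signs of exploitation, branch-a is noise.
SIEM_ALERTS = [
    {"site": "branch-b", "severity": 9, "category": "lateral-movement", "rule": "CONSTRUCTED-RULE-001"},
    {"site": "branch-a", "severity": 3, "category": "policy-violation", "rule": "CONSTRUCTED-RULE-002"},
]


def threat_scores(alerts):
    """Collapse SIEM alerts into one score per site (highest severity seen)."""
    scores = {}
    for alert in alerts:
        scores[alert["site"]] = max(scores.get(alert["site"], 0), alert["severity"])
    return scores


def is_compromised(site, scores):
    return scores.get(site, 0) >= THREAT_THRESHOLD


def link_cost(link, scores, traffic_class):
    """Base cost = latency plus a bandwidth-pressure term; non-essential traffic
    pays a large penalty for any link that touches a compromised site, so it is
    routed around that site whenever an alternative path exists."""
    cost = link.latency_ms + 1000.0 / link.bandwidth_mbps
    if traffic_class == "non-essential":
        if is_compromised(link.a, scores) or is_compromised(link.b, scores):
            cost += AVOIDANCE_PENALTY
    return cost


def best_path(src, dst, links, scores, traffic_class):
    """Dijkstra over the site graph using threat-adjusted link costs.
    Returns (path, total_cost) or (None, inf) if dst is unreachable."""
    adj = {}
    for link in links:
        adj.setdefault(link.a, []).append((link.b, link))
        adj.setdefault(link.b, []).append((link.a, link))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node == dst:
            break
        for nxt, link in adj.get(node, []):
            nd = d + link_cost(link, scores, traffic_class)
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, float("inf")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return list(reversed(path)), dist[dst]


def decide(src, dst, alerts, traffic_class, links=LINKS):
    """Controller decision for one flow: ('route', path) or ('hold', None).
    Non-essential traffic destined for a compromised site is held rather than
    delivered; everything else is routed on the threat-adjusted shortest path."""
    scores = threat_scores(alerts)
    if traffic_class == "non-essential" and is_compromised(dst, scores):
        return ("hold", None)
    path, _ = best_path(src, dst, links, scores, traffic_class)
    return ("route", path)


if __name__ == "__main__":
    for cls in ("non-essential", "essential"):
        print(cls, "hq-dc -> cloud-east, no alerts:", decide("hq-dc", "cloud-east", [], cls))
        print(cls, "hq-dc -> cloud-east, with alerts:", decide("hq-dc", "cloud-east", SIEM_ALERTS, cls))
        print(cls, "hq-dc -> branch-b, with alerts:", decide("hq-dc", "branch-b", SIEM_ALERTS, cls))
```

With no alerts, both traffic classes ride the cheaper branch-b path to the cloud. Once the SIEM reports severity 9 at branch-b, non-essential traffic shifts to the branch-a path and anything non-essential bound for branch-b is held, while essential traffic (the forensic team's imaging session, for instance) still takes the direct link into the branch. In a real deployment the alert list would be fed from the SIEM or a TAXII collection and the decisions pushed through the vendor's controller API; both of those integration points are outside what this example models.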

I thought it prudent to share my thoughts here in this article with you, since the expanded power and reach of our collective social community can multiply our ability to influence network vendors to move in this direction. I can tell you that Nirav was certainly open to the idea, and I have a strong suspicion that the major Tier 1 carriers will like it as well. And this all stands to reason, because most APTs involve lateral traversal of an enterprise between branches. Having smarter WANs that are connected to threat feeds just makes sense.

So, if you are part of the team running the WAN in your enterprise, then it is time to connect with your favorite vendors and carriers to toss this idea around. In this era of uncontrolled APT attacks such as Equifax, I think it’s time now to bring on the cavalry. And for an old network professional like myself, that means bringing on the teams managing and optimizing your enterprise wide area network. I’m sure Nirav and the Fortinet team will be happy to help as well.

Let me know what you think.