SD-WAN has been a bright spot in the networking industry over the last several years, its ability to simplify operations while decreasing expenditures resonates strongly with potential users. With all its merits – PLUS industry hype – the broad market adoption forecast by industry analysts has failed to materialize. I’m not worried about the SD-WAN market, it will grow as predicted, just a bit more slowly. What’s holding SD-WAN back? I think there are likely a few factors contributing, today I’d like to focus on security. Traditional SD-WAN solutions have limited the scope of security to simple packet encryption and authentication using IPSec, access control with Access Control Lists (ACLs) and intrusion prevention/detection. To successfully deploy at scale solutions must also include granular segmentation capabilities, support for multi-tenancy and Zero Trust Security (ZTS). Our Session Smart SD-WAN solution supports all baseline security requirements but also extends the scope to include the full requirements for a secure, large scale SD-WAN deployment.
Traditional SD-WAN Security:
When it comes to per packet encryption and authentication, the Session Smart solution is superior to the traditional IKEv1/IKEv2/IPSec based solution implemented by most SD-WAN vendors. 128 Technology’s deny-by-default rule, along with access control using context-specific access policies, allows network architects to avoid complexity and design an easy to deploy SD-WAN network.
Unique to our solution is Adaptive Encryption (AE), an encryption technology based on FIPS 140-2 certified AES256/HMAC-SHA256 algorithms. With Adaptive Encryption, packets that have been encrypted using IPSec or HTTPS (as most Internet traffic is), will not be re-encrypted, eliminating double encryption. This improves performance and while providing a cost savings compared to traditional SD-WAN solutions.
Our solution provides layer-3/layer-4 stateful firewall capabilities that are applied per service and on a per session basis. Each session created under a service will go through a thorough DOS/DDOS/IDS/IPS inspection along with URL filtering checks. If packet inspection and URL checks determine that the session created does not match Enterprise policy, the session is blocked and appropriate security logs, audit logs, and alarms are generated. 128T has full support for SNAT/DNAT, both source and destination address/port are masked on the public network, eliminating most attacks that require knowledge of network addresses. Detailed analytics are provided on a per session and per service basis, which aids in advanced threat mitigation. 128T also has Service Function Chaining (SFC) capability, allowing a 128T router to service chain with a third party next-generation firewall.
Extending the Reach of SD-WAN Security:
Granular Segmentation and Mulit-tenancy: With our approach, called hypersegmentation, network segmentation is directly tied to the services and applications in use. Administrators define the tenants and attach services to these tenants. Hypersegmentation eliminates the need for VLAN, VxLAN, IPSec or any other tunneling technologies.
Zero Trust: Hypersegmentation enables Zero Trust Security (ZTS) in the network by default. Administrators define encryption/authentication policies, access rules, and traffic engineering parameters per tenant and per service. With hyper-segmentation unique encryption/authentication policies can be defined per tenant, meaning that each network built using 128T routers is truly ZTS enabled.
Session Smart SD-WAN provides all security features of existing SD-WAN solutions plus granular segmentation capabilities, support for multi-tenancy and Zero Trust Security (ZTS). This solution is simplified, easier to manage, more cost-effective and future proofed, allowing network architects to build a real next generation SD-WAN.
Want to learn more about 128 Technology’s security capabilities? Download the paper: