What SD-WAN security issues should I be aware of?

Hi peers,

What are some of the most common SD-WAN security vulnerabilities? How can I detect and prevent these potential security issues? 

Rony_Sklar, Community Manager at a tech services company with 51-200 employees

9 Answers

Product Development Manager at a comms service provider with 501-1,000 employees
Feb 15, 2023

In my experience, one way we can prevent vulnerabilities in SD-WAN is by using an IPS/IDS feature. Moreover, we can leverage the other security features offered by the SD-WAN vendors. To the best of my knowledge, Versa Networks is one of the most sophisticated SD-WAN vendors. They have a great solution for both networking and security.

Richard Vivian, Chief Technology Officer at KOLOK SA
Jul 29, 2020

The Citrix SD-WAN comes with a full firewall that is very capable. You just need to make sure that you harden the rules. I would follow an approach of blocking everything, then opening only what you need. One point to note: there is a difference between applying a block rule and a drop rule. A block still takes some processing; a drop just ignores those packets. This makes a big difference when facing DDoS attacks. Use drop rather than block, or DDoS will still take your services down. NOTE: this is a quick response, not a tech note. Check all changes carefully before implementing.
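
The default-deny policy described above, written out for a Linux-based edge as an nftables ruleset. This is an added example, not Citrix configuration or anything from the original answer: the interface names (wan0, lan0, sdwan0), the management hosts in the set, and the choice of IPsec/IKE as the overlay transport are all assumptions. The mapping of the answer's "block" to nftables `reject` and its "drop" to `drop` is mine.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny policy for an internet-facing SD-WAN edge.
# Interface names, the management set and the overlay ports are assumptions.

flush ruleset

table inet edge {
    # Sources allowed to reach the management plane (assumed addresses).
    set mgmt_allow {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10, 10.0.0.0/24 }
    }

    chain input {
        # Weak setting: "policy accept", or closing the chain with a "reject"
        # rule. Hardened setting: the chain policy itself is drop, so any
        # unmatched packet is discarded without building an ICMP/TCP error reply.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Overlay / control-plane traffic from the underlay (assumed IPsec transport).
        iifname "wan0" udp dport 500 accept      # IKE
        iifname "wan0" udp dport 4500 accept     # IPsec NAT-T
        iifname "wan0" meta l4proto esp accept

        # Management (SSH/HTTPS): LAN side freely, WAN side only from the set.
        iifname "lan0" tcp dport { 22, 443 } accept
        iifname "wan0" ip saddr @mgmt_allow tcp dport { 22, 443 } accept

        # Everything else falls through to the drop policy. No "reject" rule
        # here: reject spends CPU per hit and makes the box answer a flood.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan0" oifname { "wan0", "sdwan0" } accept
    }
}
```

Load it with `nft -f` on a test box before the edge, and check the policy words on both chains: a chain that ends in `reject` but has `policy accept` still admits whatever the rules did not name.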

Director at Secure Design Communications Limited
May 27, 2020

Restricting this response to security only. Keep focused on your desired outcome. SD-WAN protects by communication encryption. Is this all you want to protect? What about your data at rest, what about the human risk, what about Active Directory, what about passwords? Security is an entire posture. Also consider that once inside the SD-WAN an intruder moves with impunity unless the chosen SD-WAN inspects TLS (still commonly called SSL inspection). Ensure your SD-WAN choice includes strong security with the ability to integrate with other security applications. Then also remember that a good SD-WAN will improve the performance of the underlying circuits, but not change the nature of the circuit: a contended broadband will still be a contended broadband. Lastly, if multiple vendor applications are used, a single user interface will save your limited time.

Director at a integrator with 11-50 employees
May 27, 2020

Adding NGFW functions to a pure-play SD-WAN solution is much more difficult than adding SD-WAN features to an NGFW. So when you move away from backhauling all branch traffic to HQ (towards direct cloud access and enabling edge computing), you need to be sure that the local traffic is secured enough, and that this traffic is inspected for intrusion attempts and malware downloads. Cloud is not secure by default. That's why you need to plan security controls locally, with the ability to manage and monitor them from HQ. I would prefer to use a single appliance at the branch which can do both security inspection and SD-WAN at a high level.

Account Director at a tech services company with 51-200 employees
May 27, 2020

It depends which SD-WAN vendor you are considering. Pure-play SD-WAN solutions generally lack enterprise-grade security features, and their architectures require a firewall, which means more complexity and cost. A number of firewall vendors have Secure SD-WAN appliances that incorporate NGFW and SD-WAN functionality in one appliance. Pure-play vendors are well known for overselling their security capabilities and leaving customers vulnerable.

A risk with SD-WAN devices is that you move away from hub-and-spoke networking to meshed, which means that there is a potential for the compromise of one device to give attackers visibility into the traffic flow from across the network. It's more efficient, manageable and cost-effective to have a Secure SD-WAN device from a security vendor.

Country Manager at Gilat Satellite Networks
May 26, 2020

SD-WAN comes with a firewall inside the device; the issue with those firewalls is a lack of features like SSL VPN. It is recommended to recheck management access, because this device is connected directly to the Internet, and to make sure it is always up to date.

Remember, this is the direct link from the Internet/branches, with default security once installed, so again, make sure to configure it correctly.
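
The two checks in the answer above (is management reachable from the Internet, and is the firmware current) as a small audit over an edge inventory. This is an added example, not vendor code or anything from the original answer: the inventory shape, the WAN interface names, the firmware baseline and the sample devices are all constructed assumptions; a real run would fill `SAMPLE_EDGES` from the orchestrator's API or an exported config.

```python
"""Management-plane exposure check for internet-facing SD-WAN edges.

Added example, not from the original thread or any vendor. The inventory
format, interface naming and firmware baseline are assumptions.
"""
from dataclasses import dataclass, field

MIN_FIRMWARE = "7.2.5"                        # assumed fleet baseline
WAN_INTERFACES = {"wan0", "wan1", "internet"}  # assumed naming convention


@dataclass
class MgmtService:
    name: str              # e.g. "ssh", "https"
    interfaces: list       # interfaces the service listens on
    allowed_sources: list  # ACL entries: CIDRs or "any"


@dataclass
class Edge:
    name: str
    firmware: str
    services: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'7.2.5' -> (7, 2, 5); '7.2' is padded so it compares as (7, 2, 0)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_unrestricted(source: str) -> bool:
    """True for ACL entries that admit the whole Internet ('any', 0.0.0.0/0, ::/0)."""
    source = source.strip().lower()
    if source == "any":
        return True
    if "/" in source:
        return int(source.rsplit("/", 1)[1]) == 0
    return False


def audit_edge(edge: Edge) -> list:
    """Return (edge, severity, message) findings for one device."""
    findings = []
    if parse_version(edge.firmware) < parse_version(MIN_FIRMWARE):
        findings.append((edge.name, "HIGH",
                         f"firmware {edge.firmware} below baseline {MIN_FIRMWARE}"))
    for svc in edge.services:
        on_wan = [i for i in svc.interfaces if i in WAN_INTERFACES]
        if not on_wan:
            continue  # LAN-only management is out of scope for this check
        if any(is_unrestricted(s) for s in svc.allowed_sources):
            findings.append((edge.name, "HIGH",
                             f"{svc.name} reachable from any Internet source on {on_wan}"))
        else:
            findings.append((edge.name, "INFO",
                             f"{svc.name} exposed on {on_wan}, restricted to {svc.allowed_sources}"))
    return findings


def audit(edges) -> list:
    return [f for e in edges for f in audit_edge(e)]


# Constructed sample inventory (not real devices).
SAMPLE_EDGES = [
    Edge("branch-01", "7.0.3", [
        MgmtService("https", ["wan0", "lan0"], ["any"]),
        MgmtService("ssh", ["lan0"], ["10.10.0.0/16"]),
    ]),
    Edge("branch-02", "7.2.5", [
        MgmtService("https", ["wan0"], ["203.0.113.10/32"]),
        MgmtService("ssh", ["lan0"], ["10.10.0.0/16"]),
    ]),
]

if __name__ == "__main__":
    for name, severity, msg in audit(SAMPLE_EDGES):
        print(f"{severity:5} {name}: {msg}")
```

Run against the sample, branch-01 gets two HIGH findings (old firmware, HTTPS open to the world on wan0) and branch-02 only an INFO for its source-restricted WAN management, which is the state the answer recommends.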

Senior Pre-sales consultant at Businesscom BV
May 27, 2020

This depends on the supplier. Most of the well-known cloud suppliers know how to do security. Best to be aware of the human factor, things like account takeover. To prevent account takeovers, two-factor authentication would help a lot.

it_user1146165, Cybersecurity Pre-Sales at Ingram Micro Inc.
May 27, 2020

The SD-WAN does not have any vulnerability, since that feature can be natively integrated with a security platform, such as an SD-WAN gateway that uses security as a virtual network function (VeloCloud + Palo Alto Networks, Citrix + Palo Alto Networks), or a native security platform with a plug-in SD-WAN (Palo Alto Networks, Fortinet). The main advantage of the second option is that you only have to use one orchestration console.

President at a printing company with 51-200 employees
Aug 12, 2020

The Fortinet Secure SD-WAN solution is included in the firmware, with no additional license required, and you can implement all NGFW functions, making it secure. Additionally, it has one of the highest throughputs and LCO. You can steer traffic in multiple ways across your links, implementing SLA levels for each type of traffic. Very happy with the solution.
