Capitalizing on the promise of 5G with secure SD-WAN
by Blogs & Opinions
Given the legacy architectures of most organizations and public networks in place, delivering all 5G connectivity and performance – including ensuring adequate bandwidth, latency and compute resources – all the time will not be possible on day one.
Instead, 5G will gradually become available, supporting a growing number of use cases and capabilities over time. Fortunately, not only do many devices in use today not yet support 5G, but the majority of applications don't require that level of performance. So for the near term, all connectivity methods need to remain on the table, whether 3G/4G/LTE, MPLS, DSL or 5G.
The trick is in being able to provide the right connection to the right device using a specific application, recognizing when those requirements change or if a connection begins to degrade, and then being able to make connectivity changes on the fly without interrupting things like streaming services.
At the same time, security needs to avoid exposing sensitive traffic to risk simply because a connection shifts to another protocol and security is forced to play catch-up. This requires smart networks that are able to evaluate the performance capabilities of end-user, edge, and even IoT devices along with the performance requirements of an application, map them to an optimum connection, and then not only change those connections when needed, but also keep security in the loop so everything adjusts at the same time.
However, adding 5G to the set of available connection options isn't as easy as just having another connectivity choice. Adding another option to a complex system with multiple moving parts actually compounds the challenge of selecting, monitoring and managing connections exponentially – which can quickly outstrip the capacity and management capabilities of traditional edge-based routers.
SD-WAN is already 5G-ready
Fortunately, SD-WAN solutions are already designed to support and manage 5G connections. In just a few packets, an SD-WAN solution is able to determine the requirements needed to establish the most appropriate connection between any device and the application or service it needs to access. While some of those connections may require the high bandwidth and low latency 5G can deliver, others require something far less, and SD-WAN can automatically make that determination.
Imagine a branch office with 50 users all making connections to different services. SD-WAN solutions should have the flexibility to establish and modify all of those connections based on a number of criteria, including bandwidth requirements, connection quality and even cost – and also dynamically swap them out if a connection degrades to sub-optimal performance due to latency, jitter, or packet loss.
SD-WAN not only actively monitors all connections, but is constantly mapping application performance to available connections to ensure that every device has the best possible connection rates at any given moment.
Complex SD-WAN environments challenge traditional security
The bigger challenge is adding security to the mix. Traditionally, WAN traffic was backhauled through the data center, where it received the protections of the full stack of enterprise-class security. When that hub and spoke model is replaced with SD-WAN, however, all those protections go away. Unfortunately, most SD-WAN solutions try to replace those advanced protections with VPN and a basic firewall. And that's not good enough.
To support the dynamic connectivity and accelerating bandwidth requirements of today's organizations and applications, SD-WAN needs to manage an environment in constant flux. Unfortunately, this also leaves security operating in a perpetually reactive mode, constantly trying to catch up as connection and application requirements continually change – leaving huge security gaps that cybercriminals and sophisticated malware are only too happy to exploit.
5G compounds the challenge of securing SD-WAN
Securing an SD-WAN environment becomes even more complex once 5G is added to the mix, and will require two things. First, security will need to function even faster. Tasks like inspecting encrypted traffic traveling at 5G speeds will simply overwhelm most next-gen firewalls. Encrypted traffic already makes up more than 70% of network traffic, and that number is climbing as SD-WAN transactions happen directly over the public Internet.
At the same time, the adoption rate of TLS 1.3 – the faster and more secure successor to SSL – is picking up. These changes make it more critical than ever for security to provide deep inspection of encrypted traffic without interrupting business critical transactions and communications.
However, that's easier said than done. Inspecting encrypted traffic already takes such a significant toll on NGFW performance that many vendors simply refuse to make their performance numbers public. So actively inspecting the rising volume of encrypted traffic – especially when using TLS 1.3 to secure 5G connections – will drive the firewall and, as a result, SD-WAN connectivity to its knees, undermining one of the primary reasons why 5G was adopted in the first place.
Most security devices rely on off-the-shelf processors that were never designed to handle these new performance requirements. What's needed is a purpose-built secure SD-WAN solution designed from the ground up to keep pace with security-intensive processing such as inspecting encrypted traffic. Advanced hardware using purpose-built security ASICs rather than commercial processors is essential for accelerating critical security functions to maintain SD-WAN performance.
Second, security needs to be completely integrated with the networking side of SD-WAN. When a connection needs to be changed, networking and security need to work in concert to ensure the entire connection – connectivity protocols, applications and security – can respond as a single, integrated system. And a unified management interface ensures that any changes to the SD-WAN environment can be seen and orchestrated through a single pane of glass.
Secure SD-WAN is the ideal solution for organizations of any size
Enterprises are already transitioning from traditional WAN router and MPLS configurations to SD-WAN solutions to support the growing flexibility and performance requirements of their remote locations – including their plans for adopting 5G. But service providers are also finding that a service infrastructure built around SD-WAN enables them to provide advanced functionality to their customers, including the future deployment of 5G connectivity to ensure new SLAs, while continuing to leverage the rest of their connectivity services, such as MPLS, DSL, and fiber.
While 5G is likely to have a gradual, yet profound impact on the digital landscape, the full range of benefits businesses can take advantage of depends on the infrastructure that supports it. Secure SD-WAN solutions can seamlessly adapt 5G to prepare organizations for the next round of digital innovation.
— Satish Madiraju, Director of Products and Solutions, Fortinet