Over the last several years, there has been an evolution within the enterprise and public Internet space that has shifted traditional networking designs towards a more “application centric” approach. With this design philosophy, network architects have been able to create custom virtual networks tailored for specific applications that run over a common physical underlying network of routers, switches, and other appliances. As this “Software Defined Networking (SDN)” approach has matured over the last few years, the realization that the design could benefit the productivity and security not only of the Enterprise Local Area Network (LAN) but also of the more complex and cost-sensitive Wide Area Network (WAN) has created an exciting new segment within the cloud provider industry. This implementation of SDN beyond the Enterprise LAN is called SD-WAN, or Software-Defined Wide Area Network.

Within this paper, we will discuss what zero-trust security is and how SD-WAN implements it within the WAN in such a way as to preserve the scalability, and thus the viability, of SD-WAN as a realistic business solution.

Zero-Trust Security

Zero-trust security is a concept originated by Forrester Research as part of their work for the National Institute of Standards and Technology (NIST). As an extension of an existing technique called network segmentation, zero-trust security ensures that 100% of network segments, or links, are treated as untrusted and provide confidentiality (encryption), integrity (hashing), and availability. It also enforces the principle of least privilege and strictly enforces access control. Further, zero-trust security inspects and logs all traffic, and provides a programmatic framework, usually via application programming interfaces (APIs), for external monitoring, analytics, and centralized automation and orchestration.[1]

How SD-WAN Implements Zero-Trust Security

As a cloud-focused technology, one of SD-WAN’s primary functions is to provide the greatest scalability with the easiest management to enterprise consumers of cloud technology. This means that the metrics used to make data forwarding decisions, collectively called the control plane, are stored within the cloud service provider’s network, out in the WAN. Traditionally, the greatest concern of organizations adopting cloud-focused technologies has been the security of their data as it traverses networks external to their own secured data centers. While securing the data plane (the network segments where actual customer data is transmitted) is accomplished with the well-known IPsec VPN technology, securing the control plane has always been more difficult. To fully secure the control plane within a normally unsecured WAN, SD-WAN providers use Datagram Transport Layer Security (DTLS). DTLS is a lighter-weight variant of the TLS protocol that transmits its packets over UDP instead of TCP. The choice of UDP provides two key benefits: 1) customers do not have to manually punch holes in their firewalls to allow DTLS control traffic to pass, and 2) it provides faster traffic, since it does not require packets to be acknowledged in the way that TCP does.[2] Using DTLS, SD-WAN service providers are able to secure each untrusted connection with full confidentiality (AES-256 encryption) and integrity (SHA-3 hashing). These providers also enforce mutual certificate-based authentication of both sides of the network link across the DTLS connections. Further, SD-WAN is able to centralize all control plane operations within the cloud, which not only greatly enhances its scalability but also allows whitelisting of every device that connects to the network. This whitelist is comprised of an identifying number for each customer edge router, such as its serial number. As these edge devices communicate across the WAN to the SD-WAN provider, the whitelist is consulted first; only after being found on the whitelist can an organization’s edge router pass traffic across the WAN.[3]

Summary

In closing, we can see not only how powerful SD-WAN is, but also how it uses zero-trust security techniques to provide a level of security not seen before within the WAN cloud-provider space. By combining the DTLS protocol, mutual certificate-based authentication, and device whitelisting, SD-WAN providers are able to treat each and every connection as untrusted and enforce full authentication, encryption, and integrity on all network segments. In the modern age of application-centric architectures, SD-WAN will bring the same level of performance, security, and stability to the WAN that exists today within the LAN.

Notes

[1] Robert C. Covington, “Throw out the trust, and verify everything,” CSO Online, https://www.csoonline.com/article/2944794/network-security/throw-out-the-trust-and-verify-everything.html.
[2] Datagram Transport Layer Security, IETF, https://tools.ietf.org/html/rfc4347.
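As an added illustration, not part of the original paper, of the admission sequence described under “How SD-WAN implements Zero Trust Security”: an edge router must first complete mutual certificate authentication and then be found on the provider’s device whitelist before it may forward any traffic, with every decision logged. The whitelist entries, the sample certificate, the site labels and the function names are constructed for this example. The certificate is laid out in the dictionary format that Python’s ssl.SSLSocket.getpeercert() returns for a verified peer, so the same gate could sit behind a real mutually authenticated socket; Python’s ssl module does not itself speak DTLS, so the transport is assumed to be provided elsewhere.

```python
"""Constructed example: a control-plane admission gate for SD-WAN edge routers.

Models the two checks the paper describes before an edge router may forward
traffic: the device must complete mutual certificate authentication, and its
serial number must be on the provider's whitelist. The verified peer
certificate is represented by the dictionary that Python's
ssl.SSLSocket.getpeercert() returns, so the gate can be dropped behind a real
mutually authenticated socket. Every decision is logged, as zero trust requires.
"""
import logging
import ssl
import time
from typing import Optional

log = logging.getLogger("sdwan.admission")

# Constructed whitelist: edge-router serial -> customer site it belongs to.
# A real provider keeps this in its orchestration database.
DEVICE_WHITELIST = {
    "EDGE-0001-AB12": "acme-corp/hq",
    "EDGE-0002-CD34": "acme-corp/branch-7",
}

# Constructed peer certificate in getpeercert() format (not a real device).
# Note the two different serials: the top-level "serialNumber" is the X.509
# certificate serial; the device serial is the X.520 serialNumber attribute
# inside the subject, which is what the whitelist is keyed on.
SAMPLE_PEER_CERT = {
    "subject": (
        (("organizationName", "Acme Corp"),),
        (("commonName", "edge-0001.acme.example"),),
        (("serialNumber", "EDGE-0001-AB12"),),
    ),
    "issuer": ((("commonName", "SD-WAN Provider Device CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
    "serialNumber": "0A1B2C3D",
}


def device_serial_from_cert(peer_cert: dict) -> Optional[str]:
    """Return the device serial from the certificate subject, or None.

    getpeercert() encodes the subject as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs. Serials are normalised so that a whitelist
    entry and a certificate attribute differing only in case still match.
    """
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "serialNumber":
                return value.strip().upper()
    return None


def admit_edge_device(peer_cert: dict, whitelist: dict = DEVICE_WHITELIST,
                      now: Optional[float] = None) -> Optional[str]:
    """Return the site the device may carry traffic for, or None to deny.

    The gate fails closed: no verified certificate, no serial attribute, a
    certificate outside its validity window, or a serial missing from the
    whitelist all result in denial.
    """
    now = time.time() if now is None else now
    if not peer_cert:
        # getpeercert() returns {} when the peer sent no certificate or the
        # socket was not configured to verify it.
        log.warning("deny: peer presented no verified certificate")
        return None
    serial = device_serial_from_cert(peer_cert)
    if serial is None:
        log.warning("deny: certificate has no subject serialNumber attribute")
        return None
    # Defence in depth: the TLS/DTLS stack already enforces validity dates,
    # but the gate re-checks so the decision does not rest on one layer.
    not_before = peer_cert.get("notBefore")
    not_after = peer_cert.get("notAfter")
    if not_before and now < ssl.cert_time_to_seconds(not_before):
        log.warning("deny: certificate for %s not yet valid", serial)
        return None
    if not_after and now > ssl.cert_time_to_seconds(not_after):
        log.warning("deny: certificate for %s expired at %s", serial, not_after)
        return None
    site = whitelist.get(serial)
    if site is None:
        log.warning("deny: serial %s is not on the device whitelist", serial)
        return None
    log.info("admit: serial %s authorised for %s", serial, site)
    return site


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    admit_edge_device(SAMPLE_PEER_CERT)  # admitted: known serial, valid cert
    admit_edge_device({})                # denied: no verified certificate
    unknown = dict(SAMPLE_PEER_CERT,
                   subject=((("serialNumber", "EDGE-9999-ZZ99"),),))
    admit_edge_device(unknown)           # denied: serial not whitelisted
```

The order of checks mirrors the paper’s description: the certificate check comes first (a device that cannot prove its identity never reaches the whitelist lookup), the whitelist is consulted before any forwarding decision, and the default outcome is denial. Keying the whitelist on an attribute inside the authenticated certificate subject, rather than on a serial the device merely announces, is what ties the two controls together.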