Securing SD-WAN with Zero Trust Network Segmentation

Airgap Networks
5 min read, May 16, 2022


SD-WAN in 2 Minutes

SD-WAN, or software-defined wide-area networking, is a programmatic, automated way to manage business network connectivity and circuit costs. It applies software-defined networking (SDN) in a platform that companies can use to set up a smart hybrid WAN quickly. SD-WANs use software to control communication, management, and services between data centers and remote branches or cloud instances. SD-WAN is widely used in critical enterprises such as healthcare organizations and operational technology (OT) infrastructure, and it is designed to support application communication with secure infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) offerings. SD-WAN can improve application performance and user experience, and therefore business productivity and agility, by building flexibility into the network, scaling as traffic grows, and simplifying infrastructure to improve manageability.

"The failure rate for network segmentation projects is high, and most projects last longer than the average tenure of a CISO." (Gartner, ID G00740393)

SD-WAN is more cost-efficient than traditional WAN because it does not depend on expensive infrastructure and multiprotocol label switching (MPLS) for traffic routing. As internet-based applications increasingly adopt SD-WAN architecture, the associated security practices are evolving as well. To deter modern ransomware attacks effectively, security teams must address intra-VLAN lateral threats and enforce just-in-time access to critical resources.

The issue, especially with SD-WAN, is that the infrastructure is continuously adapting to new technologies, driven by increasingly complex business requirements and by the demand for complete visibility and control of all inter- and intra-VLAN communications.

Figure 1. Simple SD-WAN Network Diagram

Transitioning from MPLS to SD-WAN

MPLS was developed for organizations operating several remote branch offices distributed across the country or the globe, where the majority of traffic is routed through data centers. Nowadays, businesses have redirected a large portion of their traffic to and from cloud providers, rendering MPLS obsolete. MPLS usage dropped 24 percent from 2019 to 2020, while SD-WAN implementation increased 18 percent to 43 percent over the same period. Before SD-WAN, traditional WAN connected users at branch offices and corporate campuses to applications hosted on data center servers. Dedicated MPLS circuits were often designed to support enhanced security and reliability. Network and resource digitization limits traditional WANs' performance because their complex network hierarchies make them difficult to secure. Due to a lack of flexibility, bandwidth limits, costly equipment, and their reliance on MPLS, traditional WANs are not designed to manage today's dispersed environments.

ACLs for SD-WAN Security

According to research by Coleman Parkes, 46 percent of the data breaches in 2021 were the result of organizations not having security policies for SD-WAN. Implementing an access control list (ACL) can establish access monitoring and restrictions. An ACL generally governs access to a particular resource based on source and destination addresses, and its permit/deny decisions provide the access records used for behavioral analysis.

The administrator defines the rules that permit traffic to enter and move within the network, but ACLs still have critical drawbacks: a lack of efficiency, scalability, and visibility. With the rise of advanced persistent threats (APTs) and organized cybercrime, organizational ACLs cannot guarantee that they will adequately block unauthorized access by attackers.

The upgrade from WAN to SD-WAN, together with the digital transformation that connects more and more devices, has widened the attack surface available to cybercriminals. Organizations are justifiably concerned about zero-day risks.

When under attack, a Zero Trust Isolation platform can immediately limit an enterprise's attack surface to the single infected endpoint, without any implicit trust. Zero Trust Isolation platforms provide ring-fencing isolation, which segregates and strictly controls access to each Layer 3 endpoint along production lines.

Bring Layers of Defense to Your Flat Network

Digital innovation is disrupting enterprise companies by introducing new networks such as dynamic multi-cloud that enable new services and commercial prospects. At the same time, these new environments bring with them a higher level of cyber threat.

Some organizations choose flat networks with an eye toward reducing cost, maintenance, and administration. This design, unlike hierarchical network segmentation, does not use different switches to physically segregate the network. Because all traffic flows through a single switch, it is impossible to divide the network into segments and restrict users from accessing specific areas. This makes it easier for attackers to intercept data on the network.
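The gateway-ACL model described under "ACLs for SD-WAN Security" and the flat-segment problem above, as an added example that is not from the original post or from Airgap: a Python first-match ACL evaluator over a constructed topology (segments, addresses, and rules are all assumptions) showing that a source/destination ACL on the Layer 3 gateway decides inter-segment flows but never sees traffic between two hosts that share one flat segment, which is exactly the intra-VLAN lateral path the post warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None matches any destination port

class GatewayAcl:
    """First-match ACL as enforced on a Layer 3 gateway; unmatched flows hit the
    implicit deny that ends every ACL."""

    def __init__(self, rules: List[AclRule]):
        self.rules = list(rules)

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if src in rule.src and dst in rule.dst and rule.dst_port in (None, dst_port):
                return rule.action
        return "deny"

def forward(segments: List[ipaddress.IPv4Network], acl: GatewayAcl,
            src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decide a flow's fate. A flow whose endpoints share one segment is switched
    at Layer 2 and never reaches the gateway, so the ACL is not consulted."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(src in seg and dst in seg for seg in segments):
        return "permit (intra-segment, ACL not consulted)"
    return acl.evaluate(src_ip, dst_ip, dst_port)

# Constructed sample topology (assumption): one flat branch segment holding both
# user workstations and OT devices, and a data-center segment with one app server.
SEGMENTS = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.20.0.0/24")]
ACL = GatewayAcl([
    AclRule("permit", ipaddress.ip_network("10.10.0.0/24"),
            ipaddress.ip_network("10.20.0.10/32"), 443),
    AclRule("deny", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0")),
])

if __name__ == "__main__":
    print(forward(SEGMENTS, ACL, "10.10.0.5", "10.20.0.10", 443))   # permit
    print(forward(SEGMENTS, ACL, "10.10.0.5", "10.20.0.10", 22))    # deny
    print(forward(SEGMENTS, ACL, "10.10.0.5", "10.10.0.77", 445))   # gap: ACL never consulted
```

The last call is the point: the same ACL would deny 10.10.0.5 to 10.10.0.77 on port 445 if asked, but a flat segment never asks it, which is why the post argues for per-endpoint segmentation rather than gateway ACLs alone.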

The convergence of IT and OT creates network vulnerabilities that organizations should closely monitor. Internet of Things (IoT) and similar devices can be easily manipulated because EDR/XDR agents usually cannot be installed on them. In 2022, it is anticipated that ransomware will serve as the primary attack vector against the industrial sector.

Airgap Networks is the industry’s first Zero Trust agentless segmentation solution, working at the convergence of IT and OT to protect companies from external and internal threats. Airgap prevents lateral threat movement, allows only permitted and verified access to high-value assets, and ensures rapid incident response with its unique Ransomware Kill Switch solution, all based on Zero Trust principles.

On 15 March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 became law in the U.S. It introduces new reporting requirements for cyber incidents (72 hours) and ransomware payments (24 hours) in 16 critical infrastructure sectors.

Companies often choose to adopt SD-WAN primarily because it allows seamless cloud access. Traffic for business-critical applications can be routed through the network infrastructure. On the other hand, SD-WAN falls short when it comes to on-site security. Security standards must still be implemented to ensure that networks are secure and not vulnerable to outside threats. A single data leak might damage the IT, OT, and IoT infrastructure. To enable an effective SD-WAN implementation, an agentless segmentation solution must be able to analyze trust levels in order to determine the appropriate amount of access to grant to particular users, devices, and services.

Despite an organization’s best efforts, human error can sometimes result in a ransomware compromise. In these instances, most IT firms resort to shutting down the networking infrastructure to protect against proliferation. This results in a loss of business productivity. Airgap’s patented Ransomware Kill Switch™ offers a more refined solution. Serving as a surgical attack response, it stops the spread of ransomware while allowing most business operations to continue. Zero Trust Agentless Segmentation supports all cloud, SaaS, and internal connectivity with integration compatibility with SD-WAN.

Organizations usually build separate SD-WAN and security measures, such as next-generation firewalls, to mitigate these threats. This requires IT and security teams to actively monitor their network traffic logs and look for hacker tools and for unauthorized devices and users attempting to connect to the system. The organization should mobilize extra security operations analysts to monitor traffic and conduct threat hunting operations with SIEM/SOAR solutions. Airgap Zero Trust Segmentation provides built-in integration with SIEM/SOAR solutions, continuously monitors the network, and analyzes every IP address associated with IoT, IoMT, IIoT, and OT critical infrastructure.

Want to know more about segmenting the big flat network or getting autonomous Ransomware defense? Schedule an intro call today with Airgap Networks.
