The Role of SD-WAN in Securing the Expanding Network Perimeter

Jody Hagemann Senior Director, SD-WAN Product Management, Comcast Business
Joseph Richardson, Sr. Director Cybersecurity Products, Comcast Business

Software-Defined WAN (SD-WAN) is one of the most rapidly adopted technologies of the past decade. According to a recent study published by Dell’Oro Group, the worldwide sales of SD-WAN technologies are forecasted to grow at double-digit rates over each of the next five years to surpass $3.2 billion in 2024. This growth is certainly a testament to some of the more well-known benefits of SD-WAN technology, such as centralized network policy management, network flexibility and application-aware routing. But we should not overlook how some of these same features can be optimized to boost network security, nor lose sight of the new security considerations that SD-WAN introduces.

With SD-WAN, branch offices are now part of an enterprise’s network topology, with their own Internet egress. Corporate devices can access the Internet via multiple endpoints, adding a layer of complexity to network security. However, if properly configured, SD-WAN can simplify management, help improve security, and decrease threat vectors. In total, SD-WAN greatly improves an organization’s security posture and can ultimately decrease the stress and costs associated with a security intrusion.

In this article, we will review how to optimize your SD-WAN to its full potential for advanced security protection from threats.

Key considerations

Traditional security models were designed to support a walled castle approach where all of a company’s data, applications, and users operate behind a firewall at a centralized headquarters or data center. As more enterprises are moving to the cloud, infrastructure and applications are moving out of the traditional data center to the edge, so security perimeters are evolving - making every access point and network element a potential security breach. The basic firewall functionality is not enough to protect enterprise networks. Organizations are better served by using an SD-WAN solution that integrates security into the network functionality. The following are some key considerations for optimization:

Network policies and segmentation for on-demand security: SD-WAN delivers the flexibility to segment networks and implement application-aware routing, thus limiting the attack surface of highly sensitive data and systems. For example, segmenting mission critical systems and data from those less critical systems like basic productivity, office and research tools creates risk domains. Network segmentation then minimizes the impact of a successful attack to said domain. When set up properly, enterprise security policies with segmentations will prevent or reduce the impact of any security incursion, and hopefully prevent propagation beyond the borders of the impacted segment.

Without SD-WAN, application-specific security protection for cloud-based applications can be complicated and expensive. By setting up protected regional zones to securely direct cloud-based application traffic to where it needs to go based on corporate security policies -- SD-WAN can help you architect and incorporate security controls to platforms and apps like AWS and Office 365 into your connectivity fabric.

Encryption: In order to protect the site-to-site traffic of corporate locations, software-defined networking (SDN) management connects all locations with a secure tunnel using AES256 encryption. SD-WAN can help you prioritize and route that traffic by application, and then allow IT leaders to apply security policies using the SD-WAN appliances as enforcement.

Unified threat management (UTM)/firewalls: UTM delivers multiple security functions through a single service designed to protect business infrastructure. This combined security approach can present a unified security posture over geographically dispersed, distributed networks. SD-WAN appliances with UTM and/or next-generation firewall capabilities built in, to protect each branch location – getting back to the expanding perimeter point. Using SD-WAN technology that includes integrated security solutions reduces the complexity of deploying and networking a separate suite of security tools. This includes point solutions like NGFW, IDS/IPS, URL or a fully stand-alone UTM.

Single Pane of Glass Monitoring: Once proper orchestration and security policies are in place, IT teams can monitor all traffic and ports. With SD-WAN’s real-time, simultaneous management of the network and UTM threat protection on a single pane of glass, flagging risks and thwarting potential threats can help reduce overall total cost of ownership and corporate risk profile.

Compliance: For retail or other credit card accepting digital commerce organizations, finding an SD-WAN solution that is PCI compliant should be a top consideration for transmitting sensitive credit card data using industry standard encryption. Flexible provisioning and segmentation capabilities of SD-WAN are especially relevant for retailers in order to easily isolate their POS systems, as well as other critical networks and data. While segregating the POS system from the rest of the network isn’t a requirement under the PCI standards, it is highly recommended and considered a best practice.

Managed security and managed SD-WAN: Managing both an SD-WAN and advanced security is simplified when combined, but can still be a lot to handle, especially in an environment where companies may be making staff reductions. Working with a service provider that has a broad purview of the threat landscape can reduce a threat before it even reaches the organization's perimeter. Threat visibility and management  are a critical component in managed security services and can offer peace of mind in an environment where security threats are constantly changing.


SD-WAN with Security simplifies management with agile network design that enables organizations to transform in stages, allowing new and old networks to co-exist securely. This reduces the complexity and effort required to redesign networks, providing a smooth migration path for any deployment models, from flat networks to highly segmented ones. And as this migration advances, special security rules and policies can be applied to reduce risk along the way. Optimally, advanced security and network architecture can work in harmony to deliver a network with enhanced performance, exceptional user experiences, and reliable connectivity with a strong security posture.

Help defend your network against fast-changing and malicious attacks with the Comcast Business suite of cybersecurity offerings.