Date post: 04-Jun-2020

WHITE PAPER

Enhancing network security through programmable networks

Attackers have morphed from lone-wolf mischief-makers to highly skilled groups and organizations that are focused on monetization or changes in geo-politics. Cybersecurity has become critical to organizations of all sizes. One of the most common points of attack is the wide area network (WAN). Many legacy networks are hard to defend, with disparate segments and no single management console. For this reason, many businesses are moving to programmable, software-defined networks to provide a foundation for dramatically enhanced security.

Executive takeaways

You will learn the following from this white paper:

Cybersecurity has become one of the most important corporate initiatives, with board and executive-level support for better protection

The next-generation SD-WAN incorporates a number of different capabilities and technologies for enhancing cybersecurity

SD-WAN solutions provide the basis for much-improved security, but it is essential to make the right choices to truly upgrade your defensive posture

Windstream Enterprise provides the combination of products and services to provide best-in-class security for SD-WANs


Introduction: Security is job #1

Ensuring cybersecurity is now the most important task, not only for IT, but for corporate management as well. As breaches become commonplace, new draft legislation such as the Consumer Data Protection Act and existing statutes in many states make the impact of any breach much more serious. Networks have become a focal point of many attacks.

Organizations must respond and do more to secure the WAN. According to a recent Forrester study, commissioned by Windstream Enterprise, nearly half of all organizations see improving network security as a top priority. There is good reason for this focus. A recent IBM X-Force Threat Intelligence study showed that nearly 20% of all breaches start with network intrusion.

The haphazard nature and inconsistency with which many legacy WANs were built have resulted in vulnerabilities that may be the conduit for an intruder. Most legacy WANs are composed of disparate and isolated links that make the application of consistent security policies difficult, if not impossible. Further, the randomness of the WAN makes it very likely that there are unknown gaps and vulnerabilities that may not be visible. It is very difficult to update or remediate vulnerabilities or deploy protection against new threats in a timely or even cohesive fashion.

Some vulnerabilities may arise because specific security tools and products are not used across all WAN links. This may be the result of binding specific apps to specific links. This approach forces the network management or security team to individually deploy and manage security for each link, a process that expands the possibility of human error and is highly resource-intensive. More importantly, increasing interconnection of network links makes a vulnerability at one site an opportunity to penetrate many others.

A highly effective approach for securing the WAN is to overlay software-defined WAN (SD-WAN) functionality to act as a platform for a dramatically improved defensive posture. The approach also provides consistent management and comprehensive visibility. This allows for consistent policy implementation and holistic use of security solutions across the WAN in a comprehensive fashion. This single network “image” reduces complexity and simplifies deploying better security. It is also an important way to reduce potential errors or omissions that can occur when the network is a jumble of links that must be secured individually. Finally, with a single SD-WAN, network operations and security teams can ensure that there is documented and consistent use of security solutions and policies across the WAN.

Ensuring your SD-WAN is secure: Where to start

Secure SD-WAN solutions require more than just the basics. To choose the best offering, it is important to look for a service provider that is committed to security and has enhanced SD-WAN security solutions in production environments today.

From a more tactical perspective, there are several specific features or capabilities that you should look for when using SD-WAN and software-defined networking (SDN) to enhance WAN security:

Broad and effective encryption. The use of encryption to protect data in flight is becoming quite common. However, with a highly siloed, legacy WAN, encryption can be difficult to implement and manage. The ability to support broad, integrated encryption across the SD-WAN provides an important security enhancement.

PCI DSS-compliant service. One of the most important and useful standards for ensuring security is a network that delivers PCI DSS (Payment Card Industry Data Security Standard) compliance. Many organizations that aren’t directly involved in using payment cards still rely on the PCI standard because it delivers documented protection. A network that delivers PCI compliance has undergone penetration and other testing to ensure it is secure. In addition, these networks will support two-factor authentication (2FA) as part of the compliance regime. PCI compliance shows a network provider is serious about security.


Next-generation firewall (NGFW) integration and delivery. Protecting the WAN at key locations or at the nexus of key traffic flows is essential. The best SD-WAN services will offer the ability to stand up a physical or virtual NGFW to offer more protection at various points on the network. Using firewalls based on application flow is an especially important capability that many organizations will find improves their defensive posture.

Pathway to unified threat management (UTM). Among the most important changes in the operational model for cybersecurity solutions is the movement to a single, unified security appliance. These appliances often include NGFWs, gateway anti-virus and intrusion detection/prevention capabilities. Ensuring that the SD-WAN is designed to support UTM has become an important component of providing a truly secure environment.

SD-WAN, SDN, NFV and NGFW deliver next-generation security for the WAN

An SD-WAN operating within an overall software-defined network (SDN) environment, managed with a single, consistent set of tools that view the WAN as a comprehensive entity, is the platform that enables far better cybersecurity. This is the necessary foundation.

This single, software-defined WAN platform brings the consistency and ubiquity that ensures that all cyber-defenses are deployed across the WAN and can be updated to meet evolving threats. There is now one source for all approved policies and configurations that are used universally across the network. Effective security is nearly impossible without this consistency. Further, security moves away from being an after-the-fact set of technologies that are bolted on ad hoc. With SDN and SD-WAN, security becomes a core component of the “software” that is used to operate and manage the network.

SD-WAN service providers that are truly serious about security will build on the base capabilities of the SD-WAN/SDN platform to deliver additional security functionality and capabilities. These can be used as managed services to offload the work from existing network staff or as a means of adding hard-to-hire expertise. Working with a managed service provider (MSP) gets these advanced defenses in place more quickly and integrated with other security solutions. The best-in-class managed services partners will provide low/no-touch provisioning of services with the security capabilities already installed or included. This simplifies things for network admins and operations staff.

The delivery of micro-segmentation capabilities is a critical enhancement to SDN that allows more fine-grained security policies to be implemented for specific workloads or applications, without losing the overall consistent, software-defined platform policies. For many organizations, leveraging the skills of a partner that is well-versed in micro-segmentation is the best option for fast deployment.

An additional and broader enhancement to security is improved traffic visibility. This may include full visibility or a substantial improvement of visibility for key links. Traffic that transits the network without any evaluation or oversight can become a huge vulnerability, particularly if attackers find and exploit it for the exfiltration of data. In addition, with full visibility, it is possible to inspect more traffic for malware and threats, stopping them at the earliest stages. In this scenario, a breach of the network can be mitigated before the attacker escalates, limiting the incursion.

MSPs must also offer improved security for branch or remote offices. Many of these locations don’t have any network expertise present at the location, but more importantly, these offices may contract for WAN links without corporate oversight or evaluation. In addition, remote workers will often install or introduce new software that would be identified at a more secure headquarters location. As a result, additional security tools such as an NGFW at remote locations can be important security enhancements from an MSP.


Effective cyber-defenses require speed. The ability to quickly deploy cybersecurity protection and update it in near real time based on changing or emerging threats is critical. Every second that a vulnerability exists or that a known vulnerability is not patched puts the organization at risk. Speed is essential to strong security. “Speed to protection” is also an aspect of security that SD-WAN and SDN support better than most alternatives. The fundamental design of a software-defined network allows the operations team to install or enhance security, across the SD-WAN, with just a single click. This stands in stark contrast to many current WAN implementations that require the security or network operations team to install/update security on each specific link. Beyond logistical delays, this can also lead to omissions or human error, resulting in unknown vulnerabilities.

The enhanced management console used in a holistic manner across a next-generation SD-WAN not only ensures that policies, protection and privileges are managed cohesively across the network, but also provides the information to identify any links that are not up to par. It also becomes possible to use the traffic visibility provided by the SD-WAN management tools as a platform to evaluate traffic irregularities, or other issues. The management tools also simplify documenting and ensuring correct operational processes. This is particularly helpful when staffing changes require less experienced staff to become involved in the network security process.

The Windstream Enterprise approach: Delivering enhanced network security with best-in-class managed services and solutions

As a leader in the market for SD-WAN technologies and services, Windstream Enterprise (WE) delivers services and technologies that upgrade WAN security using SD-WAN as the platform. With thousands of customers across the U.S., we have substantial real-world experience deploying SD-WAN services and solutions that deliver the enhanced cybersecurity that today’s organizations demand. We are recognized by many third parties as a leading MSP. Our commitment to customer service is demonstrated by our concierge service offering, which provides the expertise and ongoing support necessary to truly protect your business.

We deliver several offerings that can be combined with existing security infrastructure to provide greater protection. The most notable of these include:

PCI DSS-compliant SD-WAN. Not only does the availability of a PCI DSS-compliant SD-WAN service benefit retailers, merchants and those that must process payment cards, but the key technologies to support this standard also deliver 2FA and security class differentiation.

Firewall. SD-WAN will support the distribution of assets across the data center, cloud and hybrid cloud environments. Such distribution may create new vulnerabilities. Deploying firewalls that focus defenses based on application flow provides better protection. The firewall can provide content filtering, application control and intrusion prevention/detection.

WE Connect SD-WAN Management Tool. The legacy WAN was difficult and complex to manage, with many silos and unique links. This made deploying security in a cohesive and organized fashion quite difficult. However, the WE Connect portal provides a single comprehensive platform that simplifies consistent deployment and utilization of policies, coherent security tool use and deployment, and the ability to respond and update security when new threats emerge using a mobile app or desktop experience.

Virtual network function (VNF) software. Delivering VNF within an SD-WAN environment makes it possible to enhance security by utilizing security tools such as the firewall “virtually” on existing equipment at the physical location. This makes it possible to tightly integrate unified threat management security features within the network. Further, VNF supports faster provisioning and greater flexibility in policy management.

Traffic encryption. A common threat that many organizations face is hackers that have penetrated the network but hide and scan network traffic for valuable information. When this traffic in flight is encrypted, the data is protected. SD-WAN delivers strong end-to-end encryption to stop data loss.


Key takeaways

The WAN is one of the most common attack points that hackers will use to enter an organization’s systems and databases. And as attacks become more technically sophisticated and virulent, it is essential to improve the defensive posture of the WAN. SD-WAN and SDN provide a software-defined platform for managing, securing and operating the WAN that can dramatically enhance security. As a leading MSP, Windstream Enterprise provides a wide range of best-in-class secure SD-WAN services. These services simplify managing and operating the WAN and provide the foundation for the network and security teams to work together to deliver the necessary levels of security. The best news is that through a partnership with a firm such as Windstream Enterprise, this protection can be put in place quickly and kept up to date in near real time.

Secure SD-WAN from Windstream Enterprise provides value above and beyond its competitors:

Windstream Enterprise is the only MSP to have achieved third-party validation for PCI DSS compliance with an associated Attestation of Compliance (AOC).

Windstream Enterprise enables customers to modify security policies on edge devices via a user-friendly portal, WE Connect—most MSPs do not allow self-service. Seconds saved during a security event may prove invaluable to minimizing negative impacts to your assets, customers, employees, and ultimately, your brand.

Windstream Enterprise also gives customers the freedom to rename and tag the environment in multiple ways that are most meaningful to security staff. This can further reduce response time during an event.

For more information on how you can move from a vulnerable WAN to a secure and protected SD-WAN, please go to: windstreamenterprise.com/sd-wan.


Why Windstream Enterprise?

Windstream Enterprise can help you navigate the complexity of network transformation with tailored solutions that align to your vision. With leading-edge solutions and expert, dedicated support, we’ll help you adapt, evolve and reshape your IT infrastructure. Here’s how.

1 Support for hybrid models

SD-WAN from Windstream Enterprise can support existing MPLS and broadband connections to create a hybrid WAN. Most service providers require you to purchase their access.

2 Greater control and visibility

Most SD-WAN providers offer a portal for visibility into performance, but only Windstream Enterprise gives you access to the unique WE Connect portal to control your own business and security policies.

3 Cloud-ready solutions

Cloud Connect supports all of our network and Unified Communications solutions, including highly secure and cost-effective connectivity to leading CSPs.

4 We keep your business “on”

Business continuity is provided by Windstream Enterprise Fixed Wireless and Diverse Connect to significantly improve the reliability and uptime for your critical applications.

5 Cloud to the core

Our networks are built on our Cloud Core architecture, which enables rapid deployments of any scale that can easily be expanded in the future.

6 PCI DSS compliance

Only SD-WAN from Windstream Enterprise is certified as PCI DSS compliant, allowing your business to accept credit card payment and process cardholder data.

Cloud Core™ technologies:

Software-defined networking (SDN): Network architecture that virtualizes the control and configuration of networks.

Network functions virtualization (NFV): Network architecture that virtualizes entire classes of network functions into building blocks that connect to create communication services.

Programmable network (PN) orchestration: Network devices and flow control are handled by software that operates independently from network hardware.

About Windstream Enterprise

Windstream Enterprise collaborates with businesses across the U.S. to drive digital transformation by delivering solutions that solve today’s most complex networking and communication challenges.

To learn more about network solutions, visit windstreamenterprise.com

©2019 Windstream Services, LLC. All Rights Reserved.
