Why software-defined networks demand Layer 4 encryption
Paul German, CEO Certes Networks

As software-defined networking spreads, so does the need for a network-agnostic Layer 4 encryption solution: one that can secure any communications network without degrading performance. Paul German, CEO of Certes Networks, explains.

NEW CONNECTIONS

An occasional series of vendor perspectives on the world of connected business – because it’s all about making new connections and starting new conversations.

The battle between achieving business agility and ensuring data security in transit has never been more challenging. Clearly, the threat landscape has changed radically in recent years – just take the public announcement by UK defence secretary Gavin Williamson that state-sponsored cyber attacks on the UK’s infrastructure could cause economic chaos.

It is little wonder that recent CIO and CTO spending patterns reveal not only a concern with security – especially in the cloud – but also a need to understand what is happening to data, and the ability to identify and address threats as they emerge.

Operationally driven moves away from MPLS networking technology and towards software-defined networking (SDN), notably for wide-area networks (WANs), could be creating security risks, or restrictions on the technology that can be deployed.

Today, SD-WANs offer an alternative to legacy WANs through their agility, simplicity and potential to lower costs. The model not only opens up the opportunity to embrace blended communications infrastructures – from copper to Wi-Fi, and from fibre to satellite – in order to deliver the most efficient, low-cost solution for distributed businesses, but its central management also reduces the overhead associated with complex legacy WAN infrastructures.

Typically, an SD-WAN reduces network costs by 30 to 50 percent, but only with a single-vendor, end-to-end solution. For complex networks, networks at scale, or those operating in a high information assurance environment, those benefits remain questionable: at least, without an approach that allows third-party infrastructure to be deployed, and without a separate security overlay that removes both capacity constraints and dependency on a particular vendor or network.

The current approach

Most SD-WAN vendors offer Layer 3 encryption (in practice, IPsec) as part of their offerings. While some argue that encryption is too costly or too difficult for many enterprises to deploy, Layer 3 encryption is better than nothing.

But where large SD-WAN providers deliver the service from a shared orchestration instance, the question is how an enterprise can secure infrastructure operated by another vendor, or even know where the orchestration platform itself is deployed (a further security concern).

Furthermore, given that one of the most compelling reasons for embracing SD-WANs is the flexibility with which new infrastructures can be connected to support business change – a model that will, by default, result in infrastructure from multiple providers – how can an organisation ensure that each new connection is also secure?

With organisations increasingly deploying application-level encryption, there are also questions regarding performance and throughput. Encrypting traffic that is already encrypted adds overhead without adding much protection, and it affects both legacy WANs and SD-WANs. Many SD-WAN deployments are constrained not by network bandwidth, but by the encryption overhead.

Even more concerning, should an IT team need to investigate an application or data source, these encryption solutions typically have to be turned off, because the tunnel hides the traffic that monitoring tools need to see. That leaves the organisation wide open to attack for as long as the investigation runs.

Network disaggregation

It is in recognition of these problems that growing numbers of CIOs are pushing a disaggregation agenda, concluding that service and security should be separate and distinct from the management and maintenance of any SD-WAN. This trend reflects a different approach to safeguarding business-critical infrastructure cost-effectively, while removing the reliance on a single supplier.

The only way to maximise the commercial benefits of SD-WANs and achieve a security level that reflects the emerging threat is to embrace a security overlay model. In other words, to deploy end-to-end Layer 4 encryption across every part of the infrastructure, irrespective of the underlying network technology. Layer 4 encryption protects the transport payload while leaving the IP and TCP/UDP headers in the clear, so the network can still route, prioritise and account for the traffic it carries.

In addition to meeting the network disaggregation goals of many organisations, a network-agnostic encryption solution can also reinforce the centralised management benefits of SD-WANs by providing centralised orchestration.

This not only demonstrates how the network is being secured, but also provides essential insight into network activity and security performance. And, should an application need to be investigated, there is no need to switch encryption off, ensuring the company is safeguarded at all times.
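The distinction the article draws between Layer 3 and Layer 4 encryption, as an added illustration that is not Certes Networks' product, nor any real wire format: a payload-only scheme that leaves the IPv4 and TCP headers readable and authenticates them, beside a tunnel-mode scheme that hides them behind an outer header. The keystream is a toy HMAC-SHA256 counter construction standing in for an AEAD such as AES-GCM, the packet fields are constructed sample data with IP and TCP checksums left at zero, and protocol number 253 (reserved for experimentation) stands in for a real tunnel protocol.

```python
"""Payload-only ("Layer 4") encryption of an IPv4/TCP packet beside a tunnel-mode
("Layer 3") variant, showing what the network in between can still see.

Added illustration, not Certes code: toy HMAC keystream, constructed packets,
checksums left at zero. Use a real AEAD (e.g. AES-GCM) in practice.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
NONCE_LEN = 12
TAG_LEN = 16
PROTO_TCP = 6
PROTO_EXPERIMENTAL = 253  # reserved for experimentation (RFC 3692); stand-in tunnel protocol


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; identification/TTL fixed, checksum zero (sample data)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def _set_total_len(ip_hdr: bytes, total_len: int) -> bytes:
    return ip_hdr[:2] + struct.pack(">H", total_len) + ip_hdr[4:]


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet: IP header, 20-byte TCP header (PSH/ACK), payload."""
    ip = _ipv4_header(src, dst, PROTO_TCP, IPV4_HDR_LEN + TCP_HDR_LEN + len(payload))
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def visible_fields(packet: bytes) -> Dict[str, object]:
    """What a router, QoS engine or flow collector sees without holding any key."""
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack(">BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    fields: Dict[str, object] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                                 "proto": proto, "sport": None, "dport": None}
    if proto == PROTO_TCP:
        fields["sport"], fields["dport"] = struct.unpack(">HH", packet[IPV4_HDR_LEN:IPV4_HDR_LEN + 4])
    return fields


def l4_encrypt(key_enc: bytes, key_mac: bytes, packet: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Layer 4 overlay: IP and TCP headers stay in the clear, only the payload is encrypted,
    and the tag binds headers + nonce + ciphertext so a rewritten header is detected."""
    nonce = nonce or os.urandom(NONCE_LEN)
    hdr_len = IPV4_HDR_LEN + TCP_HDR_LEN
    hdrs = _set_total_len(packet[:hdr_len], len(packet) + NONCE_LEN + TAG_LEN)  # grows by nonce+tag
    payload = packet[hdr_len:]
    ct = _xor(payload, _keystream(key_enc, nonce, len(payload)))
    tag = hmac.new(key_mac, hdrs + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hdrs + nonce + ct + tag


def l4_decrypt(key_enc: bytes, key_mac: bytes, enc: bytes) -> bytes:
    """Verify the tag over headers + nonce + ciphertext first, then restore the original packet."""
    hdr_len = IPV4_HDR_LEN + TCP_HDR_LEN
    hdrs, nonce = enc[:hdr_len], enc[hdr_len:hdr_len + NONCE_LEN]
    ct, tag = enc[hdr_len + NONCE_LEN:-TAG_LEN], enc[-TAG_LEN:]
    expected = hmac.new(key_mac, hdrs + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: headers or payload were modified")
    payload = _xor(ct, _keystream(key_enc, nonce, len(ct)))
    return _set_total_len(hdrs, hdr_len + len(payload)) + payload


def header_tamper_detected(key_enc: bytes, key_mac: bytes, enc: bytes, new_dport: int) -> bool:
    """Rewrite the clear-text destination port of an L4-encrypted packet; True if decryption rejects it."""
    off = IPV4_HDR_LEN + 2
    tampered = enc[:off] + struct.pack(">H", new_dport) + enc[off + 2:]
    try:
        l4_decrypt(key_enc, key_mac, tampered)
    except ValueError:
        return True
    return False


def l3_tunnel_encrypt(key_enc: bytes, key_mac: bytes, packet: bytes, outer_src: str,
                      outer_dst: str, nonce: Optional[bytes] = None) -> bytes:
    """Tunnel-mode comparison: the whole inner packet, headers included, is encrypted behind
    a new outer IP header, so inner addresses and ports are invisible to the network."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(packet, _keystream(key_enc, nonce, len(packet)))
    outer = _ipv4_header(outer_src, outer_dst, PROTO_EXPERIMENTAL,
                         IPV4_HDR_LEN + NONCE_LEN + len(ct) + TAG_LEN)
    tag = hmac.new(key_mac, outer + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return outer + nonce + ct + tag
```

Run `visible_fields` over the output of each function with the same constructed packet: the Layer 4 form still shows the real source, destination and port 443, so an SD-WAN's QoS, routing and flow records keep working and an investigation does not require switching encryption off, while the tunnel form shows only the two tunnel endpoints and protocol 253. Because the Layer 4 tag covers the clear-text headers, rewriting a port in transit is caught at the receiver rather than silently redirecting decrypted data.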

SD-WANs potentially offer compelling benefits, and are increasingly the only viable option for distributed organisations, especially given the growing use of internet-based infrastructures and the cloud. However, the result is that organisations have less knowledge about the infrastructure. Where is the data going? Who owns the network? Which route is being taken? And, critically, who is securing the data – and how?

The less knowledge and control over the infrastructure, the more security control and knowledge an organisation requires. It is only by taking that step towards network disaggregation, embracing a truly network-agnostic encryption technology that can secure data in transit across any IP network, and achieving centralised security orchestration with full data visibility, that organisations can confidently embrace SD-WANs and achieve agility without compromise.

Internet of Business says: This article has been submitted by Certes Networks, and not by our independent editorial team.