How Much Security Testing is in ICSA Labs “Secure” SD-WAN Testing?
June 9, 2022
By Jack Walsh
The super succinct answer to the question posed in the blog title is, “quite a bit, actually!” Of course, a blog posting without a more detailed explanation wouldn’t really be a blog worth reading. What follows then is a more in-depth answer, preceded by a brief refresher about how we got to needing Software-defined Wide Area Network (SD-WAN) technology in the first place.
The WAN topology known as SD-WAN became necessary as companies began to witness an increasing number of users, coming from an increasing number of locations, using an increasing number of connection types (e.g., broadband Internet, MPLS, 3G, and 4G LTE), all trying to get to an ever-increasing number of applications. Complicating matters, the applications being accessed were often in disparate locations, ranging from software as a service (SaaS) clouds, like custom-built apps, to infrastructure as a service (IaaS) clouds like those of AWS, Alibaba Cloud and Microsoft Azure, to private clouds, to apps in the data center, branch offices and even the campus itself.
By intelligently directing traffic across WAN paths, an SD-WAN solution potentially solves problems like increased network complexity, inconsistent application performance, and greater risk exposure (among other difficulties) stemming from the complex conditions mentioned above that are frequently found in today’s enterprise networks.
With all of this in mind, ICSA Labs decided to create and launch an SD-WAN certification testing service in 2019. We named the service ICSA Labs Secure SD-WAN Certification Testing. The insertion of the word “Secure” into the title for the testing service is no accident. Rather than being only an SD-WAN functionality test, we at ICSA Labs determined that the testing for such a service needed significant, supplemental, security-related test cases.
By “Secure” we mean:
  • The SD-WAN product itself is secure;
  • The SD-WAN communications are secure;
  • The SD-WAN product properly enforces policy. This includes policy enforcement for both WAN-specific functions and security policies (i.e., just like an ICSA Labs Certified Firewall);
  • The SD-WAN product provides additional security functionality either inherently in itself or via an external mechanism such as service chaining one or more external security products (e.g., anti-malware, intrusion prevention).
In particular, the policy configuration requirement to set security policies for network traffic in ICSA Labs’ Secure SD-WAN testing is equivalent to that of one of our standard ICSA Labs Firewall Certifications (called Corporate Firewall). As in Firewall testing, ICSA Labs tests that Secure SD-WAN components are stateful, that they are not susceptible to trivial denial of service attacks, that the components themselves are invulnerable to known threats, and that they each properly enforce the configured security policy.
As a result, the corresponding security testing performed is equally stringent in every regard as that which we perform in Firewall testing. What this indicates is that a tested and certified ICSA Labs Secure SD-WAN solution passes all the same kinds of security test cases as does a certified ICSA Labs Firewall.
That raises a couple of questions. First, does this mean that any product that attains ICSA Labs Secure SD-WAN certification can be immediately granted ICSA Labs Firewall certification? And, second, which testing service is better?
Let’s address the second question first.  ICSA Labs would not consider a Corporate Firewall Certification better than a Secure SD-WAN Certification. And likewise, we would not consider a Secure SD-WAN Certification better than a Corporate Firewall Certification. They are two different testing services designed to certify different types of solutions.  While there is overlap in the security testing area as we have explained, the test beds for each service are entirely different.  
In Firewall testing, ICSA Labs configures the test environment to emulate a perimeter firewall where services are hosted on an internal network or DMZ. Network traffic flows outbound from users as well as inbound to servers. In this test bed, a single Firewall device (physical or virtual) is exposed to all the test cases.
In Secure SD-WAN testing, the test bed is considerably more complex than that of Firewall testing. Rather than a single device, there are a minimum of three edge devices simulating a data center with two remote branches. This is necessary in order for ICSA Labs to emulate the complexity of SD-WAN edge devices needing to be auto-provisioned and dynamically selecting the best path for application traffic when there is path degradation, regardless of the underlying WAN connection type.
Perhaps you can see already that the answer is “no” to the first question about whether any product that attains ICSA Labs Secure SD-WAN certification can be immediately granted ICSA Labs Firewall certification. After all, because the configurations are dramatically different, the testing in Secure SD-WAN and Firewalls cannot be and is not exactly the same. After re-configuring and potentially having to alter the security policy, additional tests have to be performed in order to separately attain ICSA Labs Firewall certification.
That said, ICSA Labs believes that it would be far simpler for an ICSA Labs certified Secure SD-WAN to get through Firewall testing quickly and successfully than it would be for an ICSA Labs certified Firewall to get successfully through Secure SD-WAN testing. This is because there is a significant number of SD-WAN functions being tested in Secure SD-WAN, all of which are well above and beyond that which is required in Firewall testing.


