IPsec is an IETF standard that enables mutual authentication between hosts and also facilitates the negotiation of the cryptographic keys used to encrypt IP packets. Even though IPsec supports encryption without authentication, that is not a good idea from a security standpoint. With the recent news about NSA tools potentially being stolen and available on the black market to crack routers from Cisco Systems, Juniper Networks and Fortinet, the immediate question arises: is IPsec security good enough, or do you need to rely on additional transport-layer (such as TLS) or application-layer (such as SSH) security that is not tied to the router?
If you believe that the NSA code is available (to the NSA or to hackers at large) to intercept and “hack” the IPsec tunnel, then having the IPsec layer initiate and terminate on these types of routers will not protect against those threats: if the traffic can be mangled at a router on the path, that certainly nullifies the security of the IPsec layer.
However, if your site-to-site network uses overlay tunnels between hosts (or gateways), you can use the security functionality of the overlay tunnels (if they have those features) to add another layer of authentication and encryption. No hacker tool will be capable of breaking through two levels of security implemented in two separate layers on two different routers. So the idea is to inject the already encrypted IPsec packets into an SD-WAN router that is capable of creating a non-layer-3 overlay tunnel with encryption and authentication, so that the SD-WAN router takes those already encrypted packets as opaque datagrams and encrypts them again on top. If the SD-WAN router is also capable of Broadband Bonding, you will additionally benefit from the traffic flow being distributed over two or more transports. So even though this is not a standardized security feature, it clearly provides a strong additional level of security.
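The layering described above, as an added illustration that is not Mushroom Networks' code: each hop (the host's IPsec and the SD-WAN overlay) is modelled as an independent AES-256-GCM layer with its own key and its own authenticated header bytes, chosen here as a stand-in for the cipher of each real layer; the key values, the AAD strings and the `Layer`, `Wrap` and `Unwrap` names are assumptions for the example. The overlay only ever sees the already encrypted inner datagram, and a datagram mangled on the path is rejected by the outer layer's tag check before the IPsec layer is reached.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Layer is one independent encryption hop (the host's IPsec or the SD-WAN overlay): its own
// 32-byte AES-256-GCM key plus the header bytes (AAD) it authenticates. Hops share no key material.
type Layer struct {
	aead cipher.AEAD
	aad  []byte
}

func NewLayer(key, aad []byte) (Layer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Layer{}, err
	}
	aead, err := cipher.NewGCM(block)
	return Layer{aead, aad}, err
}

// Wrap applies layers innermost first (IPsec, then overlay). Each hop emits
// nonce || ciphertext || tag, so the overlay router sees only opaque ESP bytes.
func Wrap(payload []byte, layers ...Layer) ([]byte, error) {
	for _, l := range layers {
		nonce := make([]byte, l.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		payload = l.aead.Seal(nonce, nonce, payload, l.aad)
	}
	return payload, nil
}

// Unwrap peels outermost first: a datagram mangled on the path fails the overlay's tag check first.
func Unwrap(wire []byte, layers ...Layer) (_ []byte, err error) {
	for i := len(layers) - 1; i >= 0; i-- {
		l, n := layers[i], layers[i].aead.NonceSize()
		if len(wire) < n {
			return nil, errors.New("datagram too short")
		}
		if wire, err = l.aead.Open(nil, wire[:n], wire[n:], l.aad); err != nil {
			return nil, err
		}
	}
	return wire, nil
}
```

Peeling only the overlay layer yields the still-encrypted IPsec datagram, and a party holding only the IPsec key cannot open what is on the wire, which is the point of running the two layers on separate devices with separate keys.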
Whatever your approach, always keep your routers up to date with the latest security patches and firmware upgrades so that no known vulnerabilities are left open. If you want to be extra cautious, we recommend the encrypted Broadband Bonding tunnels provided by SD-WAN routers on top of your legacy IPsec.
Cahit Akin, CEO, Mushroom Networks, Inc.
Mushroom Networks is the provider of SD-WAN (Software Defined WAN) and NFV solutions capable of Broadband Bonding, which enable self-healing WAN networks that route around network problems such as latency, jitter and packet loss.