Secure Your Network for Scale & the Cloud
Uploaded by velocloud-networks-inc (category: Technology)
Transcript of Secure Your Network for Scale & the Cloud
Page 1: SD-WAN Architecture: Secure Your Network for Scale and the Cloud
Steve Woo, VP of Products & Co-founder
Page 2: Security Key Value for SD-WAN
VeloCloud Networks Proprietary & Confidential | © Copyright 2016
Page 3: Title
Page 4: SD-WAN Security Advantages
Diagram labels: Branch Edges, Cloud Gateways, SaaS, Datacenter Edges, SD-WAN Overlay
Callouts:
- Zero touch & secure deployments, simplified operations, one-click service insertion
- Direct cloud access with performance, reliability and security
- Simplified & automated WAN management
- Managed on-ramp to the cloud
- Transport independent performance & security for the most demanding apps, leverages economical bandwidth
- Assured application performance & security
Page 5: SD-WAN Security Checklist
Secure connectivity
  [ ] ANY and ALL transport
  [ ] Enterprise AND cloud datacenters
  [ ] Scalable, automated
Segmentation
  [ ] Intra enterprise, multi-tenant
Security services insertion
  [ ] Branch, distributed, cloud, multi-vendor
Secure deployment
  [ ] Branch provisioning
  [ ] SD-WAN infrastructure
Visibility
  [ ] User and application activity
  [ ] Compliance and security analytics
Page 6: Unified Secure Overlay
Diagram labels: Branch Site (Branch Edge), Enterprise DC (Hub Edge), Traditional Private Datacenters, INTERNET, Cloud Gateways, Private - MPLS, IPsec VPN
Callouts:
- Unified VPN over all transports
- Cloud VPN eliminates backhaul
- Automated VPN to cloud via gateway eliminates NxN manual tunnels
Page 7: Traditional Key Architecture - i

| | Distributed | Centralized |
|---|---|---|
| Orchestration | Difficult | Easy |
| Control plane attack surface | Small – uncommon to attack the hub | Large – key server is a single point of attack |
| Data plane attack surface | Small – just a pair-wise key | Large – entire group sharing the same keys |
Page 8: Traditional Key Architecture - ii

| | Pre-shared Keys | PKI |
|---|---|---|
| Complexity | Integrated | Requires a separate Certificate Authority |
| Scalability | Manually configured key-pair | Centrally provisioned by the CA server |
| Automation workflows (secure onboarding, CRL + tunnel integrity) | No | Not integrated |
Page 9: SD-WAN Key Arch Advantages
Diagram labels: Branch Site (Branch Edge), Enterprise DC (Hub Edge), Hybrid Cloud, Traditional Private Datacenters, INTERNET, Cloud Gateways, Orchestrator (Integrated CA), Private - MPLS; dynamic branch to branch tunnels; Edge device's public key pinned; IKE + IPsec session; CRL distribution + automatic tunnel integrity check
Preferred Attributes:
- Centralized orchestration
- Small control plane attack surface due to pinning of Edge public keys
- Small data plane attack surface due to pair-wise keys
- Integrated PKI + orchestration
- High scalability with PKI
- Integrated automation of:
  - CRL with tunnel integrity
  - Secure onboarding
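The preferred attributes above, as an added Python example that is not VeloCloud code: a toy orchestrator that pins each Edge's public key at onboarding, keeps the CRL and runs the automatic tunnel integrity check, beside a count of how many tunnels one leaked key exposes under pair-wise versus group keying. The HMAC "certificate", the edge ids and the full-mesh bookkeeping are assumptions standing in for X.509 and IKE/IPsec.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

# Toy model (added example, not VeloCloud code): the HMAC 'cert' stands in for an X.509
# signature and the edge ids are constructed; a real deployment uses IKE/IPsec.
class Orchestrator:
    """Integrated CA: pins each Edge's public key at onboarding, issues its cert, keeps the CRL."""

    def __init__(self):
        self._ca_key = secrets.token_bytes(32)   # stands in for the CA signing key
        self.pinned = {}                         # edge id -> public key pinned at onboarding
        self.crl = set()                         # revoked edge ids

    def onboard(self, edge_id, pubkey):
        # The first key seen for an id is pinned; a later request with a different key is
        # refused, so an existing Edge identity cannot be silently re-keyed.
        if self.pinned.setdefault(edge_id, pubkey) != pubkey:
            raise PermissionError(f"{edge_id}: public key does not match pinned key")
        return hmac.new(self._ca_key, edge_id.encode() + pubkey, hashlib.sha256).digest()

    def valid(self, edge_id, pubkey, cert):
        expected = hmac.new(self._ca_key, edge_id.encode() + pubkey, hashlib.sha256).digest()
        return (edge_id not in self.crl
                and self.pinned.get(edge_id) == pubkey
                and hmac.compare_digest(expected, cert))

    def revoke(self, edge_id):
        self.crl.add(edge_id)

def integrity_check(orch, tunnels, creds):
    """Automatic tunnel integrity check: keep only tunnels whose two peers both still pass
    the pinned-key + CRL check; the rest are torn down when the CRL is distributed."""
    return [t for t in tunnels if all(orch.valid(e, *creds[e]) for e in t)]

def exposed_tunnels(tunnels, compromised, pairwise):
    """Data plane attack surface once one Edge's key material leaks: with pair-wise keys
    only that Edge's own tunnels, with a single group key every tunnel in the mesh."""
    return [t for t in tunnels if not pairwise or compromised in t]

def demo():
    orch, creds = Orchestrator(), {}
    for edge in ("hub-dc", "branch-1", "branch-2", "branch-3"):     # constructed ids
        pub = secrets.token_bytes(32)
        creds[edge] = (pub, orch.onboard(edge, pub))
    mesh = list(combinations(creds, 2))                              # 6 tunnels
    group = len(exposed_tunnels(mesh, "branch-2", pairwise=False))   # 6: all readable
    pair = len(exposed_tunnels(mesh, "branch-2", pairwise=True))     # 3: only its own
    orch.revoke("branch-2")
    live = len(integrity_check(orch, mesh, creds))                   # 3: branch-2 dropped
    return group, pair, live
```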
Page 10: SD-WAN Segmentation
Diagram labels: Enterprise A (VLAN 1, VLAN 2, VLAN 3, VLAN 4), Enterprise B (VRF A; VLAN 1, VLAN 2, VLAN 3, VLAN 4), SD-WAN Edge, Multi-Tenant SD-WAN Cloud Gateway (VRF 3, VRF 4, VRF B-3, VRF B-4), SP NFV Orchestrator
• Services by Enterprise – VRF mapping
• Services granularity by VLAN tag
Page 11: SD-WAN Security Checklist (repeated from page 5)
Page 12: Security Service Insertion
Diagram labels: Branch Site (Branch Edge), Enterprise DC (Hub Edge), Hybrid Cloud, Traditional Private Datacenters, INTERNET, Cloud Gateways, Orchestrator, Controllers, Private - MPLS; service insertion points marked across the topology
Private & Internet circuits, Enterprise & SaaS applications, On premise & Cloud deployments
Page 13: Branch Security Service Insertions
Multiple CPE options:
- General purpose virtual CPE: vCPE platform (OS + HW) hosting SD-WAN, FW and WOC VNFs, with separate orchestration
- SD-WAN virtual services platform: SD-WAN hosting FW and other (X) VNFs under SD-WAN orchestration
- SD-WAN CPE with virtualized services (embedded services): L7 firewall, dynamic multipath, VPN, NAT
Legend: cloud delivered
Services on / off
Granular policies by L7 traffic profile
Page 14: SD-WAN Service Chaining
Diagram labels: Branch (SD-WAN Edge: VPN, firewall, dynamic multipath), SD-WAN Edge at Enterprise DC, Web/Cloud Gateways, SaaS / IaaS
Policy based service insertion:
- Different service chains applied by policy
- Services can be at branch only or dual ended
Page 15: Internet Backhaul Challenge
Complex with traditional WAN:
- Not performance-aware
- Policy definition at L3 only
- Requires touching every branch
- Per-application tuning difficult
- More complex with multiple links
Diagram: Branch and Headend, with the headend advertising 0.0.0.0/0 (preferred) over one path and 0.0.0.0/0 over the other
Page 16: Policy-based Internet Backhaul to DCs
Diagram labels: Branch Edge, Primary Hub Edge (primary path), Secondary Hub Edge (secondary path)
- Backhaul ALL or subset of Internet traffic
- Flexible link steering policy
Page 17: SD-WAN Distributed Security Insertion
Diagram labels: Branch Site (SD-WAN Edges), Distributed Regional Mini-Datacenters (SD-WAN Edges, Firewalls, Email DLP), Enterprise Datacenters (On Premise, Enterprise Applications)
Distributed Service Insertion
• SDWAN one-click app aware service insertion
• Enables disaggregation and distribution of services to multiple regional mini-datacenters
• Same or different service chains by DC
• SDWAN optimal for SDN instantiated virtual services in DC
• Reduces branch complexity and attack surface
Page 18: Branch to Branch Service Insertion
Diagram labels: Branch Site, Distributed Regional Mini-Datacenters, Firewalls, SD-WAN Edges
Distributed Service Insertion
• Regionalize services even for branch to branch traffic
• Next gen firewall can apply rules by application
Page 19: Multi-DC Services Insertion
Diagram labels: Branch Site (SD-WAN Edges), Datacenter 1 and Datacenter 2 (each with an SD-WAN Edge, Email DLP, Firewalls)
Multi-DC Service Insertion
• Dynamic routing for service insertion
Page 20: SD-WAN Hybrid Security Insertion
Diagram labels: Branch Site (SD-WAN Edge), Enterprise Hub (On Premises Security), Cloud Security Services, Internet; example traffic: other web traffic, Salesforce.com, web email
SD-WAN service chaining for hybrid services
• Backhaul to on-premises services
  – Regional and central
• SD-WAN performance service chained to cloud security services
• One-click, by application
Page 21: SD-WAN Security Checklist (repeated from page 5)
Page 22: Complex & Insecure Legacy Deployments
“IT Visit”: 1-Ship, 2-Install, 3-Config
  No security risk if box lost
  X IT visit to site required
“Pre-stage”: 1-Config, 2-Ship, 3-Install
  No IT visit required
  X Drop ship not possible
  X Configure and track every box
  X Security risk if mis-ship
Page 23: Simple & Secure SD-WAN Activation
“Pull Activation Key”: 1-Ship, 2-Create config + send key, 3-Install + pull config
  No IT visit required
  No security risk if box lost
  No pre-staging required
  No device tracking needed
  Two factor – key and device
“Call Home Push Activation”: 1-Ship, 2-Install + Call Home, 3-Push Config
  No IT visit required
  No security risk if box lost
  No pre-staging required
  Independent physical install
  > Requires knowledge of device to site
Page 24: Flexible Deployment Options
Diagram labels: Branch Site (Edge), Enterprise DC (Datacenter Edge), SaaS, Hybrid Cloud, Cloud DC, Traditional Private Datacenters, INTERNET, Cloud Gateways, Orchestrator, Private - MPLS
• On-premises in Enterprise
• Hosted in secure cloud datacenters
Page 25: On-Premise SD-WAN Deployment
Diagram labels: SaaS / IaaS, INTERNET and MPLS, VeloCloud Edge, Enterprise DC, Regional Hubs (VeloCloud Edges), VeloCloud Orchestrator, VeloCloud Controllers, Internet
Edges in “hub” role at enterprise datacenters and regional hubs
On-premise Orchestrator and Controllers
One-click granular traffic backhaul to regional hubs
Direct breakout to Internet for non-backhaul traffic
Page 26: Policy Based Link Steering Overrides
Pin an application to a path even when the link fails
  e.g. > PCI to compliant provider
Prefer application on a path but steer away if it cannot meet SLA
  e.g. > Prefer high bandwidth video conferencing on broadband
Prefer application on a path but steer away if the link fails
  e.g. > Wired to wireless; add metered usage of wireless
Abstract actual interface/WAN links from the business policy
Diagram labels: policy levels Mandatory, Preferred, Available; link classes Private, Public Wired, Public Wireless, Public Internet
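The three override cases on this slide, as an added Python example that is not VeloCloud code: a small policy engine that expresses steering against link classes rather than interfaces, keeps a mandatory application pinned even when its link is down, and steers a preferred application away on an SLA miss or a link failure, using metered wireless only where the policy allows it. The link classes, the SLA field, the fallback list and the reason strings are assumptions.

```python
# Added example, not VeloCloud code: link classes, SLA field, fallback list and reason strings are assumptions.
from dataclasses import dataclass

@dataclass
class Link:
    iface: str                 # physical interface; the business policy never names it
    cls: str                   # "private", "public-wired" or "public-wireless"
    up: bool = True
    loss_pct: float = 0.0
    latency_ms: float = 20.0
    metered: bool = False

@dataclass
class Policy:
    app: str
    mode: str                  # "mandatory" (pin to path); anything else is treated as "preferred"
    path: str                  # link class the policy is written against, not an interface
    fallback: tuple = ()       # classes a preferred app may steer to; () means any class
    max_loss_pct: float = 100.0
    allow_metered: bool = False

def meets_sla(link, policy):
    return link.up and link.loss_pct <= policy.max_loss_pct

def steer(policy, links):
    """Choose the link an app's flows take right now; returns (iface or None, reason)."""
    usable = [l for l in links if policy.allow_metered or not l.metered]
    on_path = [l for l in usable if l.cls == policy.path]
    good = sorted((l for l in usable if meets_sla(l, policy)), key=lambda l: l.latency_ms)
    if policy.mode == "mandatory":
        # Pinned to the path even when it fails: flows wait rather than leak onto another link
        live = [l for l in on_path if l.up]
        return (live[0].iface, "pinned") if live else (None, "pinned-path-down")
    ok = [l for l in good if l.cls == policy.path]
    if ok:
        return ok[0].iface, "preferred"
    alt = [l for l in good if not policy.fallback or l.cls in policy.fallback]
    if not alt:
        return None, "no-path"
    return alt[0].iface, ("link-down" if not any(l.up for l in on_path) else "sla-miss")

def demo():
    links = [Link("ge1", "private", latency_ms=30.0),                      # constructed branch:
             Link("ge2", "public-wired", loss_pct=3.0, latency_ms=15.0),   # MPLS, lossy broadband,
             Link("lte0", "public-wireless", latency_ms=60.0, metered=True)]  # metered LTE
    pci = Policy("card-processing", "mandatory", "private")              # PCI to compliant provider
    video = Policy("video-conf", "preferred", "public-wired", max_loss_pct=1.0)
    web = Policy("web", "preferred", "public-wired", ("public-wireless",), allow_metered=True)
    out = {"pci": steer(pci, links), "video": steer(video, links), "web": steer(web, links)}
    links[1].up = False                                    # wired broadband fails
    out["web-after-failure"] = steer(web, links)
    links[0].up = False                                    # private circuit fails
    out["pci-after-failure"] = steer(pci, links)
    return out
```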
Page 27: Managed SD-WAN / Security
Two diagrams, “Over The Top” and “Integrated”.
Diagram labels (Over The Top): SD-WAN, MPLS/Private, Cloud SP Datacenter, PE, CE Router, PE, Virtual CPE with SD-WAN, Enterprise Datacenter, Branch, SDWAN Gateway (two), SDWAN Orchestrator
Diagram labels (Integrated): SD-WAN, MPLS/Private, Cloud SP Datacenter, SDWAN Edge, Enterprise Datacenter, Branch, SDWAN Orchestrator, SDWAN Edge
Page 28: SD-WAN Security Checklist (repeated from page 5)
Page 29: App Usage Visibility
App Usage & Categories
• ALL applications by category identifies risk
• Organize by category or volume
• One-click drill down to sources, destinations
Page 30: Compliance Monitoring
Policy compliance monitoring
• Central orchestrator view across enterprise
• At-a-glance monitoring of site deviations from policy
• One-click drill down into policy details
Page 31: SIEM Analytics
Diagram labels: Branch Edges, Cloud Gateways, SaaS, Datacenter Edges, SD-WAN Overlay, Orchestrator, SIEM (Event Collectors / Processors)
SD-WAN to SIEM:
• Events, flow data and logs from Edges and Orchestrator
• Visibility before encrypted tunneling
• Across on-premises and cloud
• Multi-tenant
Export mechanisms: IPFIX (Netflow v10), SNMP v2c/v3, packet capture, security logs and alerts (Syslog), API / SDK
Page 32: SD-WAN Security Checklist (repeated from page 5)
Page 33: Q&A
www.velocloud.com/sd-wan-dummies