Zscaler and SD-WAN · 2019-02-15 · ZSCALER SD-WAN SOLUTION BRIEF
SOLUTION BRIEF
Zscaler™ and SD-WAN
Securing the Internet-only branch
Zscaler and SD-WAN make it easy to migrate from a hub-and-spoke network to an Internet-only branch architecture by enabling secure local Internet breakouts.
CLOUD APPS HAVE BROKEN TRADITIONAL ARCHITECTURES
For organizations deploying cloud applications like Office 365, the old approach to routing traffic, backhauling over MPLS to a centralized Internet gateway via a hub-and-spoke architecture, is inadequate. To deliver a fast user experience and support cloud applications and services, Internet traffic must be routed locally.
But to deliver the same level of security as the centralized Internet gateway, organizations must replicate the stack of security appliances at every branch, which is expensive to buy, deploy, and manage. Traditional firewalls and UTMs are a poor alternative, as they cannot handle SSL-encrypted traffic or non-standard ports and protocols. Because of these challenges, organizations are increasingly turning to SD-WAN to establish local Internet breakouts and deliver a fast user experience.
SD-WAN AND LOCAL INTERNET BREAKOUTS
Software-Defined Wide Area Networking (SD-WAN) simplifies how traffic is routed in the branch and makes it easy to establish local Internet breakouts. Software-defined policies are used to select the best path to route traffic connecting the branch to the Internet, cloud applications, and the datacenter. By defining policies for all branches — in the cloud through a single interface — organizations can easily deploy new applications and services, and manage policies across many locations. But these local breakouts need to be secured.
Traditional Hub-and-Spoke
• Backhauling over MPLS is expensive
• Introduces unnecessary latency
• Negatively impacts user experience
UTM/Firewall Appliance Sprawl
• Cost prohibitive to deploy
• Creates appliance sprawl
• Untenable to manage
• Compromises branch security
• Performance degrades with SSL inspection and additional security services
ZSCALER SD-WAN SOLUTION BRIEF
©2017 Zscaler, Inc. All rights reserved.
ZSCALER: THE CLOUD WAY TO SECURE SD-WAN
Zscaler secures outbound Internet traffic and delivers a fast user experience — without backhauling and without duplicating the security appliance stack at each location. Because the Zscaler Cloud Security Platform delivers the entire security stack as a cloud service, there is no compromising on security. And with Zscaler, policies are not tied to a physical location; instead, they follow users to provide identical protection no matter where they connect.
Simply route Internet-bound traffic to Zscaler and immediately begin inspecting all traffic — all ports and protocols, including SSL. You can define and immediately enforce access and security policies across all locations from a single console. And with Zscaler, cloud services scale elastically, allowing you to deploy new services, like Bandwidth Control, in just a few clicks — without impacting performance and without costly appliance upgrades.
SSL INSPECTION WITH SLA-BACKED PERFORMANCE
SSL is now the default communication protocol, and many threats like ransomware try to hide inside SSL—and sometimes even use other ports—so it’s imperative to inspect all traffic. But SSL inspection remains a significant challenge for security appliances; decrypting, inspecting, and re-encrypting that traffic is known to decimate a firewall’s performance. [2] Zscaler Cloud Firewall, a part of the Zscaler platform of services, inspects all traffic — all ports and protocols, including SSL, with near-zero latency.
• Secure local Internet breakouts
• Enables a fast user experience
• Delivers the entire security stack as a cloud-based service – without appliances
• Software-defined policies to send select traffic to Zscaler Cloud
[Diagram labels: Open Internet, SaaS, Cloud, HQ, Branch, Mobile employees, MPLS/Internet, SD-WAN overlay, Data center SD-WAN edge device, Branch SD-WAN edge device, Internet traffic (broadband, 4G/LTE)]
>86%: More than 86% of traffic to Google is encrypted [1]
81%: SSL inspection with an appliance creates an 81% average loss in performance [2]
[1] Transparency Report – Google, https://www.google.com/transparencyreport/https/?hl=en
[2] Pirc, John W., “SSL Performance Problems: Significant SSL Performance Loss Leaves Much Room for Improvement.” NSS Labs (https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/)
ZSCALER AND SD-WAN

Reduce cost and complexity
Zscaler and SD-WAN enable the Internet-only branch without the cost and complexity of traditional network and security appliances
SD-WAN
• Simplifies connecting branches to the Internet by using software-defined policies and eliminating complex access control lists associated with traditional appliances
• Leverages multiple branch connection types (broadband, VPN over broadband, LTE, and MPLS) to allow a seamless migration from hub-and-spoke architecture
ZSCALER
• Secures local Internet breakouts by delivering the entire security stack as a cloud service, eliminating the need for branch firewalls and UTMs
• Enables secure local Internet breakouts without any appliances to deploy or manage
• Reduces MPLS backhauling costs

Simplify operations
Zscaler and SD-WAN simplify branch operations by delivering security as a cloud service and using software-defined policies to route traffic
SD-WAN
• Uses software policies that are defined in a single cloud management console to determine how traffic is routed
ZSCALER
• Eliminates the need to buy, deploy, and manage stacks of security appliances in all your branch locations
• Allows central definition of security and access policies in a single console
• Immediately enforces policy changes across all locations
• Enables deployment of new security services across all locations in minutes, with just a few clicks

Secure and scale
Zscaler delivers the entire security stack as a cloud service, providing identical protection for users wherever they connect — coffee shop, headquarters, or the branch
• Routes Internet traffic locally to enable a fast user experience
• Provides security and access controls for outbound Internet traffic on all ports, not just 80 and 443, to prevent advanced threats
ZSCALER
• Delivers a full set of security and access controls as a purpose-built, cloud-based service - no compromising on security
• Performs full inline content inspection and access controls for all ports and protocols, with full logging capabilities
• Natively inspects SSL traffic
• Scales elastically to enable rapid deployment of new features (like bandwidth control or data loss prevention) without impacting performance or requiring appliance refreshes
• Brings the entire security stack close to the user, ensuring identical protection for users wherever they connect
CONTACT US
Zscaler, Inc.
110 Rose Orchard Way
San Jose, CA 95134, USA
+1 408.533.0288
+1 866.902.7811
www.zscaler.com
© 2017 Zscaler, Inc. All rights reserved. Zscaler™, SHIFT™, Direct-to-Cloud™, ZPA™, ByteScan™, PageRisk™, Nanolog™, PolicyNow™, and The Internet is the new network™ are trademarks or registered trademarks of Zscaler, Inc. in the
United States and/or other countries. All other trademarks are the property of their respective owners. This product may be subject to one or more U.S. or non-U.S. patents listed at www.zscaler.com/patents
AGILENT
With the Zscaler Cloud Security Platform, Agilent established secure local Internet breakouts for 120 remote sites. The company had been backhauling traffic to six regional datacenters with stacks of security appliances, but with Zscaler, Agilent secured its sites at the edge — without deploying 240+ appliances.
THREAT PREVENTION
• ADVANCED PROTECTION
• CLOUD SANDBOX
• ANTI-VIRUS
• DNS SECURITY
DATA PROTECTION
• DATA LOSS PREVENTION
• FILE TYPE CONTROLS
• CLOUD APPS (CASB)
ACCESS CONTROL
• URL FILTERING
• CLOUD FIREWALL
• BANDWIDTH CONTROL
• DNS FILTERING
Powered by Patented Technologies
• SSMA™: All security engines fire with each content scan – only microsecond delay
• ByteScan™: Each outbound/inbound byte scanned, native SSL scanning
• PageRisk™: Risk of each object computed inline, dynamically
• NanoLog™: 50:1 compression, real-time global log consolidation
• PolicyNow™: Policies follow the user for same on-premise, off-premise protection
Viptela and Zscaler demonstrated their leadership and ability to deliver the enterprise SD-WAN and cloud-based security we were after. This has fundamentally transformed our cost structure and enabled us to confidently realize the benefits of operational efficiency and scalability around the globe.
– Pascal Heger, Global Network Architect at Agilent
ZSCALER PURPOSE-BUILT MULTI-TENANT CLOUD SECURITY PLATFORM