Zscaler and SD-WAN · 2019-02-15 · ZSCALER SD-WAN SOLUTION BRIEF


SOLUTION BRIEF

Zscaler™ and SD-WAN

Securing the Internet-only branch

Zscaler and SD-WAN make it easy to migrate from a hub-and-spoke network to an Internet-only branch architecture by enabling secure local Internet breakouts.

CLOUD APPS HAVE BROKEN TRADITIONAL ARCHITECTURES

For organizations deploying cloud applications like Office 365, the old approach to routing traffic, backhauling over MPLS to a centralized Internet gateway via a hub-and-spoke architecture, is inadequate. To deliver a fast user experience and support cloud applications and services, Internet traffic must be routed locally.

But to deliver the same level of security as the centralized Internet gateway, organizations must replicate the stack of security appliances at every branch, which is expensive to buy, deploy, and manage. Traditional firewalls and UTMs are a poor alternative, as they cannot handle SSL-encrypted traffic or non-standard ports and protocols. Because of these challenges, organizations are increasingly turning to SD-WAN to establish local Internet breakouts and deliver a fast user experience.

SD-WAN AND LOCAL INTERNET BREAKOUTS

Software-Defined Wide Area Networking (SD-WAN) simplifies how traffic is routed in the branch and makes it easy to establish local Internet breakouts. Software-defined policies are used to select the best path to route traffic connecting the branch to the Internet, cloud applications, and the datacenter. By defining policies for all branches — in the cloud through a single interface — organizations can easily deploy new applications and services, and manage policies across many locations. But these local breakouts need to be secured.

Traditional Hub-and-Spoke

• Backhauling over MPLS is expensive

• Introduces unnecessary latency

• Negatively impacts user experience

UTM/Firewall Appliance Sprawl

• Cost prohibitive to deploy

• Creates appliance sprawl

• Untenable to manage

• Compromises branch security

• Performance degrades with SSL inspection and additional security services


©2017 Zscaler, Inc. All rights reserved.

ZSCALER: THE CLOUD WAY TO SECURE SD-WAN

Zscaler secures outbound Internet traffic and delivers a fast user experience — without backhauling and without duplicating the security appliance stack at each location. Because the Zscaler Cloud Security Platform delivers the entire security stack as a cloud service, there is no compromising on security. And with Zscaler, policies are not tied to a physical location; instead, they follow users to provide identical protection no matter where they connect.

Simply route Internet-bound traffic to Zscaler and immediately begin inspecting all traffic — all ports and protocols, including SSL. You can define and immediately enforce access and security policies across all locations from a single console. And with Zscaler, cloud services scale elastically, allowing you to deploy new services, like Bandwidth Control, in just a few clicks — without impacting performance and without costly appliance upgrades.

SSL INSPECTION WITH SLA-BACKED PERFORMANCE

SSL is now the default communication protocol, and many threats like ransomware try to hide inside SSL—and sometimes even use other ports—so it’s imperative to inspect all traffic. But SSL inspection remains a significant challenge for security appliances; decrypting, inspecting, and re-encrypting that traffic is known to decimate a firewall’s performance. [2] Zscaler Cloud Firewall, a part of the Zscaler platform of services, inspects all traffic — all ports and protocols, including SSL, with near-zero latency.

[Figure labels: Open Internet, SaaS, Cloud; HQ, Branch, Mobile employees; Data center SD-WAN edge device; Branch SD-WAN edge device; SD-WAN overlay (MPLS/Internet); Internet traffic (broadband, 4G/LTE)]

• Secure local Internet breakouts

• Enables a fast user experience

• Delivers the entire security stack as a cloud-based service – without appliances

• Software-defined policies to send select traffic to Zscaler Cloud

>86%: More than 86% of traffic to Google is encrypted [1]

81%: SSL inspection with an appliance creates an 81% average loss in performance [2]

[1] Transparency Report – Google, https://www.google.com/transparencyreport/https/?hl=en

[2] Pirc, John W., “SSL Performance Problems: Significant SSL Performance Loss Leaves Much Room for Improvement.” NSS Labs (https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/)


ZSCALER AND SD-WAN

Reduce cost and complexity

Zscaler and SD-WAN enable the Internet-only branch without the cost and complexity of traditional network and security appliances

Simplify operations

Zscaler and SD-WAN simplify branch operations by delivering security as a cloud service and using software-defined policies to route traffic

Secure and scale

Zscaler delivers the entire security stack as a cloud service, providing identical protection for users wherever they connect — coffee shop, headquarters, or the branch

SD-WAN

• Simplifies connecting branches to the Internet by using software-defined policies and eliminating complex access control lists associated with traditional appliances

• Leverages multiple branch connection types (broadband, VPN over broadband, LTE, and MPLS) to allow a seamless migration from hub-and-spoke architecture

ZSCALER

• Secures local Internet breakouts by delivering the entire security stack as a cloud service, eliminating the need for branch firewalls and UTMs

• Enables secure local Internet breakouts without any appliances to deploy or manage

• Reduces MPLS backhauling costs

SD-WAN

• Uses software policies that are defined in a single cloud management console to determine how traffic is routed

ZSCALER

• Eliminates the need to buy, deploy, and manage stacks of security appliances in all your branch locations

• Allows central definition of security and access policies in a single console

• Immediately enforces policy changes across all locations

• Enables deployment of new security services across all locations in minutes, with just a few clicks

• Routes Internet traffic locally to enable a fast user experience

• Provides security and access controls for outbound Internet traffic on all ports, not just 80 and 443, to prevent advanced threats

ZSCALER

• Delivers a full set of security and access controls as a purpose-built, cloud-based service - no compromising on security

• Performs full inline content inspection and access controls for all ports and protocols, with full logging capabilities

• Natively inspects SSL traffic

• Scales elastically to enable rapid deployment of new features (like bandwidth control or data loss prevention) without impacting performance or requiring appliance refreshes

• Brings the entire security stack close to the user, ensuring identical protection for users wherever they connect


CONTACT US

Zscaler, Inc.
110 Rose Orchard Way
San Jose, CA 95134, USA
+1 408.533.0288
+1 866.902.7811

www.zscaler.com


© 2017 Zscaler, Inc. All rights reserved. Zscaler™, SHIFT™, Direct-to-Cloud™, ZPA™, ByteScan™, PageRisk™, Nanolog™, PolicyNow™, and The Internet is the new network™ are trademarks or registered trademarks of Zscaler, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners. This product may be subject to one or more U.S. or non-U.S. patents listed at www.zscaler.com/patents

AGILENT

With the Zscaler Cloud Security Platform, Agilent established secure local Internet breakouts for 120 remote sites. The company had been backhauling traffic to six regional datacenters with stacks of security appliances, but with Zscaler, Agilent secured its sites at the edge — without deploying 240+ appliances.

Viptela and Zscaler demonstrated their leadership and ability to deliver the enterprise SD-WAN and cloud-based security we were after. This has fundamentally transformed our cost structure and enabled us to confidently realize the benefits of operational efficiency and scalability around the globe.

– Pascal Heger, Global Network Architect at Agilent

ZSCALER PURPOSE-BUILT MULTI-TENANT CLOUD SECURITY PLATFORM

THREAT PREVENTION: Advanced Protection, Cloud Sandbox, Anti-Virus, DNS Security

DATA PROTECTION: Data Loss Prevention, File Type Controls, Cloud Apps (CASB)

ACCESS CONTROL: URL Filtering, Cloud Firewall, Bandwidth Control, DNS Filtering

Powered by Patented Technologies

• SSMA™: All security engines fire with each content scan – only microsecond delay

• ByteScan™: Each outbound/inbound byte scanned, native SSL scanning

• PageRisk™: Risk of each object computed inline, dynamically

• NanoLog™: 50:1 compression, real-time global log consolidation

• PolicyNow™: Policies follow the user for same on-premise, off-premise protection