Secure Your Network for Scale & the Cloud

SD-WAN Architecture:

Secure Your Network

for Scale and the CloudSteve Woo

VP of Products & Co-founder

Security Key Value for SD-WAN

VeloCloud Networks Proprietary & Confidential | © Copyright 2016

Title


SD-WAN Security Advantages


Branch

Edges

Cloud Gateways

SaaS

Zero touch & secure deployments,

simplified operations, one-click

service insertion

Direct cloud access with

performance, reliability and

security

Simplified & Automated

WAN ManagementManaged on-ramp

to the cloud

Datacenter Edges

Transport independent performance &

security for the most demanding apps,

leverages economical bandwidth

SD-WAN Overlay

Assured Application

Performance & Security

SD-WAN Security Checklist


Secure connectivity [ ] ANY and ALL transport

[ ] Enterprise AND cloud datacenters

[ ] Scalable, automated

Segmentation [ ] Intra enterprise, Multi-tenant

Security services insertion [ ] Branch, distributed, cloud, multi-

vendor

Secure deployment [ ] Branch provisioning

[ ] SD-WAN infrastructure

Visibility [ ] User and application activity

[ ] Compliance and security analytics

Unified Secure Overlay


Branch SiteEnterprise DC

Hub Edge

Branch

Edge

Enterprise DC

Traditional

Private

Datacenters

INTERNET

Cloud Gateways

Private - MPLS

IPsec VPN

Unified VPN over all transports

Cloud VPN eliminates backhaul

Automated VPN to cloud via gateway

eliminates NxN manual tunnels

Traditional Key Architecture - i


Centralized

Distributed Centralized

OrchestrationDifficult Easy

Control Plane Attack SurfaceSmall – Uncommon to attack the Hub Large – Key Server single point of attack

Data plane Attack SurfaceSmall – Just a pair-wise key Large – Entire Group sharing the same keys

Distributed

Traditional Key Architecture - ii


Pre-shared PKI

ComplexityIntegrated Requires a separate Certificate Authority

ScalabilityManual configured key-pair Centrally provisioned by the CA server

Automation workflows NoNot Integrated

- Secure onboarding

- CRL + Tunnel Integrity

Pre-shared Keys PKI

SD-WAN Key Arch Advantages



Branch

Edge

Enterprise DC

Hybrid Cloud

Traditional

Private

Datacenters

INTERNET

Cloud Gateways

Orchestrator

Private - MPLSDynamic

branch to branch

Edge device’s Public key pinned

Preferred Attributes

Centralized Orchestration

Small control plane attack

surface due to pinning of Edge

public keys

Small data plane attack surface

due to Pair-wise keys

Integrated PKI + Orchestration

High Scalability with PKI

Integrated Automation of:

- CRL with Tunnel integrity

- Secure onboarding

IKE

+ IP

sec

sessio

n

CRL distribution

+

Automatic tunnel

integrity check

Integrated CA

Hub

Edge

SD-WAN Segmentation


Enterprise A

VLAN 1

VLAN 2

VLAN 3

VLAN 4

Enterprise B VRF AVLAN 1

VLAN 2

VLAN 3

VLAN 4

Multi-Tenant

SD-WAN Cloud

Gateway

VRF 3

VRF 4

• Services by Enterprise – VRF mapping

• Services granularity by VLAN tag

VRF B-4

VRF B-3

SP NFV Orchestrator

SD-WAN

Edge








vendor





Security Service Insertion



Hub Edge

Branch

Edge

Enterprise DC

Hybrid Cloud

Traditional

Private

Datacenters

INTERNET

Cloud Gateways

Orchestrator

Private - MPLS

Controllers

Private & Internet circuits, Enterprise & SaaS applications, On premise & Cloud deployments

Service

Insertion Points

Branch Security Service Insertions


vCPE platform

OS + HW

SD-WAN

VNFFW

VNF

WOC

VNF

Orchestration

General Purpose

Virtual CPE

3

= Cloud Delivered

SDWAN

SDWAN Virtual

Services Platform

SDWANFW

VNF

X

VNF

SDWAN Orchestration

SD-WAN Virtual

Services Platform

L7

Fire

wall

Dyn

Multi

Path

VPN NAT

SDWAN

SD-WAN CPE

with virtualized services

Embedded Services

Services on / off

Granular policies by L7 traffic profile

Multiple CPE options:

SD-WAN Service Chaining


SD-WAN

SaaS / IaaS

Enterprise DC

Branch

WebCloud

Gateways

Policy based service insertion:

Different service chains applied by policy

Services can be at branch only or dual ended

SD-WAN EdgeSD-WAN

Edge

VPN

Fire

wallDyn

Multi

Path

Internet Backhaul Challenge


Complex with Traditional WAN

Not performance-aware

Policy definition at L3 only

Require touching every branch

Per-application tuning difficult

More complex with multiple linksBranch

Headend

Advertise

0.0.0.0/0

(Preferred)

Advertise

0.0.0.0/0

Policy-based Internet Backhaul to DCs


Branch

Edge

Primary

Hub EdgeSecondary

Hub Edge

Primary path Secondary path

Backhaul ALL or subset of Internet traffic

Flexible link steering policy

SD-WAN Distributed Security Insertion


Branch Site

Distributed Regional Mini-

Datacenters

On Premise

Email DLPFirewalls

Enterprise

Applications

Enterprise Datacenters

Distributed Service Insertion

• SDWAN one-click app aware service insertion

• Enables disaggregation and distribution of services to

multiple regional mini-datacenters

• Same or different service chains by DC

• SDWAN optimal for SDN instantiated virtual services in DC

• Reduces branch complexity and attack surface

SD-WAN

Edges

SD-WAN

Edges

Branch to Branch Service Insertion


Branch Site

Distributed Regional Mini-

Datacenters

Firewalls

Distributed Service Insertion

• Regionalize services even for branch to branch traffic

• Next gen firewall can apply rules by application

SD-WAN

Edges

Multi-DC Services Insertion


Branch Site

Datacenter 1

Multi-DC Service Insertion

• Dynamic routing for service insertion

Datacenter 2

SD-WAN

Edges

SD-WAN

Edge

SD-WAN

Edge

Email DLP

Firewalls

SD-WAN Hybrid Security Insertion


Branch Site

Enterprise Hub

On Premises

Security

Other Web traffic

Salesforce.com

Web email

Internet

• Backhaul to on-premises services

– Regional and central

• SD-WAN performance service chained to cloud security services

• One-click, by application Cloud

Security

Services

SD-WAN service chaining for hybrid services

SD-WAN

Edge








vendor





Complex & Insecure Legacy Deployments


“IT Visit”

No security risk if box lost

X IT visit to site required

1-Ship

2-Install

3-Config

No IT visit required

X Drop ship not possible

X Configure and track every box

X Security risk if mis-ship

“Pre-stage”

2-Ship

3-Install

1-Config

Simple & Secure SD-WAN Activation


“Pull Activation Key”

1-Ship

3-Install +

pull config

2-Create config + send key

“Call Home Push Activation”

1-Ship

2-Install +

Call Home

3-Push Config



No pre-staging required

No device tracking needed

Two factor – key and device



No pre-staging required

Independent physical install

> Requires knowledge of device to site

Flexible Deployment Options


Branch Site Enterprise DC

Datacenter

Edge

Edge

Enterprise DC

SaaSHybrid Cloud

Cloud DC

Traditional

Private

Datacenters

INTERNET

Cloud Gateways

Orchestrator

Private - MPLS

• On-premises in Enterprise

• Hosted in secure cloud datacenters

On-Premise SD-WAN Deployment


SaaS / IaaS

INTERNET and MPLS

VeloCloud

Edge

Enterprise DC

Edges in “hub” role at enterprise datacenters and

regional hubs

On-premise Orchestrator and Controllers

One-click granular traffic backhaul to regional hubs

Direct breakout to Internet for non-backhaul traffic

VeloCloud

Orchestrator

Regional Hubs

VeloCloud

Edge

VeloCloud

Edge

Regional Hubs

Internet

VeloCloud

Controllers

Policy Based Link Steering Overrides

Pin an application to a path

even when the link fails

e.g. > PCI to compliant provider

Prefer application on a path but

steer away if cannot meet SLA

e.g. > Prefer high bandwidth

video conferencing on broadband

Prefer application on a path but

steer away if the link fails

e.g. > Wired to wireless

Add metered usage of wireless

Abstract actual interface/WAN links from the

business policy

Mandatory

Private

Available

Public Wired

Preferred

Public

Internet

Public-Wireless

Private

Public

Public-Wired

Private


Managed SD-WAN / Security


SD-WAN

MPLS/Private

Cloud SP

Datacenter

PECE

Router

PE

Virtual

CPE with

SD-WAN

Enterprise

DatacenterBranch

SDWAN

Gateway

SDWAN

Gateway

SDWAN

Orchestrator

SD-WAN

MPLS/Private

Cloud SP

Datacenter

SDWAN

Edge

Enterprise

Datacenter

Branch

SDWAN

Orchestrator

SDWAN

Edge

“Over The Top” “Integrated”








vendor





App Usage Visibility


App Usage & Categories

• ALL applications by category identifies risk

• Organize by category or volume

• One-click drill down to sources, destinations

Compliance Monitoring


Policy compliance monitoring

• Central orchestrator view across enterprise

• At-a-glance monitoring of site deviations from policy

• One-click drill down into policy details

SIEM Analytics


Branch

Edges

Cloud Gateways SaaS

Datacenter Edges

SD-WAN Overlay

Orchestrator

SD-WAN to SIEM:

• Events, flow data and logs from

Edges and Orchestrator

• Visibility before encrypted tunneling

• Across on-premises and cloud

• Multi-tenant

SIEM

Event Collectors /

Processors

IPFIX (Netflow v10)

SNMP v2c/v3

Packet capture

Security logs

and alerts Syslog

API / SDK








vendor





Q&A

www.velocloud.com/sd-wan-dummies

Date post:	16-Apr-2017
Category:	Technology
Upload:	velocloud-networks-inc
View:	448 times
Download:	0 times

Secure Your Network for Scale & the Cloud

Technology