Date posted: 16-Apr-2017 | Category: Technology | Uploaded by: velocloud-networks-inc
SD-WAN Architecture: Secure Your Network for Scale and the Cloud
Steve Woo, VP of Products & Co-founder
Security Key Value for SD-WAN
VeloCloud Networks Proprietary & Confidential | © Copyright 2016
SD-WAN Security Advantages
[Diagram: Branch Edges, Cloud Gateways, SaaS and Datacenter Edges joined by the SD-WAN Overlay, with the following callouts]
• Zero touch & secure deployments, simplified operations, one-click service insertion
• Direct cloud access with performance, reliability and security
• Simplified & automated WAN management
• Managed on-ramp to the cloud
• Transport independent performance & security for the most demanding apps, leverages economical bandwidth
• Assured application performance & security
SD-WAN Security Checklist
Secure connectivity
  [ ] ANY and ALL transport
  [ ] Enterprise AND cloud datacenters
  [ ] Scalable, automated
Segmentation
  [ ] Intra enterprise, multi-tenant
Security services insertion
  [ ] Branch, distributed, cloud, multi-vendor
Secure deployment
  [ ] Branch provisioning
  [ ] SD-WAN infrastructure
Visibility
  [ ] User and application activity
  [ ] Compliance and security analytics
Unified Secure Overlay
[Diagram: Branch Edge and Enterprise DC Hub Edge connected over Private MPLS and the INTERNET by IPsec VPN; Cloud Gateways extend the overlay to traditional private datacenters]
• Unified VPN over all transports
• Cloud VPN eliminates backhaul
• Automated VPN to cloud via gateway eliminates NxN manual tunnels
Traditional Key Architecture - i
                             | Distributed                          | Centralized
Orchestration                | Difficult                            | Easy
Control plane attack surface | Small – uncommon to attack the Hub   | Large – key server is a single point of attack
Data plane attack surface    | Small – just a pair-wise key         | Large – entire group shares the same keys
Traditional Key Architecture - ii
                     | Pre-shared Keys               | PKI
Complexity           | Integrated                    | Requires a separate Certificate Authority
Scalability          | Manually configured key-pair  | Centrally provisioned by the CA server
Automation workflows | No                            | Not integrated
  - Secure onboarding
  - CRL + tunnel integrity
SD-WAN Key Arch Advantages
[Diagram: Branch Edge, Enterprise DC Hub Edge, Cloud Gateways and an Orchestrator with integrated CA over Private MPLS and the INTERNET; dynamic branch-to-branch IKE + IPsec sessions; each Edge device's public key is pinned; CRL distribution plus automatic tunnel integrity check]
Preferred Attributes
• Centralized Orchestration
• Small control plane attack surface due to pinning of Edge public keys
• Small data plane attack surface due to pair-wise keys
• Integrated PKI + Orchestration
• High scalability with PKI
• Integrated automation of:
  - CRL with tunnel integrity
  - Secure onboarding
SD-WAN Segmentation
[Diagram: Enterprise A (VLAN 1-4) and Enterprise B (VLAN 1-4) behind SD-WAN Edges; a multi-tenant SD-WAN Cloud Gateway maps tenants to VRFs (VRF 3, VRF 4, VRF B-3, VRF B-4) under an SP NFV Orchestrator]
• Services by Enterprise – VRF mapping
• Services granularity by VLAN tag
Security Service Insertion
[Diagram: service insertion points at the Branch Edge, the Enterprise DC Hub Edge, Cloud Gateways, Hybrid Cloud and traditional private datacenters, with Orchestrator and Controllers, across Private MPLS and the INTERNET]
Private & Internet circuits, Enterprise & SaaS applications, on premise & cloud deployments
Branch Security Service Insertions
Multiple CPE options:
1. General Purpose Virtual CPE: vCPE platform (OS + HW) hosting SD-WAN, FW VNF and WOC VNF under separate orchestration
2. SD-WAN Virtual Services Platform: SD-WAN hosting FW VNF and other (X) VNFs under SD-WAN orchestration
3. SD-WAN CPE with virtualized services: embedded L7 firewall, Dynamic Multi-Path, VPN and NAT
[Diagram legend: = Cloud Delivered]
Embedded services
• Services on / off
• Granular policies by L7 traffic profile
SD-WAN Service Chaining
[Diagram: SD-WAN Edges at the Branch and the Enterprise DC, each with VPN, Firewall and Dynamic Multi-Path; Cloud Gateways toward SaaS / IaaS and the Web]
Policy based service insertion:
• Different service chains applied by policy
• Services can be at branch only or dual ended
Internet Backhaul Challenge
Complex with Traditional WAN
• Not performance-aware
• Policy definition at L3 only
• Requires touching every branch
• Per-application tuning difficult
• More complex with multiple links
[Diagram: Branch with links to two Headends, each advertising 0.0.0.0/0, one marked (Preferred)]
Policy-based Internet Backhaul to DCs
[Diagram: Branch Edge with a primary path to the Primary Hub Edge and a secondary path to the Secondary Hub Edge]
• Backhaul ALL or a subset of Internet traffic
• Flexible link steering policy
SD-WAN Distributed Security Insertion
[Diagram: Branch Site SD-WAN Edges reach distributed regional mini-datacenters (on-premise firewalls, email DLP) and Enterprise Datacenters (enterprise applications)]
Distributed Service Insertion
• SDWAN one-click app aware service insertion
• Enables disaggregation and distribution of services to multiple regional mini-datacenters
• Same or different service chains by DC
• SDWAN optimal for SDN instantiated virtual services in DC
• Reduces branch complexity and attack surface
Branch to Branch Service Insertion
[Diagram: Branch Site SD-WAN Edges with branch-to-branch traffic passed through firewalls in distributed regional mini-datacenters]
Distributed Service Insertion
• Regionalize services even for branch to branch traffic
• Next gen firewall can apply rules by application
Multi-DC Services Insertion
[Diagram: Branch Site SD-WAN Edges reach Datacenter 1 and Datacenter 2, each with its own SD-WAN Edge, firewalls and email DLP]
Multi-DC Service Insertion
• Dynamic routing for service insertion
SD-WAN Hybrid Security Insertion
[Diagram: Branch Site SD-WAN Edge backhauls selected traffic to on-premises security at the Enterprise Hub, while Salesforce.com, web email and other web traffic are service chained to cloud security services on the Internet]
• Backhaul to on-premises services
  – Regional and central
• SD-WAN performance service chained to cloud security services
• One-click, by application
SD-WAN service chaining for hybrid services
Complex & Insecure Legacy Deployments
“IT Visit”: 1-Ship, 2-Install, 3-Config
  No security risk if box lost
  X IT visit to site required
“Pre-stage”: 1-Config, 2-Ship, 3-Install
  No IT visit required
  X Drop ship not possible
  X Configure and track every box
  X Security risk if mis-shipped
Simple & Secure SD-WAN Activation
“Pull Activation Key”: 1-Ship, 2-Create config + send key, 3-Install + pull config
  No IT visit required
  No security risk if box lost
  No pre-staging required
  No device tracking needed
  Two factor – key and device
“Call Home Push Activation”: 1-Ship, 2-Install + Call Home, 3-Push Config
  No IT visit required
  No security risk if box lost
  No pre-staging required
  Independent physical install
  > Requires knowledge of device to site
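An added illustrative model of the two activation flows on this slide, written for this page and not VeloCloud's implementation: the pull flow needs an activation key (factor one) and a genuine device (factor two), the key is single use and expiring, and no serial-to-site tracking is needed up front; the call-home flow instead needs the orchestrator to already know which serial belongs to which site. The manufacturer key, the `Orchestrator` class, the `genuine` check and the status strings are all constructed assumptions.

```python
import hmac, hashlib, secrets, time

# Constructed stand-in for a factory-provisioned device identity (hypothetical model):
# a genuine Edge can prove its serial, a fabricated or cloned identity cannot.
MANUFACTURER_KEY = secrets.token_bytes(32)

def factory_identity(serial: str) -> str:
    return hmac.new(MANUFACTURER_KEY, serial.encode(), hashlib.sha256).hexdigest()

def genuine(serial: str, proof: str) -> bool:
    return hmac.compare_digest(proof, factory_identity(serial))

class Orchestrator:
    """Hypothetical orchestrator side of both activation flows on the slide."""
    def __init__(self):
        self._keys = {}     # activation key -> (site, config, expiry)   pull model
        self._site_of = {}  # serial -> (site, config)                   call-home model

    # "Pull Activation Key", step 2: create the config and send the key to the installer.
    # No serial is needed up front (no device tracking); the key is single use and expires.
    def create_config_and_key(self, site, config, ttl_s=7 * 86400, now=None):
        key = secrets.token_urlsafe(16)
        self._keys[key] = (site, config, (time.time() if now is None else now) + ttl_s)
        return key

    # Step 3: the installed box presents the key (factor 1) and its device identity (factor 2).
    def pull_config(self, key, serial, proof, now=None):
        rec = self._keys.get(key)
        if rec is None:
            return None, "unknown-or-used-key"
        site, config, expiry = rec
        if (time.time() if now is None else now) > expiry:
            del self._keys[key]
            return None, "expired-key"
        if not genuine(serial, proof):
            return None, "not-a-genuine-device"   # a leaked key alone is not enough
        del self._keys[key]                        # single use: no replay from a second box
        return config, f"activated:{site}"

    # "Call Home Push Activation": the orchestrator must already know which serial
    # belongs to which site (the slide's "requires knowledge of device to site").
    def assign_device(self, serial, site, config):
        self._site_of[serial] = (site, config)

    def call_home(self, serial, proof):
        if not genuine(serial, proof):
            return None, "not-a-genuine-device"
        rec = self._site_of.pop(serial, None)     # an unassigned (e.g. lost) box gets nothing
        if rec is None:
            return None, "unassigned-device"
        site, config = rec
        return config, f"activated:{site}"
```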
Flexible Deployment Options
[Diagram: Branch Site Edge, Datacenter Edge at the Enterprise DC, Cloud DC with SaaS / Hybrid Cloud, Cloud Gateways and Orchestrator, over Private MPLS and the INTERNET]
• On-premises in Enterprise
• Hosted in secure cloud datacenters
On-Premise SD-WAN Deployment
[Diagram: VeloCloud Edges at branches, the Enterprise DC and Regional Hubs; VeloCloud Orchestrator and Controllers on premise; INTERNET and MPLS transports; SaaS / IaaS reached via the Internet]
• Edges in “hub” role at enterprise datacenters and regional hubs
• On-premise Orchestrator and Controllers
• One-click granular traffic backhaul to regional hubs
• Direct breakout to Internet for non-backhaul traffic
Policy Based Link Steering Overrides
• Pin an application to a path even when the link fails
  e.g. > PCI to compliant provider
• Prefer application on a path but steer away if it cannot meet SLA
  e.g. > Prefer high bandwidth video conferencing on broadband
• Prefer application on a path but steer away if the link fails
  e.g. > Wired to wireless
• Add metered usage of wireless
• Abstract actual interface/WAN links from the business policy
[Diagram: link classes Private, Public-Wired and Public-Wireless (Internet), with per-application steering marked Mandatory, Preferred or Available]
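The three override modes on this slide (pin even when the link fails, prefer but steer away on an SLA miss, prefer but steer away on link failure) as an added worked example; this is not code from the deck or from VeloCloud. Interface names, link classes, SLA thresholds and the `steer` function are assumptions, and, as the slide recommends, policy refers to link classes rather than physical interfaces.

```python
from dataclasses import dataclass, field

# Constructed sample links; policy names only a link_class, never the interface.
@dataclass
class Link:
    name: str            # physical WAN interface (hypothetical names)
    link_class: str      # "Private", "Public-Wired" or "Public-Wireless"
    up: bool
    latency_ms: float
    loss_pct: float
    metered: bool = False   # wireless with usage charges

@dataclass
class Policy:
    app: str
    link_class: str                  # class the app is pinned or preferred on
    mode: str                        # "mandatory" | "preferred-sla" | "preferred-up"
    fallback_classes: list = field(default_factory=list)
    max_latency_ms: float = float("inf")
    max_loss_pct: float = 100.0

def meets_sla(link: Link, policy: Policy) -> bool:
    return link.latency_ms <= policy.max_latency_ms and link.loss_pct <= policy.max_loss_pct

def steer(policy: Policy, links: list) -> tuple:
    """Choose the WAN link for one application: (interface name or None, reason)."""
    preferred = [l for l in links if l.link_class == policy.link_class and l.up]
    if policy.mode == "mandatory":
        # Pinned (e.g. PCI to a compliant provider): never leave the class, even when it is down.
        return (preferred[0].name if preferred else None, "pinned")
    if policy.mode == "preferred-sla":
        preferred = [l for l in preferred if meets_sla(l, policy)]   # steer away on SLA miss
    elif policy.mode != "preferred-up":
        raise ValueError(f"unknown mode {policy.mode}")
    if preferred:
        return (preferred[0].name, "preferred")
    # Steer away in the policy's fallback order; unmetered and lowest latency first.
    for cls in policy.fallback_classes:
        alt = [l for l in links if l.link_class == cls and l.up and meets_sla(l, policy)]
        if alt:
            best = min(alt, key=lambda l: (l.metered, l.latency_ms))
            return (best.name, "steered-away")
    return (None, "no-path")

LINKS = [Link("ge1", "Private", True, 30, 0.0),
         Link("ge2", "Public-Wired", True, 45, 0.2),
         Link("lte0", "Public-Wireless", True, 80, 1.0, metered=True)]
POLICIES = {
    "pci":   Policy("pci", "Private", "mandatory"),
    "video": Policy("video", "Public-Wired", "preferred-sla", ["Private", "Public-Wireless"],
                    max_latency_ms=150, max_loss_pct=1.0),
    "web":   Policy("web", "Public-Wired", "preferred-up", ["Public-Wireless"]),
}
```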
Managed SD-WAN / Security
[Diagram “Over The Top”: SD-WAN overlay across MPLS/Private between the Branch (CE Router, Virtual CPE with SD-WAN), the Enterprise Datacenter and the Cloud SP Datacenter (PE routers), with SDWAN Gateways and an SDWAN Orchestrator]
[Diagram “Integrated”: SDWAN Edges at the Branch and the Enterprise Datacenter, MPLS/Private to the Cloud SP Datacenter, with an SDWAN Orchestrator]
App Usage Visibility
App Usage & Categories
• ALL applications by category identifies risk
• Organize by category or volume
• One-click drill down to sources, destinations
Compliance Monitoring
Policy compliance monitoring
• Central orchestrator view across enterprise
• At-a-glance monitoring of site deviations from policy
• One-click drill down into policy details
SIEM Analytics
[Diagram: Branch Edges, Cloud Gateways, SaaS, Datacenter Edges and the Orchestrator on the SD-WAN Overlay feeding SIEM event collectors / processors]
SD-WAN to SIEM:
• Events, flow data and logs from Edges and Orchestrator
• Visibility before encrypted tunneling
• Across on-premises and cloud
• Multi-tenant
Export interfaces: IPFIX (Netflow v10), SNMP v2c/v3, packet capture, security logs and alerts via Syslog, API / SDK
Q&A
www.velocloud.com/sd-wan-dummies