SD-WAN Architecture:
Secure Your Network
for Scale and the Cloud
Steve Woo
VP of Products & Co-founder
Security Key Value for SD-WAN
VeloCloud Networks Proprietary & Confidential | © Copyright 2016
SD-WAN Security Advantages
Diagram labels: Branch Edges, Datacenter Edges, Cloud Gateways, SaaS, SD-WAN Overlay.
• Simplified & Automated WAN Management: zero touch & secure deployments, simplified operations, one-click service insertion
• Managed on-ramp to the cloud: direct cloud access with performance, reliability and security
• Assured Application Performance & Security: transport independent performance & security for the most demanding apps, leverages economical bandwidth
SD-WAN Security Checklist
Secure connectivity
  [ ] ANY and ALL transport
  [ ] Enterprise AND cloud datacenters
  [ ] Scalable, automated
Segmentation
  [ ] Intra enterprise, multi-tenant
Security services insertion
  [ ] Branch, distributed, cloud, multi-vendor
Secure deployment
  [ ] Branch provisioning
  [ ] SD-WAN infrastructure
Visibility
  [ ] User and application activity
  [ ] Compliance and security analytics
Unified Secure Overlay
Diagram labels: Branch Site / Branch Edge, Enterprise DC / Hub Edge, Traditional Private Datacenters, INTERNET, Cloud Gateways, Private - MPLS, IPsec VPN.
• Unified VPN over all transports
• Cloud VPN eliminates backhaul
• Automated VPN to cloud via gateway eliminates NxN manual tunnels
Traditional Key Architecture - i (Distributed vs. Centralized)
Orchestration: Distributed = Difficult (✗); Centralized = Easy (✓)
Control plane attack surface: Distributed = Small – uncommon to attack the Hub (✓); Centralized = Large – key server is a single point of attack (✗)
Data plane attack surface: Distributed = Small – just a pair-wise key (✓); Centralized = Large – entire group sharing the same keys (✗)
Traditional Key Architecture - ii (Pre-shared Keys vs. PKI)
Complexity: Pre-shared Keys = Integrated (✓); PKI = Requires a separate Certificate Authority (✗)
Scalability: Pre-shared Keys = Manually configured key-pair (✗); PKI = Centrally provisioned by the CA server (✓)
Automation workflows (secure onboarding, CRL + tunnel integrity): Pre-shared Keys = No (✗); PKI = Not integrated (✗)
SD-WAN Key Arch Advantages
Diagram labels: Branch Site / Branch Edge, Enterprise DC / Hub Edge, Hybrid Cloud, Traditional Private Datacenters, INTERNET, Cloud Gateways, Orchestrator, Integrated CA, Private - MPLS; dynamic branch-to-branch IKE+IPsec session; Edge device's public key pinned; CRL distribution + automatic tunnel integrity check.
Preferred Attributes (✓):
• Centralized orchestration
• Small control plane attack surface due to pinning of Edge public keys
• Small data plane attack surface due to pair-wise keys
• Integrated PKI + orchestration
• High scalability with PKI
• Integrated automation of:
  - CRL with tunnel integrity
  - Secure onboarding
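The two properties the key-architecture slides contrast, pinned Edge public keys checked against a CRL before a tunnel comes up, and pair-wise tunnel keys whose compromise stays local instead of one group key shared by every site, as an added model in Python. This is illustrative code written for this page, not VeloCloud's implementation: the "public keys" are random byte strings identified by SHA-256 fingerprint, the CRL is a set of revoked fingerprints, the per-pair shared secret stands in for what IKE would negotiate, and the HKDF derivation and all Edge names are assumptions.

```python
"""Added example (not VeloCloud code): pinning + CRL check on tunnel setup,
and the blast radius of pair-wise keys versus one shared group key."""
import hashlib
import hmac
import os


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint used as the pin for an Edge public key."""
    return hashlib.sha256(pubkey).hexdigest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Orchestrator:
    """Holds the pinned fingerprint for every onboarded Edge plus the current CRL."""

    def __init__(self):
        self.pins = {}   # edge name -> pinned fingerprint (set at secure onboarding)
        self.crl = set()  # revoked fingerprints, distributed to Edges and Hubs

    def onboard(self, edge: str, pubkey: bytes) -> None:
        self.pins[edge] = fingerprint(pubkey)

    def revoke(self, edge: str) -> None:
        self.crl.add(self.pins[edge])

    def tunnel_allowed(self, edge: str, presented_pubkey: bytes):
        """Tunnel integrity check: the peer must present exactly the pinned,
        unrevoked key. Returns (allowed, reason)."""
        pinned = self.pins.get(edge)
        if pinned is None:
            return False, "unknown edge"
        fp = fingerprint(presented_pubkey)
        if not hmac.compare_digest(fp, pinned):
            return False, "pin mismatch"
        if fp in self.crl:
            return False, "revoked"
        return True, "ok"


def pairwise_key(edge_a: str, edge_b: str, pair_secret: bytes) -> bytes:
    """Tunnel key bound to one specific pair of Edges (order-independent).
    `pair_secret` is assumed to come from that pair's own key exchange."""
    a, b = sorted((edge_a, edge_b))
    return hkdf_sha256(pair_secret, salt=b"sdwan-pairwise-v1", info=f"{a}|{b}".encode())


def exposed_tunnels(tunnels, compromised_edge: str, shared_group_key: bool):
    """Which tunnels' keys an attacker learns from one compromised Edge.
    `tunnels` is a collection of frozenset({edge, edge}) pairs."""
    if shared_group_key:
        return set(tunnels)  # one group key: every tunnel in the domain
    return {t for t in tunnels if compromised_edge in t}  # only its own pairs


if __name__ == "__main__":
    orch = Orchestrator()
    key_b1 = os.urandom(32)  # stands in for branch-1's public key
    orch.onboard("branch-1", key_b1)
    print(orch.tunnel_allowed("branch-1", key_b1))
    orch.revoke("branch-1")
    print(orch.tunnel_allowed("branch-1", key_b1))
    mesh = {frozenset({"branch-1", "hub"}), frozenset({"branch-2", "hub"}),
            frozenset({"branch-1", "branch-2"})}
    print(len(exposed_tunnels(mesh, "branch-1", False)), "of", len(mesh), "tunnels exposed (pair-wise)")
    print(len(exposed_tunnels(mesh, "branch-1", True)), "of", len(mesh), "tunnels exposed (group key)")
```

The check order in `tunnel_allowed` matters: a mismatching key is rejected before the CRL is consulted, so an attacker cannot learn from the response whether a stolen-but-wrong key has been revoked, and `exposed_tunnels` is the whole argument for pair-wise keys in one line, since the set it returns under a group key is the entire overlay.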
SD-WAN Segmentation
Diagram labels: Enterprise A (VLAN 1, VLAN 2, VLAN 3, VLAN 4) and Enterprise B (VLAN 1, VLAN 2, VLAN 3, VLAN 4) behind an SD-WAN Edge; Multi-Tenant SD-WAN Cloud Gateway with VRF A, VRF 3, VRF 4, VRF B-3, VRF B-4; SP NFV Orchestrator.
• Services by enterprise – VRF mapping
• Services granularity by VLAN tag
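A minimal model of the segmentation on this slide, added here as an illustration rather than VeloCloud's code: each (enterprise, VLAN tag) pair maps to a VRF, and every VRF carries its own route table, so two tenants can use the same private prefixes without the gateway ever forwarding between them. The enterprise names, VLAN tags, prefixes and next-hop names are constructed sample values.

```python
"""Added example (not VeloCloud code): per-tenant VRF lookup with overlapping
address space and longest-prefix match inside each VRF."""
import ipaddress


class MultiTenantGateway:
    def __init__(self):
        self.vrf_of = {}   # (enterprise, vlan tag) -> VRF name
        self.routes = {}   # VRF name -> [(network, next hop)], longest prefix first

    def map_vlan(self, enterprise: str, vlan: int, vrf: str) -> None:
        """Services granularity by VLAN tag: one VLAN of one tenant lands in one VRF."""
        self.vrf_of[(enterprise, vlan)] = vrf
        self.routes.setdefault(vrf, [])

    def add_route(self, vrf: str, prefix: str, next_hop: str) -> None:
        self.routes[vrf].append((ipaddress.ip_network(prefix), next_hop))
        self.routes[vrf].sort(key=lambda r: r[0].prefixlen, reverse=True)

    def forward(self, enterprise: str, vlan: int, dst: str):
        """Resolve a packet's next hop strictly within the VRF its VLAN maps to.
        Returns (vrf, next_hop) or (vrf, 'drop: ...'); a VLAN with no VRF
        mapping is dropped rather than falling into some default table."""
        vrf = self.vrf_of.get((enterprise, vlan))
        if vrf is None:
            return None, "drop: VLAN not mapped to any VRF"
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.routes[vrf]:  # never consults another VRF
            if addr in net:
                return vrf, next_hop
        return vrf, "drop: no route in VRF"


if __name__ == "__main__":
    gw = MultiTenantGateway()
    # Constructed sample tenants; both reuse 10.1.0.0/16, which is exactly
    # the situation a shared route table could not serve.
    gw.map_vlan("Enterprise A", 1, "VRF A")
    gw.map_vlan("Enterprise B", 1, "VRF B-3")
    gw.add_route("VRF A", "10.1.0.0/16", "edge-a-hq")
    gw.add_route("VRF A", "10.1.2.0/24", "edge-a-lab")
    gw.add_route("VRF B-3", "10.1.0.0/16", "edge-b-hq")
    for tenant, vlan, dst in [("Enterprise A", 1, "10.1.2.9"), ("Enterprise B", 1, "10.1.2.9"),
                              ("Enterprise B", 2, "10.1.2.9"), ("Enterprise A", 1, "192.168.50.1")]:
        print(tenant, "VLAN", vlan, "->", dst, ":", gw.forward(tenant, vlan, dst))
```

The point to take from `forward` is the two drop cases: an unmapped VLAN and a destination outside the tenant's own VRF both stop at the gateway, which is the isolation the slide's VRF mapping buys over plain VLAN tagging.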
SD-WAN Security Checklist
Security Service Insertion
Diagram labels: Branch Site / Branch Edge, Enterprise DC / Hub Edge, Hybrid Cloud, Traditional Private Datacenters, INTERNET, Cloud Gateways, Orchestrator, Controllers, Private - MPLS; Service Insertion Points.
Private & Internet circuits, enterprise & SaaS applications, on-premise & cloud deployments.
Branch Security Service Insertions
Multiple CPE options:
• General Purpose Virtual CPE: vCPE platform (OS + HW) hosting an SD-WAN VNF, FW VNF and WOC VNF under a common Orchestration
• SD-WAN Virtual Services Platform: SDWAN hosting a FW VNF and other (X) VNFs under SDWAN Orchestration (legend marker = Cloud Delivered)
• SD-WAN CPE with virtualized services: Embedded Services (L7 Firewall, Dyn Multi Path, VPN, NAT) on SDWAN
  ✓ Services on / off
  ✓ Granular policies by L7 traffic profile
SD-WAN Service Chaining
Diagram labels: Branch (SD-WAN Edge with VPN, Firewall, Dyn Multi Path), SD-WAN, Cloud Gateways, SaaS / IaaS, Web, Enterprise DC (SD-WAN Edge).
Policy based service insertion:
• Different service chains applied by policy
• Services can be at branch only or dual ended
Internet Backhaul Challenge
Complex with Traditional WAN:
✗ Not performance-aware
✗ Policy definition at L3 only
✗ Requires touching every branch
✗ Per-application tuning difficult
✗ More complex with multiple links
Diagram labels: Branch; Headend advertising 0.0.0.0/0 (Preferred); second Headend advertising 0.0.0.0/0.
Policy-based Internet Backhaul to DCs
Diagram labels: Branch Edge; Primary Hub Edge (Primary path); Secondary Hub Edge (Secondary path).
✓ Backhaul ALL or a subset of Internet traffic
✓ Flexible link steering policy
SD-WAN Distributed Security Insertion
Diagram labels: Branch Site (SD-WAN Edges); Distributed Regional Mini-Datacenters (SD-WAN Edges); Enterprise Datacenters; On Premise; Email DLP; Firewalls; Enterprise Applications.
Distributed Service Insertion
• SDWAN one-click app-aware service insertion
• Enables disaggregation and distribution of services to multiple regional mini-datacenters
• Same or different service chains by DC
• SDWAN optimal for SDN-instantiated virtual services in the DC
• Reduces branch complexity and attack surface
Branch to Branch Service Insertion
Diagram labels: Branch Site (SD-WAN Edges); Distributed Regional Mini-Datacenters; Firewalls.
Distributed Service Insertion
• Regionalize services even for branch-to-branch traffic
• Next-gen firewall can apply rules by application
Multi-DC Services Insertion
Diagram labels: Branch Site (SD-WAN Edges); Datacenter 1 (SD-WAN Edge); Datacenter 2 (SD-WAN Edge); Email DLP; Firewalls.
Multi-DC Service Insertion
• Dynamic routing for service insertion
SD-WAN Hybrid Security Insertion
Diagram labels: Branch Site (SD-WAN Edge); Enterprise Hub (On Premises Security); Cloud Security Services; Internet; traffic classes: Other Web traffic, Salesforce.com, Web email.
SD-WAN service chaining for hybrid services:
• Backhaul to on-premises services
  – Regional and central
• SD-WAN performance service chained to cloud security services
• One-click, by application
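The service chaining and hybrid insertion slides describe per-application policy choosing both where a flow egresses (direct, cloud security service, regional or central on-premises security) and which services are chained at the branch and at the far end. The resolver below is an added illustration in Python, not VeloCloud's policy engine: rule ordering, the egress names, the application and category names and the service names are all constructed for the example. It goes one step beyond the slides by adding a policy linter that refuses a direct Internet breakout with no security service in its chain, the kind of check a practitioner would want before pushing policy to every branch.

```python
"""Added example (not VeloCloud code): policy-based service chain resolution
with a fail-safe default (unmatched traffic is backhauled through on-premises
security) and a linter for unsafe rules."""
from dataclasses import dataclass, field
from typing import List, Optional

EGRESS_KINDS = ("direct", "cloud-security", "regional-dc", "on-premises-hub")


@dataclass
class Rule:
    match_app: Optional[str] = None          # exact application name, or None = any
    match_category: Optional[str] = None     # application category, or None = any
    egress: str = "on-premises-hub"
    branch_services: List[str] = field(default_factory=list)   # applied at the Edge
    far_end_services: List[str] = field(default_factory=list)  # applied at the far end

    def matches(self, app: str, category: str) -> bool:
        if self.match_app is not None and self.match_app != app:
            return False
        if self.match_category is not None and self.match_category != category:
            return False
        return True


# Anything no rule claims goes to central on-premises security ("Other Web traffic" on the slide).
DEFAULT_RULE = Rule(egress="on-premises-hub", branch_services=["vpn"],
                    far_end_services=["firewall", "email-dlp"])


def resolve(rules: List[Rule], app: str, category: str) -> Rule:
    """First matching rule wins; fall through to the backhaul default."""
    for rule in rules:
        if rule.matches(app, category):
            return rule
    return DEFAULT_RULE


def describe(rule: Rule) -> dict:
    """Branch-only versus dual-ended chain, as the service chaining slide distinguishes."""
    return {"egress": rule.egress, "branch": list(rule.branch_services),
            "far_end": list(rule.far_end_services), "dual_ended": bool(rule.far_end_services)}


def validate(rules: List[Rule]) -> List[str]:
    """Lint rules before they are pushed: every egress must be a known kind, a
    direct breakout needs a branch-side security service, and a cloud-security
    egress needs a far-end service or the chain is empty."""
    problems = []
    for i, r in enumerate(rules):
        if r.egress not in EGRESS_KINDS:
            problems.append(f"rule {i}: unknown egress {r.egress!r}")
        if r.egress == "direct" and not r.branch_services:
            problems.append(f"rule {i}: direct egress with no branch security service")
        if r.egress == "cloud-security" and not r.far_end_services:
            problems.append(f"rule {i}: cloud-security egress with no cloud service in chain")
    return problems


# Constructed sample policy mirroring the three traffic classes on the slide.
SAMPLE_RULES = [
    Rule(match_app="salesforce", egress="direct", branch_services=["l7-firewall"]),
    Rule(match_category="web-email", egress="cloud-security", branch_services=["vpn"],
         far_end_services=["cloud-secure-web-gateway"]),
    Rule(match_category="web", egress="regional-dc", branch_services=["vpn"],
         far_end_services=["ngfw"]),
]

if __name__ == "__main__":
    print("lint:", validate(SAMPLE_RULES) or "clean")
    for app, cat in [("salesforce", "saas"), ("gmail", "web-email"), ("news-site", "web"), ("torrent", "p2p")]:
        print(app, "->", describe(resolve(SAMPLE_RULES, app, cat)))
```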
SD-WAN Security Checklist
Complex & Insecure Legacy Deployments
“IT Visit”: 1-Ship, 2-Install, 3-Config
  ✓ No security risk if box lost
  ✗ IT visit to site required
“Pre-stage”: 1-Config, 2-Ship, 3-Install
  ✓ No IT visit required
  ✗ Drop ship not possible
  ✗ Configure and track every box
  ✗ Security risk if mis-shipped
Simple & Secure SD-WAN Activation
“Pull Activation Key”: 1-Ship, 2-Create config + send key, 3-Install + pull config
  ✓ No IT visit required
  ✓ No security risk if box lost
  ✓ No pre-staging required
  ✓ No device tracking needed
  ✓ Two factor – key and device
“Call Home Push Activation”: 1-Ship, 2-Install + Call Home, 3-Push Config
  ✓ No IT visit required
  ✓ No security risk if box lost
  ✓ No pre-staging required
  ✓ Independent physical install
  > Requires knowledge of device to site
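The two activation flows on this slide, modelled in Python as an added example (this is not VeloCloud's activation protocol): in the pull flow the orchestrator creates the site config and a single-use, time-limited activation key that travels to the installer out of band, so the shipped box carries no secret and a lost box gives an attacker nothing; in the call-home flow the box presents its device identity and gets a config pushed only if that device was assigned to a site beforehand, which is the "requires knowledge of device to site" caveat. The key format, expiry, device serial format and site names are assumptions; the clock is injected so expiry can be exercised offline.

```python
"""Added example (not VeloCloud code): pull activation key vs. call-home push
activation, with single-use and expiry checks on the key."""
import hmac
import secrets
import time


class Orchestrator:
    def __init__(self, clock=time.time):
        self.clock = clock          # seconds; injectable for tests
        self.configs = {}           # site -> config to deliver
        self.keys = {}              # activation key -> {"site", "expires", "used"}
        self.assignments = {}       # device serial -> site (call-home flow only)
        self.activated = {}         # site -> device serial that activated it

    def create_site_config(self, site: str, config: dict) -> None:
        self.configs[site] = config

    # ---- "Pull Activation Key": 2-Create config + send key ----
    def issue_activation_key(self, site: str, ttl_seconds: int = 3600) -> str:
        key = secrets.token_urlsafe(16)   # 128 bits of randomness, never stored on the box
        self.keys[key] = {"site": site, "expires": self.clock() + ttl_seconds, "used": False}
        return key

    # ---- "Pull Activation Key": 3-Install + pull config ----
    def pull_activate(self, presented_key: str, serial: str):
        """Key + device identity together are the slide's 'two factor'.
        Returns (config, 'ok') or (None, 'reject: ...')."""
        presented = presented_key.encode()
        match = next((k for k in self.keys if hmac.compare_digest(k.encode(), presented)), None)
        if match is None:
            return None, "reject: unknown activation key"
        rec = self.keys[match]
        if rec["used"]:
            return None, "reject: activation key already used"
        if self.clock() > rec["expires"]:
            return None, "reject: activation key expired"
        if rec["site"] in self.activated:
            return None, "reject: site already activated"
        rec["used"] = True
        self.activated[rec["site"]] = serial
        return self.configs[rec["site"]], "ok"

    # ---- "Call Home Push Activation": device-to-site assignment made up front ----
    def assign_device(self, serial: str, site: str) -> None:
        self.assignments[serial] = site

    # ---- "Call Home Push Activation": 2-Install + Call Home, 3-Push Config ----
    def call_home(self, serial: str):
        site = self.assignments.get(serial)
        if site is None:
            return None, "reject: device not assigned to any site"
        if site in self.activated:
            return None, "reject: site already activated"
        self.activated[site] = serial
        return self.configs[site], "ok"


if __name__ == "__main__":
    orch = Orchestrator()
    orch.create_site_config("branch-7", {"vlan": 10})      # constructed sample config
    key = orch.issue_activation_key("branch-7", ttl_seconds=900)
    print("pull with key:", orch.pull_activate(key, "SN-0001"))
    print("replay of key:", orch.pull_activate(key, "SN-0002"))
    orch.create_site_config("branch-8", {"vlan": 20})
    print("call home, unassigned:", orch.call_home("SN-0009"))
    orch.assign_device("SN-0009", "branch-8")
    print("call home, assigned:", orch.call_home("SN-0009"))
```

Note what each flow needs the orchestrator to know: the pull flow needs nothing about the hardware until the installer types the key, which is why it allows drop shipping without device tracking; the call-home flow needs the serial-to-site assignment in advance, and an unassigned serial is refused rather than given a default config.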
Flexible Deployment Options
Diagram labels: Branch Site / Edge, Enterprise DC / Datacenter Edge, SaaS, Hybrid Cloud, Cloud DC, Traditional Private Datacenters, INTERNET, Cloud Gateways, Orchestrator, Private - MPLS.
• On-premises in the enterprise
• Hosted in secure cloud datacenters
On-Premise SD-WAN Deployment
Diagram labels: SaaS / IaaS, INTERNET and MPLS, Internet, VeloCloud Edge, Enterprise DC, Regional Hubs (VeloCloud Edge), VeloCloud Orchestrator, VeloCloud Controllers.
✓ Edges in “hub” role at enterprise datacenters and regional hubs
✓ On-premise Orchestrator and Controllers
✓ One-click granular traffic backhaul to regional hubs
✓ Direct breakout to Internet for non-backhaul traffic
Policy Based Link Steering Overrides
✓ Pin an application to a path even when the link fails, e.g. PCI to a compliant provider
✓ Prefer an application on a path but steer away if it cannot meet SLA, e.g. prefer high-bandwidth video conferencing on broadband
✓ Prefer an application on a path but steer away if the link fails, e.g. wired to wireless
✓ Add metered usage of wireless
✓ Abstract actual interface/WAN links from the business policy
Diagram labels: Mandatory, Preferred and Available link settings over link types Private, Public-Wired, Public-Wireless and Public Internet.
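A link-steering policy engine that implements the three override modes on this slide (mandatory pin, preferred with an SLA, preferred with failover only), treats wireless as metered, and keeps business policy expressed in link types rather than physical interfaces. This is an added example in Python, not VeloCloud's implementation; the link names, latency and loss figures, the SLA thresholds and the tie-breaking order are constructed assumptions.

```python
"""Added example (not VeloCloud code): business-policy link steering with
mandatory / preferred / available modes over abstract link types."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    name: str                 # physical interface; policy never refers to it
    kind: str                 # "Private", "Public-Wired", "Public-Wireless"
    up: bool = True
    latency_ms: float = 0.0   # measured path quality
    loss_pct: float = 0.0
    metered: bool = False     # e.g. wireless usage charged per byte


@dataclass
class AppPolicy:
    app: str
    mode: str                          # "mandatory" | "preferred" | "available"
    kind: Optional[str] = None         # link type the policy pins or prefers
    max_latency_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None


def meets_sla(link: Link, policy: AppPolicy) -> bool:
    if policy.max_latency_ms is not None and link.latency_ms > policy.max_latency_ms:
        return False
    if policy.max_loss_pct is not None and link.loss_pct > policy.max_loss_pct:
        return False
    return True


def best_available(links: List[Link], policy: AppPolicy) -> Optional[Link]:
    """Among links that are up: SLA-compliant first, then unmetered, then lowest latency."""
    up = [l for l in links if l.up]
    if not up:
        return None
    up.sort(key=lambda l: (not meets_sla(l, policy), l.metered, l.latency_ms))
    return up[0]


def steer(policy: AppPolicy, links: List[Link]):
    """Return (chosen link or None, reason) for one application."""
    same_kind = [l for l in links if l.kind == policy.kind]
    if policy.mode == "mandatory":
        # "Pin an application to a path even when the link fails": no fallback.
        up = [l for l in same_kind if l.up]
        if up:
            return up[0], "pinned"
        return None, "pinned link down: no fallback by policy"
    if policy.mode == "preferred":
        # Stay on the preferred type while it is up and within SLA; otherwise steer away.
        ok = [l for l in same_kind if l.up and meets_sla(l, policy)]
        if ok:
            return ok[0], "preferred"
        alt = best_available([l for l in links if l.kind != policy.kind], policy)
        if alt is None:
            return None, "no link available"
        return alt, "steered away from preferred"
    return best_available(links, policy), "any available"


# Constructed sample links and policies.
LINKS = [
    Link("ge1", "Private", latency_ms=30),
    Link("ge2", "Public-Wired", latency_ms=40, loss_pct=0.1),
    Link("lte0", "Public-Wireless", latency_ms=60, metered=True),
]
POLICIES = [
    AppPolicy("pci", "mandatory", kind="Private"),
    AppPolicy("video", "preferred", kind="Public-Wired", max_latency_ms=50),
    AppPolicy("bulk", "available"),
]

if __name__ == "__main__":
    for p in POLICIES:
        link, why = steer(p, LINKS)
        print(p.app, "->", link.name if link else None, f"({why})")
```

The mandatory branch is the security-relevant one: it deliberately returns no link rather than silently moving PCI traffic onto a non-compliant path, and that "drop rather than leak" outcome should show up as an alert, not as a quiet failover.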
Managed SD-WAN / Security
“Over The Top” diagram labels: Branch, Virtual CPE with SD-WAN, CE Router, PE, MPLS/Private, PE, SD-WAN, Cloud SP Datacenter, SDWAN Gateway, SDWAN Gateway, SDWAN Orchestrator, Enterprise Datacenter.
“Integrated” diagram labels: Branch, SDWAN Edge, MPLS/Private, SD-WAN, Cloud SP Datacenter, SDWAN Orchestrator, Enterprise Datacenter, SDWAN Edge.
SD-WAN Security Checklist
App Usage Visibility
App Usage & Categories
• ALL applications by category identifies risk
• Organize by category or volume
• One-click drill down to sources and destinations
Compliance Monitoring
Policy compliance monitoring
• Central orchestrator view across the enterprise
• At-a-glance monitoring of site deviations from policy
• One-click drill down into policy details
SIEM Analytics
Diagram labels: Branch Edges, Cloud Gateways, SaaS, Datacenter Edges, SD-WAN Overlay, Orchestrator; SIEM Event Collectors / Processors.
SD-WAN to SIEM:
• Events, flow data and logs from Edges and Orchestrator
• Visibility before encrypted tunneling
• Across on-premises and cloud
• Multi-tenant
Export interfaces: IPFIX (Netflow v10); SNMP v2c/v3; packet capture; security logs and alerts via Syslog; API / SDK.
SD-WAN Security Checklist
Q&A
www.velocloud.com/sd-wan-dummies