Reza Koohrangpour, Kural Arangasamy
May 8, 2019
Cisco SD-WAN Security
AGENDA
• SD-WAN security challenges
• Cisco SD-WAN Security
• Technical demo
Limitations to traditional WAN topology

[Diagram: traditional enterprise WAN. Branch, remote devices/users, IoT and mobile devices, and guest users reach the data center & campus (corporate software, critical infrastructure) through WAN edges over MPLS traffic backhaul; SaaS, IaaS and the Internet sit beyond the data center.]

• Traffic must be backhauled to datacenters for security
• Latency in connection to cloud applications
• Multi-cloud environments are the new normal
• Branches and device policy require manual configuration
• New devices and clouds require new configurations
• Deployment is not centrally managed

Bad user experience
Expensive to deploy
Complex management
SD-WAN enables digital transformation

[Diagram: SD-WAN fabric with transport independence. Branch, remote devices/users, IoT and mobile devices, and guest users connect through WAN edges across the SD-WAN fabric to the data center & campus (corporate software, critical infrastructure) and through a cloud edge to IaaS, SaaS and the Internet.]

• Access cloud applications directly to decrease latency
• Manage all security and networking from a central command
• Increased visibility
• Configure new devices and policies at scale
• Turnkey solution
• Zero touch deployment

Faster access
Ease of deployment
Simple management
SD-WAN exposes new security challenges

[Diagram: SD-WAN fabric. Branch, remote devices/users, IoT and mobile devices, and guest users sit behind basic or no security; direct connections to SaaS, IaaS and the Internet have no security; only the data center & campus (corporate software, critical infrastructure) has existing security.]

• Exposed connections as traffic is no longer backhauled to the data center
• Traffic throughout the fabric must be secure from threats, segmented, and private.
• Threats inside the network inevitably lead to inside-out traffic to malicious infrastructures

Threat categories: outside-in threats, inside-out threats, internal threats
Direct internet access exposes connections

[Diagram: same SD-WAN fabric topology: branch, remote devices/users, IoT and mobile devices, and guest users behind basic or no security; SaaS, IaaS and Internet connections with no security; existing security only at the data center & campus.]

• Unauthorized access
• Denial of service attacks
• Untrusted access
• Lateral movement
• Compliance
• Man-in-the-Middle
• Malware infection
• Command & control
• Phishing attacks
• Untrusted users/devices

The slide groups these under three categories: outside-in threats, inside-out threats, internal threats.
Defend against bad destinations & data breaches

[Diagram: same SD-WAN fabric topology: branch, remote devices/users, IoT and mobile devices, and guest users behind basic or no security; SaaS, IaaS and Internet connections with no security; existing security only at the data center & campus.]

• Unauthorized access
• Denial of service attacks
• Ransomware
• Untrusted access
• Lateral movement
• Compliance
• Man-in-the-Middle
• Malware infection
• Command & control
• Phishing attacks
• Untrusted users/devices

The slide groups these under three categories: outside-in threats, inside-out threats, internal threats.
Policy and access gaps expand attack surface

[Diagram: SD-WAN fabric with WAN edges at the branch and data center & campus (corporate software, critical infrastructure) and a cloud edge toward IaaS, SaaS and the Internet; branch, remote devices/users, IoT and mobile devices, and guest users sit behind the branch WAN edge.]

Outside-in and internal threats:
• Unauthorized access
• Denial of service attacks
• Ransomware
• Untrusted access
• Lateral movement
• Compliance
• Man-in-the-Middle

Inside-out threats:
• Malware infection
• Command & control
• Phishing attacks
• Untrusted users/devices
Comprehensive SD-WAN security

[Diagram: secure SD-WAN fabric. Secure WAN edges at the branch and at the data center & campus (corporate software, critical infrastructure), and a secure cloud edge toward IaaS, SaaS and the Internet; branch, remote devices/users, IoT and mobile devices, and guest users sit behind the branch secure WAN edge.]

• Mitigate external security risks with integrated threat defense from the WAN to cloud edge
• Mitigate internal security risks with a secure SD-WAN fabric with simple or flexible routing configurations

Full edge security stack
Thin, rich or full-stack router
Enterprise-grade security embedded (outside-in SD-WAN security)

[Diagram: secure SD-WAN fabric with secure WAN edges at the branch and data center & campus (corporate software, critical infrastructure) and a secure cloud edge toward IaaS, SaaS and the Internet.]

• Firewall and intrusion prevention embedded, plus URL filtering and malware sandboxing for inside-out
• Single console to manage routing and security
• Shortest time to threat detection, powered by Talos
Simplified cloud security (inside-out SD-WAN security)

[Diagram: secure SD-WAN fabric with secure WAN edges at the branch and data center & campus (corporate software, critical infrastructure) and a secure cloud edge toward IaaS, SaaS and the Internet.]

• Umbrella's Secure Internet Gateway protects users and devices and protects data sent to and from the cloud
• Duo's Multi-Factor Authentication verifies that only trusted users and devices access cloud & on-prem apps
Secure internal connections (internal SD-WAN security)

[Diagram: secure SD-WAN fabric with secure WAN edges at the branch and data center & campus (corporate software, critical infrastructure) and a secure cloud edge toward IaaS, SaaS and the Internet.]

• End to end segmentation to stop breach propagation, enforce regulatory compliance, and promote network (and application) layer security
• Zero-trust authentication and full payload encryption between edge routers
Simple and automated security

[Diagram: one branch box combining a WAN router (networking: web, voice, video) and an enterprise firewall (security), connected over any transport (broadband, MPLS, 4/5G) across the secure SD-WAN fabric to the data center & campus, remote users (on-VPN), and a secure cloud edge toward SaaS, IaaS and the Internet.]

• Integrated connectivity and security solutions in one box
• Transport agnostic: mix and match any protocol with any transport
• Zero touch provisioning of new branches
Centralized, simple management

• Configure policy efficiently through automation at scale
• Manage security and networking from one console
• Ease of manageability
• Increased visibility across the network

Unified dashboard: global policy, location policy, connection policy
Integrated, hardened, cloud-managed from WAN to cloud edge

#1 in networking for flexibility and scalability; #1 in security for efficacy and simplicity: routing intelligence and threat intelligence on certified trustworthy infrastructure.

Gartner MQ leader in networking and security (WAN Edge Infrastructure; Enterprise Network Firewalls). Cisco is the ONLY leader across both magic quadrants.
Technical Use Case & Demo
Cisco SD-WAN Security Customer Use Cases

Guest Access
Customer intent:
• Protect against liability
• Prevent guest users from disrupting network
Security features: IPsec VPN, Enterprise Firewall, App Aware, URL-Filtering, DNS/web-layer filtering

Direct Internet Access
Customer intent:
• Leverage the local internet path for all internet traffic
• Protect against potential threats from coming in
Security features: IPsec VPN, Enterprise Firewall, App Aware, Intrusion Prevention, DNS/web-layer Security, URL Filtering, Advanced Malware Protection (AMP)

Compliance
Customer intent:
• Protect Card Holder Data
• Protect Patient Data
• Protect against data breaches
Security features: IPsec VPN, Enterprise Firewall, App Aware, Intrusion Prevention

Direct Cloud Access
Customer intent:
• Reduce expense
• Provide better user experience
• Protect the enterprise branch
Security features: IPsec VPN, Enterprise Firewall, App Aware, Intrusion Prevention, DNS/web-layer Security, URL Filtering, Advanced Malware Protection (AMP)

[Slide legend: each feature list is annotated with the concern it addresses: attack surface, exposure or risk.]
Cisco SD-WAN Security

Managing: vManage, in cloud or on-prem, handles provisioning, reporting, monitoring and troubleshooting for the branch edge router.

Flexibility (branch edge and cloud edge features: Enterprise FW App Aware, IPS, URL filter, Adv Malware, DNS/Web-Layer Security):
• CSR, ENCS w/ISRv, ISR 4K/1K: full edge security
• ASR1K: only FW
• vEdges (Viptela): only App Aware FW and DNS/web-layer security
SD-WAN Security Demo

[Diagram: Internet; DC-vEdge; Branch1 CSR with three segments (PCI, Non-PCI, Guest) and VPN, FW, URLF, AMP and IPS enabled on the branch edge; direct internet access from the branch.]

Direct Internet Access
• Application control: AppAware Firewall
• Attack prevention: IPS
• Liability protection: DNS/URL filtering
• Malware prevention: AMP

Control plane & management: vManage, vBond, vSmart, Jump PC
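The two slides above, "Secure internal connections" (segmentation between PCI, Non-PCI and Guest) and the demo topology (direct internet access through the firewall, URL filtering, IPS and AMP stack), describe a policy but not how its decisions compose. The following Python model is an added example, not Cisco code or configuration: it evaluates sample flows against an ordered policy for a branch like Branch1. The segment prefixes, the guest application allow-list, the inspection chain names and the sample flows are all constructed assumptions; only the segment names, the feature names and the topology come from the slides.

```python
"""Toy policy model of a segmented SD-WAN branch with direct internet access.

Constructed illustration: segment prefixes, app allow-list and sample flows are
assumptions for this example, not values from the deck or a real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service VPNs (segments) named on the demo slide; prefixes are constructed.
SEGMENTS = {
    "PCI": ip_network("10.10.0.0/24"),
    "Non-PCI": ip_network("10.20.0.0/24"),
    "Guest": ip_network("192.168.100.0/24"),
}
DATA_CENTER = ip_network("10.0.0.0/16")  # reached only over the IPsec fabric tunnel

# Apps the app-aware firewall lets guests use; any other app from Guest is dropped.
GUEST_APPS = {"dns", "http", "https"}

# Inspection chain applied to direct-internet-access (DIA) traffic, in order.
DIA_STACK = ("zbfw", "dns-filter", "url-filter", "ips", "amp")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str  # app-aware firewall classification, e.g. "https", "smb"


@dataclass(frozen=True)
class Verdict:
    action: str        # "permit" or "deny"
    path: str          # "fabric" (IPsec to DC), "dia" (local internet), "local" or "none"
    inspections: tuple # security features the flow passes through, in order
    reason: str


def segment_of(addr: str) -> str:
    """Map an address to its segment: a service VPN, the DC, or the Internet."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "DC" if ip in DATA_CENTER else "Internet"


def evaluate(flow: Flow) -> Verdict:
    """Ordered policy: the first matching rule decides, default is deny."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)

    # Outside-in: nothing unsolicited from the Internet enters any segment
    # (the stateful firewall admits only return traffic, which is not modelled).
    if src == "Internet":
        return Verdict("deny", "none", ("zbfw",), "unsolicited inbound blocked")

    # Internal: segmentation keeps the three service VPNs isolated from each other.
    if src in SEGMENTS and dst in SEGMENTS:
        if src == dst:
            return Verdict("permit", "local", (), f"intra-segment {src}")
        return Verdict("deny", "none", ("segmentation",), f"{src} -> {dst} crosses segments")

    # Guests never reach the data center in either direction.
    if "Guest" in (src, dst) and "DC" in (src, dst):
        return Verdict("deny", "none", ("zbfw",), "guest segment isolated from data center")

    # Corporate segments <-> DC: encrypted fabric, inspected by the firewall and IPS.
    if dst == "DC" or (src == "DC" and dst in SEGMENTS):
        return Verdict("permit", "fabric", ("ipsec", "zbfw", "ips"), f"{src} -> {dst} over fabric")

    # Inside-out to the Internet: DIA with the full edge stack. PCI stays off the
    # Internet entirely and guests are limited to web/DNS by the app-aware firewall.
    if dst == "Internet":
        if src == "PCI":
            return Verdict("deny", "none", ("zbfw",), "PCI segment has no direct internet access")
        if src == "Guest" and flow.app not in GUEST_APPS:
            return Verdict("deny", "none", ("zbfw",), f"app {flow.app} not allowed for guests")
        return Verdict("permit", "dia", DIA_STACK, f"{src} -> Internet via DIA")

    return Verdict("deny", "none", (), "no matching rule")


# Constructed sample flows covering each rule; 203.0.113.0/24 is documentation space.
SAMPLE_FLOWS = [
    Flow("192.168.100.7", "10.10.0.5", "https"),    # Guest -> PCI
    Flow("10.20.0.9", "10.0.5.5", "https"),         # Non-PCI -> DC
    Flow("192.168.100.7", "10.0.5.5", "https"),     # Guest -> DC
    Flow("10.10.0.5", "203.0.113.10", "https"),     # PCI -> Internet
    Flow("192.168.100.7", "203.0.113.10", "https"), # Guest -> Internet, web
    Flow("192.168.100.7", "203.0.113.10", "smb"),   # Guest -> Internet, SMB
    Flow("203.0.113.10", "10.20.0.9", "ssh"),       # Internet -> Non-PCI
    Flow("10.20.0.9", "10.20.0.10", "smb"),         # Non-PCI -> Non-PCI
]


def run_demo() -> list:
    """Evaluate the sample flows and return (flow, verdict) pairs."""
    return [(f, evaluate(f)) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, v in run_demo():
        print(f"{f.src:>15} -> {f.dst:<15} {f.app:<6} {v.action:<6} {v.path:<6} "
              f"{'+'.join(v.inspections) or '-':<35} {v.reason}")
```

The rule order matters: the unsolicited-inbound and segmentation checks run before any permit, so a later, broader rule (DIA for "everything else") can never reopen a path that segmentation closed. The inspection tuple on each verdict is where a real edge would differ per platform, matching the deck's note that some routers run only the firewall or only app-aware firewall plus DNS-layer security.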
Thank you for watching.
For more information, please visit: cisco.com/go/sdwan-security

TechWiseTV Workshop: SD-WAN Security