Five security advantages in the Cisco SD-WAN solution
Software-defined wide area networking (SD-WAN) is the main direction in which traditional enterprise WAN solutions are being updated. Traditional WAN platforms are primarily used to connect branch offices directly to the data center; they are not flexible enough to handle simultaneous connections to multiple cloud platforms, nor can they automatically select the most efficient and cost-effective route.
For enterprises, the advantages of the new solution are not only easier development and management when adopting cloud technology, but also the chance to incorporate a wider range of security capabilities at the software-defined WAN boundary, to cope with the risks that complex environments bring.
Outstanding network products have always been Cisco's core competitive strength; its position as a leader in Gartner's "Wired and Wireless LAN Access Infrastructure" Magic Quadrant for many years is the best proof. Combining network and security has been the direction of Cisco's efforts in recent years, but at both the product and solution levels the two have remained relatively independent. This time, in its software-defined WAN solution, Cisco has deeply integrated a large number of security capabilities with SD-WAN technology at the product level and positions security as an important feature of its network solution.
This article will highlight the important benefits that security brings to the Cisco SD-WAN solution.
New WAN boundaries need to incorporate more security capabilities
Cisco has more than 100,000 enterprise customers for WAN border devices worldwide, and more than 1.1 million of its routers are operating in customer environments. To complete its SD-WAN technical layout, Cisco announced in August 2017 that it had completed the acquisition of the software-defined WAN company Viptela for $610 million in cash and related equity incentives, and it completed full technology integration with Viptela faster than with any previous acquisition.
Viptela's strength lies in advanced routing and network segmentation capabilities, as well as good scalability. At the same time, cloud-supported management, orchestration and overlay technologies make SD-WAN deployment and management easier. Combined with the Cisco Meraki routing (including wireless) family of products, Cisco's SD-WAN solutions can meet a wide range of customer deployment requirements.
The successful acquisition of Viptela not only brings critical capabilities to the Cisco SD-WAN solution but also enabled it to enter the leader quadrant of Gartner's 2018 WAN Edge Infrastructure Magic Quadrant report, a key step in Cisco's strategic shift toward a software-centric, subscription-led network model.
Gartner said in the report that the traditional MPLS network will undergo a huge transformation, driven by the digital transformation of enterprises and the management demands of many important business lines. The renewal of WAN edge infrastructure, comprising software-defined WAN software/applications and traditional routing, is an important direction. More suppliers are bound to flood into the market as it transforms, and security will be embedded as an important feature of the new WAN edge infrastructure.
The Cisco SD-WAN solution also reflects the importance of security, consistent with Gartner's assertion.
Cisco summarizes the features of its SD-WAN solution as "simple, secure, and scalable." "Simple" lies in deploying and managing network and security functions through a single interface; "scalable" lies in the support for cloud services/applications; "secure" is the richest of the three, including data support from the Talos threat intelligence (TI) team, next-generation firewalls, intrusion detection and prevention, URL filtering, Umbrella (DNS protection), and Duo Security (multi-factor authentication), acquired in October last year for $2.35 billion.
Cisco treats these as core security capabilities and integrates them into the entire SD-WAN solution by embedding them in WAN devices, providing multiple, optional and comprehensive layers of protection against a range of threat scenarios.
Embedded security capabilities are an important advantage of the Cisco SD-WAN solution.
Security risks in SD-WAN scenarios
Scott Harrell, Cisco's senior vice president and general manager of the Enterprise Networking Division, has said that the emergence of a new cloud boundary is disrupting customers' network and security architectures. Today, every WAN device must be software-defined and carry strong security features.
Cisco believes that introducing the cloud, together with the application performance demands on software-defined WAN technology, inevitably introduces more risk. From a protection perspective, this can be roughly divided into the following three scenarios:
1. Cloud boundaries, the intersection of networks, clouds and security systems. In this threat scenario, enterprises face many problems.
Enterprise branch offices have a large need to access critical resources in cloud applications/services. If all traffic, i.e. both access and backhaul traffic, is forwarded to the enterprise data center for security inspection, analysis and filtering, then releasing the cleaned traffic means consuming a large number of expensive MPLS lines. Not only does this increase the size and complexity of the data center security architecture, it is inefficient, and security costs rise rapidly as traffic grows. At the same time, devices and people cannot enjoy the convenient experience they should have when connecting to cloud services, because of these security barriers. This is inconsistent with the company's original intention in embracing the cloud.
However, if traffic does not pass through the security devices in the data center, the organization faces security risks such as data leakage and malware infection caused by visits to malicious sites. Security is a future-oriented investment: if branches simply bypass inspection with a direct connection, then even if no security incident occurs, these concerns will make it impossible for enterprises to use the cloud services of their choice.
2. Branch network access
Companies that focus on the customer experience tend to open their branch office WiFi to customers so that visitors can reach the corporate services and data that are opened to the public. At the same time, because the geographical distribution of the enterprise's organizational structure is complex, branch employees and their devices also need to be correctly identified, and effective access control achieved through different network segmentation strategies. How to perform identity authentication and management efficiently and without compromise, while preserving the user experience and promptly blocking unauthorized access from branches and the Internet, is a dilemma that enterprises must face.
3. Compliance of private data within the WAN
Data security compliance was an important hot spot in 2018, especially after GDPR formally took effect. Enterprises with large branch networks need to pay attention to whether sensitive information inside the WAN, both in storage and in transit, meets the differing compliance requirements of various industries in various countries. Regardless of whether the data sits in a branch or in a cloud application, it is necessary to work hard on access control and secure transmission of sensitive data, so as to guarantee as far as possible that no unauthorized access or man-in-the-middle attack leads to a data leak and the resulting loss of customers, corporate reputation and commercial interests.
From a threat perspective, the three scenarios actually correspond to four security threats:
One is malicious traffic from the Internet or cloud applications crossing the cloud boundary;
The second is communication from within the enterprise WAN to phishing sites and malicious C2 servers;
The third is the identity authentication and control required when the WAN interior is accessed through the various forms of branch structure;
The fourth is the compliance guarantee for sensitive data in the WAN's internal traffic.
Cisco has embedded a variety of security capabilities in its SD-WAN solution to minimize customers' security risks in these scenarios. Combined with the important support of the Talos team and the simple management of a unified interface shared with the network functions, this delivers security capabilities that are effective, timely and simple.
Five security advantages of the Cisco SD-WAN solution
The preference for cloud applications expands the attack surface of the traditional enterprise WAN, whether the threat comes from the cloud, the Internet or the corporate WAN itself. Today, compliance requirements for information security are becoming more prominent, and demand from enterprise WAN customers for solutions that tightly couple security with advanced SD-WAN is bound to follow.
Combining application experience with security is a prominent feature of the Cisco software-defined WAN solution. By providing comprehensive protection at the edge, in branch office routers, the security capabilities Cisco embeds in its SD-WAN bring the following five distinct advantages to the solution.
Advantage 1. Centralized, automated security management
Built on a wide range of traffic protocols, transport methods and extensive support from a variety of cloud providers, the Cisco SD-WAN solution enables rapid deployment and start-up and easier management, an important advantage of software-defined WAN technology over traditional WANs. This advantage carries over into the security part of the solution.
Cisco's SD-WAN is a "package" of network and security. WAN devices have integrated security features including next-generation firewall, intrusion prevention, URL filtering, DNS protection and identity management, and with threat intelligence underneath, these security capabilities are more automated. Through integration with Viptela's technology, traditional WAN customers only need to upgrade their software; after purchasing a single license they get both network and security functions, and through centralized management in the vManage controller they implement network and security policy configuration at scale from a single interface.
Advantage 2. Compliance guarantee for sensitive information
Sensitive information such as user and employee personal data, corporate transaction and financial data, and critical application source code and test cases flows between branches within the WAN, not to mention through newly introduced cloud-based applications. In Cisco's intent-based network, you only need to make a setting such as "Transfer sensitive data only on IPsec VPN" once in vManage, and it is automatically applied to the entire network. At the same time, the firewall built into the WAN router and the vSmart controller, which can clearly divide traffic according to security policy, ensure that only the required software-as-a-service (SaaS) applications can access this critical data.
Advantage 3. Zero-trust access control
Whether a visitor accesses the enterprise's open applications, data and services from branch WiFi, or an enterprise employee and their device log in to the WAN, network segmentation according to security policy is required, and all business data flows must be transmitted securely through IPsec VPN tunnels; strict control over identity and permissions is also needed. Of course, this is not limited to the branch boundaries of traditional WANs, especially once new cloud boundaries are introduced.
In its SD-WAN solution, Cisco integrated Duo Security, which was acquired in October last year. Duo Security is a company dedicated to unified access security and multi-factor authentication for cloud delivery. By verifying identity and device health, Duo Security can help Cisco WAN customers securely access any cloud application from any device. In this way, the cloud security policy in the Cisco SD-WAN solution is simplified, and the visibility of the endpoint device is expanded.
Of course, the gate of identity and access control only helps to exclude unauthorized access. If a visitor's or employee's web access brings back malicious traffic, it must still be prevented and controlled by more systematic, advanced security capabilities.
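As an added illustration (not Cisco's code, and not the vManage/vSmart policy format), the intents described under Advantages 2 and 3 can be modelled as a small policy evaluator: sensitive data only over the IPsec tunnel, only approved SaaS applications may receive it, per-segment access control, and identity plus device posture verified before sensitive access. The Flow fields, segment names and application names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical model (not the vManage/vSmart policy language) of the intents
# described above. Segment and application names are constructed.


@dataclass(frozen=True)
class Flow:
    segment: str         # source VPN/segment, e.g. "employee" or "guest"
    app: str             # destination application
    sensitive: bool      # carries regulated data (PII, financial, source code)
    transport: str       # "ipsec" (overlay tunnel) or "direct" (local breakout)
    authenticated: bool  # identity and device health verified (MFA passed)


# Which applications each segment may reach at all (constructed).
SEGMENT_APPS = {
    "employee": {"erp", "crm", "git", "web"},
    "guest": {"web"},
}
# Which applications are approved to receive sensitive data (constructed).
SENSITIVE_APPS = {"erp", "crm", "git"}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (permit, reason); the first violated intent wins."""
    if flow.app not in SEGMENT_APPS.get(flow.segment, set()):
        return False, f"segment '{flow.segment}' may not reach '{flow.app}'"
    if flow.sensitive:
        if flow.transport != "ipsec":
            return False, "sensitive data must traverse the IPsec tunnel"
        if not flow.authenticated:
            return False, "identity and device posture not verified"
        if flow.app not in SENSITIVE_APPS:
            return False, f"'{flow.app}' is not approved for sensitive data"
    return True, "permit"


def audit(flows: list[Flow]) -> dict[str, int]:
    """Count permits and denial reasons across a batch of flows."""
    summary: dict[str, int] = {}
    for flow in flows:
        _, reason = evaluate(flow)
        summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    sample = [
        Flow("employee", "crm", True, "ipsec", True),   # compliant
        Flow("employee", "crm", True, "direct", True),  # wrong path
        Flow("guest", "erp", False, "direct", False),   # wrong segment
        Flow("employee", "web", True, "ipsec", True),   # unapproved app
    ]
    for reason, count in audit(sample).items():
        print(f"{count}x {reason}")
```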
Advantage 4. Secure web/cloud application access without sacrificing application experience
When a traditional WAN solution addresses the security problems brought by the cloud boundary, it must trade off security, cost and application experience. In its SD-WAN solution, however, Cisco has integrated its core security framework with WAN devices well enough to minimize the risk of malicious attacks and data leakage without compromising the quality of the cloud application and Internet access experience.
The first element is Cisco's next-generation firewall and intrusion detection and prevention. These two flagship Cisco security products entered the leader quadrant of the 2018 Gartner Magic Quadrant report (see below). Security Bull also has a dedicated article on Cisco's next-generation firewall.
The near-real-time data support provided by the Talos team, from threat perspective to strategic scheduling, together with extremely short time windows, effective threat detection and response (CTR) and automated disposal (blocking), are the core advantages of these two products.
Combined with URL filtering, and with Cisco Umbrella providing intrusion detection at the DNS and IP layers, the security capabilities Cisco embeds in its WAN devices enable efficient detection of and defense against phishing sites, malicious C&C server connections, DDoS attacks and so on, even when these attacks use the Internet connections and open APIs of cloud applications as their medium.
More importantly, this embedded security capability means WAN customers no longer need to deliberately forward traffic to the data center; security inspection is performed at the WAN boundary in a near-direct way that preserves the user experience, and it also greatly reduces the customer's security costs.
Advantage 5. Multiple options
Enterprises favor cloud applications not only for their flexibility but also for cost, which is an important consideration. The same is true of security, where protection should be proportionate to need. At the commercial level, Cisco also offers a variety of combinations that allow companies to choose SD-WAN and security capabilities based on their needs.
Cisco's SD-WAN solution with the DNA Essentials license contains the strong Viptela SD-WAN technology as well as the security capabilities described above, other than Umbrella and Duo Security. The Meraki version, whose SD-WAN capability is slightly weaker, is offered in two editions, enterprise and advanced security.
It is easy to see that Cisco is trying, on the basis of Meraki and Viptela, to expand its product portfolio through its SD-WAN initiative and to further consolidate its services into user-selectable SD-WAN offerings.
Security Bull review
Whether from Cisco's own view or from Gartner's industry observations, security capabilities are undoubtedly critical to the overall capability of SD-WAN solutions. This directly reflects the significant value that Cisco's years of accumulated security expertise can bring to the network. The adoption of new network technologies allows security to intervene earlier and deeper and provides strong support for future business development. Judging from Cisco's massive acquisitions and rapid integration of Viptela and Duo Security, as well as the security strengths of its SD-WAN solution, Cisco is trying to build a bridge to new business application areas for its customers. This bridge not only drives customers to unlock the power of cloud computing, but also rests on the important premise of significantly reducing security risks. The future of network and security is ever closer integration.