Securing the Cloud Edge with SD-WAN
Cisco SD-WAN technology is already enhancing networks by efficiently connecting branches, colocation, data center, and cloud resources into the information fabric that unites a distributed enterprise. But it is at the Cloud Edge, the intersection of the network, cloud, and security, where businesses also face greater security risks, inconsistent application performance, and increasing complexity.
As branches open up to direct cloud connections and run business-critical applications over the internet, the traditional approach to securing the WAN, where traffic is back-hauled to the corporate firewall, is inefficient and costly. That is because traditional WAN platforms were primarily designed to connect branches directly to data centers. They lack the flexibility to handle simultaneous connections to multiple cloud platforms, and they cannot automatically select the most efficient and cost-effective routes.
Organizations need a comprehensive and flexible software-defined architecture to secure the WAN while simplifying distributed network management and lowering connection costs. In effect, every WAN device must become software defined and secure. Therefore, we are announcing a new advanced SD-WAN security stack with capabilities that solve critical edge security challenges. Cisco is providing IT with highly effective and scalable security for SD-WAN that is easy to manage, deploy, and maintain, enabling businesses to use cloud services of their choice with confidence. Cisco SD-WAN seamlessly connects devices and people to any cloud, providing a superior application experience while delivering consistent unified threat protection from branch to cloud.
Cisco SD-WAN Provides Four Levels of Security at the Edge
The traditional way of dealing with security at the cloud edge is to send all traffic back to the corporate data center for inspection, analysis, and filtering before sending it on to SaaS applications or public cloud services. For distributed enterprises, this choice normally requires the use of costly MPLS lines, which increases the scale and complexity of the security layers in the data center. As traffic among distributed branches grows, so do the cost and complexity of managing multiple MPLS connections and the data center security.
The all-new Cisco SD-WAN security stack provides a complete shield operating at the edge, in the branch router, with centralized control for both network and security management. The embedded security capabilities protect data passing to and from branch business systems and cloud platforms. The security stack also guards the entire connected enterprise against debilitating security attacks that could originate from compromised internet connections and applications. The Cisco SD-WAN security stack focuses on four key traffic profiles that are especially relevant in the branch:
- Compliance: Protecting sensitive data at rest and in transit, in the branch and in the cloud.
- Direct Internet Access: Opening network ports to direct internet connections significantly expands the potential attack surface from external sources.
- Direct Cloud Access: Providing direct access to cloud resources and SaaS applications bypasses the existing centralized security (DMZ, firewalls, intrusion detection) built into the enterprise network and data center.
- Guest Access: Enabling guest access to local Wi-Fi from personal devices while keeping business traffic and sensitive network services completely separate from guest traffic.
Let's look at how the security innovations we are launching reduce the attack surface exposed by these traffic profiles while continuing to leverage the cost savings enabled by our SD-WAN architecture.
Compliance
Every organization accepts, stores, and processes sensitive data sets such as personally identifiable information (PII) and payment card information (PCI). Application-aware firewalls ensure that sensitive data is only accessible by authorized applications and people. Cisco SD-WAN security adds an embedded application-aware firewall in the branch router that learns and enforces which applications can access sensitive data types, such as PCI. The SD-WAN fabric then routes sensitive traffic through a secure VPN to the applications in the enterprise data center or multicloud platforms. In Cisco Intent-based Networks, intents such as “transmit sensitive data type PCI only on the IPsec VPN,” can be programmed once in Cisco vManage and automatically applied across the entire network, with Cisco vSmart Controllers intelligently segmenting traffic as defined by security policies.
Direct Internet Access
Before the advent of SD-WAN, organizations primarily relied on secure yet expensive MPLS lines for connectivity from branches to the data center, where the security functions would reside. As organizations enable applications and devices at branch sites to directly access the internet, they bypass the traditional centralized security perimeter. This exposes the branch to all types of internet traffic and, in the process, increases the attack surface at the edge.
To counter these threats, the SD-WAN security stack provides a combination of embedded security functions consisting of an application-aware firewall, intrusion detection and prevention, and the Cisco Umbrella DNS cloud security layer. The Cisco SD-WAN fabric intelligently routes traffic to and from branches according to SecOps policies. The web security layer maintains a local cache of safe URLs that is regularly updated to keep up with the latest security threat reports.
Direct Cloud Access
Direct cloud access improves application Quality of Experience (QoE) for cloud and SaaS applications while introducing a similar risk profile to that seen with Direct Internet Access. Cisco SD-WAN Security leverages the DNS security layer, coupled with intrusion detection, to prevent the most aggressive denial of service, phishing, malware, and ransomware attacks that can piggyback on internet connections and open ports used by SaaS and cloud applications. In addition, these embedded security capabilities leverage the current threat data of the Cisco Talos team, one of the most sophisticated commercial threat-intelligence organizations in the world.
Guest Access
Organizations that focus on customer experience, such as retail stores, are willing to open their branch Wi-Fi to customers to provide interactive methods of engaging them. However, allowing guests on the branch Wi-Fi can expose business applications, data, and services to them as well. A security policy that segments guest access is the first step, so that while internet access is permitted, all other segments of the business network are off limits. Organizations still need to prevent guests from accidentally, or maliciously, downloading malware that could infect the branch network. Cisco SD-WAN Security provides web filtering, intrusion detection and prevention capabilities to prevent internet infections from guest devices spreading through the network. In addition, segmentation restricts employees from the guest network, with all business data flowing through IPsec VPN tunnels.
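The Compliance and Guest Access sections above both come down to the same idea: a small set of intents ("PCI only over the IPsec VPN", "guest devices reach only the internet") that the fabric evaluates per flow. The following Python policy evaluator is an added illustration of that decision logic, written for this article; it is not Cisco code, not vManage or vSmart configuration, and does not reflect any real Cisco policy syntax. The flow attributes, the authorized-application list, and the sample flows are constructed assumptions chosen to exercise each rule, including the default-deny fallthrough for a flow no intent covers.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Segment(Enum):
    CORPORATE = "corporate"
    GUEST = "guest"


class Transport(Enum):
    IPSEC_VPN = "ipsec-vpn"            # SD-WAN fabric tunnel back to the enterprise
    DIRECT_INTERNET = "direct-internet"  # local breakout through the branch router


@dataclass(frozen=True)
class Flow:
    src_segment: Segment
    app: str                     # application identified by the app-aware firewall
    data_class: Optional[str]    # "PCI", "PII", or None for non-sensitive traffic
    destination: str             # "datacenter", "corporate-lan", "saas", "internet"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    transport: Optional[Transport]
    reason: str


# Hypothetical intent: only these applications may carry PCI/PII data.
SENSITIVE_DATA_CLASSES = {"PCI", "PII"}
SENSITIVE_AUTHORIZED_APPS = {"pos-payments", "erp"}

# Destinations reachable only over the fabric VPN.
ENTERPRISE_DESTINATIONS = {"datacenter", "corporate-lan"}
# Destinations eligible for direct access when the traffic is not sensitive.
DIRECT_ACCESS_DESTINATIONS = {"saas", "internet"}


def evaluate(flow: Flow) -> Decision:
    """Apply the ordered intents to one flow. Unmatched flows are denied."""
    # Intent 1: guest segment is isolated; it may reach only the internet,
    # and that path is the web-filtered direct breakout.
    if flow.src_segment is Segment.GUEST:
        if flow.destination != "internet":
            return Decision(False, None, "guest segment may only reach the internet")
        return Decision(True, Transport.DIRECT_INTERNET,
                        "guest internet access via filtered direct breakout")

    # Intent 2: sensitive data moves only from authorized apps and only on the VPN.
    if flow.data_class in SENSITIVE_DATA_CLASSES:
        if flow.app not in SENSITIVE_AUTHORIZED_APPS:
            return Decision(False, None,
                            f"{flow.app} is not authorized to handle {flow.data_class}")
        return Decision(True, Transport.IPSEC_VPN,
                        f"{flow.data_class} transmitted only on the IPsec VPN")

    # Intent 3: anything bound for the enterprise stays inside the fabric.
    if flow.destination in ENTERPRISE_DESTINATIONS:
        return Decision(True, Transport.IPSEC_VPN, "intra-enterprise traffic stays on the fabric")

    # Intent 4: non-sensitive SaaS/internet traffic may use direct access.
    if flow.destination in DIRECT_ACCESS_DESTINATIONS:
        return Decision(True, Transport.DIRECT_INTERNET, "non-sensitive traffic may use direct access")

    # No intent matched: fail closed rather than silently forwarding.
    return Decision(False, None, "no matching intent: default deny")


# Constructed sample flows covering each intent and the fallthrough.
SAMPLE_FLOWS: List[Flow] = [
    Flow(Segment.CORPORATE, "pos-payments", "PCI", "datacenter"),   # allowed, VPN
    Flow(Segment.CORPORATE, "file-share", "PCI", "saas"),           # denied, unauthorized app
    Flow(Segment.CORPORATE, "web-conference", None, "saas"),        # allowed, direct
    Flow(Segment.CORPORATE, "intranet", None, "corporate-lan"),     # allowed, VPN
    Flow(Segment.GUEST, "browser", None, "internet"),               # allowed, direct
    Flow(Segment.GUEST, "browser", None, "corporate-lan"),          # denied, guest isolation
    Flow(Segment.CORPORATE, "unknown", None, "partner-extranet"),   # denied, default
]


def evaluate_all(flows: List[Flow]) -> List[Decision]:
    return [evaluate(f) for f in flows]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate_all(SAMPLE_FLOWS)):
        verdict = "ALLOW" if decision.allowed else "DENY "
        path = decision.transport.value if decision.transport else "-"
        print(f"{verdict} {flow.src_segment.value:9} {flow.app:15} -> {flow.destination:17} "
              f"[{path}] {decision.reason}")
```

The rule order matters: guest isolation is checked before anything else so that a guest device tagged with a sensitive data class can never be steered onto the VPN, and the final default-deny line is what keeps an unanticipated destination from leaking out through the direct breakout.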
SD-WAN Simplifies Security Management
To support the new security stack features and simplify management, Cisco SD-WAN provides a GUI-based workflow through the cloud-managed vManage controller. The zero-touch Cisco ISR/ASR and vEdge routers can be powered up by non-technical personnel in the branch and configured remotely based on pre-defined business intents, customized to the needs of the business. The edge routers continuously monitor traffic patterns and automatically adjust connections to accommodate priority business data, maintain cloud and SaaS application QoE, and proactively adapt to security threats.
These innovations in our Cisco SD-WAN portfolio help to solve real-world security challenges facing enterprises today. Even better, licensing is simple because SD-WAN comes packaged with our DNA Essentials license. You can look forward to more innovations from our engineering organization to facilitate connecting and securing branch offices with enterprise, multicloud, and SaaS application platforms with better performance while reducing the total cost of connectivity.