SD-WAN Security And SASE - BrightTALK

Transcription

SD-WAN Security and SASE
Charuhas Ghatge, Product Marketing, Nuage Networks
2020 Nokia

Agenda

Security for SD-WANs
- Branch Security Requirements
- SD-WAN Security Paradigm – Prevent-Detect-Respond
- Security Functions – IPS/IDS/Web Filtering, Security Monitoring and automated Response to threats
- SD-WAN Security – Customer Verticals and Use Cases

Secured Access Service Edge (SASE)
- What is SASE? Why is it needed?
- Components of SASE
- Deployment Considerations
- A SASE Implementation

Enterprise Network Evolution

(Diagram. Labels: Universal Security Framework; Perimeter Security; Management Portal with Business Policies, Security Policies and Application Policies; Enterprise Apps, Data Center/Cloud, SaaS, Internet, Private Cloud, SP Hosted Services; Hub-spoke Branch-DC Centralized Security; Secure Enterprise Network; sites: Branch, Mobile, So-Ho, Offices, Factories, IoT.)

Branch Security Needs to Evolve with Threat Landscape
Requires an automated, end-to-end approach based on analytics

Prevent
- Need to secure local internet breakout access from branch (e.g., L3-7 Firewall, URL Filtering, IDS/IPS)
- Prevent lateral malware spread from branch to DC

Detect
- Need real-time visibility and monitoring for all traffic entering or leaving the branch to detect emerging threats

Respond
- Need to automate response to mitigate security threats in near real-time

Branch Edge Security Requirements
Advanced Security Features

Stateful Firewall
- Protect branch network access from outside
- Restrict branch user access to corporate network and internet using protocol/ports

L7 Application Control
- Restrict branch user access to select applications (e.g., allow Skype for Business, block Facebook)

URL/Web Filtering
- Limit branch user access to internet content, block malware
- White list access to cloud services
- Regulatory compliance

Threat Prevention (IDP, Anti-Virus)
- Detect/block known threats from outside to branch as well as from branch to DC/internet
- Protect branch users from network based virus/malware (e.g., via Web, Email, File downloads)

Real-Time Security Analytics and Automation
- Visibility into all traffic from branch to internet and DC/cloud
- Detect new zero day threats
- Automate response based on analytics to limit malware spread

Nuage SD-WAN Security

Key Features

Prevent
- End to End Security Policy
- L3-L7 Application Firewall
- Internet SaaS Application Control
- Web/URL Filtering
- Threat Prevention (IDP)
- Hosted Third-Party VNFs/Cloud Security

Detect
- Visibility and Security Monitoring
- Contextual Flow Visualization
- Near Real-time Alerts Based on Network Analytics

Respond
- Dynamic Security Automation
- Automated Policies Based on Network Security Analytics
- Dynamic Service Insertion for Threat Mitigation

Key Benefits
- Secure branch user to local internet breakout access
- Prevent unauthorized access to malicious web content
- End-to-End Segmentation and Security Policy for Threat Prevention and to prevent lateral spread of malware
- Fast Detection and Rapid Response based on Security Analytics

Embedded L3-L7 Firewall and SaaS Access Control
Advanced Security Features

L3-L4 Stateful Distributed Firewall
- Limit branch access to/from internet using stateful L3-4 security
- Validated by 3rd party for PCI-DSS v3.2 network firewall requirements
- Logging of ACL actions for compliance and auditing

L7 Application Control
- Restricts branch user access for specific applications using L7 DPI
- Supports 1900 application signatures
- L7 application classification for TLS traffic based on cname in certificates
- Visibility and logging of L7 application information

SaaS Application Control
- Supports pre-defined SaaS services – Office365, Webex, Salesforce, Github, JIRA, Azure, AWS, Google

Web/URL Filtering
Block user access to inappropriate or malicious internet content

Use Cases
- Restrict local internet access from branch to cloud services/white listed websites
- Block branch user access to inappropriate or malicious content

Key Features
- DNS based enforcement, based on filtering DNS queries to the websites
- Content/Website Category based filtering (block malware, block adult content, block streaming media)
- Support for over 180 website categories
- Supports daily update of pre-defined website categories
- Filtering based on custom website list (e.g., allow www.salesforce.com)
- Logging of blocked websites/categories
- Supported on all NSG physical form-factors as well as NSG-V

Threat Prevention – IDP (IDS/IPS)
Detect and Block Known Threats

Use Cases
- Detect/block known threats from outside to branch as well as from branch to HQ/DC/internet
- Targeted for medium/small sites with 100s Mbps connectivity

Key Features
- Embedded security capability in NSG
- Uses signatures of known attacks to match traffic that passes through the NSG in order to prevent attacks
- Signatures are divided into different groups containing relevant signatures, based on use case
- IDS/IPS policies defined and managed centrally by VSD GUI, API
- Stats/Reports on intrusion event details and rule hit count; logging of blocked websites/categories
- Signatures updated dynamically from cloud and applied to NSG

Contextual Flow Visibility
Overlay and Underlay

- Network security monitoring for compliance and audit
- Delivered as a managed cloud service to enterprises
- Shift from traditional box heavy branch (NGFW, Branch Routers) to a thin branch (with SD-WAN) and heavy cloud model
- Threat hunting
- Network forensics and troubleshooting

Real-Time Network Security Monitoring

Threshold based alerts and security event reports based on near-real time flow and ACL analytics to detect and alert on various security events:
- Port Scan Detection
- Port Sweep Detection
- Security Policy violations (ACL deny)
- TCP SYN/RST flood (TCP flag count)
- Volumetric DoS attack (Byte/Pkt count)
- Anti spoof
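As an added illustration (not code from the deck or from Nuage), the sketch below shows how three of the threshold-based alerts listed above can be derived from flow records: a port scan (one source, one destination, many ports), a port sweep (one source, one port, many destinations) and a TCP SYN flood (many flows to one destination that never progress past SYN). The record fields, the thresholds and the addresses are constructed assumptions.

```python
from collections import Counter, defaultdict

def make_flows():
    """Constructed sample flow records (assumption: one dict per flow, as a
    branch gateway might export them for near-real time flow analytics)."""
    flows = []
    # Port scan: one source probing 12 distinct ports on one destination
    for p in range(20, 32):
        flows.append({"src": "10.1.1.50", "dst": "10.2.0.10", "dport": p, "flags": "S"})
    # Port sweep: one source probing port 445 on 15 distinct hosts
    for h in range(1, 16):
        flows.append({"src": "10.1.1.51", "dst": f"10.2.0.{100 + h}", "dport": 445, "flags": "S"})
    # SYN flood: 60 SYN-only flows from many sources toward one service
    for i in range(60):
        flows.append({"src": f"198.51.100.{i % 250 + 1}", "dst": "10.2.0.20", "dport": 443, "flags": "S"})
    # Benign completed sessions (SYN and ACK both seen) are not counted as SYN-only
    for _ in range(5):
        flows.append({"src": "10.1.1.60", "dst": "10.2.0.20", "dport": 443, "flags": "SA"})
    return flows

def detect(flows, scan_ports=10, sweep_hosts=10, syn_flows=50):
    """Threshold-based detection over a window of flow records.
    Returns a list of alert tuples; the thresholds are illustrative."""
    ports_per_pair = defaultdict(set)      # (src, dst)   -> distinct destination ports
    hosts_per_src_port = defaultdict(set)  # (src, dport) -> distinct destination hosts
    syn_only_per_dst = Counter()           # dst -> flows with SYN set and no ACK
    for f in flows:
        ports_per_pair[(f["src"], f["dst"])].add(f["dport"])
        hosts_per_src_port[(f["src"], f["dport"])].add(f["dst"])
        if f["flags"] == "S":              # half-open attempt: the TCP flag count the slide refers to
            syn_only_per_dst[f["dst"]] += 1
    alerts = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_src_port.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("port_sweep", src, dport, len(hosts)))
    for dst, n in syn_only_per_dst.items():
        if n >= syn_flows:
            alerts.append(("syn_flood", dst, n))
    return alerts

if __name__ == "__main__":
    for alert in detect(make_flows()):
        print(alert)
```

In a deployment the same counters would be kept per time window and per tenant, and an alert would feed the automated response described on the later slides rather than just being printed.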

Automated Response

- Leverage network security analytics to identify suspect end-points based on threshold alerts
- Dynamically insert security services (e.g., NGFW, IPS) for suspect traffic
- Security services can be hosted in the data center or the branch
- Prevent malware from an infected branch device from entering the corporate network

(Diagram: Branch 1, HQ, Partners and Data Center connected over SD-WAN on x86 CPE (bare metal, Hyper-V, KVM, ESXi, containers); a Firewall / IPS is inserted as an extranet segment in the overlay; Private IP and Internet transport.)

Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries

Flexible Deployment with Partner Eco-System
Security across entire IT landscape delivered as cloud-managed service

Cloud Security Services
- Protect branch user access to internet via local breakout
- Limit access to specific cloud services via local breakout

3rd Party Hosted VNF and Service Chaining to HQ/DC (for example, Checkpoint)
- Hosting 3rd party VNF(s) on the branch CPE
- Service chaining to CSP Cloud VNFs or HQ/DC appliances
- An eco-system of security partners (NGFW/UTM)

SD-WAN Security – Customer Use Cases

Healthcare
- Identification of malware activity at branch site (doctor’s office) based on Nuage embedded network traffic analytics

Financial/Banking
- Securing guest user access to internet from a bank branch office using L3-7 firewall and embedded URL filtering

Managed Service Provider
- Value added security services for SD-WAN using Nuage embedded security capabilities or using partner security VNF

Secured Access Service Edge (SASE)

The SASE Story

Why SASE – What problem is being solved
- Evolution of enterprise networking and security needs

What – Description, status and key requirements
- What is SASE, where is it on the hype cycle, no standards, a 5-10 year journey vs. a defined destination, major requirements (Gartner)

When – Deployment considerations
- Consider the state of the industry, SD-WAN technology, security technology and the enterprise
- Need for flexibility: rip and replace vs. evolution – undefined standards, dynamic and evolving threats, vendor lock-in, dynamic needs, flexibility

Who – Nuage does SASE
- How we meet key requirements
- Incremental options and benefits
- How Nuage does SASE in detail: SASE at the end points, SASE at the service edge and cloud

A new architecture is required to deal with both Security and Connectivity

- Connect to Datacenter/HQ
- Connect to Clouds (Private, SaaS, Public)
- Connectivity from Anywhere
- Traditional Security (VPN) is overwhelmed
- IT Operations are stretched
- Growing network performance and costs

Source: Gartner

Migration of Enterprise to Cloud requires Cloud-Centric Connectivity & Security

- Enterprise applications migrate to cloud
- SD-WAN architecture is evolving

(Diagram: branch offices connected over SD-WAN; legacy applications in the datacenter, modern applications in the cloud.)

What is the SASE Framework and what are its potential Use Cases

SASE Use Cases
- Connect user from anywhere
- POP-centric Cloud access with assured SLA
- Secure WAN access with end-to-end security protection
- Enhanced Application experience
- Enterprise Digital Transformation
- Simplification of Security & Network Operations
- Migration and adoption of Cloud
- Networking for IoT and Industry 4.0

High level SASE requirements & recommended approach

Networking
- Performance based POP selection
- Application aware routing and traffic steering
- Full MPLS support for legacy Datacenter access

Security
- Access privileges are enforced at the endpoint by policies including network firewall and URL filtering
- SWG, CASB, NGFW, ZTNA, DLP and others are handled at the service edge

Management
- Easy provisioning and full visibility reports at all the networking levels
- Multi-platform provisioning support

Vendor Strategy
- Multi security vendor support
- Multi Cloud vendor support

SASE Networking Requirements & Vendor Implementation

Networking Requirement: Description
- Comprehensive Routing capabilities: Full stack of routing protocols to support switching and routing personalities
- Access and Connectivity to and from Anywhere: Seamless connectivity and policy management across fixed (internet, L2 and L3) and mobile WANs
- Performance based POP selection: Support for multiple paths and PoPs and performance-based selection ability
- Application aware routing and traffic steering: Providing optimal application experience based on application types
- Hybrid WAN support (e.g. Full MPLS/Ethernet) for legacy Datacenter access: Seamless integration of existing networking to access data center and apps
- Multi-Cloud & Hybrid Cloud connectivity: Policy based access to and across applications in private cloud and multiple public clouds
- Connectivity Security – VPN, IPSec: Embedded encryption and end point security
- WAN Optimization & Bandwidth Aggregation: Optimizing the use of available network for availability and performance
- SD-WAN Service Portal: Multi-tenant SD-WAN portal hosted by CSP for visibility and control, enabling co-management with the enterprise

SASE Security Requirements and Vendor Implementation

SASE Requirement: Description. Vendor implementation guideline.
- IPS: Intrusion Prevention System. Preferably native.
- IDS: Intrusion Detection System. Preferably native.
- Firewall: Stateful Firewall. Preferably native.
- Realtime Security Analytics & Automation: With end-to-end visibility and control for each application, the operator can detect and protect resources at a very granular level, and use automation to respond in real-time to threats. Native, multi-tenant platform, and should be cloud delivered (analytics and management can be hosted by the SP).
- SWG and DNS Filtering: A Secure Web Gateway is used to protect users and devices from online security threats by enforcing internet security and compliance policies and filtering out malicious internet traffic. Preferably native.
- ZTNA: Zero trust network access is a set of technologies that operates on an adaptive trust model, where trust is never implicit, and access is granted on a “need-to-know,” least-privileged basis defined by granular policies. Seamless and secure connectivity to private applications without exposing apps to the internet. Provided via integration with a specialized cloud security vendor.
- CASB: Cloud Access Security Broker. According to Gartner, a cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Provided via integration with a specialized cloud security vendor.
- DLP: Data Loss Prevention. DLP provides visibility across all sensitive information, everywhere and always, enabling strong protective actions to safeguard data from threats and violations of corporate policies. Provided via integration with a specialized cloud security vendor.
- FWaaS: Firewall as a Service. The policy management layer for FWaaS should be multi-tenant and hosted in the SP cloud.

SASE Solution: Options to incrementally evolve towards SASE

Deployment Considerations

Caveats on SASE – at the Peak of Inflated Expectations on the Hype Cycle

SASE is at the Peak of Inflated Expectations on Gartner’s hype cycle. Whereas SD-WAN can be MEF certified, SASE standards are still being worked on.

SASE Deployment Considerations
Flexibility becomes critical in an evolving and dynamic space

- SD-WAN and Cloud Security solutions are widely deployed
- A rip-n-replace SASE deployment is not practical; a pragmatic solution requires utilizing existing investments
- A complete SASE solution from a single vendor would:
  ‒ compromise completeness
  ‒ reduce flexibility in a very dynamic space of enterprise security
  ‒ risk vendor lock-in
  ‒ SD-WAN enjoys the MEF standard, cloud security is still evolving
- A good SASE solution should provide flexibility:
  ‒ A highly scalable and feature-rich SD-WAN supporting connectivity from anywhere; SD-WAN is the foundation of SASE
  ‒ Exhaustive native security functions within SD-WAN
  ‒ Integration with cloud security platforms for advanced and evolving security functions
- This flexibility enables an MSP to:
  ‒ Create a best-fit SASE solution for enterprise clients
  ‒ Differentiate against single vendor cookie cutter solutions

Details on Approach

Nuage does SASE: Nuage SD-WAN Managed Service Multi-Cloud Connectivity
Secure Multi Cloud and Branch Connectivity by Nuage SD-WAN

Nuage does SASE: Nuage SASE Platform for MSPs
- Nuage SD-WAN: Any Access, Anywhere Connectivity
- Nuage SASE Platform

Nuage SASE solutions offer multiple options
Breakout & Overlay Traffic using best-of-breed FW Solutions; Hub/Spoke model for vNF consumption

- CPE and Nuage SD-WAN Embedded Functions
- CPE Hosted Firewalls
- Service Chaining to DC Hosted Firewall Functions (Adv. Forwarding ACLs)
- Integration with Cloud Hosted Security Brokers: zScaler / PA (IKEv1/v2 based integration)

(Diagram: logical chain representation, not strictly traffic flows. Labels: CPE, LAN, WAN, DMZ, Central Office, Data Center, Internet, Applications embedded or hosted.)

User Access from Anywhere with secure and highly available connectivity

Nuage SASE Platform: the user selects the SASE POP based on performance to reach applications in the cloud (IaaS / SaaS).
- Network performance: select the POP based on underlay quality (packet loss, jitter and latency)
- Gateway load: balance the traffic to a different POP if the gateway is overloaded
- Link resilience: if there is any peering link issue between a POP and the Cloud, redirect traffic to a different POP

Connect to Clouds from Service POP via Security SaaS platform

01 Direct peering with Security SaaS platform
02 End-to-end traffic encryption from user to Nuage SASE POP
03 Enforce policy including both network Firewall and URL filtering at end points
04 Security SaaS platform handles SWG, CASB, NGFW, ZTNA, DLP and other security functions at their platform

(Diagram: Small Retail - POS, Large Call center and Small Branch sites connected to Nuage SASE Platform POPs, which peer with a Cloud Security Platform and with cloud VPCs/VNETs.)

Summary

Foundation of SASE is SD-WAN
Convergence of SD-WAN and site

- Cloud delivered and managed SD-WAN service is the foundation of SASE
- Security is delivered on top of SD-WAN as a value added service
- Security defined in the cloud, enforced in the WAN-edge based on logical constructs and not using a box-centric approach

(Diagram: Retail, Head Quarters, Data Center and Branch Site connected over SD-WAN.)

Nuage SD-WAN and SASE
Security across entire IT landscape delivered as cloud-managed service

- Nuage SD-WAN 2.0 architecture provides the right architecture to deliver SASE
- Delivered as a Cloud Managed SD-WAN Service offered by 100 Service Provider Partners to Enterprises
- Offers Flexible Cloud Delivered Security Services including:
  ‒ Cloud Managed Embedded Security (NGFW, IDP, Web Filtering, Analytics)
  ‒ 3rd Party Cloud Security Services Integration (zScaler)
  ‒ Hosted VNFs (UTM) in CSP Cloud

(Diagram: Prevent / Detect / Respond across the DC Data Plane, WAN Data Plane and Cloud Data Plane (“branch in the cloud”); Any Data Center, Any WAN Transport (IP/MPLS, Internet), Any Cloud.)
