Architecting A Secure Business-Driven SD-WAN - CSPi Technology Solutions


Architecting a Secure Business-Driven SD-WAN
Learn How Unity EdgeConnect Delivers Unmatched Protection Across the Cloud-Connected Enterprise WAN

Whitepaper

EXECUTIVE SUMMARY

Software-driven wide area networks (SD-WAN) are enabling today’s geographically distributed enterprises to realize the transformational promise of cloud computing, reduce capital and operating costs, provide the highest quality of experience for employees and customers, and adapt quickly to changing business requirements.

But cloud computing and business-first networking introduce new security challenges. These include:

- Protecting data in transit across public network links
- Directly connecting users in branch offices to applications using the internet (“internet breakout”)
- Overcoming a lack of visibility into dynamic application environments
- Complying with requirements for network and application segmentation

A key benefit delivered by an SD-WAN is the ability to actively utilize low-cost broadband services. However, because broadband services are "public" instead of "private," advanced security capabilities are required to ensure the confidentiality and integrity of application traffic traversing such connections. By segmenting networks into zones that span LANs and WANs, SD-WANs isolate traffic and minimize the attack surface to help compliance with industry standards.

This paper discusses why enterprises are embracing SD-WAN platforms at an accelerating pace, and how a comprehensive SD-WAN security deployment can better safeguard today’s dynamic, cloud-first enterprises. It then goes on to reveal the extensive set of security capabilities incorporated in the Unity EdgeConnect Software Defined WAN (SD-WAN) edge platform from Silver Peak.

As you’ll soon come to appreciate, the net result is an SD-WAN platform that supports key use cases (e.g., internet breakout to improve SaaS application and IaaS performance) and the key principles of a software-defined computing environment (e.g., being application-driven and enabling automation). Today’s SD-WAN technology dramatically improves security over traditional networking infrastructures, and delivers a level of protection that meets or exceeds the security and compliance mandates of the modern enterprise.

Why SD-WAN Matters

The primary job of the WAN is to connect distributed users to the applications they need to do their jobs. As applications and computing models have changed, that job has become more difficult, and more important.

Enterprises that try to manage WANs using traditional routers or even basic SD-WAN approaches are faced with continual compromises and tradeoffs. Manual processes and complex architectures prevent organizations from provisioning new applications quickly, or responding to changing conditions related to peak loads, unavailable network links, or denial of service (DoS) attacks. It is impossible to guarantee service level agreements for real-time applications, resulting in inconsistent quality of experience for system users. Security concerns can hamper the use of low-cost broadband connections and slow the move toward the cloud in general, and SaaS applications in particular.

Real-time, peer-to-peer communication is driving the need for higher performance and increasingly meshed connectivity.
Then there’s the Internet of Things (IoT) and big data apps, which are representative on the whole of both the increasing diversity of applications and the growing volume of data that today’s WAN must be able to handle, ideally in a differentiated manner that ensures each is treated according to its individual characteristics and needs (e.g., relative to QoS, security, etc.).

The impact of these changes to the application landscape is that the enterprise WAN needs to change too. Traditional, private line connectivity options (such as multi-protocol label switching, or MPLS) and routing practices — backhauling, in particular — are clearly a poor match for cloud-based apps, burgeoning amounts of internet traffic, and peer-to-peer interactions. Key shortcomings include the high cost of such network services and architectures, the negative impact they have on performance (especially for internet or cloud-destined traffic), and the fact that they are too rigid.

“More than 80 percent of enterprise workloads will be in the cloud by 2020, with more than 40 percent running on public cloud platforms.” (LogicMonitor Cloud Vision 2020 survey [1])

In comparison, an advanced SD-WAN platform enables enterprises to shift to a business-first networking model, where the network conforms to the needs of the business instead of the business being constrained by the limitations of the network. In the business-first networking model, resources can be re-allocated automatically to match the business priority and security requirements of every application. The network stays in compliance with business and security policies. The enterprise can fully leverage low-cost broadband connections, SaaS applications, and cloud computing platforms. The benefits include:

- Always-consistent application performance and availability
- Reduced WAN total cost of ownership (TCO)
- Increased network and business agility
- Enhanced security [2]

Backhauling and Internet Breakout

The practice of backhauling is where branch office application traffic destined for (or returning from) the internet is routed via a WAN connection between the branch and a corporate headquarters location. This allows it to benefit from the security controls and countermeasures deployed at the headquarters site before being routed to the internet. However, backhauling application traffic results in poor performance due to added latency. The alternative, referred to as local internet breakout, is where selected branch office application traffic is routed directly to/from the internet (i.e., without the need to traverse the WAN and pass through a set of centrally deployed security tools before ultimately reaching the cloud-based application).

Why Security Is Critical to SD-WAN Success

Strong security is a prerequisite and integral element of many of the benefits of a business-driven SD-WAN. For instance, the use of broadband internet as a low-cost connectivity option is core to the SD-WAN value proposition.
However, the fact that broadband is “public” instead of “private” introduces the need for capabilities to ensure the confidentiality and integrity of application traffic traversing such connections. And let’s not forget, too, that inline deployment of SD-WAN devices places them “in the line of fire” — at least compared to the scenario where a traditional WAN optimizer is implemented in an out-of-path configuration.

Enabling internet breakout is another good example. Although it’s essential for enhancing performance and reducing the bandwidth (i.e., dollars) needed for backhauling, it also exposes branch users and their local networks directly to the internet and its myriad threats. So now you need a way to limit outbound destinations, block unwanted/unsolicited inbound traffic and filter allowed/expected traffic for threats.

However, not all web applications are created equal, and some web traffic can expose the enterprise to viruses, trojans, DDoS attacks and other vulnerabilities. Therefore, direct internet breakout must also be secure. For example, a web traffic security policy could be defined as follows:

- Send known, trusted business SaaS traffic such as Office365 and Unified Communications-as-a-Service (UCaaS) directly to the internet.
- Send enterprise data center-hosted application traffic directly to headquarters.
- Send all untrusted, suspicious and unknown web traffic (for example, peer-to-peer network traffic and traffic from countries in which the company does not do business) to a cloud-hosted security service.

To implement such a policy, web traffic must be steered granularly to its intended destination. This requires identifying the application on the first packet, because once an application session has been established, it cannot be redirected to an alternate destination without breaking the flow, resulting in application disruption. And because IP address ranges utilized by SaaS applications change almost continuously, address table updates must be automated and implemented on a daily basis.
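The steering policy above, modelled as an added example (not Silver Peak's code or First-packet iQ itself): a SaaS address table with a one-day maximum age, classification of each new flow on its first packet, and a flow table that pins the decision so an established session is never redirected. Application names, prefixes, the "XX" country code, the geo lookup and the destination labels are all constructed for illustration.

```python
"""
Added example (not Silver Peak's code): a minimal model of the first-packet
steering policy described above, with a SaaS address table that must be
refreshed daily. Application names, prefixes, country codes, destination
labels and the geo lookup are all constructed for illustration.
"""
import ipaddress
from datetime import date, timedelta

# Steering destinations from the paper's example web traffic policy.
DIRECT_INTERNET = "direct-internet"
HEADQUARTERS = "headquarters"
CLOUD_SECURITY = "cloud-security-service"

# Constructed classification sets: which apps may break out directly and
# which are hosted in the enterprise data center.
TRUSTED_SAAS = {"office365", "ucaas"}
DATACENTER_APPS = {"erp"}
# Constructed: country codes where the company does no business.
UNSERVED_COUNTRIES = {"XX"}


class AddressTable:
    """Maps applications to IP prefixes. SaaS ranges change continuously,
    so the table records when it was last refreshed and a maximum age."""

    def __init__(self, prefixes, updated, max_age=timedelta(days=1)):
        self.max_age = max_age
        self.refresh(prefixes, updated)

    def refresh(self, prefixes, updated):
        """Replace the table wholesale; only new flows see the new ranges."""
        self.prefixes = {app: [ipaddress.ip_network(p) for p in nets]
                         for app, nets in prefixes.items()}
        self.updated = updated

    def is_stale(self, today):
        """True when the automated daily update has been missed."""
        return today - self.updated > self.max_age

    def lookup(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        for app, nets in self.prefixes.items():
            if any(addr in net for net in nets):
                return app
        return "unknown"


class FirstPacketSteering:
    """Classifies on the first packet and pins the decision for the flow,
    because a session cannot be redirected later without breaking it."""

    def __init__(self, table, geo):
        self.table = table
        self.geo = geo      # constructed dst_ip -> country code lookup
        self.flows = {}     # 5-tuple -> (app, destination)

    @staticmethod
    def policy(app):
        if app in TRUSTED_SAAS:
            return DIRECT_INTERNET
        if app in DATACENTER_APPS:
            return HEADQUARTERS
        # Unknown, untrusted or unserved-country traffic is sent to the
        # cloud-hosted security service.
        return CLOUD_SECURITY

    def steer(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key in self.flows:
            return self.flows[key]          # established: never re-steer
        app = self.table.lookup(dst_ip)
        if self.geo.get(dst_ip) in UNSERVED_COUNTRIES:
            app = "unserved-country"        # treated as untrusted regardless
        decision = (app, self.policy(app))
        self.flows[key] = decision
        return decision
```

After a table refresh, a flow that was already classified as unknown keeps its cloud-security path, while a new flow to the same address is steered by the updated ranges.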

[Figure 1 diagram: Granular Internet Breakout by First-packet iQ. Labels: Branch Office; Legacy Corporate Apps; HQ / Hub / Data Center; Custom Apps; 10,000 Apps; 300 Million Web Domains; Customer-specified Whitelist; All Other Web Traffic.]
Figure 1: Application traffic must be identified on the first packet to steer traffic to its correct destination to enable granular security policy enforcement.

As more applications migrate to the cloud, new cloud-hosted security services have emerged, providing improved application performance. Centralizing security services provides faster response to new threats as they are discovered.

Additional areas where security is applicable to the success of an SD-WAN implementation include:

- Enabling applications with different security requirements to share the same physical connectivity
- Enabling faster deployment and more efficient management — for example, with secure, automated provisioning of SD-WAN devices, automated security policy enforcement, and a secure management plane
- Enabling consistent enforcement of an application’s specific security policies regardless of where that application is located or accessed

Introducing Silver Peak Unity EdgeConnect

The Silver Peak Unity EdgeConnect SD-WAN edge platform, the industry’s only business-driven SD-WAN solution, provides enterprises with the flexibility to use any combination of transport technologies — including public broadband services — to connect users to applications without compromising application performance or security.
The three main components of the platform include:

- Unity EdgeConnect zero-touch physical or virtual appliances, which are deployed at an organization’s branch offices, central sites, and cloud data centers
- Unity Orchestrator, a centralized management system that enables simplified configuration and orchestration of the entire WAN and provides complete observability into both legacy and cloud applications; QoS and security policies are defined centrally and automatically deployed globally to all appliances in the SD-WAN, increasing operational efficiency and minimizing human errors which can jeopardize branch security
- Unity Boost, an optional WAN optimization performance pack that enables IT teams to engage Silver Peak market-leading WAN optimization capabilities, where needed, simply by checking a box in the Orchestrator interface

The Silver Peak Unity EdgeConnect SD-WAN edge platform is designed with an extensive set of capabilities that address the security challenges and requirements inherent in SD-WAN implementations.

How EdgeConnect Delivers a Secure SD-WAN

EdgeConnect goes well beyond the basics of ensuring the confidentiality of application traffic traversing public networks. An extensive set of security capabilities provides coverage across four essential areas: the data plane, the management plane, partner integrations, and compliance. The net result is the full spectrum of protection needed for enterprises to fully realize the benefits of an SD-WAN architecture — enhanced application performance, lower WAN TCO, and increased business agility — without being exposed to greater security risks.

[Figure 2: Silver Peak Unity EdgeConnect SD-WAN Edge Platform. Components shown: Unity Orchestrator; Unity EdgeConnect Physical; Unity EdgeConnect Virtual; Unity EdgeConnect Cloud-based; Unity Boost.]

Application-driven Data Plane Security

Different applications deserve — or perhaps even require — different treatment when it comes to how they are handled from a security perspective (not to mention other “perspectives,” such as QoS, performance optimization, and tunnel bonding policy). For example, a business application that is processing sensitive transactions might require encryption regardless of the type of transport being used to meet compliance requirements, while SaaS applications could be left to rely on their own native capabilities (e.g., TLS). This is why it’s important to have an application-driven SD-WAN, where policies and configuration settings can be implemented on a per-application basis.

Relevant security capabilities available with EdgeConnect include:

Data-in-Transit Protection: Each EdgeConnect data path is protected by IPsec tunnels that use AES 256-bit encryption to maintain application and data confidentiality. EdgeConnect uses an “IKE-less” IPsec UDP protocol; that is, it employs standards-based IPsec UDP encryption but doesn’t require Internet Key Exchange pre-shared keys. Encryption keys are never repeated and are directionally unique.
Unity Orchestrator manages the encryption keys and rotations automatically, which reduces tunnel setup time without a loss of service. This protocol avoids problems encountered when deploying NAT (Network Address Translation) with IKE, such as failures when branch offices have multiple devices with different VPN requirements. Because IKE-less tunnels use different ports over IPsec, they are unlikely to be limited or blocked by upstream firewalls. These advanced features for protecting data in transit increase the flexibility, security, and robustness of secure communication between remote endpoints.

End-to-end network segmentation: EdgeConnect allows enterprises to create multiple application-specific virtual WAN overlays (also called business intent overlays). Each virtual overlay specifies priority and quality of service requirements for application groups based on business requirements. Using these specifications, EdgeConnect automates traffic steering end-to-end across all underlying WAN transport services.

Each virtual overlay is mapped to a LAN-side zone or zones. A zone may be comprised of VLANs, physical and logical interfaces, and sub-interfaces. Each zone can be assigned security policies that limit connectivity with other zones. For example, a policy could allow only outgoing traffic, or allow incoming traffic only from approved (white listed) applications and services, or block all traffic from less secure zones.
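The three zone policy shapes just listed (outgoing only, inbound only for approved applications, block everything from a less secure zone) as an added example, not Silver Peak's code or the Orchestrator matrix format: a trust level per zone builds the matrix, missing entries deny by default, and replies to a flow a zone initiated are admitted by state. Zone names, trust levels, applications and flows are constructed for illustration, and the verdict strings follow the firewall log wording this paper uses later.

```python
"""
Added example (not Silver Peak's code): a zone-to-zone policy matrix of the
kind Figure 3 depicts, evaluated statefully so that replies to flows a zone
initiated are admitted while unsolicited inbound traffic is denied. Zone
names, trust levels, applications and flows are constructed for illustration.
"""
from dataclasses import dataclass, replace

ALLOW = "Allowed and Logged"
DENY = "Denied and Logged"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: str

    def reverse(self):
        """The 5-tuple a reply packet carries."""
        return replace(self, src_zone=self.dst_zone, dst_zone=self.src_zone,
                       src_ip=self.dst_ip, dst_ip=self.src_ip,
                       src_port=self.dst_port, dst_port=self.src_port)


def build_matrix(trust, approved_inbound):
    """trust: zone -> level (higher is more secure).
    Default rules: a zone may open flows toward any zone at the same or a
    lower level (outgoing only; replies are admitted by state); everything
    from a less secure zone is blocked unless approved_inbound lists the
    applications permitted for that (src, dst) pair."""
    matrix = {}
    for src in trust:
        for dst in trust:
            if src == dst:
                continue
            if trust[src] >= trust[dst]:
                matrix[(src, dst)] = True
            elif (src, dst) in approved_inbound:
                matrix[(src, dst)] = set(approved_inbound[(src, dst)])
    return matrix


class ZoneFirewall:
    def __init__(self, matrix):
        self.matrix = matrix      # (src, dst) -> True | set(apps); missing = deny
        self.established = set()  # flows already permitted in the forward direction
        self.log = []

    def _permitted(self, flow):
        if flow.src_zone == flow.dst_zone:
            return True
        rule = self.matrix.get((flow.src_zone, flow.dst_zone))
        if rule is True:
            return True
        return isinstance(rule, set) and flow.app in rule

    def evaluate(self, flow):
        if flow.reverse() in self.established:
            verdict = ALLOW                 # return traffic for a permitted flow
        elif self._permitted(flow):
            verdict = ALLOW
            self.established.add(flow)
        else:
            verdict = DENY                  # no matrix entry: deny by default
        self.log.append(f"{verdict}: {flow.src_zone}->{flow.dst_zone} app={flow.app} "
                        f"{flow.src_ip}:{flow.src_port}->{flow.dst_ip}:{flow.dst_port}")
        return verdict
```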

With end-to-end network segmentation:

- Micro-segmentation is extended from the LAN, across the WAN, and to data centers and cloud platforms
- Traffic within each zone is isolated from traffic in other segments, reducing unauthorized access and limiting the scope of incidents
- High-priority applications enjoy faster, more reliable performance across WANs, increasing application availability and improving the experience and productivity of end users

Simple policy creation: IT administrators can create end-to-end network segments in minutes using an intuitive graphical user interface. These segments can connect LANs with other LANs (LAN-WAN-LAN) and with data centers (LAN-WAN-data center). The virtual WAN overlays are defined based on business requirements and intent, not infrastructure details like IP addresses. Zone-based security policies are displayed in a configuration matrix that makes them easy to understand.

[Figure 3: A security policy configuration matrix greatly simplifies the creation and management of segmentation rules.]

Central orchestration and automated enforcement: Once virtual WAN overlays and zone-based firewall policies have been defined, Orchestrator deploys them to all EdgeConnect SD-WAN appliances, where they are automatically enforced. This replaces the time-consuming manual configuration of routers and firewalls every time a policy changes. The benefits include:

- Consistent security policy enforcement across LANs and WANs
- Fewer configuration errors
- Improved compliance with regulations and industry standards
- Increased productivity for security and operations staffs

DDoS Defense: With the rising frequency of distributed denial-of-service (DDoS) attacks, it is imperative that enterprises establish cost-effective defenses for any and all sites that might be affected. With EdgeConnect deployed at branch locations, that’s precisely what you get. In the event a broadband connection is flooded by a DDoS attack, EdgeConnect drops the attack packets early at the input interface level by matching a hash of the incoming flows against existing LAN-initiated flows. Further, EdgeConnect dynamically leverages other available connections to sustain operations with no degradation to application performance or impact to SD-WAN manageability. EdgeConnect protects not only itself, by dropping the offending traffic, but also protects all of the users and systems both on the local network and over the remaining, operational WAN connections.

Data-at-Rest Protection: All blocks of data that persist within EdgeConnect appliances as a result of the Unity Boost WAN optimization data de-duplication capability are protected with AES 128-bit encryption.

[Figure 4: EdgeConnect protects the SD-WAN from DDoS attacks and routes traffic across an alternate transport service to keep applications running, enhancing business continuity. Labels: Business Continuity; Branch Office EdgeConnect; Broadband/Internet (ISP1 Cloud), 100x DDoS Attack, Attackers, Brown out due to DDoS on broadband link; MPLS (ISP2 Cloud), No app degradation.]

Intelligent, Secure Traffic Steering

Although it’s not a security capability per se, EdgeConnect First-packet iQ classification plays an important role in the overall effectiveness of the Silver Peak SD-WAN edge platform. By identifying applications on the first packet of a session, it enables application-driven traffic steering that not only ensures efficient use of WAN resources, but also helps automate security policy enforcement. For example, with First-packet iQ, trusted SaaS and web traffic can be sent directly to the internet (avoiding the performance impact and cost of backhauling), while unknown or untrusted web traffic can be service chained to more advanced corporate or web-based security services.
Automated SaaS IP address updates described previously ensure that application traffic is directed correctly according to defined security policies.
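The DDoS defense described in the previous section, as an added example (not Silver Peak's code): each flow a LAN host opens is recorded as a short hash, an inbound WAN packet whose reversed 5-tuple has no LAN-initiated match is dropped at the input stage, and a link whose inbound traffic is almost entirely drops is treated as browned out so new flows are steered to another transport. Addresses, link names and the 90 percent brown-out threshold are constructed; branch-hosted services that accept unsolicited connections would need explicit entries, which this model omits.

```python
"""
Added example (not Silver Peak's code): a model of the input-interface DDoS
defense described above. Flows a LAN host initiated are recorded as hashes;
an inbound WAN packet whose flow hash has no LAN-initiated match is dropped
before it consumes further processing, and a link whose inbound traffic is
mostly drops is treated as browned out so new flows use another transport.
Addresses, link names and the brown-out threshold are constructed.
"""
import hashlib


def flow_hash(lan_ip, lan_port, remote_ip, remote_port, proto):
    """Short stable digest of a 5-tuple written from the LAN side's view."""
    key = f"{lan_ip}:{lan_port}>{remote_ip}:{remote_port}/{proto}".encode()
    return hashlib.blake2b(key, digest_size=8).digest()


class InputFilter:
    def __init__(self, links, brownout_ratio=0.9):
        self.lan_flows = set()                      # hashes of LAN-initiated flows
        self.stats = {link: {"admitted": 0, "dropped": 0} for link in links}
        self.brownout_ratio = brownout_ratio

    def record_lan_flow(self, lan_ip, lan_port, remote_ip, remote_port, proto="tcp"):
        """Called when a LAN host sends the first packet of a new outbound flow."""
        self.lan_flows.add(flow_hash(lan_ip, lan_port, remote_ip, remote_port, proto))

    def admit(self, link, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Inbound WAN packet: rewrite the tuple to the LAN side's view and
        keep the packet only if a LAN host opened that flow. Branch-hosted
        services that accept unsolicited connections would need explicit
        entries; this model covers LAN-initiated traffic only."""
        ok = flow_hash(dst_ip, dst_port, src_ip, src_port, proto) in self.lan_flows
        self.stats[link]["admitted" if ok else "dropped"] += 1
        return ok

    def in_brownout(self, link):
        """A link is browned out once the drop share of its inbound packets
        reaches the threshold; the table lookup itself stays cheap."""
        s = self.stats[link]
        total = s["admitted"] + s["dropped"]
        return total > 0 and s["dropped"] / total >= self.brownout_ratio

    def choose_link(self, preference):
        """First link in preference order that is not browned out, else None."""
        for link in preference:
            if link in self.stats and not self.in_brownout(link):
                return link
        return None
```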

Management Plane and System-level Security

Despite being less top-of-mind than its data plane counterpart, system and management plane security is no less important. Relevant EdgeConnect capabilities in this area include:

Secure, Zero-Touch Provisioning: A key part of the EdgeConnect value proposition is a plug-and-play deployment model that enables rapid installation, without the need for a distributed IT presence. Security for this process takes the form of a two-step authentication and authorization procedure. Before receiving its settings and policies and becoming an active part of the SD-WAN, each newly connected EdgeConnect appliance first must be authenticated by the Silver Peak Cloud portal and then “approved” by an IT administrator using Orchestrator. In addition, Orchestrator can also be used to subsequently revoke access for a given appliance (e.g., if it is stolen or otherwise compromised). This results in any in-flight traffic being dropped, and the specified appliance being unable to download configuration information or join the SD-WAN.

Encrypted Management Communications: All communication sessions between EdgeConnect appliances, Orchestrator, the Silver Peak cloud portal, and administrators’ web browsers are protected with TLS 1.2. Furthermore, all weak protocols (e.g., SSLv2, SSLv3, TLS 1.0, TLS 1.1), weak hashes (e.g., MD5), and weak encryption algorithms (e.g., DES, RC4) are disabled by default.

System Hardening: EdgeConnect is a hardened appliance that ships with the factory default “harden” mode. This approach ensures out-of-the-box security for appliances plugged in for the first time. Subsequently, on zero touch provisioning and configuration, a strong password per standard FIPS 140-2 guidelines is always enforced on the appliance. This prevents malware from using default passwords to gain unauthorized access to the appliance.
All non-essential management services like SSH, FTP are closed by default.

Other management plane protections include:

Robust user authentication and authorization
- Support for local, RADIUS, TACACS, and OAuth for authentication and authorization with identity management systems such as Active Directory and Okta.
- Granular role-based access control with read-only users and multiple administrator roles
- Whitelisting for Orchestrator that restricts administrative access to a specific set of IP addresses or subnets

Extensive logging for both Orchestrator and EdgeConnect
- Event logs/alarms — for system errors pertaining to memory, CPU, network interfaces, routing, and management plane connectivity
- Threshold crossing alerts — configurable, rising and falling thresholds to signal imminent/approaching conditions for concern, such as high memory or bandwidth utilization
- Audit logs — for tracking all access to, and activity conducted via, any of the available management interfaces (CLI, WebUI, or REST APIs)
- Firewall logs — traffic flows inspected by the Silver Peak Zone-based firewall rules can be “Allowed and Logged” or “Denied and Logged”. Firewall logs can be streamed to a third party tool (e.g. SIEM).
- Netflow/traffic logs — for capturing full (non-sampled) flow data so that it can be streamed to a third-party tool (e.g., Netflow collector)

In addition to being critical for network management and incident response, log data can be valuable for complying with standards such as HIPAA.

Rigorous processes for vulnerability management: Silver Peak has made significant investments over many years in rigorous processes for detecting and managing vulnerabilities in its technology.

A dedicated team continually conducts vulnerability assessments and runs penetration tests for every release of every product, including cloud products. Customers and industry researchers are invited to submit security issues and vulnerabilities (and can use a PGP public key to encrypt sensitive information in their reports). The Silver Peak Product Security Incident Response Team (PSIRT) quickly analyzes announced vulnerabilities and security issues, determines if they are applicable to any of the company’s products, documents recommended actions for Silver Peak customers, and publishes security advisories on the Silver Peak website.

[Figure 5: EdgeConnect integrated stateful firewall and simplified service chaining to secure web gateways and next-generation firewalls provides a comprehensive security solution for branch offices. Labels: Branch Office EdgeConnect; Corporate NG-Firewall; HQ/Hub.]

Security Technology Partnerships and Service Chaining

Third-party security products and services are — or, at least should be — another big part of the overall effectiveness equation for an SD-WAN solution. EdgeConnect supports the integration of third-party security technologies into the SD-WAN architecture as follows:

Security Partners: Most organizations already have an existing set of security tools and infrastructure in which they’ve made a considerable investment. Plus, when it comes to security, it’s simply not realistic for a single solution provider to do everything on its own. The scope of threats, risks, and corresponding technologies is simply too great. The net result is that it’s not only advisable to work with third-party security solutions, but also necessary.
This is why Silver Peak maintains technology partnerships covering solution areas such as next-generation firewalls, secure web gateways, anti-malware tools, and sandboxing products from security companies like Check Point, Forcepoint, Infoblox, McAfee, OPAQ Networks, Palo Alto Networks, Symantec, and Zscaler. [3]

Service Chaining: To more closely align with the ease-of-use, automation, and flexibility objectives of today’s enterprises, EdgeConnect also enables simplified service chaining. With this capability, administrators can take advantage of a drag-and-drop interface to logically interwork a combination of Silver Peak and partner security capabilities in whatever arrangement best meets their needs. A few, straightforward (yet powerful) examples include:

- A service chain where internet-bound traffic is routed through cloud-based security services for Layer 7 access control, threat filtering, and analytics
- A service chain where EdgeConnect and a next-generation firewall are collocated in select branch offices that are locally hosting one or more enterprise applications
- A service chain where EdgeConnect and a next-generation firewall are collocated at a regional hub/office to provide advanced security screening for untrusted applications that are still being backhauled

[Figure 6: EdgeConnect extends micro-segmentation across the WAN to help enterprises meet compliance standards. The figure tabulates three virtual WAN overlays:]

Virtual WAN Overlays | Access Policy             | Topology           | Connection            | QoS
Guest VLAN           | Wi-Fi and Non-Credit Card | Hub Spoke          | Internet              | Min. Cost
Data VLAN            | Credit Card Processing    | Dual Hub and Spoke | MPLS – Internet       | Max. Availability
Voice VLAN           | VoIP and Video            | Full Mesh          | MPLS – Internet – LTE | Max. Quality

Transport: MPLS, Broadband, 4G LTE

Security Certification and Compliance

Last, but not least, there are many ways EdgeConnect helps ease the burden of complying with relevant industry regulations, including: Health Insurance Portability and Accountability Act (HIPAA) [4], Payment Card Industry Data Security Standard (PCI DSS) [5], Sarbanes-Oxley Act (SOX), the European Union GDPR, and others. One example is certification to the Federal Information Processing Standards (FIPS 140-2), which provides assurance of correct implementation and failure handling for supported cryptographic functions. [6]

Then there are all of the security features covered so far, most of which are applicable to multiple requirements spanning multiple regulations. Authentication, authorization, and auditing capabilities, for instance, are a fundamental requirement of NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) — and, therefore, of practically every regulation that invokes it. Notable too, especially for its uniqueness among SD-WAN solutions, is EdgeConnect’s support for micro-segmentation. The ability to create encrypted, application-specific overlays can help IT teams control access to systems that store and process electronic private health information (ePHI) to support HIPAA compliance, segment off credit transactions and associated systems to substantially reduce the scope of their PCI DSS compliance efforts, and reduce the risk of unauthorized access to information about customers to meet GDPR and other privacy rules.

Conclusion

Fully realizing the many compelling benefits of an SD-WAN depends to no small extent on having a solution that accounts for the security issues, challenges, and opportunities that such an approach presents. In this regard, the extensive security capabilities of the Silver Peak Unity EdgeConnect SD-WAN edge platform go well beyond the minimum-required level of protection afforded by transport-level encryption and message authentication. By combining robust data and management plane security features with numerous security technology partnerships, and simplified service chaining, EdgeConnect delivers a level of security that better meets the actual protection and compliance needs of today’s enterprises and enables business-first networking, the highest quality of experience for system users, and continuous adaptation to changing business and technical conditions.

For more information about the EdgeConnect SD-WAN solution from Silver Peak, click here.

CSPi Technology Solutions, a Silver Peak Gold Partner, provides the expertise and service scope - including Managed IT Services, Professional Services, and Cloud Services - to help you architect and manage a high-performance, highly available, and highly secure IT infrastructure.

For more information about the EdgeConnect SD-WAN solution from Silver Peak, call 1 (800) 940-1111 or click here to contact us.

FOOTNOTES
1. LogicMonitor Cloud Vision 2020 survey: f-the-cloud-a-cloud-influencers-survey/
2. For details of how SD-WAN delivers improved application performance and other benefits, click here.
3. Related solution briefs are available here.
4. For details on how EdgeConnect supports HIPAA compliance, click here.
5. For details on how EdgeConnect supports PCI DSS compliance, click here.
6. For details on FIPS certification status, click here.

CSPi Technology Solutions
1182 East Newport Ctr. Dr., Deerfield Beach, FL 33442
Phone: 1 (800) 940-1111
Email: techsolutions@cspi.com
Website: www.cspitechsolutions.com

© 2020 Silver Peak Systems, Inc. All rights reserved. Silver Peak, the Silver Peak logo, and all Silver Peak product names, logos, and brands are trademarks or registered trademarks of Silver Peak Systems, Inc. in the United States and/or other countries. All other product names, logos, and brands are property of their respective owners. SP-WP-CB-SD-WAN-SECURITY-04XX20
