cisco sd-wan · sd-wan fabric corporate software users saas cloud security provider cisco sd-wan...

Maura Fuertes, Technical Solutions Architect

Román Vargas, Sales Specialist

May 2020

Connect any user to any application without compromiseCisco SD-WAN

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Previously, Connecting Users to Data Center was the Priority

Users

Data Center

Applications

WANBranch/Campus

Internet

Best Effort


WAN

Today Applications are Moving to Multiple Clouds

DC/Private Cloud

SaaS

IaaS

Mobile Users

Campus & Branch Users

Devices & Things


CampusX2-5

Branches X100+

Mobile Users

X1000s

Internet Connectivity Becomes Business Critical

More users, things and applications, everywhere

DC/Private Cloud

SaaS

IaaS

Inconsistent user experience

Increasing complexity

Exposure to cyber threats


To help, IT is deploying SD-WAN

Poor user experience –impact in employee productivity

Complexity and cost to introduce new services in the network (manual operation and changes)

Users demand for SaaS apps (shadow-IT)

Requirements to migrate workloads to the public cloud (AWS, Azure, …)

Need to set up new branches in a timely manner even in remote areas

Need for centralized management: Inventory, visibility, reporting, management,config changes, SW upgrades via GUI

SECURITY (segmentation, DIA, etc.)

IT Challenges:

SD-WAN


Secure Cloud Scale SD-WAN Architecture

Internet5G/LTE

MPLS

Branch Security

Application Quality of Experience

Cloud Security

Voice and Collaboration

On-premise | Cloud | Multi-tenant

Automation | Network Insights | Analytics

vManage

Cloud OnRamp

Any Deployment

Any Service

Any Transport

Any Location

Satellite

Branch Colocation Cloud

Open | Programmable | Scalable

AW S

G C P

Azu re


Use Cases – Cloud Integration


Why Backhauling Impacts Application Performance

Branch/CampusData Center

SD-WAN Fabric

CorporateSoftware Users

SaaS

Cloud SecurityProvider

A single path for all mission critical business applications

Single Path to Internet

• Datacenter

• Colocation provider

• Cloud security provider

ColocationProvider



SD-WAN Fabric


SaaS

Cloud SecurityProvider

CiscoSD-WAN

ColocationProvider

Increased reliability and utilization of best path for SaaS applications

SaaS Optimization

Optimization via Multipath

Up to 40% faster Office 365

Performance



Improving Application Experience

Capabilities

• Application SLA

• TCP Optimization

• Forward Error Correction

• Packet Duplication

InternetIaaS/SaaS

Internet

MPLS

Pa

rity1 2

344

OptimizedTCP Connection

Path1: 10ms, 0% lossPath2: 200ms, 3% lossPath3: 140ms, 1% loss

Internet

MPLS

4G LTE

AppA

App Aware Routing PolicyApp A path must have

latency <150ms & loss <2%

Path 2

1

FEC Header

2

FEC Header

P

FEC Header

4

FEC Header

3

FEC Header

Internet

(Secondary)

MPLS

(Primary)

43

21

43

21

42

1

43

21


Extended SD-WAN to IaaS

Internet connectionto IaaS cloud

VPC VNet

VPC

VPC

VPC VNet

VNet

VNet

SD-WAN Fabric

Branch

TransitHub

vManage

Connect to IaaS cloudvia co-location

VPC VNet

VPC

VPC

VPC VNet

VNet

VNet

SD-WAN Fabric

Branch

TransitHub

vManage

Cloud onRamp to IaaS

• Cisco WAN Edges deployed in a Transit Hub, acting as virtual aggregation routers

• Partial extension of SD-WAN Fabric

• Automated deployment process with vManage



SD-WAN Fabric


How SD-WAN exposes new security challenges

Internal & External Threats

External

• Exposure to malware & phishing due to direct internet and cloud access

• Data breaches

• Guest access liability

Internal

• Untrusted access (malicious insider)

• Compliance (PCI, HIPPA, GDPR)

• Lateral movements (breach propagation)

BA

SIC

/NO

S

EC

UR

ITY

NO SECURITY

InternetIaaS/SaaS

Existing Security Stack in DMZWAN Edge Device


Deploying Cisco SD-WAN Security


SD-WAN Fabric


InternetIaaS/SaaS

Single Management Console

Full Edge Security Stack

On-Prem Security

Mitigate Internal & External Threats

CloudSecurity

Mitigate External Threats at Scale

• Enterprise firewall and intrusion prevention embedded for internal threats plus URL filtering and malware sandboxing for external threats

• End-to-end segmentation to stop breach propagation, enforce regulatory compliance, and promote network (and application) layer security

• Zero-trust authentication and full payload encryption between edge routers

• Integrated connectivity and cloud-delivered security with 100% business uptime

• Secure Internet Gateway protects users and devices and protects data sent to and from the cloud


Enterprise Firewall+1400 layer 7 apps classified

Intrusion Protection SystemMost widely deployed IPS engine in the world

URL-FilteringWeb reputation score using 82+ web categories

Simplified Cloud SecurityEasy Deployment for Cisco Umbrella

Cisco SD-WAN

Cisco Security

Hours instead of weeks and months

Combining Best of Breed in Security and SD-WAN

Adv. Malware ProtectionWith File Reputation and Sandboxing

(ThreatGrid)


Segmentation across the Stack

VPN1UC

VPN2Finance

End-to-end segmentation across public and private Data Centers

VPN3HR

VPN1UC

VPN2Finance

GatewayVPC VPN2

VPN3

Finance Resources

HR Resources

VPC

VPCHR

Finance

UC Data Center

VPN3HR

Resources

HR

Finance

SD-WAN


How is SD-WAN Threat Defense Delivered?

Internet

Branch

VPN FW URLF AMPIPS

Internet

Branch

VPN FW URLF AMPIPS

Internet

Branch 1 Branch 2

Reg ional Hub

VPN FW URLF AMPIPS

Internet

Branch 1 Branch 2

Cisco Umbrella

Integrated Dedicated Service Chaining Cloud Delivered


How is Security Delivered?

Internet

Branch 1 Branch 2

Cisco Umbrella

Cloud Delivered

Internet

Branch 1

Cisco Umbrella

Cloud Delivered

Branch to internet Roaming to internetInside Branch

Internet

Branch 1

Cisco Umbrella

Integrated+

Cloud Delivered

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialEasiest way to protect all of your users and endpoints in minutes

ANY DEVICE ON NETWORK

ROAMING / MOBILE

BRANCH OFFICES

• Safe DNS

• Content control

• Application control

• Advanced web content control

• Advanced web application control

• L3/L4/L7 Firewalling

• Data at rest control

wwwCASB

DNSControls

CloudNGFW

www

CloudProxy

53 80-.443

Umbrella

Cisco UmbrellaSASE


SD-WAN Management

Single Monitoring Dashboard

• Configuration: OnRamp, Security, Devices, Policies, Templates

• Lifecycle management

• Role based access/Multi-tenant

One management dashboard for branch, co-location, cloud and Security

Cisco vManage


SD-WAN Analytics

Real-Time Information

• Future planning and what-if scenarios

• Recommendations for predictable app performance

• Benchmarking

Cisco vAnalytics


Cisco Umbrella Management

Cisco Umbrella

DEMO

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

v

Why Cisco SD-WAN?

*Gartner Critical Capabilities for WAN Edge Infrastructure, December 2018

Right Security, Right PlaceProtect all users, devices and applications by deploying the right security, on-premise and cloud delivered, in the right place, quickly.

Simplicity at Enterprise ScaleDelivering Intent-based Networking with best of breed technologies across every domain with consistent policy and assurance integration

Predictable Application ExperienceNo matter where your applications are hosted Cisco SD-WAN delivers the best user experience, securely across any cloud.


Learn more about improving Office 365 connectivity with Cisco SD-WAN: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/sd-wan/white_paper-c11-741353.html

https://www.cisco.com/c/es_es/products/security/cloud-security/umbrella-sd-wan.html

Additional Resources: www.cisco.com/go/sdwan

Contact your channel partner or Cisco sales team for more information

Learn More

cisco sd-wan · sd-wan fabric corporate software users saas cloud security provider cisco sd-wan...

Documents