VMware SD-WAN e09: Security Considerations

Captions
Hello everyone, today's session is all about security. The reason this is important with any SD-WAN solution, not just VeloCloud, is because you're going away from that model in which you bring all the traffic to your data center via private lines and then, at the peering with the internet, you just get a firewall cluster, so that is the one point at which you would be able to specify your security policies, your content filtering, etc. Now you want to introduce direct internet access at all the branches and many more locations, and that poses a new security threat, because anybody can exploit this, hack into your branch and then, from there, follow all the overlays and have access to your entire estate. So again, with an SD-WAN solution, security is one of the most critical concerns.

Now, focusing on VeloCloud, ever since their inception the founders were interested in purely the SD-WAN aspect, so this means making sure that when a user is accessing a cloud application or a data center application they will be able to do that as smoothly as possible. Because VeloCloud never had their own next-generation security, that actually forced them to take a step back, look at what's out there in the market, what's trending, etc., and make sure to build that flexibility into the solution. So no matter if you want to go with an on-prem version, in which each of your branches has a firewall in it, or you want to backhaul all the traffic to your own data centers, or take a cloud security company like Zscaler or Symantec, for example, you'll be able to do that extremely easily.

So in today's session I'm going to be focusing on a few different things. First of all, what's the security that's already inbuilt in the edges, including the segmentation piece and also the application-aware firewall. Then, looking into the options of adding next-generation security, there are two things that we will be exploring: first of all, the traditional way in which you deploy a UTM at each of your sites, which is greatly simplified because you'll be able to take the software code and run it on the edges themselves as opposed to getting an extra box, or the newer approach in which you will be using cloud firewall services, like Zscaler or Symantec, and you just send all the traffic to them and they do all the security and filtering for you. Again, remember, you might not be getting next-generation security services from VeloCloud at the moment; however, this has some benefits, because you'll be able to look in the market, compare different vendors with each other, compare different methods of delivering those security services, and from there decide. So we give you the flexibility and make sure that, no matter your decision, you'll be able to implement that in just a few clicks. So let me show you how.

So let's take a simple example. We have a branch connected with a few lines to the internet. We then have a hub on the right-hand side; you'll see the main site's firewall here, and this is where we used to set policies back in the old days, where everything was flowing back to the data center and then off to the internet. And then we also have one of the gateways, so we'll use this as a third-party gateway towards cloud security services.

The first point at which we can implement any sort of security is on the edge itself, so this is where we can use things such as the layer 7 stateful firewall. We can also use segmentation policies, so we have up to 16 segments, very similar to VRFs like in Cisco, and this means that if you have, let's say, IoT traffic, guest traffic, maybe you are providing services to different tenants, you keep each of them in a different segment. Each segment has its own routing table and there are no leaks between them, so you just make sure that, for example, your guests will never be able to reach your corporate devices, and hackers cannot use these unsecured devices to get into your estate. Another thing you can use is obviously DNS redirect. There are loads of services out there that build security just by inspecting DNS queries, so obviously when you set up your DHCP pools, etc., on the branch edge you can do DNS redirect.

But what about things such as intrusion prevention, maybe content filtering based on lists, etc.? There are a few ways you can do this. First of all, you can obviously tunnel the traffic you want to be inspected with the overlays back to the hub in your data center. You can do that per segment, so for example the guest segment you can just let flow out to the internet, but your corporate segment can be part of a hub-and-spoke topology, and then you use your firewall cluster at the data center to do everything. This method will resemble very closely the way that we used to do things.

Another option is to use VNFs on the local device here, so number two, VNFs. There are a few options: you can choose Palo Alto, so you get the VM-Series from them; Fortinet, you can get the FortiGates; or you can use Check Point VNFs. Also, a few things to note here: you will need separate licenses, although we make it very easy for you to upload the code in the Orchestrator and push it to the edges. All the management of the policies and all the reporting will need to be done in its own UI, so depending on the vendor you have, they'll have their own ways to interact with the VNFs. Obviously, if you have firewalls at other places and they're all managed from the same centralized platform, you'll be able to manage everything, including the edges here. And last but not least, not all the VeloCloud edges support VNFs, so at the moment we have the likes of the 520-V and the 840, so they support all three providers I just mentioned, and then we have the new 6-series, the 620, 640 and 680. We just released them and they currently only support Check Point; further news will be coming on Palo Alto and Fortinet. I'm going to show you the datasheet, but do have in mind that once you turn the VNF capability on you will see a decrease in throughput, so some of these boxes will allow you to carry up to 100 Mbps all the way to 500, depending on the branch size. Also, there is no requirement to have everything filtered by the VNFs, so you can filter segments, or even in the same segment you can just specify what VLANs need to be inspected. So you have your local area network traffic hit the internal switch on the edge, then it gets forwarded to the security VNF, that makes a decision, and if traffic is allowed to pass, that goes into the main SD-WAN routing process. So the VNF kicks in before the SD-WAN process does.

Last but not least, you can use a cloud security service. I think Zscaler is one of the best examples here, but then you get all these other companies like Symantec and Check Point and Palo Alto; everybody is now migrating to this model of having firewall services delivered from the cloud. The way that you access this is simply by pointing traffic and redirecting it towards an address on the internet. Right now there are two ways of doing this. You can do this via the gateway, so this is where you define the security service as a non-VeloCloud site. This means that we bring the overlay to the gateway; the advantage of this is obviously you can do the DMPO across the circuits, and then from the third-party gateway we connect via IPsec. Now, we have lots of templates depending on the providers here, but VeloCloud has a lot of flexibility when it comes to the authentication and encryption mechanisms you can use. Gateway-wise, this third-party gateway, as we previously discussed in the video dedicated to gateways, is chosen based on the proximity to the third party, so if you have multiple branches and you spin off, let's say, another one here and connect it to the same security service, then you will start seeing a hub-and-spoke topology being formed. Now, there is another way of connecting this, and this is called cloud security service, and this actually allows you to bypass the gateway and create an IPsec tunnel directly from the edge into the cloud security service of choice. So I'm going to show you how this looks in the Orchestrator, but again, it depends if you define it as a non-VeloCloud site, so this uses gateways, or as a cloud security service, and this will use the edge's default ability to create IPsec tunnels directly. Now, although I don't want to cram this diagram, you'll see that when you start defining these services you have the option of high availability, so you'll be able to define two peering points on the third-party side and also utilize two different gateways.

So just to summarize, we looked at the security capabilities of the edge itself, including the way that we can segment traffic and we can apply stateful firewall rules. We have discussed how you can still use your main data center firewalls to impose policy, bringing all the branch traffic back, and you can do that per segment, so you don't need to bring everything back; you can bring only the traffic that you want to get filtered. We have discussed the capability of running VNFs here and specified the fact that there are specific edges that allow you to run this, and obviously you need to license that product and run it from its own UI, although we make the deployment extremely easy. And also we discussed that if you want to take advantage of the new way of enforcing security, and that is via the cloud security service, you can do that either via the third-party gateway or directly from the edge.

I wanted to show you quickly the latest datasheet. As you see, this has been updated recently to include the new models, and as you scroll down you'll see on page number six the throughput capabilities of each of the new edges, so 620, 640 and 680. There is the 840 here at 500 Mbps. Interestingly, the 520-V is currently missing, although the capability is extremely similar to the 620 here, so if I scroll up you'll see here the 520-V with a note saying it can sustain up to 100 Mbps when the VNF is enabled. Not really sure why this has been missed in this table here, but if you don't remember it, again, just scroll a page up.

So let's look inside the Orchestrator. I'm on the home page, and you'll actually see that the Monitor page does allow you to have a high-level view and understanding of the edges that have VNF enabled, and which ones are running and which ones aren't, and also an idea of the non-VeloCloud sites, so one of the primary ways of connecting to cloud security services. Configuring it is actually very easy. Let's look at the inbuilt security: just fire up a profile and then you see this Firewall tab. This is actually something new and has been introduced over the last year. You'll see that you can turn on the stateful firewall, you can select the segment, so each of your segments can have different rules, and then from here you just specify the rules: you match particular traffic, where does it come from, where does it go, potentially define an application as well, and then you have this idea of allow and drop traffic. The segments can be defined here in the Segment tab; you have up to 16 of them. There is a service VLAN I left empty, but if you are using any sort of VNFs you need different service VLANs, so the VNF actually understands what segment the traffic is coming from. Once you define these, you will then be able to see them as options inside the profiles. I obviously showed you the option of the firewall, but you will then see that there are options for the business policies, for the quality of service, and also options on the way that you configure the routing and the Cloud VPN functionality. If you remember, this is where I mentioned that you can, for example, bring your traffic back to your hub just by enabling branch-to-hub and selecting your hubs, and you can leave that obviously turned off for your guest traffic and leave that in its own separate segment.

Now, in order to connect to any sort of third party, including services like Zscaler, for example, you need to configure either non-VeloCloud sites or cloud security services here. Remember, the difference is that the non-VeloCloud site uses a gateway in the middle that's closest geographically to that site, while the cloud security service allows you to connect the edge directly, and once you define them you'll then be able to call them in the profiles. So as you can see here, I can create a new non-VeloCloud site, I can specify the third party I'm connected to; in my case I have a Zscaler termination to two of their gateways. I can click Advanced, then I can also use redundant cloud gateways, so now I have two terminations on my slide here. You'll also be able to define your VNFs and apply the VNF licenses. You'll see the three VNFs we have; once you select them, then we'll ask you where the image is stored and how you obviously want to authenticate while downloading it, and the checksum, to make sure that the image is not corrupted, and once that happens you'll actually be able to deploy the VNFs on the edges. Unfortunately I don't have an Edge 520-V or any of the new 6-series to show you, but I can quickly show you how easy it is to call the third-party site. So you just go inside the profile here, you click on the device, you need to turn on the Cloud VPN, and you have an option for the non-VeloCloud sites. As you see, I enable it and this is the list of all the options I have. Remember, you have to define them here in the network services first and then call them; they will not appear here automatically. Or I can use the cloud security service, so this is where I can connect the edge directly via IPsec. If the edge was supporting VNF configurations, then I will have a VNF tab here that will largely allow me to call the right VNF and then specify what part of the traffic I want to inspect.
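Added example, not part of the video and not VMware SD-WAN code: a small Python model of the per-segment policy the session describes (a separate routing table per segment, stateful-firewall rules scoped to one segment, a drop default when nothing matches). It shows the point made about segmentation: a guest segment whose only route is a direct-internet default cannot reach corporate prefixes even with a fully permissive rule set, because isolation comes from the route lookup rather than from a firewall rule, while the IoT segment only passes the one application its rule names. The segment names, prefixes, next-hop labels and the flows evaluated are constructed for the illustration and are not VeloCloud data structures.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One stateful-firewall rule, evaluated in order within its segment."""
    action: str                    # "allow" or "drop"
    src: str = "0.0.0.0/0"         # source prefix
    dst: str = "0.0.0.0/0"         # destination prefix
    app: Optional[str] = None      # application match; None means any app

    def matches(self, src_ip: str, dst_ip: str, app: Optional[str]) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.app is None or self.app == app))


@dataclass
class Segment:
    """A segment owns its own routing table; nothing is shared across segments."""
    name: str
    routes: dict                   # prefix -> next-hop label (this segment only)
    rules: list = field(default_factory=list)
    default_action: str = "drop"   # applied when no rule matches


def lookup_route(seg: Segment, dst_ip: str) -> Optional[str]:
    """Longest-prefix match, restricted to the segment's own table."""
    best_net, best_nh = None, None
    for prefix, next_hop in seg.routes.items():
        net = ip_network(prefix)
        if ip_address(dst_ip) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, next_hop
    return best_nh


def decide(seg: Segment, src_ip: str, dst_ip: str, app: Optional[str] = None) -> tuple:
    """Return (action, reason) for a new flow entering the edge on `seg`."""
    next_hop = lookup_route(seg, dst_ip)
    if next_hop is None:
        return ("drop", f"no route to {dst_ip} in segment {seg.name}")
    # A private destination pushed out of a direct-internet default route never
    # arrives at another segment: the route lookup, not a firewall rule, isolates.
    if next_hop == "direct-internet" and ip_address(dst_ip).is_private:
        return ("drop", f"{dst_ip} is private and unreachable via direct internet")
    for rule in seg.rules:
        if rule.matches(src_ip, dst_ip, app):
            return (rule.action, f"rule {rule.src}->{rule.dst} app={rule.app}")
    return (seg.default_action, f"segment {seg.name} default")


# Constructed topology for the illustration (not VeloCloud configuration data).
CORPORATE = Segment(
    "corporate",
    routes={"10.0.0.0/8": "hub-overlay", "0.0.0.0/0": "hub-overlay"},  # backhaul all to the DC firewall
    rules=[Rule("allow", src="10.100.0.0/16", dst="10.0.0.0/8"),
           Rule("allow", src="10.100.0.0/16", app="https"),
           Rule("drop")],
)
GUEST = Segment(
    "guest",
    routes={"0.0.0.0/0": "direct-internet"},   # DIA only; corporate prefixes are simply absent
    rules=[Rule("allow")],                      # permissive on purpose: isolation comes from the table
)
IOT = Segment(
    "iot",
    routes={"10.20.0.0/16": "hub-overlay"},     # only the IoT collector network is reachable
    rules=[Rule("allow", src="192.168.50.0/24", dst="10.20.0.0/16", app="mqtt")],
)

if __name__ == "__main__":
    for seg, src, dst, app in [
        (CORPORATE, "10.100.1.5", "10.0.0.10", None),
        (GUEST, "192.168.1.20", "10.0.0.10", None),
        (GUEST, "192.168.1.20", "93.184.216.34", "https"),
        (IOT, "192.168.50.7", "10.20.0.5", "mqtt"),
        (IOT, "192.168.50.7", "10.20.0.5", "http"),
        (IOT, "192.168.50.7", "93.184.216.34", "https"),
    ]:
        print(seg.name, src, "->", dst, app, decide(seg, src, dst, app))
```

The check worth keeping from this model is the order of operations: the route lookup in the segment's own table happens first, so a prefix that only exists in another segment's table is unreachable regardless of how permissive the firewall rules are; the rules then decide among the destinations the segment can actually reach, and the default action covers what no rule names.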
Info
Channel: Dimitrie Sandu
Views: 892
Rating: 5 out of 5
Id: f56BK7Q2xpY
Length: 19min 38sec (1178 seconds)
Published: Tue May 05 2020