Centrally Orchestrated End-to-End Segmentation

The Unity EdgeConnect SD-WAN Solution Enforces Granular Security Policies across the LAN-WAN-Data Center

Network Security has been a Manual, Device-Centric Approach

Software-defined Wide Area Networks (SD-WAN) have transformed the way users connect to applications. In contrast to the traditional rout- er-centric approach that uses TCP/IP addresses and Access Control Lists (ACLs), an SD-WAN employs a more intelligent and more automated application-driven model to control how traffic traverses the WAN.

With the Silver Peak Unity Unity EdgeConnect™ SD-WAN solution, enterprises create multiple application-specific virtual WAN overlays. Each virtual overlay — or business intent overlay — specifies priority and quality of service requirements for application groups based on business require- ments or intent. With these definitions in place, EdgeConnect auto- mates traffic steering on an end-to-end basis across all underlying WAN transport services including MPLS, broadband and 4G/LTE, providing the ability to deliver an application Quality of Experience that is better than what can be provided by any of the underlying transport services individually.

However, to date, security policy definition and enforcement across the traditional WAN remains a manual, fragmented, device-centric approach. Multiple disparate policies must be defined for the LAN, the WAN and the data center. Current zone- based firewalls and other security devices must be programmed manually, device-by-device and then stitched together with separate policies defined across the WAN. Not only is this time-consuming and expensive, it leads to inconsistent security policies that expose the enterprise to unnecessary risks due to configuration errors.

Consistent Policies with End-to- End Network Segmentation

EdgeConnect centrally orchestrates end-to-end segmentation spanning the LAN-WAN-LAN and the LAN-WAN-Data center. The Silver Peak Unity OrchestratorTM enables distributed enterprises to easily segment users, applications and WAN services into secure end-to-end zones1 in compliance with predefined security policies, regulatory mandates and business intent. This results in consistent secu- rity policies and automates enforcement across the enterprise. Orchestrator centralized security admin- istration pares down the task of defining multiple end-to-end zones to a matter of minutes.

The example shown in Figure 1 below represents typical zone or segment definitions for a retail chain.

In this example, independent end-to-end segments have been defined for Point of Sale (POS) traffic, HVAC control applications, resource planning and for internet-bound traffic with independent policies for guest Wi-Fi, trusted SaaS applications and recrea- tional web applications. Segments extend from the LAN, across the WAN and to the data center or to the cloud service provider. Traffic within a segment is isolated from traffic in other segments, prevent- ing unauthorized access. If a threat were to surface, its impact is contained to the segment in which it emerged. Zone-based security policy definitions also define the transport topology and failover policies for each segment.

The segmentation described in this example would have likely prevented the now-famous Target credit card breach that occurred in 2013. Attackers used stolen HVAC credentials to gain access to Target’s in- ternal data network, exploited a vulnerability to gain control of Target servers and injected malware onto POS data servers. Attackers exploited the security breach and misappropriated personal identifiable information for more than 40 million credit and debit cards2. While the Target attack was sophisticated and involved multiple security enforcement breakdowns, secure, end-to-end zone-based segmentation could have prevented access to the POS applications from any other zones or segments.

End to End Segmentation
Figure 1: Sample configuration designed for a retail organization to create isolated segments for Points of Sale traffic, HVAC application traffic, resource planning traffic and internet-bound traffic.

1A zone is a collection of interfaces and network segments attached to the interfaces. A zone may comprise VLANs, physical and/or logical interfaces and sub-interfaces. Each zone is mapped to one and only one EdgeConnect business intent overlay (BIO). However, multiple zones may be mapped to a single BIO.

2https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/

Security policies enable LAN to WAN traffic within a zone
Figure 2: Security policies enable LAN to WAN traffic within a zone (segment) but deny traffic between zones until IT explicitly whitelists or allows specific communication between zones. For example, in the configuration shown, printer traffic is allowed in multiple zones.

Centralized Orchestration Improves Operational Efficiency

Using an intuitive graphical user interface, an IT ad- ministrator can define segments spanning the LAN and the WAN. Each LAN-side zone may be mapped to a business intent overlay, extending micro-seg- mentation across the WAN. Multiple LAN-side zones may be mapped to a single business intent overlay. However, the traffic from a single LAN-side zone can be mapped only to a single business intent overlay.

Application traffic within a zone is enabled across the LAN and mapped to the corresponding WAN segment, but all other traffic is denied by default. IT can “whitelist” or allow specific applications to access users or devices in a different zone. This may include policies for traffic that remains within the branch LAN such as that for a printer shared between multi- ple zones. A matrix view from Orchestrator, shown in Figure 2, provides an easy-to-read, intuitive visualization of configured zones and defined whitelist excep- tions. Orchestrator also supports a standard table view, similar to that provided by firewall management applications, making the transition to the end-to-end segmentation model seamless for security profes- sionals.

Automated Enforcement and Threat Containment Reduces Risk

Once end-to-end segments, zone-based policies and any exceptions have been defined, Orchestrator programs the policies automatically to every Edge- Connect SD-WAN appliance, eliminating time-con- suming manual configuration of routers and firewalls. EdgeConnect automates consistent security policy enforcement across the LAN and WAN and to the data center to help enterprises meet compliance requirements, reduce threat risks and ensure contin- uous business operations.

Conclusion

The zone-based firewall fully integrated with Edge- Connect meets the security requirements of most branch offices. End-to-end segmentation and secu- rity policy enforcement adds no additional latency in the data path and has no impact on application performance.

By combining routing, firewall, segmentation, optional WAN optimization, application visibility and control and SD-WAN in a single solution, EdgeCon- nect can greatly simplify branch WAN edge archi- tecture. A centralized, automated architecture is inherently more robust and reliable than one that relies on traditional, fragmented, site-by-site manual configuration. In addition to consistent end-to-end security policy enforcement spanning the LAN, WAN and data center, enterprises can realize significant operational efficiencies through the centralized orchestration of all essential wide area network func- tions from a single pane of glass.

EdgeConnect Solution Benefits - Business Outcomes