Solving Cloud and Branch SD-WAN Security Challenges with Riverbed SteelConnect
If you are going to solve your SD-WAN security challenges in the cloud and branch, you are going to need more than one security superhero on the job.
“Crimes in cyberspace cost the global economy $445 billion in 2016—more than the market cap of Microsoft ($411 billion), Facebook ($314 billion), or ExxonMobil ($332 billion)”—according to an estimate from the World Economic Forum Global Risks Report.
With SteelConnect, Riverbed’s SD-WAN solution, security lives in the DNA of the system. It’s based on some core security precepts.
- Secure the design
- Implement trusted industry standards
- Protect perimeters with access control
- Empower and secure guests
- Make visible the problems you can’t see
SD-WAN security matters for many reasons, from the cost of containing losses to your customers’ confidence that you do business safely.
SteelConnect—architected for software-defined WAN security
Secure the design
SD-WAN is a relatively new and promising technology. Riverbed wants to keep your experience of SD-WAN secure and trouble-free so you can use SD-WAN as it was intended—realizing the full potential of digital branch and cloud transformation.
Riverbed SteelConnect is a complete SD-WAN solution for securely connecting users and business to the applications they need, wherever they reside—on a remote LAN, in a data center, or in the cloud—over any network.
SteelConnect has built-in SD-WAN security: security was part of SteelConnect’s design, not added later in response to breaches. For example, the management console port typical of a router-based approach simply does not exist on a SteelConnect device, which reduces the attack surface.
Traditional WANs often bolted security onto the architecture after the original design. SteelConnect’s architecture differs from those traditional WAN deployment architectures.
SteelConnect pointedly and uniquely avoids the notion of multiple control planes and multiple controllers. Instead, SteelConnect consolidates the control-plane function in the SteelConnect Manager for ease and speed of design and deployment.
With SteelConnect, software-defined WAN security is part of your system design, since you control levels of security for users and devices with user- and role-based policies. Security is a core tenet of SteelConnect’s management configuration profile resulting in one integrated approach across all devices and planes, woven into an overlay network.
Not only is SD-WAN security designed into SteelConnect, but policies can be easily deployed, managed, and changed universally throughout the system—without any command-line interface (CLI) configuration, which is prone to human error.
Change any time
A centralized, secure, global management system based on the single global policy automates services like security and can be easily changed for rapid response to changing conditions or new needs. And by deploying a centrally managed suite of products (Gateways, Switches and Access Points) designed from the ground up to work together, you get a complete, unified view into your application and network health, so that you can see and troubleshoot security breaches and other problems.
Implement trusted industry standards/approaches
Fundamental to the secure operations of SteelConnect is the establishment of a secure overlay Virtual Private Network (VPN) and SD-WAN security policies for traffic flows. Based on the sites and WANs available, SteelConnect Manager automatically calculates a route map through a process referred to as AutoVPN.
AutoVPN, based on the industry standard IPsec with AES 256 encryption, is a fast way to create a resilient, secure VPN backbone between all your sites. You can deploy AutoVPN between gateways, between an access point and gateway, between access points, as well as connect to a third-party VPN (ClassicVPN). Secure, encrypted AutoVPNs are supported over all WAN types including Internet and MPLS. In addition to the establishment of AutoVPN and ClassicVPN, SteelConnect Manager maps and enforces security policies onto the appropriate overlay VPN.
In addition to automated VPN based on IPsec with AES 256 encryption, SteelConnect Gateways also provide distributed firewalling, simple network services to zones (segmentation), and extended reporting. VPN links are constantly monitored, and traffic is included in policy controls. SteelConnect also works in combination with existing firewalls and switches, extending existing installations with new functionality.
The SteelConnect Gateway firewall functionality provides excellent branch firewall capability, negating the need for a separate firewall in the majority of branch situations. SteelConnect Gateways are not intended to provide Unified Threat Management (UTM) functions, but will work with them when the customer chooses to deploy them, which is typical in data center environments.
Network segmentation offers yet another secure approach. Based on policy, SteelConnect zoning provides unified segmentation of LAN and WiFi users and devices—dynamically and in all locations. Organization-wide virtual SteelConnect network zones reduce attack surfaces and contain possible breaches. When SteelConnect Gateway is handling gateway functionality for a zone, it provides DHCP, NTP and DNS services automatically. It also provides security for devices and reporting functionality for connected zones.
Hardening is still another secure approach used by SteelConnect. In addition to providing robust security features, SteelConnect’s system has been architected to reduce exposures that would otherwise have to be secured. Tools used to harden the system include automated operations and minimized attack surfaces. For example, in terms of attack surfaces, SteelConnect Role-Based Access Controls prevent certain UI options from being displayed to lower RBAC categories.
Protect perimeters with access control
User identity control is central to allowing direct Internet access, since direct Internet access is not a VPN based on IPsec with AES 256 encryption and thus is inherently less secure. Direct Internet access poses security challenges that include network isolation, data confidentiality/integrity, intrusion/attack prevention, content inspection and malware detection.
SteelConnect Manager provides an easy and intuitive way to define any network access by user identity. SteelConnect associates those accessing the networks with the devices they are using, providing granular and automated user-to-device assignments, with an interface in each zone.
Organizations assign users to a virtual network zone only once. From then on, these virtual zones automatically follow users across all locations, no matter which device is used. Smart roaming streamlines connectivity handover between access points and sites, and user-based network access control secures bring-your-own-device (BYOD) environments.
Empower and secure guests
With SteelConnect, guest WiFi access requires authenticated, identity-based registration (via the authentication portal or social media login) and then directs all guest traffic over the Internet—with a firewall between the guest zones and the internal zones. Guest restrictions are based on the policy attached to each guest device. For maximum convenience and secure control of device proliferation, guests can self-register each device in a matter of minutes, and the administrator then attaches the security policy to each device registered by that user. Web content restriction and malware filtering are also based on the SteelConnect policy you set up.
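The zone model described in the segmentation and guest-access sections above (a user is assigned to a zone once, the zone follows the user across sites and devices, guest zones reach only the Internet, and everything not explicitly allowed is denied) can be made concrete with a small policy evaluator. The following is an added, vendor-neutral illustration written for this page; it is not SteelConnect code and does not use any SteelConnect API. The zone names, users, rules and flows are all constructed for the example. It also includes a static isolation check of the kind you would run to validate that a segmentation policy does what you intend before and after a change.

```python
"""Zone-based segmentation policy: evaluation plus an isolation check.

Constructed illustration, not SteelConnect code. Zone names, users, rules
and sample flows are invented for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "*"  # wildcard for zone or protocol


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                              # "allow" or "deny"
    ports: FrozenSet[int] = frozenset()      # empty set means any port
    proto: str = ANY

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in (ANY, flow.src_zone)
                and self.dst_zone in (ANY, flow.dst_zone)
                and (not self.ports or flow.dst_port in self.ports)
                and self.proto in (ANY, flow.proto))


# Identity-based assignment: the zone is bound to the user, not to the
# site or device, so it follows the user wherever they connect.
# Unknown identities land in the guest zone. (Constructed data.)
USER_ZONES = {"alice": "corp", "bob": "corp", "visitor-42": "guest"}


def zone_for_user(user: str) -> str:
    return USER_ZONES.get(user, "guest")


# Ordered, first-match rule set. Anything not matched is denied.
RULES: List[Rule] = [
    Rule(ANY, "mgmt", "deny"),                               # nobody reaches management from the data plane
    Rule("guest", "internet", "allow"),                      # guests get Internet only
    Rule("guest", "corp", "deny"),                           # explicit, so the decision is logged with a rule
    Rule("corp", "internet", "allow"),
    Rule("corp", "datacenter", "allow", frozenset({22, 443})),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule); (\"deny\", None) is the default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule
    return "deny", None


def verify_isolation(src_zone: str, dst_zone: str, rules: List[Rule] = RULES) -> bool:
    """True if no traffic from src_zone can ever be allowed into dst_zone.

    Walks the rules in match order: an unrestricted deny for the pair
    shadows everything after it; any allow for the pair breaks isolation;
    a port- or protocol-limited deny does not isolate on its own.
    """
    for rule in rules:
        if rule.src_zone not in (ANY, src_zone) or rule.dst_zone not in (ANY, dst_zone):
            continue
        if rule.action == "allow":
            return False
        if not rule.ports and rule.proto == ANY:
            return True
    return True  # fell through to the implicit default deny


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, Optional[Rule]]]:
    """Evaluate a batch of flows, e.g. from a flow log, for review."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    sample = [Flow("guest", "internet", 443), Flow("guest", "corp", 445),
              Flow("corp", "datacenter", 3389), Flow("corp", "mgmt", 443)]
    for flow, action, rule in audit(sample):
        print(f"{flow.src_zone}->{flow.dst_zone}:{flow.dst_port} {action} via {rule}")
    print("guest isolated from corp:", verify_isolation("guest", "corp"))
```

The isolation check is the part worth keeping around: run it for every (guest, internal) and (any, management) pair after each policy change, and a change that quietly opens a path between zones fails the check instead of surfacing later in a flow report.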
Make visible the problems you can’t see
SteelConnect with its management dashboard offers a unified at-a-glance view of your network topology, including registered and online appliances, and new events. It also provides continuous automatic monitoring of network events, site, and tunnel status.
In addition to network visibility, SteelConnect and SteelCentral insights are integrated, providing analysis of shared flow data into information reports and problem-focused troubleshooting. The integration provides path quality and QoS reporting with events overlaid on reports and four SteelConnect SD-WAN specific views and reports: Network, Site, Application, and User Summary.
The ability to validate that policies, especially security policies, are working as expected, troubleshoot problems quickly, and plan for changes can help ensure the success and security of your SD-WAN.
Leverage SteelConnect, a software-defined networking solution, today for:
- Ubiquitous and unified connectivity: SteelConnect provides a software-defined and application-defined connectivity fabric that spans WANs, remote office LANs and cloud infrastructure networks.
- Business-aligned orchestration: SteelConnect bridges the performance gap between business needs and IT capabilities with meaningful visualization of networks and plain-language policies that drive zero-touch provisioning and easy change management.
- Cloud-centric, secure workflow: Design first, then deploy. SteelConnect enables network architects to first virtually design their environments and networks before deploying a single, self-programming piece of hardware to any remote location.
Try out SteelConnect for yourself.
Read more about SteelConnect SD-WAN security in this paper.
Learn more about Riverbed SteelConnect.