Achieving End-to-End Multi-Cloud Security with vArmour DSS + SD-WAN

If you’ve attended any of the various open networking or SDN-centric industry events in the past few years, you may have recently noticed a shift in what folks are talking about and which booths have some of the most prominent displays.  When we IT types think about SDN, we often tend to think primarily of data center networks, but lately the same trend of software smarts in the control plane has made it into our WAN connectivity in a big way, and in relatively short order.  The cost savings to enterprises can be substantial and today there are several successful startups and big companies all playing in this space together. 

We at vArmour are firmly in the camp of smart, cloud-based and distributed software eating traditional static, legacy architectures. However, often these software systems require additional application context in order to program them effectively. 

The intelligence of vArmour’s higher-level, application-aware, distributed security platform benefits countless use cases, especially SD-WAN solutions.  One of the major issues facing any IT shop attempting to configure security inside the data center is knowing how the applications work. It’s always all about the applications, whether they live in data centers or public clouds. The bottom line is this: If you don’t have visibility into how your applications work, you cannot effectively program data center segmentation or microsegmentation policies. You can try without any application context, but especially in brownfield environments, you’re going to break a LOT of applications along the way - Ask this former Security Admin how he knows :)

With the additional flexibility afforded by SD-WAN solutions, WAN administrators are now finding themselves faced with very technically adjacent issues: How do I know what hosts or services to block and when?  How do I know what services need to be prioritized for the best user experience (for example, where are my critical business applications)?  How do I set things like availability thresholds for an IP/Port combination if my visibility stops at L4 and I don’t know which app is which or where my latency-sensitive databases are?  Which pool of users or applications should primarily use the MPLS link and which should take commercial broadband?  While vArmour is primarily focused on the security aspect of network programming, the application level context and visibility we provide can prove an invaluable resource when attempting to configure adjacent solutions such as SD-WAN.

So we’ve covered the programming/configuration use case, but how would a combined solution help solve problems in a few of the more common architecture scenarios?  For instance, how would vArmour’s advanced Layer 7 policy capabilities work with a multi-cloud SD-WAN solution?

vArmour is an agentless, 100% software-only solution with no reliance on specific underlying hardware architecture (it is optimized for commodity x86). Our dynamic, stateful, Layer 7 policy controls can be deployed ubiquitously across the compute environment to create secure cloud enclaves comprising bare metal physical, virtual, and containerized workloads.  These enclaves can be joined together via SD-WAN, which handles the data-in-motion encryption and best path forwarding decisions between sites.  Most SD-WAN providers now offer virtualized versions of their edge gateways for public cloud deployments, meaning these enclaves aren’t limited only to end-user or leased data centers.  Organizations can now place workloads in whichever enclave makes the most sense for the business, while vArmour applies uniform application layer policy controls and SD-WAN ensures near LAN-like, encrypted connectivity.

Real-world ‘Remote Office Branch Office (ROBO)’ user scenario: Consider how we might integrate an SD-WAN solution with advanced application layer controls in a branch office deployment.  The beauty of these new stacks is in the power of APIs.  Consider the use case as illustrated in the diagram below.

  1. A remote office PC is either physically compromised or infected with malware and attempts to reach out to HQ data center resources.  This may be allowed by the SD-WAN solution, but since the vArmour solution has a tighter security policy, it redirects these abnormal connection attempts to our award-winning Deception solution.
  2. Since vArmour’s Deception is controlled by the vArmour Fabric, the Deception Point can simultaneously assume any IP addresses, public or RFC 1918 - used or unused - all based on the Layer 7 microsegmentation policy configuration.  To the remote machine, it looks like they’re connected to the real thing, and that the target size is unlimited.  While the attacker interacts with the Deception Point, we can monitor behavior and decide whether or not to quarantine the offending machine.
  3. vArmour quarantines the offending IP from being able to access anything in the data center and via an API call from an orchestration plugin, instructs the SD-WAN solution to do the same.  In the case of split tunneling on remote sites (i.e. where the SD-WAN also has responsibility as an internet gateway), this also results in that machine being blocked from accessing cloud services such as Salesforce, Box, Office 365, etc. or from exfiltrating anything it may have discovered locally.
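The three steps above as a small policy-engine simulation, added here as an illustration and not vArmour's or any SD-WAN vendor's code: flows that match the Layer 7 allow-list pass, anything else is steered to a decoy, and once a source has touched decoys enough times it is quarantined locally and the block is pushed to a hypothetical SD-WAN API client. All hosts, ports and application labels are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # source host IP (branch PC)
    dst: str      # destination IP in the HQ data center
    port: int
    app: str      # L7 application label assigned by inspection

class SdWanClient:
    """Hypothetical stand-in for an SD-WAN orchestration API (step 3).
    A real integration would call the vendor's REST API here."""
    def __init__(self):
        self.blocked = set()
    def block_host(self, ip):
        self.blocked.add(ip)   # blocks WAN and split-tunnel internet egress

class L7PolicyEngine:
    def __init__(self, allowed, sdwan, quarantine_after=3):
        self.allowed = allowed            # {(dst, port, app)} permitted from branch
        self.sdwan = sdwan
        self.quarantine_after = quarantine_after
        self.decoy_hits = {}              # src -> number of decoy interactions
        self.quarantined = set()

    def handle(self, flow):
        if flow.src in self.quarantined:
            return "DROP"                 # already quarantined: nothing reaches HQ
        if (flow.dst, flow.port, flow.app) in self.allowed:
            return "ALLOW"                # step 1: matches L7 policy
        # Off-policy attempt: steer to the deception point and observe (step 2)
        n = self.decoy_hits.get(flow.src, 0) + 1
        self.decoy_hits[flow.src] = n
        if n >= self.quarantine_after:
            self.quarantined.add(flow.src)
            self.sdwan.block_host(flow.src)   # step 3: propagate block via API
            return "QUARANTINE"
        return "DECEPTION"

def run_branch_scenario():
    """Constructed sequence: one legitimate CRM flow, then a lateral scan."""
    sdwan = SdWanClient()
    engine = L7PolicyEngine({("10.1.1.10", 443, "crm-web")}, sdwan)
    pc = "10.20.0.15"
    flows = [Flow(pc, "10.1.1.10", 443, "crm-web"), Flow(pc, "10.1.1.20", 22, "ssh"),
             Flow(pc, "10.1.1.21", 3306, "mysql"), Flow(pc, "10.1.1.22", 445, "smb"),
             Flow(pc, "10.1.1.10", 443, "crm-web")]
    return [engine.handle(f) for f in flows], sorted(sdwan.blocked)
```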

This use case illustrates the power of policy-based Deception technology, tied into microsegmentation and SD-WAN as a highly-effective end-to-end security solution that requires no agents on the endpoints, no complicated service chaining, etc.

SD-WAN is proving to be a highly-disruptive enabler of business, not unlike automated microsegmentation, dynamic application layer policy, and integrated deception technology.  When these non-overlapping but impactful technologies are woven together, the potential use cases are pretty amazing!

