Securing SD Infrastructure

SD-WAN
Transformational approach to simplify branch office connectivity
Secure local workloads in remote offices

In the data center, Software Defined Networking (SDN) has enabled integration with automated systems, allowing enterprises to build virtual networks, provide L4 micro-segmentation, and integrate service chaining. This functionality has demonstrated SDN's value and brings networking a step closer to the automated world enjoyed by data center virtualization professionals. SDN applies not only to the data center but also to enterprise wide area networks (WANs). Stitching together remote offices via a provider's MPLS network is highly functional -- with L2 or L3 connectivity options, traffic separation between customers, and guaranteed quality of service -- but also expensive. (Note that MPLS separation is logical isolation, not encryption; traffic on the provider's network is not confidential unless the enterprise encrypts it.) Broadband options lack the rich functionality of a provider's MPLS cloud, but they grant much more bandwidth for the money spent.

Software-Defined Wide Area Network (SD-WAN) has its roots in SDN. It allows organizations to deliver services more efficiently across multiple transports such as MPLS, LTE, or broadband (transport independence) by abstracting network hardware and transport characteristics from the applications that use the network. SD-WAN moves more of the network control into the “cloud,” using a software approach that lets organizations pick the appropriate access pipe for each application (e.g. MPLS for applications hosted in the corporate data center and broadband for Office 365) and take advantage of additional bandwidth capacity intelligently. This technology is growing in popularity because it makes delivery of business applications more cost effective and improves branch-IT efficiency through automation.

This technology allows organizations to deliver a high-bandwidth, LAN-like experience over a wide area network, facilitates local workload placement in branch offices, and improves application response for latency-sensitive applications. In addition, SD-WAN lets users reach cloud services such as Office 365, Salesforce, and Gmail directly from the branch, without backhauling traffic to the data center over the private WAN only to send it out to the internet toward the provider's cloud. Clearly, this is very cost effective and in many cases provides a better end-user experience. But it also raises a security challenge. With direct internet breakout at the branch, users and local workloads are more exposed to unauthorized access, and a compromise in a branch can spread over the WAN to the main data center(s), where many more workloads are at risk. These users and local workloads in the branch office need to be secured and ideally be part of the same policy construct as the headquarters workloads in the data center.


The vArmour Solution

vArmour is an agentless, software-only distributed security platform with a scale-out architecture. It offers complete L7 application-aware visibility, segmentation, micro-segmentation, and security policy modeling. vArmour’s approach to securing workloads and critical services is to wrap protection around them with zero-trust policies. This means that, by default, all communications to and from the asset are blocked except for allowed applications and transactions over a defined path. vArmour’s security fabric can stretch across the WAN and protect workloads not only in the data center but also in local branch offices, via security controls that are part of the same overall construct driving access policies. One fabric, one policy, offering complete protection across the network.

Figure: Global policy with local enforcement
Extend compute footprint securely across WAN

Data center consolidation, compute virtualization, and cloud technologies have greatly simplified organizations’ networks. While this has allowed many remote sites and branch offices to become serverless, there are many instances where a local compute resource is desirable and often necessary. Examples include transaction processing systems (workload processing and credit card data); a branch office VDI server (for session management, compression, and file caching) that provides an enhanced user experience; and a local DNS server that maintains connectivity when the WAN link is down. Local compute greatly improves the user experience, but it also means the local asset needs to be micro-segmented and made part of the overall security profile. vArmour DSS can segment local workloads and make them part of an existing security policy, or create a new one aligned to local needs and the corporate security posture. For example, a local DNS server can be segmented off as an individual workload and receive the same policy that governs the internal DNS server in the data center, and a transaction processing system holding credit card data can be segmented and made part of the same segment as its data center counterpart, with the controls necessary for PCI DSS compliance.

Global policy, local enforcement

vArmour’s dynamic, stateful, Layer 7 policy controls can be deployed ubiquitously across the compute environment to create secure cloud enclaves comprising bare metal physical, virtual, and containerized workloads. These enclaves can be joined together via SD-WAN, which handles the data-in-motion encryption and best path forwarding decisions between sites. Most SD-WAN providers now offer virtualized versions of their edge gateways for public cloud deployments, meaning these enclaves aren’t limited only to customer owned or leased data centers. Organizations can now place workloads in whichever enclave makes the most sense for the business, while vArmour applies uniform application layer policy controls and SD-WAN ensures near LAN-like, encrypted connectivity.
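The policy construct described in this section and in the earlier "vArmour Solution" and "Extend compute footprint" sections (a single default-deny, application-aware policy keyed to workload identity rather than location, enforced at whichever site the workload lives in) can be illustrated with a small model. The code below is an added example written for this page; it is not vArmour's own code or API. The workload labels, rule set, site names, and sample flows are all constructed for illustration, and "application" is assumed to be supplied by an L7 classifier rather than inferred from the port.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    site: str               # where it runs; the policy never looks at this
    labels: FrozenSet[str]  # identity the policy keys on, e.g. "role:dns"


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    proto: str   # "tcp" or "udp"
    port: int
    app: str     # L7 application as classified by inspection, not by port


@dataclass(frozen=True)
class Rule:
    src_label: str
    dst_label: str
    proto: str
    port: int
    app: str

    def matches(self, f: Flow) -> bool:
        # Both endpoints must carry the right label AND the transport and
        # L7 application must match: a defined path, not just an open port.
        return (self.src_label in f.src.labels
                and self.dst_label in f.dst.labels
                and (self.proto, self.port, self.app) == (f.proto, f.port, f.app))


class GlobalPolicy:
    """Allow-list policy: anything not matched by a rule is denied."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, f: Flow) -> str:
        return "allow" if any(r.matches(f) for r in self.rules) else "deny"


def describe(f: Flow) -> str:
    return f"{f.src.name}->{f.dst.name} {f.proto}/{f.port} {f.app}"


def enforce_at(site: str, policy: GlobalPolicy,
               flows: Iterable[Flow]) -> List[Tuple[str, str]]:
    """A site-local enforcement point: it sees only flows that touch a
    workload at its own site, but evaluates them against the one global
    policy, so a branch DNS server gets exactly the data center DNS rules."""
    return [(describe(f), policy.decide(f))
            for f in flows if site in (f.src.site, f.dst.site)]


# Hypothetical global policy: the same rules govern DNS and PCI traffic
# wherever the workloads are hosted.
POLICY = GlobalPolicy([
    Rule("role:user", "role:dns", "udp", 53, "dns"),      # clients query DNS
    Rule("role:dns", "role:dns", "tcp", 53, "dns"),       # branch DNS forwards to DC DNS
    Rule("role:pos", "role:payment", "tcp", 443, "tls"),  # POS -> payment gateway
])

# Constructed sample inventory: identical labels in the DC and the branch.
DC_DNS = Workload("dns-dc1", "dc1", frozenset({"role:dns"}))
BR_DNS = Workload("dns-br42", "branch-42", frozenset({"role:dns"}))
BR_USER = Workload("laptop-br42", "branch-42", frozenset({"role:user"}))
BR_POS = Workload("pos-br42", "branch-42", frozenset({"role:pos", "scope:pci"}))
PAY_GW = Workload("paygw-dc1", "dc1", frozenset({"role:payment", "scope:pci"}))

# Constructed sample flows as a branch enforcement point might see them.
FLOWS = [
    Flow(BR_USER, BR_DNS, "udp", 53, "dns"),   # client -> local DNS: allow
    Flow(BR_DNS, DC_DNS, "tcp", 53, "dns"),    # local DNS -> DC DNS: allow
    Flow(BR_USER, BR_DNS, "tcp", 22, "ssh"),   # SSH into the DNS box: deny
    Flow(BR_USER, BR_DNS, "udp", 53, "ssh"),   # SSH tunnelled over udp/53: deny
    Flow(BR_POS, PAY_GW, "tcp", 443, "tls"),   # POS -> payment gateway: allow
    Flow(BR_USER, BR_POS, "tcp", 443, "tls"),  # laptop -> POS: deny (outside PCI path)
]


if __name__ == "__main__":
    for desc, verdict in enforce_at("branch-42", POLICY, FLOWS):
        print(f"{desc:40} {verdict}")
```

The fourth sample flow is the case a port-based ACL would miss: udp/53 is open to the DNS server, but the payload is not DNS, so an application-aware rule denies it. The `site` field exists only so each enforcement point can select its local flows; it plays no part in the allow/deny decision, which is what makes the policy portable between the data center and the branch.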

Regulatory compliance for local assets in remote sites

Quite often customers need to host workloads in remote sites such as retail locations, hospital labs, and bank branches. This is motivated by application response times, user experience, and business continuity in case of WAN failure. Some of the locally placed workloads may fall under a regulatory framework and be subject to audits, so customers need the same data separation policies at the local site as they have in the data center. A common example is a point-of-sale system at a retail store that must process the transaction and store credit card data; both of these functions are in scope for PCI DSS. vArmour’s security fabric allows customers to apply a consistent security policy regardless of workload residency, whether in the data center or at a remote site.


Benefits
  • Secure local workloads in remote sites by extending data center policies over WAN
  • Extend security fabric across WAN while maintaining a consistent security policy construct
  • Maintain compliance for local assets using micro-segmentation and existing data center policies