00:08 Gartner predicts that by 2023 ninety-three percent of organizations will be doing some form of SD-WAN for the WAN edge, and the reasons for this disruption are obvious: save money by not being as reliant on private circuits, better application performance with intelligent monitoring and steering, and simplified management with orchestrators and zero-touch provisioning. But with all of these moving parts come old and new security concerns. I'm Andy with The CISO Perspective, and today we're gonna look at five considerations for securing SD-WAN.

00:35 First thing to realize is that not all SD-WAN is created equal. With the explosion of SD-WAN over the last few years, we're seeing more and more vendors incorporate SD-WAN as a feature into their existing product offering. That means that we have an influx of traditional networking, WAN optimization and security vendors who are now competing with the pure-play SD-WAN vendors. While this means more options, you also have an abundance of SD-WAN vendors to pick from with varying levels of proficiency. The security offerings from the various vendors can be grouped into three general categories: cloud-based, third-party integrators, or built-in security.

01:09 Cloud-based security means the SD-WAN device is not doing any local inspection and instead it offloads all the packets that require inspection to a cloud service. That means that for every packet that needs to be inspected, the SD-WAN device is forwarding it off to a cloud for security inspection. Third-party integration usually comes in the form of service chaining using VMs. Service chaining is SDN terminology to describe multiple virtual services working together within a physical box. In most cases SD-WAN would provide the networking service while the security vendor would provide the security services, all this happening on the same physical box using a hypervisor and an SDN controller. A built-in security offering means the security inspection is happening in the SD-WAN appliance itself. These are generally traditional security devices like a UTM or next-gen firewall that have SD-WAN as a feature. All three options have their pros and cons, but from a security perspective there's one option that should only be used as a last resort, and that leads us to the first item on our list.

02:06 Number one: offer on-premise security whenever possible. From a security perspective, on-premise security is always preferred over the cloud for a number of reasons. Not only does it provide additional services that a cloud-based solution doesn't offer, but it also lowers your bandwidth costs and increases performance at the edge. For cloud inspection to work properly, all branch internet traffic must be forwarded to the cloud through a GRE or an IPsec tunnel. That means that regular user traffic needs to be forwarded to the nearest cloud datacenter, inspected, and then forwarded off to the destination. That means that if you have an SD-WAN rule to route an application like Office 365 directly out to the internet without going through the cloud inspection first, it bypasses security altogether. In other words, everything needs to route through the security cloud. This removes almost all the benefit of implementing SD-WAN in the first place. It also means higher WAN usage, which leads to higher costs, particularly if you're using a 4G card as a backup link, which charges per megabyte.

03:03 On-prem security can be accomplished with an SD-WAN vendor that either provides security services natively on the box or through service chaining with a security VNF. Both options greatly increase the performance on traffic that requires security inspection while also lowering the cost by reducing the amount of traffic that is sent off through the WAN, not to mention the number of security services that cannot be performed in the cloud, like segmentation, access layer security, intra-branch security inspection (for example, scanning for malware on a file share at the branch), breach containment, quarantine, and even local authentication, which has a lot of caveats if you're behind the NAT, so look out for that and how that's being handled by the particular SD-WAN vendor. Ultimately, cloud security services should only be used when on-premise security is simply not an option. This seems to be the case with a lot of the more popular pure-play SD-WAN vendors who partner with cloud security vendors to provide that security.

03:55 Number two: application routing best practices. If you ultimately decide to offload security inspection to the cloud, this point becomes all the more important. In SD-WAN we create rules that specify where to route applications or groups of applications, so a question you'll have to ask yourself is what do I do with applications it may [...]. Before you get to that point, you have to first identify the applications that are actually in use. Next, identify which of these applications need to be backhauled to your cloud or data center; these will be called known corporate [...]. For applications that use a direct internet connection, let's call them known SaaS applications. For business continuity, it's critical that these applications always work at all times through redundant paths. The next group of applications can be a group called [...]; these can be applications that pose little to no security risk and are allowed out to the internet to provide business functionality. Now we want to group the applications that pose a security risk, and if you're choosing an SD-WAN product that does not have built-in security, this part may be non-existent, which is why you'll need to forward it off to a cloud security service for inspection. Again, non-ideal. SD-WAN products with built-in security will offer layer 7 identification of potentially risky applications. This category can include things like botnet activity, security evasion software, proxy avoidance, and many more. We'll also want to create an application group for applications that we know should never be used. For example, if your company is using an internal file share, we can block all other forms of file sharing like Dropbox and Google Drive. Ultimately, these unwanted categories should be blocked before ever leaving the site. If your SD-WAN does not support blocking, make sure it's being blackholed or sent off to the security device for more inspection.

05:38 Number three: look out for network leakage. MPLS, broadband, LTE, and IPsec tunnel overlays are just a few of the interfaces that SD-WAN has to manage. To simplify administration, SD-WAN vendors will usually group these interfaces into a single interface to remove the complexity of having to manage rules and policies for each WAN interface. In some cases this could lead to less desirable routes to and from protected zones. Let's use the following example: your MPLS link, broadband, and IPsec overlay are all part of your SD-WAN interface. You receive default gateways from your MPLS and broadband provider, which means users now have two routes to the data center, from either the MPLS or the broadband link. So you create a policy to allow internal users out to your SD-WAN interface, which includes these multiple individual interfaces, except internal users should never go out through the broadband link to your data center without routing through your IPsec tunnel overlay. So you create an SD-WAN rule that allows users to your data center through the IPsec tunnel in the event your MPLS link goes down.

06:38 Here's the part you have to be careful with: some vendors treat SD-WAN rules like firewall policies, with a generic catch-all at the bottom that routes everything it doesn't have a rule for, and rules are sometimes only active as long as their health checks or SLAs are being met. So in a scenario where your MPLS link is unavailable and your backup IPsec tunnel is underperforming, your SD-WAN rule won't take effect and you end up using the default catch-all, which goes to your routing table, and since we have default gateways through our broadband link, we end up with internal users going out through the public internet and leaking private IP information. There's many examples and scenarios we could review, but the takeaway is this: analyze your network requirements and make sure your vendor gives you the flexibility to make individual interface decisions. This can vary greatly by vendor, so make sure you understand the different scenarios in which routing can be influenced by an SD-WAN rule. When not used properly, the simplicity of SD-WAN can bring on unexpected security challenges that were not seen on traditional routers.

07:35 Number four: transport security. As companies move away from private circuits and utilize the unsecure public internet to transport data into private resources, strong encryption on your VPN tunnels becomes critical. This means making sure you have strong VPN encryption settings and have it tunneled back to your data center or cloud services. For starters, you need to make sure you're utilizing a VPN any time you're accessing private resources across a WAN. This means both private circuits and direct internet access like broadband or LTE cards. In a common scenario with one MPLS and one broadband connection, this means having at least one IPsec tunnel through each WAN port. If your data center has redundant WAN ports or paths, you'll also need redundant IPsec tunnels to each port, so you can see that even in this most basic setup we already have four IPsec tunnels. And if you have a backup LTE or 4G card, consider using an on-demand IPsec tunnel that will only come up when the other ports are down. This is gonna save you on mobile data charges.

08:30 Next, let's talk about VPN best practices. Always, always, always use a secure protocol like IPsec. If you have legacy requirements for GRE or L2TP, make sure they ride over that IPsec tunnel first. These older protocols do not encrypt the data in transport, so you should always ride over a secure tunnel like IPsec. This part is especially critical if you're using cloud security, which sometimes recommends using unsecure protocols for traffic forwarding like GRE or HTTP proxies. When using IPsec, consider the following best practices: use certificates over pre-shared keys, and if you need to use pre-shared keys, make sure that they're longer than 20 characters in length; use IKE version 2 whenever possible; avoid weak encryption methods like DES and Triple DES; avoid weak hashing algorithms like MD5 or SHA-1; and avoid Diffie-Hellman groups 1 and 2. Don't assume these basic requirements are a given on any modern SD-WAN vendor. Many of these vendors have actually simplified the deployment process to the point where basic IPsec changes are either impossible or difficult to do at scale.

09:32 Number five: CASB. Part of the appeal with SD-WAN is the ability for remote offices and branch locations to access their cloud applications directly without having to ride back on an expensive MPLS circuit to get there securely. From a business perspective, I may want branch locations to only ride that expensive MPLS circuit for services in my data center or cloud, but use a cheaper broadband for a direct internet connection for my SaaS applications. This creates a massive problem for security admins as more and more organizations use cloud applications like Salesforce and Office 365 to store sensitive data. So how can we secure and control access to our SaaS applications? One way is to use CASB in combination with our SD-WAN at the branch. CASB stands for cloud access security broker, and it enforces security and global policies for all of our cloud applications. This means that we can have much greater visibility and policy enforcement for these applications than we couldn't otherwise get with a traditional security appliance. With CASB you can now see and control, down to the file, how your data is being used. Some common use cases could be a user downloading sensitive data to an unsanctioned device or a user moving PII data on or off a cloud service. These are things that we would have been blind to without a CASB solution, but when working in conjunction with your SD-WAN appliance you can now do global enforcement of all of these policies. So if my organization is using Office 365, CASB gives me control of what they can and cannot do with that particular [...]. If my CASB has an integration with SD-WAN, I can now do things like quarantine that user who started to move files suspiciously, or cut that user off down at the access layer if we notice that malware is coming from the endpoint. As the digital transformation moves more and more services to servers that we cannot [...], CASB is becoming as crucial to our security plan as a firewall once was. In fact, Gartner predicts that by 2020, 60% of all large enterprises are going to be using CASB to govern cloud services.

11:27 Well, that does it for this video, you guys, and I hope you found it informative. You can now visit me at thecisoperspective.com for my blog entries, past video research, questions, and suggestions for future videos. You can also reach me at thecisoperspective@gmail.com. As always, please comment, hit like, subscribe to stay on top of our latest releases here at The CISO