Cisco Umbrella

SD-WAN SASE

 

 

SD-WAN SASE

Although more and more enterprises are moving workloads and applications to the cloud, we also need to consider the secure and fast connection to the Internet with minimal latency and packet loss to affect application performance. The following post discusses SD-WAN SASE and how to start your security SASE journey. In particular, we will examine the SASE Cisco approach to deploying a SASE network. To gain all the benefits of security SASE, you need a strategy, and the best way is to start with SD-WAN. And you can label this journey as SD-WAN SASE.

 

Before you proceed, you may find the following post helpful for pre-information:

  1. SASE Definition
  2. DNS Security Solutions
  3. Cisco Umbrella CASB

 



Security SASE

Key SD-WAN SASE Discussion Points:


  • Introduction to SD-WAN SASE and what is involved.

  • Highlighting the details of how to start a SASE network.

  • Critical points on integrating SD-WAN and SASE. Deploying SASE Cisco.

  • Technical details on the different ways you can connect SD-WAN to Cisco Umbrella.

  • Technical details on optimizing the connectivity from SD-WAN to Cisco Umbrella.

 

SASE Network

We have a common goal to achieve this. To move users closer to the cloud services they are accessing. However, traffic sent over the Internet is all best-effort and is often prone to bad actors’ attacks and unforeseen performance issues. Over 14,000 BGP incidents last year, so if BGP is unstable, cloud access over the Internet varies. There is no one approach to solve everything, but deploying SASE ( secure access service edge ) will give you a solid posture. Secure Access Service Edge deployment is not something you take out of a box and plug in.

It needs a careful strategy, and a recommendation would be to start with SD-WAN. Specifically, SD-WAN security creates an SD-WAN SASE design. SD-WAN is now mainstream, and cloud security integration is becoming critical, enabling enterprises to evolve to a cloud-based SASE architecture. The SASE Cisco version is called Cisco Umbrella.

 

Security SASE

As organizations have shifted how they connect their distributed workforce to distributed applications in any location, the convergence of networking and cloud security has never been more critical. And that is what security SASE is all about—bringing these two pillars together and enabling them from several cloud-based PoPs. In today’s constant attacks, designing, deploying, and managing end-to-end security for your network is essential. Zero Trust SASE lays the foundation to help customers adopt a cloud-delivered policy-based network security service model.

 

Security SASE

SD-WAN SASE

Then we have Cisco SD-WAN, a cornerstone of the SASE Solution. In particular, we have Cisco SD-WAN integration with Cisco Umbrella enables networks to securely access cloud workloads and SaaS applications with one-touch provisioning, deployment flexibility, and optimized performance. We have several flexible options to journey to the SASE Cisco with Cisco SD-WAN. Cisco has a good solution that can combine the Cisco SD-WAN and cloud-native security, which is Cisco Umbrella, into a single offering that delivers complete protection. We will get to how this integrates in just a moment.

However, to get to this integration point, you first need to understand your stage in your SASE journey. Everyone will be at different stages of the SASE journey, as everyone has unique networking and security requirements. For example, you may still be at the SD-WAN with on-premises security. Then others may be further down the SASE line with SD-WAN and Umbrella SIG integration or even partially at a complete SASE architecture. As a result, there will be a mixture of thick and thin branch site designs.

 

SASE Network: First steps 

A mix of SASE journey types will be expected, but you need a consistent, unique policy over this SASE deployment mix. Therefore, we must strive for a compatible network and security function anywhere for continuous service. As a second stage to consider, most are looking for multi-security services, not just a CASB or a Firewall. A large number of organizations are looking for multi-function cloud security services. And once you move to the cloud, you will increase efficiency and gain the benefits of multi-fiction cloud-delivered security services.

 

SASE Network

 

SASE Network: Combined all security functions

So the other initial step to SASE is to combine security services into a cloud-delivered service. Now we have all security functions delivered from one place, dispersed throughout the globe with PoPs. And this can be done with Cisco Umbrella. Cisco Umbrella is a multi-function security SASE solution. Cisco Umbrella integrates multiple services to manage protection to have all of this in one platform. Then you can have this deployed to what locations it is needed. Some sites only need the DNS-layer filtering; for others, you may need full CASB and SWGs.

 

SASE Network: Combine security with networking 

So, once we have combined all security functions, we need to bring networking into security, which requires a flexible approach to meet multi-cloud at scale. This is where we can introduce SD-WAN as a starting point of convergence. The benefits of SD-WAN are clear. Dynamic segmentation, application optimization, cloud networking, integrated analytics & assurance. So we are covering technology stacks and how the operations team consumes the virtual overlay features.

Cisco SD-WAN use cases that can help you transform your WAN edge with deeper cloud integration and rapid access to SASE Cisco. So you can have Cisco Umbrella cloud security available from the SD-WAN controller and vice versa. This is a good starting point.

 

 

Secure Access Service Edge

New connectivity structures

Let us rewind for a moment. The concept of Secure Access Service Edge is based on a few reasons. And several products can be put together to form a SASE offering. The main reason for SASE is the major shift in the IT landscape. We have different types of people connecting to the network, using our network to get to the cloud, or there can be direct cloud access. This has driven the requirements for a new security architecture to match these new connectivity structures. Nothing can be trusted, so you need to evolve your connectivity requirements. 

 

Shift Workflows to the cloud

There has been a shift of workloads moving to the cloud. Therefore there are better approaches than providing a data center backhaul to users requesting cloud applications. Backhauling to a central data center to access cloud applications is an actual waste of resources. And should only be used for applications that can’t be placed in the cloud. This will result in increased application latency and unpredictable user experience. The cloud is driving a significant network architect shift; you should take advantage of this.

 

SASE Network: New SASE design

Initially, we had a hub and spoke architecture with traditional appliances that have moved to a design where we deliver network and security capabilities. This puts the Internet at the center, creating a cloud edge around the globe where it makes sense for the users to access, not just to go to central data because it’s there. And this is the paradigm shift we are seeing with the new architecture of SASE. So users connect directly to this new cloud edge, the main headquarters joins the cloud edge, and also branch offices can connect via SD-WAN to the cloud edge.

So this new cloud edge contains all data and applications. And then, you can turn other security and network functions needed by each cloud edge PoP to a suite that branch site or remote user connecting.

 

SASE Cisco

 

Secure Access Service Edge Consideration

The need for DIA

Firstly, most customers want to leverage Direct Internet Access (DIA) circuits because they want the data center to be something other than the aggregation path for most of the traffic going to the cloud. Then we have complications or, say, requirements for some applications, for example, Office 365. In this case, there is a specific requirement from Microsoft. Such an application can not be subject to the proxy. Office365 demands DIA and should be provided with, for example, Azure ExpressRoute.

 

Identity Security

Then we have the considerations around identity and identity security. We have new endpoints and identities to consider. And we need to consider multiple contextual factors when determining the risk level of the identity requesting access. Now that the premier has shifted, how do I have complete visibility of the traffic flow and drive consistent identity-driven policy? And not just for the user but for the devices too. Also, segmentation. How do you extend your segmentation strategy to the cloud and open up new connectivity models? For segmentation, you want to isolate all your endpoints, and this may include IoT, CCTV, and other devices. 

 

Identity Security Technologies

Multi-Factor Authentication (MFA) can be used here, and we can combine multiple authentication factors to grant access. And this needs to be a continuous process. I’m also a big fan of Just in Time access. Here we grant access to only a particular segment for a specific time. Once that time is up, access is revoked. This certainly does reduce the risk of Malware spreading. You can isolate privileged sessions and use step-up authentication to access critical assets.

 

SASE Cisco
Diagram: SASE Cisco and Enhanced Identity Security.

 

Security SASE 

SASE Cisco takes the connectivity aspect, which is the network, along with the security aspect and converges these two as a service consumed by users. SASE is an alternative to the traditional on-premises approach to security. And instead of having separate silos for network and security, SASE unifies networking and security services and delivers edge-to-edge security. SASE is more of a journey to reach than an all-in-one box you can buy and turn on. We know SASE entails Zero Trust Network Access (ZTNA), SD-WAN, CASB, FWaaS, RBI, and SWG, to name a few. SASE effectivity wants to consolidate adequate security and threat protection through a single vendor with a global presence and peering relationships. 

 

SASE Cisco

SASE connectivity: SD-WAN SASE

Connectivity is where we need to connect users anywhere to applications everywhere. And this is where the capabilities of SD-WAN SASE come to play. SD-WAN brings advanced technologies such as application-aware routing, WAN optimization, per-segment topologies, and dynamic tunnels. Now we have SD-WAN that can handle the connectivity side of things. Then we need to move to control based on the security side of things. Control is needed for end-to-end threat visibility and security. So, even though the perimeter has shifted, you still need to follow the zero trust model outside of the traditional boundary. 

Multiple forms of security drive SASE that can bring this control; the main ones are secure web gateways, cloud-delivered firewalls, cloud access security brokers, DNS layer security, and remote browser isolation. So we need both of these central pillars of network and security to converge into a unified model. So it can be provided as a software-as-a-service model.

 

Building the SASE architecture 

To form this architecture, there can be several approaches. We can have a Virtual Machine (VM) for each of the above services, place it in the cloud, and then call this SASE. However, too many hops between network and security services in the VM design will introduce latency. As a result, we need to have a SASE approach that is born for the cloud. A bunch of VMs for each network and security service is not a scalable approach.

Therefore a better approach would be to have a microservices, multi-tenancy container architecture with a lot of flexibility to optimize and scale. So, consider the SASE architecture to be a cloud-native architecture. A multitenant cloud-native approach to WAN infrastructure enables SASE to service any edge endpoint, including the mobile workforce, without sacrificing performance or security. It also means the complexities of upgrades, patches, and maintenance are handled by the SASE vendor and abstracted away from the enterprise.

 

  • A key point: Cisco Umbrella

Cisco Umbrella is built on a cloud-native microservices architecture. Umbrella is not alone in providing SASE, and it needs to be integrated with other Cisco products from Cisco to provide the SASE architecture. Let’s start with Cisco SD-WAN.

 

Cisco SD-WAN creating SD-WAN SASE

SD-WAN grew in popularity as a more agile and cloud-friendly approach to WAN connectivity. With large workloads shifting to the cloud, SD-WAN gave enterprises a more reliable alternative to Internet-based VPN and a more agile, affordable alternative to MPLS for several use cases. By abstracting away underlying network transports and enabling a software-defined approach to the WAN, SD-WAN helped enterprises improve network performance and address challenges such as the high costs of MPLS bandwidth and the trombone-routing problem. 

SD-WAN is essential for SASE success and is a crucial building block for SASE. SASE Cannot Deliver Ubiquitous Security without the Safeguards SD-WAN Provides, Including:

  • Enabling Network Address Translation (NAT)
  • Segmenting the network into multiple subnetworks
  • Firewalling unwanted incoming and VLAN-to-VLAN traffic
  • Securing site-to-site/in-tunnel VPN

So, SD-WAN can ride on top of any transport, whether you have an MPLS or internet breakout, and onboard any users and consumption model. And this is a good starting point for SASE. Here we can use SD-WAN embedded security as a starting point for SASE.  

 

SD-WAN SASE
Diagram: SD-WAN SASE – Connecting to Cisco Umbrella

 

SD-WAN Security Stack: SD-WAN SASE

The SD-WAN security stack is a complete stack consistent on-premises and in the cloud. SD-WAN supports the enterprise firewall that is layer 7 aware, intrusion prevention system built on SNORT, URL filtering, advanced malware protection, and SSL proxy. A container architecture enables everything except for the enterprise firewall; there are automated security templates for this. So based on the intent, the SD-WAN component of vManage will push the config to the WAN edge so that the security services can be turned on.

And all of this can be done with automated templates from the SD-WAN controller. It is essentially configuring the Cisco Umbrella from Cisco SD-WAN. What I find helpful about this is the excellent integration between vManage—essentially, streamlining security. There are automated templates in vManage that you can leverage for this functionality in Cisco Umbrella.

 

Cisco Umbrella: Enabling Security SASE

The next level of the SASE journey would be with Cisco Umbrella. So we still have the SD-WAN network and security capabilities enabled. So there is an SD-WAN fabric that provides a secure connection to connect to Cisco Umbrella, gaining all the benefits of the SD-WAN connecting model, such as auto tunnel and intelligent traffic steering. Now, this can be mixed with the capabilities of cloud security from Cisco Umbrella. Now with these two products combined, we are beginning to fill out our defense in the depth layer of security functions. It will also be multiple security features that work together to strengthen your security posture.

 

The first layer of defense

I always consider the DNS layer security as the first layer. Every transaction needs a DNS request, so it’s an excellent place to start your security. And if the customer needs an additional measure of defense that can introduce the other security functions that the Cisco Umbrella offers. So you turn on and off security functions based on containers as you see fit.

 

SD-WAN SASE: Connecting the SASE Network 

For SD-WAN to connect to Cisco Umbrella, we use a secure IPsec tunnel. An IPsec tunnel is set up to the Cisco Umbrella by pushing the SIG feature template. Therefore there is no need to establish a tunnel for each WAN edge at the branch. So, the IPsec tunnels at the branch are auto-created to the Cisco Umbrella headend. This does provide deep integration and automation capabilities between Cisco SD-WAN and Cisco Umbrella. So you don’t need to design this; this is done for you.

 

IPsec Tunnel Capabilities

What type of IPsec capabilities do you have? Remember that each single IPsec tunnel can support 250 Mbps and burst higher if needed. In the case of larger deployments, multiple tunnels can be deployed to support higher capacity. So active-active tunnels can be created for more capacity. There is also an excellent high available with this design. You have an IPsec tunnel established to primary Cisco Umbrella PoP. If this Cisco Umbrella goes down, all the services can be mapped to a secondary Umbrella data center in the same or a different region if needed. It is doubtful that two SASE PoPs will go down in the same regions.

So the failure to secondary SASE PoP or DR site is handled by hybrid Anycast. You don’t need to design this; it is done automatically for you. So with this design, Cisco has what is known as a unified deployment template called the “Secure Internet Gateway Template.” 

 

Cisco Umbrella
Diagram: Cisco Umbrella connectivity.

 

Active-active tunnels

The Cisco SD-WAN vManage, auto-template allows up to 4 active tunnels, operating at 250 Mpbs each from a single device. The Cisco SD-WAN can then ECMP load-balance traffic on each of the tunnels. Eight tunnels can be supported in total, but only four can be active. These tunnels are established from a single Public IP address using NAT-T, and NAT-T opens up various design options for you. Now you can have active-active tunnels, weighted load balancing, and flexible traffic engineering. All with a unique template.

So we know that each tunnel support 250 Mbps. For increased throughput capabilities, we now have support for 4 tunnels with ECMP. These 4 tunnels can give you 1Gbps from the branch to the Cisco Umbrella headend. So as a network admin, you can pass 1Gpbs of traffic to the Umbrella SIG to maintain performance. 

 

IPsec Tunnel configuration 

For the weighted load balancing, we can have, let’s say 2 tunnels to the Cisco Umbrella with the same weight. These are two DIA circuits with the same bandwidth. So when the weight is confirmed the same for the different ISP, the traffic will be equally load balanced. Cisco uses per-flow load balancing and not per-packet load balancing. So the Cisco load balancing is done by flow pinning, where a flow is dictated by hashing the 4 Tuple. 

So, for example, there will be a static route pairing to both tunnels, and the metric will be the same; you can also have an unequal-cost multi-path use case. You may have small branch sites with dual DIA circuits with different bandwidths and entitlements. To optimize the WAN, you can have traffic steered at 80:20 over the DIA circuits. If you had a static route statement, you could see that there would be different metrics. 

 

Policy-Based Routing to Cisco Umbrella

You can also have policy-based routing to Cisco Umbrella. This allows you to configure flexible traffic engineering. Let’s say you want only specific application traffic from your branch to Umbrella. So at one branch site, you should send Office 365 or GitHub traffic to Cisco Umbrella, then at Branch 2, you should send all traffic. This would include all cloud and internet-bound traffic. So we can adopt the use case for each design requirement. 

Policy-based routing to the Cisco Umbrella allows you to select which applications are sent to the Umbrella, limiting what types of traffic are routed to Umbrella in accordion with their presence; here, we are leveraging Deep Packet Inspection (DPI) for application classification within data policy. All of this is based on a data policy that is app aware. 

 

Layer 7 Health check 

You will also want to monitor the IPsec tunnel health in the event of brownouts. This could be from an underlay transport issue. And dynamically influence traffic forwarding based on high-performing tunnels. Here Cisco has an L7 tracker with a custom SLA that can be used to monitor the tunnel health. The L7 tracker sends an HTTPing request to the Umbrella service API ( service.sig.umbrella.com) to measure RTT latency and then compares this to the user’s configured SLA. If tunnels do not meet the required SLA, they are marked down based on the tracker status. The traffic will then go through the available tunnels.  

 

 

Matt Conran
Latest posts by Matt Conran (see all)

Comments are closed.