Zscaler Cloud Security with Viptela SD-WAN Best Practices
Gartner estimates that by the end of 2019, 30% of enterprises will use SD-WAN technology in all their branches, up from less than 1% today. This is because SD-WAN is a transformational approach to simplifying branch office networking and optimizing performance. However, security is a critical factor for SD-WAN adoption, especially for cloud and Internet applications.
With Zscaler and Viptela you can now secure all internet traffic without having to backhaul it to centralized DMZs. Customers have seen more than 50% WAN cost-savings while keeping their branch offices and employees protected.
Join Ramesh Prabagaran, VP of Product Management & Partnerships, Viptela, Inc., and Steve House, VP of Product Management, Zscaler, Inc., for a compelling webcast discussing a best-practices approach to securing your distributed enterprise by leveraging cloud security and SD-WAN.
This webinar will cover:
- Common use-case scenarios from Viptela and Zscaler for their widely adopted solution
- Best practices for improving your security posture with cloud security
- How to rapidly deploy a 100% cloud-based, easy-to-manage secure SD-WAN
Don’t miss this compelling webcast. See today!
Source – http://blogs.gartner.com/andrew-lerner/2015/12/15/predicting-sd-wan-adoption/
Ramesh Prabagaran has a track record of bringing disruptive and innovative networking products to market focused on carriers and enterprises. Most recently at Juniper Networks, he was a senior product line manager establishing the product vision for enterprise and datacenter routing products, and WAN-focused solutions for Fortune 100 companies.
Steven leads the Zscaler Product Management team driving strategy, product and execution. He helps Zscaler transition to the next level as the organization navigates rapid growth in an important and fast-growing market.
Sajad: All right, let’s get started. Good morning, good afternoon, based on the part of the world you’re watching this webcast from. My name is [Sajad] and I’ll be your host for today’s webcast. A very warm welcome to everybody participating in today’s live webcast on cloud security for SD-WAN, best practices for branch office transformation. Before we get started, let’s cover some logistics. We love your questions, comments, suggestions and feedback. Please type your questions in the chatbox and we’ll compile them and address them during the end of the session.
If you face any technical difficulties, like the slides are not advancing, please write to us at email@example.com. I repeat, it’s firstname.lastname@example.org. Finally, I encourage everyone to participate in a short survey at the end of the session, just to let us know how we did. We take these suggestions very seriously to improve the production of these webinars and webcasts for you. Let’s move on. I’m very excited to introduce our keynote speakers for today’s webcast.
Ramesh Prabagaran. Ramesh is vice president of product management at Viptela. He plays a critical role in the network architecture for global enterprises and tier-one service providers. Ramesh brings over two decades of experience to this webinar to talk about the latest trends in the networking industry, and why SD-WAN is a transformational approach to simplifying branch office networking and optimizing performance.
Our second guest speaker for today’s webcast is Steve House, vice president of product management at Zscaler. Steve is a product management leader with over 20 years of experience in the networking and security industries. At Zscaler, Steve is responsible for driving product strategy and execution. In this webcast, Steve will share best practices for securing your distributed enterprise by leveraging cloud security and SD-WAN. In fact, Steve and Ramesh will also share a joint case study of their widely adopted solution at the end, so stay tuned. With that, it’s my pleasure to hand it over to Ramesh. Ramesh, over to you.
Ramesh: Thank you, Sajad, and a warm welcome to everybody, wherever you are on this globe. It’s really exciting to see the networking industry go through this transformation. One particular area of focus here is the wide area. Now, many of you are wondering what SD-WAN is and why it is important. I cannot articulate this any better than with an example that one of our customers actually went through. The CIO of a pretty large bank, this was last year, summer 2015: a line of business reached out to the CIO and said, “I have a brilliant idea to bring hundreds of millions of additional revenue. All you have to do is roll out high-definition video to your branches.”
The CIO thought, “Okay, that should not be so difficult. I’m able to stream high-def video to my home on a $50 circuit, so this should be possible,” and he was pretty excited. Then, he went down the path of researching how to operationalize something like this. Very quickly, he found that the T1 lines that he is using at each one of these branches, skinny pipes, cannot support high-def video, and so he started to look at bandwidth augmentation options. Either increase the current bandwidth on the MPLS circuits, which comes at a cost, or completely transform the underlying network infrastructure and start to augment his private-line connectivity with public infrastructure like broadband internet.
Interestingly, going through that transformation is when the customer embarked on the Office 365 journey, and very quickly also realized that the network in the middle needs to be transformed to provide optimal user experience and security for SaaS applications. In a nutshell, that’s really what SD-WAN is driving towards. There are lots of bells and whistles, and lots of other use cases around it, but the transformation is around how do I architect my wide area so that I can ride the cloud strategy, and at the same time get plenty of bandwidth for really low cost.
It’s no surprise to us that some of the industry analysts here have endorsed this and have said, as you can see in the first quote, that about 30% of enterprises will have this in 2019. In the second one, it’s going to be a multi-billion-dollar business. Now, before we get into the details of what SD-WAN is, what we are trying to solve and how we are trying to solve it, I’m sure many of you are also wondering who Viptela is. Steve, to the next slide.
At a high level, we’re a 4-year-old company in the SD-WAN space, with lots of customer deployments. Twenty-five of the Fortune 500 customers have used the technology that we have built to radically transform their wide area network and realize a cloud-first, bandwidth-first, flexibility-first, agility-first type of infrastructure. We are in over six continents. An interesting data point I’d like to provide is that about 15,000 of these devices and endpoints are in production networks. For a technology that’s really nascent, that’s really only, I would say, about 2, 2-1/2 years since wide adoption, this is a really, really interesting data point, because there are customers who are betting their wide area on a transformational technology like this, and this runs the gamut from retail to healthcare to financial to many other industry verticals as well.
We are also heavily backed by venture capitalists, so we have roughly 110 million in venture capital. The number itself is less significant. The percentage that relates to overall funding that’s gone into this industry, we have roughly about 55% of that funding. Now, let’s start to talk a little bit about SD-WAN in the next slide, and what problems it is really trying to solve. Going back to the example I provided, the need to augment bandwidth going from private line to a combination of private and public infrastructure, there are multiple things that need to be considered and also that get in the way.
The first thing is really around complex operations. If you look at how the networking industry has typically evolved, it’s mainly, “I have a branch. I have one or two MPLS circuits that I provide to that branch and the provider in the middle kind of takes care of all the connectivity.” In this brave new world of software-defined everything, there is an interesting dynamic between the provider and the enterprise around who has control and who needs to be able to make these decisions. Ultimately, it’s going to be the provider that’s providing a managed service to enable all of that.
Operations become an interesting topic of conversation. Also, as you start to move from purely private infrastructures to a combination of private and public, security is absolutely, absolutely a concern. The reason for that is: think of a large retailer, for example, that has thousands of sites. The minute you move from all private to private and public, you have multiple points in the network that are exposed. Typically, that’s not good for anything that’s transactional traffic, anything that’s considered sensitive, critical traffic and so forth.
Security absolutely needs to be thought about, and that’s really the topic of today’s conversation here. As the industry is going through this transformation to a hybrid model, where you have private MPLS, public internet, it could be cable, DSL and 4G LTE and so forth, how do I bring security into the mix? How do I consume these security aspects of it, as well? That’s why when we started to talk to enterprise customers about this transformation, one of the things that absolutely keeps coming up multiple times and multiple customers have actually deployed this as well now is around cloud security.
How do I shut all the holes that I have in my network, have just a few points into the Zscaler infrastructure, and then exit out to the internet or content or SaaS-based applications as well? It really brings everything together and completes the SD-WAN story as well.
Another interesting thing that multiple customers have always been looking for, but have never gotten out of their wide area, is application awareness. You would like to know how much of your traffic is going towards your critical applications like ERP, CRM and so forth, and how much of that traffic is really going towards cat videos on YouTube. Typically, policies are put at the kitchen level without really considering the impact that it has on the network.
QoS has been the tool of choice to provide this level of application control and also policy control as well. In this brave new world of software-defined everything, customers are looking for finer control so that they can exactly pinpoint: this is the application that I need to protect, these are the applications that I don’t need to care about. Many of the challenges that you see today are around operations, around scale, around security, around application awareness, and then finally around cloud as well. I touched on the topic of cloud in a good amount of detail. Let me start to talk about how this problem can be addressed architecturally first, in the next slide.
If you really look at the solution, and I would highly encourage you to do your research on SD-WAN and what it can bring to the table, but to us, as we started to develop the solution on a clean piece of paper, here were some of the things that we considered. First, at the root of it, what you need is a completely transport-independent fabric. What I mean by that is it’s not enough to have a site that’s dual connected, one to MPLS and one to broadband, but I could have sites that are only on broadband. I could have sites that are only on MPLS. I could have sites that are hanging off of just an LTE connection.
How do I make sure that all these sites talk to each other securely? At the same time, how do I make sure that when they have to go from those sites to the internet and so forth, all of these things can be consumed in a really simple way. That’s really what brings us to the delivery platform, which is a combination of things that you’re traditionally used to with respect to routing, security and so forth, QoS, multicast, and at the same time, bringing important elements of security into the mix.
Security comes in multiple different forms and shapes. We’ll talk a lot about cloud-based security with Zscaler, securing the perimeter as well, in your enterprise. Another element of security here is really around segmentation. How do I segment my network? Today, data centers are typically segmented through VLANs. I have different lines of business, I have different applications that are on different security groups and so forth, but typically the wide area and the branches are not as well segmented. There’s an enormous amount of interest in creating the segmentation end to end so that I can delineate different types of lines of business, brands and so forth. At the same time, I can keep the attack vectors pretty small as well.
So, those are some of the things that really come into the picture as we start to talk about SD-WAN in the context of security in particular. There are a few elements around cloud as well, especially as you start to access infrastructure as a service and SaaS applications: how do I bring all these things together? We’ll talk a little bit about that in subsequent slides, as well. All of these things have to be consumed using a single pane of glass. In this, again, brave new world of software-defined everything, it is about access to information. It is about one-click provisioning. It is about how do I do things in the most simple way without having to send skilled field technicians out on site to fix problems, to connect to that in a centralized way and so forth.
That’s really what the underlying guts of the solution that we provide are. Now, moving on to the next slide, we can talk a little bit about the components that compose the solution. We talked about the philosophy a little bit. We’ve talked about the various things that need to go into the platform. What really needs to be built and delivered now? Fundamentally, there are two components to the Viptela solution. One is what we call the VH router. These are, think of them as physical or virtual appliances that sit at the edge of the network.
The edge here would be your branch, your data center, your campus, and you can actually extend this into infrastructure as a service, AWS [unintelligible 00:13:58] and so forth as well. All of the connectivity between the sites is purely between themselves, so if you have a user in the branch trying to access information inside my data center, the traffic flows freely between those two. The network-wide intelligence, the network-wide connectivity policy and visibility, all of that is provided by this centralized controller and management infrastructure. We call it the Viptela cloud.
Really, it’s these two elements that you can use to build a large-scale infrastructure. There are multiple customers; there’s the very large retailer with about 1,400 sites that has radically transformed the network already using this type of an infrastructure. They just have a few of these controllers at strategic locations. One in APAC, one in the ME and a couple of them in the US, and they are able to control their wide area infrastructure with a global footprint using that.
A large bank, roughly about 3,000 sites, has done exactly the same thing. Brought in multiple transports, MPLS and broadband and 4G LTE into the mix and they’re able to get all of the application visibility and infrastructure as well using that. Now, let’s talk a little bit about cloud. That’s an important topic of conversation for multiple customers in the next slide. If you look at cloud in particular, there are two elements, and this is not new news. This is how the evolution has happened. One is infrastructure as a service that you see around applications that are built in AWS and Azure and so forth.
How do I access this? How do I make the cloud part of my wide area? That’s one topic of conversation. Traditionally, this has been a challenge for many enterprises. What we have done is we have instantiated an instance of our VH, essentially, inside the public cloud so that you can actually just extend the secure overlay fabric all the way up to the cloud itself. That helps with applications that are homegrown, applications that you have built yourself, as well.
Now comes the question of SaaS, especially applications like Office 365 and Salesforce.com and so forth. How do I access these applications? I have a few things to worry about here. Do I need to aggregate them at my DMZ and then exit out to access the application? If the distances between those two are pretty large, then I do have a suboptimal user experience to worry about. Or, do I regionally aggregate and then exit out to the internet, or do I have to go by what the O365 guys are saying, which is, “Hey, just exit out directly at the branch and access the cloud.”
The answer really depends on where you are in the globe and how quickly can you access and what the latencies are and so forth, but there is a fundamental element of security that needs to be brought forth. That’s a perfect segue into the next few slides. Over to you, Steve.
Steve: Thank you, Ramesh. That was an excellent segue into talking about Zscaler, which provides a cloud security platform. Before we go into the details, I thought I’d give a quick introduction to who Zscaler is and tell you a little bit about us. On the technology side, we have been around for a number of years and have over 80 patents filed. A good chunk of those have been granted already. We have a worldwide footprint with over 100 data centers now blocking over 105 million threats every single day, and we are completing over 25 billion transactions through us every single working day.
That shows the scale that we have been able to achieve by being the gateway to the internet for over 5,000 customers, including a significant portion of the Fortune 500. We have over 15 million users coming through our service every day, coming from over 185 countries around the world. We’ve been recognized by Gartner and Forrester as leaders in providing secure Internet access, and we have a network of global partners that can help deliver our service and service our customers. From a financial standpoint, we have a very strong track record of having over a 100% renewal rate. What that means is when a contract comes up for renewal, customers not only re-buy the service, they typically add more users or add more services onto their existing subscription.
That goes to show that our customers like our service and are loyal to us. From a funding standpoint, last year we took a round from Google Capital and TPG to really solidify us and bring us into our next phase of growth here at Zscaler. When the name Zscaler came about, it originally stood for Zenith of Scalability. The entire concept was: for us to be successful, we have to be able to scale to the breadth of the largest companies in the world. The vision is that there’ll be a billion connected devices. All of those need security. We need to build a system that can take every one of those onto us.
Over the last few years, we’ve really proven that to be the case. We measure scalability across a number of different axes. The first one we’ll talk about here is countries. I mentioned 185 countries. Our largest customer in terms of location is British American Tobacco, with 185 different countries that they do business in. The second axis is pure location. There, the Mormon church has over 30,000 meeting houses directing their traffic to us, and Edward Jones, GameStop, very large organizations in financial services, retail, human resources, healthcare, etc. with lots and lots of sites around the world.
The last axis is around number of users. We scale to some of the largest enterprises in the world, like General Electric, Barclays, Procter & Gamble, Siemens, Nestlé, Shell, Exxon. The list goes on and on. A couple at the top I’ll point out: one is the National Health Service, which has over 1.6 million employees. It’s about the fifth largest employer in the world. All of the hospitals, clinics, etc. in all of the United Kingdom. MCNC is the education network in North Carolina, with predominantly students, over 1.3 million students. In fact, MCNC pumps over 45 gigabytes per second through us on a school day.
Right now, it’s still the end of the summer, but that will be ramping back up. That is a significant amount of traffic going into our cloud, so when people ask us, “Oh, I’ve got 5 Gb per second and 100,000 users, can you handle us?” It’s like we won’t even feel that. We have built this cloud to scale in a massive way.
I mentioned the analysts just to show a little bit. We have now, for six years in a row, been in a leaders’ quadrant of Gartner. If you go back about three years ago, there were five dots in the leaders’ quadrant. Three of them have moved out into the challengers and there’s down to two that are left. We are seen as the most visionary, if you measure that by the distance to the right and that’s because the world, including Gartner, believes that the future is delivering security at the cloud service, and that’s why they put us at the top of the visionary list.
Then Forrester, they’ve done a wave not just on secure web gateway and all the functions there are, but specific to delivering security as a service. When you look at it that way, Zscaler is far and away the highest and the most right, as well as the largest dot in terms of market presence. While some of those vendors in the Gartner magic quadrant might do more revenue than Zscaler, no one does nearly as much revenue, customers, traffic, any metric you want to use, through a cloud security service as Zscaler. We are far and away the leader in cloud-delivered security.
Now, I’ll shift gears into why that’s really important. You heard a lot about what Ramesh talked about earlier in terms of transforming the network into this world of cloud. That really does open up a new set of challenges around new attack vectors, potentially around appliance sprawl, if you have to get appliances out to directly connected branches because you need to add security there, and how do you ease adoption of these cloud-based applications to both improve productivity and speed to revenue and provide a better user experience.
When you think through those challenges, you have to take into account what you should be doing with security. If you look at the typical way that a large enterprise would build an internet egress point security system, there is a number of different appliances that your traffic might flow through. Everything from a secure web gateway to a sandbox to a DLP system, an SSL inspection device, a next-generation firewall, load balancers, etc.
This is a real drawing from a customer, a Fortune 100 bank, and they counted 28 hops going out and then back into their network through their internet egress point. This by itself was very complex, costly, hard to manage, and each one of those devices added a little bit of latency. If there was any problem, let’s say one of the devices got overloaded, one of them had a bug, one of them turned on a feature that brought down the throughput, you had to spend a lot of time troubleshooting that and trying to figure out what might be wrong, where do I need to buy more appliances? Every time you turned on a new SaaS application, you now have more traffic going through this gateway and you have the potential to have to upgrade one or more of these stacks.
When you think about this move to the cloud, where you want to directly connect your users to the Internet to improve their performance and save money, then you have the real challenge of could I possibly replicate this stack, instead of at five regional data centers, at 100 or 1,000 branch offices, and that’s just not practical, it’s not realistic. That’s where a cloud-based security solution really comes into play and becomes a natural place to do security. We’ll talk a little bit about this as we go, but you can provide better overall security in a much simpler manner that is really all about enabling that transformation, that move to the cloud.
In our mind, this is inevitable. This is the same thing that happened in multiple other markets. For instance, the CRM market with Salesforce, where you go forward five years and you hardly see anybody using the old, on-premises style. That shift is natural and is going to happen with security as well. If you think about the list of customers already using Zscaler, that shift is well underway. It’s not the future. It’s the today. The way that we’ve done this is by providing your entire security stack as a cloud service.
We’ve essentially put a perimeter around the internet, so no matter where your employees are, they go through Zscaler before they get to their Internet resources, their SaaS applications, etc. To do this, you just point your router or local firewall to Zscaler via a GRE or IPSec tunnel. Or, you use the Zscaler app to protect your users when they’re not in one of your buildings. If they go to a coffee shop, they’re working from home, they still get the same protections that they got when they’re in the office.
With a cloud-based security solution, there’s only one place you can set your policies. You do it once by user group, location, time of day, application, URL category, whatever it might be. You configure those policies and they are instantly deployed across the entire cloud. If the user leaves and goes to another country, they are directed to the closest data center and they get their policy automatically and instantly. Then, from a reporting and visibility standpoint, as soon as a flow happens, that for an entire organization is collected in seconds into your log database.
We call that Nanolog, and it’s available to do reporting and even stream onto your premises into a SIEM, like a Splunk or an ArcSight, etc. You get instant visibility from every user around the world. There is no process of collecting logs, loading those in, merging them together. It all happens in real time within seconds of that transaction happening.
Zscaler was built from the ground up to be a cloud security platform. As I mentioned before, over 100 data centers, 25 billion transactions every single day, and we have over 100,000 security updates that get propagated throughout our cloud every single day. Those are things that our research team finds. It’s things that our sandbox designates and finds to be malicious, but we also have third-party feeds from over 40 companies, like Google, PhishTank, Microsoft, Adobe, etc., where if anybody out there is finding things as malicious, you are instantly protected across our entire network.
On top of that platform, we layer a number of different services. Zscaler started out in 2008 with a secure web gateway that was URL filtering and antivirus, but over the years that same platform with the same architecture has added in next-generation outbound firewalls, so you don’t need to put a firewall out at the branch when you’re directly connected. We added cloud sandboxing, so every file that has never been seen before will get sent into the sandbox, and it will protect the entire cloud if it turns out to be malicious.
We’ve added data leakage protection, QoS, and application security brokerage functionality, so we’ve continued to build on the single platform, rather than the way a traditional appliance vendor would typically do it, by adding different appliances with different user interfaces and reporting and different training that’s needed. Here, it’s all a single, integrated platform.
Focusing a little bit on the security, what really sets Zscaler apart are a few things. First, we don’t make trade-offs. We inspect every file that comes to our network. We don’t say, “Oh, this is from a trusted site, no reason to scan it.” Or, “This is from a CDN, it’s probably safe.” We scan every file. If it’s never been seen before, we’ll send it to our sandbox. We do that because while it’s usually safe, sometimes good sites do get breached and they serve a piece of malware. More and more, the criminals are using content distribution networks to host their malware.
Anytime you’re bypassing something because it’s probably safe, you’re leaving yourself open for compromise. We also do real-time threat correlation. All of our different modules are tied together, so we can see exactly what’s happening and quickly block destinations, similar signatures, the exact file that shows up on another site, etc. We have that cloud intelligence where when any one of our users finds something the first time, we instantly protect the other 15 million users on our system.
We have settings where even a zero-day exploit that has never been seen by anyone that could be targeted specifically for you, created so it’s not in any cache or known place, you can put a policy that says, if I’m going to download an executable, if it’s never been seen before anywhere, by any of our users, we are going to do something called quarantine it, where we’ll put up a page that says, “Come back in a few minutes. We’re scanning that file.”
You would never do that for Word docs or PDFs or other things that are frequently changing and usually safe, but if someone is downloading an executable and you allow it, maybe it’s your IT group, and nobody in our cloud has ever seen it, you’re going to want to quarantine that, put it in a sandbox and analyze it first. That’s a unique capability of Zscaler. No one else can do it. Finally, I mentioned already, we have a fantastic research team, but we don’t count on just our own team.
We have over 40 different feeds, like some of the ones you see here like VirusTotal, etc., where we are taking a collection of brains around the world, and if they’ve found something to be bad, we integrate it into our cloud and instantly propagate it to all of our users. Most of our customers start with Zscaler at either step one or step two here, but we like to say it’s a journey. The ultimate goal of many of our customers is to get to that fully transformed network. That was what Ramesh was talking about earlier. They want to directly connect their branches to the internet in a safe way to enable more throughput, better performance and savings on things like MPLS.
The first step is often to just point your existing infrastructure to Zscaler. We add an extra layer there. We prove out that we provide security not only as well as them but better than the existing solutions. Then, you start to simplify your environment. You rip out some of those appliances that are just adding cost and complexity, to where you have an appliance-less architecture, and then when you’re ready to move a site directly to an internet connection, security doesn’t change. You’ve already got the policies in place. It doesn’t matter whether they came from a hub-and-spoke internet egress point or directly from a branch, because the policies are the same. Once you’ve done one, it’s easy to move to number two and number three because your security is already in place.
Why Zscaler? It depends on who you ask. If you’re asking the CISO, it’s because we can provide unmatched security with a consistent policy for every user that’s always up-to-date, always patched. If you acquire a new company, you can instantly get them on the exact same security as the rest of the organization. If you’re talking to a CTO or a head of IT, it’s about IT simplification, consolidating a bunch of point products into one and really enabling that adoption of cloud. If you’re a CIO, CFO, it’s about eliminating some of that CapEx and turning it into an operating expense, lowering your operating expenses on MPLS.
So you can take a big chunk out. Often, you can pay for an entire Zscaler deployment and more with the reduction in MPLS cost. Finally, from an end-user perspective, it’s about faster response time. If you are directly breaking out, you are closer to those resources. You can get out to the Internet right away. If you are an international company, you can get localized content. You don’t have to get whatever content your internet egress point is, and it really does enable smooth transition to SaaS applications, etc.
With that, I will turn it back over to Ramesh to talk through a joint customer success story. This is a customer using both Viptela and Zscaler.
Ramesh: Excellent. Thank you, Steve. Just to bring both elements together here, both SD-WAN and security, let’s use a frame of reference here, which is really this picture. As Steve was mentioning, we do have multiple customers, large enterprises who have already deployed this infrastructure, but typically this is kind of what that architecture would look like at a very high level. At the bottom, you have your home offices, your small retail locations, your branches, campuses, data centers, cloud-based locations and so forth.
All the traffic kind of flows freely between them if it’s site-to-site or a user trying to access an application directly in the data center and whatnot. The minute you have to inspect something, and you could put a policy that says, “I want to inspect everything,” then there is a dynamic decision that is made to send traffic securely to the Zscaler cloud at the top. Multiple customers have used it in multiple ways. It could be just purely for content. It could be for all your enterprise-critical applications, a mix of the two, and also SaaS as well.
The decision to enter Zscaler through the internet or through some kind of a secure type is entirely controlled through the mechanism that we provide inside of our platform. You could decide, “Hey, I want to inspect all Port 80 and Port 443 traffic only to begin with.” That’s an application, finer grained control that you could have. Or, you could say, “I want to inspect everything.” You can also have full control over what elements of security you want to control from within the Zscaler dashboard as well. The decision on what needs to go to the Zscaler cloud, and how it needs to go is controlled through the Viptela infrastructure.
The decision on what needs to be inspected and all of the threat protection capabilities that Zscaler provides is actually controlled using the Zscaler infrastructure. That, at a high-level, is how the customers have been able to pull all of these things together. Now, in order to enable this and deploy this, it’s actually very, very simple. All you have to do, as Steve was mentioning, is put all of the policies in place on the Zscaler cloud for the applications of interest. Then, go to the Viptela portal and say, “These are the sites. These are the applications. Go to Zscaler.” It’s really that simple.
There is an automatic tunnel that gets established between our devices into the Zscaler cloud and we can actually start sending traffic right away. If you’re talking about time to capability, if you are talking about enforcing policies really quickly, this is really the core of what we do. Now, this is, again, an architecture. Now, let’s talk about this in the context of a specific customer in the next slide.
The customer is a Fortune 500 healthcare equipment company. They did a recent owner’s presentation as well. The company is Agilent. They have 100+ locations worldwide, extremely stringent from a regulatory compliance and security standpoint. We have employees that are global. A pretty large company, so you can imagine there is an intersection of healthcare equipment, security constraints, highly regulated, and they need to make something work. The journey that they embarked on was really around having a network with pure MPLS, and how do you augment that with a broadband based offering?
For a variety of reasons: sites that need to be turned on quickly, access to high amounts of bandwidth that’s economical and also reach as well. How do you architect the network so that you get the most optimal performance for the network? Because there is a broadband connection at every single site and location, the natural tendency was to look at, “Okay, can I exit out to the internet locally at the branch and get the most optimal performance as well?” All of the centralized security functions along with all of the firewalling, the IPS, IDS, URL filtering and many of the other elements of security that Steve was talking about.
They were looking at that in combination. The transformation was really around moving from private to hybrid, and as a result of that, having full control over the infrastructure and still realizing the benefit of cost, realizing the benefits of time to capability and also all of the elements of security. What we demonstrated in the first and the last and then in their pilot sites and soon in the production network was exactly that.
How do you architect the network? Make it really, really simple so that all they have to think about are sites, all you have to think about are the size of the sites, how many connections do I have in terms of private and public and how do I access security? The conversation was really around network architecture and also policies, very quickly, which was really where you want to be as you start to architect this type of infrastructure.
Some of the key elements that stood out were really around DPI-based policies. Right? At the site, Viptela infrastructure can give you fine application control so you can say, “These are the applications that are of interest, and please send this to the Zscaler cloud for inspection and for outbound processing as well, and do the same thing in the reverse direction.”
The conversation then started to gravitate from IP addresses and ports and DSCPs to these are the applications that I really want to consider and that I want to protect and that I want to enforce policies around as well. The other element is everything is centrally controlled and cloud controlled. Steve was talking about the power of cloud-based security and the infrastructure that we provide at Viptela is also entirely cloud-based as well, so the controls that we provide and the management platform that we provide are entirely cloud-based.
You can consume this technology, as well, really simply. You do not have to involve your IT infrastructure for integration, for management and so forth. You can actually almost instantly turn it on and start to consume as well. The same thing is applicable irrespective of the type of content, whether it’s for internet-bound content or SaaS or guest Wi-Fi and so on and so forth. This architecture we know works. It scales to not just a few hundred locations, but thousands of locations worldwide, as well.
It gives you the peace of mind, it gives you the high availability required as well. Interestingly, a few data points that came about as a result of this: the performance for some of the elements of voice are better on the internet as opposed to just a pure private network, which actually caught us by surprise as well. A few other things are the high availability of the solution, because now you’re breaking this into smaller chunks and you’re providing redundancy for every single one of those components.
The overall high availability of the solution grows dramatically, and you do get dual redundancy for all of the components of the solution, whether it’s for site-level redundancy, whether it’s for access into Zscaler, and certainly all elements of cloud inside of Zscaler are already redundant. It helps with your cost. This helps with your time to capability, it helps with your security and, essentially, you’re moving in the direction of cloud-ifying everything, as well.
There are a lot more details behind not just this case study, but multiple other customers that we have jointly deployed together. I would highly encourage the attendees in the audience to reach out to us and learn more and we will certainly be happy to provide a demonstration of that, as well. With that, I’ll turn this over to Sajad as well.
Sajad: Thank you, Ramesh. Thank you so much. I think it was a great case study. I’m sure a lot of our audience can actually relate to a lot of challenges with the current or traditional appliance-based model. I think SD-WAN and cloud security is a very deadly combination and that’s something that everybody should consider as they move forward. To our audience, we are moving on to our next segment, which is the Q&A. At this time, you can type in your questions in the chat panel or the Q&A panel. We’ll compile them and I’ll have Steve and Ramesh help me in answering those questions.
Before that, we want to really cover some of our next steps. What you see on your screen right now is a free security self-check. You can run a quick and safe security check with Zscaler. The link is right there on your screen. It’s completely safe. There’s not going to be any virus that’s going to be downloaded on your machine, and within less than two minutes you’ll actually be able to see a report and it will give you a detailed analysis of your security posture. You’re more than welcome to get back to us if you want to share the results, and for the next steps. Thank you.
A couple of other things for the next steps before we get into the Q&A. From Zscaler, there are a couple of webinars. Our upcoming live webcast on Rio Olympic 2016 on August 25, on Thursday. We’ll definitely follow up with a link for you guys to register, so please stay tuned. We also do these live product demos weekly. Our next couple of demos are scheduled for August 25 and September 1. On Viptela’s site, they also do a bunch of these live webinars and product demos. The upcoming one is on August 30 on optimizing the WAN for AWS and Azure, and there is a link for all of their upcoming live demos as well.
With that, let’s move on to our Q&A section. Ramesh, our first question to you. The question is, “Do I need to rip and replace the current Cisco infrastructure to accommodate SD-WAN?”
Ramesh: Great question. It’s actually a question that comes up quite often from our customers looking at this technology. The short answer is you can deploy this in one of two ways. Right? For the ultraconservative/you want to kick the tires and understand how things work, you can put the Viptela device behind your existing WAN router, at which point we would be the WAN router. We would do all the elements of path management. We would automatically measure loss, latency, jitter, do the application steering, provide the network-based security.
The WAN router in the front would be no more than a transport device. What we have seen though is the vast majority of customers go and replace the WAN router because we do provide all of the router capabilities. We are a WAN router as well, so they go ahead and rip and replace. It’s not that you have to, because we fully understand that for a period of time, especially if your network is pretty large, you will have to coexist with other equipment vendors, so we certainly can interoperate, and that’s the model we would recommend, as well.
The short of it is the end-state architecture would be seen in the vast majority of customers as all Viptela.
Sajad: Great, thank you. There is a follow-up question on your last slide, Ramesh. It said something about dual redundancy everywhere, meaning dual Viptela devices at each location. Is that correct?
Ramesh: Yes. We have seen a mixed bag in terms of deployment models. In retail in particular, we have seen a single device. It could be for cost reasons, it could be for a multiple of other reasons. There is a single device that’s dual connected to multiple circuits, essentially either dual broadband or MPLS and broadband, and so forth. What we have seen in healthcare and financials and government is a fully redundant deployment where you do have multiple devices at a site, and you can terminate different circuits on each of those devices.
With the technology, we can automatically figure out what the available circuits are across multiple devices and optimally use them as well.
Sajad: Great. The next question for Steve. Steve, the question is would this kind of Viptela solution work if the customer wants to use MPLS and broadband as the overlay network?
Steve: Yeah, absolutely. From a Zscaler perspective, that’s transparent. The traffic destined for the public internet would go through the Zscaler service. Any SaaS applications, public websites, etc. Ramesh can comment on this as well, but Viptela can absolutely work with the MPLS and using broadband at the same time as part of either a transition or a strategy to reduce costs and/or improve performance.
Ramesh: That is correct.
Sajad: Sorry for that, Ramesh. Next question, Steve. I think this is a follow-up to one of your slides, and the question is, “How is it securely transferred to Zscaler? That part is always breezed over. Proxy doesn’t seem secure and DMVPN or EZ VPN tunnels are not specified. How does it work with Viptela?”
Steve: Yeah, I’ll start, and I’ll turn it over to Ramesh. The way we philosophically look at it is if the traffic, again, if it’s destined to a public site, it’s either SSL or HTTP. If it’s SSL, it’s already encrypted, so you’re going to a SaaS application; Gmail or YouTube now or Facebook. Many, many sites use SSL, so that has its own tunnel with encryption, etc. If it’s a regular, non-encrypted site, say someone is going to CNN, we don’t encrypt it between the user and us because it would just be in the clear from us to CNN anyway.
That said, we do optionally support IPSec encryption where you can encrypt everything, but that’s not a recommended deployment. It’s not something that we see as necessary, but it is supported if somebody would like to do that. As I said, the nonprofit traffic doesn’t need to be encrypted. For internal-based traffic, that wouldn’t typically go through us, and Viptela would just handle that, and Ramesh can comment on the way that that traffic is secured.
Ramesh: Yeah, that’s right, Steve. You covered it well. If you look at it, there are two traffic types. One is site-to-site, or consumer to application, and that typically goes directly. The Viptela infrastructure provides the full-blown security, network security whereby we can encrypt everything going between a pair of sites automatically. For traffic destined outbound through Zscaler, we automatically set up a pair of redundant GRE tunnels with keepalives inside, and we can, through some of the integration work, send traffic directly over one of the GRE tunnels and that takes care of sending it out to the internet or a phantom site or on the way back in, which would use the same GRE tunnels back to here.
The control over what application needs to go through that GRE tunnel can be done through the Viptela vManage platform, so you can say these are the applications of interest and this is what needs to go through the GRE tunnel.
Steve: Ramesh, next question is for you. Can you review what hardware and software is required at the headquarters then? What hardware and software is needed at the remote site?
Ramesh: Sure. In terms of simplicity, we just have a few flavors of hardware. We have a 100 meg, 1 gig, 10 gig type encryption devices that are also serving the full function of routing, path management and so forth. Think of it as a WAN router that you can put at the head end. We really don’t delineate between a site and a head end. We advocate a full-mesh model, because in this brave new world, everybody wants to talk to everyone and so you need to kind of have that full mesh connectivity.
Think of it as you size the device based on the sites that you have, and that can be a sort of physical or a virtual device. Then, all of the underlying elements are controlled using a cloud based infrastructure, and that can be in the Viptela cloud, it can be in a managed service provider’s cloud or it can be on-prem as well, if you are a highly-regulated industry. Those are really the two components. Think of it as the cloud component that helps with the network-wide connectivity, intelligence and management, and then the actual devices that do all of the heavy lifting by sending packets and so forth.
Sajad: Awesome, thank you. Next question is I think for both of you, and maybe Ramesh, you can start and then Steve can add on. With Viptela and Zscaler integration, is there a GRE tunnel or IPSec tunnel between Viptela branch devices and Zscaler cloud?
Ramesh: Yeah. I think we covered this in the previous question. Yes, there is a GRE tunnel. That’s the on ramp from the enterprise branch into the Zscaler cloud. It is configured through a very simple few clicks on vManage and this would automatically set up a GRE tunnel. For liveness detection, we do it on keep-alives inside, so that traffic can move over to the other GRE tunnel that is automatically set up in case there is a failure.
Sajad: Steve, do you want to add anything?
Steve: No, I think that covered it.
Sajad: All right, awesome. I’m getting a lot of questions on whether the presentation is going to be available on demand. The answer is yes, we’ll definitely make the presentation available on demand as well as we will follow up with a link to the recorded version, and will also share the copy of the presentation with you guys, as well. I think we have time to take one or two more questions. Steve, the next one is for you. How do you ensure performance or stability for an LT line in comparison with an MPLS line, where you have a fixed route managed by one vendor?
I think that is more with Ramesh, but I think there is another question, follow-up question on performance and stability with the Zscaler cloud also.
Steve: Yeah, I’ll let Ramesh take the first half of that question, because the internal traffic doesn’t go through Zscaler, so that’s really a question for the Viptela side. In terms of our performance and stability, first of all, we wouldn’t be able to have the likes of the customers that we do in terms of Fortune 500 using us for their entire internet if we weren’t stable enough, because the Internet is a mission-critical part of so many businesses right now.
From a performance standpoint, I mentioned earlier we’re in over 100 data centers. That means we are close to wherever the locations might be, so the traffic doesn’t have to travel far. We peer directly with all the major service providers around the world, which means the traffic gets from your location onto us in a single hop, through your service provider. We even peer directly with a large percentage of the major content providers out on the internet, people like Microsoft if you’re running Office 365. That means you can one hop skip to us to provide the security and we can directly go from us into the content providers without ever crossing the “public internet” part.
It’s all a very well-known path into it. You know, obviously, if you’re a smaller site in a random server around the world, there are some unknowns, but that’s always going to be the case. What we do is we ensure the performance to the major service providers, the major content providers are all single-hop with very high-speed, low-latency connections. Ramesh, maybe you can comment on the first part of that question.
Ramesh: Yeah. Performance is a pretty broad topic, but I can touch on a couple of things and then certainly have an off-line conversation with the person that asked the question as well. With respect to performance, a few things that you need to consider. If you have multiple circuits, different types of connections, what you would want to know is what is the SLA I can possibly get over those? This is a provider-provided SLA, which is usually in a contract, and then there is the real-time SLA that you can realize on the network itself.
It could be that it is a four-nines available network, but the instant that you’re looking at it, it is going through a blackout or brownout. What you need is the ability to steer around those things. We have developed enough into solutions and the capabilities so that you can automatically not just get visibility into what the underlying SLA is for each of the circuits that you are using. This is any site to any site, so it could be from branch to data center, branch to cloud, branch to other site, and know instantly what those SLAs look like.
I can make decisions in real time on which application needs to take what type of SLA. Many of our customers have put policies in there that say, “Hey, this is my WebEx. This is my critical application, and I need to get a near-zero loss and less than 100 millisecond path through the network.” That’s an example of a centralized policy. This gets instantiated on every single device, which measures in real-time and steers application traffic down a path that will provide that level of performance SLA.
Once again, this is a pretty broad topic, but that’s one of the ways that you can actually make sure that your application gets the performance SLA that you’re looking for.
Sajad: Great. Thank you, Ramesh, and thanks, Steve. Thanks for this compelling presentation. At this time, I would like to now conclude this webcast. We’ve got a ton of questions and we’re sorry if we were not able to get through to your questions, but we will make sure that the Zscaler and Viptela team will get back to you and help you individually in answering those questions that you may have. I would also like to thank our wonderful audience for taking out time from their busy schedule and spending the last hour with us.
I hope you enjoyed the webcast. Please do give us your feedback before leaving. You all have a great day or evening and hope to see you in our future presentations. Bye for now. Thank you, Steve. Thanks, Ramesh.
Ramesh: Thank you.
Steve: Thanks, everyone.