WAN Segmentation for Guest Wireless and Network Security
Retailers and banks are rolling out end-to-end segmentation for isolating POS, Banking Functions, and ATMs from other applications like Guest Wireless, Surveillance video, etc. These segments could have different topologies like full-mesh or hub-and-spoke and automatically be secured by a cloud-security provider like Zscaler.
This webinar covers why segmentation is hard to deploy today, the major vulnerabilities that arise from lack of segmentation, and how to deploy segmentation using the new overlay SD-WAN architecture.
Director Marketing, Viptela
Director, Technical Marketing, Viptela
Lloyd: Thank you everyone for joining the webinar on network segmentation. My name is Lloyd Noronha and I have with me David Klebanov and together we’ll be talking about a very powerful design practice in networking to protect the critical assets of an enterprise. Essentially, network segmentation has been used as a tool to an extent at branches and other smaller locations but it is a powerful tool to protect assets of an enterprise and isolate traffic on an end-to-end basis but it’s not implemented much today. We are going to get into the reasons of it and also explain how we address the problem in the marketplace today.
There is no better way I can make a point about network segmentation than on this slide. This slide covers a presentation I had attended in October of 2015. The presenter is Brian Krebs. You might know him from the blog, KrebsOnSecurity. Essentially he is one of the leading cyber criminal reporters in the marketplace today and he covered most of the hacks, including the Target breach. Now what was interesting about the Target breach was they had conducted an extensive audit at the end of the breach and the audit committee had presented four major findings to mitigate such events again. And one of the biggest findings was the lack of network segmentation—pervasive network segmentation. Now, there were other elements too, but network segmentation was one of the big factors in which they discovered that the one vulnerability in one of the part of the network had exposed all other parts of the network to the problem. For those of you who don’t know, the Target breach was attributed to vulnerability in the business partner’s network, essentially the HVAC. There was a compromise on the IT systems of their partner network which then crept into the POS systems because it had open access to all systems once it could enter the network. This presentation again was done to about 4000 CIOs. It was a very powerful presentation and it pointed to the fact that not having these restricted isolated zones within a network can essentially cause major problems in most enterprise networks, not just in retail networks. The question then arises that if segmentation is such an important aspect of network-based security, why isn’t it implemented pervasively today?
The reason for that is essentially two-fold. The first is if you want to look at how you would roll out segmentation today, there are two major options. One is you can have a carrier-provided solution. Essentially a service provider rolls out an extra VPN or an extra VRF for you within the enterprise and then you have the ability to map applications to these multiple segments that is provided by the carrier. This option, of course, has been available for as long as MPLS itself has been available but it is used only to a certain extent, not pervasively, and the biggest aspect is cost. It is not only costly for an enterprise to implement it is also costly for a carrier to deploy because eventually the entire carrier network is limited on a per segment basis or a per VPN basis. The next option that an enterprise has is essentially “do it yourself”. They have the option to have complex ACLs that are implemented on a per HOP basis. You essentially have intelligence on every segment that happened on a route-by-route basis on every HOP and, of course, this option also again has existed for a while but very complex and very hard to implement and if you were to actually count the number of enterprises that deploy end-to-end segmentation across the globe today you would easily come with a number that you could count with your fingers. It is that complex and it is that hard to do. Essentially, even if you were able to deploy one of these options, the question still arises: how do you deploy segmentation across the full WAN. You are still posed with a problem that a portion of your WAN is MPLS, a portion of your WAN is non-MPLS, or you might have dual MPLS. How do you implement a single segmentation framework across the full WAN? In order to do that you essentially need a single piece of infrastructure that you call the WAN and not this aggregated infrastructure like you have today. In order to explain more about how we solve it today with some real customer examples, I’m going to turn it over to David Klebanov on essentially discussing the overlay piece of the network.
David: Thank you very much, Lloyd, for the introduction, the overview. As you can see, there are quite a few challenges of deploying network segmentation and using the mechanisms that are available today. So, what Viptela makes available to you is a different approach through leveraging the software-defined wide area network capabilities. The way you do that is through the means of virtualizing your wide area network transports. So imagine that you now view your entire wide area network as a collection of capacity and that capacity can be delivered through different means, be that a traditional MPLS network, broadband circuits, or something like a cellular 4G LTE service. All of those tracks were extracted by the software-defined wide area network virtual fabric and now you can operate and you consume those resources in a way that abstracts the complexities of each one of them. As you can see in here you can easily achieve the end-to-end segmentation and segregation of the traffic by employing those on the Viptela CPE devices, which is the customer premise equipment, allowing you to achieve that segmentation across multiple transports. So you no longer have to consider the segmentation techniques of MPOS and the segmentation techniques of broadband or IPsec to make it work. It’s a unified fabric that you can now segment in end-to-end through its software-defined WAN approach.
Now what are the practical examples that we see across our customer base for deploying segmentation? I’m going to focus on the three major ones that we have seen in our deployment. So the first and foremost is an actual functional segregation of traffic across your network. There are, of course, many examples that we encounter but if you consider the main ones there are a few classes of traffic that you would like to segregate across your wide area or across your abstracted wide area networks, and these are many times things like security-conscious things that go to your on-premise or Cloud data centers. This can be segmented into separate segments and we have customers doing that. Now, you have things like unified communications of voice and video that flows between the branches and doesn’t quite touch the data centers and that could be segmented into its own segment. You can have things like guest services that go to the internet and are segmented yet to another portion, another segment on your network. And that creates an isolation of those environments and allows you to compartmentalize each one of them so you can apply security controls to each one of them separately and they don’t mix. So if one of them was compromised, then that would not bleed over to other environment which is exactly what Lloyd has mentioned in the beginning of our webinar. That was the case with the Target breach. The breach of a certain segment in the network, since the network was not really segmented, a breach in certain parts of the network quickly propagates across the entire environment. By creating this compartmentalization of the network connectivity you can get isolation of those networks. Now each one of those, of course, can be deployed with its own topologies and its own security mechanisms. There are quite a lot of details but at the fundamental level you’re looking at functional segmentation of things.
Now in addition to that you can also think about segmenting things like production traffic from test traffic from lab traffic, things of that nature. So it’s not necessarily the high level things like voice, video, security, and guest wireless. It can also be things like production, non-production, staging, HR, ERP systems, point of sale, quite a lot of things you can imagine that you can segment. And again going back to the example or going back to the architecture that I discussed in a previous slide, all of that is easily executed across any step of transports, be that an MPLS and broadband, exclusively broadband, exclusively MPLS, or any combination of the two including the 4G LTE connectivity as well—so all of that becomes a breeze. Now, the second thing is the mergers and acquisitions. It’s also becoming a very predominant case. As we see now there’s quite a lot of acquisitions happening in the market. The challenge that the customers or the organizations are facing with acquiring a company is that how do you integrate that company’s infrastructure into your own infrastructure? There’s a certain period where you may want to run two things in parallel, so you want to provide connectivity and services to that acquired company. However, you want to make sure that those services are inspected. You have security enforcement points to make sure that whatever comes out of that acquired company’s network is basically checked before being admitted to the parent organization.
So, here again the segmentation comes to the rescue. We have seen customers do that by provisioning in isolated segments which accommodate the connectivity to and from the acquired company. You can have finer security controls into how the wider occurs. The mergers and acquisitions has been a very interesting use case behind segmentation. Lastly, if you’re looking at a large organization, a conglomerate, or an organization that has principles of multi-tenancy—and again this could apply equally to the enterprises as well as the service providers. Many times the organizational IT departments like to treat their internal users as tenants. So having this segmentation on a per tenant basis is also something that we’re seeing a strong use case behind segmentation. Each one of the tenants is isolated from each other and the security controls are put on the tenant boundaries so you can control through security checkpoints which traffic is allowed to cross or to go through the cross tenant space. You may want to have the tenants completely isolated, so really the flexibilities are there for you to exercise but at the end multi-tenancy is another strong case. These are the three major cases we’re seeing that customers are deploying with respect to segmentation.
Now let’s move on to a demonstration. Let me just set it up and the conversation in here is that we have a relatively small set network, about 30 sites or so and again this is just the network we’re going to demonstrate on. But imagine that to be as small as just a few sites and as large as a couple of thousand sites and beyond. Our customer base is ranging really across the smaller amount of sites which is counted in single site numbers and to tens, to hundreds, to thousands, and beyond. So the architecture is completely scalable so everything that we talked about so far and everything that I’m going to show you is basically equally applicable to a network of any size. Now imagine the Viptela VH routers which are the customer premise equipment. These are the routers that get positioned on the edges of your wide area network and these are the ones that accommodate the connectivity from different WAN transports and they provide the connectivity to the users that are connected behind it. Everything we do is in the context of a virtual private network. So as you can see in this example it has two entities on the user side of the Viptela router and this is the point of sale and the guest user or guest wireless user. This is just to exemplify that these are two completely separate functions. Of course, you wouldn’t want the point of sale which in a retailer’s case these are the registers. You don’t want this to mix with the guest traffic of somebody who’s just in the store and occasionally browsing the internet. Of course, these are two completely separate functions and you want them to be segregated across different virtual private networks. On the wide area network side, you can have resources that reside in your corporate data centers. You can have resources that reside in your Cloud instances and, of course, you can have the resources that are straight on the Internet and that mostly service the guest wireless. Now by isolating the point of sale unit from the guest wireless, you can make sure that the two types of traffic don’t mix. And you can make sure that the traffic that comes from the guest user is sent over the Internet which is where it’s intended to. Now optionally what you can do is you can still provide a Cloud-based security and in this case we are going to be using a Zscaler integration that we have with Viptela that allows you to define user policies or access policies as to what is permitted or what resources are permitted to be consumed on the Internet. So in our case what we’re going to do is we are allowing straight browsing and we are not allowing this category of movie streaming which in our case is going to be Netflix. So the bottom line is if we want to allow browsing to the guest user so they can enjoy their experience at the same time we want to make sure that they don’t consume the resources unnecessarily and also potentially expose you to a risk that is associated with them going to places that they should not be going. That could open you to different liabilities because you are liable for the services that users that are on your network are consuming even though those could be guest users. So there’s multiple cases that you would want to have this Cloud security control applied to the guest wireless traffic.
So let me go quickly to demo this. So imagine this as being your guest user. In this case this is a wireless guest user so in this case we are using a simple iPad just to show you something that’s similar to the user. Let me just open a browser. I have two destinations I can go to. So let me browse the Viptela website and that opens. This is regular Internet access. Now let me go to a Netflix website. They’re also open. So now I have an unrestricted control or unrestricted access from the guest wireless network. So let me now navigate to a system, to a vManage system. This is a single pane of glass for managing, administering, troubleshooting. It’s an operational tool that is a single pane of glass for the entire Viptela solution. So in here what you can see is we have created a policy that inserts the Cloud security into the guest wireless segment. All we need to do is we need to go and activate this policy. So this policy’s been activated and now it’s being propagated through the entire Viptela network and again it’s a relatively small network in here of about only 30 sites or so, but imagine this going from a single site all the way to thousands of sites. It is exactly the same. So you can see it’s been successful. The policy has been pushed. So let’s go back to the wireless user. So let me close the windows and let me just browse again. So let me go to the Viptela website. The Viptela website still opens. Because it’s regular browsing it has not been classified as a streaming movie or television category.
Now if I try to go to Netflix I will get this response. So what you see in here is basically that Cloud security controls have been applied through the Zscaler which is a leader in Cloud security and we have now made sure that the traffic that goes over this internet connection from that remote site and that traffic is subjected to the Zscaler integration—subject to the Zscaler policy controls because we applied the policy on the vManage. So that’s just an easy way for you to see how the power of segmentation allows you to create multiple functional segments in your network and apply different security controls on a first segment basis.
Lloyd: Wonderful. Thank you for that, David. That’s pretty much done with our session today. We want to open it up for Q&A. I think that was a nice short presentation and demo. We wanted to keep it short so we spend more time on Q&A. As you could see, the policy that David showed you on the guest wireless is a single click policy that you can apply to your guest wireless network across the globe. So if you are an enterprise with three thousand or five thousand sites across the globe, some running broadband, some running MPLS, some running a hybrid mix and you want a single policy to be applicable on a segment everywhere, this is how you would implement. So I want to throw out a couple questions right now. We’ve had a few questions coming in and I also want to clarify that questions are in two categories. So there are questions from a service provider perspective as well as an enterprise perspective. So we’ll clarify that as we ask each one of these questions. So the first question we have is: Can you explain some real customer deployment examples of segmentation that we have today with Viptela?
David: Yes. This is a great question here. The great example we have is with the Fortune 500 retailer that is deploying in over a thousand sites now in production with Viptela technology. And the way that they’ve implemented that, if you remember the three living use cases that we talked about, the main use case was around segmenting different types of traffic across the network. And that’s exactly what this retailer is doing in production. They have between five and seven virtual segments and they map the connectivity from the end host systems into those virtual segments. Those virtual segments have to do with a point of sale, things like guest services, different ERP resources. So segmenting their entire environment that has traditionally been just a single blob, that’s traditionally the way people have treated the wide area networks. Now all of that is segmented end-to-end through between five and seven virtual segments stretching across over a thousand production sites.
Lloyd: And to add to that, in relation to that, the same network has also a separate segment for a POS network which is highly critical and also a separate segment for managing surveillance feeds. And the interesting part of each of these segments is they are on a completely different topology. Some of them are hub and spoke. Some of them are full mesh and some of them are star. For example, the surveillance is a star network where you’re only sharing regional information in a full mesh manner in a region but voice video segments and also some other segments are a full mesh, direct branch-to-branch connectivity and POS systems are, of course, purely hub and spoke. The next question we have it’s more of a carrier focused question: What happens to the QoS implementation on a MPLS network after we have an overlay? Does the VMPS tell me to maintain granular QoS if there’s an overlay running over it?
David: It’s a perfect question. So what we do on our point is that we give you really flexible controls as far as what you would like to do with equality of service before you hand it over to the MPLS network. So obviously many organizations employ different traffic marking mechanisms either at the access layer or sometimes they’ll re-mark things at the WAN edge. So we support both. You can either mark things close to your host and then when that traffic hits the Viptela VH routers we will just copy that marking to the outer IP encapsulation and send it over the virtual network and when that traffic gets to the MPLS network, the MPLS service provider can still apply their QoS controls based on the markings. So we preserve the marking that was applied at the host level all the way into the MPLS. So service provider QoS differentiated treatment is still very much an integral part of what happens. Of course, if the traffic is sent over the Internet, there are no QoS guarantees over the Internet so you are the mercy of the Internet performance. Now we also give you the option to re-mark things at the WAN edge of the VH router so that if you decide that you want to re-mark some of the marking that was done at the host level or the access switch level or you don’t want to trust that you can re-mark it and again we will copy that into the outer IPsec header and send it on its way. So at the end, MPLS quality of service is a still essential piece of the puzzle because it is still an efficient service with QoS guarantees. We just want to make sure that we apply a proper sort of abstraction mechanism to use MPLS and broadband and 4G LTE so you have the flexibility. But the traffic that gets over the MPLS network, the MPLS QoS still had very valid consideration.
Lloyd: The next question is on Zscaler. Zscaler is providing only IPS/IDS protection for traffic on 480 and 443. How would you protect guest users from threats on Internet traffic through any other port? So the answer is you know Zscaler is one of the options for Internet-bound traffic exiting from the Viptela network. That is just an example that we’ve shown you. There are many customers that have deployed with differing security schemes in their network, both in-house and Cloud based. Even without that there is native functionality in Viptela devices that sell that allows us to identify traffic types and essentially apply policy based on that. So we can selectively drop traffic at any point in the network based on your enterprise policy.
David: I would add just two small things to that. First, Zscaler has pretty extensive capabilities for inspecting the traffic including traffic that was encrypted with SSL and traffic that is being tunneled through an HTTP. So it is true that it is sort of a web-based enforcement yet it is very powerful across the stack. As Lloyd mentioned Zscaler is one option. If you want to implement different types of security controls through for example a safer firewall or IDS/IPS appliances that have been sort of specifically deployed for the purpose of deeper analysis, that is absolutely possible and we have a variety of ways that organizations are deploying that. It could be deployed inline. It could be deployed regionally through regional hub facilities and using our service and searching and functionality. It could still be deployed centrally in data centers. You have a wide variety of options to apply in those security controls through a traditional stateful inspection mechanism so firewalls, IDS/IPS, data leak protection, anything using our service insertion functionality.
Lloyd: Another question related to that is how do we protect traffic on the overlay network itself? How do we prevent the overlay network itself from getting attacked? The answer to that is we essentially have a fully encrypted overlay and only certain ports are open for traffic and we essentially authenticate all kinds of traffic that enter through those open ports and we implicitly block everything else.
David: So we employ a zero trust approach where the devices that are deployed or every single element of Viptela solution that is deployed is completely zero trust. So it is hardened by default and by design. So when you’re deploying these elements on the network and sometimes they’re connected to broadband circuits they are implicitly secure and everything that is allowed to communicate in and out of the device itself has to be specifically, sort of automatically, get discovered as the network builds itself. So they are hardened to begin with and then they are dynamically exposing themselves to the types of traffic that they need to be exposed to. And that could be an IPsec traffic or a connection to the controllers or a connection to the management systems. So it automatically sort of goes into the self-learning steps of knowing what kind of traffic it needs to accommodate that is targeted at the device itself.
Lloyd: The next question is: What is the overlay? Is Viptela using an IPsec overlay or some other overlay?
David: Viptela is a big believer in systematization and using standard based approaches. Everything we do is standard based. The overly is standard IPsec using AES-256 bit encryption so it is absolutely completely standard. It’s using SSL mechanism to the control plane. It uses dynamic routing protocols to the service or user side. So everything is completely standard based and can seamlessly integrate into any existing environment.
Lloyd: The only thing I have to add to that is that by default it’s a full mesh of IPsec tunnels in the way we’ve addressed the challenges of IPsec meshes by replacing IKE. Our IPsec tunnel is protected by PKI certificates.
David: Everything we do is mutually authenticated through the use of certificates so we don’t believe in pre shared keys. We don’t deploy pre shared keys. We have a mutual authentication and a mutual trust between every single element of the system so everybody goes through a rigorous mutual authentication and authorization process before they’re being admitted. The vBond, the VH routers or the controllers or the management system, everything authenticates everybody else. So everything is by direction authenticated through PKI. We also give you a certificate lifecycle management as part of the management system. So things like certificate signing, certification installation, things like that, they’re all automated through our management system. So it is sort of a zero touch PKI infrastructure that you just get embedded within the Viptela solution.
Lloyd: Wonderful. The next question is on the enterprise (a focused question) which is based on CPE. Do we need to replace existing CPE and if so how do we cost justify it?
David: So we support full flexibility and so we have customers that have gone both ways. We have customers who have replaced their existing CPE with Viptela routers, VH routers. They are fully functional routers. They do really well networking. They do really well security and they understand application policies. So some customers have decided to replace their existing CPEs with Virtela CPE. The second approach is that some other customers have taken an approach of putting Viptela CPE side-by-side with their existing CPE and again, as I mentioned, we support standard routing protocols, OSPF and BGP, so we would peer with those existing CPEs, we would exchange routing information, and we will build our virtual network on top of the existing CPE. Over time, customers who have opted for the second option of keeping the existing CPE, many of them actually go and expand their Viptela footprint but replacing the existing CPE and just increasing the number of Viptela devices to give them better redundancy on the SD-WAN side. So we have customers who have done it both ways.
Lloyd: Wonderful. I think we’re about four minutes over time right now. We have a few more questions and we will address them one on one with each one of you. We want to really thank you for attending the webinar. We plan to do this on a recurring basis, at least once a month. In the meanwhile, we had a lot of questions on the Viptela architecture. If you want to understand our architecture, even want to understand how large customers have deployed Viptela and they explain the step-by-step method how they’ve deployed it, if you go to our website you will see essentially a 60-minute broadcast by Packet Pushers that talks to three of our most significant enterprises in retail and financial services. Each one of them has a different architecture, a different hybrid network but they’ve been able to use the same technology for different needs. I recommend you attend the podcast and we will catch you on our next webinar. Thank you very much.
David: Thank you for attending.