
PROJECT OVERVIEW: SECURE CISCO SD-WAN DESIGN


Introduction

This case study showcases our successful collaboration with a security-sensitive pharmaceutical company in designing a secure Cisco SD-WAN network. The project aimed to establish a robust and compliant WAN infrastructure connecting their headquarters, data center, and remote branches. Our solution addressed critical challenges such as securing cloud-based applications, protecting against external and internal threats, and ensuring secure internet transport.


Design Objectives

  1. Cloud Migration: With the migration of enterprise applications to the cloud, the absence of a defined network perimeter needed to be considered.

  2. Threat Protection: Robust measures were required to safeguard against external threats like DoS attacks, ransomware, and phishing emails.

  3. Internal Security: Protection against inside-out threats such as privilege escalation, unauthorized access, and data exfiltration was crucial.

  4. Cost-Effective Connectivity: Expensive MPLS connectivity was to be replaced with a secure internet transport for cloud-based applications.

Proposed Solution: Cisco SD-WAN Network

To address these challenges, we implemented a Cisco SD-WAN network design because it met the customer's requirements in the following ways:

1. Cloud Migration:

  • Solution: The Cisco SD-WAN solution offers a secure and flexible architecture that accommodates the migration of enterprise applications to the cloud.

  • Reasons:

    • Zero-Trust Security Model: SD-WAN ensures all edge routers are fully authenticated before joining the network, providing secure access to cloud resources.

    • Secure Transport: A TLS or DTLS tunnel is established between edge routers and controllers, encrypting traffic and ensuring secure communication with cloud-based applications.

    • Scalability: SD-WAN enables efficient scaling of network connectivity to accommodate cloud services, ensuring seamless cloud migration.

2. Threat Protection:

  • Solution: The Cisco SD-WAN solution incorporates comprehensive security features to safeguard against external threats such as DoS attacks, ransomware, and phishing emails.

  • Reasons:

    • IPSec Encryption: SD-WAN uses IPSec tunnels with AES-256 encryption, ensuring the confidentiality and integrity of user traffic and protecting against data breaches.

    • Firewalling: Integrated Next-Generation Firewall (NGFW) capabilities provide advanced security features, including deep packet inspection and threat prevention.

    • Secure Internet Gateway: SD-WAN routers redirect internet traffic to a Secure Internet Gateway (SIG) or Cloud Security Provider (CSP) for additional filtering and protection against external threats.

3. Internal Security:

  • Solution: The Cisco SD-WAN solution offers robust internal security measures to protect against inside-out threats such as privilege escalation, unauthorized access, and data exfiltration.

  • Reasons:

    • Microsegmentation: SD-WAN enables the identification and segmentation of important assets through separate Virtual Routing and Forwarding (VRF) instances, ensuring secure access control.

    • Application Firewall: An application firewall filters all traffic to and from the segmented VRF, enforcing zero-trust policies and preventing unauthorized access.

    • Centralized Management: The SD-WAN solution's centralized management platform (vManage) allows efficient configuration changes, monitoring, and access control, ensuring strong internal security.

4. Cost-Effective Connectivity:

  • Solution: The Cisco SD-WAN solution provides a cost-effective alternative to expensive MPLS connectivity for cloud-based applications.

  • Reasons:

    • Secure Internet Transport: SD-WAN utilizes secure internet transport for connecting to cloud resources, eliminating the need for costly MPLS connections.

    • Optimized Routing: SD-WAN intelligently routes traffic over the most efficient and cost-effective paths, utilizing diverse internet transports while ensuring data integrity and security.

    • Traffic Isolation: Through Virtual Routing and Forwarding (VRF), SD-WAN isolates traffic, allowing for efficient use of bandwidth and cost-effective connectivity options.

Figure 2-10: Proposed SD-WAN solution


Planning and Implementation Steps

  1. Assess Current Network Infrastructure:

    • We evaluated the existing WAN architecture, including network devices, connectivity, and traffic patterns.

    • We leveraged the customer's existing SolarWinds network monitoring tool to ensure that we had a comprehensive inventory of all IT assets.

  2. Define Design and Deployment Strategy:

    • In order to meet the customer's requirements, it was necessary to establish a data center as the central point for tunneling any data associated with sensitive workloads, both inbound and outbound.

    • We used the service chaining feature to ensure the sensitive workloads went through firewall inspection.

    • SD-WAN controllers (vManage, vSmart, vBond) were to be hosted on AWS cloud.

    • Each site had at least one customer edge router (vEdge), and the bigger sites had a redundant pair of vEdge routers. Initial configuration was applied using Zero-Touch Provisioning (ZTP).

    • The customer required the ability to centrally manage network traffic and apply QoS policies. To meet this requirement, we implemented a hub-and-spoke topology with the data center as the hub and all other sites as the spokes.

  3. Plan Network Connectivity and Security:

    • The customer had two internet service providers and one MPLS service provider. The SD-WAN solution was implemented as an overlay over these connections.

    • SD-WAN orchestrates the utilization of these existing connections, ensuring that internet connections meet predefined thresholds for loss, latency, and jitter. The MPLS connection is employed only when none of the internet links meet the specified SLA, resulting in significant cost savings by reducing reliance on expensive MPLS services.

    • Encryption was implemented through technologies like IPSec to protect data transmitted between WAN edge routers, while firewalling and access control mechanisms are implemented to regulate traffic and restrict unauthorized access.

    • We also implemented threat prevention mechanisms, such as URL filtering and advanced malware protection, as safeguards against potential security threats and attacks.

  4. Prepare the Infrastructure:

    • For this project, we selected hardware platforms including vEdges (specifically vEdge 2000 and vEdge Cloud) and cEdges (Catalyst 8000) devices, which replaced the customer's older routing platforms.

    • Connections were made to the routers in the HQ, data center and branches. Appropriate configuration was instantly applied through the use of ZTP.

    • Integrated the SD-WAN devices into the SD-WAN overlay using the zero-trust security model. Through the use of digital certificates, the routers are authenticated before they join the overlay network.

  5. Configure SD-WAN Policies and Traffic Routing:

    • Defined SD-WAN policies based on business requirements, such as application prioritization, traffic steering, and quality of service (QoS) parameters.

    • Configured traffic routing policies, including load balancing, link aggregation, and dynamic path selection.

    • Set up policies for security features such as encryption, firewall rules, and intrusion prevention.

  6. Test and Validate:

    • We simulated the customer's network on EVE-NG Pro and used this simulation to conduct thorough testing to ensure the proper functioning of the SD-WAN deployment.

    • Validated the network connectivity, application performance, failover mechanisms, and security measures.

    • Addressed any issues and fine-tuned configurations as needed.

  7. Implement the Migration:

    • We planned a phased migration approach, starting with pilot sites or less critical locations.

    • Coordinated with stakeholders, including IT teams, service providers, and end-users.

    • Deployed the SD-WAN solution gradually, monitoring the impact on network performance and user experience.

    • Ensured seamless integration and cutover from the traditional WAN to the SD-WAN infrastructure.

  8. Provide Training and Support:

    • We trained IT staff on managing and operating the new SD-WAN environment and on performing day-to-day tasks such as tracking performance metrics and troubleshooting issues.

    • Established support processes and provided documentation covering common issues and troubleshooting steps.

    • Ensured ongoing support and collaboration with the SD-WAN vendor and service providers.
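The SLA-based steering described under Plan Network Connectivity and Security (internet links used while they meet loss, latency and jitter thresholds, MPLS only when none does) is modelled below as an added example; it is not Cisco's code or this project's configuration, and the transport labels, thresholds and sample measurements are constructed.

```python
# Added illustration, not Cisco's code or this project's configuration, of the
# SLA-based steering described above: internet transports carry traffic while
# they meet the SLA class's loss/latency/jitter thresholds, and MPLS is used
# only when no internet link does. Colors, thresholds and samples are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class LinkMetrics:
    color: str          # transport label: biz-internet, public-internet, mpls
    loss_pct: float     # measured packet loss, percent
    latency_ms: float   # measured latency, ms
    jitter_ms: float    # measured jitter, ms

@dataclass(frozen=True)
class SlaClass:
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float

    def is_met(self, m: LinkMetrics) -> bool:
        return (m.loss_pct <= self.max_loss_pct and m.latency_ms <= self.max_latency_ms
                and m.jitter_ms <= self.max_jitter_ms)

INTERNET_COLORS = ("biz-internet", "public-internet")
MPLS_COLOR = "mpls"

def select_path(links: list[LinkMetrics], sla: SlaClass) -> tuple[str, str]:
    """Return (chosen color, reason) for traffic mapped to one SLA class."""
    internet = [l for l in links if l.color in INTERNET_COLORS]
    compliant = [l for l in internet if sla.is_met(l)]
    if compliant:
        # Several internet links meet the SLA: take the lowest latency, never MPLS.
        return min(compliant, key=lambda l: l.latency_ms).color, "internet within SLA"
    if any(l.color == MPLS_COLOR for l in links):
        return MPLS_COLOR, "no internet link within SLA; fallback to MPLS"
    # No MPLS either: keep traffic flowing on the least-degraded internet link.
    best_effort = min(internet, key=lambda l: (l.loss_pct, l.latency_ms, l.jitter_ms))
    return best_effort.color, "SLA unmet everywhere; best-effort internet"

# Constructed sample: a latency-sensitive SLA class and three transports.
REALTIME = SlaClass("realtime", max_loss_pct=1.0, max_latency_ms=100.0, max_jitter_ms=30.0)
MPLS = LinkMetrics(MPLS_COLOR, 0.0, 20.0, 2.0)
HEALTHY = [LinkMetrics("biz-internet", 0.2, 40.0, 5.0),
           LinkMetrics("public-internet", 0.5, 35.0, 8.0), MPLS]
DEGRADED = [LinkMetrics("biz-internet", 3.0, 140.0, 45.0),
            LinkMetrics("public-internet", 0.1, 120.0, 10.0), MPLS]
if __name__ == "__main__":
    print(select_path(HEALTHY, REALTIME))   # public-internet: cheaper link, SLA met
    print(select_path(DEGRADED, REALTIME))  # mpls: every internet link breached the SLA
```

Note that MPLS has the best raw metrics in both samples yet is never preferred while an internet link satisfies the SLA, which is the cost-saving behaviour the design relies on.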

Project Summary

The secure Cisco SD-WAN design successfully met the objectives of the pharmaceutical company, providing a robust and compliant WAN network. By implementing advanced security measures, securing cloud-based applications, and facilitating secure connectivity, the solution addressed the challenges of the evolving network landscape. The pharmaceutical company achieved enhanced security, compliance, efficient management, and protection against internal and external threats.
