SD-WAN and Cloud Security · 2018. 5. 17.

  • ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION

    Cloud-First Branch Transformation with SD-WAN and Cloud Security

    Riverbed Zscaler solution

  • Zscaler – the largest security cloud. Reliable. Available. Fast.

    Secure: Ongoing third-party testing

    Certified

    Reliable: Redundancy within and failover across DCs

    Transparent: Trust portal for service availability monitoring

    35B+ Requests/day

    125M+ Threats blocked/day

    120K+ Unique security updates/day

    100 data centers across 5 continents

    Peering in Internet exchanges

    150+ Vendors peered

  • Unparalleled cloud scale

    All users – All traffic

    PROTECTION ACROSS COUNTRIES: 190, 130, 125, 113, 70

    LOCATIONS PROTECTED: 30,000; 12,000; 6,000; 900; 500

    EMPLOYEES PROTECTED: 400K, 125K, 120K, 80K, 1.6M, 1.3M

    OFFICE 365 MONTHLY TRAFFIC: 83 TB, 44 TB, 38 TB, 37 TB, 35 TB

  • Leading industry analysts agree…

    Leader – 7 years in a row

    Zscaler is a very strong choice for any organization interested in a cloud gateway.

    …On-premises web content security can’t protect digital business…

  • Cloud and mobility require a fundamental change in network and security architectures

  • Cloud and mobility break network security

    The Internet is Your New Corporate Network

    [Diagram labels: HQ, EMEA, APJ, Branch sites; Home, Coffee Shop, Airport, Hotel; SaaS, Open Internet, IaaS]

    “GE will run 70 percent of its workload in the cloud by 2020” Jim Fowler, CIO

    “The Internet will be our new corporate network by 2020” Frederik Janssen, Head of Infrastructure

    “Office 365 was built to be accessed via direct Internet connection”

    How do you secure a network (Internet) you don’t control?

  • Cloud and mobility break network security

    Zscaler enables secure network and application transformation

    [Diagram labels: HQ, EMEA, APJ, Branch sites; Home, Coffee Shop, Airport, Hotel; SaaS, Open Internet, IaaS]

    OLD NETWORK MODEL: Hub-and-Spoke, MPLS / VPN

    NEW NETWORK MODEL: Direct to Internet, Broadband / Wi-Fi / LTE / 5G

    NEW SECURITY MODEL

    Secure the Network

    Securely connect users to apps

    OLD SECURITY MODEL

    Secure the Corporate Network

  • Internet Gateway: Complex, expensive, and poor user experience

    [Diagram: request path through the Internet gateway, hops numbered 1 to 28. Labels: Aggregation Firewall; Load Balancers & VPNs; Web Filter; Sandbox; Flow Management; Edge Next-Gen Firewall; DLP; SSL; Content Inspection; Internet; HQ]

    A simple web request takes 28 hops

    Despite this massive investment, breaches are on the rise

    WHAT’S YOUR RISK SCORE? FIND OUT AT SECURITYPREVIEW.ZSCALER.COM/RIVERBED

  • Would you build a power plant with home generators?

    HOME POWER GENERATORS: Building a cloud with single-tenant appliances

    • Disparate redundant control, logging, and enforcement policies

    • Multiple appliances, multiple hops — slow user experience

    • Expensive and complex to scale and manage

    POWER PLANT (THE ZSCALER CLOUD): Zscaler built from scratch a highly scalable and ultra-fast multitenant cloud security architecture

    • Integrated control, logging, and enforcement

    • Single pass architecture — performance SLA and security efficacy

    • Infinitely scalable — cost effective

    [Diagram labels: NY, USER A (policy follows), USA, EU, Private, London, Sydney; ENFORCE, LOG, CONTROL]

    [Diagram labels: Sandbox, DLP, LB, Full AV, SSL Proxy, IPS, NGFW, DNS; Increased latency, Inefficiency, Impaired performance]

    Legacy technology cannot be repurposed for the cloud

  • Cloud-First transformation from hub-and-spoke to local internet breakouts with SD-WAN

    Nothing bad comes in, nothing good leaks out

  • Zscaler Internet Access – Fast, secure access to the Internet and SaaS

    Direct to Internet: Block the bad, protect the good

    The best approach for SD-WAN

    [Diagram labels: Data Center, APPS, MPLS; HQ, MOBILE, BRANCH, IOT; SaaS, Open Internet]

    Your security stack as a service

    Data Protection: Data Loss Prevention, Cloud Apps (CASB), File Type Controls

    Access Control: Cloud Firewall, URL Filtering, Bandwidth Control, DNS Filtering

    Threat Prevention: Adv. Protection, Cloud Sandbox, Anti-Virus, DNS Security

    Real-time policy and analytics

    Real-time policy engine: Policies follow the user. Changes are immediately enforced, worldwide.

    Business analytics: Global visibility into apps and threats blocked. Identify botnet infected machines for remediation.

  • Cutting edge security capabilities in the cloud

    CONTROL BANDWIDTH

    SECURE ALL PORTS & PROTOCOLS

    MULTIPLE PROPRIETARY INSPECTION METHODS

    ADVANCED THREAT PROTECTION

    CLOUD EFFECT

    SSMA™: All security engines fire with each content scan – only microsecond delay

    ByteScan™: Each outbound/inbound byte scanned, native SSL scanning

    PageRisk™: Risk of each object computed inline, dynamically

    NanoLog™: 50:1 compression, real-time global log consolidation

    PolicyNow™: Policies follow the user for the same on-premise, off-premise protection

    Capabilities shown: Behavioral Analysis, Sandbox, Dynamic Content Classification, Proprietary Risk Index, Anti-Malware, XSS Protection, CVE Protection, Bandwidth Control, QoS, URL Filtering, Proxy (SSL), Block Lists, File Type Control, DNS Filtering, Cloud FW (NGFW), Browser Control

    Full Inline Inspection & Correlation of Threat Indicators

    60+ threat feeds

    Find once, block everywhere

    35 Billion Requests per Day

    125 Million Threats blocked per Day

    120,000 Unique updates per day

  • Zscaler to Secure SD-WAN: Five Reasons why

    Secure SD-WAN

    1. Reduces cost and complexity (no hardware or backhauling)

    2. Enables a fast user experience (fast response times)

    3. Simplifies operations (local breakouts, single console, all ports)

    4. Security and scale (no compromises, full inline inspection, SSL)

    5. Rapid deployment of new services (no upgrades, configuration changes)

  • Enterprise Networking for the Cloud Era: SteelConnect Components

    SteelConnect Manager: A centralized and multi-tenant management portal that provides an intuitive and simplified workflow for designing, deploying and managing distributed and hybrid networks.

    SteelConnect Gateway: A line of physical and virtual secure WAN gateways that provide unified connectivity and enforcement of global policy across on-premises and cloud network environments, zero-touch provisioning, automated VPN management and firewall and threat protection capabilities.

    SteelConnect Switches & Access Points: A line of LAN switches and Wi-Fi access points that support zero-touch provisioning, automate global enforcement of access control policies and provide complete visibility into connected users and devices.

  • A cloud-first architecture for cloud-first businesses: Riverbed SD-WAN + Zscaler Cloud Security

    • Securely transform to a cloud-first enterprise

    • Increase IT agility and responsiveness

    • Simplify branch operations and reduce costs

    • Provide fast, secure user experiences

    • Enforce security policies that follow users, no matter where they connect

  • Riverbed + Zscaler: Best-of-Breed Joint Solution

    Riverbed SteelConnect

    • WAN optimization and visibility

    • Traffic steering & Network path control

    • Application and User Identification

    • Centralized Policy

    • Local Network Services (DNS, DHCP)

    • Basic Perimeter Firewall (with VPN, NAT capabilities)

    Zscaler Cloud Security Platform

    • Threat Prevention – Malware Detection, Sandbox, Content Scrubbing

    • Access Control – Next Gen Firewall, URL/DNS Filtering, Bandwidth control

    • Inline Data Protection – Data Loss Prevention (DLP), Cloud Access Security Broker (CASB)

    • Acceptable Use Policy Enforcement, Other InfoSec Compliance Requirements

  • Solution Architecture

    [Diagram labels: HQ, BRANCH, Client, SH, SDI-GW, SD-WAN, IPSEC, GRE, The Cloud, Zscaler Cloud]

  • Simplify Branch Operations and Improve Business Agility

    SD-WAN solution integrated with Zscaler to seamlessly provide protection for employees directly connected to the Internet for web or cloud applications / resources.

  • Summary

    Zscaler and Riverbed make it easy to migrate to a Cloud-First branch architecture

    Increase Agility

    Reduce Costs

    Simple

    Secure

    Powerful

  • Branch Transformation for the Cloud-First Enterprise

    Better User Experience, Reduced Business Risk, Business Agility, Lower TCO, Competitive Advantage

    APP ACCESS TRANSFORMATION: DATA CENTER, CLOUD (SAAS/IAAS)

    SECURITY TRANSFORMATION: USER AND DATA SECURITY, NETWORK SECURITY

    NETWORK TRANSFORMATION: HUB AND SPOKE, DIRECT-TO-CLOUD

    [Diagram labels: FW / IPS, URL Filter, Antivirus, DLP, SSL, Sandbox, Global LB, DDoS, Ext. FW/IPS, RAS (VPN), Internal FW, Internal LB; Internet & VPN Gateway; HQ, BRANCH; SaaS, Open Internet, IaaS]

  • Riverbed SD-WAN and Zscaler Cloud Security: Accelerate cloud transformation without sacrificing performance, agility, or control

    Powerful

    Deliver fast connectivity to apps and data, regardless of network type or user location, by enabling local Internet breakouts. Seamless protection with the largest cloud security platform, peered with all major cloud providers.

    Secure

    Provide identical protection for users wherever they connect, by enforcing advanced threat prevention, data protection, and access controls for Internet-bound traffic (incl. SSL), without performance penalties.

    Simple

    Simplify branch operations and improve business agility with centralized, cloud-based management of network and security functions.

  • ©2017 Zscaler, Inc. All rights reserved. Zscaler™, SHIFT™, Direct-to-Cloud™ and ZPA™ are trademarks or registered trademarks of Zscaler, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners.

  • Zscaler Cloud Firewall – Security and access controls for all ports and all protocols

    • Stateful firewall policies – Apply allow/block security policy based on source and destination IP address, ports, and protocols

    • Standard NGFW policies – Apply granular allow/block security policies based on apps and users using a Deep Packet Inspection (DPI) engine

    • Fully Qualified Domain Name policies – Easily configure and manage access policies for apps hosted on dynamic IPs (Azure/AWS) or across multiple IPs. Move apps to the cloud without changing the policy

    • Real time, granular policy control and visibility – Configure policies across locations and get instant visibility into traffic usage, threats, and apps by users, groups and locations. No extra licenses and no extra cost

    • Cloud security services – Get the same protections everywhere, unlimited inspection capacity, and find more threats

  • Granular policy control: Define and immediately enforce all policies for all locations from a single console

    • Allow access to dynamic IPs based upon FQDN

    • Allow FTP for IT users only

    • Block all P2P apps except Skype for Bus.

    • HTTP/HTTPS traffic only on guest Wi-Fi

  • Real-time reporting and analytics for all users, all ports and protocols: Easily drill-down into detailed insight

    Instant drill-down by application

    View top rules hit

    Centralizes Visibility

    Instant Reporting

    Logs Every Session

  • Zscaler Bandwidth Control: Ensuring business application traffic is prioritized over YouTube

    Office365 guaranteed 40%

    YouTube capped at 50%

    • Policies are defined in a single console and immediately enforced globally

    • Policies are enforced in the cloud, before the last mile bottleneck

    • Window shaping and bandwidth throttling deliver a smooth user experience

  • Why Zscaler?

    Reduced Risk – CISO

    • Unmatched security - all users, branches, devices

    • Consistent policy & protection

    • Always up-to-date

    IT Simplification – CTO / IT Head

    • Consolidate point products & simplify IT

    • Cloud-enabled network

    • Rapid deployment

    Impressive Value – CIO / CFO

    • No Capex, elastic subscription fee

    • Reduced Opex - no box management

    • Reduced MPLS costs

    Productivity – End-users

    • Fast response time – local breakouts

    • Prioritize business apps

    • Empowers users to leverage cloud apps

    A Trusted & Reliable Partner: Commitment to Quality & Customer Success

    Technology Innovator - Market Leader - Financially Strong