As applications become distributed across clouds, data centers, SaaS, and the edge, enterprises need to enable secure access to those applications for their workforce from anywhere. Implementing Secure Access Service Edge (SASE) is a preferred method for enabling secure access to distributed applications by a hybrid workforce and the growing number of IoT devices.
Zero trust is one of the most common starting points for enterprises embarking on their SASE journey. Many enterprises are either in the process of adopting zero trust or have already adopted it. The initial transition was mainly driven by the large number of remote workers during the pandemic. However, many enterprises are now transitioning to hybrid environments with the workforce distributed from campuses to branches to home offices.
This hybrid work environment, together with growing reliance on distributed cloud and SaaS applications, requires a network architecture that provides scalable and distributed zero-trust security enforcement close to the endpoints and the people using them. This maximizes bandwidth utilization of the WAN link while ensuring there is no central choke point to which all traffic must be redirected. In addition, in order to thwart real-time threats, IT needs the network to continuously monitor and assess the security posture of devices after application access has been granted.
The latest enhancements in the SD-WAN security architecture are designed to support this new paradigm of distributed applications and hybrid workforces. The tight integration between Cisco SD-WAN and Cisco Identity Services Engine (ISE) now allows IT to apply zero trust security capabilities to the traffic that traverses an SD-WAN fabric.
Cisco ISE Configures Security Posture in SD-WAN Fabric for Zero Trust
Delivering a Zero Trust methodology for SD-WAN traffic requires four key functionalities: application access policies based on the required security posture (who can access what); security controls for admitted traffic; continuous enforcement; and rapid adaptation to security posture changes, all enforced with a consistent model for on-prem, mobile, and remote devices and workforce.
Cisco ISE supports the configuration of security posture policies in the SD-WAN fabric. When a person's device or an IoT endpoint connects to the network, the posture of the device is evaluated against the configured policy, and an authorization decision is made based on that outcome. For example, the outcome of a device posture evaluation can be compliant, non-compliant, or unknown. This outcome determines an authorization policy, which can include the assignment of a Security Group Tag (SGT) and other authorization attributes to the device and its owner. Details about how this is configured in Cisco ISE are captured in this technical article and video.
In addition, Cisco ISE shares the security group tags and session attributes with the Cisco SD-WAN ecosystem. IT can use this information to create identity groups and associate security policies in Cisco vManage, enabling access by specific groups to applications over the SD-WAN fabric all the way to the edge.
The images of the Cisco vManage console in Figures 1 – 3 illustrate how Cisco vManage learns a set of security group tags from ISE.
Monitoring of Security Posture Guards Against Attacks
Cisco ISE also supports periodic reassessment of device posture (explained in detail in this video). Any change in posture triggers a change of authorization, which results in a different security policy being applied at the SD-WAN edge. This allows the network and endpoints to work in unison to enable zero trust capabilities. The following three use cases illustrate what is possible with the deep integration of Cisco ISE and SD-WAN solutions.
- IT can configure a posture policy that requires an Anti-Malware Protection (AMP) agent running on endpoints to identify malicious files. When the owner of a device connects to the network, the posture is evaluated and determined to be compliant because the AMP agent is running. The compliant status results in a specific SGT being assigned to the traffic, with the associated authorization access. As an added benefit in this case, the SD-WAN router does not execute the network AMP function when AMP is already running on the endpoint. However, if the AMP process on an endpoint is terminated, whether voluntarily or involuntarily, ISE detects this through periodic posture evaluation. The endpoint's non-compliant status results in a more restrictive SGT being assigned. On the SD-WAN router, the policy for non-compliant traffic then causes the network-based AMP function to be executed for traffic originating from that endpoint. As a result, the network and endpoint work in unison to ensure that the right policies continue to execute properly.
- IT can configure a posture policy that prohibits the insertion of a USB device into an endpoint. When a device connects to the network with no USB attached, ISE evaluates the posture as compliant, and traffic from the device is therefore allowed to pass through the network. If a USB device is connected, ISE immediately detects the non-compliant status and performs a change of authorization, assigning a different SGT that the SD-WAN edge can use to block all traffic from the device for as long as the USB device remains attached.
- With Software-Defined Remote Access (SDRA), another key technology of Cisco SD-WAN, traffic from remote workers and their devices is processed by the SD-WAN edge and subjected to ISE posture evaluation in the same way. This means that all the capabilities for posture-based application access apply to, and are available for, both on-prem and remote endpoints.
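The posture-to-SGT-to-edge-policy loop behind these use cases, modelled as an added Python example (not Cisco or ISE code): the ISE side evaluates posture and issues a change of authorization only when the SGT actually changes, and the SD-WAN edge side chooses its action from the SGT alone. The `Endpoint` class, the SGT values and the action names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed SGT values for this illustration; real deployments define their own.
SGT_COMPLIANT, SGT_NO_AMP, SGT_USB_ATTACHED, SGT_UNKNOWN = 10, 20, 30, 40

@dataclass
class Endpoint:
    name: str
    amp_agent_running: Optional[bool] = True   # None: agent never reported in
    usb_attached: bool = False
    sgt: Optional[int] = None                  # SGT last authorized by the ISE model

def evaluate_posture(ep: Endpoint) -> str:
    """Posture check mirroring the post's two policies: AMP agent running, no USB."""
    if ep.amp_agent_running is None:
        return "unknown"
    if ep.usb_attached:
        return "non-compliant:usb"
    if not ep.amp_agent_running:
        return "non-compliant:amp"
    return "compliant"

# Authorization policy: posture outcome -> SGT (constructed mapping).
POSTURE_TO_SGT = {"compliant": SGT_COMPLIANT, "non-compliant:amp": SGT_NO_AMP,
                  "non-compliant:usb": SGT_USB_ATTACHED, "unknown": SGT_UNKNOWN}

def reassess(ep: Endpoint) -> bool:
    """Periodic reassessment: returns True when a change of authorization
    (a new SGT) is pushed to the fabric, False when the SGT is unchanged."""
    new_sgt = POSTURE_TO_SGT[evaluate_posture(ep)]
    changed = new_sgt != ep.sgt
    ep.sgt = new_sgt
    return changed

# SD-WAN edge policy keyed only on the SGT: the router never sees why ISE chose it.
SGT_TO_ACTION = {SGT_COMPLIANT: "forward",            # endpoint AMP trusted, skip network AMP
                 SGT_NO_AMP: "forward+network-amp",   # run network AMP on this traffic
                 SGT_USB_ATTACHED: "drop",            # block while the USB stays attached
                 SGT_UNKNOWN: "drop"}                 # constructed default for unknown posture

def edge_action(ep: Endpoint) -> str:
    return SGT_TO_ACTION[ep.sgt]

def walk_through():
    """Run the AMP and USB use cases in sequence; returns (coa_issued, sgt, action) per step."""
    ep, log = Endpoint("laptop-1"), []
    for change in ({}, {}, {"amp_agent_running": False}, {"amp_agent_running": True},
                   {"usb_attached": True}, {"usb_attached": False}):
        for attr, value in change.items():
            setattr(ep, attr, value)
        log.append((reassess(ep), ep.sgt, edge_action(ep)))
    return log
```

The second step of `walk_through` shows a reassessment with no posture change producing no change of authorization, which is the steady state between the events the post describes.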
Start the Journey to SASE with Zero Trust-Enabled Cisco SD-WAN
Cisco SD-WAN connects the workforce and IoT devices to any application using integrated capabilities for multicloud, security, and application optimization, all on a SASE-enabled architecture. Zero trust is a key capability of SASE, alongside SD-WAN, enterprise firewalls, a cloud access security broker, secure web gateways, malware protection, an intrusion prevention system, URL filtering, and DNS-layer security.
As organizations progress on their journey to SASE, Cisco SD-WAN's rich security capabilities enable Zero Trust across SD-WAN traffic to secure the network and devices in a scalable, optimal, and cost-effective manner.
For more information on innovations in Cisco SD-WAN:
Cisco Innovations Create a More Secure and Scalable SD-WAN Fabric
Cisco Secure SD-WAN Fabric is SecOps New Best Friend
Cisco SD-WAN Multi-Region Fabric Unites Distributed Enterprises