All Posts By

Sprint Networks

Transition of Security Service and SD-WAN Paradigm with SASE

By Superfast IT Networks

Corporates leverage cloud fabrics provided by cloud service providers to transfer data over a secure channel between data centres and remote branches through a cloud secure gateway (the SD-WAN overlay fabric).

Remote and roaming users access cloud services, or on-prem services at data centres, over secure channels via cloud secure gateways.

Cloud-based secure gateways or PoPs (Points of Presence) provide the underlay connection as the closest point to SD-WAN appliances, and act as secure Internet gateways for remote/roaming users.

Cloud-based secure gateways, as the crucial part of SASE, provide multi-stacked security features such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Firewall as a Service (FWaaS), DNS-layer security and so on.

All Internet- or cloud-bound traffic among data centres, branches and remote/roaming users is inspected and protected by a single stack providing multi-layered security features.


SASE, the VPN 2.0

By Superfast IT Networks

Traditional VPNs allow two IP-enabled devices to communicate with each other through a secure tunnel remotely over the Internet, just as if the devices were connected on the same physical local network. VPNs were originally designed to allow a few employees within a company to work remotely. However, as a result of the global pandemic, the majority of businesses were forced to allow employees to work remotely, putting a massive strain on traditional VPNs. Although the traditional VPN is widely used and suits the general purpose of interconnecting remote networks quite well, it has some serious drawbacks for security, monitoring and management of endpoints, and it was not built with the massive adoption of cloud applications in mind.


Figure 1 – Traditional VPN Setup

From a technology management perspective, VPNs are highly demanding. They require configuration, deployment, troubleshooting, monitoring, and decommissioning of each user. As VPNs are the gatekeepers of the entire corporate network, they require constant attention. And a number of additional systems are needed to support a VPN to deliver daily connectivity, onboarding, offboarding, and general monitoring. Furthermore, these legacy solutions rely on aging and cumbersome hardware and software, and as a result, can be quite difficult to integrate with the many other components of an enterprise’s technology and security stack. The continuous bandwidth required to keep VPNs afloat is not only costly, but also often taps senior IT resources, distracting them from more proactive, impactful, and innovative business imperatives.

SASE (Secure Access Service Edge) is a simpler and safer access solution that companies can embrace to take advantage of the true power of the cloud. SASE enables IT personnel to closely monitor all inbound firewall ports, and can bring intelligence into decision making, looking at users, devices and locations, as well as patterns of access, which raises the level of security. As SASE is cloud-based, it doesn't need to backhaul internet traffic through data centers. Instead, SASE sends traffic through globally distributed PoPs (Points of Presence). The PoP inspects the traffic and then sends it over the internet or the SASE architecture to its destination.

For example, suppose an employee is connecting by VPN into his corporate network from his Sydney home, and the data center happens to be in Melbourne. Ordinarily all the traffic would be directed to the Melbourne data center. However, if he is accessing internet content, it would be optimal to egress that traffic directly from Sydney; SASE enables this. Only when the user wants to access resources in the Melbourne office will his traffic be backhauled to the data center. All internet traffic will exit directly from the nearest PoP while maintaining the same level of security seen at the data center.
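The steering decision in the Sydney/Melbourne example, as an added illustration written for this page (it is not code from the original post or from any SASE vendor): internet-bound traffic leaves at the nearest PoP, traffic for private address ranges is backhauled to the data centre, and a device posture check gates access to private applications. The PoP coordinates, the address ranges and the posture flag are constructed assumptions.

```python
"""Model of SASE traffic steering: internet-bound traffic egresses at the
nearest PoP, private-application traffic is backhauled to the data centre,
and a device posture check gates access to private applications.
Constructed example; PoP coordinates and address ranges are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed private ranges reachable only via the Melbourne data centre.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Constructed PoP table: name -> (latitude, longitude).
POPS = {
    "syd": (-33.87, 151.21),
    "mel": (-37.81, 144.96),
    "per": (-31.95, 115.86),
}


@dataclass
class Flow:
    user: str
    device_managed: bool   # posture reported by the endpoint agent (assumed)
    user_lat: float
    user_lon: float
    dst_ip: str


def nearest_pop(lat, lon):
    """Choose the PoP with the smallest squared coordinate distance.
    Good enough for a model; a real service would use measured latency."""
    return min(POPS, key=lambda p: (POPS[p][0] - lat) ** 2 + (POPS[p][1] - lon) ** 2)


def steer(flow):
    """Return (pop, action) where action is 'block', 'backhaul' or 'direct'."""
    pop = nearest_pop(flow.user_lat, flow.user_lon)
    dst = ip_address(flow.dst_ip)
    private = any(dst in net for net in CORPORATE_NETS)
    if private and not flow.device_managed:
        return pop, "block"       # private apps only from managed devices (zero-trust style)
    if private:
        return pop, "backhaul"    # tunnel from the PoP on to the Melbourne data centre
    return pop, "direct"          # inspect at the PoP, then egress to the internet locally


if __name__ == "__main__":
    home = Flow("alice", True, -33.90, 151.20, "10.1.2.3")       # Sydney home, corporate app
    web = Flow("alice", True, -33.90, 151.20, "93.184.216.34")   # Sydney home, public website
    print(steer(home))   # ('syd', 'backhaul')
    print(steer(web))    # ('syd', 'direct')
```

The point of the model is that the decision is made at the PoP, not at the data centre: the same user from the same location gets a local breakout for public destinations and a backhauled tunnel for corporate ones, and an unmanaged device never reaches the private ranges at all.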

Figure 1 – SASE Setup

As shown in the image above, SASE is a global cloud backbone with multiple functions built right in, such as network security, DNS filtering, Firewall as a Service (FWaaS) and Data Loss Prevention (DLP). SASE is not just another VPN; it is so much more. The beauty of SASE is a set of capabilities that you can adopt or introduce at your own pace, adopting the services that are right for your business, your budget and your use cases. Some SASE capabilities, such as Secure Access or Zero Trust, are a set of security controls that follow the user, whether they are at home or in the office. SASE puts you in control to adopt at your own speed, whether you need to sweat VPN assets or provide more business-centric security and rigour to support a good posture for internal or external compliance/regulatory standards.

Cloud Access Security Broker (CASB)

By SASE

CASB

A CASB is on-premises or cloud-based software that sits between cloud service users and cloud applications, monitors all activity and enforces security policies. A CASB can offer a variety of services such as monitoring user activity, warning administrators about potentially hazardous actions, enforcing security policy compliance, and automatically preventing malware. CASB sales have soared as cloud security concerns have grown, especially over the use of “Shadow IT” cloud services that IT security teams don’t know about.

Four foundations of CASB architecture

  1. Visibility

CASB gives enterprises visibility over user activity in the cloud, including cloud applications that are off site and prone to governance risk and the compliance processes of the organization. The visibility features that CASB offers allow controllers to view who uses which cloud app, along with the departments, geo-locations and devices affiliated with those users.

  2. Compliance

CASB enforces data loss prevention policies at a granular level to meet compliance requirements. It helps in identifying sensitive data in the cloud that might be vulnerable and of high risk.

  3. Data Security

Data security features such as encryption, tokenization and access control, including information rights management, are governed by CASB.

  4. Threat Protection

A CASB’s position as a middle man helps detect and respond to malicious threats, privileged user threats and compromised accounts.

Why do we require CASB?

With the enrollment of various cloud features and service technologies, endpoint users face hardship maintaining database integrity in the cloud. Even an enterprise, when it comes to cloud computing, may not be aware of the human errors and data leaks it faces on site, even before the data path is created for an offsite transmission.

CASB has multiple use-cases for the enterprise:

  • Secure Shadow IT

Shadow IT is the unauthorized use of cloud services by line of business staff. IT teams are usually not aware of the Shadow IT. It has no governing policies, is not subject to corporate security and compliance. This exposes the enterprise to a huge deal of security risks.

A recent Intel Security survey of more than 2,000 IT personnel shows that 40 percent of cloud services are running without the involvement of IT. As a result, IT professionals think that shadow IT is interfering with their ability to keep cloud services secure. The majority of respondents said that malware has been traced back to those cloud applications.

  • Govern Device Usage

CASB can simultaneously monitor and control user activities as the users are browsing cloud services from endpoint devices, app or client. It helps identify device ownership class, privileged accounts and prevents unauthorized activities in the cloud.

  • Secure Data

CASBs can prevent data exfiltration from an approved to an unsanctioned cloud service, enforce separate policies for personal and corporate instances of the same cloud service, enforce a policy at the activity or data level across a group of services, enforce conditional activity-level policies, enforce layered policies, and apply encryption when it comes to data protection.

  • Block Malware

A CASB can provide an enterprise with protection against threats, shielding against and remediating malware in a sanctioned cloud service or moving to and from an unsanctioned cloud service. It also alerts the enterprise about login anomalies and excessive downloads or uploads, and prevents data infiltration involving new employees.
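The "Secure Data" and "Block Malware" use cases above describe policy decisions a CASB makes on a stream of cloud activity. The following is an added example written for this page, not code from any CASB vendor: it runs three detections (upload to an unsanctioned service, login from a country outside the user's baseline, and a burst of downloads within a short window) over constructed activity records, and maps each alert to an enforcement action. The service names, thresholds, country baselines and records are all made up.

```python
"""Detection logic of the kind a CASB applies to cloud activity records:
uploads to unsanctioned services, logins from unexpected countries and
excessive downloads in a short window. Constructed example: the records,
service names and thresholds are made up, and this is not any vendor's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Policy (assumed): sanctioned corporate services; anything else is shadow IT.
SANCTIONED = {"drive.example-corp.com", "crm.example-corp.com"}
DOWNLOAD_LIMIT = 3               # downloads per user within WINDOW raise an alert
WINDOW = timedelta(minutes=10)
KNOWN_COUNTRIES = {"alice": {"AU"}, "bob": {"AU"}}   # baseline per user (assumed)

# Constructed activity records: (timestamp, user, action, service, country)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "login",    "drive.example-corp.com", "AU"),
    ("2024-05-01T09:01:00", "alice", "download", "drive.example-corp.com", "AU"),
    ("2024-05-01T09:02:00", "alice", "download", "drive.example-corp.com", "AU"),
    ("2024-05-01T09:03:00", "alice", "download", "drive.example-corp.com", "AU"),
    ("2024-05-01T09:04:00", "alice", "upload",   "share.unsanctioned-example.net", "AU"),
    ("2024-05-01T09:05:00", "bob",   "login",    "crm.example-corp.com", "RO"),
    ("2024-05-01T11:00:00", "bob",   "download", "crm.example-corp.com", "AU"),
]


def evaluate(events):
    """Return (user, rule, detail) alerts in the order the records trigger them."""
    alerts = []
    downloads = defaultdict(list)   # user -> timestamps of downloads inside WINDOW
    for ts, user, action, service, country in events:
        t = datetime.fromisoformat(ts)
        if action == "login" and country not in KNOWN_COUNTRIES.get(user, set()):
            alerts.append((user, "login_anomaly", f"login from {country}"))
        if action == "upload" and service not in SANCTIONED:
            alerts.append((user, "unsanctioned_upload", service))
        if action == "download":
            recent = [d for d in downloads[user] if t - d <= WINDOW]
            recent.append(t)
            downloads[user] = recent
            if len(recent) == DOWNLOAD_LIMIT:    # fire once, when the threshold is crossed
                alerts.append((user, "excessive_downloads", f"{len(recent)} in {WINDOW}"))
    return alerts


def enforcement(alerts):
    """Map alerts to the action the policy takes: block uploads to shadow IT,
    step up authentication on login anomalies, notify an admin on download bursts."""
    actions = {"unsanctioned_upload": "block", "login_anomaly": "step_up_auth",
               "excessive_downloads": "notify_admin"}
    return [(user, actions[rule]) for user, rule, _ in alerts]


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The download rule fires exactly once when the threshold is crossed rather than on every subsequent download, which is what you want from an alert that feeds an admin queue; the sliding window means bob's single download two hours later does not count towards a burst.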

Where does CASB run?

CASB is found in both onsite premises and offsite in the cloud. But logically it sits between the user and the cloud acting as the middle man. Considering the physical location, a CASB has to be in either of the two places i.e. in a corporate data center or in the cloud itself. It depends on the user choice and as to what sort of network deployment they prefer. CASB can be used as a SaaS or hosted on a physical or virtual appliance.

How does CASB function?

CASB mainly operates in 2 ways. It can either be set up as a proxy i.e. Forward proxy or a Reverse proxy – or it can function in API mode using the cloud service providers APIs to maintain cloud access and apply security policies. Increasingly CASBs are becoming “mixed mode” or “multi-mode”.

Forward Proxy

All types of cloud application can use a forward proxy. All the data passes through the forward proxy, but this requires the installation of the proxy’s self-signed certificate on every single device that accesses the proxy. In a large corporate organization with a distributed environment, a large number of employees and employee-owned mobile devices, this can be difficult to deploy.

Reverse Proxy

The reverse proxy method is much easier because it is accessible from any device, anywhere, without the need for special configuration or certificate installation. The downside to a reverse proxy is that it can’t work with client-server type applications, which have hard-coded hostnames.

API-Based Systems

API-based systems are easy to deploy in comparison to the other two. The drawback is that the range of cloud applications they can work with fully is limited, as not all applications provide API support.

“Proxy or API architectures from CASB have different abilities to perform different actions, which have various implications for how that provider delivers the four pillars for a specific cloud service,” Gartner says.

Over the next few years, Gartner expects many cloud service providers to have their own APIs.

One CASB may not be enough

The capabilities of CASBs, whether forward proxy, reverse proxy, API-based or multimode, vary. CASBs differ from each other because the development of each is at the mercy of the vendor who built it. Just because one CASB supports an application doesn’t mean it supports it as much, or to the same extent, as another CASB.

Choosing a CASB that supports the application an enterprise uses now, and are likely to use in the future might be a challenge. Mostly office apps like CRM, HR and ERP are generally well supported but industry specific apps e.g., healthcare industry might not be.

One piece of advice handed out by Gartner is to “be cautious when entering into long-term contracts. Build in flexibility, as you may require more than one CASB or may need to change from a current provider to one that supports your enterprise use case thoroughly.”

CASB Market size

The CASB market size has grown by a significant number as the demands for cloud security and middle man data security rises. The CASB market is expected to grow from $3.4 billion in 2015 to $7.5 billion in 2020, with a compound growth rate of 17.6%.

The increasing adoption of cloud-based applications such as Office 365, Salesforce and Google Apps is playing a major role in fuelling the growth of the CASB market.

More than a dozen CASB startups have been launched since 2010, and a number of major CASB vendors have been acquired by bigger players in IT security.

Major CASB vendors include:

  • Bitglass
  • Blue Coat (owned by Symantec)
  • CipherCloud
  • CloudLock (owned by Cisco)
  • Forcepoint (through Skyfence acquisition; owned by Raytheon)
  • Microsoft (through Adallom acquisition)
  • Netskope
  • Skyhigh Networks (acquired by McAfee)

Cisco Meraki SD-WAN Auto VPN

By SD-WAN, Superfast IT Networks

Site-to-Site VPN is an essential part of SD-WAN, as it provides secure data transport across sites. Cisco Meraki allows you to build Site-to-Site VPN connections across remote sites easily and quickly using Auto VPN. Auto VPN, a proprietary technology developed by Meraki, uses a VPN Registry in the Meraki Cloud to control VPN connections.

Meraki MX security appliances interact with the VPN Registry by exchanging Register messages that contain the IP address and the UDP port the MX appliances communicate on, and the MX appliances request the contact information of their peer MX appliances.

The VPN Registries respond to the MX appliances with the contact information of the peers the MX appliances should establish tunnels with.

Once the MX appliances have the information about their peers, VPN tunnels are established between them. The Meraki Cloud pushes a key to the MX appliances that is used to establish AES-encrypted IPsec tunnels. Local subnets for VPN communications are shared across the VPN. VPN routes are pushed from the Dashboard to the MX appliances for this process. Finally, the Dashboard dynamically pushes VPN peer information to each MX appliance. Every MX appliance stores this information in a separate routing table.
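The registration exchange just described, modelled as an added example for this page (it is not Meraki's code, and the message shapes are a simplification rather than the real wire protocol): each appliance sends a Register message carrying its public IP, UDP port and local subnets, the registry answers with the contact details of every other member, and each appliance installs a VPN route per peer subnet. The site names, addresses (from documentation ranges) and ports are constructed; the second registration pass stands in for the registry re-pushing peer information once all members have joined.

```python
"""Model of the Auto VPN registration exchange: each appliance sends a Register
message with its public contact details and local subnets, the registry answers
with its peers, and each appliance builds a VPN routing table from the peers'
subnets. Constructed example; the message shapes are a simplification for
illustration, not Meraki's wire protocol."""
from dataclasses import dataclass, field


@dataclass
class Register:              # appliance -> registry
    mx_id: str
    public_ip: str
    udp_port: int
    subnets: list


@dataclass
class PeerInfo:              # registry -> appliance
    mx_id: str
    public_ip: str
    udp_port: int
    subnets: list


class VpnRegistry:
    """Cloud-side directory of appliances that should form a full mesh."""

    def __init__(self):
        self.members = {}

    def register(self, msg):
        """Record the sender, then answer with contact info for every other member."""
        self.members[msg.mx_id] = msg
        return [PeerInfo(m.mx_id, m.public_ip, m.udp_port, m.subnets)
                for m in self.members.values() if m.mx_id != msg.mx_id]


@dataclass
class MxAppliance:
    mx_id: str
    public_ip: str
    udp_port: int
    local_subnets: list
    vpn_routes: dict = field(default_factory=dict)   # subnet -> (peer ip, peer port)

    def join(self, registry):
        """Register, then install a VPN route for every subnet each peer advertised."""
        peers = registry.register(
            Register(self.mx_id, self.public_ip, self.udp_port, self.local_subnets))
        for p in peers:
            for subnet in p.subnets:
                self.vpn_routes[subnet] = (p.public_ip, p.udp_port)
        return peers


def build_mesh(appliances, registry):
    """Two registration passes: on the first pass an early member does not yet
    know the later ones, so the second pass models the registry re-pushing peer
    information once everyone has registered. Returns mx_id -> routing table."""
    for _ in range(2):
        for mx in appliances:
            mx.join(registry)
    return {mx.mx_id: dict(mx.vpn_routes) for mx in appliances}


def example_mesh():
    """Constructed three-site deployment; addresses and ports are made up."""
    sites = [
        MxAppliance("hq",      "203.0.113.10", 40001, ["10.10.0.0/16"]),
        MxAppliance("branch1", "198.51.100.5", 40002, ["10.20.0.0/24"]),
        MxAppliance("branch2", "192.0.2.77",   40003, ["10.30.0.0/24", "10.31.0.0/24"]),
    ]
    return build_mesh(sites, VpnRegistry())


if __name__ == "__main__":
    for mx_id, routes in example_mesh().items():
        print(mx_id, routes)
```

Because the routing table is keyed by the peer's advertised subnet, an appliance never installs a route for its own subnets, and a peer that advertises two subnets gets two entries pointing at the same public IP and port.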

Versa Titan Application Monitoring

By SD-WAN, Superfast IT Networks

From the perspective of network management and troubleshooting, visibility into the network is a known challenge with traditional WAN. A third-party NMS needs to be implemented to monitor a traditional WAN. With advanced SD-WAN, however, monitoring is a built-in feature.

In the last blog, we showed that you can monitor live traffic on remote sites. Will that be enough? When congestion happens on the circuits, you probably want to know which applications consumed the bandwidth and caused the congestion. This can easily be done from the Versa Titan management portal, which is hosted on the Versa Cloud and is accessible from anywhere with connectivity. In addition, it can also be accessed and managed from a dedicated mobile application.

The Versa portal provides basic monitoring features on edge devices, such as device information including CPU, disk and memory utilization; SD-WAN connectivity; interface status; bandwidth usage, etc. You can also have visibility into the circuit for application usage, as shown in the pictures below.

Platform Exchange Grid

By Superfast IT Networks

Keeping a network and its connected devices secure and operating smoothly requires numerous IT tools and platforms. This is especially true in today’s IT infrastructure. The information created between them is not shared. These tools and platforms work perfectly within their own domains, but the information cannot be shared with other platforms to help build a self-adapting ecosystem. While this issue has been addressed using purpose-built, platform-independent APIs, the number of platforms means the cost of learning and mastering those APIs would be unacceptable and could create further unnecessary tasks.

Cisco Platform Exchange Grid, known as pxGrid, enables multivendor, cross-platform network system collaboration among parts of the IT infrastructure such as security monitoring and detection systems, network policy platforms, asset and configuration management, identity and access management platforms, and virtually any other IT operations platform. When business or operational needs arise, ecosystem partners use pxGrid to exchange contextual information with Cisco products that support pxGrid.

Cisco pxGrid provides a unified framework that enables ecosystem partners to integrate with pxGrid once, then share context either unidirectionally or bidirectionally with many platforms without the need to adopt platform-specific APIs. pxGrid is secure and customizable, enabling partners to share only what they want to share and consume only context relevant to their platform.

Key features of pxGrid include:

• Ability to control what context is shared and with which platforms: Because pxGrid is customizable, partners can “publish” only the specific contextual information they want to share and can control the partner platforms that information gets shared with.
• Bidirectional context sharing: pxGrid enables platforms both to share or publish context and to consume or “subscribe to” context from specific platforms. These features are orchestrated and secured by the pxGrid server.
• Ability to share context data in native formats: Contextual information shared via pxGrid is exchanged in each platform’s native data format.
• Ability to connect to multiple platforms simultaneously: pxGrid enables platforms to publish only the context data relevant to partner platforms. Numerous context topics may be customized for a variety of partner platforms, yet always shared via the same reusable pxGrid framework. Furthermore, sharing only relevant data enables both publishing and subscribing platforms to scale their context sharing by eliminating excess, irrelevant data.
• Integration with Cisco platforms: pxGrid provides a unified method of publishing or subscribing to relevant context with Cisco platforms that utilize pxGrid for third-party integrations.
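To make the publish/subscribe model in the feature list concrete, here is an added example written for this page (it is not the pxGrid protocol or Cisco's code): a small broker in which the platform that owns a topic decides which partner platforms may subscribe, only the owner may publish to it, and the payload is handed to subscribers unchanged. The platform names, the "session" topic and the payload are constructed.

```python
"""Model of pxGrid-style context sharing: a platform registers a topic it will
publish, names which platforms may subscribe, and the grid delivers published
context only to authorised subscribers. Constructed example; it is not the
pxGrid protocol or Cisco's code, and the platform names and payloads are made up."""
from collections import defaultdict


class ContextGrid:
    """Broker that enforces who may publish to, and who may subscribe to, each topic."""

    def __init__(self):
        self.topics = {}                       # topic -> {"owner": str, "allowed": set}
        self.subscribers = defaultdict(dict)   # topic -> {platform: callback}

    def create_topic(self, owner, topic, allowed):
        """The publishing platform decides which partner platforms may consume the topic."""
        self.topics[topic] = {"owner": owner, "allowed": set(allowed)}

    def subscribe(self, platform, topic, callback):
        if topic not in self.topics:
            raise KeyError(topic)
        if platform not in self.topics[topic]["allowed"]:
            raise PermissionError(f"{platform} may not subscribe to {topic}")
        self.subscribers[topic][platform] = callback

    def publish(self, platform, topic, payload):
        """Only the topic owner may publish; returns the platforms that received it."""
        if self.topics.get(topic, {}).get("owner") != platform:
            raise PermissionError(f"{platform} does not own {topic}")
        delivered = []
        for name, callback in self.subscribers[topic].items():
            callback(payload)            # passed through in the publisher's native format
            delivered.append(name)
        return delivered


def demo():
    """Constructed scenario: an identity platform shares session context with a
    SIEM and a firewall, and a third platform that was not authorised is refused.
    Returns (platforms delivered to, what each received, whether the refusal happened)."""
    grid = ContextGrid()
    received = defaultdict(list)
    grid.create_topic("identity-platform", "session", allowed={"siem", "firewall"})
    grid.subscribe("siem", "session", lambda ctx: received["siem"].append(ctx))
    grid.subscribe("firewall", "session", lambda ctx: received["firewall"].append(ctx))
    refused = False
    try:
        grid.subscribe("unrelated-tool", "session", lambda ctx: None)
    except PermissionError:
        refused = True
    session = {"user": "alice", "ip": "192.0.2.10", "posture": "compliant"}   # constructed
    delivered = grid.publish("identity-platform", "session", session)
    return delivered, dict(received), refused


if __name__ == "__main__":
    print(demo())
```

The allow-list lives with the topic, so a subscriber that is authorised for one topic gains nothing on another, and a platform that did not create a topic cannot inject context into it.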

Cisco Meraki SD-WAN Bandwidth Control

By SD-WAN, Cisco Meraki

Bandwidth control is necessary to keep business-critical traffic performing properly over WAN links. In many cases, we apply QoS policies using DSCP-based marking for business-critical or latency-sensitive traffic in order to guarantee services. QoS policy setup is relatively complicated, and it takes a long time to apply and update it across the entire network. In fact, stable performance is limited with only queue-scheduler-based control. A granular level of control, for example per-client or up/down bandwidth control, is required to consume WAN bandwidth effectively, and it eventually results in better performance.

Cisco Meraki provides its solution for WAN bandwidth control on the security SD-WAN platform through the Meraki Cloud Dashboard. The simple and intuitive menu helps you create and apply policies and features quickly to Meraki platform networks.

Global bandwidth limits allow you to limit each client device’s total network traffic (incoming/outgoing). Enabling SpeedBurst provides a faster Internet browsing experience by allowing users to exceed their assigned limit for a short period of time.

    Meraki Shaping rule

Administrators can create and add traffic shaping rules under Traffic shaping rules. The definition of each rule specifies traffic matching criteria on pre-defined or user-defined traffic. Matched traffic is subject to enhanced bandwidth limitation rules, priority and DSCP tagging.
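The per-client limit with a short burst allowance and the ordered shaping rules described in the last two sections, as one added example written for this page (not the Meraki dashboard's or SpeedBurst's implementation): a token bucket models a sustained limit that a client may briefly exceed by spending tokens saved while idle, and an ordered rule list assigns priority and a DSCP value to matched traffic. The rates, packet sizes, rule definitions and addresses are constructed.

```python
"""Model of per-client bandwidth limiting with a short burst allowance, plus
rule matching that assigns priority and DSCP. Constructed example written for
this page; it is not how the Meraki dashboard or SpeedBurst is implemented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenBucket:
    """Sustained rate plus a burst: a client may briefly exceed its limit by
    spending tokens saved while idle, then falls back to the steady rate."""
    rate_bps: float       # sustained limit in bytes per second
    burst_bytes: float    # maximum tokens, i.e. how far the client may burst
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bytes   # start full so the first burst is allowed

    def allow(self, nbytes, now):
        """Refill for the elapsed time (capped at the burst size) and try to spend."""
        self.tokens = min(self.burst_bytes, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def accepted(rate_bps, burst_bytes, packets):
    """Count packets (time_s, nbytes) that pass a per-client bucket; rejected
    packets here stand in for traffic a real shaper would queue or police."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return sum(1 for t, n in packets if bucket.allow(n, t))


@dataclass
class ShapingRule:
    name: str
    dst_net: Optional[str]     # match destination network, or None for any
    dst_port: Optional[int]    # match destination port, or None for any
    priority: str
    dscp: int

    def matches(self, dst_ip, dst_port):
        if self.dst_net and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        return True


# Constructed rules: voice signalling gets high priority and EF (DSCP 46);
# traffic to a backup server gets low priority and CS1 (DSCP 8).
RULES = [
    ShapingRule("voice", None, 5060, "high", 46),
    ShapingRule("backup", "192.0.2.0/24", None, "low", 8),
]
DEFAULT = ("normal", 0)


def classify(dst_ip, dst_port, rules=RULES):
    """First matching rule wins, as in an ordered rule list."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.priority, rule.dscp
    return DEFAULT


if __name__ == "__main__":
    burst = [(0.0, 500)] * 5 + [(1.0, 500)] * 3   # five packets at once, three more a second later
    print(accepted(1000, 2000, burst))   # 6 accepted with a 2000-byte burst allowance
    print(accepted(1000, 500, burst))    # 2 accepted without a burst allowance
    print(classify("10.0.0.9", 5060))    # ('high', 46)
```

With the same 1000 bytes/s sustained limit, the bucket with a 2000-byte burst passes four packets immediately and two more a second later, while the bucket with no spare burst capacity passes one packet in each period; that difference is the "exceed the limit for a short period" behaviour, and the steady-state rate is unchanged either way.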

A web cache feature is also available on some Meraki appliance platforms, which improves the end-user experience by reducing page load times and file download times for frequently accessed web content.
