Secure Direct Internet Access
In the traditional WAN, network administrators backhaul internet traffic from remote sites to a central location where the security services are deployed. Those services inspect the internet-bound traffic, and the return traffic is routed back to the remote site. As internet traffic has grown with the adoption of cloud services and internet-based applications, backhauling everything to the HQ site no longer scales: it increases bandwidth utilization on the private WAN and adds latency, which degrades application performance.
The primary requirement of the DIA use case is to let users send internet traffic directly from the remote site WAN Edge router via the local internet exit. Offloading internet traffic from the private WAN circuit reduces bandwidth consumption and latency, lowers the cost of WAN links, and improves the branch office user experience by giving remote site users direct internet access.
The second requirement is to protect the remote site's internet access from intrusion and other malicious activity or threats. In this use case the network administrator configures the Enterprise Firewall with Application Awareness to inspect and limit access to cloud applications; Snort IPS and intrusion detection system (IDS) to inspect traffic and block known attack or malware signatures; Cisco URL Filtering for content filtering; Cisco Secure Endpoint to prevent the download of malicious content or files; and DNS layer security for an extra layer of protection at the DNS layer.
The primary Cisco SD-WAN features leveraged within this use case include:
- Secure Segmentation to segment user traffic into zones and VPNs.
- Centralized data policy or a NAT DIA route to enable local internet exit at the remote site.
- Enterprise Firewall with Application Awareness, IPS, Cisco URL Filtering, Cisco Secure Endpoint, and DNS layer Security to maintain a secure branch network.
In addition to the on-box security services, the WAN Edge devices can integrate with cloud security services, such as Cisco Umbrella, to provide an extra level of security, such as web or content filtering, in the cloud. You can use this feature at sites where the devices do not support the entire stack of security services or lack the power required to implement the entire stack of security services without impacting the performance.
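The NAT DIA route listed above, shown as an added configuration example on a Cisco IOS XE SD-WAN WAN Edge (this is not configuration from the original page or generated by vManage; the service VPN number, interface name and branch subnet are assumptions):

```cisco
! Added example, not from this page. Assumptions: service VPN 10 carries the
! branch users, GigabitEthernet1 is the transport interface facing the local
! internet exit, and 10.10.0.0/16 is the branch LAN.
!
! Only the transport-side interface is marked NAT outside, so translation
! can happen on the internet-facing side alone, never on the LAN side.
interface GigabitEthernet1
 ip nat outside
!
! Match only the branch user subnet; traffic from any other source is not
! translated and therefore cannot use the local exit.
ip access-list standard nat-dia-vpn-hop-access-list
 permit 10.10.0.0 0.0.255.255
!
! Overload (PAT) the matched users behind the transport interface address.
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload
!
! The NAT DIA route: in service VPN 10, send default-route (internet) traffic
! to the global transport VRF instead of across the SD-WAN overlay to HQ.
ip nat route vrf 10 0.0.0.0 0.0.0.0 global
!
! Verification after applying: "show ip nat translations" should list only
! entries whose inside local address falls within 10.10.0.0/16.
```

The route alone only opens the local exit; the security policy (firewall zones, IPS, URL filtering, DNS layer security) still has to be applied to the service VPN so that this traffic is inspected before it leaves the branch.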
Security Policy Use Case Wizard
To secure Direct Internet Access deployment, you use Cisco vManage to apply security policies to the edge devices. Cisco vManage provides a use case-based security policy wizard, as shown in the figure. DIA is among the available use cases. If you prefer, you can instead use a custom security policy workflow to give you complete control over the specific security features within the security policy.