This is part two of a three-part blog post describing Nuage Networks’ single-platform approach for the software-defined DC and SD-WAN. Read part one here.
Nuage Networks is the only vendor to provide true end-to-end seamless connectivity and policy across the DC, WAN, and Public Cloud.
The first post addressed SD-WAN, covering SD-WAN Beyond Connectivity and Advanced Networking with SD-WAN.
This second post addresses SD-WAN and the DC together, covering Security and Analytics for DC & WAN.
The third and last post will address the DC, covering Policy-automated 100G Switching and NFV & Telco Cloud.
SD-WAN and DC
Security and Analytics for DC & SD-WAN
In a multi-cloud environment, traditional security approaches that rely on perimeter security and segregate the DC from the WAN for flow analysis are inadequate. Nuage Networks introduced the industry’s first distributed, end-to-end (cloud, DC, branch) SDN security, visibility and security automation solution in late 2016. Nuage Networks’ Virtualized Security Services (VSS) complemented the micro-segmentation the VSP already provides to protect workloads, and added the ability to detect security threats while monitoring compliance using contextual network visibility and security analytics. It also enables the network to respond in near real time to incidents by dynamically automating security remediation processes to neutralize known threats.
The 5.0 release expands the VSS flow logic significantly to provide:
- Automated firewall rule generation based on real-time flow data
- Advanced ACL constructs that allow for complex rules to be expressed in simple hierarchical building blocks
- Support for Hyper-V environments in the DC
VSS has enhanced SD-WAN by adding Application-aware (L7) ACLs and (early availability of) URL Filtering based on dynamic categorization.
Application-aware (L7) ACLs
L4/port-based security controls do not provide sufficient granularity to allow or block specific applications from the branch to the outside. With L7 or application-aware ACLs, Nuage uses DPI and heuristics to identify the underlying application of each flow in real time, and the resulting application label is fed to the firewall rule engine. With this capability, a branch administrator can allow or deny the branch, or a branch user group, access to specific applications (e.g., Skype or Facebook). It also provides application-level visibility for traffic leaving the branch perimeter, which can accelerate the response to attacks: dynamic policies for branch traffic can be defined on L7 traffic analytics (e.g., DNS traffic exceeding a specified threshold).
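To make the difference between port-based and application-aware control concrete, here is an added example (my own illustration, not Nuage Networks code) of a minimal L7 ACL engine. It assumes an upstream DPI stage has already labelled each flow with an application name; the flows, rule syntax, user groups, DNS threshold and window are all constructed for the example. It also shows the analytics-driven dynamic policy the post mentions: a source that exceeds a DNS-query threshold inside a time window gets an automatically generated deny rule, the kind of automated firewall rule generation from flow data listed in the 5.0 features above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source host
    user_group: str   # branch user group (assumed to come from identity mapping)
    dst_port: int     # L4 destination port
    app: str          # L7 label assumed to be produced by a DPI stage, e.g. "skype"
    ts: float         # timestamp in seconds


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    user_group: str = "*"
    app: str = "*"
    src: str = "*"

    def matches(self, flow: Flow) -> bool:
        # "*" is a wildcard; every non-wildcard field must match exactly
        return all(want in ("*", have) for want, have in (
            (self.user_group, flow.user_group),
            (self.app, flow.app),
            (self.src, flow.src)))


L4_ALLOWED_PORTS = {53, 443}


def l4_decision(flow: Flow) -> str:
    """Port-only control: it cannot tell Facebook from any other HTTPS traffic."""
    return "allow" if flow.dst_port in L4_ALLOWED_PORTS else "deny"


class L7Acl:
    """Ordered L7 rules (first match wins) plus analytics-generated dynamic rules."""

    def __init__(self, rules, dns_threshold=5, window_s=10.0):
        self.rules = list(rules)
        self.dynamic = []                 # rules generated from flow analytics
        self.dns_threshold = dns_threshold
        self.window_s = window_s
        self.dns_seen = defaultdict(list)  # src -> timestamps of recent DNS flows

    def _track_dns(self, flow: Flow) -> None:
        hist = self.dns_seen[flow.src]
        hist.append(flow.ts)
        hist[:] = [t for t in hist if flow.ts - t <= self.window_s]
        already_blocked = any(r.src == flow.src for r in self.dynamic)
        if len(hist) > self.dns_threshold and not already_blocked:
            # analytics trigger: generate a deny rule for this source
            self.dynamic.append(Rule("deny", src=flow.src))

    def evaluate(self, flow: Flow) -> str:
        if flow.app == "dns":
            self._track_dns(flow)
        for rule in self.dynamic + self.rules:   # dynamic rules take precedence
            if rule.matches(flow):
                return rule.action
        return "deny"                            # default deny


# Constructed policy: guests may not use Skype, staff may; Facebook is blocked
# for everyone; ordinary HTTPS and DNS are allowed.
STATIC_RULES = [
    Rule("deny", user_group="guest", app="skype"),
    Rule("allow", app="skype"),
    Rule("deny", app="facebook"),
    Rule("allow", app="https"),
    Rule("allow", app="dns"),
]

# Constructed sample flows, including a burst of six DNS queries from one host.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "staff", 443, "skype", 0.0),
     Flow("10.0.0.9", "guest", 443, "skype", 0.5),
     Flow("10.0.0.5", "staff", 443, "facebook", 1.0)]
    + [Flow("10.0.0.7", "staff", 53, "dns", 2.0 + 0.1 * i) for i in range(6)]
    + [Flow("10.0.0.7", "staff", 443, "https", 3.0)]
)


def run_sample():
    """Return (src, app, L4 decision, L7 decision) per flow and the dynamic-rule sources."""
    acl = L7Acl(STATIC_RULES, dns_threshold=5, window_s=10.0)
    decisions = [(f.src, f.app, l4_decision(f), acl.evaluate(f)) for f in SAMPLE_FLOWS]
    return decisions, [r.src for r in acl.dynamic]


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(row)
```

Every sample flow is allowed at L4 because it uses port 443 or 53, while the L7 engine denies the guest's Skype session and the staff Facebook session, and, once the sixth DNS query inside the window crosses the threshold, denies all further traffic from that source. In a production system the dynamic rule would also need an expiry and an operator notification; both are omitted here.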
With URL filtering, users or administrators can secure local internet breakout from branch locations by blocking access to inappropriate or malicious content. Cloud-based controls can be used to define individual domain/URL-based whitelist/blacklist policies as well as category-based filtering policies (to block pornography or botnet sites, for example).
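The following added example (my own illustration, not Nuage Networks code) shows how the two kinds of policy just described typically combine: explicit whitelist and blacklist entries are checked first, and only then is the domain's category consulted. The category table is a constructed stand-in for the dynamic, cloud-based categorization feed the post refers to; the domains, categories and lists are all made up for the example. The hostname is extracted with the standard library so that URLs with userinfo or a port in them are still matched on the real host.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a cloud categorization feed (domain -> category).
CATEGORY_TABLE = {
    "social.example": "social-media",
    "cc.badbot.example": "botnet",
    "adult.example": "pornography",
    "news.example": "news",
}

# Constructed branch policy.
BLOCKED_CATEGORIES = {"pornography", "botnet"}
WHITELIST = {"corp.example"}      # always allowed, including subdomains
BLACKLIST = {"games.example"}     # always denied, including subdomains


def hostname_of(url: str) -> str:
    """Return the normalised host of a URL; userinfo and port are ignored."""
    host = urlsplit(url).hostname   # already lowercased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def parent_domains(host: str):
    """Yield host, then each parent domain, e.g. a.b.example -> b.example -> example."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def domain_listed(host: str, entries) -> bool:
    return any(d in entries for d in parent_domains(host))


def category_of(host: str) -> str:
    for d in parent_domains(host):
        if d in CATEGORY_TABLE:
            return CATEGORY_TABLE[d]
    return "uncategorized"


def decide(url: str):
    """Return (action, reason) for a URL under the policy above."""
    host = hostname_of(url)
    if domain_listed(host, WHITELIST):
        return "allow", "whitelist"
    if domain_listed(host, BLACKLIST):
        return "deny", "blacklist"
    category = category_of(host)
    if category in BLOCKED_CATEGORIES:
        return "deny", f"category:{category}"
    # Policy choice for this example: uncategorized domains are allowed.
    return "allow", f"category:{category}"


if __name__ == "__main__":
    for u in ("https://intranet.corp.example/login",
              "https://games.example/",
              "http://corp.example@cc.badbot.example/beacon",
              "https://www.adult.example/x",
              "https://news.example/"):
        print(u, decide(u))
```

The third sample URL is the check that matters most: a naive string match on the URL would see the whitelisted corp.example first, but the real host after the "@" is in the botnet category and is denied.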