Enforcing Zero Trust Access with Cisco SD-WAN


As applications become distributed across clouds, data centers, SaaS, and the edge, enterprises need to enable secure access to these applications for their workforce from anywhere. Implementing Secure Access Service Edge (SASE) is a popular approach for enabling secure access to distributed applications by a hybrid workforce and the growing number of IoT devices.

Zero trust is one of the most common starting points for enterprises that are beginning their SASE journey. Many enterprises are either in the process of adopting zero trust or have already adopted it. The initial shift was largely driven by the large number of remote workers resulting from the pandemic. However, many enterprises are now transitioning to hybrid environments, with the workforce distributed from campuses to branches to offices.

This hybrid workplace, along with the increasing reliance on distributed cloud and SaaS applications, requires a network architecture that provides scalable and distributed zero-trust security enforcement close to the endpoints and the users of those endpoints. This maximizes the bandwidth utilization of the WAN link while ensuring that there is no central choke point through which all traffic must be redirected. In addition, to counter real-time threats, IT needs the network to continuously monitor and evaluate the security posture of devices after application access has been granted.

The latest enhancements to the SD-WAN security architecture are designed to support this new paradigm of distributed applications and hybrid workforces. Now, the tight integration between Cisco SD-WAN and Cisco Identity Services Engine (ISE) allows IT to apply zero trust security functions to the traffic that traverses an SD-WAN fabric.

Cisco ISE Configures Security Posture in the SD-WAN Fabric for Zero Trust

Delivering a Zero Trust approach for SD-WAN traffic requires four key functionalities: application access policies based on the desired security posture (who can access what); security controls for admitted traffic; continuous enforcement; and immediate adaptation to security posture changes, all enforced with a consistent model for on-premises, mobile, and remote devices and workforce.

Cisco ISE supports the configuration of security posture policies in the SD-WAN fabric. When a user's device or an IoT endpoint connects to the network, the posture of the device is evaluated against the configured policy, and an authorization decision is made based on that outcome. For instance, the result of a device posture assessment can be compliant, non-compliant, or unknown. This posture assessment result determines an authorization policy, which can include the assignment of a Security Group Tag (SGT) and other authorization attributes to the device and its user. Details of how this is configured in Cisco ISE are captured in this technical article and video.

In addition, Cisco ISE shares the security group tags and session attributes with the Cisco SD-WAN ecosystem. IT can use this information to create identity groups and associate security policies in Cisco vManage, enabling access by specific user groups to applications over the SD-WAN fabric all the way to the edge.

The screenshots of the Cisco vManage console in Figures 1 to 3 illustrate how Cisco vManage learns a set of security group tags from ISE.

Figure 1: Identity groups pulled from ISE and displayed in Cisco SD-WAN vManage

Figure 2: Creation of identity lists that include a group of security groups; identity lists are used in the security policy configuration

Figure 3: Security policy configuration based on identity lists

Monitoring of Security Posture Guards Against Attacks

Cisco ISE also supports periodic reassessment of device posture (described in detail in this video). Any change in posture triggers a change of authorization, which results in a different security policy being enforced at the SD-WAN edge. This enables the network and endpoints to work in unison to deliver zero trust capabilities. The following three use cases highlight what is possible with the deep integration of Cisco ISE and SD-WAN solutions.

  • IT can configure a posture policy that requires an Anti-Malware Protection (AMP) agent to be running on endpoints to detect malicious files. When the owner of a device connects to the network, the posture is assessed and determined to be compliant, with a running AMP agent. The compliant status results in a specific SGT being assigned to the traffic, with the associated authorized access. As an added benefit in this case, the SD-WAN router will not perform the network AMP function when AMP is already running on the endpoint. However, if the AMP process on an endpoint is terminated, either voluntarily or involuntarily, ISE will detect this through periodic posture assessment. The endpoint's non-compliant status will result in a more restrictive SGT being assigned. On the SD-WAN router, a policy for non-compliant traffic will trigger the network-based AMP function for traffic originating from that endpoint. As a result, the network and endpoint work in unison to ensure that the right policies continue to be enforced effectively.
  • IT can configure a posture policy that prohibits the insertion of a USB device into an endpoint. When a device connects to the network without a USB attached, ISE assesses its posture as compliant, and traffic from the device is therefore permitted to traverse the network. If a USB is attached to the device, ISE will immediately detect the non-compliant status and perform a change of authorization, assigning a different SGT that the SD-WAN edge can use to block all traffic from the device for as long as the USB is attached.
  • With Software-Defined Remote Access (SDRA), another key innovation of Cisco SD-WAN, the traffic from remote workers and their devices is processed by the SD-WAN edge as well as subjected to ISE posture assessment. This means that all the capabilities for posture-based application access apply to, and are available for, both on-premises and remote endpoints.
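The reassessment loop and the three use cases above, as an added example that is not Cisco code and uses none of the ISE or vManage APIs: a hypothetical model in which ISE evaluates posture policies in order, maps the outcome to an SGT, periodic reassessment fires a change of authorization when the SGT differs, and the SD-WAN edge maps the SGT to a per-flow policy. The SGT values, attribute names, and the default-deny handling of the "unknown" outcome are assumptions.

```python
# Added example, not Cisco code: a hypothetical model of the loop the post
# describes. ISE assesses endpoint posture, maps the outcome to a Security
# Group Tag (SGT), and the SD-WAN edge maps the SGT to a per-flow policy.
# SGT numbers, attribute names and the "unknown" handling are assumptions.
from dataclasses import dataclass, field
from typing import Optional

# Constructed SGT values; a real deployment assigns its own.
SGT_COMPLIANT, SGT_NO_AMP, SGT_USB_QUARANTINE, SGT_UNKNOWN = 10, 20, 30, 40

# Posture policies ISE evaluates, in order: (name, check that returns True
# when the endpoint satisfies it, SGT assigned when it does not).
POSTURE_POLICIES = [
    ("usb-not-attached", lambda ep: not ep.usb_attached, SGT_USB_QUARANTINE),
    ("amp-agent-running", lambda ep: ep.amp_running, SGT_NO_AMP),
]

# SD-WAN edge policy keyed by SGT. Unknown posture is blocked here by
# assumption (default deny); the post only says "unknown" is an outcome.
EDGE_POLICY = {
    SGT_COMPLIANT:      {"action": "allow", "network_amp": False},  # agent on host
    SGT_NO_AMP:         {"action": "allow", "network_amp": True},   # inspect on router
    SGT_USB_QUARANTINE: {"action": "block", "network_amp": False},
    SGT_UNKNOWN:        {"action": "block", "network_amp": False},
}

@dataclass
class Endpoint:
    name: str
    amp_running: Optional[bool] = None  # None: posture agent not reporting
    usb_attached: bool = False
    sgt: int = SGT_UNKNOWN              # current authorization, set by ISE
    coa_log: list = field(default_factory=list)  # (old_sgt, new_sgt) per CoA

def assess_posture(ep: Endpoint) -> tuple:
    """ISE posture assessment: returns (outcome, sgt)."""
    if ep.amp_running is None:
        return ("unknown", SGT_UNKNOWN)
    for _name, check, fail_sgt in POSTURE_POLICIES:
        if not check(ep):
            return ("non-compliant", fail_sgt)
    return ("compliant", SGT_COMPLIANT)

def reassess(ep: Endpoint) -> bool:
    """Periodic reassessment; True when a Change of Authorization (CoA) fired."""
    _outcome, new_sgt = assess_posture(ep)
    if new_sgt == ep.sgt:
        return False
    ep.coa_log.append((ep.sgt, new_sgt))
    ep.sgt = new_sgt
    return True

def edge_decision(ep: Endpoint) -> dict:
    """SD-WAN edge: policy applied to this endpoint's traffic, by its SGT."""
    return EDGE_POLICY[ep.sgt]
```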

Start the Journey to SASE with Zero Trust-Enabled Cisco SD-WAN

Cisco SD-WAN connects the workforce and IoT devices to any application using integrated capabilities for multicloud, security, and application optimization, all on a SASE-enabled architecture. Zero trust is a key capability of SASE, alongside SD-WAN, enterprise firewalls, a cloud access security broker, secure web gateways, malware protection, intrusion prevention system, URL filtering, and DNS-layer protection.

As organizations progress on their journey to SASE, Cisco SD-WAN's rich security capabilities enable Zero Trust functions across SD-WAN traffic to protect the network and devices in a scalable, optimal, and cost-effective way.

For more details on developments in Cisco SD-WAN

Cisco Innovations Produce a More Secure and Scalable SD-WAN Fabric

Cisco Secure SD-WAN Fabric is SecOps New Buddy

Cisco SD-WAN Multi-Region Fabric Unites Distributed Enterprises

Stay up to date with the latest in Cisco networking and get curated content from networking professionals at the Networking Experiences Content Center.
