
IWAN Wed: The Case for Direct Internet Breakout at Branch and IWAN

Simplify Branch Security with ISR

Cloud services and SaaS applications are enabling customers to accelerate their business processes and improve employee productivity while lowering their total IT spending. The Cisco IWAN solution helps organizations adopt cloud applications with an improved user experience by enabling local internet breakout from the branch, which eliminates the need to backhaul internet-bound traffic across the WAN link. This gives users a better experience through lower latency for internet applications, and it also frees up WAN bandwidth for other applications. Reduced WAN link usage also means lower IT spending on those links.

A study commissioned by Cisco in January 2014, covering 641 customers from the US and Europe and their MPLS usage and adoption of local internet breakout, found that 68% of the customers said that enabling direct internet access was an organizational focus for them. However, 54% of the total respondents reported that a lack of sufficient security in the branch environment hindered them from enabling local internet breakout at the branch. This was ranked as the #1 reason not to enable Direct Internet Access at branch sites.

The changing threat landscape

It is no surprise that enabling direct internet access at the branch increases the attack surface of the corporate environment and exposes the organization to a whole new set of attack vectors originating from outside the network. This is validated by the Cisco 2014 Annual Security Report, which confirms that the increased attack surface remains the #1 security challenge for customers. The report notes that “100 percent of business networks analyzed by Cisco have traffic going to websites that host malware”, and that Java exploits in trusted applications are the primary source of attacks in these environments.

In addition to handling the increased attack surface, the security model needs to be “continuous” in nature rather than a “point-in-time” solution, in order to defend against zero-day vulnerabilities and cyber-crime or malicious behavior that traditional signature-based approaches may not detect.

Integrated Threat Defense

The Cisco Cloud Web Security solution provides the industry’s most advanced web-security solution to defend against zero-day threats, malware and malicious websites, and to detect data breaches with innovative analytics. Cloud Web Security addresses the entire attack continuum, using heuristics and signatures backed by real-time threat intelligence drawn from 100TB of daily data, 13 billion web requests, 150 million endpoints and 1.6 million security devices. Cloud Web Security also lets organizations put appropriate web-usage policies in place for their users, including role-based usage and micro-app access controls.

The Flexible NetFlow capabilities in the ISR routers generate telemetry on network traffic that is critical for identifying security events and incidents. Because every packet that traverses the network infrastructure is accounted for, and because Flexible NetFlow attaches unique context to each flow, a security-centric NetFlow collector such as Lancope StealthWatch can alert the administrator to anomalous behavior, attacks or threats in the network.
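To make the telemetry point concrete, here is an added example (not Cisco or Lancope code) of the kind of analysis a flow collector performs on exported records. The flow records, the branch subnet 10.10.5.0/24 and the thresholds are all constructed for illustration; a real NetFlow v9/IPFIX export would be decoded from the wire rather than read from CSV. Two simple checks run over the flows: a host touching many distinct ports on one destination (scan-like behavior) and a LAN host pushing an unusually large volume to internet destinations (possible data exfiltration).

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export: NetFlow-style records from a branch ISR,
# flattened to CSV. Addresses and counters are hypothetical.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,bytes,packets
10.10.5.23,203.0.113.10,6,51522,443,18420,41
10.10.5.23,203.0.113.10,6,51523,443,9120,22
10.10.5.23,10.10.5.5,6,51600,445,60000000,48000
10.10.5.77,198.51.100.8,6,40001,21,120,2
10.10.5.77,198.51.100.8,6,40002,22,120,2
10.10.5.77,198.51.100.8,6,40003,23,120,2
10.10.5.77,198.51.100.8,6,40004,25,120,2
10.10.5.77,198.51.100.8,6,40005,80,120,2
10.10.5.77,198.51.100.8,6,40006,110,120,2
10.10.5.90,192.0.2.45,6,52000,443,40000000,31000
10.10.5.90,192.0.2.45,6,52001,443,35000000,27000
"""

# Assumed branch LAN; anything outside it is treated as "internet".
BRANCH_LAN = ip_network("10.10.5.0/24")


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": r["src_ip"],
            "dst": r["dst_ip"],
            "proto": int(r["proto"]),
            "sport": int(r["src_port"]),
            "dport": int(r["dst_port"]),
            "bytes": int(r["bytes"]),
            "packets": int(r["packets"]),
        })
    return rows


def detect_port_scans(flows, min_ports=5):
    """Return {(src, dst): [ports]} for pairs where one source touched
    at least min_ports distinct destination ports on a single host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_large_uploads(flows, threshold_bytes=50_000_000, lan=BRANCH_LAN):
    """Sum bytes each LAN host sends to non-LAN destinations and return
    {src: total_bytes} for hosts at or above the threshold.
    Internal-to-internal transfers (e.g. SMB to a file server) are ignored."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in lan and dst not in lan:
            totals[f["src"]] += f["bytes"]
    return {s: b for s, b in totals.items() if b >= threshold_bytes}


def build_alerts(flows):
    """Combine both detections into a list of human-readable alert lines."""
    alerts = []
    for (src, dst), ports in detect_port_scans(flows).items():
        alerts.append(f"port-scan src={src} dst={dst} ports={ports}")
    for src, total in detect_large_uploads(flows).items():
        alerts.append(f"large-upload src={src} bytes={total}")
    return alerts


if __name__ == "__main__":
    for line in build_alerts(parse_flows(SAMPLE_FLOWS)):
        print(line)
```

On the sample data the scan check flags 10.10.5.77 (six ports on 198.51.100.8) and the upload check flags 10.10.5.90 (75 MB to 192.0.2.45), while the 60 MB SMB transfer from 10.10.5.23 to the internal server is correctly left alone because it never leaves the LAN. A production collector would baseline per-host volumes over time rather than use a fixed threshold, but the shape of the analysis is the same.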

Cisco IPS on the ISR routers uses deep-packet inspection techniques to protect against worms and mitigate a variety of network-based attacks. The ISR routers also integrate the IOS Firewall, a stateful L4-7 firewall that defends the branch perimeter in a single-box solution managed consistently with the router.

Compliance and access policy management 

In addition to rapidly discovering and defending against threats, organizations also have to meet compliance mandates for their vertical, whether PCI in retail, HIPAA in healthcare or SOX in financial services. As organizations roll out new services and experiences in their branch locations (BYOD, guest Wi-Fi, digital signage, access for vendors and partners, and so on), compliance with regulatory mandates from a network-security perspective becomes a key consideration for enabling those services. With mobility, the challenge of provisioning a consistent policy at scale across thousands of locations for a services-rich experience is all the more acute.

This is where solutions such as Cisco TrustSec and its integration with the IOS Zone-Based Firewall help ensure that the necessary network segmentation and access-control policies are in place to meet regulatory requirements. TrustSec also enables a scalable and business-relevant policy model in which policies are defined centrally on the policy server in terms of business functions rather than site-specific IP addresses, and are associated dynamically with the network and its users without IT intervention. This greatly accelerates deploying new services at scale while ensuring the appropriate security controls are in place in the network.

Cisco ISR Routers -- Integrated Security for the Real World 

The Cisco ISR routers integrate security solutions such as Cloud Web Security, IOS IPS, IOS Firewall, TrustSec and Flexible NetFlow, in addition to industry-leading VPN capabilities, for a secure router solution for any branch. With the IWAN solution, the Cisco ISR routers enable improved business productivity and user experience at lower IT cost, while addressing advanced security needs to defend against the changing threat landscape and evolving business requirements.

Join Our May 8th Webinar

We discuss the IWAN security solutions mentioned above in our webinar on Wednesday, May 8th: “Simplifying Branch Security with Cisco Integrated Services Routers”. Join Cisco experts to learn how you can deploy a secure and cost-effective branch.
