
Dell Networking

Secure SD-WAN

Pham Tuan Minh
Network Specialist
THANKS FOR YOUR GREAT PARTNERSHIP

Scan the QR code or search for "Dell Technologies Heroes" in your app store to download the Heroes mobile app (available for iOS and Android):
• Find the events and technical content most relevant to you
• Build stronger relationships by connecting with Heroes members
Internal Use - Confidential. © Copyright 2019 Dell Inc.
Dell Customer Communication - Confidential

TRANSFORMING THE BRANCH

FROM: a complex, expensive multi-box branch (Cost: $$$$$)
• WAN Router Appliance
• SD-WAN Appliance
• WAN Optimization Appliance
• NGFW Appliance
• LTE WAN backup
• LAN
• Wi-Fi AP

TO: a zero-touch one-box branch (Cost: $)
• A single appliance terminating the Internet and MPLS links and serving the LAN

WHAT PROBLEM ARE WE SOLVING?

Resources: Internet, Applications, Data Centers, Analytics
Sites & Users: Branch Sites, Stores, HQ, Work From Home, Road Warriors

• Securely connect all our sites and remote users.
• Enable segmentation (enterprise, guest, IoT, etc.).
• Transition to SD-WAN for all the documented benefits.
• Provide a secure-access solution for 'work from home' users and road warriors.
• Comprehensive support for brownfield deployment.
• Apply a single unified security policy across the enterprise.

VERSA SECURE SD-WAN

Versa appliances at Branch Sites, HQ and the Data Center, connected over Internet and MPLS:
• Execute SD-WAN and routing functions.
• Can enforce the enterprise security policy at the branch.
• Also serve as remote access servers for remote users.

Versa Director: network and security policy management.
Versa Analytics: WAN, LAN and security analytics.
Remote users are authenticated against the existing enterprise authentication server.

CAPABILITIES
• Scale to 1000s of branches.
• Scale to millions of remote users.
• Open APIs into every element.
• Exceptional high availability.
• Complete multi-tenancy.


VERSA ANALYTICS: VISIBILITY AND CONTROL

VERSA SD-WAN COMPONENTS

• Versa Director (management plane): orchestration and portal; single pane of glass for provisioning, management and monitoring.
• Versa OS (data plane): single-pass architecture implementing all L2, L3 and L4-7 functions.
• Versa Analytics (big data analytics platform): integrated with 3rd-party FM/PM solutions.
• Versa Controller (control plane): exchanges information on dynamically changing network conditions and sets up paths for the best outcome.
Versa SD-WAN overview: Versa SD-Branch high-level solution components (control-plane flows)

Headend: Director, Analytics, Controller, Hub.
Branches: Branch1, Branch2, Branch3, each reachable over MPLS and Internet.

Control-plane flows between the headend and the branches:
• IKE channels
• NetConf/YANG
• SSH
• IPFIX/Netflow


Versa SD-WAN overview: Versa SD-Branch high-level solution components (data-plane flows)

Headend: Director, Analytics, Controller.
Branches: Branch1, Branch2, Branch3, each reachable over MPLS and Internet.

Data-plane topologies between branches:
• Full Mesh
• Partial Mesh
• Hub-and-Spoke
• Spoke-Hub-Hub-Spoke


Versa SD-WAN overview: Versa SD-Branch high-level solution components (high availability)

Headend high availability:
• Active-Standby Director
• Analytics on a Cassandra cluster
• Controller as a route reflector cluster, geo-redundant controllers

Branch and WAN high availability (Branch1, Branch2, Branch3 over MPLS and Internet):
• Redundant controller connections
• Up to 8 WAN links, including LTE and aggregated Ethernet
• Dynamic routing protocols, BFD, VRRP
• OAM, IPsec Dead Peer Detection
• Stateful HA
• Traffic steering, SLA monitoring, load balancing, TE, MOS
• FEC, cloning, striping
Versa SD-WAN overview: logical components of any SD-WAN network

Data plane
▪ Set of encrypted/unencrypted tunnels between branches

Control plane
▪ Signaling between branches, relayed by the Controller
▪ Topology creation
▪ Key exchange between branches
▪ Must be protected

Example of control-plane signaling between Branch1 and Branch3:
  Branch1: "Hi, I'm Branch1. I'm a HUB. I have IP X on interface MPLS. My encryption method is Y. I have subnets 10.0.0.0/24 and 192.168.0.0/24."
  Branch3: "OK. Message accepted. I'm a Spoke, so I need to establish a connection to the HUB. I will use encryption Y and establish a data-plane tunnel to IP X on the MPLS network. Also, I will add subnets 10.0.0.0/24 and 192.168.0.0/24 to my routing table with next-hop Branch1."

Management plane
▪ Centralized configuration of devices
▪ Provides visibility into what's happening with your SD-WAN
▪ Examples: telnet, GUI, ssh, REST API, etc.
▪ Example operations: "Let's pull the Controller's statistics and shut down an interface on Branch3"; "Let's change the IP on the MPLS interface of Branch1"
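The hub-to-spoke exchange above, and the slide's point that the control plane "must be protected", can be made concrete with a small model. This is an added example and not Versa's code or wire format: the advertisement fields, the HMAC over a canonical JSON encoding, and the shared control-plane secret (assumed to be provisioned by the Director) are all assumptions standing in for the real IKE/TLS-protected channel to the Controller. The spoke only installs routes and tunnel parameters from an advertisement whose tag verifies, so an on-path attacker who rewrites the hub's WAN IP to redirect the tunnel is rejected.

```python
import hashlib
import hmac
import ipaddress
import json

# Assumption (not from the slides): every branch of this tenant was provisioned
# with the same control-plane secret by the Director. It stands in for the
# authenticated channel that protects signaling in a real deployment.
CONTROL_PLANE_KEY = b"tenant-a-control-plane-secret"


def canonical(body):
    """Deterministic serialization so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_advertisement(body, key=CONTROL_PLANE_KEY):
    """Hub side: attach an HMAC-SHA256 tag over the advertisement."""
    signed = dict(body)
    signed["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return signed


def verify_advertisement(signed, key=CONTROL_PLANE_KEY):
    """Spoke side: recompute the tag and compare in constant time."""
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("mac", ""))


class Spoke:
    """A spoke branch: builds tunnels only to hubs and learns their subnets."""

    def __init__(self, name):
        self.name = name
        self.tunnels = {}  # hub name -> tunnel parameters
        self.rib = {}      # learned prefix -> next hop (hub name)

    def process(self, signed):
        """Returns True if the advertisement was installed, False if ignored."""
        if not verify_advertisement(signed):
            raise ValueError("advertisement failed integrity check; dropped")
        if signed["role"] != "hub":
            return False  # hub-and-spoke: a spoke does not peer with spokes
        self.tunnels[signed["site"]] = {
            "remote_ip": signed["wan_ip"],
            "transport": signed["transport"],
            "cipher": signed["cipher"],
        }
        for prefix in signed["subnets"]:
            self.rib[ipaddress.ip_network(prefix)] = signed["site"]
        return True

    def next_hop(self, dst):
        """Longest-prefix match over the learned routes; None means no route."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.rib if addr in p]
        return self.rib[max(matches, key=lambda p: p.prefixlen)] if matches else None


def demo():
    # Constructed advertisement mirroring the slide: IP X = 203.0.113.1 on MPLS,
    # encryption Y = AES-256-GCM. Values are illustrative assumptions.
    hub_adv = sign_advertisement({
        "site": "Branch1", "role": "hub", "transport": "MPLS",
        "wan_ip": "203.0.113.1", "cipher": "aes256gcm",
        "subnets": ["10.0.0.0/24", "192.168.0.0/24"],
    })
    spoke = Spoke("Branch3")
    accepted = spoke.process(hub_adv)

    # An on-path attacker rewrites the hub's WAN IP to hijack the data-plane tunnel.
    forged = dict(hub_adv)
    forged["wan_ip"] = "198.51.100.9"
    try:
        spoke.process(forged)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return spoke, accepted, forged_accepted


if __name__ == "__main__":
    s, ok, forged_ok = demo()
    print("hub advertisement accepted:", ok)
    print("tunnel to hub:", s.tunnels["Branch1"])
    print("next hop for 10.0.0.7:", s.next_hop("10.0.0.7"))
    print("forged advertisement accepted:", forged_ok)
```

The spoke's tunnel endpoint still points at 203.0.113.1 after the forged message, which is the property the slide's "must be protected" bullet is about: whoever can inject or modify control-plane signaling controls where every branch sends its traffic.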
Versa Multi-Tenancy

Full-stack multi-tenancy: a Master Tenant with sub-tenants (for example Enterprise A, Enterprise B, Guest, IoT X) isolated at every layer:
• Director
• Analytics
• Controllers
• Hubs
• Branches
• Network Policy
• Security Policy

• Support for up to 512 tenants
• Support for 5 levels of tenancy
• Multi-tenancy extends all the way to the branch network appliance.
• Versa delivers the most complete segmentation.
Versa SD-WAN overview: multi-tenancy in the management plane (continued)

▪ Each tenant will see both devices (the Branch SD-WAN device and the DC SD-WAN device) and their CPU/memory/HDD utilization
▪ Each tenant will only see traffic that belongs to its own ports and networks
▪ Each tenant will only be able to configure its own policies, and will not be able to see the configuration or statistics of other tenants on the same devices

Example: a Tellers network and an ATM network as two tenants sharing the same Branch SD-WAN device and DC SD-WAN device, both with Internet access.
Versa SD-WAN overview: VRFs

▪ Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices.
▪ Similar to VLANs, but it virtualizes routers, not switches.

Example: one router with two virtual routing tables and overlapping address space.
  Virtual routing table 1: 10.2.1.0/24, 192.168.1.0/24
    Computer A: 10.2.1.3/24
    Computer B: 192.168.1.2/24
  Virtual routing table 2: 172.16.10.0/24, 192.168.1.0/24
    Computer C: 172.16.10.5/24
    Computer D: 192.168.1.2/24
Computers B and D carry the same IP address, but each is reachable only from the VRF it belongs to; a lookup never crosses from one table into the other.
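The router in the slide's VRF example, modelled as an added example (not Versa OS code): each interface is bound to one VRF, a forwarding decision is a longest-prefix match inside that VRF only, and a destination with no route in the ingress VRF is dropped rather than looked up elsewhere. Interface names and the default route in table 2 are assumptions added for illustration.

```python
import ipaddress


class Vrf:
    """One virtual routing table, independent of every other VRF on the box."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, egress interface)

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, dst):
        """Longest-prefix match; None means this VRF has no route (drop)."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


class Router:
    """A router whose interfaces are each bound to exactly one VRF."""

    def __init__(self):
        self.vrfs = {}
        self.iface_vrf = {}

    def add_vrf(self, name):
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def bind(self, interface, vrf_name):
        self.iface_vrf[interface] = vrf_name

    def forward(self, ingress, dst):
        """The lookup happens only in the VRF of the ingress interface."""
        vrf = self.vrfs[self.iface_vrf[ingress]]
        route = vrf.lookup(dst)
        if route is None:
            return ("drop", vrf.name, None)
        return ("forward", vrf.name, route[1])


def build_slide_topology():
    # Constructed to match the slide; interface names are assumptions.
    r = Router()
    t1 = r.add_vrf("table1")
    t1.add_route("10.2.1.0/24", "ge-0/0/1")     # Computer A 10.2.1.3
    t1.add_route("192.168.1.0/24", "ge-0/0/2")  # Computer B 192.168.1.2
    t2 = r.add_vrf("table2")
    t2.add_route("172.16.10.0/24", "ge-0/0/3")  # Computer C 172.16.10.5
    t2.add_route("192.168.1.0/24", "ge-0/0/4")  # Computer D 192.168.1.2
    t2.add_route("0.0.0.0/0", "wan0")           # default route only in table 2
    for iface, vrf in [("ge-0/0/1", "table1"), ("ge-0/0/2", "table1"),
                       ("ge-0/0/3", "table2"), ("ge-0/0/4", "table2"),
                       ("wan0", "table2")]:
        r.bind(iface, vrf)
    return r


if __name__ == "__main__":
    r = build_slide_topology()
    print("A -> 192.168.1.2:", r.forward("ge-0/0/1", "192.168.1.2"))  # Computer B
    print("C -> 192.168.1.2:", r.forward("ge-0/0/3", "192.168.1.2"))  # Computer D
    print("A -> 172.16.10.5:", r.forward("ge-0/0/1", "172.16.10.5"))  # no route
    print("C -> 8.8.8.8:    ", r.forward("ge-0/0/3", "8.8.8.8"))      # default
```

The same destination 192.168.1.2 leaves on ge-0/0/2 when it enters from Computer A's VRF and on ge-0/0/4 when it enters from Computer C's VRF, and Computer A cannot reach 172.16.10.5 at all even though the router knows that prefix in table 2. Note also that table 2's default route does not capture 192.168.1.2 there, because the /24 is the longer match.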
Versa SD-WAN overview: data plane multi-tenancy

▪ Each tenant has its own independently encrypted IPsec tunnels between SD-WAN devices. If any of the IPsec tunnels is compromised, the other tenants are not affected.
▪ Each tenant will only see traffic that belongs to its own ports and networks.
▪ Each tenant will only see its own ports, not the ports of other tenants on the device.
▪ Each tenant can configure only its own routing protocols, firewall rules and SD-WAN policies.

Example: between the Branch SD-WAN device and the DC SD-WAN device, the Tellers network and the ATM network travel in separate encrypted tunnels (encrypted tunnel 1 and encrypted tunnel 2).
Versa SD-WAN overview: control plane multi-tenancy

The Controller runs a separate SD-WAN engine for each tenant. On the Branch SD-WAN device and the DC SD-WAN device the tenants are separate VRFs (VRF A and VRF B, holding the Tellers network and the ATM network), and each VRF has its own encrypted data tunnels between the two devices (encrypted data tunnel 2 and encrypted data tunnel 4 in the diagram).
Versa SD-WAN overview: how can it be used

Diagram: six branches (Branch-1 to Branch-6) connected over a shared underlay cloud. VRF A and VRF B are extended only to the branches that need them, so a branch may carry VRF A, VRF B, or both.
Versa SD-WAN overview: summary

SD-WAN management plane multi-tenancy
▪ Independent RBAC for each tenant
▪ Users of a tenant can see only the devices of that particular tenant

SD-WAN control plane multi-tenancy
▪ Independent SD-WAN engines for each tenant
▪ Controllers for each tenant
▪ Independent topologies for each tenant

SD-WAN data plane multi-tenancy
▪ Routing table separation
▪ Independently encrypted secure tunnels between SD-WAN devices
▪ Each tenant can have up to 1024 VRFs
▪ Independent instances of a routing table, BGP instances, OSPF instances, etc.
Versa SD-WAN overview: what is the SD-WAN headend?

The headend is the central point of:
• Management
• Storage of configurations
• Monitoring
• Log storage
• Branch connectivity: branches learn through the headend how to connect with each other

Versa headend components:
• Director (management, configuration storage, monitoring)
• Analytics (logs, statistical data)
• Controller (communication between branches)
Versa SD-WAN overview: where to deploy the headend

➢ Versa hosted
  • Dedicated
  • Shared
➢ Customer hosted
  • On premises in your own DC
  • Co-location
  • Cloud deployments
    - AWS
    - MS Azure
    - GCP
    - Alibaba
    - Oracle
Versa SD-WAN overview: what if the license expires?

1) Analytics - nothing happens; it continues to work with no changes.
2) Director - the engine will shut down.
3) VOS™ - everything continues to work for the next 45 days. After 45 days the system limits the number of sessions to 30.
VERSA DEPLOYMENT FLEXIBILITY

100% ON-PREMISE
• Secure SD-WAN for site networks (HQ, DC, branches).
• "My business requires everything on-site."
• Compliance requirement.

HYBRID
• Minimum firewall features on-site and maximum features in the cloud.
• Versa cloud gateways for ZTNA + SWG.

CLOUD HEAVY
• "I want to move to Versa Cloud Security!"
• Ultra-lightweight branch; HQ/HO and private DC connect through the cloud.
VERSA SASE DEPLOYMENT OVERVIEW

Diagram: the SD-WAN fabric connects the SD-WAN sites (HQ, stores, branch offices, including sites behind a 3rd-party router) and the WFH/WFA mobile workers running the Versa Secure Access (VSA) client to the Versa Cloud Gateways (VCG), which front the private DC, cloud and SaaS applications.


VERSA SASE SECURITY CAPABILITIES

SECURE WEB GATEWAY
• Application Firewall
• URL Categorization and Filtering
• IP Reputation and Filtering
• DNS Filtering
• DNS Proxy
• NG-IPS
• NG-Anti Malware
• SSL Decrypt
• File Filtering
• File based DLP

CASB/DLP
• Application Access Visibility
• Application Access policy enforcement
• Inline, to present violations of compliance in real time
• OOB and/or API calls to scan 'data at rest'*
• User Entity & Behavior (UEBA)*
• Context Analysis*
• Document Finger Printing
• Document Checksum
• Watermark Validation
• OCR*
• Document Signature
• Image Classification
• Document Tagging
• Risk Assessment

IDS/IPS PROFILES
• Signature/Anomaly Based Detection
• Support for Custom IDS Rules (in Snort rule format)
• Lateral Movement Detection

USER AUTHENTICATION
• 2FA
• LDAP
• Kerberos
• SAML
• Active Directory Integration

HTTP/HTTPS PROXY
• Certificate checks
• Transparent
• Explicit
• DNS and AD integration
• Proxy Chaining

SECURITY UPDATES
• Full/Incremental updates daily
• Real Time Updates several times during the day

VERSA SECURE ACCESS (ZTNA)
• IKEv2/IPsec based secure connectivity to DC
• Application (L7) Policy/Firewall
• Custom Applications (FQDN/IP Subnet)
• User/User Group based policy
• Network Obfuscation for pre-defined applications

REMOTE BROWSER ISOLATION*
• Malware Protection
• Anonymous Browsing
• Risky websites are rendered on Remote Browsers

DEVICE AUTHENTICATION
• Identification, Visibility and Policy based Control
• 802.1x Authentication

ANTI-VIRUS
• AV Scan Profiles based on Application/File types

CERTIFICATION
• ONUG
• NSS
• FIPS, Common Criteria (Q4 2021)

* Feature available in preliminary release as of 9/25.

SECURE THE NETWORK. MITIGATE RISK TO THE ENTERPRISE.
VERSA SECURE ACCESS (VSA): WORK FROM HOME AND ANYWHERE
Enterprise ZTNA for corporate devices and BYOD

Micro-Segmentation
• Per-application and per-gateway segmentation
• Isolate applications to specific gateways
• Segment critical applications/gateways from users who don't need to access them

Per Application Authorization
• Granular, per-user application control
• User authentication with the preferred identity management system
• Per-user policy controls access to each application

Multi Factor Authentication
• Integrates MFA to verify user identity
• OTP via email; MSFT/Google/DUO authenticators supported

Network & User Visibility
• Real-time and historical visibility
• User/application information
VERSA SASE SOLUTION TIERS

Versa Secure (Private) Access
• Secure connectivity to the intranet
• Securely access applications hosted in the HQ DC, a branch, or public cloud
• Zero Trust Network Access

Secure Internet Access (SWG)
• Security as a service for remote workers and enterprise branches
• Secure web browsing and Internet application access

Secure SD-WAN with VSA & SWG
• Combination of use cases covered by VSA, SWG and SD-WAN, from branch to cloud
• Private Access + Secure Internet Access + SD-WAN
• ZTNA + SD-WAN based access + SASE client

Versa Cloud Gateway service chain shared by the tiers: Routing & CGNAT, DoS, Next-Gen Firewall, SSL Proxy, File Filtering / AV / IPS / Malware Detection and Prevention, DNS Security, Device Identification, CASB / DLP, ZTNA Gateway, SAML/AD Authentication, Network Obfuscation. Traffic reaches the gateway from legacy routers, Versa SD-WAN sites and the SASE client app on end-user devices; destinations are enterprise apps in the data center, SaaS providers and the Internet.
VERSA SECURE ACCESS

Use cases
• VPN-based connectivity
• Securely access applications hosted in the DC, branch, or public cloud
• Secure Private Access
• Zero Trust Network Access
• User/user-group based policy
• Integration with enterprise authentication
• Application firewall
• Network obfuscation and hiding

Versa Cloud Gateway network services for VSA: Routing & CGNAT, Posture Check, App FW & DoS, Network Obfuscation, ZTNA, SAML/AD Auth. The SASE client app on the end-user device connects to the gateway, which reaches enterprise apps in the HQ, the data center and the public cloud.
TRAFFIC SEGMENTATION & BREAKOUT BY VERSA SASE
At client, gateway, and/or enterprise

Diagram: end-user devices with corporate certificates (mobile devices, laptops, desktops) and SD-WAN routers build secure tunnels to the Versa SWG Gateway. From the gateway, traffic either breaks out to the Internet or is backhauled over IPsec (across Internet, MPLS or Direct Connect) to the enterprise router/SD-WAN gateway at corporate HQ or the data center.
DATA LEAK PREVENTION (DLP)

Data Security
• Detect mis-configuration
• Encryption and tokenization
• BYOD policy
• Support for OCR and document formats

Data Format
• Protocol support: HTTP, SMTP, FTP, etc.
• Document format support: XLS, DOC, PDF, etc.
• Proxy: SSL/TLS, email proxy, etc.

Compliance
• Recognize 100s of types of identifiable info
• Compliance and certification requirements
• Scanning and auto-remediation

Data Leak Prevention
• Context, ID and content based policy
• Redaction & encryption
• Watermarking
• Quarantine
• 3rd-party integration

Deployment modes
• Out of band
• In-line DLP
• Network DLP, on-premise or cloud delivered: protecting on-premise data
• Cloud DLP, API-based integration: protecting data in the SaaS cloud
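To show what the "recognize identifiable info", "content based policy" and "redaction" items mean in practice, here is an added example of an in-line DLP check over an HTTP request body. It is not Versa's DLP engine: it recognises only two identifier types (Luhn-validated payment card numbers and US SSN-shaped strings) out of the hundreds a product would, and the sample body, the sanctioned-destination list and the allow/redact/block policy are constructed assumptions. The Luhn check is what keeps a 16-digit order number from being flagged as a card.

```python
import re

# Constructed sample request body (not from the slides). The second card number
# fails the Luhn check, so it must not be treated as a PAN.
SAMPLE_BODY = (
    "customer=Jane Roe&order=ORD-20210925"
    "&card=4111 1111 1111 1111&alt_card=4111-1111-1111-1112"
    "&ssn=123-45-6789&note=call 555-0100"
)

# Assumption: destinations where sensitive data may go after redaction.
SANCTIONED_APPS = {"crm.example.com"}

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the area/group/serial values the SSA never issues excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Returns (kind, start, end) for every identifier found, in text order."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def redact(text, findings):
    """Masks each finding in place, keeping the last four digits of a PAN."""
    out = text
    # Replace from the end so earlier offsets stay valid.
    for kind, start, end in sorted(findings, key=lambda f: f[1], reverse=True):
        span = text[start:end]
        keep = span[-4:] if kind == "PAN" else ""
        masked = "[" + kind + ":" + "*" * (len(span) - len(keep)) + keep + "]"
        out = out[:start] + masked + out[end:]
    return out


def inspect(body, destination):
    """Content + context policy: (action, body to forward or None, findings)."""
    findings = find_identifiers(body)
    if not findings:
        return ("allow", body, findings)
    if destination in SANCTIONED_APPS:
        return ("redact", redact(body, findings), findings)
    return ("block", None, findings)


if __name__ == "__main__":
    for dest in ("crm.example.com", "pastebin.example.net"):
        action, forwarded, found = inspect(SAMPLE_BODY, dest)
        print(dest, "->", action, [f[0] for f in found])
        if forwarded:
            print("  ", forwarded)
```

The same content yields a redacted forward to the sanctioned CRM and a block toward an unsanctioned paste site, which is the "context, ID, content based policy" combination on the slide: what the data is, and where it is going, decide the action.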

