SD-WAN & Cloud-Security
About T&A SYSTEME GmbH
Type: Service provider / systems integrator for IT infrastructures; WAN service provider
Founded: December 1993
Size: 40 employees
Location: Am Walzwerk 1, 45527 Hattingen
Data center capability: Redundant data centers, fully managed operation (ITaaS)
Customers: National and international companies in various industries
Till Bockenheimer, Managing Director, [email protected]
©2017 T&A SYSTEME, Inc. All rights reserved.
T&A SYSTEME service areas
Service areas in detail
Agenda
• Introduction to VeloCloud, SD-WAN
• SD-WAN managed by T&A SYSTEME
• Introduction to Zscaler, Cloud-Security
• Integration of SD-WAN with Cloud-Security
VeloCloud Cloud-Delivered WAN
Fast. Simple. Secure.
VeloCloud Company Background
• Re-defining Enterprise Wide Area Networks
– Cloud-Based Software Defined Wide Area Network
– Expand the WAN without replacing it (migration)
– Slash the costs of Wide Area Networking (WAN)
• Company Background
– Founded in 2012
– 85 headcount
– Team from leading Networking, Cloud and Virtualization companies
– Backed by NEA, Venrock, March Capital, Cisco Investment and The Fabric
November 2017
− Deployed in 600+ Enterprises
− Nearly 50,000 Sites
VMware announced the intent to acquire VeloCloud, the market leader in cloud-delivered SD-WAN that enables enterprises and service providers to deploy flexible, secure WAN connectivity.
https://www.vmware.com/company/acquisitions/velocloud.html
VeloCloud’s Innovative WAN Solution
Enable the use of lower cost Internet as a WAN while maintaining application performance
Provide flexible WAN architecture for accessing both on-premise applications and SaaS
Simplify WAN/branch deployment, configuration, monitoring, and remote troubleshooting
[Diagram: Cloud Delivered SD-WAN. Labels: Branch Edge, DC Edge, Enterprise DC, Cloud Network; links: Cable, DSL, LTE, MPLS, DIA]
• Dynamic Multi-Path
• Cloud VPN
• Smart QoS
• Next Gen Firewall
• Application Performance Monitoring
• WAN Services Orchestration
• Business Policy Definition
• Network Services Insertion
Cloud-Delivered SD-WAN For Enterprise
[Diagram labels: Dynamic Multi-path Optimization; Branch Site; VeloCloud Edge; Enterprise DC; Enterprise Data Center; Cloud DC; SaaS; Hybrid Cloud; PRIVATE/MPLS; INTERNET; Public Cloud Gateways; Orchestrator]
• Public and private links
• On-prem or cloud apps
• DC headend optional
• Zero touch, thin branch auto provisioned from cloud
• Cloud orchestration eliminates complexity
• Direct path to enterprise and cloud apps
• Scalable, redundant, pay-as-you-go cloud network
VeloCloud Infrastructure
• SSAE16 Type II Audited Datacenters
• 99.99% Reliability SLA
• Cloud Scale Redundancy
• Direct to SaaS With Internet Exchange
Ashburn, Atlanta, Chicago, Dallas, Denver, New York, San Jose, Seattle, Los Angeles, Miami
Dublin, Frankfurt, Geneva, London
Hong Kong, Singapore, Sydney, Tokyo
VeloCloud Orchestrator
• Network-wide business policy for data, voice & video
• View of link quality with and without VeloCloud
• VeloCloud measures dynamic bandwidth on each link
• Application visibility, analytics and bandwidth usage
[Screenshot labels: 100 msec; DSL, MPLS, LTE]
• Automatic Link Monitoring
• Auto Detection of Provider
• Auto Configuration of Link Characteristics, Routing and QoS Settings
• Intelligent Application Learning
• Quality of the connection
Dynamic Multi-Path Optimization (DMPO)
App performance over broadband, LTE and private circuits
WAN Monitoring
• Automatic capacity testing
• Continuous link & path quality monitoring
App Steering
• Aggregate Links
• App Aware per Packet Steering
• Optimal link & path across Internet and private
Link Remediation
• Error & jitter correction
• Automatic steering for brownouts/blackout
https://www.youtube.com/watch?v=mdNbNn4Ucy4 (2:50 - 5:30)
Dynamic Multi-Path Optimization (DMPO): Assured Application Performance over Any Type of Link
• Drives automation and optimization
• Sub-second steering without session drops
• Aggregated bandwidth for single flows
• Protects against concurrent degradation
• Enables single link performance
Dynamic Per Packet Steering
On Demand Remediation
Continuous Link Monitoring
VeloCloud Deep Application Recognition
• Deep Packet Inspection: Application recognition & application metadata
• Learning database: Cached DPI result to assist with first packet classification
• Cloud service directory: Up-to-date database of cloud service IPs
3000+ Applications
Automated QoE
• Application-aware link steering
• Bandwidth aggregation for single flow
• On demand remediation
• Error correction, jitter buffering, NACK
• Overlay QoS
Real-Time Link Metrics
• Link performance - packet loss, latency, jitter
• Link capacity
• Congestion
App Recognition + Business Priority
[Table not fully preserved. Traffic classes: Real-time, Transactional, Bulk. Priorities: HIGH, NORMAL, LOW. Cell values as extracted: 35% 15% 1%; 1% 7% 20%; 20% 5% 1%. Application category labels: Business Collaboration, Audio/video; VDI, Business App; Infra, Auth, Mgmt, NW Services, Tunneling; IM App, Web, Proxies; Games, Media, Social; Email, Storage, Backup, P2P; File Sharing]
SaaS Performance Summary
• 10x faster response time
Dual 20 Mbps Links / 50 MB Box File Transfer
Condition         Without VeloCloud   VeloCloud
No Loss           22 sec              12 sec
2% Packet Loss    134 sec             13 sec
Real World VoIP Results
Mean Opinion Score (MOS): MOS > 3.6 = Good call
• Traditional Internet: 60% of VoIP calls having good quality (MOS > 3.6)
• With VeloCloud: 99% of VoIP calls having good quality (MOS > 3.6)
[Charts: MOS with VeloCloud; MOS with Internet]
Internet Can Deliver 99%+ Quality With VeloCloud’s Cloud-Delivered SD-WAN
Link types: Cable, DSL, Ethernet & Fiber, 4G LTE
Ease of Network Services Insertion
[Diagram labels: Branch Site; Enterprise DC Or Regional Hubs; On Premise Email DLP; Other Web traffic; Salesforce.com; Web email; Internet]
• One-click service insertion
• Virtual services platform at branch
• Optimized performance to remote cloud and centralized enterprise services
• Partner ecosystem
Rapid Branch Rollout
Traditional WAN Deployment: $200-$2000 per truck roll
• Truck roll and IT personnel required to configure & deploy new branch. No centralized control.
• Dependency on wired circuit delays branch bring-up and reduces productivity
VeloCloud Zero Touch Deployment: $0 truck roll
• No local IT touch. Drop ship the unit and activate.
• Plug and play - auto-discover WAN links including bandwidth and ISPs
• Profile based configuration eliminates tedious branch-by-branch configuration
• Optional DC install greatly simplifies branch bring-up
Run Real-time Voice or Video
Traditional WAN
• Poor Internet performance affects voice and video quality
• High cost from using MPLS to deliver high quality voice and video
• The Internet fails to deliver UC 17% of the time*
VeloCloud SD-WAN for UC
• Deliver high quality voice and video over the Internet
• Dynamic error correction mitigates network issues and assures voice and video performance
• VeloCloud Cloud-Delivered SD-WAN: > 99% of the time*
Combine All WAN Links with Intelligent Link Bonding
Traditional WAN
• Typical setup is active/standby WAN. Complex routing protocol tuning required to enable active/active.
• Link performance degradation will severely affect throughput
• Poor WAN link utilization with active/standby
VeloCloud Cloud-Delivered SD-WAN
• Per-packet load balancing utilizes all links to maximize throughput even for single traffic flow, e.g. large backup
• Real time link performance awareness and on-demand remediation ensure maximum possible throughput
• 2-3x higher throughput, better app performance
[Diagram labels: Enterprise Backup]
Any WAN Services Anywhere
Traditional Approach to WAN Services
• Deploying local branch services requires additional appliances and is difficult to manage
• Centralizing services requires backhauling that increases latency and impacts performance
• Utilizing services in the cloud requires complex routing configuration
VeloCloud’s Flexible Service Insertion
• Per-application service insertion policy
• Run local services, e.g. firewall, IPS on the VeloCloud hardware. Keep the branch lean.
• Backhaul select applications to services in the DC
• Chain cloud services for specific application, e.g. Web browsing is subjected to cloud Web security
[Diagram labels: Deploy stack of branch appliances OR Backhaul everything OR Complexity of redirecting to cloud services; DLP]
VeloCloud HA Design – L2 Switch
• The same ISP link must be connected to the same port on both Edges
– Use L2 switch to make the same ISP link available to both edges
• The standby edge does not interfere with any traffic by blocking all its ports except the failover link (L1 port)
• The session information is synchronized between active and standby edge through the failover link
• If the active edge detects loss of LAN link it will also fail over to another edge, assuming it has an active LAN link
[Diagram labels: ISP1, ISP2; W1, W2; L1, L1; L2 Switch, L2 Switch; Internet Router/CPE]
VeloCloud Edge Portfolio
VeloCloud SD-WAN Solution and Benefits
WAN Monitoring
Simplify Branch Deployments
• Cloud orchestration enables automated deployments
• Business-policy based configurations
• Fast access with ordinary broadband links incl. 4G-LTE
Improve Agility, Fast Cloud Adoption
• Direct access for SaaS and Cloud deployed applications
• Ensure application performance
• Leverage cloud-based security like Zscaler
Reduce Total Cost of Ownership
• Leverage ordinary broadband internet links to reduce WAN cost
• Move branch services to the cloud to reduce branch sprawl
• Pay-as-you-grow subscription model
Assure Application Performance
• Optimal link & path across Internet and private links
• App Aware per Packet Steering & Link remediation
• Continuous link & path quality monitoring, visibility, control
Compelling Value Proposition for Enterprises
• Faster Installs
• Less Money
• Faster Speed
SD-WAN managed by T&A
T&A managed VeloCloud SD-WAN Services Benefits
• Experience with VeloCloud implementation and operation since 2015
• Design and implementation of SD-WAN including transition
• Provisioning of Internet lines worldwide
• Optimized commissioning using LTE and out-of-band management
• Management and fault resolution of Internet lines worldwide
• Management of lines already in place
• Provision of inband monitoring for datacenter<->site monitoring
• Provision of a management dashboard for VCO, OoBM, inband mgmt.
• WAN Operation Center support: 24x7, 2h
• Fixed prices for all services and deliverables
Hüttentalk: Data center - Quo Vadis?
SD-WAN service customers of T&A SYSTEME
Bofrost (retail, HQ Straelen)
• Replacement of Telekom MPLS with SD-WAN over xDSL Internet lines
• Connection of 169 sites in the EU within 5 months, of which 2 months were lead time for line procurement
ifm electronic (industry, HQ Essen)
• Replacement of Cisco DMVPN with SD-WAN over xDSL and dedicated Internet lines
• Connection of 25 sites in Germany plus Japan and Singapore
• Planned final rollout: 110 sites worldwide
Röhlig Blue Net (logistics, HQ Hamburg)
• Replacement of Barracuda VPN with SD-WAN over dedicated Internet lines
• Connection of 8 sites worldwide (China, India, Argentina, Japan, …)
• 86 sites worldwide
Latencies in the SD-WAN VPN over standard Internet lines
Customers: Bofrost, ifm electronic, Röhlig Blue Net
Connection                    Latency (best - worst tunnel)
Hamburg / IN-Bangkok          116 ms – 183 ms
Hamburg / AR-Buenos Aires     121 ms – 134 ms
Hamburg / CH-Zhangjang        109 ms – 167 ms (10% packet loss)
Hamburg / FR-Lyon             17 ms – 49 ms
Essen / JP-Chiba-Ken          132 ms – 147 ms
Essen / SG-Singapur           77 ms – 108 ms
Frankfurt / MA-Marrakesh      29 ms – 53 ms
Frankfurt / AT-Wien           8 ms – 9 ms
Frankfurt / DE-Dresden        9 ms – 34 ms
SD-WAN Management Dashboard (by T&A)
Out of Band Management
WAN connection equipment (HA)
Inband Monitoring
©2017 Zscaler, Inc. All rights reserved.
Secure IT Transformation to a Cloud-Enabled Enterprise
The cloud security leader
IT’S TIME TO BREAK FREE FROM THE OLD WORLD OF IT
Network and Application Access Transformation
Zscaler: The market leader in cloud security
TECHNOLOGY INNOVATION
• Cloud security platform: Purpose-built (100 patents)
• Largest security cloud: 100 data centers
• 30B requests a day, 125M threats blocked a day
MARKET LEADERSHIP
• Trusted by G2000: 5,000 organizations
• 15M users in 185 countries
• Global partners
FINANCIAL STRENGTH
• Accelerating growth: 125% renewal rate
• Solid financial model
• Backed by
INDUSTRY ACCOLADES
• MQ Leader, Wave Leader
Zscaler = Zenith of scalability: Three dimensions of scale
[Charts not preserved. Panels: Protection across countries; 5K+ Organizations; 15M+ Users; All users – All traffic; Monthly Office 365 traffic (TB)]
Leader – 6 years in a row
Leading industry analysts agree…
Zscaler is a very strong choice for any organization interested in a cloud gateway.
…On-premises Web content security can’t protect digital business…
Cloud and mobility are powerful enablers, but break perimeter security
Using ‘90s on-premises controls to secure the network when the Internet is the new network
• Connections are following the path of least resistance
• Users are leaving the corporate network
If you don’t control the network (Internet), how can you secure it? The traditional network security stack is irrelevant.
[Diagram labels: Headquarters; Hub and Spoke Architecture]
Old IT: Business inside the corporate network (static perimeter)
Castle and moat: Secure the network to secure servers, apps, and users
• Outbound gateways: Secure access to Internet. More threats, more appliances.
• Inbound gateways: VPN to access DC apps. More users, more appliances.
Gateway appliance stack, in slide order: FW / IPS, URL Filter, Antivirus, DLP, SSL, Sandbox, Global LB, DDoS, FW/IPS, RAS (VPN), Internal FW, Internal FW/LB
[Diagram labels: Corporate Network; Moscow; Outbound & Inbound Gateway]
Network Security – ‘90s Design
• Expensive to deploy
• Complex to manage
• Security compromises
• Poor user experience
“Afraid of breaking something, no one dares to touch our gateways/DMZ.” – Head of infrastructure ops, F500
Can you relate to this security stack?
An architectural approach for secure IT transformation
Secure the network
Secure Policy-Based Access connecting the right user, to the right app or service
Allows internal apps to behave like cloud apps
[Diagram labels: IoT, ON-THE-GO, HQ / BRANCHES; Security and Access Control; PRIVATE DC, SAAS, OPEN INTERNET, PUBLIC CLOUD, DC APPS; External, Internal]
A new approach to app access and security: Flip the security model
Fast, secure, policy-based access connecting the right user to the right service and app
Securing the network is no longer relevant
• ZSCALER INTERNET ACCESS: Secure access to the Internet and SaaS apps
• ZSCALER PRIVATE ACCESS: Secure access to private apps: Data center or cloud
[Diagram labels: Inbound & Outbound Gateway stack (Ext. FW / IPS, URL Filtering, Antivirus, DLP, SSL, Sandbox, Global LB, DDoS, Ext FW/IPS, RAS (VPN), Internal FW, Internal LB); Outbound Gateway, Inbound Gateway (each marked X); HQ/IOT, MOBILE, BRANCH, DC APPS]
The largest security cloud: Reliable, available, and fast
• 30B+ requests/day
• 125M+ threats blocked/day
• 120K+ unique security updates/day
• 100 data centers – 5 continents
• Peering in Internet exchanges: 150+ vendors peered
• Secure: Ongoing third-party testing
• Certified
• Reliable: Redundancy within and failover across DCs
• Transparent: Trust Portal for service availability monitoring
Secure network transformation
Enabled by moving security to the cloud
FROM: HUB-AND-SPOKE ARCHITECTURE
• Secure the network to protect users and apps
• All users must be on-network for protection
• Internet traffic backhauled over MPLS for protection
TO: HYBRID CLOUD ARCHITECTURE
• Policy-based access, users to apps
• On-net, off-net the user is always protected
• Local Internet breakouts
Secure application access transformation
Enabled by moving to software-defined access controls in the cloud
FROM: NETWORK-BASED ACCESS
• App access requires users to be on the network
• App segmentation requires network segmentation
• Broad attack surface
TO: POLICY-BASED ACCESS ARCHITECTURE
• App access driven by policy, users never on the network
• App segmentation without network segmentation
• Minimal attack surface (invisible apps)
[Diagram labels: POLICY; Inbound Gateway]
A three-step journey to cloud and mobility transformation
SECURE: Up-level your security
• Make Zscaler your next hop to the Internet.
• Fast to deploy. No infrastructure changes required.
SIMPLIFY: Remove point products
• Phase out gateway appliances at your own pace.
• Reduce cost and management overhead.
TRANSFORM: Cloud-enable your network
• Enable secure SD-WAN / local Internet breakouts – optimize backhaul.
• Deliver a better and more secure user experience.
[Diagram label: (BROADBAND)]
Zscaler Internet Access: Secure, fast access to the Internet and SaaS
Eliminates the appliance mess: Allowing IT to focus on strategic / architectural initiatives.
Easy to forward traffic and authenticate users
[Diagram labels: MOBILE, HQ / IoT, BRANCH; Zscaler App / PAC File, GRE/IPsec; ID Provider; Default route to Internet; Block the bad, protect the good; MPLS; DC APPS]
Global real-time policy engine
• You retain full control – policy and admin
• Policies by user, locations, AD groups
• Follow-the-user policy for the same protection at any location, any device
Real-life analytics – Actionable info
• Global visibility - cloud apps and usage
• Identify botnet-infected machines that need to be remediated
Ransomware Attack Lifecycle
Zscaler purpose-built multi-tenant cloud security platform
Purchase what you need and you can always expand with a click of a button
Powered by Patented Technologies
• SSMA: All security engines fire with each content scan – only microsecond delay
• ByteScan™: Each outbound/inbound byte scanned, native SSL scanning
• PageRisk™: Risk of each object computed inline, dynamically
• NanoLog™: 50:1 compression, real-time global log consolidation
• PolicyNow: Policies follow the user for same on-premise, off-premise protection
ACCESS CONTROL
• CLOUD FIREWALL
• URL FILTERING
• BANDWIDTH CONTROL
• DNS FILTERING
THREAT PREVENTION
• ADVANCED PROTECTION
• ANTI-VIRUS
• CLOUD SANDBOX
• DNS SECURITY
DATA PROTECTION
• FILE TYPE CONTROLS
• DATA LOSS PREVENTION
• CLOUD APPS (CASB)
Zscaler Private Access: Secure and fast access to private apps
New approach to accessing internal apps: Connect a named user to a named app
Reduced cost and complexity – Better security and user experience
4 Key Design Tenets
• User not on the network - App access doesn’t need network access (unlike VPN)
• Invisible apps – Apps not exposed to the Internet (DDoS protection)
• App segmentation – No network segmentation needed
• App can reside anywhere – Azure, AWS, DC
How it works
1. User requests access to SAP (authenticated)
2. Policy determines if access is permitted (auth before access)
3. If authorized, Zscaler Cloud initiates outbound connections from Z-Connector and Z-App (per app)
4. Connections are stitched together in the cloud
[Diagram labels: Z-APP; POLICY ENGINE; Z-CONNECTOR; DC APPS; MOSCOW, MADRID]
Common Zscaler Private Access use cases
Unmatched security – Simplified IT – Better user experience
M&A AND DIVESTITURES
Do you feel comfortable connecting the two networks to access each company’s apps?
Provide named users access to named apps without merging networks.
SECURE PARTNER ACCESS
Should partners/contractors be on your corporate network via VPN?
Only grant partners access to a server in the data center, not the network. (dev teams, contractors)
VPN REPLACEMENT
Is your VPN slow? Is it a security risk?
Users get access to specific apps. They are never brought onto the network and apps are never exposed to the Internet – no hardware needed.
ACCESS INTERNAL APPS LIKE SALESFORCE
You moved private apps to a modern IaaS but your access is still legacy VPN.
Securely access private apps without requiring VPN or having to deploy infrastructure.
Zscaler: The foundation of a modern access and security architecture
Reduced Risk (CISO)
• Unmatched security – all users, branches, and devices
• Consistent policy and protection
• Always up-to-date
IT Simplification (CTO / IT Head)
• Consolidate point products and simplify IT
• Cloud-enabled network
• Rapid deployment
Impressive Value (CIO / CFO)
• No Capex, elastic subscription fee
• Reduced Opex, no box management
• Reduced MPLS costs
Fast Response Time (End-Users)
• Higher productivity – local breakouts
• Prioritize business apps
• Empowers users to leverage cloud apps
Where can you start?
• Securing a distributed and mobile workforce
• Securing an SD-WAN transformation
• Securing access to apps on AWS or Azure
• Office 365 deployment
©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Zscaler™, SHIFT™, Direct-to-Cloud™ and ZPA™ are trademarks or registered trademarks of Zscaler, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners.
VeloCloud Virtual Services Delivery with Zscaler
Ease of Zscaler Service Insertion
• SD-WAN extended to Zscaler security
• Eliminate backhaul
• Via Gateways and regional Edges to optimal Zscaler clouds at VeloCloud or Partner clouds
[Diagram labels: Branch Site; Corporate Datacenter; Regional Datacenter; VeloCloud Edge; VeloCloud Gateways; VeloCloud Orchestrator]
VeloCloud Networks Proprietary & Confidential | © Copyright 2015
Zscaler & VeloCloud: Simple, Secure, Reliable
• VeloCloud Dynamic Multipath Optimization over SD-WAN delivers application performance and reliability to Zscaler over Internet
• Single-click Application-Aware Policies for security insertion enable enterprise-wide business policies
• Secure, fast access to the Internet and SaaS applications with Zscaler Internet Access to block the bad and protect the good
[Diagram labels: Branch Site; Corporate Datacenter; VeloCloud Edge Hub; VeloCloud Edge; VeloCloud Gateway; Dynamic Multi-Path Optimization; Zscaler Internet Access; Internet and Cloud Apps; Exploits, APT, Malware, Botnets]
Deploying Zscaler Integration in 3 Easy Steps
1. Configure Zscaler web security account
2. Instantiate non-VeloCloud site. Configure VPN, Location, authentication in VeloCloud Orchestrator
3. Define business policy in VeloCloud to determine web security screening
[Diagram labels: Branch Site; Internet; Zscaler Web Security]
VeloCloud - Zscaler Integration Benefits
Key Features and Benefits
• Cloud Security: Anti-Virus, Data Loss Prevention, Web Content Filtering, IaaS Security, Shadow IT, HTTPS/SSL Scanning
• Security Information & Event Mgmt. (SIEM): SNMP, Sys Log, FW Logging aggregation, analysis, correlation, compliance reporting, and log retention
Integration benefits for Enterprise Customers:
• Assurance that critical applications and security functions are maintained and/or improved
• Simple & quick deployment of new services, features, and apps
• Operational simplicity with “single-click/single-pane” licensing, setup, and mgmt.
Hüttentalk: “Efficient IT for small and medium-sized enterprises”
Our platform for exchanging information and experience on IT topics of current urgency.
• Live sessions on the latest technology & the most modern IT management methods
• Field reports from project practice
• The latest information and vendor materials
We are very happy to be at your disposal!
Contact details
ADDRESS: T&A SYSTEME GmbH, Am Walzwerk 1, 45527 Hattingen
PHONE: +49 2324 9258 0