ESG Technical Review: Securing an App-centric SD-WAN with CloudGenix CloudBlades


This ESG Technical Review documents hands-on validation of how CloudGenix’s CloudBlades enable organizations to secure an SD-WAN network while minimizing both capital and operational expenses. We illustrate how organizations can use CloudBlades to integrate third-party cloud-based services with SD-WAN capabilities while enabling high application performance and availability at geographically dispersed remote offices/branch offices (ROBOs).

The Challenge

When ESG research surveyed IT organizations about their top considerations for justifying IT investments, three of the top ten responses included improving overall security, reducing operational expenditures, and reducing capital expenditures (see Figure 1). At the same time, 64% of respondents reported increased spending on public cloud infrastructure services in 2019, with 58% reporting increased spending on public cloud applications.1

Typically, organizations have employed various hardware-based solutions to support the networking and security needs at their remote and branch offices (ROBOs). Whether or not the functionalities were integrated into one box (via hardware blades in an integrated router) or separate boxes (such as a customer edge router and a firewall), organizations would have to wait for the next hardware or software release cycle to leverage the latest product roadmap updates. This approach does not allow organizations to take advantage of best of breed options.

To accelerate and simplify deployment of IT infrastructure, some organizations have adopted network function virtualization. Because network function virtualization does not rely on proprietary hardware, organizations can implement their desired IT infrastructure services while minimizing hardware expense. However, the additional software complexity required for organizations to integrate and manage these virtualized functions can introduce application performance and security risks, as well as increase operational expense given the additional management incurred.

While organizations have simplified the deployment and management of their networks via SD-WAN solutions, implementing network security measures in a simple, cost-effective manner remains a challenge. Organizations can deploy physical firewalls at every location within their networks to prevent attacks and data theft, yet their installation, configuration, and management will incur capital and operational expenses that, ironically, SD-WAN can reduce in the first place. Cloud security gateways have emerged that enable organizations to direct traffic to virtual firewalls, removing the need for installing physical firewalls. However, the operational costs may outweigh the benefits, especially as the numbers of users and applications increase in an organization, requiring the consumption of additional bandwidth over time.

IT organizations need a solution that will not only help them build a secure network that enables high application performance and lower capital costs, but also simplify management and administration. This solution will allow organizations to integrate cloud-based services with minimal complexity and administration. Organizations can choose among the most up-to-date options in security services without being constrained by hardware or software release cycles.

The Solution: CloudGenix CloudBlades

CloudGenix’s CloudBlades can help organizations to integrate cloud-based third-party services with the CloudGenix SD-WAN solution, Autonomous SD-WAN, that will serve a ROBO’s IT infrastructure needs. Using CloudBlades, organizations can leverage cloud-based services to build out capabilities a ROBO needs for networking, security, collaboration, IT management, and multi-cloud deployments. With CloudBlades, organizations can choose from multiple cloud-based services that they consider will best meet their ROBOs’ IT needs without being locked into hardware or software release cycles, while not adding architectural or management complexity.

At the heart of the CloudBlades solution is the Autonomous SD-WAN. As ESG reviewed in 2018, the CloudGenix SD-WAN solution enables application-centric traffic forwarding. Instead of leveraging only network-level metrics to ensure application performance, this solution also leverages application-level metrics so that organizations can easily construct policies for enterprise, cloud, and SaaS applications. Once developed, organizations can deploy these policies once to all sites across the distributed organization: remote and branch offices, data centers, and cloud service providers (CSPs). Policies reflect business rules and end-user expectations of application performance that determine the priority and network connections used to send and receive packets during an application session. The solution continuously updates its knowledge of both network and application health and performance metrics to reroute traffic over alternative network paths if an application session is not adhering to policy.

Using the CloudGenix SaaS-based management portal, organizations configure, deploy, and manage Instant-On Networking (ION) elements across multiple sites. CloudGenix’s Autonomous SD-WAN generates application-level and network-level analytics via these elements using data collected at the endpoints of application sessions (e.g., between a ROBO and a data center). Organizations can gain near real-time and historical visibility of these analytics via the portal. Issues can be identified and resolved quickly, thus maintaining application performance as demanded by the business.2

While CloudGenix provides the networking capabilities, organizations can build out an IT infrastructure at each ROBO to address needs related to security, collaboration, IT management and administration, and multi-cloud deployments. CloudGenix has partnered with multiple cloud service and application providers so that organizations can choose those services that best meet the ROBOs’ needs. Examples include Amazon Web Services and Microsoft Azure for extending the organization’s IT infrastructure into the cloud, and Zoom and Cisco Webex for supporting voice and video communications. Integrating these services is accomplished by the CloudGenix UI, negating the need for additional coding.

When it comes to organizations ensuring network security, CloudGenix leverages multiple methods. To exploit next-generation firewall (NGFW) capabilities for securing the entire network, CloudBlades enables integration with services of third-party security vendors, such as Zscaler Internet Access (ZIA) and Palo Alto Networks’ Prisma Access. (CloudGenix has also partnered with Symantec and Checkpoint Software Technologies.) What makes the integration compelling is that organizations can enforce security policies on application sessions while maintaining active-active connections over any transport. Should a failure occur, switching all traffic (regardless of application type) to backup can introduce network and security latency to individual applications. With Autonomous SD-WAN, IPSec VPN connections between the cloud security provider and the ION element are simply viewed as another path on which application traffic can traverse. Should Autonomous SD-WAN detect that any application metric does not meet a given application-specific SLA threshold, it will simply choose another active path defined by the policy, without introducing additional latency or negatively impacting end-user experience. CloudGenix has also integrated an application-based zone-based-firewall (ZBFW) into the ION element to ensure security at the ROBO level.

ESG Tested

ESG performed hands-on evaluation of CloudGenix’s CloudBlades, focusing on the integration of cloud-based security services, via a joint testing session hosted at CloudGenix’s headquarters in San Jose, CA. During our session, we validated the ease with which the Autonomous SD-WAN solution can integrate with these third-party services, configured policies to set up whitelists/greylists and blacklists, and verified that policies with integrated security rules performed as intended. ESG also validated that users can assign policies globally at both a ROBO and ION device level, with minimal effort.

Testing leveraged an ION 3000 device installed in a ROBO in Santa Clara with two direct Internet access (DIA) connections from AT&T and Wiline (a regional business Internet service provider). Four policies were installed on the ION element (see Figure 2). Our testing focused on how to secure traffic using the first two policies. The General Web Browsing policy rule governed traffic transmitted via the HTTP, SSL, and QUIC protocols, which are destined to the Internet. Traffic would go over a third-party IPSec VPN tunnel over any public circuit (supplied by AT&T or Wiline). We noted that Autonomous SD-WAN can maintain active-active connections, allowing for higher application performance and availability.3 Backup paths were public Internet circuits. The Trusted Apps policy rule defined our whitelist applications, specifically the full Office365 suite. Direct Internet connections, either from AT&T or Wiline, were set up as active-active paths. No backup path was defined.

ESG first integrated CloudGenix with a third-party cloud security service, Zscaler Internet Access (ZIA). We selected CloudBlades under the System menu (located under the user’s email address at the top right-hand corner of the portal interface) and clicked on Zscaler Enforcement Nodes (ZEN) integration4 (see Figure 3). To enable this CloudBlade, we created a partner administrator account on the Zscaler portal and obtained an API key. We inputted the key, the assigned administrator username and password, and the desired Zscaler cloud to be used via the management portal.

ESG then assigned those circuits that Zscaler could use to create VPN tunnels between the Santa Clara office and the ZENs. We navigated to Circuit Categories under the Stacked Policies menu to “tag” specific circuits with the label “AUTO-zscaler,” specifically the Internet Cable circuits (AT&T and Wiline) as the underlay for the Zscaler VPN tunnels. To verify that the integration was complete, ESG navigated to the Zscaler portal and clicked on Administration Management to view the API key, and administrator username and password assigned to CloudGenix (top portion of Figure 4). We also navigated to the Locations and VPN Credentials tabs to see that the branch office site was automatically listed.

To test tunnel configuration, ESG checked the VPN tunnel over the Wiline circuit and found that traffic was transmitting in the ingress direction (see graph in Figure 5). To check that the General Web Browsing policy (from Figure 2) was applied to this tunnel, we logged into a virtual client at the Santa Clara office and saw that it was connected to Zscaler. We also tried to reach and found that we could not access the site, as denied by the Zscaler security policy.

As we completed the previous testing, ESG observed that administrators can leverage the integration to secure the network with less time, effort, and equipment. Administrators no longer have to procure, configure, deploy, and install firewalls for each branch site. Creating the VPN tunnels over any circuit path between ROBOs and the third-party cloud service is simplified via the tagging process with minimal coordination and manual effort. This becomes especially important to minimize the network’s exposure to misconfiguration risk and decrease administration time and effort.

ESG also noted that an administrator can choose the type of Internet traffic to be secured via a third-party cloud security service. An organization may need to point all Internet traffic to a third party in order to take advantage of the cloud security gateways. Subscription costs can increase as more end-users not only access the Internet but also employ more SaaS-based applications. Since an administrator can choose specific applications that use secure VPN tunnels (e.g., Office365 versus general web browsing), usage of the third-party service can decrease and potentially lower subscription costs.

ESG then tested the effects of the VPN tunnel configuration on the General Web Browsing and Trusted Apps policies (see Figure 6). Specifically, we saw how the integration helps to whitelist application traffic. We first checked on how Autonomous SD-WAN would handle Office365 Portal traffic by clicking on Flow Browser under the Activity menu. According to the Trusted Apps policy, Office365 Portal traffic would be transmitted over any direct Internet connection only, as no backup connection was defined. The most recent connections showed that Autonomous SD-WAN adhered to policy. We then checked on traffic, which is governed by the General Web Browsing category. Figure 6 shows that Autonomous SD-WAN transmitted traffic via the Zscaler VPN tunnel over AT&T or Wiline, as they were defined as active paths.

By verifying that the specified application traffic adhered to policy, ESG saw how easily an administrator can assign applications to a whitelist/greylist. Typically, an administrator would need to configure a firewall with all possible IP addresses associated with a given application. As CloudGenix has already defined multiple applications within its solution, an administrator can simply configure policies to send specific application traffic over secure VPN tunnels. The hassle of updating firewalls with IP addresses decreases, further minimizing management and administration costs.

While the General Web Browsing and Trusted Apps policies accounted for applications on this test’s whitelist/greylist, ESG proceeded to set up policies for applications we wanted to blacklist. Instead of using the Zscaler service, we blacklisted application traffic at the device level using the ZBFW. We navigated to Security Policies under the Policies menu of the portal, clicked on Demo ZBFW and added the Deny Facebook rule (see Figure 7). Defining this rule consisted of specifying the trusted and untrusted zones and the actions taken when detecting traffic.

ESG then bound (or attached) the Demo ZBFW policy to the Santa Clara office and its ION 3000 element. We first navigated back to a list of available sites and chose the Santa Clara office, automatically binding the policy with this site. We examined the trusted and untrusted zones (shown in Figure 8) at the site and device levels. Based on the rules in the Demo ZBFW policy, the ZBFW would acknowledge the LAN as a trusted zone and the Internet (AT&T or Wiline) as an untrusted zone. At the device level, the Zscaler tunnel would be a trusted zone. The defined zones in the Deny Facebook rule would prevent any end-user attempting to access from the LAN over the Internet.

To test the Deny Facebook rule, we modified our General Web Browsing policy such that the only active path would be any circuit allowing direct Internet access over AT&T or Wiline, with no backup paths defined. Our attempt to access dropped since we were denied access to the Internet.

Although we configured the ZBFW policy once, an administrator can bind the same policy to multiple sites, as this, and other policies used during this test, are centrally defined. (This is consistent with our findings in our previous validation of Autonomous SD-WAN.) ESG sees how an administrator can save time and effort in deploying policies network-wide; as the need to travel to and configure multiple sites diminishes, operational costs can decrease. From a security perspective, deploying policies in this manner ensures consistency across a network’s ROBOs, thus lowering overall security risk. Finally, an administrator has the option of blacklisting traffic using the ZBFW, rather than using a third-party security service. The organization can further save on cloud security subscription costs when not using bandwidth for blacklisted traffic.

Why This Matters

While organizations have traditionally deployed firewalls (physical or virtual) at their branch offices to maintain network security, the manual-heavy process of procuring, deploying, and managing these devices can increase both capital and operational costs. In addition to the overall need to maintain network security is the need to maintain acceptable levels of application performance and availability that will satisfy end-users. Addressing these issues requires a solution that centralizes control and simplifies how organizations deliver secure and optimized end-user experiences.

ESG validated that CloudGenix’s CloudBlades enable organizations to set up secure active-active connections with third-party cloud security services while maintaining high application performance and availability. We confirmed that the integration of Autonomous SD-WAN with services provided by companies such as Zscaler and Palo Alto Networks can reduce the use of individual firewalls across an organization’s network. The integration also automates the setup, configuration, and management of VPN tunnels over multiple circuit types in the underlay network, which especially helps as organizations scale up existing networks with geographically dispersed offices. Time saved in automating the creation of VPN tunnels also decreases exposure to security risk. Because organizations can deploy VPN tunnels in an active-active scenario, ESG sees how they can maintain high application performance and availability while securing application traffic. The integration ultimately helps organizations to reduce capital and operational expenses while optimizing the end-user experience.

ESG also validated that organizations can leverage the CloudGenix zone-based firewall (ZBFW) to further enhance overall network security at the branch. Through policies enforced at the ZBFW, organizations can forward, isolate, or drop traffic from specific applications without relying on a third-party service. Because these policies are developed via the management portal, organizations can deploy ZBFW policies to multiple sites with minimal time and effort spent on configuring ION elements individually. ESG sees how the use of the ZBFW can decrease operational costs while maintaining security across branch offices consistently.

The Bigger Truth

Organizations have attempted to simplify network operations and administration using SD-WAN solutions. Maintaining network security using traditional firewalls can, ironically, reduce some benefits that may have been gained. Deploying, configuring, and managing firewalls at ROBOs, especially as the network scales, consumes time and resources, thus incurring capital and operational costs. In light of high-profile attacks and breaches, the issue of decreasing exposure to security risk remains a top concern. At the same time, end-users in organizations continue to demand acceptable levels of application performance and availability. Organizations need a solution that provides a secure and performance-optimized end-user experience.

As ESG validated in a previous report5 , the CloudGenix Autonomous SD-WAN enables organizations to maximize application performance and availability according to policies based on business rules and end-user expectations. To help organizations address network security, CloudGenix designed integrations with third-party cloud security solutions, enabled by CloudBlades, to automate and simplify the creation of secure VPN tunnels between the service and the organization’s ROBOs. What makes the integration compelling is that organizations can secure active-active connections at the application level. Combining the active-active path setup with the continuous monitoring of application-centric metrics, the CloudGenix Autonomous SD-WAN can support high application performance and availability and secure traffic at the application level. The zone-based firewall of the ION elements provides additional layers of security at the ROBO and device level.

ESG validated that Autonomous SD-WAN’s integration with third-party cloud security services and the ION element’s ZBFW enable organizations to maintain network security without sacrificing application performance and availability. We found that the integration simplifies how organizations create, configure, and manage secure VPN tunnels between their ROBOs and the service to leverage cloud-based NGFWs. Compared with the traditional approach of deploying and configuring firewalls at all ROBOs, ESG found that the integration can help organizations to save on both capital costs (by consolidating gateways and security appliances at every location) and operational costs (by simplifying the effort to plan, deploy, maintain, manage, and configure remote sites). Because the third-party VPN tunnels can be designed as active paths for traffic at the application level, organizations can configure active-active paths to help maintain high performance and availability. We also observed how the ZBFW can further secure an organization’s network, specifically when blacklisting certain applications. Finally, we saw how organizations can apply security policies (tied either with specific applications or the ZBFW) consistently as they can be created once via the centralized management portal, then deployed across multiple sites and devices remotely, further decreasing operational costs.

The importance of minimizing your network’s exposure to security risk is real, yet compromising application performance or availability is not an option. End-users expect and deserve the best application experience possible. Should your organization face this challenge, we suggest taking a close look at CloudGenix’s CloudBlades.

1. Source: ESG Master Survey Results, 2019 Technology Spending Intentions Survey, March 2019.
2. For more information regarding CloudGenix Autonomous SD-WAN’s capabilities, please refer to ESG Technical Review: Optimizing the End-user Experience with Applications Using CloudGenix AppFabric SD-WAN, October 2018.
3. For more information regarding CloudGenix Autonomous SD-WAN’s capabilities, please refer to ESG Technical Review: Optimizing the End-user Experience with Applications Using CloudGenix AppFabric SD-WAN, October 2018.
4. A Zscaler Enforcement Node (ZEN) is a key component of Zscaler’s cloud security service and acts as a gateway that enforces security, compliance, and firewall policies. Customers who use Zscaler’s ZIA service forward their Internet traffic to these nodes in the Zscaler cloud.
5. ESG Technical Review: Optimizing the End-user Experience with Applications Using CloudGenix AppFabric SD-WAN, October 2018.
This ESG Technical Review was commissioned by CloudGenix and is distributed under license from ESG.
Topics: Cybersecurity Cloud Services & Orchestration