With this integration, we are making it easier for our customers to secure their internet-bound traffic with visibility beyond just basic IP addresses. In a Catalyst SD-WAN branch, people and things are grouped using VPNs, also known as VRFs. We are now able to send this VPN/VRF tag/label from SD-WAN to Secure Access in the data flow, so we are able to inspect the traffic and enforce different policies for different tags/labels. The use of the VPN/VRF offers deeper context than using just IP addresses. Typically, it is difficult to compromise a network that is segmented, and every single Catalyst SD-WAN customer can benefit from this context-aware policy leveraging VRF/VPN, which we refer to as macro segmentation.
Many of our customers have Cisco ISE in their network. Cisco ISE can tag user and device traffic and offers the ability to further segment users and things with those tags, known as SGTs (Security/Scalable Group Tags). We refer to this as micro segmentation. Micro segmentation provides more granular control over traffic flows, enabling organizations to reduce the attack surface of the network by limiting the lateral movement of threats. The seamless integration experience between Secure Access and ISE is enabled via Context Service on Security Cloud Control, a core platform providing a standard and consistent representation of SGTs.
We are now able to send both VPNs and SGTs from SD-WAN to Secure Access to consistently enforce security policies in both the branch and in the cloud. Additionally, we are now able to associate SGTs with VPNaaS users, enabling the unique capability to maintain common policy and consistent security, whether users are in the office or remote.