Print

VeloCloud SD-WAN 6.4 - Design Guide - Reference Architecture Print

Reference Architecture

The reference architecture describes the basic topology, use cases, and functionality of the EFS components when activated for accessing applications in a multi-cloud environment, whether it be for branch-to-branch traffic, branch-to-hub traffic, or when accessing SaaS applications on the public cloud.

Topology

This guide uses the following topology. The topology illustrates use of the Edge at the branches and at the hub site with EFS functionality.
Figure 1. Topology Diagram

Use Cases

Table 1. Use Cases
Use Case Description
Private Access Private Access refers to those inter and intra-branch communications. While perimeter security is essential, internal traffic protection with EFS ensures that potential threats within the network are promptly identified and neutralized, thus maintaining the integrity and confidentiality of organizational assets.
Internet Access without Secure Web Gateway (SWG) Direct Internet Access (DIA) provides direct connectivity to the Internet, which can improve efficiency and user experience. However, it also introduces new security challenges. Deploying EFS ensures that this convenience does not come at the cost of security, safeguarding your Enterprise from potential threats.
Internet Access with Secure Web Gateway (SWG) A more comprehensive approach for securing Internet/SaaS traffic would be to pair EFS with a third party SSE (Secure Service Edge) and its many security capabilities, such as sandboxing, SSL decryption, URL and content filtering, Data Loss Prevention (DLP), and Cloud Access Security Broker (CASB).

EFS Features

IDS/IPS

The following diagram illustrates the signature flow. The Edge employs a Suricata solution for IDPS engine and signatures. The Arista VeloCloud Security team carefully curates and verifies signatures from third-party agencies. To ensure the Edge has the most up-to-date signatures, the Orchestrator queries the VeloCloud Threat Intelligence cloud every 4 hours.
Figure 2. Signature Flow Diagram

Hosted Logging

Regionally hosted logging is included in the base VeloCloud SD-WAN license. This means that logs are stored in the same region as the Orchestrator (virtual controller). By default, 15 GB of logs per Enterprise or seven days of logs per Edge, whichever comes first, kept. Logs can be viewed under the Firewall Logs section of the dashboard. There are options to search and filter for the specific data needed for troubleshooting or investigating. From this view, there is also a button to export the logs locally into a CSV format.

Note: Arista strongly recommends not enabling firewall logging on allow rules. Non-DENY logs will be rate-limited to 50K messages per hour.

 

Figure 3. Hosted Logging View

Security Overview Dashboard

The Security Overview dashboard provides a comprehensive overview of your Enterprise's threat landscape. A quick response is essential in addressing threats. This dashboard displays threats and their severity, the source of attacks, and the affected Edges, allowing you to take corrective action quickly.

Figure 4. Security Overview Dashboard

Solution Components

  • VeloCloud Orchestrator (Hosted by Arista or On-prem)
    • On-prem deployments require additional conversation and configuration. Contact the VeloCloud Support team.
  • VeloCloud Edge. All actively selling Edge types (physical and virtual) support Enhanced Firewall Services (EFS).

System Requirements

To benefit from Enhanced Firewall Services (EFS), use a Premium V2 Arista VeloCloud license or an add-on license (SDEX-EFS-100M-1M) with all other SD-WAN license editions.

..