The Business Need

In traditional wide-area designs, Internet traffic from remote sites is sent first to a centralized data center or hub site. Then the traffic is pushed through the company's security stack and only then it is routed out to the Internet. The returning traffic also traverses the security stack before it is sent back to the remote site. This is typically done because the cost of installing and operating a security stack in every remote location is very high.

Backhauling Internet traffic through a Datacenter
Figure 1. Backhauling Internet traffic through a Datacenter

However, the fast adoption of Internet-based applications and teleworking created the following issues with this WAN design:

  • Scale - With the ever-increasing Internet demands at each remote branch and the use of SaaS apps such as Office 365 and Salesforce, backhauling the Internet traffic from every branch to the data center creates a bottleneck at the DC's Internet circuits. In addition, the centralized security stack and the network devices at the DC must scale vertically with the number of branches. 
  • Apps Performance -  By re-routing traffic from the branch to DC to the Internet and back, applications incur increased latency. Depending on the underlying geography, this can result in significant performance degradation for some business-critical apps.
  • Cost - Having said the above, it is obvious that the centralized hub site must scale vertically when the number of remote sites increases. This implies higher hardware and WAN costs at the data center location. 

Cisco SD-WAN allows for a better more scalable approach to Internet usage at remote sites. The feature is called Direct Internet Access and as the name implies, it allows particular users and applications to access SaaS/IaaS services directly through the local Internet circuits.

Cisco SD-WAN Direct Internet Access (DIA)

Cisco SD-WAN Direct Internet Access is a solution that improves the user experience for SaaS applications at remote sites by eliminating the performance degradations related to backhauling Internet traffic to central data centers. DIA allows control of Internet access on a per VPN basis. 

Cisco SD-WAN Direct Internet Access
Figure 2. Cisco SD-WAN Direct Internet Access

Security

Cisco SD-WAN allows pushing the security stack directly on the WAN edge devices onsite. This reduces the need for security appliances at every branch, by providing inbuilt security features which include DNS security, Application-aware firewall, URL filtering, IPS/IDS, and Advanced Malware Protection (AMP).

In addition, instead of enabling the security stack at the WAN edge routers, the DIA feature allows for routing the traffic through a cloud security provider. In this case, the traffic from a particular remote site is routed to the cloud security provider through point-to-point IPsec tunnels. The cloud security provider then pushes the traffic through the predefined security policies and route it out to the Internet.

DIA traffic through a cloud service provider
Figure 3. DIA traffic through a cloud service provider

Guest Access

Cisco SD-WAN provides an easy and secure way to create an isolated Guests segment that is isolated from the enterprise network and has its own security policies. Typical DIA traffic policies include:

  • Restricting bandwidth usage of guests users
  • Restricting access to certain Internet resources
  • Restricting access to internal  enterprise resources
  • Protecting the network from malicious content