Cisco SD-WAN Security

Kureli Sankar, Technical Marketing Manager BRKRST-2720

#CiscoLiveAPJC

About Kureli Sankar
• BS in Electrical and Electronics Engineering
• 2006 – 2013: TAC Engineer
• CCIE Security #35505
• 2013 – 2018: TME
• 2019 – Present: TME Manager
• Areas of expertise: IOS and IOS-XE security features, SD-WAN security solutions
• 2018: Distinguished Speaker, Cisco Live (EUR and ANZ)

#CiscoLiveAPJC BRKRST-2720 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Secure Branch
  • Enterprise App Aware Firewall
  • Intrusion Prevention
  • URL Filtering
  • DNS/Web-layer Security
  • Advanced Malware Protection + Threat Grid
• Secure Management
• Demo

Introduction

SD-WAN Exposes New Security Challenges

Direct Internet access from the branch exposes new ingress points and expands the attack surface, policy gaps appear where traffic is no longer backhauled, and the fabric has to defend against bad destinations and data breaches. In the typical picture the data center and campus have existing security, the branches have basic or no security, and there is no cloud security edge.

Outside-in threats (Internet, SaaS, IaaS)
• Exposed ingress access points, as traffic is no longer backhauled to the data center
• Unauthorized access
• Denial of service attacks

Inside-out threats (corporate and remote users, devices, IoT, mobile guests at the branch)
• Malware and infection
• Command and control
• Users and devices requesting access to critical infrastructure and applications
• Untrusted users and devices

Internal threats (across the SD-WAN fabric, data center and campus)
• Traffic must be encrypted and access must be segmented end to end
• Lateral movement
• Compliance
• Man-in-the-middle

Comprehensive SD-WAN Security

Secure cloud edge (cloud-grade security)
• Umbrella's Secure Internet Gateway protects users and devices inside-out, from the WAN edge to the cloud
• Mitigates external security risks

Secure WAN edge (full edge security stack embedded)
• Enterprise firewall with integrated intrusion prevention, URL filtering and malware sandboxing embedded in the WAN edge router
• End-to-end segmentation to stop breach propagation and enforce regulatory compliance
• Shortest time to threat detection, powered by Talos
• Single console to manage routing and security

Simplified, secure enterprise internal connections
• Mitigates internal security risks with a secure SD-WAN fabric: thin, rich or full payload encryption between edge routers, with simple or flexible routing configurations
• Duo's multi-factor authentication verifies that only trusted users and devices access cloud and on-prem applications (zero trust at the network and application layer)

Cisco SD-WAN Holistic Approach

Figure: users, devices and things connect through the SD-WAN fabric to the data center, virtual DC, IaaS, SaaS, IoT and edge computing, with Cloud OnRamp. Fabric attributes: secure, scalable, app aware, multitenant / cloud-delivered, rich analytics, highly automated.

Secure Infrastructure

Cisco SD-WAN Architecture

Orchestration plane: vBond
• First point of authentication
• Distributes the list of vSmarts / vManage to all WAN Edge routers
• Facilitates NAT traversal

Management plane: vManage
• Single pane of glass for Day 0, Day 1 and Day 2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs (third-party automation, vAnalytics)

Control plane: vSmart controllers
• Disseminates control plane information between WAN Edges
• Distributes data plane policies
• Implements control plane policies

Data plane: WAN Edge routers (physical or virtual)
• Zero Touch Provisioning
• Establishes the secure fabric over the MPLS, 4G and Internet transports
• Implements data plane policies
• Exports performance statistics

Sites: cloud, data center, campus, branch, CoLo.

High Level View of Ordering and On-Boarding

1. The order is placed in Cisco Commerce Workspace; the Smart Account or Virtual Account details specified on the order are used for device list creation.
2. The device list is passed to the Plug and Play (PnP) Cloud Service (Smart Account automation).
3. In PnP, a vBond controller profile is added and associated with the organization name (Org-Name).
4. vManage syncs with the Smart Account and pushes the device list to the overlay (vManage, vBond and the WAN Edge routers).

Parties shown in the figure: customer, service provider and end customer.

Device Identity and Integrity

History of Malware Found on Cisco IOS Devices

Incident 0 (discovered 2011)
• Devices affected: Cisco 2800 and 3800 families
• Infection method: modifications to the IOS binary
• Remote detectability: via crypto analysis
• Preventions to be taken: Trust Anchor technology, Secure Boot and image signing
• Complexity level: Low

Incident 1 (discovered 2012)
• Devices affected: Cisco 2800 and 3800 families
• Infection method: modifications to the IOS binary
• Remote detectability: via crypto analysis
• Preventions to be taken: Trust Anchor technology, Secure Boot and image signing
• Complexity level: Low

Incident 2 (discovered 2013)
• Devices affected: Cisco 7600 IOS and line cards
• Infection method: modification of in-memory IOS
• Remote detectability: C2 protocol
• Preventions to be taken: strong admin credentials and authorization
• Complexity level: Medium

Incident 3 (discovered 2013)
• Devices affected: Cisco 7600 IOS and line cards
• Infection method: modification of in-memory IOS
• Remote detectability: C2 protocol
• Preventions to be taken: strong admin credentials and authorization
• Complexity level: Medium

Incident 4 (discovered 2014)
• Devices affected: Cisco 1800, 3800, 7200 IOS and ROMMON
• Infection method: modification to both ROMMON and IOS
• Remote detectability: not directly
• Preventions to be taken: Secure Boot, Trust Anchor technologies and image signing
• Complexity level: High

Incident 5, "SYNful Knock" (discovered 2015)
• Devices affected: Cisco 1841, 2811, 3825
• Infection method: modifications to the IOS binary and in-memory code
• Remote detectability: yes
• Preventions to be taken: strong admin credentials, Secure Boot, image signing
• Complexity level: Low

Key Trustworthy Technologies

Secure Boot of signed images
▪ Prevents malicious code from booting on a Cisco platform
▪ Automated integrity checks
▪ Monitors the startup process and shuts down if compromised
▪ Faster identification of threats

Trust Anchor module (TAm)
▪ Tamper-resistant chip with an X.509 certificate installed at manufacturing
▪ Provides unique device identity and anti-counterfeit protections
▪ Secure, non-volatile on-board storage and RNG/crypto services
▪ Enables zero-touch provisioning and minimizes deployment costs

Runtime Defenses (RTD)
▪ Protects against injection of malicious code into running software
▪ Makes it harder for attackers to exploit vulnerabilities in running software
▪ Runtime technologies include ASLR, BOSC (built-in object size checking) and X-Space (executable space protection)

Trustworthy technologies enhance the security and resilience of Cisco solutions.

Secure Unique Device Identification (SUDI)

• Tamperproof ID for the device
• Binds the hardware identity (the product ID, PID) to a key pair in a cryptographically secure X.509 certificate during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR compliant

Image Signing: Integrity and Non-Repudiation

At Cisco:
1. The software image is hashed with SHA-512 to a unique 64-byte digest.
2. The hash is signed with Cisco's private key (the slide describes this as "encrypting" the hash).
3. The resulting digital signature is appended to the final image.
4. The customer downloads the image onto the device.

Validation check at the customer site:
5. Cisco's public key stored on the router is used to verify (the slide says "decrypt") the digital signature, recovering the SHA-512 hash Cisco signed; the router hashes the downloaded image and compares. A mismatch means the image was modified or was not signed by Cisco.

Cisco Secure Boot: Software and Hardware Integrity Checks

Software authenticity checks
• Step 1: The first instructions run on the CPU are the microloader, stored in tamper-resistant hardware (the FPGA); this is the hardware anchor / root of trust.
• Step 2: The microloader checks the bootloader.
• Step 3: The bootloader checks the OS.
• Step 4: The OS is launched.

Hardware authenticity check
• Step 5: Authenticity and license checks.
• Step 6: The Trust Anchor module (TAm) provides critical services.

Secure boot checks images and verifies that software is authentic and unmodified before it is allowed to boot.
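The two slides above describe signing at Cisco (a SHA-512 digest signed with Cisco's private key and appended to the image) and the boot chain that verifies each stage before launching it. The Go program below is an added example written for this page, not Cisco code: it signs constructed sample images with RSA PKCS#1 v1.5 over SHA-512, appends the signature plus a 4-byte length (a layout chosen here; the slide does not describe the real image format), and walks a microloader → bootloader → OS chain in which one trusted public key stands in for the key held in the Trust Anchor. Flipping a single byte of the OS image body while keeping its signature halts the boot at that stage; a different vendor key fails verification outright.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// signImage hashes the image with SHA-512, signs the digest with the vendor
// private key (PKCS#1 v1.5) and returns image || signature || uint32 sig length.
// The trailer layout is constructed for this example.
func signImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha512.Sum512(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, image...)
	out = append(out, sig...)
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(sig)))
	return append(out, l[:]...), nil
}

// verifyImage splits the trailer off, recomputes SHA-512 over the body and checks
// the signature with the trusted public key. It returns the body only on success.
func verifyImage(pub *rsa.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < 4 {
		return nil, errors.New("image truncated: no signature trailer")
	}
	n := int(binary.BigEndian.Uint32(signed[len(signed)-4:]))
	if n <= 0 || n > len(signed)-4 {
		return nil, errors.New("bad signature length")
	}
	body := signed[:len(signed)-4-n]
	sig := signed[len(signed)-4-n : len(signed)-4]
	digest := sha512.Sum512(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return body, nil
}

// Stage is one link of the boot chain: its name and the signed image bytes.
type Stage struct {
	Name   string
	Signed []byte
}

// secureBoot models the slide: the microloader (root of trust, holding rootPub)
// verifies the bootloader, which verifies the OS. A failed check halts the boot and
// nothing after the failing stage is launched. It returns what did launch.
func secureBoot(rootPub *rsa.PublicKey, chain []Stage) ([]string, error) {
	launched := []string{"microloader (root of trust)"}
	for _, st := range chain {
		if _, err := verifyImage(rootPub, st.Signed); err != nil {
			return launched, fmt.Errorf("%s: %v; halting boot", st.Name, err)
		}
		launched = append(launched, st.Name)
	}
	return launched, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for Cisco's signing key
	bl, _ := signImage(priv, []byte("bootloader v1 (constructed sample)"))
	osImg, _ := signImage(priv, []byte("IOS XE image (constructed sample)"))
	fmt.Println(secureBoot(&priv.PublicKey, []Stage{{"bootloader", bl}, {"os", osImg}}))

	// Implant-style tamper: change one byte of the OS body but keep the signature.
	bad := append([]byte{}, osImg...)
	bad[3] ^= 0x01
	fmt.Println(secureBoot(&priv.PublicKey, []Stage{{"bootloader", bl}, {"os", bad}}))
}
```

The same routine serves both slides: steps 1 to 3 are signImage, step 5 is verifyImage, and the chain walk is the per-stage check that Secure Boot performs before launching the next stage.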

Secure Control Plane

Transport Locators (TLOCs)

• A TLOC identifies one transport attachment of a WAN Edge: (System IP, Color, Encapsulation).
• Each WAN Edge advertises its local TLOCs to the vSmarts over OMP (default).
• The vSmarts advertise the TLOCs to all WAN Edges (default*), which build IPsec tunnels between them, yielding a full-mesh SD-WAN fabric.
• * TLOC distribution can be influenced by control policies.

Secure Data Plane

Data Plane Privacy

▪ Each WAN Edge generates its own IPsec encryption keys locally, one per transport (Encr-Key1 for Transport1 and Encr-Key2 for Transport2 on one edge; Encr-Key3 and Encr-Key4 on the other), and advertises them to the vSmart controllers as OMP TLOC attributes.
▪ The vSmart controllers pass the keys on in OMP updates, so each edge holds its local (generated) keys and the remote (received) keys of its peers.
▪ Symmetric encryption keys, used asymmetrically.
▪ Keys can be rapidly rotated.
▪ Packet format: IP | UDP | ESP | original packet (encrypted). Data plane: AES-256-GCM (or CBC); control plane: AES-256-GCM.

SD-WAN Fabric Operation Walk-Through

• WAN Edges establish DTLS/TLS tunnels to the vSmart controller and exchange OMP updates carrying reachability (IP subnets, TLOCs), security (encryption keys) and policy (data and app-route policies).
• vSmart applies OMP policies and redistributes the updates to the other WAN Edges.
• WAN Edges build IPsec tunnels between their TLOCs over each transport (Transport1, Transport2) and run BFD across them.
• Local subnets (A and B in VPN1/VPN2 at one site; C and D at the other), learned via BGP, OSPF, connected and static routes, are advertised into OMP per VPN.

Pairwise IPsec Keys for SA

Figure: Edge-A, Edge-B and Edge-C are connected over the Internet, each with a DTLS control connection to vSmart and IPsec/GRE tunnels to the other edges. With pairwise keys, Edge-A generates a distinct encryption key per peer ("A's encryption key for B", "A's encryption key for C"), so every security association has its own key instead of one per-transport key shared with all peers.
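Pulling the two data-plane slides together, the Go program below is an added example written for this page, not Cisco code: it models how pairwise keys reach the peers. Each of Edge-A, Edge-B and Edge-C generates a fresh 256-bit key per peer, a stand-in vSmart relays each advert only to the peer it names, and packets are protected with AES-256-GCM as ESP would. The direction is an assumption stated in the comments: the key an edge generates for a peer is the one that peer uses to encrypt toward it, so the generating edge decrypts with its local key and sends with the remote key it received. Edge-C, holding different keys, cannot decrypt a packet Edge-A sent to Edge-B, which is the point of pairwise SAs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyAdvert models the OMP TLOC attribute carrying a pairwise key: who generated
// it, which peer it is for, and the AES-256 key itself.
type KeyAdvert struct {
	Owner, Peer string
	Key         []byte
}

// Edge keeps the keys it generated (one per peer, used to decrypt traffic from that
// peer) and the keys received via vSmart (used to encrypt toward that peer). Which
// side encrypts with which key is an assumption of this example, not from the slide.
type Edge struct {
	Name          string
	local, remote map[string][]byte
}

func newEdge(name string) *Edge {
	return &Edge{Name: name, local: map[string][]byte{}, remote: map[string][]byte{}}
}

// generatePairwise creates a fresh random 256-bit key per peer and returns the
// adverts this edge would send to the vSmart controllers.
func (e *Edge) generatePairwise(peers []string) ([]KeyAdvert, error) {
	var adverts []KeyAdvert
	for _, p := range peers {
		if p == e.Name {
			continue
		}
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		e.local[p] = k
		adverts = append(adverts, KeyAdvert{Owner: e.Name, Peer: p, Key: k})
	}
	return adverts, nil
}

// VSmart is a stand-in controller: it relays each advert only to the peer it names.
type VSmart struct{ edges map[string]*Edge }

func (v *VSmart) distribute(adverts []KeyAdvert) {
	for _, a := range adverts {
		if dst, ok := v.edges[a.Peer]; ok {
			dst.remote[a.Owner] = a.Key
		}
	}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// send encrypts toward peer with the key that peer generated for us. Output is
// random 96-bit nonce || AES-256-GCM ciphertext; the "src->dst" label is bound as
// additional data so the packet cannot be replayed against another SA.
func (e *Edge) send(peer string, payload []byte) ([]byte, error) {
	k, ok := e.remote[peer]
	if !ok {
		return nil, fmt.Errorf("%s has no key from %s yet", e.Name, peer)
	}
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, payload, []byte(e.Name+"->"+peer))...), nil
}

// recv decrypts a packet from sender with the key we generated for that sender.
func (e *Edge) recv(from string, packet []byte) ([]byte, error) {
	k, ok := e.local[from]
	if !ok {
		return nil, fmt.Errorf("%s has no local key for %s", e.Name, from)
	}
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	if len(packet) < gcm.NonceSize() {
		return nil, fmt.Errorf("packet shorter than nonce")
	}
	return gcm.Open(nil, packet[:gcm.NonceSize()], packet[gcm.NonceSize():], []byte(from+"->"+e.Name))
}

// buildFabric creates Edge-A, Edge-B and Edge-C, has each generate pairwise keys
// and lets the vSmart stand-in distribute them.
func buildFabric() (map[string]*Edge, error) {
	names := []string{"Edge-A", "Edge-B", "Edge-C"}
	v := &VSmart{edges: map[string]*Edge{}}
	for _, n := range names {
		v.edges[n] = newEdge(n)
	}
	for _, n := range names {
		adverts, err := v.edges[n].generatePairwise(names)
		if err != nil {
			return nil, err
		}
		v.distribute(adverts)
	}
	return v.edges, nil
}

func main() {
	edges, _ := buildFabric()
	pkt, _ := edges["Edge-A"].send("Edge-B", []byte("constructed sample payload"))
	got, err := edges["Edge-B"].recv("Edge-A", pkt)
	fmt.Printf("Edge-B decrypts A->B: %q (err=%v)\n", got, err)
	_, err = edges["Edge-C"].recv("Edge-A", pkt)
	fmt.Println("Edge-C on the same packet:", err)
}
```

Rotation falls out of the same model: an edge calls generatePairwise again and lets vSmart redistribute, after which packets protected with the old keys no longer authenticate.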

Combining Best of Breed in Security and SD-WAN

• Enterprise Firewall: 1400+ layer 7 applications classified
• Intrusion Prevention System: the most widely deployed IPS engine in the world
• URL Filtering: Cisco web reputation score using 82+ web categories
• Advanced Malware Protection: file reputation and sandboxing (Threat Grid)
• Secure Internet Gateway: DNS security / cloud firewall with Cisco Umbrella
• Coming soon: TLS/SSL proxy to detect threats in encrypted traffic

Deployment in hours instead of weeks and months.

Secure Branch

Why SD-WAN Branch Security?

1. Avoid backhauling. Benefit: better use of WAN bandwidth.
2. Regional SaaS PoP. Benefit: improves application performance.
3. Enable DIA (Direct Internet Access). Benefit: improves user experience.
4. Centralized policy and monitoring. Benefit: consistent security policy and monitoring.

Figure: the branch reaches SaaS/IaaS/private cloud/Internet directly, with branch security (firewall/IPS) on the WAN Edge and cloud security, while the data center remains reachable over the fabric.

SD-WAN Security Use Cases

• Direct Internet Access: Cisco Umbrella, firewall, IPS, URL filtering, AMP + Threat Grid
• Guest services: firewall, URL filtering
• Industry compliance: firewall, IPS, AMP + Threat Grid

Figure: employees, contractors and guests are placed in separate segments (VPN1, VPN2, VPN3) with direct Internet access from the branch and data center applications reached over the SD-WAN fabric; everything is configured from vManage.

Security Deployment Models: flexible security based on customer needs

• Cloud security: lean branch with security in the cloud
• Integrated security: a single platform for routing and security at the branch
• Co-location: security services as VNFs at a regional colocation hub

Use Case 1: PCI Compliance

Use cases
• PCI-DSS: retail stores
• HIPAA: hospitals/clinics
• FERPA: schools/colleges/universities

Requirements
• Segmentation
• Perimeter control
• Intrusion prevention

Figure: branch with direct Internet access and data center applications over the fabric.

Use Case 2: Guest Access

Use cases
• Retail stores
• Hospitals/clinics
• Schools/colleges/universities

Requirements
• Segmentation
• Application control
• Liability protection

Use Case 3: Direct Cloud Access

Figure: VPN1 (employees) and VPN2 (guests) at the branch. HQ-destined traffic goes to the data center applications over the fabric, employee SaaS traffic goes directly to SaaS, and employee and guest Internet traffic exit locally.

Use cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Extranet or partner cloud applications
• Partner applications

Requirements
• Controlled redirection
• Application control
• Intrusion prevention
• Malware prevention

Use Case 4: Direct Internet Access

Figure: VPN1 (employees) and VPN2 (guests) at the branch. HQ-destined traffic goes to the data center applications over the fabric; employee Internet traffic, employee SaaS traffic and guest Internet traffic exit directly to the Internet.

Use cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Web conferencing / social media
• Video streaming applications

Requirements
• Application control
• Intrusion prevention
• Malware prevention
• Web content filtering

Why Multi-Layered Security and How Does it Work?

Multi-layer Security

• Access Control Lists (Network Access Control)

• Stateful Firewall (Layer 4 inspection)

• Application Control (Layer 7 inspection)

• IPS (Signature Detection)

• DNS/Web/Content Filtering (Application inspection)

• IP Reputation (Block known bad IPs)

• File Reputation (Block known bad Files)

• Anti-Malware / Anti-Virus (Signature / Heuristic Detection)

• Sandboxing Capabilities (Zero-day threats)

• CASB (Cloud Access Security Broker) (Cloud Applications)

• TLS/SSL Decryption (Man in the Middle (MiTM)) (Encrypted Applications)

Access Control Lists

• Network access control: prevent unauthorized access
• Match at the IP or protocol/port level (source IP, destination IP, TCP port, SYN flag); the HTTP header, URL and payload are not inspected
• No directional control: an ACL keeps no connection state, so return traffic has to be permitted explicitly

Stateful Firewall

• Deep inspection with session tracking (stateful inspection) across the packet: source/destination IP, TCP port, SYN, HTTP, URL, data
• Application layer gateway; detection of protocol misbehaviors
• Directional control: return traffic is admitted only for sessions initiated from the permitted side
• Stricter layer 4 control
• App-aware firewall: adds application identification on top of the stateful firewall

Firewall vs Next-Gen Firewall: What's the Difference?

Stateful firewall
• Deep inspection
• Stateful inspection
• Protocol misbehaviors
• Directional control
• Stricter layer 4 control

Next-gen firewall (adds to the above)
• Application identification (AppID)
• Access control by layer 7 inspection
• User ID / context based policy
• Intrusion prevention (IPS)
• URL/DNS/web content filtering (URLF)
• Anti-malware / anti-virus (AMP)
• Advanced logging / alerting
• SIEM integration
• TLS/SSL inspection
• Threat intel integration

Intrusion Detection/Prevention System (IDS/IPS)

Example Snort rule shown on the slide:

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)

• The packet decoder parses the MAC, IP, TCP and HTTP layers; preprocessors (protocol engines) check for protocol-level misbehaviours and track L3–L7 state, L2/L3 sessions, files and AppID
• The detection engine matches attack signatures (rules) against the decoded stream, e.g. the HTTP_CLIENT_BODY buffer
• The output module emits alerts, packet logs and the verdict
• Rules (signatures) are updated as and when new attacks are identified

URL-Filtering Solution Overview

1. User-1 and User-2 behind the WAN Edge send web requests; HQ-destined traffic goes to the data centre applications untouched.
2. Internet-bound requests are handed to the URLF engine.
3. The engine checks the request against the white list and black list, then the URL's category and its reputation.
4. Allowed Internet traffic is forwarded; a blocked request is answered with a block page.

DNS-Filtering Solution Overview (Cisco Umbrella)

1. User-1 or User-2 sends a DNS request, which the WAN Edge intercepts.
2. The WAN Edge forwards the request to Umbrella.
3. Umbrella returns the DNS response: a normal answer for an allowed domain, or a response that steers a blocked request to the block page.
4. The client connects to the returned address.
5. Allowed content flows from the Internet; for a blocked request the user receives the blocked-content page instead.

File Reputation & Retrospection Service – Solution Overview

How it works
1. Martha requests a file from a web server.
2. The file download is intercepted by the WAN Edge.
3. The FRS engine calculates the file's SHA-256.
4. The hash is looked up (file verify) in the local cache or the cloud File Reputation Service database.
5. The service returns a verdict: good or bad files, keyed by SHA-256 (e.g. f11c3d6770b6…, 91f59420a752… good; 8e8ca2642a6e…, 8e8f460c74b0… bad).
6. The file is released (allowed) or blocked.

What it does
• SHA-256 match against a frequently updated database of known good and bad files (filename, sha256)
• Known bad files are blocked
• File retrospection: if a file's verdict changes later, files already delivered are reported

File Analysis (Sandbox) – Solution Overview

How it works
1. Martha requests a file; the download is intercepted by the WAN Edge.
2. The FRS engine computes the SHA and looks it up (file verify) in the cache or File Reputation Service.
3. If the reputation is unknown, the file is transferred to the File Analysis Service.
4. The file runs in a virtual environment; bad files are blocked, otherwise the file is allowed.

What it does
• Executes the file in a VM
• Analyzes file execution and file content
• Detects malicious behavior

Cloud Access Security Broker (CASB) – Solution Overview

How it works: the CASB sits between branch users (via the WAN Edge over MPLS/INET) and cloud applications as a forward proxy, a reverse proxy, or an API node.

What it does
• Visibility
• Policy compliance
• Security
• Authentication and authorization
• Device profiling
• Encryption
• Data loss prevention
• Malware prevention

TLS/SSL Decryption (MiTM Proxy) – Solution Overview

Why do you need it?
• More applications and data are cloud hosted, and the Internet is "going dark": over 80% of Internet traffic is encrypted
• Without decryption there is no security control over threats hidden in encrypted traffic

How does it work?
• The URL request is intercepted and the server certificate is checked
• The proxy re-signs the server certificate with its own certificate authority
• User traffic is redirected through the proxy, decrypted and inspected in clear text, then re-encrypted and sent on
• In the figure, employee Internet traffic on G0/0/0 and G0/0/1 is proxied, while HQ-destined traffic to the data centre applications is not

What does it do?
• Runs a certificate signing authority and re-signs server certificates
• Redirects traffic through the security stack
• Enforces security controls and inspects for malware

Clients must have the proxy's signing CA in their trust store, or every proxied site raises a certificate warning.

Manage in Cloud or On-Prem: Full Edge Security, Branch Router Flexibility

Single pane of glass (vManage)
• Provision
• Manage
• Monitor
• Report
• Troubleshoot

Embedded security
• Enterprise Firewall App Aware
• IPS
• URL filtering
• AMP and Threat Grid
• DNS/web-layer security
• Secure Internet Gateway

Platforms
• ISR 1K
• ISR 4K
• ENCS (ISRv)
• CSR
• ASR 1K (Ent FW App Aware and DNS/web-layer security)
• vEdges (firewall and DNS/web-layer security)

SD-WAN Security: vManage Provisioning Wizard

Configuration > Security

Enterprise App Aware Firewall

Enterprise App Aware Firewall

• Stateful firewall with zone policies
• Application visibility and granular control: 1400+ layer 7 applications classified
• Drop traffic by application category or by specific application
• Segmentation
• PCI compliance
• High-speed logging (HSL)
• Self-zone policy

Figure: an edge device with an Inside zone (users, Service-VPN 1), a Guest zone (devices, Service-VPN 2) and an Outside zone (Internet, SaaS). An inspect policy from inside to outside allows only the return traffic of those sessions back in.

Ent. Firewall App Aware: Intra-Zone Security

Zone1 maps to VPN1 at both SD-WAN Site A and SD-WAN Site B. Hosts in Zone1 at Site A talk to hosts in Zone1 at Site B across the SD-WAN fabric, and the intra-zone policy on each WAN Edge applies one action to that traffic: D (drop), I (inspect) or P (pass).

Ent. Firewall App Aware: Inter-Zone Security

At Site A, Zone1 is VPN1 and Zone2 is VPN2, with VPN1-to-VPN2 route leaking configured via vSmart. Traffic crossing from Zone1 to Zone2, including traffic arriving over the fabric from Zone1/VPN1 at Site B, is subject to the zone-pair policy with actions D (drop), I (inspect) or P (pass).

Ent. Firewall App Aware: Self-Zone Security

The self zone is the WAN Edge itself: VPN0, the transport and control plane side with its control connections to the cloud controllers and NAT for direct Internet access. Zone pairs between the self zone and Zone1, Zone2 or Zone3 (hosts and a printer at Site A, hosts at Site B) control traffic destined to or originated by the router, with actions D (drop), I (inspect) or P (pass).
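The three zone slides above (intra-zone, inter-zone and self zone) all reduce to a zone-pair lookup with a drop/inspect/pass action, plus an application-aware deny inside the pair. The Go program below is an added example written for this page, not Cisco code or the IOS-XE implementation; it models that evaluation with a session table so the slide's point about inspect policies ("only return traffic is allowed") is visible: an inspected inside-to-outside session lets its reply back in, an unsolicited outside-to-inside packet is dropped, and a pass action creates no session. The defaults when no zone pair is configured (same-zone and self-zone traffic pass, other inter-zone traffic drops) follow IOS-XE zone-based firewall behaviour and are an assumption here, as are the zone names, applications and addresses.

```go
package main

import "fmt"

// Action is the per-zone-pair action from the slides: D (drop), I (inspect), P (pass).
type Action int

const (
	Drop Action = iota
	Inspect
	Pass
)

// Flow is one packet as the firewall sees it: source/destination zone, endpoints
// ("ip:port"), protocol and the application the app-aware engine identified.
type Flow struct {
	SrcZone, DstZone string
	Src, Dst         string
	Proto            string
	App              string
}

type zonePair struct{ from, to string }

// Rule is the policy attached to a zone pair: an action plus applications to drop.
type Rule struct {
	Action      Action
	BlockedApps map[string]bool
}

// Firewall is a minimal zone-based firewall with an inspected-session table.
type Firewall struct {
	selfZone string
	policy   map[zonePair]Rule
	sessions map[string]bool
}

func NewFirewall(selfZone string) *Firewall {
	return &Firewall{selfZone: selfZone, policy: map[zonePair]Rule{}, sessions: map[string]bool{}}
}

// AddPolicy attaches a rule to the zone pair from->to (same zone = intra-zone policy).
func (fw *Firewall) AddPolicy(from, to string, a Action, blockedApps ...string) {
	r := Rule{Action: a, BlockedApps: map[string]bool{}}
	for _, app := range blockedApps {
		r.BlockedApps[app] = true
	}
	fw.policy[zonePair{from, to}] = r
}

func sessionKey(f Flow) string { return f.Proto + " " + f.Src + " -> " + f.Dst }

// Reverse builds the return flow of f, i.e. the reply packet.
func Reverse(f Flow) Flow {
	return Flow{SrcZone: f.DstZone, DstZone: f.SrcZone, Src: f.Dst, Dst: f.Src, Proto: f.Proto, App: f.App}
}

// Evaluate returns whether the packet is forwarded and why.
func (fw *Firewall) Evaluate(f Flow) (bool, string) {
	// 1. Return traffic of an inspected session is admitted regardless of zone-pair policy.
	if fw.sessions[sessionKey(Reverse(f))] {
		return true, "return traffic of inspected session"
	}
	rule, ok := fw.policy[zonePair{f.SrcZone, f.DstZone}]
	if !ok {
		// 2. Defaults when no zone pair exists (assumed, IOS-XE ZBFW style):
		//    same-zone and router self-zone traffic pass, everything else is dropped.
		if f.SrcZone == f.DstZone {
			return true, "intra-zone default pass"
		}
		if f.SrcZone == fw.selfZone || f.DstZone == fw.selfZone {
			return true, "self-zone default pass"
		}
		return false, "no zone-pair policy: default drop"
	}
	// 3. App-aware deny inside the zone pair ("drop traffic by application").
	if rule.BlockedApps[f.App] {
		return false, "application " + f.App + " denied"
	}
	switch rule.Action {
	case Inspect:
		fw.sessions[sessionKey(f)] = true // remember it so only its replies get back in
		return true, "inspect: session created"
	case Pass:
		return true, "pass (stateless, no session)"
	default:
		return false, "drop"
	}
}

// demoFirewall builds the branch from the slide: inside (VPN1) and guest (VPN2)
// zones facing the outside zone, plus the router's self zone.
func demoFirewall() *Firewall {
	fw := NewFirewall("self")
	fw.AddPolicy("inside", "outside", Inspect, "bittorrent")
	fw.AddPolicy("guest", "outside", Inspect, "bittorrent", "tor")
	fw.AddPolicy("guest", "inside", Drop)
	return fw
}

func main() {
	fw := demoFirewall()
	web := Flow{"inside", "outside", "10.1.1.10:51000", "203.0.113.5:443", "tcp", "https"}
	fmt.Println(fw.Evaluate(web))
	fmt.Println(fw.Evaluate(Reverse(web)))
	fmt.Println(fw.Evaluate(Flow{"outside", "inside", "198.51.100.9:40000", "10.1.1.10:445", "tcp", "smb"}))
	fmt.Println(fw.Evaluate(Flow{"guest", "inside", "10.2.2.7:3000", "10.1.1.10:22", "tcp", "ssh"}))
}
```

Note what a pass action costs: because it records no session, the reply to a passed flow arrives as a fresh outside-to-inside packet and hits the default drop unless a second zone pair explicitly permits it.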

For Your Reference: vManage – Ent FW App Aware Configuration (screenshots)

Intrusion Prevention

Intrusion Prevention

• Snort is the most widely deployed intrusion prevention solution in the world
• Backed by global threat intelligence (Talos); signature updates are automated
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance

Figure: IPS runs as one of the on-site services on the WAN Edge.

For Your Reference: vManage – Intrusion Prevention (screenshots)

URL Filtering

URL Filtering

• 82+ web categories with dynamic updates
• Block based on web reputation score
• Create custom black and white lists
• Customizable end-user notifications

Figure: requests for "risky" domains are blocked or allowed based on categories, reputation and the white/black lists of custom URLs.
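The URL-filtering overview earlier in the deck and the feature list above describe one decision: a request is checked against the custom white and black lists, then against its category and reputation score. The Go program below is an added example written for this page, not Cisco's URLF engine; the precedence (white list first, then black list, category, reputation), the domain-suffix matching, and the sample lists, categories and scores are all constructed. It normalizes the URL to a bare hostname first so that letter case, a port, user info or a trailing dot do not let a request slip past a list entry, and it walks up the parent domains when looking up a category.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Verdict is what the URLF engine returns for one request.
type Verdict struct {
	Allow  bool
	Reason string
}

// Policy is a constructed stand-in for a vManage URL-filtering policy.
type Policy struct {
	Whitelist, Blacklist []string        // domain suffixes: "example.test" covers "www.example.test"
	BlockedCategories    map[string]bool // categories to block
	MinReputation        int             // sites scoring below this are blocked
}

// Intel is a constructed stand-in for the category/reputation database (on-box or cloud).
type Intel struct {
	Category   map[string]string
	Reputation map[string]int
}

// hostOf normalizes a request URL to a bare lowercase hostname: scheme, userinfo,
// port, path and trailing dot are dropped. A bare "host/path" is accepted too.
func hostOf(raw string) (string, error) {
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	h := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if h == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	return h, nil
}

func matchesDomain(host string, list []string) bool {
	for _, d := range list {
		d = strings.ToLower(strings.TrimSuffix(d, "."))
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// closestKey walks from the full host up through its parent domains (stopping before
// the bare TLD) and returns the first one the database knows, so an entry for
// "gambling-site.test" also covers "casino.gambling-site.test".
func closestKey(host string, known func(string) bool) (string, bool) {
	labels := strings.Split(host, ".")
	for i := 0; i < len(labels)-1; i++ {
		if k := strings.Join(labels[i:], "."); known(k) {
			return k, true
		}
	}
	return "", false
}

// Filter applies the checks in precedence order: white list, black list, category, reputation.
func (p Policy) Filter(intel Intel, raw string) Verdict {
	host, err := hostOf(raw)
	if err != nil {
		return Verdict{false, "unparseable URL: " + err.Error()}
	}
	if matchesDomain(host, p.Whitelist) {
		return Verdict{true, "whitelist"}
	}
	if matchesDomain(host, p.Blacklist) {
		return Verdict{false, "blacklist"}
	}
	if k, ok := closestKey(host, func(s string) bool { _, ok := intel.Category[s]; return ok }); ok {
		if cat := intel.Category[k]; p.BlockedCategories[cat] {
			return Verdict{false, "category " + cat}
		}
	}
	if k, ok := closestKey(host, func(s string) bool { _, ok := intel.Reputation[s]; return ok }); ok {
		if rep := intel.Reputation[k]; rep < p.MinReputation {
			return Verdict{false, fmt.Sprintf("reputation %d below %d", rep, p.MinReputation)}
		}
	}
	return Verdict{true, "default allow"}
}

// demoPolicy returns a constructed policy and database for the examples.
func demoPolicy() (Policy, Intel) {
	p := Policy{
		Whitelist:         []string{"example.test"},
		Blacklist:         []string{"tracker.test"},
		BlockedCategories: map[string]bool{"gambling": true},
		MinReputation:     40,
	}
	intel := Intel{
		Category:   map[string]string{"gambling-site.test": "gambling", "docs.vendor.test": "business"},
		Reputation: map[string]int{"lowrep.test": 15, "docs.vendor.test": 80},
	}
	return p, intel
}

func main() {
	p, intel := demoPolicy()
	for _, u := range []string{"https://intranet.example.test/login", "http://ADS.tracker.test:8080/pixel",
		"casino.gambling-site.test", "http://lowrep.test", "https://docs.vendor.test/"} {
		fmt.Printf("%-40s %+v\n", u, p.Filter(intel, u))
	}
}
```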

For Your Reference: vManage – URL Filtering (screenshots)

DNS/Web-layer Security

DNS/web-layer Security: Cisco Umbrella

• Block malware, phishing and non-compliant domain requests
• Automatic API key registration
• Supports DNSCrypt
• VPN-aware policies
• Local domain bypass
• TLS decryption
• Intelligent proxy

Figure: the WAN Edge forwards DNS queries from users in Service-VPN 1 and Service-VPN 2 to the Umbrella PoPs.

vManage – DNS/web-layer Security (screenshots)

Advanced Malware Protection and Threat Grid

Advanced Malware Protection and Threat Grid

• Integration with AMP: file reputation (signature check) and file retrospection
• Integration with Threat Grid: file analysis in the malware sandbox
• Inspects traffic in the VPNs of interest
• Leverages the Snort engine to identify file transfers

For Your Reference: vManage – AMP + Threat Grid (screenshots)

For Your Reference: IPS, URL-F and AMP Architecture

• The IPS, AMP and URL-filtering services run in a Linux container (LXC) on the router, using control plane resources; the App-Hosting Manager in IOSd manages the container
• Traffic is punted from the data plane to the container over Virtual Port Group (VPG) interfaces (a management VPG and a traffic VPG, connected by virtual Ethernet)
• Reserved CPU and memory for the container process give deterministic performance

For Your Reference: Security App Hosting Profile and Resources

Figure: core layout per platform family (4461 / 4451 / 4431, 4351 / 4331, 4321 / 4221 / 1K). Data plane cores run the CPP code (PPE, I/O, crypto, BQS); control plane cores run Linux with IOS and the service (SVC) cores used by the security container.

Platform        DP cores   CP cores   CP cores for security
4321/4221/1K    2          2          1
4331            4          4          2
4351            4          4          2
4431            6          4          2
4451            10         4          2
4461            16         4          2

DP = data plane, CP = control plane, SVC = services.

For Your Reference: SD-WAN Security Support

Platform                                              Ent FW   Ent FW App Aware   IPS/IDS   URL Filtering   AMP/TG   DNS/web-layer security*
Viptela vEdge (100, 1000, 2000, 5000, 1100-4G/6G)     Y        N**                N/A       N/A             N/A      N
Cisco CSR                                             Y        Y                  Y         Y               Y        Y
Cisco ENCS (ISRv)                                     Y        Y                  Y         Y               Y        Y
Cisco ISR4K (4461, 4451, 4431, 4351, 4331, 4321, 4221-X)  Y    Y                  Y         Y               Y        Y
Cisco ISR1K                                           Y        Y                  Y         Y               Y        Y
Cisco ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X)***     Y        Y                  N/A       N/A             N/A      Y

* Umbrella subscription required for enforcement.
** Stateful firewall and DPI (using Qosmos) are separate features on the vEdges.
*** Ent FW App Aware and DNS/web-layer security are supported with the default 4 GB DRAM.

Security App Hosting Profile and Resources

App hosting profile: Default
• Features: IPS + URLF (cloud lookup only) + AMP (file hashing)
• Minimum platform requirement: 8 GB bootflash and 8 GB memory; 1 or 2 service plane cores; 4/8 vCPU for CSR / ISRv
• Platforms supported: ISR1K / 4221X / 4321, 4331 / 4351 / 44xx, CSR / ISRv

App hosting profile: High
• Features: IPS + URLF (on-box DB + cloud lookup) + AMP (file hashing) + Threat Grid (TG)
• Minimum platform requirement: 16 GB bootflash and 16 GB memory; 2 service plane cores; 4/8 vCPU for CSR / ISRv
• Platforms supported: 4331 / 4351 / 44xx, CSR / ISRv

Enterprise firewall and DNS/web-layer security work with the default 4 GB DRAM.

For Your Reference: SD-WAN Security Features – Order of Operation

G0/0 is LAN facing, G0/1 is WAN facing.

LAN to WAN: Ingress G0/0 → IP destination lookup → NBAR → DNS security → VFR → CEF → FW → IPS → URL-F → AMP & TG → NAT → Egress G0/1

WAN to LAN: Ingress G0/1 → NAT → DNS security → VFR → CEF → FW → IPS → URL-F → AMP & TG → NBAR → Egress G0/0

Secure Management

vManage Authentication Methods

• Local database / RADIUS / TACACS
• Single sign-on (SSO) with an external identity provider:
  1. The admin contacts vManage to access a resource
  2. vManage redirects the admin to the SSO identity provider
  3. The admin accesses the SSO identity provider
  4. The identity provider challenges for credentials
  5. Credentials are supplied
  6. The identity provider issues its auth response
  7. The auth response is presented to vManage
  8. vManage supplies the resource

RBAC

For Your Reference: RBAC by VPN Feature

Admin user
• Create VPN dashboards:
  ✓ Create/discover VPN segments in a network
  ✓ Create VPN groups
  ✓ New VPN dashboard for each VPN group
• Create users with VPN group access:
  ✓ Link a user group to a VPN group
  ✓ Create users with access to the VPN group

VPN group user
• Access to the VPN dashboard only:
  ✓ Monitor device, network and application status via the VPN dashboard
  ✓ VPN dashboard information restricted to devices with segments in the VPN group
  ✓ Monitor option restricted to devices with segments in the VPN group
  ✓ Interface monitoring on a device restricted to interfaces of segments in the VPN group

vManage Admin Dashboard (full access) vs VPN Dashboard (restricted access)

Screenshot: VPN group "British Airways" (VPN 1, 2).

VPN Dashboard View

Screenshot: the British_Airways VPN dashboard showing device health, VPN details status and application status.

Cisco DNA SD-WAN Licensing: Capability Based Packaging

Cisco DNA Essentials: simplified management and security protection for the cost-conscious customer
• Enterprise firewall with app controls
• Cisco Umbrella DNS monitoring
• Application-based SLA; basic WAN and path optimizations
• Single centralized management console in the cloud or on-prem
• Forward Error Correction (FEC); packet duplication
• Flexible topology and dynamic routing (hub/spoke, partial/full mesh)
• Up to 50 device overlay

Cisco DNA Advantage: advanced SD-WAN with enhanced security for feature-rich and varied branch deployment models (includes Cisco DNA Essentials)
• Cisco AMP with Talos-powered IPS
• URL filtering
• Cloud OnRamp for IaaS, SaaS and Colo
• AppQoE and WAAS RTU
• Integrated border plus orchestration for campus, branch and DC
• Integrated voice/UC gateways
• vAnalytics

Cisco DNA Premier: advanced SD-WAN security to mitigate the most sophisticated threats to your business (includes Cisco DNA Advantage and Essentials)
• SSL proxy
• Cisco Threat Grid
• Cisco Umbrella Insights
• Cisco Umbrella app discovery

Demo

FC Topology

[Topology diagram] Internet; 192.168.1.1; 1.1.1.1; 10.118.34.9 (admin/admin); Mgmt 1.1.1.2; N/W 1.1.1.3

Recap - Cisco SD-WAN Controllers

Orchestration Plane: Cisco vBond
• Orchestrates control and management plane
• First point of authentication
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [or 1:1 NAT]
• Highly resilient

Control Plane: Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane policies and app-aware routing policies to the WAN Edge routers
• Implements control plane policies
• Reduces control plane complexity
• Highly resilient

Management Plane: Cisco vManage
• Single pane of glass
• Multitenant with scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC and per VPN visibility
• Programmatic interfaces (REST, NETCONF)
• Highly resilient

Data Plane: Physical/Virtual WAN Edge
• Provides secure data plane
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages protocols OSPF, BGP, EIGRP and VRRP
• Zero Touch Provisioning

Recap - SD-WAN Security Capabilities

Requires 4 GB of additional DRAM = 8 GB per platform

• Ent. Firewall App Aware
• Intrusion Prevention
• URL Filtering
• Advance Malware Protection and TG
• DNS/web-layer security

[Diagram] Edge Device with Outside Zone (Internet, SaaS), Inside Zone (on-site services, users and devices in Service VPN 1 and VPN 2) and Guest Internet Zone; the edge applies the Inspect policy to traffic between zones, checks signatures (IPS), blocks/allows URLs based on categories, reputation and white/black lists of custom URLs (URL-F), checks files against malware and the ThreatGrid sandbox (AMP), and with DNS-layer security automatically blocks requests for "risky" domains while allowing safe requests

Release Notes and Image Download Links (for your reference)

Release Notes for both 19.2.x: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/19-2/sd-wan-rel-notes-19-2.html#id_102854

16.12.2r software download links for ISR 1K/4K and ASR:
• ISR 1K: https://software.cisco.com/download/home/286321996/type/286321980/release/16.12.2r
• ISR 4K: https://software.cisco.com/download/home/286321991/type/286321980/release/16.12.2r
• ASR1K: https://software.cisco.com/download/home/286321999/type/286321980/release/16.12.2r

19.2.1 vManage new deployment download link: https://software.cisco.com/download/home/286320995/type/286321039/release/19.2.1

19.2.1 vManage upgrade image download link: https://software.cisco.com/download/home/286320995/type/286321394/release/19.2.1

SD-WAN Security – External Resources (for your reference)

Cisco SD-WAN: Enabling Firewall and IPS for Compliance: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-firewall-compliance-deploy-guide-2019nov.pdf

SD-WAN on-prem controller setup guide: http://cs.co/sd-wan-controller-setup

Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936

Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering

Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301

SD-WAN Security – External Resources (continued)

Cisco SD-WAN - http://www.cisco.com/go/sdwan

Network World - https://tinyurl.com/yabey6f2

WSJ - https://tinyurl.com/yb75loxn

Lightreading - https://tinyurl.com/yba9zb4s

FB: https://tinyurl.com/y9u375hk

YouTube Network Field Day (demo): https://tinyurl.com/y955ufde

Thank you