Cisco SD-WAN Security
Kureli Sankar, Technical Marketing Manager BRKRST-2720
About Kureli Sankar
• BS in Electrical and Electronics Engineering
• 2006 – 2013: TAC Engineer, CCIE Security #35505
• 2013 – 2018: TME
• 2019 – Present: TME Manager
• Areas of expertise: IOS and IOS-XE security features, SD-WAN Security solutions
• 2018: Distinguished Speaker, Cisco Live (EUR and ANZ)
#CiscoLiveAPJC BRKRST-2720 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Secure Branch
• Ent Firewall App Aware
• Intrusion Prevention
• URL-Filtering
• DNS/Web-layer Security
• Advanced Malware Protection + Threat Grid
• Secure Management
• Demo
Introduction
SD-WAN Exposes New Security Challenges
DIRECT INTERNET ACCESS EXPOSES ATTACK SURFACE | POLICY AND ACCESS GAPS EXPAND INGRESS POINTS | DEFEND AGAINST BAD DESTINATIONS & DATA BREACHES
Outside-in threats
• Exposed ingress points as traffic is no longer backhauled to the data center
• Denial of service attacks
• Ransomware
Inside-out threats
• Unauthorized access
• Malware infection
• Users and devices request access to infrastructure and applications
• Command & control
• Phishing attacks
• Untrusted users/devices
Internal threats
• Traffic must be encrypted and access must be segmented end to end
• Untrusted access
• Lateral movement
• Compliance
• Man-in-the-Middle
[Figure: remote and corporate users, devices, IoT and mobile (guest) devices reach SaaS, IaaS and the Internet through WAN edges with basic/no security or existing security and no cloud security edge; the SD-WAN fabric connects branch, critical infrastructure and the data center & campus]
Comprehensive SD-WAN Security
SIMPLIFIED ENTERPRISE SECURITY | SECURE INTERNAL CONNECTIONS | CLOUD-GRADE SECURITY EMBEDDED
• Mitigate external security risks with integrated threat defense to stop breach propagation, enforce regulatory compliance, and protect data sent to and from the cloud
• Single console to manage routing and security
• End-to-end segmentation from the WAN to the cloud edge, with network (and application) layer security
• Payload encryption between edge routers
• Mitigate internal security risks with a secure SD-WAN fabric with simple or flexible routing configurations
• Secure cloud edge: Umbrella’s Secure Internet Gateway protects users and devices from the cloud edge
• Secure WAN edge: firewall with integrated intrusion prevention, plus URL filtering and malware sandboxing, embedded in thin, rich or full-stack routers
• Zero-trust authentication: Duo’s Multi-Factor Authentication verifies that only trusted users and devices access cloud and on-prem apps
• Shortest time to threat detection, powered by Talos
[Figure: outside-in, inside-out and internal security stack covering remote and corporate users, devices, branch, critical infrastructure, IoT, mobile (guest) devices, SD-WAN fabric, data center & campus, SaaS and IaaS]
Cisco SD-WAN Holistic Approach
[Figure: users, devices and things connect over a secure, scalable, app-aware SD-WAN fabric (multitenant/cloud-delivered, rich analytics, highly automated) to applications in the DC, vDC, IaaS and SaaS, with Cloud OnRamp and IoT edge computing]
Secure Infrastructure
Cisco SD-WAN Architecture
Orchestration Plane – vBond
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
Management Plane – vManage (APIs, 3rd party automation, vAnalytics)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs
Control Plane – vSmart Controllers
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies
Data Plane – WAN Edge Routers
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics
[Figure: WAN Edge routers in Cloud, Data Center, Campus, Branch and CoLo sites connected over MPLS, 4G and INET transports]
High Level View of Ordering and On-Boarding
• Smart Account or Virtual Account details specified on the order (Cisco Commerce Workspace) are used for Smart Account creation
• Device list is passed to PnP (Plug and Play Cloud Service) via Smart Account automation
• Add a vBond Controller Profile and associate it with the Org-Name
• vManage syncs with the Smart Account and pushes the device list to vBond (overlay)
[Figure: roles shown are Cisco, Customer/Service Provider and End Customer, with the WAN Edge on-boarded at the end customer]
Device Identity and Integrity
History of Malware Found on Cisco IOS Devices
Incident 0 – Date discovered: 2011; Device(s) affected: Cisco 2800 and 3800 families; Infection method: modifications to IOS binary; Remote detectability: via crypto analysis; Preventions to be taken: Trust Anchor Technology, Secure Boot, & Image Signing; Complexity level: Low
Incident 1 – Date discovered: 2012; Device(s) affected: Cisco 2800 and 3800 families; Infection method: modifications to IOS binary; Remote detectability: via crypto analysis; Preventions to be taken: Trust Anchor Technology, Secure Boot, & Image Signing; Complexity level: Low
Incident 2 – Date discovered: 2013; Device(s) affected: Cisco 7600 IOS & line cards; Infection method: modification of in-memory IOS; Remote detectability: C2 protocol; Preventions to be taken: strong admin credentials & authorization; Complexity level: Medium
Incident 3 – Date discovered: 2013; Device(s) affected: Cisco 7600 IOS & line cards; Infection method: modification of in-memory IOS; Remote detectability: C2 protocol; Preventions to be taken: strong admin credentials & authorization; Complexity level: Medium
Incident 4 – Date discovered: 2014; Device(s) affected: Cisco 1800, 3800, 7200 IOS & ROMMON; Infection method: modification to both ROMMON, binary and in-memory code; Remote detectability: not directly; Preventions to be taken: Secure Boot, Trust Anchor Technologies + Image Signing; Complexity level: High
Incident 5 “SYNful Knock” – Date discovered: 2015; Device(s) affected: Cisco 1841, 2811, 3825; Infection method: modifications to IOS; Remote detectability: yes; Preventions to be taken: strong admin credentials, Secure Boot, Image Signing; Complexity level: Low
Key Trustworthy Technologies
Secure Boot of Signed Images
▪ Prevents malicious code from booting on a Cisco platform
▪ Automated integrity checks
▪ Monitors startup process and shuts down if compromised
Trust Anchor module (TAm)
▪ Tamper-resistant chip with X.509 cert installed at manufacturing
▪ Provides unique device identity and anti-counterfeit protections
▪ Secure, non-volatile on-board storage and RNG/crypto services
▪ Enables zero-touch provisioning and minimizes deployment costs
Runtime Defenses (RTD)
▪ Protects against injection of malicious code into running software
▪ Makes it harder for attackers to exploit vulnerabilities in running software
▪ Runtime technologies include ASLR, BOSC, and X-Space
▪ Faster identification of threats
Trustworthy technologies enhance the security and resilience of Cisco solutions
Secure Unique Device Identification (Secure-UDI)
• Tamperproof ID for the device
• Binds the hardware identity (PID) to a key pair in a cryptographically secure X.509 certificate during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR Compliant
Image Signing: Integrity & Non Repudiation
1. Image is hashed to a unique 64 byte object (SHA-512)
2. Hash is encrypted with Cisco’s PRIVATE key
3. Digital signature with the hash appended to final image
4. Customer downloads image onto device (WWW)
5. Validation check at customer site: Cisco’s public key stored on the router is used to decrypt the digital signature (SHA512 + Cisco’s PUBLIC key)
Cisco Secure Boot: Software and Hardware Integrity Checks
Software authenticity checks (steps 1–4):
Step 1: CPU runs the Microloader stored in tamper-resistant hardware (FPGA, hardware anchor / root of trust); first instructions run on CPU
Step 2: Microloader checks Bootloader
Step 3: Bootloader checks OS
Step 4: OS launched
Hardware authenticity check (steps 5–6):
Step 5: Authenticity and license checks
Step 6: Trust Anchor module provides critical services
TAm = Trust Anchor module
Secure boot checks images and verifies that software is authentic and unmodified before it is allowed to boot
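The image-signing steps above (SHA-512 over the image, a signature over the digest with the vendor's private key, signature appended, verification on the device with the stored public key) and the secure-boot chain (each stage verifies the next before handing over) written out as an added Go example. This is not Cisco's code: the throwaway RSA key pair, the trailing-signature layout and the stage names are constructed assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Constructed layout: the signature is appended to the image (slide step 3).
// Its length is fixed by the key size, so the verifier can split it off again.
const sigLen = 256 // RSA-2048 PKCS#1 v1.5 signature, in bytes

// newVendorKey generates a throwaway key pair standing in for the vendor key.
func newVendorKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// signImage is the vendor side: SHA-512 over the image (step 1), signature
// over the 64-byte digest with the private key (step 2), signature appended
// to the final image (step 3).
func signImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha512.Sum512(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, image...), sig...), nil
}

// verifyImage is the device side (step 5): split the trailing signature off,
// recompute SHA-512 over the payload and check it with the stored public key.
// It returns the verified payload, or an error if the image was altered,
// truncated or signed with a different key.
func verifyImage(pub *rsa.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < sigLen {
		return nil, errors.New("image too short to carry a signature")
	}
	cut := len(signed) - sigLen
	payload, sig := signed[:cut], signed[cut:]
	digest := sha512.Sum512(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return payload, nil
}

// bootChain models the secure-boot sequence: each stage verifies the next
// image before handing over, and the boot halts at the first failure.
// It returns the stages that were actually launched.
func bootChain(pub *rsa.PublicKey, stages []string, images [][]byte) ([]string, error) {
	var launched []string
	for i, img := range images {
		if _, err := verifyImage(pub, img); err != nil {
			return launched, fmt.Errorf("%s rejected, boot halted: %w", stages[i], err)
		}
		launched = append(launched, stages[i])
	}
	return launched, nil
}

func main() {
	priv := newVendorKey()
	stages := []string{"microloader", "bootloader", "os"}
	var images [][]byte
	for _, s := range stages {
		img, _ := signImage(priv, []byte("constructed "+s+" image"))
		images = append(images, img)
	}
	launched, err := bootChain(&priv.PublicKey, stages, images)
	fmt.Println(launched, err) // all three stages launch

	// Flip one byte inside the OS image: the chain stops before launching it.
	tampered := append([]byte(nil), images[2]...)
	tampered[0] ^= 0xff
	launched, err = bootChain(&priv.PublicKey, stages, [][]byte{images[0], images[1], tampered})
	fmt.Println(launched, err) // microloader and bootloader only, os rejected
}
```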
Secure Control Plane
Transport Locators (TLOCs)
• Each WAN Edge advertises its local TLOCs (System IP, Color, Encap) to the vSmarts (default)
• vSmarts advertise TLOCs to all WAN Edges* (default), building a full mesh SD-WAN fabric
* Can be influenced by the control policies
[Figure: WAN Edges connected to vSmart over OMP and to each other over IPSec tunnels; legend: Transport Locator (TLOC), OMP, IPSec Tunnel]
Secure Data Plane
Data Plane Privacy
▪ Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes to the vSmart controllers
▪ Encryption keys are per-transport
▪ Can be rapidly rotated
▪ Symmetric encryption keys used asymmetrically
[Figure: one WAN Edge generates local keys Encr-Key1 (Transport1) and Encr-Key2 (Transport2) and sends them in an OMP Update; the remote WAN Edge receives them, and in turn generates Encr-Key3 and Encr-Key4 which the first edge receives]
Packet format: IP | UDP | ESP | Original Packet (encrypted). Data plane: AES256-GCM/CBC; control plane: AES256-GCM
SD-WAN Fabric Operation Walk-Through
OMP Update from vSmart:
▪ Reachability – IP Subnets, TLOCs
▪ Security – Encryption Keys
▪ Policy – Data/App-route Policies
[Figure: each WAN Edge reaches vSmart over a DTLS/TLS tunnel and exchanges OMP Updates (TLOCs, policies); the edges build IPSec tunnels with BFD over Transport1 and Transport2, and learn subnets A, B, C, D in VPN1/VPN2 from BGP, OSPF, connected and static routes]
Pairwise IPSec Keys for SA
[Figure: Edge-A, Edge-B and Edge-C connect to vSmart over DTLS and to each other over IPSec/GRE across the Internet, with a LAN behind each edge; Edge-A holds a separate key per peer: A’s Encryption Key for B and A’s Encryption Key for C]
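The key distribution on the Data Plane Privacy and Pairwise IPSec Keys slides, as an added Go model that is not Cisco's implementation: each edge generates its own AES-256 key per peer, vSmart reflects it to that peer in an OMP update, and the peer uses it to encrypt traffic towards the advertiser (a symmetric key used asymmetrically). The edge names, the nonce-prefixed ESP stand-in and the omission of transport colours are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type key [32]byte // AES-256 key, as on the slide (AES256-GCM data plane)

type Edge struct {
	SystemIP string
	local    map[string]key // keys this edge generated, one per peer
	remote   map[string]key // keys received from peers via vSmart
}

type VSmart struct{ edges map[string]*Edge }

func NewEdge(systemIP string) *Edge {
	return &Edge{SystemIP: systemIP, local: map[string]key{}, remote: map[string]key{}}
}

// GenerateKeyFor creates, or rotates, this edge's key for one peer.
func (e *Edge) GenerateKeyFor(peer string) {
	var k key
	if _, err := rand.Read(k[:]); err != nil {
		panic(err)
	}
	e.local[peer] = k
}

// Advertise is the OMP update: vSmart passes from's key for peer to that peer.
// vSmart keeps no copy and never encrypts data-plane traffic itself.
func (v *VSmart) Advertise(from *Edge, peer string) {
	v.edges[peer].remote[from.SystemIP] = from.local[peer]
}

func gcm(k key) cipher.AEAD {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Send encrypts a packet for peer with the key peer advertised to us. The
// output, nonce || ciphertext || tag, stands in for the ESP payload; the
// receiver's system IP is bound as associated data.
func (e *Edge) Send(peer string, packet []byte) ([]byte, error) {
	k, ok := e.remote[peer]
	if !ok {
		return nil, fmt.Errorf("%s has no key advertised by %s", e.SystemIP, peer)
	}
	g := gcm(k)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, packet, []byte(peer)), nil
}

// Receive decrypts a packet from peer with the key this edge generated for
// that peer; any other key, including a rotated-out one, fails authentication.
func (e *Edge) Receive(peer string, esp []byte) ([]byte, error) {
	k, ok := e.local[peer]
	if !ok {
		return nil, fmt.Errorf("%s has no local key for %s", e.SystemIP, peer)
	}
	g := gcm(k)
	if len(esp) < g.NonceSize() {
		return nil, errors.New("truncated packet")
	}
	return g.Open(nil, esp[:g.NonceSize()], esp[g.NonceSize():], []byte(e.SystemIP))
}

// BuildFabric wires three constructed edges to one vSmart; every edge
// generates and advertises a distinct key for each of its two peers.
func BuildFabric() (*VSmart, *Edge, *Edge, *Edge) {
	a, b, c := NewEdge("edge-A"), NewEdge("edge-B"), NewEdge("edge-C")
	vs := &VSmart{edges: map[string]*Edge{a.SystemIP: a, b.SystemIP: b, c.SystemIP: c}}
	for _, e := range []*Edge{a, b, c} {
		for _, peer := range []*Edge{a, b, c} {
			if peer != e {
				e.GenerateKeyFor(peer.SystemIP)
				vs.Advertise(e, peer.SystemIP)
			}
		}
	}
	return vs, a, b, c
}
```

Rotating a key is GenerateKeyFor followed by Advertise; packets sealed under the previous key then fail at the receiver, which is the rapid-rotation property the slide lists.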
Combining Best of Breed in Security and SD-WAN
• Enterprise Firewall: 1400+ layer 7 apps classified
• Intrusion Prevention System: most widely deployed IPS engine in the world
• URL-Filtering: web reputation score using 82+ web categories (Cisco Web Security)
• Adv. Malware Protection: with file reputation and sandboxing (Threat Grid)
• Secure Internet Gateway: DNS Security/Cloud FW with Cisco Umbrella
• COMING SOON! TLS/SSL Proxy: detect threats in encrypted traffic
Hours instead of weeks and months
Secure Branch
Why SD-WAN Branch Security?
1. Avoid Backhauling – Benefit: Better use of WAN bandwidth
2. Regional SaaS PoP – Benefit: Improves application performance
3. Enable DIA – Benefit: Improves user experience
4. Centralized Policy/Monitoring – Benefit: Consistent Security Policy & monitoring
[Figure: Branch with Branch Security reaching SaaS/IaaS/Private Cloud/Internet directly through Cloud Security, and the Data Center through Firewall/IPS]
SD-WAN Security Use Cases
• Use Case: Direct Internet Access
• Use Case: Guest Services
• Use Case: Industry Compliance
[Figure: security components shown are Cisco Umbrella, Firewall, URL Filtering, IPS and AMP+TG, managed from vManage; Employees (VPN1), Contractors (VPN2) and Guests (VPN3) use Direct Internet Access to the Internet and the SD-WAN to Data Center Applications]
Security Deployment Models – Flexible Security based on customer needs
• Cloud Security: lean branch with security in the cloud
• Integrated Security: single platform for routing and security at the branch
• Co-Location @ Regional Hub: security services as VNF at a regional colocation hub
Use Case 1: PCI Compliance
Use Cases
• PCI-DSS – Retail stores
• HIPAA – Hospitals/Clinics
• FERPA – Schools/Colleges/Universities
Requirements
• Segmentation
• Perimeter Control
• Intrusion Prevention
[Figure: branch with Internet access and Data Center Applications]
Use Case 2: Guest Access
Use Cases
• Retail stores
• Hospitals/Clinics
• Schools/Colleges/Universities
Requirements
• Segmentation
• Application Control
• Liability Protection
[Figure: guest branch with Internet access]
Use Case 3: Direct Cloud Access
[Figure: Employee (VPN1) and Guest (VPN2) segments; HQ destined traffic goes over the SD-WAN to Data Center Applications, employee SaaS traffic goes directly to SaaS, and employee and guest Internet traffic goes directly to the Internet]
Use Cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Extranet or partner cloud applications
• Partner Applications
Requirements
• Controlled Redirection
• Application Control
• Intrusion Prevention
• Malware Prevention
Use Case 4: Direct Internet Access
[Figure: Employee (VPN1) and Guest (VPN2) segments; HQ destined traffic goes over the SD-WAN to Data Center Applications, while employee Internet traffic, employee SaaS traffic and guest Internet traffic go directly to the Internet]
Use Cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Web Conferencing / Social Media
• Video Streaming Applications
Requirements
• Application Control
• Intrusion Prevention
• Malware Prevention
• Web Content Filtering
Why Multi-Layered Security and How does it Work?
Multi-layer Security
• Access Control Lists (Network Access Control)
• Stateful Firewall (Layer 4 inspection)
• Application Control (Layer 7 inspection)
• IPS (Signature Detection)
• DNS/Web/Content Filtering (Application inspection)
• IP Reputation (Block known bad IPs)
• File Reputation (Block known bad Files)
• Anti-Malware / Anti-Virus (Signature / Heuristic Detection)
• Sandboxing Capabilities (Zero-day threats)
• CASB (Cloud Access Security Broker) (Cloud Applications)
• TLS/SSL Decryption (Man in the Middle (MiTM)) (Encrypted Applications)
Access Control Lists
• Network Access Control
• Prevent unauthorized access
• IP or protocol port level
• No directional control
[Figure: packet fields Src IP | Dst IP | TCP Port | SYN | HTTP | URL | Data; ACLs match only the IP and port fields]
Stateful Firewall
• Deep inspection
• Session Tracking
• Stateful inspection
• Application Layer Gateway
• Protocol Misbehaviors
• Directional Control
• Stricter Layer 4 Control
[Figure: compared with Access Control Lists, the firewall inspects Src IP | Dst IP | TCP Port | SYN | HTTP; the App-Aware Firewall adds App Identification]
Firewall vs Next-Gen Firewall – What’s the difference?
Stateful Firewall
• Deep inspection
• Stateful inspection
• Protocol Misbehaviors
• Directional Control
• Stricter Layer 4 Control
Next-Gen Firewall
• Deep inspection
• Stateful inspection
• Application identification
• Access Control by L7 inspection (URLF)
• Directional control
• User Id / Context based policy
• Intrusion Prevention
• URL/DNS/Web Content Filtering
• Anti-Malware / Anti-Virus
• Advanced logging / alerting
• SIEM Integration
• TLS/SSL Inspection
• Threat Intel Integration
[Figure: the Next-Gen Firewall inspects every field of Src IP | Dst IP | TCP Port | SYN | HTTP | URL | Data, adding AppID, IPS and AMP]
Intrusion Detection/Prevention System (IDS/IPS)
Snort rule shown on the slide:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)
• Protocol engines check for protocol level misbehaviours
• Detection engine matches attack signatures
• Rules (Signatures) are updated as and when new attacks are identified
[Figure: packet (MAC | IP | TCP | HTTP | HTTP_CLIENT_BODY) → Packet Decoder → Preprocessors (L3–7, L2/3 sessions, File, AppId) → Detection Engine (IPS engine rules/signatures) → Output Module (alerts, logs, verdict)]
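An added Go example, not the Snort engine, that reads the rule shown above: it parses the rule header and option block, decodes the |3A| hex escape in the content keyword, and applies the flow and content checks to a constructed HTTP request. Only the keywords that rule uses are handled, and $HOME_NET-style variables are kept as text rather than resolved.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"strings"
)

// The rule from the slide, used as the sample input.
const ruleText = `drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)`

type Rule struct {
	Action, Proto, Src, SrcPort, Dst, DstPort string
	Options map[string]string // msg, flow, content, sid, rev, ...
	Content []byte            // decoded bytes of the content keyword
}

// splitOptions splits the option block on semicolons outside quotes, so a
// ';' inside msg:"..." does not break the rule apart.
func splitOptions(s string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ';' && !inQuote:
			out = append(out, strings.TrimSpace(cur.String()))
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if rest := strings.TrimSpace(cur.String()); rest != "" {
		out = append(out, rest)
	}
	return out
}

// decodeContent turns "User-Agent|3A| SAH Agent" into raw bytes: text outside
// the pipes is literal, hex pairs between pipes are decoded (|3A| is ':').
func decodeContent(s string) ([]byte, error) {
	var out []byte
	for i, part := range strings.Split(strings.Trim(s, `"`), "|") {
		if i%2 == 0 {
			out = append(out, part...)
			continue
		}
		b, err := hex.DecodeString(strings.ReplaceAll(part, " ", ""))
		if err != nil {
			return nil, fmt.Errorf("bad hex escape %q: %w", part, err)
		}
		out = append(out, b...)
	}
	return out, nil
}

// ParseRule reads "action proto src sport -> dst dport (options)".
func ParseRule(text string) (*Rule, error) {
	open, end := strings.Index(text, "("), strings.LastIndex(text, ")")
	if open < 0 || end < open {
		return nil, fmt.Errorf("rule has no option block")
	}
	hdr := strings.Fields(text[:open])
	if len(hdr) != 7 || hdr[4] != "->" {
		return nil, fmt.Errorf("unexpected rule header %q", text[:open])
	}
	r := &Rule{Action: hdr[0], Proto: hdr[1], Src: hdr[2], SrcPort: hdr[3],
		Dst: hdr[5], DstPort: hdr[6], Options: map[string]string{}}
	for _, opt := range splitOptions(text[open+1 : end]) {
		k, v, _ := strings.Cut(opt, ":")
		r.Options[k] = v
	}
	content, err := decodeContent(r.Options["content"])
	if err != nil {
		return nil, err
	}
	r.Content = content
	return r, nil
}

// Matches reports whether one payload triggers the rule: with flow:to_server
// only client->server data is eligible, and the decoded content bytes must
// appear in the payload (the signature match of the detection engine).
func (r *Rule) Matches(toServer bool, payload []byte) bool {
	if strings.Contains(r.Options["flow"], "to_server") && !toServer {
		return false
	}
	return bytes.Contains(payload, r.Content)
}
```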
URL-Filtering Solution Overview
[Figure: User-1 and User-2 behind the WAN Edge; the URLF Engine checks requests against the White List, BlackList, Category and Reputation (steps 1–4), returns a Block Page for blocked requests and forwards allowed Internet traffic; HQ destined traffic goes to Data Centre Applications. Legend: HQ Destined Traffic, Allowed Internet Traffic, Blocked Internet Traffic]
DNS-Filtering Solution Overview
[Figure: DNS Request (1) from the user to the WAN Edge, DNS Request (2) forwarded to UMBRELLA, DNS Response (3); Blocked Content (5) is returned to User-1 for a blocked request and Allowed Content (5) to User-2 for allowed Internet traffic. Legend: Allowed Internet Traffic, Blocked Internet Traffic]
File Reputation & Retrospection Service – Solution Overview
How it works?
• File download intercepted
• File sha calculated
• Reputation lookup
• File released or blocked
• Local or Cloud Database
What it does?
• File Sha match
• Good or Bad Files Database
• Known bad files blocked
• File Database updated frequently
• File Retrospection
[Figure: File Request (1) from the user (Martha) through the WAN Edge to the Web Servers, File Download (2), File Sha (3) computed by the FRS Engine and checked against its Cache, File Verify (4) against the File Reputation Service (good and bad file hashes), Verdict (5), File Allowed (6); a Mac CLI shows the file’s sha256 and filename]
File Analysis (Sandbox) – Solution Overview
How it works?
• File sha lookup
• Unknown Reputation
• File Transfer to FAS
• File Runs in a virtual env.
• Bad files blocked
What it does?
• Execute file in a VM
• Analyze file execution
• Analyze file content
• Detect Malicious behavior
[Figure: File Request (1), File Download (2), File Sha (3) lookup in the FRS Engine cache and File Verify (4) against the File Reputation Service; a file with unknown reputation is transferred to the File Analysis Service, and Allow / File Allowed (7) releases it to the user (Martha) behind the WAN Edge]
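The lookup order of the two slides above, as an added Go example that is not Cisco's code: the WAN Edge hashes an intercepted download with SHA-256, checks its cache and then the reputation database, hands a file with no reputation to a sandbox stand-in, and reports retrospectively which hosts already received a file whose verdict later changes. The Analyzer function, the verdict values and the sample files are constructed assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
)

type Verdict int

const (
	Unknown Verdict = iota
	Clean
	Malicious
)

// Analyzer stands in for the File Analysis Service: it receives the file
// content and returns a verdict (the constructed one in the test flags a marker).
type Analyzer func(file []byte) Verdict

type FRS struct {
	db          map[string]Verdict  // reputation database (local or cloud), by sha256
	cache       map[string]Verdict  // this edge's cache of earlier lookups
	allowed     map[string][]string // sha256 -> hosts the file was released to
	analyze     Analyzer
	sandboxRuns int // files transferred for analysis so far
}

func NewFRS(db map[string]Verdict, analyze Analyzer) *FRS {
	return &FRS{db: db, cache: map[string]Verdict{}, allowed: map[string][]string{}, analyze: analyze}
}

// FileSHA is step 3 on the slide: hash the intercepted download.
func FileSHA(file []byte) string {
	sum := sha256.Sum256(file)
	return hex.EncodeToString(sum[:])
}

// Check decides whether host may receive file and returns the verdict used.
// Order: cache -> reputation database -> sandbox for files without reputation.
func (f *FRS) Check(host string, file []byte) (bool, Verdict) {
	sha := FileSHA(file)
	v, ok := f.cache[sha]
	if !ok {
		v, ok = f.db[sha]
		if !ok || v == Unknown {
			f.sandboxRuns++
			v = f.analyze(file) // unknown reputation: transfer to FAS
			f.db[sha] = v       // the sandbox verdict becomes reputation for everyone
		}
		f.cache[sha] = v
	}
	if v == Malicious {
		return false, v
	}
	f.allowed[sha] = append(f.allowed[sha], host)
	return true, v
}

// UpdateVerdict applies a reputation database update (the slide's "file
// database updated frequently"). When a file turns malicious it returns the
// hosts that were already allowed to download it: file retrospection.
func (f *FRS) UpdateVerdict(sha string, v Verdict) []string {
	f.db[sha] = v
	f.cache[sha] = v
	if v != Malicious {
		return nil
	}
	return f.allowed[sha]
}

// SandboxRuns reports how many files were sent to the analyzer, which shows
// that cache and database hits never trigger a sandbox run.
func (f *FRS) SandboxRuns() int { return f.sandboxRuns }
```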
Cloud Access Security Broker (CASB) – Solution Overview
How it works?
• Forward Proxy
• Reverse Proxy
• API Node
What it does?
• Visibility
• Policy Compliance
• Security
• Authentication
• Authorization
• Device Profiling
• Encryption
• Data Loss Prevention
• Malware Prevention
[Figure: branch users behind the WAN Edge reach the CASB over MPLS and INET]
TLS/SSL Decryption (MiTM Proxy) – Solution Overview
Why do you need it?
• More apps/data cloud hosted
• Internet going dark: >80% Internet traffic encrypted
• Lack of security control
• Malware hidden in encrypted traffic
How does it work?
• URL request intercepted
• Server certificate checked
• Proxy re-signs server certificate
• User traffic redirected via proxy
• Decrypt and inspect
• Re-encrypt and send
What does it do?
• Proxy runs a cert signing authority
• Re-signs server certificate
• Redirects traffic through security stack
• Enforce security control
• Inspect for malware
[Figure: encrypted employee Internet traffic enters on G0/0/0, is decrypted to clear text and inspected, and leaves re-encrypted on G0/0/1; HQ destined traffic goes to Data Centre Applications]
Manage in Cloud or On-Prem | Full Edge Security | Edge Router / Branch Edge Flexibility
Single Pane of Glass
• Provision
• Manage
• Monitor
• Report
• Troubleshoot
Embedded
• Ent. Firewall App Aware
• IPS
• URL-Filtering
• AMP and Threat Grid
• DNS/web-layer Security
• Secure Internet Gateway
Platforms
• ISR 1K
• ISR 4K
• ENCS (ISRv)
• CSR
• ASR 1K (Ent FW App Aware and DNS/web-layer security)
• vEdges (FW and DNS/web-layer security)
SD-WAN Security: vManage Provisioning Wizard
Configuration > Security
Enterprise App Aware Firewall
Enterprise App Firewall
• Stateful Firewall, Zone Policies
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Drop traffic by application category or specific application
• Segmentation
• PCI compliance
• HSL Logging
• Self Zone Policy
[Figure: Edge Device with an Outside Zone (Internet, SaaS), an Inside Users Zone (Service-VPN 1) and a Guest Devices Zone (Service-VPN 2); an inspect policy allows only return traffic to be allowed]
Ent. Firewall App Aware: Intra-Zone Security
[Figure: hosts in Zone1 (VPN1) at SD-WAN Site A and SD-WAN Site B communicate across the SD-WAN fabric through their WAN Edges; Action: D – Drop, I – Inspect, P – Pass]
Ent. Firewall App Aware: Inter-Zone Security
[Figure: SD-WAN Site A has Zone1 (VPN1) and Zone2 (VPN2) with VPN1–VPN2 route leaking via vSmart; SD-WAN Site B has Zone1 (VPN1); hosts communicate across the SD-WAN fabric through the WAN Edges; Action: D – Drop, I – Inspect, P – Pass]
Ent. Firewall App Aware: Self-Zone Security
[Figure: at SD-WAN Site A the WAN Edge has a Self Zone (control plane, VPN0 to the cloud), Zone1 (VPN1), Zone2 (VPN2) and Zone3 (NAT) with hosts and a printer; SD-WAN Site B has a Self Zone and Zone1 (VPN1); Action: D – Drop, I – Inspect, P – Pass]
For Your Reference: vManage – Ent FW App Aware – Configuration
Intrusion Prevention
• Snort is the most widely deployed Intrusion Prevention solution in the world
• Backed by global threat intelligence (TALOS); signature update is automated
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance
[Figure: IPS as on-site services]
For Your Reference: vManage – Intrusion Prevention
URL Filtering
URL Filtering
• 82+ Web Categories with dynamic updates
• Block based on Web Reputation score
• Create custom Black and White Lists
• Customizable End-user notifications
[Figure: requests for “risky” domains are checked against white/black lists of custom URLs and blocked/allowed based on categories and reputation]
For Your Reference: vManage – URL Filtering
DNS/Web-layer Security
DNS/web-layer Security – Cisco Umbrella
• Block malware, phishing, and non-compliance domain requests
• Automatic API Key registration
• Supports DNScrypt
• VPN-aware policies
• Local Domain-bypass
• TLS decryption
• Intelligent Proxy
[Figure: users in Service-VPN 1 and Service-VPN 2 behind the WAN Edge; DNS is forwarded to Umbrella POPs]
vManage – DNS/web-layer Security
Advanced Malware Protection and Threat Grid
• Integration with AMP: file reputation, file retrospection
• Integration with ThreatGrid: file analysis
• Inspects traffic in VPNs of interest
• Leverages Snort engine to identify file transfers
[Figure: AMP checks the file signature against the Internet reputation service; ThreatGrid (malware sandbox) checks the file]
For Your Reference: vManage – AMP + ThreatGrid
For Your Reference: IPS, URL-F & AMP Architecture
- IPS, AMP & URL Filtering services run in a Linux Container (LXC), using control plane resources
- Traffic is punted to the container using a Virtual Port Group (VPG) interface
- Reserved CPU and memory for the container process enables deterministic performance
[Figure: IOSd and the App-Hosting Manager run on the control plane (Linux OS); the IPS/URL-F/AMP&TG container attaches over virtual Ethernet to a Management VPG and a Traffic VPG; data plane traffic is punted through the Traffic VPG on the data plane traffic path]
For Your Reference: Security App Hosting Profile & Resources
[Figure: core layout per platform – 4461/4451/4431: data plane cores (4461 – 16; 4451 and 4431 – 10) running PPE, crypto, I/O and BQS on CPP code, plus 4 control plane cores (IOS, SVC1, SVC2, SVC3 on Linux); 4351/4331: 4 data plane cores plus 4 control plane cores; 4321/4221/1K: 2 data plane cores (PPE, crypto, I/O) plus 2 control plane cores (IOS, SVC)]
Platforms | Total No of DP Cores | Total No of CP Cores | Total No of CP Cores for Security
4321/4221/1K | 2 | 2 | 1
4331 | 4 | 4 | 2
4351 | 4 | 4 | 2
4431 | 6 | 4 | 2
4451 | 10 | 4 | 2
4461 | 16 | 4 | 2
DP = Data Plane, CP = Control Plane, SVC = Services
For Your Reference: SD-WAN Security Support
Platforms/Features | Ent FW | Ent FW App Awareness | IPS/IDS | URL Filtering | AMP/TG | DNS/web-layer security*
Viptela (100, 1000, 2000, 5000 and 1100-4G/6G) | Y | N** | N/A | N/A | N/A | N
Cisco – CSR | Y | Y | Y | Y | Y | Y
Cisco – ENCS (ISRv) | Y | Y | Y | Y | Y | Y
Cisco – ISR4K (4461, 4451, 4431, 4351, 4331, 4321, 4221-X) | Y | Y | Y | Y | Y | Y
Cisco – ISR1K | Y | Y | Y | Y | Y | Y
Cisco – ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X)*** | Y | Y | N/A | N/A | N/A | Y
* Umbrella Subscription required for enforcement
** Stateful Firewall and DPI using Qosmos are separate on the vEdges
Ent FW App Aware and DNS/web layer security is supported with default 4GB DRAM
Security App Hosting Profile & Resources
App Hosting Profile | Security Profile – Features | Minimum Platform Requirement | Platform Supported
Default | IPS + URLF (Cloud Lookup only) + AMP (File hashing) | 8GB Bootflash & 8GB Memory; 1 / 2 service plane cores; 4/8 vCPU CSR / ISRv | ISR1K/4221X/4321; 4331/4351/44xx; CSR / ISRv
High | IPS + URLF (On-box DB + Cloud Lookup) + AMP (File hashing) + Threat Grid (TG) | 16GB Bootflash & 16GB Memory; 2 service plane cores; 4/8 vCPU CSR/ISRv | 4331/4351/44xx; CSR/ISRv
Enterprise FW and DNS/web-layer security will work with default 4 GB DRAM
For Your Reference: SD-WAN Security Features – Order of Operation
G0/0 – LAN facing; G0/1 – WAN facing
LAN to WAN (ingress G0/0 → egress G0/1), stages as laid out on the slide: IP Dest Lookup → DNS Security → NBAR → VFR → CEF → FW → IPS → URL-F → AMP&TG → NBAR → NAT
WAN to LAN (ingress G0/1 → egress G0/0), stages as laid out on the slide: DNS Security → VFR → NAT → CEF → FW → IPS → URL-F → AMP&TG → NBAR
Secure Management
vManage Authentication Methods
• Local Database / RADIUS / TACACS
• Single Sign-On
[Figure: SSO flow between Admin, vManage and the Identity Provider – (1) Contact Resource, (2) Redirect to SSO, (3) Access SSO, (4) Auth Challenge, (5) Credentials Supplied, (6) Auth Response, (7) Auth Response to vManage, (8) Resource Supplied]
RBAC
For Your Reference: RBAC by VPN Feature
Admin user:
• Create VPN dashboards:
✓ Create/discover VPN segments in a network
✓ Create VPN groups
✓ New VPN dashboard for each VPN group
• Create users with VPN group access:
✓ Link user group to VPN group
✓ Create users with access to VPN group
VPN group user:
• Access to VPN Dashboard only
✓ Monitor devices, network, and application status via VPN dashboard
✓ VPN dashboard information restricted to devices with segments in VPN group
✓ Monitor option restricted to devices with segments in VPN group
✓ Interface monitoring on device restricted to interfaces of segments in the VPN group
vManage Admin Dashboard (full access) vs VPN Dashboard (Restricted access)
[Screenshot: VPN Group “British Airways” (VPN 1, 2)]
VPN Dashboard View
[Screenshot: device health, British_Airways VPN details and status, application status]
Cisco DNA SD-WAN Licensing – Capability Based Packaging
Cisco DNA Essentials – Simplified management & security protection for the cost-conscious customer
• Enterprise firewall with app controls
• Cisco Umbrella DNS Monitoring
• Application-based SLA
• Basic WAN & path optimizations
• Single centralized management console in the cloud or on-prem
• Flexible topology & dynamic routing (hub/spoke, partial/full mesh)
• Up to 50 device overlay
Cisco DNA Advantage – Advanced SD-WAN with enhanced security for feature-rich & varied branch deployment models
• Cisco AMP with Talos-powered IPS and URL filtering
• Cisco Umbrella app discovery
• Cloud OnRamp for IaaS, SaaS, and Colo
• AppQoE & WAAS RTU
• Integrated border plus orchestration for campus, branch & DC
• Forward Error Correction (FEC)
• Packet duplication
• Integrated voice/UC gateways
• vAnalytics
• Includes Cisco DNA Essentials
Cisco DNA Premier – Advanced SD-WAN security will mitigate the most sophisticated threats to your business
• SSL proxy
• Cisco Umbrella Insights®
• Cisco Threat Grid®
• Includes Cisco DNA Advantage and Cisco DNA Essentials
Demo
FC Topology (lab diagram; addresses as shown): Internet; 192.168.1.1; 1.1.1.1; 10.118.34.9 (login admin/admin); Mgmt 1.1.1.2; N/W 1.1.1.3
• admin/admin is the lab default only; change it before exposing a controller to anything but the lab
Recap - Cisco SD-WAN Controllers
Orchestration Plane: Cisco vBond
• Orchestrates control and management plane
• First point of authentication
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP address [or 1:1 NAT]
• Highly resilient
Management Plane: Cisco vManage
• Single pane of glass
• Multitenant with scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC and per VPN visibility
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
Control Plane: Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies
• Reduces control plane complexity
• Highly resilient
Data Plane: Physical/Virtual WAN Edge
• Provides secure data plane
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages protocols OSPF, BGP, EIGRP and VRRP
• Zero Touch Provisioning
Recap - SD-WAN Security Capabilities (requires 4 GB of additional DRAM = 8 GB per platform)
• Ent. Firewall App Aware: zone-based policy on the edge device between the Outside zone (Internet, SaaS), the Inside zone (users and devices, on-site services) and the Guest Internet zone; segmented per service VPN (VPN 1, VPN 2)
• Intrusion Prevention: inspect traffic, signature check
• URL Filtering: block/allow based on categories and reputation; white/black lists of custom URLs
• Advanced Malware Protection and TG: check file; malware sandbox (Threat Grid)
• DNS/web-layer security: DNS requests from the edge device are checked against policy; requests for "risky" domains blocked, safe requests allowed automatically in the response
Release Notes and Image Download Links (For Your Reference)
Release Notes for 19.2.x: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/19-2/sd-wan-rel-notes-19-2.html#id_102854
16.12.2r Software Download Links for ISR 1K/4K and ASR:
• ISR 1K: https://software.cisco.com/download/home/286321996/type/286321980/release/16.12.2r
• ISR 4K: https://software.cisco.com/download/home/286321991/type/286321980/release/16.12.2r
• ASR1K: https://software.cisco.com/download/home/286321999/type/286321980/release/16.12.2r
19.2.1 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/19.2.1
19.2.1 vManage Upgrade Image Download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/19.2.1
SD-WAN Security – External Resources (For Your Reference)
• Cisco SD-WAN: Enabling Firewall and IPS for Compliance: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-firewall-compliance-deploy-guide-2019nov.pdf
• SD-WAN on-prem controller setup guide: http://cs.co/sd-wan-controller-setup
• Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936
• Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering
• Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301
SD-WAN Security – External Resources (For Your Reference), continued
• Cisco SD-WAN: http://www.cisco.com/go/sdwan
• Network World: https://tinyurl.com/yabey6f2
• WSJ: https://tinyurl.com/yb75loxn
• Lightreading: https://tinyurl.com/yba9zb4s
• FB: https://tinyurl.com/y9u375hk
• YouTube Network Field Day (demo): https://tinyurl.com/y955ufde
Thank you