BRKSEC-1655.Pdf

A Match Made in the Cloud Cisco Umbrella and SD-WAN Integration Nitin Kumar, Technical Marketing Engineer Cloud Security Group

BRKSEC-1655 Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Events Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

2009-2011 TAC, Cloud Web Security (Formerly ScanSafe)

2011-2015 Service Deployment Manager, CWS

2015 TME, Cloud Access Security (Elastica)

2016 Cloudlock M&A Team, Technical Due Diligence

2016-2018 TME, Web Security Appliance

2018-Present TME, Cloud Security

• Introduction

• SD-WAN Challenges

• SD-WAN Security

• DNS Security

• DNS Configuration

• Secure Internet Gateway

• IPSec Configuration

• Meraki MX + Umbrella

• Creating Umbrella Policies

• Conclusion

Internet

MPLS VPN

Branch office HQ Roaming/mobile

Internet / SaaS / IaaS

SD WAN DIA/DCA

Branch office HQ Roaming/mobile

DIA & SD-WAN pervasive in branch offices

Source: ESG Research Survey, Cisco Secure Internet Gateway Survey, January 2019

DIRECT INTERNET ACCESS EXPOSES INGRESS & EGRESS POINTS

External Threats SaaS IaaS

Internet • Exposure to malware & phishing due to direct Internet and cloud access NO SECURITY • Data breaches • Guest access liability

Data Center Branch BASIC/NO SECURITY

Corporate Users (guests) Software Devices/IOT Internal Threats

• Untrusted access (malicious insider) SD-WAN Fabric • Compliance (PCI, HIPPA, GDPR) • Lateral movements (breach propagation) WAN Existing Security Edge Device Stack in DMZ

SaaS IaaS PRO CON

Internet ONLY Consistent user and Lacks visibility and device protection in control over Cloud all locations and internal traffic and Security scales on-demand threats

Data Center Branch BASIC/NO SECURITY Corporate Decrypting traffic Users (guests) Visibility into all Software ONLY for malware traffic and protects Devices/IOT detection increases On-Prem against internal and edge device Security external threats footprint SD-WAN Fabric Best balance of On-Prem Complex & costly to security and user deploy and manage experience for & Cloud using different WAN Existing Security Separate Separate Cloud direct internet solutions or vendors Edge Device Stack in DMZ Security Appliance Security Service Security access

DEPLOYING SECURITY APPLICANCE ON-PREMISES

SaaS IaaS PRO CON

Internet ONLY Consistent user and Lacks visibility and NO SECURITY device protection in control over Cloud all locations and internal traffic and Security scales on-demand threats

DEPLOYING SECURITY EVERYWHERE

SaaS IaaS PRO CON

Internet ONLY Consistent user and Lacks visibility and NO SECURITY device protection in control over Cloud all locations and internal traffic and Security scales on-demand threats

Data Center Branch BASIC/NO SECURITY Corporate Decrypting traffic Users (guests) Visibility into all Software ONLY for malware traffic and protects Devices/IOT detection increases On-Prem against internal and edge device Security external threats footprint SD-WAN Fabric Best balance of On-Prem Complex & costly to security and user Cisco integrated deploy and manage experience for solution eliminates &and Cloud Cloud using different WAN Existing Security Separate Separate Cloud direct internet these cons solutions or vendors Edge Device Stack in DMZ Security Appliance Security Service Security access

DEPLOYING CISCO’S INTEGRATED SOLUTION

SaaS IaaS PRO CON

Internet ONLY Consistent user and Lacks visibility and NO SECURITY device protection in control over Cloud all locations and internal traffic and Security scales on-demand threats

Data Center Branch BASIC/NO SECURITY Corporate Secure DIA/DCA Decrypting traffic Users (guests) Visibility into all Software ONLY for malware traffic and protects Devices/IOT detection increases On-Prem against internal and edge device Security external threats Secure footprint WAN access SD-endWAN-to- Fabricend Best balance of On-Prem Complex & costly to security and user Cisco integrated deploy and manage experience for solution eliminates &and Cloud Cloud using different WAN Existing Security Separate Separate Cloud direct internet these cons solutions or vendors Edge Device Stack in DMZ Security Appliance CiscoSecurity SD-WAN Service Security access

On-Prem Cloud Security Security SaaS IaaS Mitigate Internal & Mitigate External External Threats Threats at Scale Internet

Network Enterprise Secure Web DNS-Layer Data Center Branch Segmentation Firewall Gateway Security

Corporate Secure DIA/DCA Users (guests) Software Devices/IOT

IPsec App Malware TLS/SSL URL Secure IPS WAN access Encryp. Controls Protection Decryp. Filtering end-to-end

Snort with AMP with Viptela NBAR2 Umbrella Single Management Console Talos Threat Grid CISCO INTEGRATED TECHNOLOGIES

ENTERPRISE-GRADE SECURITY EMBEDDED Full Edge Security Stack

SaaS IaaS On-Prem Cloud Internet Security Security Mitigate Internal & Mitigate External External Threats Threats at Scale

Data Center Branch

Corporate Secure DIA/DCA Users (guests) Software Devices/IOT •NetworkFirewall and intrusionEnterprise preventionSecure embedded Web forDNS internal-Layer Segmentation Firewall Gateway Security threats plus URL filtering and malware sandboxing for Secure external threats WAN access end-to-end • End-to-end segmentation to stop breach propagation, enforce regulatory compliance, and promote network (and application) layer security IPsec App Malware TLS/SSL URL IPS Single Management Console Encryp.• Zero-trust authenticationControls andProtection full payloadDecryp. encryptionFiltering between edge routers

Snort with AMP with *ManualViptela setup for full-outboundNBAR2 is in limited availability today;Umbrella Threat Grid automation comingTalos soon CISCO INTEGRATED TECHNOLOGIES BRKSEC-1655 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Right Security, Right Place

CLOUD-DELIVERED SECURITY Full Edge Security Stack

SaaS IaaS On-Prem Cloud Internet Security Security Mitigate Internal & Mitigate External External Threats Threats at Scale

Data Center Branch

Corporate Secure DIA/DCA Users (guests) Software Devices/IOT •NetworkFirewall and intrusionEnterprise preventionSecure embedded Web forDNS internal-Layer Segmentation• Integrated connectivityFirewall and cloudGateway-delivered securitySecurity with threats plus URL filtering and malware sandboxing for 100% business uptime Secure external threats WAN access • Secure Internet Gateway protects users and devices and • End-to-end segmentation to stop breach propagation, end-to-end protects data sent to and from the cloud enforce regulatory compliance, and promote network • Intent(and application)-based network layer security security enabled for 100s of sites in IPsec App Malware TLS/SSL URL minutes IPSusing either automated lightweight DNS-layer Encryp.• Zero-trust authenticationControls andProtection full payloadDecryp. encryptionFiltering Single Management Console security or full outbound security stack* between edge routers

Enterprise Firewall +1400 layer 7 apps classified Intrusion Prevention System Most widely deployed IPS engine in the world Cisco URL-Filtering Web reputation score using 82+ web categories Security Adv. Malware Protection With File Reputation and Sandboxing (TG) Secure Internet Gateway DNS Security/Cloud FW with Cisco Umbrella Cisco SD-WAN

Hours instead of weeks and months

vEdge Router cEdge Router

Cisco SD-WAN vEdge routers are delivered as hardware, software, cloud or virtualized components The vEdge Cloud is a virtualized version of the vEdge router, inheriting all the capabilities offered on Viptela’s physical branch that sit at the perimeter of a site, such as remote routers. office, branch office, campus, or a data center. Supported platforms: They participate in establishing a secure virtual • KVM hypervisor overlay network over a mix of any WAN transports. • VM on a VMware ESXi hypervisor • Amazon AWS • Google Cloud Platform

• vEdge Cloud can be used as a Virtual Network Function (VNF) for a Virtual CPE (vCPE) deployment at the branch.

• Can also be used as a Virtual Private Cloud (VPC) Gateway for customers that have workload residing in AWS

• Automatic API Key registration

• VPN-aware policies POP POP POP • Global points of presence and anycast IP for fastest response and high availability

• Block malware, phishing, and non-compliance domain requests WAN Edge • Supports DNScrypt

• Local Domain-bypass option

• Supports TLS decryption Users Users

• Intelligent Proxy

Service-VPN 1 Service-VPN 2 DNS DNS

Allowed Content Umbrella

WAN Edge DNS Request (1) Internet

Allowed Content Umbrella

WAN Edge DNS Request (1) Internet DNS Response

Allowed Content Umbrella

WAN Edge DNS Request (1) Internet DNS Response

Allowed to access destination site

Destination Web Page

Blocked Content Umbrella

WAN Edge DNS Request (1) Internet

Blocked Content Umbrella

WAN Edge DNS Request (1) Internet Umbrella Block Page

Blocked Content Umbrella

WAN Edge DNS Request (1) Internet Umbrella Block Page

Umbrella Block Page request

Umbrella Block Page

Grey List

Umbrella

WAN Edge DNS Request (1)

Internet

Grey List

Umbrella

WAN Edge DNS Request (1)

Umbrella Proxy IP Internet

Grey List

Umbrella

WAN Edge DNS Request (1)

Umbrella Proxy IP Internet

Umbrella proxy redirect

Destination Site

Step 1: Copy API key from Umbrella dashboard

• Umbrella registration token required • Policy configuration as to which categories are allowed, reporting etc. needs to be done in Umbrella Step 2: Input API key into Cisco SD-WAN vManage dashboard dashboard.

Step 3: Configure Umbrella policy

Umbrella Registration Status: We see here it’s already configured based on the first 2 steps

• Setup DNS redirect to Umbrella on vManage • Web Policy configuration done on Umbrella

Note: Security policy configuration (i.e. which categories are allowed, etc.) and reporting is done in Umbrella

Step 4: Apply policy per-VPN and optionally enable DNScrypt

• Identify the VPN(s) which need to be enabled for Umbrella Integration and whether you’d like to enable DNSCrypt

• DNScrypt is a proprietary protocol that encrypts DNS packets with EDNS data (such as private IP address of the client and in the future user ID information as well) and send the packet to Umbrella.

Today Future Features On v-Edge On c-Edge On v-Edge On c-Edge

DNS Redirection (Can be to Google DNS server or Umbrella DNS server)

Auto-Registration (Device Registration via APIs)

DNS Security (DNSCrypt & EDNS)

Policy Alignment via Viptela VPN (Network Devices in Umbrella)

Local Domain bypass

Cloud-delivered firewall • SIG (Secure Internet Gateway) is a SaaS usage platform with many different Web controls (CASB) security services gateway • The current platform includes DNS- layer security, Web Gateway (SWG), Cloud Delivered Firewall, CASB and correlated threat intel Correlated • Currently, Umbrella supports traffic DNS-layer security redirection for SIG services via IPSec threat intel tunnel. Cisco • Viptela vEdge and cEdge will be supported initially with automated Umbrella tunnel creation coming in 1HCY20

CORP NETWORK – HQ/HUBS VoIP WAF Intranet NGFW Internet SIG Servers SWG encompasses Exchange DLP SD-WAN fabric OAUTH APIs

SD-WAN edge

BRANCH OFFICES

By year-end 2018, >40% of branch office SD-WAN deployments will be using SD-WAN embedded security combined with SWG services. Gartner

❖ Supports IPSec tunnels

❖ Outbound firewall only

❖ Currently L3/L4 enforcement

❖ We can still block any port/protocol, source/destination IP

L7 Capabilities In CY20, CDFW will be getting L7 capabilities:

❖ Blocking of non HTTP/S Applications: one example would be blocking use of Tor browser

❖ Deep Packet Inspection: Apart from DPI for web traffic via web gateway, additional engines will provide greater visibility

❖ Enhanced AVC (Application Visibility & Control): Integration into current AVC engine. Single area to configure AVC policies'

Capture all web traffic with full URL logging URL logging and File (including HTTPS traffic) real-time inspection, Enforce acceptable use policies with content reporting sandboxing & filtering and URL blocking blocking Block more malware with URL scanning, file inspection (AMP/AV), and sandboxing (Threat Grid) Content & Control specific activities for a set of Full web proxy SSL traffic app popular SaaS apps decryption and controls inspection Deployment options: IPSec tunnel, AnyConnect, PAC file, proxy chaining

DNS-layer security: First check for domains associated with malware NAT Cloud-delivered firewall (CDFW): Port 21 Next check for IP, port, and protocol 80/443 rules DNS CDFW SWG Secure web gateway (SWG): Final Umbrella check of all web traffic for malware DNS, CDFW, and and policy violations SWG blocks

SD-WAN

2 Umbrella • There are situations when the Umbrella Umbrella DC 2 DC 1 service itself experiences issues 1 3

• In this case, there are multiple instances in each DC to handle customer traffic

• If the entire DC has issues, it is taken Corporate out automatically and another DC in Small/ data center the same region starts serving the home office old DC’s IP address

• Tunnels moves from old DC to a new DC automatically Waltham office SF office

Normal Operations Loss of Tunnel Loss of Site

Site A Site A Site A

Datacenter IP Datacenter IP Datacenter IP Pool Pool Pool

Site B Site B Site B

Under normal conditions the client would In this scenario Tunnel A has been lost and If we lose Site A all connections for all have a VPN tunnel with 2 paths across a pair client traffic will seamlessly pickup on Site B. clients will route to Site B. The prefix for of sites, this would allow for a level of At this stage both Site A and B are up but the Site A (/24) will be moved to Site B as part redundancy for ISP or Umbrella site failure. client has connectivity issues over one of the failover design. Tunnel Path

Traffic Redirection Umbrella Type Method Cloud Traffic orchestrator

DNS DNS based redirection Resolvers Selective Proxy

DNS Web IPSec CDFW Internet All other

Web Client SWG Web PAC file

Web Proxy chaining

Traffic Redirection Umbrella Type Method Cloud Traffic orchestrator

DNS DNS based redirection Resolvers Selective Proxy

DNS Web IPSec CDFW All other Internet

Web Client SWG Web PAC file

Web Proxy chaining

• Increased capacity per tunnel targeted SS FW NAT early CY20 Supported SD-WAN Devices OS Layer • Viptela vEdge, cEdge, Meraki MX Encryption and Authentication • IKEv2 Encryption • PSK Authentication

20 Datacenters SWG + CDFW SWG CDFW

You can access the vManage console with a web browser. By default, the HTTPS port is 8443, but this may vary based on how your vManage is configured.

• In vManage, all the features are configured through templates, once the vEdge devices are registered with vManage

• There are two types of Templates, Device & Feature Templates. First define the device template, then the feature template.

Configure Tunnel Parameters

• Choose a template name and description for the Tunnel interface.

• Choose the Interface name from 1 to 255. In this example, we have set ipsec1 as the interface name.

• Configure IPv4 address

Configure IPSec Details

• Set the IPSec Destination FQDN to Tunnel Headend.

• In this example, we are using na.sig.umbrella.com

• Umbrella datacenters are located globally and we’re continually expanding

Umbrella PSK Configuration • Set the IKE Version to 2.

• Set the IKE Rekey Interval to 28800.

• Leave the default Cipher Suite, which is AES-256-CBC- SHA1.

• Set the IKE DH Group to 14 2048-bit Modulus.

• The Pre-shared key (PSK) is configured on the Umbrella dashboard.

• The Remote endpoint is Umbrella Headend.

• Check tunnel status: Once negotiated, tunnel will show active state

• Additional tunnel details

vManage Screen Shot of the vEdge Device Dashboard showing active IKE-based IPSec tunnel to Umbrella SIG: Look at the status: IKE_UP_IPSEC_UP which means both control and data IPSec connections are up.

Choose Interface to check the status of the IPSec tunnel

BRKSEC-1655 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 68 Verify Tunnel Status: Viptela Full Router config interface ipsec9 ip address 192.168.127.1/30 tunnel-source-interface ge0/0 tunnel-destination 146.112.67.2 ike version 2 Verify PSK details rekey 14400 cipher-suite aes256-cbc-sha1 group 14 authentication-type pre-shared-key pre-shared-secret ^&*HDN;LKAFDGJAOIE&7^&%%^&7 local-id [email protected] remote-id 146.112.67.2

EXP-BR7-vEdge# show ipsec ike sessions

IF SOURCE DEST TUNNEL VPN NAME VERSION SOURCE IP PORT DEST IP PORT INITIATOR SPI RESPONDER SPI CIPHER SUITE DH GROUP STATE UPTIME UPTIME Verify IKE sessions ------0 ipsec9 2 173.37.56.171 4500 146.112.67.2 4500 60a161e9a2b5da86 b6d8e6fa99253c96 aes256-cbc-sha1 14 (MODP-2048) IKE_UP_IPSEC_UP 0:00:07:43 0:00:07:48

See Full Details Additional Filters Identity Types

Choose log types

EU data warehouse facility available • Ease data serenity concerns

• Store data used for Umbrella reports in EU facility

• Use multi-org console for different storage settings for different locations

Today Future Features On v-Edge On c-Edge On v-Edge On c-Edge

Manual Tunnels to Umbrella

Auto Org On-boarding

Automated Tunnels

L7 Health Monitoring (via SIG Template)

Tunnel Visibility and Debugging

Sending DNS inside the Tunnels

• The Umbrella integration on MX is available in public beta in firmware MX15.10+.

• Requires Meraki Advanced Security license plus an Umbrella account you can link to the Meraki dashboard. Requires Meraki Support to enable functionality in order to get access to this functionality.

• GA MX15 firmware targeted for H2 of FY2020.

• Current testing of MX + SIG integration in firmware MX15.12+: If you have an MX, you will be able to configure a full IPSec tunnel to the Umbrella SIG for inspection and filtering.

Generate the Umbrella API Key

Before linking the two dashboards, the Umbrella API Key and associated Secret must first be created on the Umbrella dashboard. This can be done from the Umbrella dashboard by selecting Admin > API Keys.

Once the key has been generated, copy both the Key and the Secret so they can be entered on the Meraki dashboard.

• Once the Umbrella API Key and secret have been generated, they need to be added to the Meraki dashboard to properly link the Meraki network and the Umbrella dashboard.

• Once this information has been saved the Meraki and Umbrella dashboards should now be properly linked, allowing Umbrella policies to be applied to Meraki SSIDs or group policies within the current Meraki network.

• IPSec tunnel configured on Viptela vEdge Firewall policy

• Single branch location needs to Search by application block Tor and BitTorrent for all users

• L7 policies setup on Umbrella

IPSec tunnel on Viptela vEdge

• IPSec tunnel configured on Viptela vEdge

• Choose your identity Network Tunnel • SAML User/Group • AD User/Group • Network • Network Tunnel

• Choose what content to block

• Choose apps to enforce

• IPSec tunnel configured on Viptela vEdge

• Choose your identity Network Tunnel • SAML User/Group • AD User/Group • Network • Network Tunnel

• Choose what content to Content block Categories

• Choose apps to enforce

• IPSec tunnel configured on Viptela vEdge

• Choose your identity Network Tunnel • SAML User/Group • AD User/Group • Network • Network Tunnel Choose Apps • Choose what content to Content block Categories

• Choose apps to enforce Choose options

• Umbrella DNS configured in customer environment

• Select Network as identity type

• Choose security categories to enforce

BRKSEC-1655 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 84 Better Together: Umbrella + SD-WAN Already a Viptela Learn Try https://umbrella.cisco.com/sd-wan https://signup.umbrella.com customer? 1 Input Umbrella API key into vManage Copy the API key from Umbrella into the vManage Umbrella API registration

14-day Free Trial Simplified cloud security for your 2 distributed network What is included? Cisco SD-WAN Threat protection like no other — block malware, C2 Configure Umbrella policies in vManage Cloud-delivered WAN architecture callbacks, and phishing. Apply Umbrella DNS re-direct policies that enables digital and cloud transformation. Predictive intelligence — automates threat protection by 3 uncovering attacks before they launch. Create Umbrella security policies Cisco Umbrella Worldwide coverage in minutes — no hardware to install or Cloud-delivered security service If you’re new to Umbrella, we recommend software to maintain you create policies for your organization. that provides safe access to the Weekly security report — get a personalized summary of The intuitive Umbrella policy wizard walks internet and cloud applications. malicious requests & more, directly to your inbox. you through each step. 1,000+ users? — You're eligible for the Umbrella Security Report, a detailed post-trial analysis.

Breakouts: Breakouts: What’s new in Umbrella, Cisco’s Secure Internet Gateway Cloud Managed Security & SD-WAN from Cisco Meraki BRKSEC-2023 BRKSEC-2998 Tuesday, January 28th: 14:30-16:00 Wednesday, January 29th: 11:00-12:30

Labs: SD-WAN Security (Viptela) Hands-on lab – What’s new in Cisco Umbrella’s Secure Internet BRKRST-2377 Gateway(SIG) Wednesday, January 29: 08:30-10:30 LTRSEC-2010 Thursday, January 30th: 09:00-13:00 Labs: Walk in Lab: Deploying Cisco Meraki at the Branch Walk-in Lab: Cisco Umbrella Lab – Advanced LABCLD-2903 LABSEC-2504 Tech Circle: DevNet: SD-WAN in Real World – How to build SD-WAN networks at scale Learn about Umbrella APIs and solve/implement customers use-cases DEVNET-3196 TCRRST-2800 Wednesday, January 29th: 17:00-17:45 Thursday, January 30th: 13:30-14:30

Tuesday BRKSEC-3016 Friday BRKSEC-2140 Demystifying Zero Trust - What does it really mean? How do 2 birds with 1 stone: DUO integration with you achieve it with Cisco and Duo Security ? Cisco ISE and Firewall solutions Wednesday BRKSEC-2049 Tracking Down the Cyber Criminals: Revealing Malicious Infrastructures with Umbrella

Wednesday BRKSEC-1655 A Match Made in the Cloud: Cisco Umbrella + SD-WAN Integration Tuesday BRKSEC-2023 What's new in Umbrella, Cisco's Secure Internet Gateway

Monday BRKSEC-2382 Application and User-centric Protection with Monday TECSEC 2609 Duo Security Architecting Security for a Zero Trust Future

BRKSEC-1655 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 87 Complete your online session • Please complete your session survey survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.

• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Demos in the Walk-In Labs Cisco Showcase

Meet the Engineer Related sessions 1:1 meetings