Security Configuration Guide for Vedge Routers, Cisco SD-WAN Release 20

Security Configuration Guide for Vedge Routers, Cisco SD-WAN Release 20

Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 First Published: 2019-05-23 Last Modified: 2019-08-20 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version. Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) © 2019–2020 Cisco Systems, Inc. All rights reserved. CONTENTS CHAPTER 1 Read Me First 1 CHAPTER 2 What's New in Cisco SD-WAN 3 CHAPTER 3 Security Overview 5 Cisco SD-WAN Security Components 5 Security for Connections to External Devices 6 Control Plane Security Overview 6 DTLS and TLS Infrastructure 7 Control Plane Authentication 8 Control Plane Encryption 10 Control Plane Integrity 11 Data Plane Security Overview 11 Data Plane Authentication and Encryption 12 Data Plane Integrity 14 Carrying VPN Information in Data Packets 17 Security Provided by NAT Devices 17 CHAPTER 4 Configure Security Parameters 19 Configure Control Plane Security Parameters 19 Configure DTLS in Cisco vManage 20 Configure Security Parameters Using the Security Feature Template 21 Configure Data Plane Security Parameters 24 Configure Allowed Authentication Types 25 Change the Rekeying Timer 26 Change the Size of the Anti-Replay Window 27 Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 iii Contents Configure IKE-Enabled IPsec Tunnels 29 Configure an IPsec Tunnel 29 Configure an IPsec Static Route 30 Enable IKE Version 1 30 Enable IKE Version 2 31 Configure IPsec Tunnel Parameters 33 Modify IKE Dead-Peer Detection 34 Configure Other Interface Properties 34 CHAPTER 5 Enterprise Firewall 35 Overview of Enterprise Firewall 35 Restrictions 36 Configure Firewall Policies 37 Start the Security Policy Configuration Wizard 37 Create Rules 38 Apply Policy to a Zone Pair 39 Create Policy Summary 40 Apply a Security Policy to a Device 40 Monitor Enterprise Firewall 41 Zone-Based Firewall Configuration Examples 41 CHAPTER 6 Cisco Umbrella Integration 45 Overview of Cisco SD-WAN Umbrella Integration 45 Restrictions for Umbrella Integration 47 Prerequisites for Umbrella Integration 48 Configure Cisco Umbrella Registration 48 Define Domain Lists 49 Configure Umbrella DNS Policy Using Cisco vManage 49 Attach DNS Umbrella Policy to Device Template 50 Monitor Umbrella Feature 50 CHAPTER 7 IPsec Pairwise Keys 51 Supported Platforms 51 Pairwise Keys 52 Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 iv Contents IPsec Security Association Rekey 52 Configure IPSec Pairwise Keys 52 Configure IPsec Pairwise Keys Using Cisco vManage 52 Configure Pairwise Keys and Enable Rekeying on the CLI 53 Verify IPSec Pairwise Keys on Cisco vEdge Routers 53 CHAPTER 8 Integrate Your Devices With Secure Internet Gateways 55 Options to Integrate Your Devices with Secure Internet Gateways 57 Automatic Tunnels 57 Manual Tunnels 58 Configure Tunnels 59 Configure Automatic Tunnels Using Cisco vManage 59 Prerequisites 59 (Optional) Manually Create Custom Trackers 59 Create SIG Feature Template 59 Create SIG Credentials Template 61 Redirect Traffic to a SIG 62 Modify Service VPN Template 62 Create the SIG Device Template 63 Attach the SIG Template to Devices 63 Configure Manual Tunnels Using Cisco vManage 64 Configuring Manual Tunnels to an SIG 64 Configuring a GRE Tunnel or IPsec Tunnel from Cisco vManage 66 Monitor Tunnels 68 CHAPTER 9 Configure Single Sign-On 71 Configure Single Sign-On Using Okta 71 Enable an Identity Provider in Cisco vManage 71 Configure SSO on the Okta Website 72 Assign Users to the Application on the Okta Website 74 Configure SSO for Active Directory Federation Services (ADFS) 75 Import Metadata File into ADFS 75 Add ADFS Relying Party Trust 76 Add ADFS Relying Party Trust Manually 77 Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 v Contents Configure SSO for PingID 78 Configure SSO on the PingID Administration Portal 79 Configure SSO for IDPs in Cisco vManage Cluster 81 CHAPTER 10 Security CLI Reference 83 Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 vi CHAPTER 1 Read Me First Related References • Release Notes • Cisco SD-WAN Controller Compatibility Matrix and Server Recommendations User Documentation • Cisco SD-WAN (Cisco vEdge Devices) • Cisco SD-WAN Command Reference Communications, Services, and Additional Information • Sign up for Cisco email newsletters and other communications at: Cisco Profile Manager. • For information on the latest technical, advanced, and remote services to increase the operational reliability of your network visit Cisco Services. • To browse and discover secure, validated enterprise-class apps, products, solutions, and services, visit Cisco Devnet. • To obtain general networking, training, and certification titles from Cisco Press Publishers, visit Cisco Press. • To find warranty information for a specific product or product family, visit Cisco Warranty Finder. • To view open and resolved bugs for a release, access the Cisco Bug Search Tool. • To submit a service request, visit Cisco Support. Documentation Feedback To provide feedback about Cisco technical documentation use the feedback form available in the right pane of every online document. Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 1 Read Me First Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 2 CHAPTER 2 What's New in Cisco SD-WAN Note The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product. Cisco is constantly enhancing the SD-WAN solution with every release and we try and keep the content in line with the latest enhancements. The following table lists new and modified features we documented in the Configuration, Command Reference, and Hardware Installation guides. For information on additional features and fixes that were committed to the Cisco SD-WAN solution, see the Resolved and Open Bugs section in the Release Notes. What's New in Cisco SD-WAN (vEdge) Release 20.x Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 3 What's New in Cisco SD-WAN Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 4 CHAPTER 3 Security Overview Security is a critical element of today's networking infrastructure. Network administrators and security officers are hard pressed to defend their network against attacks and breaches. As

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    90 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us