manager, technical marketing - sccug · 2019-05-03 · kureli sankar, ccie security #35505 manager,...
TRANSCRIPT
Kureli Sankar, CCIE Security #35505, Manager, Technical Marketing
Dana Yanch, CCIE/CCDA, Technical Solutions Architect
BRKCRS-2114
SD-WAN Security
Agenda
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Direct Internet Access
• Ent Firewall App Aware
• Intrusion Prevention
• URL-Filtering
• DNS/web-layer Security
• Demo
• Resources
BRKCRS-2114 3
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Cs.co/ciscolivebot#BRKCRS-2114
About – Kureli Sankar
• BS in Electrical and Electronics Engineering
• 2006 – 2013 TAC Engineer
• CCIE Security #35505
• 2013 – 2018 TME
• 2019 – Present TME, Manager
• Areas of expertise
• IOS and IOS-XE security features
• SD-WAN Security solutions
• 2018 - Distinguished Speaker Cisco Live (EUR and ANZ)
About – Dana Yanch
• 10 years of WAN and DC Architecture
• CCIE #25567 / CCDE #2013::71
• 4 years of multi-vendor SD-WAN Design and Implementation
• Cisco SD-WAN (Viptela) TSA for Enterprise
• Areas of Expertise
• SD-WAN, Nexus, UCS, Design, DC technologies
Introduction
Current WAN Challenges
Is Your WAN Business Ready?
• Insufficient Bandwidth
• No Cloud Apps Readiness
• Fragmented Security
• Limited Scale
• High Cost
• Complex Operations
• Applications Downtime
• Limited Application Awareness
What is SD-WAN?
Software Defined WAN is a new, user-friendly approach to centrally provision, manage, monitor, report on and troubleshoot WAN edges.
• Lowers Operational Cost
• Increases Application Performance across the WAN
• Improves Quality of Experience
• Offers Security and Data Privacy
Cisco SD-WAN Holistic Approach
[Figure: the SD-WAN fabric connects users, devices and things to the DC, IaaS, SaaS and vDC; the fabric is secure, scalable and app aware, highly automated, with rich analytics, multitenant/cloud-delivered; applications on top: SD-WAN, Cloud OnRamp, IoT, Edge Computing]
Cisco SD-WAN Solution Differentiation
• Application Quality of Experience (Cloud or On-Prem)
• Flexible Operations
• Deployment Credibility
• Cloud or On-prem Delivered SDN Architecture
• Comprehensive Security
Secure Infrastructure
Orchestration Plane: Cisco vBond
[Figure: solution architecture with vManage, vSmart controllers, vBond, vAnalytics and 3rd-party automation via APIs; WAN Edge routers in Data Center, Campus, Branch, SOHO and Cloud over MPLS, Internet and 4G transports]
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
Control Plane: Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
[Figure: the same solution architecture diagram, highlighting the control plane]
Data Plane: WAN Edge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP, VRRP and HSRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor
[Figure: the same solution architecture diagram, highlighting the data plane]
Management Plane: Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant with web scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
[Figure: the same solution architecture diagram, highlighting the management plane]
Device Identity
Malware in IOS is a Real Threat
[Figure: timeline 2011 to 2016 of the 6 observed malware variants]
• Incident 0: static infection; crypto (DH keys)
• Incident 1: static infection; crypto (DH keys)
• Incident 2: runtime infection; C&C, data exfiltration
• Incident 3: runtime infection; C&C, data exfiltration, multi-arch, line cards
• Incident 4: runtime infection; C&C, data exfiltration, ROMMON, modular
• SYNful Knock: static infection; C&C, modular
Cisco Trust Anchor Module (TAm)
• Anti-Tamper Chip Design
• Built-In Crypto Functions
• Secure Storage
[Figure: TAm stack: tamper-proof storage, crypto functions, SUDI and boot measurements in hardware; TAm services libraries; integrity applications on top: HW authenticity check, secure PnP, integrity verification]
Secure Unique Device Identification (Secure-UDI)
• Tamperproof ID for the device
• Binds the hardware identity (PID) to a key pair in a cryptographically secure X.509 certificate during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR Compliant
Cisco Secure Boot: Boot Code Integrity Anchored in Hardware
Anchors Secure Boot in Hardware to Create a Chain of Trust
• Only authentic signed Cisco software boots up on a Cisco platform
• The boot process stops if any step fails to authenticate
Step 1: Hardware anchor (microloader) on the CPU
Step 2: Microloader checks the bootloader
Step 3: Bootloader checks the OS
Step 4: OS launched
Router Identity
• Each physical router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in the on-board Tamper Proof Module (TPM)
  - Installed during manufacturing process
• Certificate is signed by Avnet root CA
  - Trusted by Control Plane elements
• DigiCert root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP
[Figure: TPM chip holding the device certificate (installed during manufacturing) and the root chain (in software)]
Cloud Router Identity
• OTP/Token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded WAN Edge list
• OTP/Token is supplied to Cloud router in Cloud-Init during the VM deployment
  - Can activate from CLI post VM deployment
• vManage signs certificate(s) for the Cloud router post OTP/Token validation
  - If vManage cluster, each member signs
  - vManage removes OTP to prevent reuse
• DigiCert root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
[Figure: device certificate(s) signed by vManage (if cluster, each member signs) and the root chain, both in software]
Secure Control Plane
Network-wide Control Plane
[Figure: Cisco SD-WAN separates a network-wide control plane from the data plane plus local control plane, giving O(n) control complexity and high scale; traditional designs integrate control and data plane in every node, giving O(n^2) control complexity and limited scale]
Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations, service routes, BFD up/down stats and Cloud onRamp for SaaS probe stats
• Distributes IPSec encryption keys, and data and app-aware policies
[Figure: three vSmarts peering with each other over OMP; two WAN Edges each peering with a subset of the vSmarts]
Note: WAN Edge routers need not connect to all vSmart Controllers
Transport Locators (TLOCs)
[Figure: each WAN Edge has local TLOCs (System IP, Color, Encap); TLOCs are advertised over OMP to the vSmarts; the vSmarts advertise TLOCs to all WAN Edges* (default); IPsec tunnels then form a full mesh SD-WAN fabric (default)]
* Can be influenced by the control policies
Secure Data Plane
SD-WAN Fabric Operation Walk-Through
[Figure: two WAN Edges connected over Transport1 and Transport2, each with a VPN1 site and a VPN2 site (A, B, C, D); each WAN Edge learns local routes via BGP, OSPF, connected and static, sends OMP updates (subnets, TLOCs) to the vSmart over the DTLS/TLS tunnel, and receives OMP updates (subnets, TLOCs, policies) back; BFD runs inside the IPsec tunnel between the WAN Edges]
OMP Update carries: Reachability – IP subnets, TLOCs; Security – encryption keys; Policy – data/app-route policies
Data Plane Privacy
[Figure: data plane packet format: IP | UDP | ESP | original packet, encrypted with AES256-GCM/CBC; over the control plane each WAN Edge sends its encryption keys (Encr-Key1 to Encr-Key4) in OMP updates to the vSmart controllers, which relay them, so every edge holds local (generated) and remote (received) keys per transport (Transport1, Transport2)]
• Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes
• Encryption keys are per-transport
• Can be rapidly rotated
• Symmetric encryption keys used asymmetrically
End-to-End Segmentation
[Figure: the ingress WAN Edge maps interfaces and VLANs into VPN 1, VPN 2 and VPN 3; the packet crossing the SD-WAN IPsec tunnel carries IP (20) | UDP (8) | ESP (36) | VPN label (4) | … data; the egress WAN Edge uses the label to map the packet back to the VPN's interface/VLAN]
• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
Critical Applications SLA
[Figure: remote site to regional data center over Internet, MPLS and 4G LTE IPsec tunnels, with vSmarts; Path1: 10ms, 0% loss, 5ms jitter; Path2: 200ms, 3% loss, 10ms jitter; Path3: 140ms, 1% loss, 10ms jitter]
vManage App Aware Routing Policy, App A path must have: Latency < 150ms, Loss < 2%, Jitter < 10ms
WAN Edge Routers continuously perform path liveliness and quality measurements
Direct Internet Access
SD-WAN Security – Use Case 1: PCI Compliance
[Figure: branch with paths to Data Center applications and to the Internet]
SD-WAN Security – Use Case 2: Guest Access
[Figure: guest traffic sent to the Internet]
SD-WAN Security – Use Case 3: Direct Cloud Access
[Figure: Guest and Employee users at the branch in VPN1 and VPN2; HQ-destined traffic over SD-WAN to the Data Center applications; Employee Internet traffic; Employee SaaS traffic sent directly to SaaS (Direct Cloud Access); Guest Internet traffic to the Internet]
SD-WAN Security – Use Case 4: Direct Internet Access
[Figure: Guest and Employee users at the branch in VPN1 and VPN2; HQ-destined traffic over SD-WAN to the Data Center applications; Employee Internet traffic and Employee SaaS traffic leave via Direct Internet Access to SaaS and the Internet]
Full Edge Security
Single Pane of Glass (Manage in Cloud or On-Prem)
• Provision
• Manage
• Monitor
• Report
• Troubleshoot
Embedded (Branch Edge / Edge Router)
• Ent. Firewall App Aware
• IPS
• URL-Filtering
• AMP and Threat Grid *
Cloud
• DNS/web-layer Security
Platforms (Flexibility)
• ISR 1K
• ISR 4K
• ENCS (ISRv)
• CSR
• ASR 1K (Ent FW App Aware and DNS/web-layer security)
• vEdges (FW and DNS/web-layer security)
* March 2019
SD-WAN Security Licensing
DNA Essentials: Ent FW – App-Aware, Intrusion Prevention, URL filtering, DNS-Layer security monitoring *
DNA Advantage: Ent FW – App-Aware, Intrusion Prevention, URL filtering, DNS-Layer security monitoring *, Advanced SD-WAN Topology, Cloud App Discovery
* Need Umbrella Subscription for enforcement
Ent Firewall App Aware
• Zone Policies
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Block traffic by group, category or specific application
• Segmentation
• PCI compliance
[Figure: Edge Device with Inside Zone (Users, Service-VPN 1), Guest Zone (Devices, Service-VPN 2) and Outside Zone (SaaS, Internet)]
Inspect policy allows only return traffic.
Ent. Firewall App Aware: Intra-Zone Security
[Figure: hosts at SD-WAN Site A and SD-WAN Site B, both in VPN1 / Zone1, connected through their WAN Edges across the SD-WAN fabric; action on the traffic: D, I or P]
Action: D – Drop, I – Inspect, P – Pass
Ent. Firewall App Aware: Inter-Zone Security
[Figure: hosts at SD-WAN Site A in VPN1 / Zone1 and at SD-WAN Site B in VPN1 / Zone1 and VPN2 / Zone2; VPN1-to-VPN2 route leaking via the vSmart; action on the traffic: D, I or P]
Action: D – Drop, I – Inspect, P – Pass
vManage - Ent FW App Aware - Configuration
Ent Firewall with Zone Policy – CLI rendered (For Your Reference)
[Figure: Data Center and Remote Site across the SD-WAN fabric; VPN 0 toward the ISP is security zone OUTSIDE, VPN 1 is security zone INSIDE]
zone security OUTSIDE
 vpn 0
zone security INSIDE
 vpn 1
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match access-group name
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
Ent. FW App Aware – CLI rendered (For Your Reference)
zone security OUTSIDE
 vpn 0
zone security INSIDE
 vpn 1
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol http
 match protocol https
 match access-group name
 match protocol dns
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map match-any AVC-CLASS
 match protocol yahoo
 match protocol amazon
 match protocol attribute category consumer-streaming
 match protocol attribute category gaming
 match protocol attribute category social-networking
!
policy-map type inspect avc AVC-POLICY
 class AVC-CLASS
  deny
 class class-default
  allow
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
  service-policy avc AVC-POLICY
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
Intrusion Prevention
Intrusion Prevention
• Most widely deployed Intrusion Prevention solution in the world
• Backed by TALOS, signature update is automated
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance
[Figure: IPS running as an on-site service]
vManage - Intrusion Prevention (vManage screenshots, two slides)
Intrusion Prevention – CLI rendered (For Your Reference)
Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar
Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252
Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start
Step 4 Configuring UTD (service plane)
utd engine standard multi-tenancy
 threat-inspection whitelist profile Sig-white-list
  generator id 3 signature id 22089
  generator id 3 signature id 36208
 threat-inspection profile IPS-POLICY
  threat [protection | detection]
  policy [security | connectivity | balanced]
  whitelist profile Sig-white-list
  logging level [alert | info | ...]
Step 5 Enabling UTD (data plane)
policy utd-policy-vrf-1
 vrf 1
 all-interfaces
 fail [open | close]
 threat-inspection profile IPS-POLICY
URL-Filtering
URL Filtering
• 82+ Web Categories with dynamic updates from Webroot/BrightCloud
• Block based on Web Reputation score
• Create custom Black and White Lists
• Customizable End-user notifications
[Figure: URL Filtering blocks or allows based on categories, the reputation of “risky” domain requests, and white/black lists of custom URLs]
vManage - URL Filtering (vManage screenshots, two slides)
URL Filtering – CLI rendered (For Your Reference)
Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar
Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252
Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start
Step 4 Configure (optional) white and black list
parameter-map type regex wlist1
 pattern www.google.com
 pattern www.cisco.com
parameter-map type regex blist1
 pattern www.exmaplehoo.com
 pattern www.bing.com
Step 5 Configure block page
web-filter block page profile block-URL-FILTER-POLICY
 text “WHAT ARE YOU DOING??!!!”
URL Filtering – CLI rendered, continued (For Your Reference)
Step 6 Configure web-filter profile
web-filter url profile URL-FILTER-POLICY
 blacklist
  parameter-map regex blist1
 whitelist
  parameter-map regex wlist1
 categories block
  abortion
  abused-drugs
  adult-and-pornography
  bot-nets
  cheating
  confirmed-spam-sources
  cult-and-occult
 alert all
 block page-profile block-URL-FILTER-POLICY
 reputation
  block-threshold moderate-risk
Step 7 Configure data plane
utd global
 logging syslog
!
policy utd-policy-vrf-1
 all-interfaces
 fail close
 vrf 1
 web-filter url profile URL-FILTER-POLICY
DNS/web-layer security
• Leading Security Efficacy for malware, phishing, and unacceptable requests by blocking based on DNS requests
• Supports DNScrypt
• Local Domain-bypass
• TLS decryption
• Intelligent Proxy
[Figure: users and devices send DNS requests to Cisco Umbrella; safe requests are answered, blocked requests are stopped]
DNS/web-layer Security - Solution Overview
[Figure: a user (Martha) behind a WAN Edge; the DNS Request (1) is sent to Cisco Umbrella, which returns the DNS Response (4); for a safe request the client then fetches Approved Content (5) from the web servers on the Internet; a blocked request is stopped at Umbrella]
vManage – DNS/web-layer Security (vManage screenshots, three slides)
DNS/web-layer security – CLI rendered (For Your Reference)
Configure local domain bypass (optional)
parameter-map type regex dns_wl
 pattern www.cisco.com
 pattern .*eisg.cisco.*
Configure token and enable DNS security
parameter-map type umbrella global
 token 57CC8010687FB1B2A7BA4F2373C00247166
 no dnscrypt            ! DNScrypt is enabled by default
 udp-timeout            ! to change the UDP timeout
 resolver-ip <>
vpn 21
 dns-resolver-ip <Umbrella> [bypass-local-domain]
vpn 22
 dns-resolver-ip <Umbrella> [bypass-local-domain]
SD-WAN Security Support on vEdges – 18.3.1
Platforms/Features | Ent FW | DPI | DNS/web-layer Monitoring *
Viptela (100, 1000, 2000 and 5000) | Y | Qosmos | Y
* Need Umbrella Subscription for enforcement
SD-WAN Security IOS-XE Routers – 16.10.1
Platforms/Features | Ent FW with App Awareness | IPS/IDS | URL Filtering | DNS/web-layer Monitoring *
Cisco – CSR | Y | Y | Y | Y
Cisco – ENCS (ISRv) | Y | Y | Y | Y
Cisco – ISR4K (4451, 4431, 4351, 4331, 4321, 4221-X) | Y | Y | Y | Y
Cisco – ISR1K (1111X-8P) | Y | Y | Y | Y
Cisco – ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X) | Y | N/A | N/A | Y
* Need Umbrella Subscription for enforcement
Ent FW App Aware and DNS/web-layer security will work with default 4 GB DRAM
Security App Hosting Profile & Resources
[Figure: core allocation per platform. 4321 / 4221 / 1K: control plane 2 cores (IOS, SVC), data plane 2 cores (PPE, I/O, crypto). 4331 / 4351: control plane 4 cores (IOS, SVC1 to SVC3 on Linux), data plane 4 cores (PPE1 to PPE3, I/O, crypto). 4431 / 4451: control plane 4 cores (IOS, SVC1 to SVC3 on Linux), data plane 10 cores (PPE1 to PPE9, I/O, crypto). Data plane cores run CPP code; service cores run Linux]
Platforms | Total No of CP Cores | Total No of CP Cores for Security | Default Profile (URL-F Cloud Lookup) | High Profile (URL-F On-Box Lookup)
4321/4221/1K | 2 | 1 | 1 | -
4331 | 4 | 2 | 2 | 2
4351 | 4 | 2 | 2 | 2
4431 | 4 | 2 | 2 | 2
4451 | 4 | 2 | 2 | 2
IPS / URL-F App Hosting Profile
Security Profile | Features | Memory requirement | Platform Supported
Default | IPS + URLF (Cloud Lookup only) | 8GB Bootflash, 8GB Memory | ISR1K/4221/4321; 4/8 vCPU CSR/ISRv; 4331/4351/44xx *
High | IPS + URLF (On-box DB + Cloud Lookup) | 16GB Bootflash & 16GB Memory | 4/8 vCPU CSR/ISRv; 4331/4351/44xx *
* 44XX support – March 2019
Ent FW App Aware and DNS/web-layer security will work with default 4 GB DRAM
SD-WAN Security Features – Order of Operation: LAN to WAN
(G0/0 – LAN facing, G0/1 – WAN facing; UTD – Unified Threat Defense)
[Figure, read from the slide's step numbering: ingress on G0/0: 1 IP Dest Lookup, 2 NBAR, 3 DNS Security, 4 VFR, 5 CEF; egress on G0/1: 1 FW, 2 DNS Security, 3 NBAR, 4 NAT, 5 UTD (IPS, URL-F)]
SD-WAN Security Features – Order of Operation: WAN to LAN
(G0/0 – LAN facing, G0/1 – WAN facing; UTD – Unified Threat Defense)
[Figure, read from the slide's step numbering: ingress on G0/1: 1 DNS Layer, 2 VFR, 3 NAT, 4 CEF; egress on G0/0: 1 FW, 2 UTD (IPS, URL-F), 3 DNS Layer, 4 NBAR]
SD-WAN Security – Performance (For Your Reference)
XE SD-WAN 16.10.1, vManage 18.4; 16k, 64k, 1024k – HTTP object size, entire http payload; all throughput figures in Mbps
Platform | Traffic Profile (HTTP) | IPSEC | IPSEC + Ent FW | IPSEC + Ent FW + IPS + URLF | NAT DIA + Ent FW + IPS + URLF
ISR 4351 | 16k | 300 | 295 | 95 | 162
ISR 4351 | 64k | 620 | 375 | 115 | 213
ISR 4351 | 1024k | 850 | 520 | 180 | 229
ISR 4331 | 16k | 300 | 250 | 90 | 101
ISR 4331 | 64k | 430 | 330 | 105 | 145
ISR 4331 | 1024k | 600 | 450 | 150 | 170
C1111x-8P | 16k | 211 | 190 | 65 | 97
C1111x-8P | 64k | 212 | 189 | 68 | 99
C1111x-8P | 1024k | 214 | 180 | 69 | 100
Demo
SD-WAN Security – Demo in a Box
[Figure: ESXi 6.7 host on a Management Network, reaching the Internet over Google Fiber]
Basic Steps (1/2)
• Basic connectivity: install and configure controllers on ESXi, OpenStack or KVM
• After connectivity, your next step is to do the certificate work; otherwise the control elements will not establish DTLS connections between themselves and, obviously, the overlay is not going to be functional.
• Basic steps are as follows:
1. Make the initial CLI config on vBond, vSmart and vManage. Specify site-id (can be the same for all), system-ip (unique per device, but does not have to be reachable, like a router-id), organization name and the vBond VPN0 IP address (on the vBond itself give its own IP and add the “local” keyword). Obviously, interfaces also need to be configured for reachability between the controllers.
2. Install Root CA and generate root cert. I use openssl on a Linux VM.
3. Upload (scp) root cert into vBond, vSmart, vManage.
4. Install root CA on vBond, vSmart, vManage (request root-cert-chain install)
5. Generate CSR on vBond, vSmart, vManage (request csr upload /home/admin/<blah>.csr). Org name of the CSR should match the org name you defined on the vManage.
6. Download (scp) CSRs into CA
7. Sign CSRs with CA
8. Upload certificates back to vBond, vSmart, vManage (put them into /home/admin folder)
9. Install certificates on vBond, vSmart, vManage (request certificate install)
10. Add controllers on vManage
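The CA side of the controller certificate flow above (steps 2, 5, 7 and 9), scripted with openssl as an added example that is not part of the session or of any Cisco tooling. The organization name LAB-ORG, the controller names vbond/vsmart/rogue and the working directory are assumed placeholders; the org-name check before signing reflects the step 5 requirement that the CSR's org name match the one defined on vManage.

```shell
#!/bin/sh
# Added example, not from the session or from Cisco: a lab CA flow for steps 2,
# 5, 7 and 9, scripted with openssl.  ORG_NAME, the controller names and the
# working directory are made-up placeholders for a lab.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ORG_NAME="LAB-ORG"        # must equal the organization name configured on vManage

# Step 2: generate the lab root CA (self-signed, RSA 2048, SHA-256, 10 years).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORKDIR/root-ca.key" -out "$WORKDIR/root-ca.crt" \
    -subj "/O=$ORG_NAME/CN=Lab SD-WAN Root CA" 2>/dev/null
}

# Stand-in for step 5: a controller generates a key pair and a CSR carrying the
# organization name.  On the real controllers this is "request csr upload ...".
make_controller_csr() {   # $1 = controller name, $2 = organization put in the CSR
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
    -subj "/O=$2/CN=$1" 2>/dev/null
}

# Check before step 7: the CSR's O= must match the org name defined on vManage;
# a controller whose certificate carries a different org never joins the fabric.
csr_org_matches() {   # $1 = path to CSR
  org=$(openssl req -in "$1" -noout -subject -nameopt sep_multiline,lname \
        2>/dev/null | sed -n 's/^ *organizationName=//p')
  [ "$org" = "$ORG_NAME" ]
}

# Step 7: sign the CSR with the root CA (one year validity) after the org check.
sign_csr() {   # $1 = controller name
  csr_org_matches "$WORKDIR/$1.csr" || return 1
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$1.csr" \
    -CA "$WORKDIR/root-ca.crt" -CAkey "$WORKDIR/root-ca.key" -CAcreateserial \
    -out "$WORKDIR/$1.crt" 2>/dev/null
}

# What a controller effectively checks after step 9 ("request certificate
# install"): the certificate must chain to the root installed in step 4.
verify_chain() {   # $1 = controller name
  openssl verify -CAfile "$WORKDIR/root-ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Whole flow: two genuine controllers plus one CSR carrying the wrong org.
demo() {
  make_root_ca
  make_controller_csr vbond  "$ORG_NAME"
  make_controller_csr vsmart "$ORG_NAME"
  make_controller_csr rogue  "OTHER-ORG"
  sign_csr vbond  && verify_chain vbond  || return 1
  sign_csr vsmart && verify_chain vsmart || return 1
  if sign_csr rogue; then return 1; fi     # mismatched org must be refused
  echo "lab CA flow OK, artifacts in $WORKDIR"
}

demo
```

The signed vbond.crt and vsmart.crt would then be copied back (step 8) and installed (step 9); root-ca.crt is what step 3 uploads to each controller.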
Basic Steps (2/2)
• After controller setup, log in to PnP Connect and:
  • Add Controller Profile (provide vBond and Org Name)
  • Add hardware devices
  • Add software devices (vEdgeCloud, ISRv, CSR1000v)
  • Download Provisioning File (Serial File)
• Upload Serial File to vManage
Topology
[Figure: demo topology with controllers 1.1.1.1, 1.1.1.2 and 1.1.1.3, management network 192.168.1.1, 10.118.34.8 admin/admin, and the Internet]
Resources
Release Notes and Image Download Links
Release Notes for both 16.10.1 and 18.4: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Release_Notes/010Release_Notes_for_IOS_XE_SD-WAN_Release_16.10_and_SD-WAN_Release_18.4
16.10.1 Software Download Links for ISR 1K/4K and ASR:
ISR 1K: https://software.cisco.com/download/home/286321996/type/286321980/release/16.10.1
ISR 4K: https://software.cisco.com/download/home/286321991/type/286321980/release/16.10.1
ASR1K: https://software.cisco.com/download/home/286321999/type/286321980/release/16.10.1
ISRv: https://software.cisco.com/download/home/286308662/type/286321980/release/16.10.1
18.4 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/18.4.0
18.4 vManage upgrade image download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/18.4.0
SD-WAN Security – External Resources
Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936
Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering
Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301
Cisco Validated Design: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf
SD-WAN Security – External Resources (continued)
Cisco SD-WAN - http://www.cisco.com/go/sdwan
Network World - https://tinyurl.com/yabey6f2
WSJ - https://tinyurl.com/yb75loxn
Lightreading - https://tinyurl.com/yba9zb4s
FB: https://tinyurl.com/y9u375hk
YouTube Network Field Day (demo): https://tinyurl.com/y955ufde
Call to Action
World Of Solution – SD-WAN Security Booth
Whisper Suite – SD-WAN Security Booth
Checkout other SD-WAN Sessions
Try It (dCloud coming soon)
Test It
Buy It
Your SD-WAN learning map at CLEUR (Monday to Friday)
• TECCRS-2014 Deep Dive
• TECSEC-2355 Security
• TECCRS-2191 Deployment / BCP
• BRKCRS-2110 The Foundation
• BRKCRS-2111 Migration
• BRKCRS-2112 Serviceability
• BRKRST-2560 Analytics / ML
• BRKCRS-2114 Security
• BRKRST-2558 SD-WAN as a Managed Service
• BRKRST-2559 On-prem Deployment
• BRKCRS-2113 Cloud OnRamp
• BRKCRS-2117 Design / Deployment
Complete your online session survey
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you