SD-WAN Security
BRKCRS-2114

SCCUG · 2019-05-03

Kureli Sankar, CCIE Security #35505, Manager, Technical Marketing
Dana Yanch, CCIE/CCDA, Technical Solutions Architect

Agenda

• Introduction

• Secure Infrastructure

• Device Identity

• Secure Control Plane

• Secure Data Plane

• Direct Internet Access

• Ent Firewall App Aware

• Intrusion Prevention

• URL-Filtering

• DNS/web-layer Security

• Demo

• Resources


Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Cs.co/ciscolivebot#BRKCRS-2114


About – Kureli Sankar

• BS in Electrical and Electronics Engineering

• 2006 – 2013 TAC Engineer

• CCIE Security #35505

• 2013 – 2018 TME

• 2019 – Present TME, Manager

• Areas of expertise
  - IOS and IOS-XE security features
  - SD-WAN Security solutions

• 2018 - Distinguished Speaker Cisco Live (EUR and ANZ)


About – Dana Yanch

• 10 years of WAN and DC Architecture
• CCIE #25567 / CCDE #2013::71
• 4 years of multi-vendor SD-WAN Design and Implementation
• Cisco SD-WAN (Viptela) TSA for Enterprise
• Areas of Expertise
  - SD-WAN, Nexus, UCS, Design, DC technologies

Introduction


Current WAN Challenges

Is Your WAN Business Ready?

• Insufficient Bandwidth
• No Cloud Apps Readiness
• Fragmented Security
• Limited Scale
• High Cost
• Complex Operations
• Applications Downtime
• Limited Application Awareness


What is SD-WAN?

Software-Defined WAN is a new, user-friendly approach to centrally provision WAN edges and to manage, monitor, report on and troubleshoot them.

• Lowers Operational Cost
• Increases Application Performance across the WAN
• Improves Quality of Experience
• Offers Security and Data Privacy


Cisco SD-WAN Holistic Approach

(Diagram: users, devices and things connect through the SD-WAN fabric to applications in the DC, vDC, IaaS and SaaS, with SD-WAN Cloud OnRamp and IoT edge computing at the edges. Fabric attributes: secure, scalable, app aware, highly automated, rich analytics, multitenant / cloud-delivered.)


Cisco SD-WAN Solution Differentiation

• Application Quality of Experience (Cloud or On-Prem)
• Flexible Operations
• Deployment Credibility
• Cloud or On-prem Delivered SDN Architecture
• Comprehensive Security

Secure Infrastructure


Orchestration Plane

Cisco vBond

• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP address [could sit behind 1:1 NAT]
• Highly resilient

(Diagram: vManage, vSmart controllers and vBond, with vAnalytics, 3rd-party automation and APIs, above WAN Edge routers at data center, campus, branch, SOHO and cloud sites over MPLS, INET and 4G transports.)


Control Plane

Cisco vSmart

• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient


Data Plane

WAN Edge (Physical/Virtual)

• WAN edge router
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP, VRRP and HSRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor


Management Plane

Cisco vManage

• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant with web scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• Highly resilient

Device Identity


Malware in IOS is a Real Threat

(Timeline 2011–2016: six observed malware variants.)

• Incident 0: static infection; crypto (DH keys)
• Incident 1: static infection; crypto (DH keys)
• Incident 2: runtime infection; C&C, data exfil.
• Incident 3: runtime infection; C&C, data exfil., multi-arch, line cards
• Incident 4: runtime infection; C&C, data exfil., ROMMON, modular
• SYNful Knock: static infection; C&C, modular


Cisco Trust Anchor Module (TAm)

• Anti-Tamper Chip Design
• Built-In Crypto Functions
• Secure Storage

(Diagram: the TAm provides tamper-proof storage, crypto functions, SUDI and boot measurements; TAM services libraries expose them to integrity applications: HW authenticity check, secure PnP, integrity verification.)


Secure Unique Device Identification (Secure – UDI)

Tamperproof ID for the device

Binds the hardware identity (PID) to a key pair in a cryptographically secure X.509 certificate during manufacturing

Connections with the device can be authenticated by the SUDI credential

IEEE 802.1AR Compliant


Cisco Secure Boot: Boot Code Integrity Anchored in Hardware

Anchors Secure Boot in Hardware to Create a Chain of Trust

Only authentic signed Cisco software boots up on a Cisco platform. The boot process stops if any step fails to authenticate.

Step 1: Hardware anchor – the CPU starts from the microloader held in the hardware anchor
Step 2: Microloader checks bootloader
Step 3: Bootloader checks OS
Step 4: OS launched
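As an added illustration (not code from the deck or from Cisco), the Python below models the four-step chain: an immutable hardware anchor holds the expected digest of the microloader, each stage holds the expected digest of the next, and the boot halts at the first mismatch. SHA-256 digests stand in for the signature checks a real platform performs; the sample images, the `Stage` layout and the function names are this example's assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the microloader -> bootloader -> OS chain (not
# Cisco's implementation). The anchor digest is what the hardware would
# hold immutably; each stage image embeds the digest it expects of the
# next stage, so a tampered image or a tampered pointer is both detected.

@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                    # the stage image itself
    next_digest: Optional[bytes]   # digest this stage expects of the next image

def serialize(stage: Stage) -> bytes:
    # The digest covers the code and the embedded expectation.
    return stage.code + (stage.next_digest or b"")

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(images: Dict[str, bytes]) -> Tuple[bytes, List[Stage]]:
    """Link the chain back to front; return (anchor digest, [microloader, bootloader, os])."""
    stages: List[Stage] = []
    expected: Optional[bytes] = None
    for name in ("os", "bootloader", "microloader"):
        stage = Stage(name, images[name], expected)
        stages.insert(0, stage)
        expected = digest(serialize(stage))
    return expected, stages

def boot(anchor: bytes, stages: List[Stage]) -> List[str]:
    """Run the chain and return the names of the stages that were launched.
    The process halts at the first stage whose digest does not match."""
    launched: List[str] = []
    expected: Optional[bytes] = anchor       # step 1: the hardware anchor checks the microloader
    for stage in stages:
        if expected is None or digest(serialize(stage)) != expected:
            break                            # authentication failed: stop booting
        launched.append(stage.name)
        expected = stage.next_digest         # steps 2-3: this stage checks the next one
    return launched

# Constructed sample images (placeholders, not real firmware).
IMAGES = {"microloader": b"microloader-v1", "bootloader": b"bootloader-v1", "os": b"ios-xe-v1"}

def demo() -> Tuple[List[str], List[str]]:
    anchor, good = build_chain(IMAGES)
    # Swap only the OS image; the bootloader still expects the original digest.
    tampered = good[:2] + [Stage("os", b"ios-xe-v1-modified", None)]
    return boot(anchor, good), boot(anchor, tampered)

if __name__ == "__main__":
    print(demo())
```

The chain is built back to front because the microloader's digest depends on the bootloader's, which depends on the OS's; the only value that has to be protected by hardware is the root digest, which is the point of the slide.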


Router Identity

• Each physical router is uniquely identified by the chassis ID and certificate serial number

• Certificate is stored in on-board Tamper Proof Module (TPM)
  - Installed during manufacturing process

• Certificate is signed by Avnet root CA
  - Trusted by Control Plane elements

• DigiCert root CA chain of trust is used to validate Control Plane elements

• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP

(Diagram: device certificate in the TPM chip, installed during manufacturing; root chain installed in software.)


Cloud Router Identity

• OTP/Token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded WAN Edge list

• OTP/Token is supplied to Cloud router in Cloud-Init during the VM deployment
  - Can activate from CLI post VM deployment

• vManage signs certificate(s) for the Cloud router post OTP/Token validation
  - If vManage cluster, each member signs
  - vManage removes OTP to prevent reuse

• DigiCert root CA chain of trust is used to validate Control Plane elements

• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init

(Diagram: device certificate(s) signed by vManage (if cluster, each member signs); root chain installed in software.)
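The single-use property of the token is the security-relevant part of this slide, so here is an added model of it in Python (this is not vManage code). It keeps one entry per (chassis ID, serial number) from the uploaded list, stores only a digest of the issued token, compares in constant time, and deletes the entry on the first successful validation so a captured token cannot be replayed. The `TokenAuthority` class, the placeholder certificate string and the sample chassis IDs are this example's assumptions; Cloud-Init delivery of the token is outside the model.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed model of the OTP/token flow (not vManage's implementation).

class TokenAuthority:
    def __init__(self, edge_list: List[Tuple[str, str]]):
        # Only a digest of each issued token is kept, so a copy of this table
        # does not yield tokens that could activate a router.
        self._pending: Dict[Tuple[str, str], Optional[bytes]] = {
            (chassis_id, serial): None for chassis_id, serial in edge_list
        }
        self.signed: List[str] = []

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, chassis_id: str, serial: str) -> str:
        """Generate the one-time token for a device in the WAN Edge list."""
        key = (chassis_id, serial)
        if key not in self._pending:
            raise KeyError("device is not in the uploaded WAN Edge list")
        token = secrets.token_urlsafe(32)     # 256 bits of randomness
        self._pending[key] = self._digest(token)
        return token

    def validate(self, chassis_id: str, serial: str, token: str) -> Optional[str]:
        """Return a certificate placeholder on success, None otherwise.
        A successful validation removes the token (single use)."""
        key = (chassis_id, serial)
        expected = self._pending.get(key)
        if expected is None:                  # unknown device, never issued, or already used
            return None
        if not hmac.compare_digest(self._digest(token), expected):
            return None                       # wrong token: entry stays, nothing is consumed
        del self._pending[key]                # remove OTP to prevent reuse
        cert = f"CERT(chassis={chassis_id},serial={serial})"   # placeholder for the signed certificate
        self.signed.append(cert)
        return cert

def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    # Constructed WAN Edge list entries.
    authority = TokenAuthority([("CSR-CHASSIS-01", "SN0001"), ("CSR-CHASSIS-02", "SN0002")])
    token = authority.issue("CSR-CHASSIS-01", "SN0001")
    first = authority.validate("CSR-CHASSIS-01", "SN0001", token)     # succeeds
    replay = authority.validate("CSR-CHASSIS-01", "SN0001", token)    # None: token consumed
    wrong = authority.validate("CSR-CHASSIS-02", "SN0002", token)     # None: never issued for it
    return first, replay, wrong

if __name__ == "__main__":
    print(demo())
```

A failed comparison deliberately leaves the pending entry in place: a guessed token must not be able to invalidate a legitimate one still waiting in Cloud-Init.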

Secure Control Plane


Network-wide Control Plane

Cisco SD-WAN: network control plane separated from the data plane and local control plane; O(n) control complexity, high scale.

Traditional: integrated control and data plane; O(n^2) control complexity, limited scale.


Overlay Management Protocol (OMP)

• TCP based extensible control plane protocol

• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections

• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations, service routes, BFD up/down stats and Cloud onRamp for SaaS probe stats

• Distributes IPSec encryption keys, and data and app-aware policies

(Diagram: OMP sessions between WAN Edges and vSmarts and between the vSmarts.)

Note: WAN Edge routers need not connect to all vSmart Controllers


Transport Locators (TLOCs)

(Diagram: WAN Edges and vSmart, with OMP sessions to vSmart and IPSec tunnels between the WAN Edges.)

• Local TLOCs (System IP, Color, Encap)
• TLOCs advertised to vSmarts
• vSmarts advertise TLOCs to all WAN Edges* (default)
• Full Mesh SD-WAN Fabric (default)

* Can be influenced by the control policies

Secure Data Plane


SD-WAN Fabric Operation Walk-Through

(Diagram: WAN Edges at sites A–D, each with VPN1 and VPN2, connected over Transport1 and Transport2; vSmart above.)

• WAN Edges learn local routes via BGP, OSPF, connected and static
• Each WAN Edge sends OMP updates to vSmart over its DTLS/TLS tunnel, carrying its subnets and TLOCs
• vSmart sends OMP updates to the WAN Edges carrying Reachability (IP subnets, TLOCs), Security (encryption keys) and Policy (data/app-route policies)
• WAN Edges build IPSec tunnels between TLOCs and run BFD over them


Data Plane Privacy

(Packet: IP | UDP | ESP | original packet, encrypted with AES256-GCM/CBC.)

• Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes
• Encryption keys are per-transport
• Can be rapidly rotated
• Symmetric encryption keys used asymmetrically

(Diagram: each WAN Edge holds a local (generated) key and a remote (received) key per transport (Transport1, Transport2); Encr-Key1 to Encr-Key4 are carried in OMP updates via the vSmart controllers over the control plane.)


End-to-End Segmentation

(Diagram: the ingress WAN Edge maps interfaces and VLANs into VPN 1, VPN 2 and VPN 3; packets cross the SD-WAN IPSec tunnel as IP (20 bytes) | UDP (8) | ESP (36) | VPN label (4) | Data; the egress WAN Edge maps the VPN back to its interface or VLAN.)

• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
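To make the label-then-lookup order concrete, here is an added Python model (not Cisco code): an ingress edge maps a VLAN to a VPN label, and the egress edge uses the label to select the per-VPN table before doing the longest-prefix match. VPN 1 and VPN 2 deliberately carry the same prefix so that the label, not the address, decides where a packet goes, and an unknown label is dropped rather than falling back to another VPN's table. The VLAN numbers, prefixes and next-hop names are constructed; the byte counts are the ones on the slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of per-VPN forwarding keyed by the VPN label.

@dataclass(frozen=True)
class LabeledPacket:
    vpn_label: int      # the 4-byte label carried after the ESP header
    dst: str

# Header overhead on the tunnel, in bytes, as listed on the slide.
OVERHEAD = {"ip": 20, "udp": 8, "esp": 36, "vpn_label": 4}

def tunnel_overhead() -> int:
    return sum(OVERHEAD.values())

class IngressEdge:
    def __init__(self, vlan_to_vpn: Dict[int, int]):
        self.vlan_to_vpn = vlan_to_vpn     # 802.1Q tag -> VPN

    def encapsulate(self, vlan: int, dst: str) -> Optional[LabeledPacket]:
        vpn = self.vlan_to_vpn.get(vlan)
        return None if vpn is None else LabeledPacket(vpn, dst)

class EgressEdge:
    def __init__(self):
        self.tables: Dict[int, List[Tuple[ipaddress.IPv4Network, str]]] = {}

    def add_route(self, vpn: int, prefix: str, next_hop: str) -> None:
        self.tables.setdefault(vpn, []).append((ipaddress.ip_network(prefix), next_hop))

    def forward(self, pkt: Optional[LabeledPacket]) -> Optional[str]:
        """Return the next hop, or None when the packet must be dropped."""
        if pkt is None:
            return None
        table = self.tables.get(pkt.vpn_label)
        if table is None:
            return None     # unknown VPN: never consult another VPN's table
        dst = ipaddress.ip_address(pkt.dst)
        candidates = [(net, nh) for net, nh in table if dst in net]
        if not candidates:
            return None
        net, nh = max(candidates, key=lambda c: c[0].prefixlen)   # longest prefix match
        return nh

def build_demo() -> Tuple[IngressEdge, EgressEdge]:
    ingress = IngressEdge({10: 1, 20: 2})          # VLAN 10 -> VPN 1, VLAN 20 -> VPN 2 (constructed)
    egress = EgressEdge()
    egress.add_route(1, "10.0.0.0/24", "vpn1-lan")       # same prefix exists in both VPNs
    egress.add_route(1, "10.0.0.0/28", "vpn1-servers")   # more specific route inside VPN 1 only
    egress.add_route(2, "10.0.0.0/24", "vpn2-lan")
    return ingress, egress

if __name__ == "__main__":
    ingress, egress = build_demo()
    for vlan, dst in ((10, "10.0.0.5"), (10, "10.0.0.200"), (20, "10.0.0.5")):
        print(vlan, dst, egress.forward(ingress.encapsulate(vlan, dst)))
```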


Critical Applications SLA

WAN Edge Routers continuously perform path liveliness and quality measurements

Path1: 10ms, 0% loss, 5ms jitter
Path2: 200ms, 3% loss, 10ms jitter
Path3: 140ms, 1% loss, 10ms jitter

vManage App Aware Routing Policy – App A path must have:
Latency < 150ms
Loss < 2%
Jitter < 10ms

(Diagram: remote site and regional data center connected by IPSec tunnels over Internet, MPLS and 4G LTE; vSmarts distribute the policy.)
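An added Python example (not Cisco code) that reduces per-path probe samples to the three SLA metrics and then applies the App A thresholds above to the slide's three paths. The probe samples, the definition of jitter as the mean absolute change between consecutive answered probes, and the function names are this example's assumptions. Because the slide writes the thresholds with a strict "<", Path3's 10 ms jitter is excluded; the `strict` flag shows how the boundary case flips if "<=" is meant.

```python
from statistics import mean
from typing import Dict, List, Optional

# Constructed example: SLA class evaluation for app-aware routing.

SLA_APP_A = {"latency_ms": 150.0, "loss_pct": 2.0, "jitter_ms": 10.0}   # thresholds from the slide

# The three path measurements shown on the slide.
SLIDE_PATHS = {
    "Path1": {"latency_ms": 10.0, "loss_pct": 0.0, "jitter_ms": 5.0},
    "Path2": {"latency_ms": 200.0, "loss_pct": 3.0, "jitter_ms": 10.0},
    "Path3": {"latency_ms": 140.0, "loss_pct": 1.0, "jitter_ms": 10.0},
}

def summarize(samples: List[Optional[float]]) -> Dict[str, float]:
    """samples: probe round-trip latencies in ms, None for a lost probe."""
    answered = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(answered)) / len(samples)
    latency = mean(answered) if answered else float("inf")
    deltas = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = mean(deltas) if deltas else 0.0
    return {"latency_ms": latency, "loss_pct": loss_pct, "jitter_ms": jitter}

def meets_sla(stats: Dict[str, float], sla: Dict[str, float], strict: bool = True) -> bool:
    """strict=True applies the slide's '<' thresholds; strict=False applies '<='."""
    if strict:
        return all(stats[k] < sla[k] for k in sla)
    return all(stats[k] <= sla[k] for k in sla)

def select_paths(paths: Dict[str, Dict[str, float]], sla: Dict[str, float],
                 strict: bool = True) -> List[str]:
    """Names of the paths eligible for the application, lowest latency first."""
    eligible = [(name, stats) for name, stats in paths.items() if meets_sla(stats, sla, strict)]
    return [name for name, _ in sorted(eligible, key=lambda item: item[1]["latency_ms"])]

if __name__ == "__main__":
    print(select_paths(SLIDE_PATHS, SLA_APP_A))             # strict thresholds
    print(select_paths(SLIDE_PATHS, SLA_APP_A, strict=False))
    print(summarize([10.0, 12.0, None, 11.0, 9.0]))          # one lost probe out of five
```

In operation the interesting failure mode is a path that oscillates around a threshold; a production implementation would add hysteresis or a multiplier on the SLA before switching traffic, which is deliberately not modelled here.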

Direct Internet Access


SD-WAN Security – Use Case 1: PCI Compliance

(Diagram: data center applications and the Internet reached from the branch.)


SD-WAN Security - Use Case 2: Guest Access

(Diagram: guest traffic breaks out to the Internet.)


SD-WAN Security – Use Case 3: Direct Cloud Access

(Diagram labels: Guest, Employee, VPN1, VPN2, Data Center Applications, SD-WAN, HQ Destined Traffic, Employee Internet Traffic, Employee SaaS Traffic, SaaS, Guest Internet Traffic, Internet; employee SaaS traffic uses Direct Cloud Access.)


SD-WAN Security - Use Case 4: Direct Internet Access

(Diagram labels: Guest, Employee, VPN1, VPN2, Data Center Applications, SD-WAN, HQ Destined Traffic, Employee Internet Traffic, Employee SaaS Traffic, SaaS, Internet; employee Internet traffic uses Direct Internet Access.)


Single Pane of Glass

• Provision
• Manage
• Monitor
• Report
• Troubleshoot

Manage in Cloud or On-Prem

Embedded
• Ent. Firewall App Aware
• IPS
• URL-Filtering
• AMP and Threat Grid *

Cloud
• DNS/web-layer Security

Platforms
• ISR 1K
• ISR 4K
• ENCS (ISRv)
• CSR
• ASR 1K (Ent FW App Aware and DNS/web-layer security)
• vEdges (FW and DNS/web-layer security)

Full Edge Security on the Branch Edge Router – Flexibility

* March 2019


SD-WAN Security Licensing

DNA Essentials:
• Ent FW – App-Aware
• Intrusion Prevention
• URL filtering
• DNS-Layer security monitoring *

DNA Advantage:
• Ent FW – App-Aware
• Intrusion Prevention
• URL filtering
• DNS-Layer security monitoring *
• Advanced SD-WAN Topology
• Cloud App Discovery

* Need Umbrella Subscription for enforcement


Ent Firewall App Aware

• Zone Policies
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Block traffic by group, category or specific application
• Segmentation
• PCI compliance

(Diagram: Edge Device with Outside Zone (Internet, SaaS), Inside Zone (Users, Service-VPN 1) and Guest Zone (Devices, Service-VPN 2).)

Inspect policy: only the return traffic of inspected sessions is allowed back.


Ent. Firewall App Aware: Intra-Zone Security

(Diagram: SD-WAN Site A and SD-WAN Site B, each with a WAN Edge, VPN1 in Zone1 and hosts, connected across the SD-WAN fabric; the intra-zone action is applied to traffic between hosts of Zone1.)

Action: D | I | P
D – Drop, I – Inspect, P – Pass


Ent. Firewall App Aware: Inter-Zone Security

(Diagram: SD-WAN Site A and SD-WAN Site B across the SD-WAN fabric with vSmart; Site A has VPN1 in Zone1, Site B has VPN1 in Zone1 and VPN2 in Zone2 with VPN1-VPN2 route leaking; the inter-zone action is applied between Zone1 and Zone2.)

Action: D | I | P
D – Drop, I – Inspect, P – Pass


vManage - Ent FW App Aware - Configuration


Ent Firewall with Zone Policy - CLI rendered (For Your Reference)

(Diagram: Data Center – SD-WAN Fabric – Remote Site – ISP; VPN 0 is in security zone OUTSIDE, VPN 1 is in security zone INSIDE.)

zone security OUTSIDE
 vpn 0
zone security INSIDE
 vpn 1
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match access-group name
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY


Ent. FW App Aware – CLI rendered (For Your Reference)

zone security OUTSIDE
 vpn 0
zone security INSIDE
 vpn 1
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol http
 match protocol https
 match access-group name
 match protocol dns
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map match-any AVC-CLASS
 match protocol yahoo
 match protocol amazon
 match protocol attribute category consumer-streaming
 match protocol attribute category gaming
 match protocol attribute category social-networking
!
policy-map type inspect avc AVC-POLICY
 class AVC-CLASS
  deny
 class class-default
  allow
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
  service-policy avc AVC-POLICY
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
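The zone-pair semantics behind both rendered configurations (inspect the class, drop class-default, admit only return traffic of inspected sessions) are easier to reason about in a small executable model, so one is added here in Python; it is not the router's implementation. VPNs map to zones, a zone-pair carries ordered (protocol set, action) rules, and "inspect" records the session so that the reverse flow passes without a policy lookup. Two defaults are this model's assumptions: traffic between different zones with no zone-pair is dropped, and traffic within one zone with no zone-pair is passed. The `Flow` layout, the rule encoding and the sample addresses are also constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed model of zone-based firewall evaluation with stateful inspect.

@dataclass(frozen=True)
class Flow:
    src_vpn: int
    dst_vpn: int
    proto: str          # "tcp", "udp", "icmp", "ftp", ... as named in the class-map
    src: str
    sport: int
    dst: str
    dport: int

Rule = Tuple[Set[str], str]    # ({"ftp", "tcp"}, "inspect"); {"any"} matches everything

@dataclass
class ZoneFirewall:
    vpn_zone: Dict[int, str]
    zone_pairs: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)
    sessions: Set[tuple] = field(default_factory=set)

    def add_zone_pair(self, src_zone: str, dst_zone: str, rules: List[Rule]) -> None:
        self.zone_pairs[(src_zone, dst_zone)] = rules

    @staticmethod
    def _key(f: Flow) -> tuple:
        return (f.src_vpn, f.dst_vpn, f.proto, f.src, f.sport, f.dst, f.dport)

    @staticmethod
    def _reverse_key(f: Flow) -> tuple:
        return (f.dst_vpn, f.src_vpn, f.proto, f.dst, f.dport, f.src, f.sport)

    def evaluate(self, f: Flow) -> str:
        """Return the action taken for this packet."""
        if self._reverse_key(f) in self.sessions:
            return "pass-return"           # reply to a session that was inspected
        src_zone = self.vpn_zone.get(f.src_vpn)
        dst_zone = self.vpn_zone.get(f.dst_vpn)
        rules = self.zone_pairs.get((src_zone, dst_zone))
        if rules is None:
            return "pass" if src_zone == dst_zone else "drop"   # model's defaults
        for protos, action in rules:
            if "any" in protos or f.proto in protos:
                if action == "inspect":
                    self.sessions.add(self._key(f))
                return action
        return "drop"                      # nothing matched and no class-default given

def build_demo() -> ZoneFirewall:
    fw = ZoneFirewall(vpn_zone={0: "OUTSIDE", 1: "INSIDE"})
    # Mirrors INSIDE-TO-OUTSIDE-POLICY: inspect the class, drop class-default.
    fw.add_zone_pair("INSIDE", "OUTSIDE",
                     [({"ftp", "tcp", "udp", "icmp"}, "inspect"), ({"any"}, "drop")])
    return fw

if __name__ == "__main__":
    fw = build_demo()
    out = Flow(1, 0, "tcp", "10.1.1.10", 51000, "198.51.100.7", 443)   # constructed addresses
    back = Flow(0, 1, "tcp", "198.51.100.7", 443, "10.1.1.10", 51000)
    print(fw.evaluate(back), fw.evaluate(out), fw.evaluate(back))     # drop inspect pass-return
```

Note that there is no OUTSIDE-to-INSIDE zone-pair at all: unsolicited inbound traffic is dropped by the default, and the only way in is as the reverse of an inspected session, which is exactly what the "inspect policy allows only return traffic" remark on the earlier slide describes.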

Intrusion Prevention


Intrusion Prevention

• Most widely deployed Intrusion Prevention solution in the world
• Backed by Talos; signature updates are automated
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance

(Diagram labels: On-site Services, IPS.)


vManage - Intrusion Prevention (screenshot)


Intrusion Prevention – CLI rendered (For Your Reference)

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start

Step 4 Configuring UTD (service plane)
utd engine standard multi-tenancy
 threat-inspection whitelist profile Sig-white-list
  generator id 3 signature id 22089
  generator id 3 signature id 36208
 threat-inspection profile IPS-POLICY
  threat [protection | detection]
  policy [security | connectivity | balanced]
  whitelist profile Sig-white-list
  logging level [alert | info | ….. ]

Step 5 Enabling UTD (data plane)
 policy utd-policy-vrf-1
  vrf 1
  all-interfaces
  fail [open | close]
  threat-inspection profile IPS-POLICY

URL-Filtering


URL Filtering

• 82+ Web Categories with dynamic updates from Webroot/BrightCloud
• Block based on Web Reputation score
• Create custom Black and White Lists
• Customizable End-user notifications

(Diagram: URL Filtering blocks or allows based on categories, reputation and requests for “risky” domains, plus white/black lists of custom URLs.)


vManage - URL Filtering (screenshot)


URL Filtering – CLI rendered (For Your Reference)

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start

Step 4 Configure (optional) white and black list
parameter-map type regex wlist1
 pattern www.google.com
 pattern www.cisco.com
parameter-map type regex blist1
 pattern www.exmaplehoo.com
 pattern www.bing.com

Step 5 Configure block page
web-filter block page profile block-URL-FILTER-POLICY
 text "WHAT ARE YOU DOING??!!!"


URL Filtering – CLI rendered (For Your Reference)

Step 6 Configure web-filter profile
web-filter url profile URL-FILTER-POLICY
 blacklist
  parameter-map regex blist1
 whitelist
  parameter-map regex wlist1
 categories block
  abortion
  abused-drugs
  adult-and-pornography
  bot-nets
  cheating
  confirmed-spam-sources
  cult-and-occult
 alert all
 block page-profile block-URL-FILTER-POLICY
 reputation
  block-threshold moderate-risk

Step 7 Configure data plane
utd global
 logging syslog
!
policy utd-policy-vrf-1
 all-interfaces
 fail close
 vrf 1
 web-filter url profile URL-FILTER-POLICY

BRKCRS-2114 59

Page 57

DNS/web-layer security

• Leading Security Efficacy for malware, phishing, and unacceptable requests by blocking based on DNS requests

• Supports DNScrypt

• Local Domain-bypass

• TLS decryption

• Intelligent Proxy

[Figure: Users and Devices send DNS requests to Cisco Umbrella; safe requests are allowed, blocked requests are denied]

Page 58

DNS/web-layer Security - Solution Overview

[Figure: a user (Martha) behind the WAN Edge sends a DNS Request (1), which is forwarded to Cisco Umbrella; the DNS Response (4) returns through the WAN Edge and Approved Content (5) is fetched from Web Servers on the Internet. Safe requests are resolved; blocked requests are not.]

Page 59

vManage – DNS/web-layer Security

Page 60

vManage – DNS/web-layer Security

Page 61

vManage - DNS/web-layer Security

Page 62

DNS/web-layer security – CLI rendered (For Your Reference)

Configure local domain bypass (optional)

  parameter-map type regex dns_wl
   pattern www.cisco.com
   pattern .*eisg.cisco.*

Configure token and enable DNS security

  parameter-map type umbrella global
   token 57CC8010687FB1B2A7BA4F2373C00247166
   no dnscrypt        (DNScrypt is enabled by default)
   udp-timeout        (to change the UDP timeout)
   resolver-ip <>
  vpn 21
   dns-resolver-ip <Umbrella> [bypass-local-domain]
  vpn 22
   dns-resolver-ip <Umbrella> [bypass-local-domain]

Page 63

SD-WAN Security Support on vEdges – 18.3.1

Platforms/Features                        Ent FW   DPI      DNS/web-layer Monitoring *
Viptela (100, 1000, 2000 and 5000)        Y        Qosmos   Y

* Need Umbrella Subscription for enforcement

Page 64

SD-WAN Security IOS-XE Routers – 16.10.1

Platforms/Features                                        Ent FW with App Awareness   IPS/IDS   URL Filtering   DNS/web-layer Monitoring *
Cisco - CSR                                               Y                           Y         Y               Y
Cisco – ENCS (ISRv)                                       Y                           Y         Y               Y
Cisco – ISR4K (4451, 4431, 4351, 4331, 4321, 4221-X)      Y                           Y         Y               Y
Cisco – ISR1K (1111X-8P)                                  Y                           Y         Y               Y
Cisco - ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X)          Y                           N/A       N/A             Y

* Need Umbrella Subscription for enforcement

Ent FW App Aware and DNS/web-layer security will work with default 4 GB DRAM

Page 65

Security App Hosting Profile & Resources

[Figure: core allocation per platform. 4321 / 4221 / 1K: Control Plane (2 cores: IOS, SVC), Data Plane (2 cores: PPE, I/O, Crypto). 4331 / 4351: Control Plane (4 cores: IOS, SVC1, SVC2, SVC3 on Linux), Data Plane (4 cores: PPE1, PPE2, PPE3, I/O, Crypto). 4431 / 4451: Control Plane (4 cores: IOS, SVC1, SVC2, SVC3 on Linux), Data Plane (10 cores: PPE1 to PPE9, I/O, Crypto, running CPP code).]

Platforms        Total No of CP Cores   Total No of CP Cores for Security   Default Profile (URL-F Cloud Lookup)   High Profile (URL-F On-Box Lookup)
4321/4221/1K     2                      1                                   1                                      -
4331             4                      2                                   2                                      2
4351             4                      2                                   2                                      2
4431             4                      2                                   2                                      2
4451             4                      2                                   2                                      2

Page 66

Security App Hosting Profile & Resources – IPS / URL-F App Hosting Profile

Security Profile   Features                                  Memory requirement              Platform Supported
Default            IPS + URLF (Cloud Lookup only)            8GB Bootflash, 8GB Memory       ISR1K/4221/4321; 4/8 vCPU CSR/ISRv; 4331/4351/44xx *
High               IPS + URLF (On-box DB + Cloud Lookup)     16GB Bootflash & 16GB Memory    4/8 vCPU CSR/ISRv; 4331/4351/44xx *

* 44XX support – March 2019

Ent FW App Aware and DNS/web-layer security will work with default 4 GB DRAM

Page 67

SD-WAN Security Features – Order of Operation: LAN to WAN

[Figure: G0/0 is LAN facing (ingress), G0/1 is WAN facing (egress). Ingress-side chain as numbered in the figure: IP Dest Lookup (1), NBAR (2), DNS Security (3), VFR (4), CEF (5). Egress-side chain as numbered in the figure: FW (1), DNS Security (2), NBAR (3), NAT (4), UTD – Unified Threat Defense (IPS, URL-F) (5).]

Page 68

SD-WAN Security Features – Order of Operation: WAN to LAN

[Figure: G0/1 is WAN facing (ingress), G0/0 is LAN facing (egress). Ingress-side chain as numbered in the figure: DNS Layer (1), VFR (2), NAT (3), CEF (4). Egress-side chain: FW (1), NBAR (4), with DNS Layer and UTD (Unified Threat Defense: IPS, URL-F) at positions 2 and 3; the extracted text does not show which is which.]

Page 69

SD-WAN Security - Performance (For Your Reference)

Throughput in Mbps. Traffic profile is the HTTP object size (16k, 64k, 1024k – entire HTTP payload). Measured on XE SD-WAN 16.10.1 with vManage 18.4.

Platform      Traffic Profile (HTTP)   IPSEC   IPSEC + Ent FW   IPSEC + Ent FW + IPS + URLF   NAT DIA + Ent FW + IPS + URLF
ISR 4351      16k                      300     295              95                            162
ISR 4351      64k                      620     375              115                           213
ISR 4351      1024k                    850     520              180                           229
ISR 4331      16k                      300     250              90                            101
ISR 4331      64k                      430     330              105                           145
ISR 4331      1024k                    600     450              150                           170
C1111x-8P     16k                      211     190              65                            97
C1111x-8P     64k                      212     189              68                            99
C1111x-8P     1024k                    214     180              69                            100

Page 70

Demo

Page 71

SD-WAN Security - Demo in a Box

[Figure: lab hosted on ESXi 6.7 with a Management Network, connected to the Internet via Google Fiber]

Page 72

Basic Steps (1/2)

• Basic connectivity - install and configure controllers on ESXi, OpenStack or KVM

• After connectivity, your next step is to do the certificate work; otherwise the control elements will not establish DTLS connections between themselves and the overlay will obviously not be functional.

• Basic steps are as follows:

1. Make the initial CLI config on vBond, vSmart, vManage. You need to specify site-id (can be the same for all), system-ip (unique per device, but doesn't have to be reachable, like a router-id), organization name, and the vBond VPN0 IP address (on vBond give its own IP and add the "local" keyword). You obviously also need to configure interfaces for reachability between the controllers.

2. Install Root CA and generate root cert. I use openssl on a Linux VM.

3. Upload (scp) root cert into vBond, vSmart, vManage.

4. Install root CA on vBond, vSmart, vManage (request root-cert-chain install)

5. Generate CSR on vBond, vSmart, vManage (request csr upload /home/admin/<blah>.csr). Org name of the CSR should match the org name you defined on the vManage.

6. Download (scp) CSRs into CA

7. Sign CSRs with CA

8. Upload certificates back to vBond, vSmart, vManage (put them into /home/admin folder)

9. Install certificates on vBond, vSmart, vManage (request certificate install)

10. Add controllers on vManage
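The CA-side work in steps 2, 5, 6 and 7 above, as an added example that is not from the deck: a small openssl script that creates the root CA, refuses to sign a CSR whose organization name differs from the one configured on vManage, and verifies the signed certificate before it is uploaded. Assumed: openssl is installed, ORG and the controller names are placeholders, and the CSR is generated locally here in place of the one scp'd from the controller.

```shell
#!/bin/sh
# Added example, not from the deck: CA side of the controller certificate workflow.
# Assumptions: openssl is installed; ORG is the organization name configured on
# vManage (placeholder); the CSR is simulated locally here, whereas in a real
# deployment it is the file copied (scp) from vBond/vSmart/vManage in step 6.
set -eu

ORG="${ORG:-example-sdwan-org}"     # placeholder, replace with your vManage org name
WORK="${WORK:-$(mktemp -d)}"        # scratch directory for keys, CSRs and certs

# Step 2: root CA key plus self-signed root certificate (the root-cert-chain
# that is later uploaded to and installed on each controller, steps 3 and 4).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.crt" \
    -subj "/C=US/O=$ORG/CN=sdwan-root-ca" 2>/dev/null
}

# Stand-in for step 5: on the real controllers the CSR comes from
# "request csr upload"; here a local key and CSR are generated instead.
# $1 = controller name, $2 = organization name written into the CSR
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/C=US/O=$2/OU=$1/CN=$1.example.invalid" 2>/dev/null
}

# The check the deck calls out: the CSR's organization name must match the
# one defined on vManage, or the controllers will not trust each other.
# $1 = CSR file; returns non-zero on mismatch
csr_org_matches() {
  org=$(openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null \
        | sed -n 's/^ *organizationName *= *//p')
  [ "$org" = "$ORG" ]
}

# Step 7: sign the CSR with the root CA, then verify the chain so a bad
# certificate is caught before it is uploaded and installed (steps 8 and 9).
# $1 = controller name; returns non-zero if the org check or verification fails
sign_csr() {
  csr_org_matches "$WORK/$1.csr" || { echo "org mismatch in $1.csr" >&2; return 1; }
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root-ca.crt" \
    -CAkey "$WORK/root-ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$1.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/root-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
```

Run make_root_ca once, then make_csr and sign_csr per controller; the signed "$WORK/<name>.crt" is what goes back to /home/admin on the controller in step 8.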

Page 73

Basic Steps (2/2)

• After controller setup, log in to PnP Connect and:

• Add Controller Profile (provide vBond and Org Name)

• Add hardware devices

• Add software devices (vEdgeCloud, ISRv, CSR1000v)

• Download Provisioning File (Serial File)

• Upload Serial File to vManage

Page 74

Topology

[Figure: demo topology. Controllers at 1.1.1.1, 1.1.1.2 and 1.1.1.3; management host 10.118.34.8 (admin/admin); gateway 192.168.1.1 on the Mgmt N/W; connection to the Internet.]

Page 75

Resources

Page 76

Release Notes and Image Download Links

Release Notes for both 16.10.1 and 18.4: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Release_Notes/010Release_Notes_for_IOS_XE_SD-WAN_Release_16.10_and_SD-WAN_Release_18.4

16.10.1 Software Download Links for ISR 1K/4K and ASR:

ISR 1K: https://software.cisco.com/download/home/286321996/type/286321980/release/16.10.1

ISR 4K: https://software.cisco.com/download/home/286321991/type/286321980/release/16.10.1

ASR1K: https://software.cisco.com/download/home/286321999/type/286321980/release/16.10.1

ISRv: https://software.cisco.com/download/home/286308662/type/286321980/release/16.10.1

18.4 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/18.4.0

18.4 vManage upgrade image download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/18.4.0

Page 77

SD-WAN Security – External Resources

Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936

Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering

Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301

Cisco Validated Design: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf

Page 78

SD-WAN Security – External Resources

Cisco SD-WAN - http://www.cisco.com/go/sdwan

Network World - https://tinyurl.com/yabey6f2

WSJ - https://tinyurl.com/yb75loxn

Lightreading - https://tinyurl.com/yba9zb4s

FB: https://tinyurl.com/y9u375hk

YouTube Network Field Day (demo): https://tinyurl.com/y955ufde

Page 79

Call to Action

World Of Solution – SD-WAN Security Booth

Whisper Suite – SD-WAN Security Booth

Check out other SD-WAN Sessions

Try It (dCloud coming soon)

Test It

Buy It

Page 80

Your SD-WAN learning map at CLEUR

[Figure: sessions laid out across Monday to Friday. TECCRS-2014 Deep Dive; TECSEC-2355 Security; TECCRS-2191 Deployment / BCP; BRKCRS-2110 The Foundation; BRKCRS-2111 Migration; BRKCRS-2112 Serviceability; BRKRST-2560 Analytics / ML; BRKCRS-2114 Security; BRKRST-2558 SD-WAN as a Managed Service; BRKRST-2559 On-prem Deployment; BRKCRS-2113 Cloud OnRamp; BRKCRS-2117 Design Deployment]

Page 81

Complete your online session survey

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

• Please complete your Online Session Survey after each session

• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Page 82

Continue Your Education

Demos in the Cisco Showcase

Walk-in self-paced labs

Meet the engineer 1:1 meetings

Related sessions


Page 84

Thank you