Cisco SD-WAN
Security
Kureli Sankar
CCIE Security #35505
Manager, Technical Marketing
BRKSEC-2720
#CLMEL
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2720
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Demo
About Me
Introduction
Current WAN Challenges: Is Your WAN Business Ready?
• Insufficient Bandwidth
• High Cost
• Applications Downtime
• Limited Scale
• Fragmented Security
• No Cloud Apps Readiness
What is SD-WAN?
Cisco SD-WAN Holistic Approach
[Slide diagram: Users, Devices and Things connect through the SD-WAN Fabric, with Cloud OnRamp, to Applications in the Cloud, IoT, Edge Computing, DC, IaaS, SaaS and vDC.]
• Multitenant / Cloud-Delivered
• Rich Analytics
• Highly Automated
Secure, Scalable, App Aware
Cisco SD-WAN Solution Differentiation
• Cloud or On-prem Delivered
• SDN Architecture
• Comprehensive Security
Secure Infrastructure
Orchestration Plane
[Slide diagram: vManage, vAnalytics, vBond and vSmart controllers, with 3rd-party automation via APIs; WAN Edge routers in the Cloud, Data Centre, Campus, Branch and SOHO over MPLS, 4G and INET transports.]
Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
Control Plane
Cisco vSmart
[Slide diagram: vManage, vSmart and APIs.]
Data Plane
Physical/Virtual WAN Edge
• WAN edge router
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP and HSRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor
Management Plane
High level view of ordering and onboarding
[Slide diagram relating Cisco Commerce Workspace, Smart Account, PnP Cloud Service (automation), vManage, vBond and the WAN Edge for the Customer, Service Provider and End Customer; a vBond Controller Profile is added and associated with the Org-Name.]
Device Identity
Malware in IOS is a Real Threat
[Slide diagram: a tamper-resistant chip providing Tamper-Proof Storage, Crypto Functions, Secure Boot Measurements and SUDI.]
• Anti-Tamper Chip Design
• Built-In Crypto Functions
• Secure Storage
Secure Unique Device Identification (SecureUDI)
• Tamperproof ID for the device
Cisco Secure Boot
Anchors Secure Boot in Hardware to Create a Chain of Trust
Router Identity During Manufacturing
Virtual Router Identity
Device certificate(s) signed by vManage (if cluster, each member signs)
• OTP/Token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded WAN Edge list
• OTP/Token is supplied to Cloud router in Cloud-Init during the VM deployment
  - Can activate from CLI post VM deployment
• vManage signs certificate(s) for the Cloud router post OTP/Token validation
  - If vManage cluster, each member signs
  - vManage removes OTP to prevent reuse
Root chain (in software)
• DigiCert root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
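The OTP-based cloud-router onboarding above, as an added Python simulation that is not part of the deck and not vManage's code: VManageCluster, VManageMember and the HMAC "certificate" are illustrative stand-ins. It shows one OTP per (chassis ID, serial number), storage of only the OTP hash, constant-time validation, signing by every cluster member, and deletion of the OTP so a second activation with the same token is refused.

```python
import hashlib
import hmac
import os
import secrets

class VManageMember:
    """One vManage node; in a cluster every member signs. The HMAC tag is a stand-in
    for a real certificate and the random key for the node's signing key (assumption)."""
    def __init__(self, name):
        self.name, self._key = name, os.urandom(32)
    def sign(self, chassis_id, serial):
        return hmac.new(self._key, f"{chassis_id}:{serial}".encode(), hashlib.sha256).hexdigest()
    def verify(self, chassis_id, serial, cert):
        return hmac.compare_digest(cert, self.sign(chassis_id, serial))

class VManageCluster:
    def __init__(self, members):
        self.members = members
        self._otp_hash = {}   # (chassis_id, serial) -> sha256(OTP); the OTP itself is not kept

    def upload_wan_edge_list(self, entries):
        """One OTP per (chassis ID, serial number) in the WAN Edge list. The plaintext OTP
        is returned once, for Cloud-Init, and only its hash is stored on the cluster."""
        tokens = {}
        for chassis_id, serial in entries:
            otp = secrets.token_urlsafe(24)
            self._otp_hash[(chassis_id, serial)] = hashlib.sha256(otp.encode()).digest()
            tokens[(chassis_id, serial)] = otp
        return tokens

    def activate(self, chassis_id, serial, otp):
        """Validate the OTP, have each member sign, then remove the OTP so it cannot be reused.
        Returns {member name: certificate}, or None when validation fails."""
        expected = self._otp_hash.get((chassis_id, serial))
        if expected is None or not hmac.compare_digest(expected, hashlib.sha256(otp.encode()).digest()):
            return None
        del self._otp_hash[(chassis_id, serial)]   # single use: a replay gets None
        return {m.name: m.sign(chassis_id, serial) for m in self.members}

def demo():
    """Constructed scenario: one cloud router, a two-member cluster, one replay attempt."""
    cluster = VManageCluster([VManageMember("vmanage-1"), VManageMember("vmanage-2")])
    tokens = cluster.upload_wan_edge_list([("CSR-CHASSIS-1", "SN0001")])
    otp = tokens[("CSR-CHASSIS-1", "SN0001")]
    first = cluster.activate("CSR-CHASSIS-1", "SN0001", otp)
    replay = cluster.activate("CSR-CHASSIS-1", "SN0001", otp)
    return first, replay
```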
Secure Control Plane
Network-wide Control Plane
Cisco SD-WAN: Data Plane + Local Control Plane; O(n) Control Complexity; High Scale
Traditional Network: Integrated Control and Data Plane; O(n^2) Control Complexity; Limited Scale
Overlay Management Protocol (OMP)
[Slide diagram: vSmart controllers exchanging OMP with the WAN Edges.]
Transport Locators (TLOCs)
• Each WAN Edge advertises its local TLOCs (System IP, Colour, Encap) to the vSmarts (default)
• vSmarts advertise TLOCs to all WAN Edges* (default: full-mesh SD-WAN Fabric)
Secure Data Plane
SD-WAN Fabric Operation Walk-Through
[Slide diagram: two WAN Edges connected over Transport1 and Transport2, each with VPN1/VPN2 subnets (A, B, C, D) learned from BGP, OSPF, Connected and Static routes; DTLS/TLS tunnels to the vSmart carry OMP updates and policies; IPsec tunnels with BFD run between the WAN Edges.]
OMP Update:
• Reachability – IP Subnets, TLOCs
• Security – Encryption Keys
• Policy – Data/App-route Policies
Data Plane Privacy
[Slide diagram: two WAN Edges exchange OMP updates with the vSmart controllers; Encr-Key1 to Encr-Key4 are generated locally, one per transport (Transport 1, Transport 2) on each edge.]
• Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes
• Encryption keys are per-transport
• Symmetric encryption keys used asymmetrically
• Can be rapidly rotated
[Slide 35, VPN segmentation: VPN 1/2/3 interfaces and VLANs on the ingress WAN Edge are carried through the SD-WAN IPsec tunnel to the matching VPNs on the egress WAN Edge.]
• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
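The key model on the Data Plane Privacy slide, as an added Python simulation (not from the deck and not Cisco's implementation): WanEdge, VSmart and Tloc are illustrative names, and _seal/_open are a toy keystream-plus-HMAC stand-in for IPsec. It shows each edge generating a key per transport, advertising it as a TLOC attribute through vSmart, a sender sealing with the receiver's advertised key (the "asymmetric" use of a symmetric key), and a rotation after which packets sealed under the old key fail verification.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Tloc:  # TLOC as advertised in OMP: (system IP, colour, encap) plus the edge's key
    system_ip: str
    colour: str      # transport, e.g. "mpls" or "biz-internet"
    encap: str
    encr_key: bytes  # symmetric key the advertising edge will decrypt with
class VSmart:  # controller: learns TLOCs from each edge over OMP and reflects them to all
    def __init__(self):
        self.tlocs = {}
    def omp_update(self, tloc):
        self.tlocs[(tloc.system_ip, tloc.colour)] = tloc
    def lookup(self, system_ip, colour):
        return self.tlocs[(system_ip, colour)]
def _keystream(key, nonce, n):  # toy SHA-256 counter-mode keystream (assumption, not IPsec)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]
def _seal(key, plaintext):
    """Stand-in for IPsec ESP: XOR keystream plus HMAC tag (toy, not the real cipher)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def _open(key, packet):
    nonce, ct, tag = packet[:12], packet[12:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong or rotated key: integrity check fails, packet is dropped
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class WanEdge:
    def __init__(self, system_ip, colours, vsmart):
        self.system_ip, self.vsmart, self.local_keys = system_ip, vsmart, {}
        for colour in colours:
            self.rotate_key(colour)
    def rotate_key(self, colour):
        """Generate a fresh per-transport key locally and advertise it as a TLOC attribute."""
        self.local_keys[colour] = os.urandom(32)
        self.vsmart.omp_update(Tloc(self.system_ip, colour, "ipsec", self.local_keys[colour]))
    def send(self, peer_ip, colour, plaintext):
        """Asymmetric use of a symmetric key: seal with the PEER's advertised key."""
        return _seal(self.vsmart.lookup(peer_ip, colour).encr_key, plaintext)
    def receive(self, colour, packet):
        return _open(self.local_keys[colour], packet)  # our own key for that transport

def demo():  # two edges, two transports: (decrypted, stale after rotation, decrypted after)
    vs = VSmart()
    a = WanEdge("10.0.0.1", ["mpls", "biz-internet"], vs)
    b = WanEdge("10.0.0.2", ["mpls", "biz-internet"], vs)
    pkt = a.send("10.0.0.2", "mpls", b"VPN1 traffic")
    before = b.receive("mpls", pkt)
    b.rotate_key("mpls")             # rapid rotation, re-advertised via OMP
    stale = b.receive("mpls", pkt)   # sealed under the old key -> None
    after = b.receive("mpls", a.send("10.0.0.2", "mpls", b"VPN1 traffic"))
    return before, stale, after
```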
Critical Applications SLA
WAN Edge Routers continuously perform path liveliness and quality measurements
vManage App Aware Routing Policy: App A path must have
• Latency < 150ms
• Loss < 2%
• Jitter < 10ms
[Slide diagram: Remote Site to Regional Data Centre over IPsec tunnels on the Internet, MPLS and 4G LTE transports, with the vSmarts in the control plane.]
Path1: 10ms, 0% loss, 5ms jitter
Path2: 200ms, 3% loss, 10ms jitter
Path3: 140ms, 1% loss, 10ms jitter
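An added Python example (not from the deck) of the SLA check described above: measure() summarises BFD-style probe results into latency, loss and jitter, and select_paths() applies the App A thresholds to the three paths quoted on the slide. Assumptions: the thresholds are treated as inclusive maxima, the transport colour names are mine, and the lowest-latency fallback when no path complies is my addition rather than something the slide states.

```python
from statistics import mean

# SLA class from the slide (App A): latency 150 ms, loss 2 %, jitter 10 ms.
# Assumption: thresholds act as inclusive maxima.
APP_A_SLA = {"latency_ms": 150, "loss_pct": 2.0, "jitter_ms": 10}

# Per-path measurements quoted on the slide, keyed by a constructed transport colour.
SLIDE_PATHS = {
    "mpls":         {"latency_ms": 10,  "loss_pct": 0.0, "jitter_ms": 5},   # Path 1
    "biz-internet": {"latency_ms": 200, "loss_pct": 3.0, "jitter_ms": 10},  # Path 2
    "lte":          {"latency_ms": 140, "loss_pct": 1.0, "jitter_ms": 10},  # Path 3
}

def measure(samples):
    """Summarise one poll interval of BFD-style probes: each sample is a round-trip
    time in ms, or None for a probe that got no reply (counted as loss)."""
    rtts = [s for s in samples if s is not None]
    if not rtts:  # path down: fail every threshold
        return {"latency_ms": float("inf"), "loss_pct": 100.0, "jitter_ms": float("inf")}
    loss = 100.0 * (len(samples) - len(rtts)) / len(samples)
    jitter = mean(abs(a - b) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return {"latency_ms": mean(rtts), "loss_pct": loss, "jitter_ms": jitter}

def meets_sla(metrics, sla):
    return all(metrics[k] <= sla[k] for k in sla)

def select_paths(paths, sla, preferred=None):
    """Colours eligible for the app: compliant paths first (preferred colour ahead, then
    lowest latency). If nothing complies, fall back to the lowest-latency path rather than
    black-holing the traffic (my assumption, not stated on the slide)."""
    compliant = [c for c, m in paths.items() if meets_sla(m, sla)]
    if compliant:
        return sorted(compliant, key=lambda c: (c != preferred, paths[c]["latency_ms"]))
    return [min(paths, key=lambda c: paths[c]["latency_ms"])]

def demo():
    """Slide scenario: App A over the three measured paths."""
    return select_paths(SLIDE_PATHS, APP_A_SLA)
```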
Direct Internet Access
SD-WAN Security – Use Case 1: PCI Compliance
[Slide diagram: VPN1 traffic from the branch across the SD-WAN to Data Centre applications, with an Internet path subject to PCI compliance.]
SD-WAN Security - Use Case 2: Guest Access
[Slide diagram: Employee (VPN1) and Guest (VPN2) segments; HQ-destined traffic, employee Internet traffic and guest Internet traffic are handled by the Ent. FW App Aware and URL Filtering at the edge.]
SD-WAN Security – Use Case 3: Direct Cloud Access
[Slide diagram: employee SaaS traffic goes directly to the cloud, alongside HQ-destined traffic, employee Internet traffic and guest Internet traffic.]
SD-WAN Security - Use Case 4: Direct Internet Access
[Slide diagram: branch traffic breaks out directly to the Internet from the SD-WAN edge.]
SD-WAN Security
• Manage in Cloud or On-Prem
• Full Edge Security*
• Edge Router
• Branch Edge Flexibility
* 1HCY19
SD-WAN Security Licensing
• DNA Advantage
Ent Firewall App Aware
[Slide diagram: Service-VPN 1 and Service-VPN 2 behind the WAN Edge, with Internet and SaaS traffic.]
• Zone Policies
• PCI compliance
Ent. Firewall App Aware: Intra-Zone Security
[Slide diagram: hosts in Zone1/VPN1 on both WAN Edges, connected across the SD-WAN Fabric.]
Action: D I P (D - Drop, I – Inspect, P – Pass)
Ent. Firewall App Aware: Inter-Zone Security
[Slide diagram: Zone1/VPN1 and Zone2/VPN2 on the local WAN Edge, Zone1/VPN1 on the remote WAN Edge, with VPN1-VPN2 route leaking via vSmart.]
Action: D I P (D - Drop, I – Inspect, P – Pass)
vManage - Ent FW App Aware
Ent Firewall with Zone Policy - CLI rendered (For Your Reference)
Ent. FW App Aware – CLI rendered (For Your Reference)
• PCI compliance
vManage - Intrusion Prevention
Intrusion Prevention – CLI rendered (For Your Reference)
URL-Filtering
[Slide diagram: requests for "risky" domains are checked by URL Filtering on the WAN Edge against web categories and white/black lists of custom URLs.]
• 82+ Web Categories with dynamic updates from Webroot/BrightCloud
• Block based on Web Reputation score
• White/Black lists of custom URLs
vManage - URL Filtering
URL Filtering – CLI rendered (For Your Reference)
Step 1 Configure virtual service
  app-hosting install appid utd package bootflash:utd.tar
Step 2 Configure Port Groups
  interface VirtualPortGroup0
   description Management interface
   vrf forwarding 65529
   ip address 192.168.1.1 255.255.255.252
  interface VirtualPortGroup1
   description Data interface
   ip address 192.0.2.1 255.255.255.252
Step 3 Activate virtual service and configure
  iox
  app-hosting appid utd
   app-vnic gateway0 virtualportgroup 0 guest-interface 0
    guest-ipaddress 192.168.1.2 netmask 255.255.255.252
   app-vnic gateway1 virtualportgroup 1 guest-interface 1
    guest-ipaddress 192.0.2.2 netmask 255.255.255.252
   app-resource package-profile urlf-low
   start
Step 4 Configure (optional) white and black list
  parameter-map type regex wlist1
   pattern www.google.com
   pattern www.cisco.com
  parameter-map type regex blist1
   pattern www.exmaplehoo.com
   pattern www.bing.com
Step 5 Configure block page
  web-filter block page profile block-URL-FILTER-POLICY
   text "WHAT ARE YOU DOING??!!!"
DNS/web-layer security: Cisco Umbrella
• Supports DNScrypt
• Local Domain-bypass
• TLS decryption
• Intelligent Proxy
DNS/web-layer Security - Solution Overview
[Slide diagram: a user (Martha) behind the WAN Edge sends a DNS Request (1) to Cisco Umbrella; safe requests proceed to the Web Servers, blocked requests do not.]
vManage – DNS/web-layer Security
Advanced Malware (1HCY19)
• ThreatGrid
SD-WAN Security Support on vEdges – 18.3.1
Platforms/Features: Ent FW | DPI | DNS/web-layer | Monitoring*
Viptela (100, 1000, 2000 and 5000): Y | Qosmos | Y | (value not extracted)
SD-WAN Security IOS-XE Routers – 16.10.1
Security App Hosting Profile and Resources
[Slide diagram: per-platform split of cores between the data plane (CPP code, PPE/BQS, I/O, Crypto), the IOS control plane and the Linux service containers (SVC2, SVC3) for the 4431/4451, 4331/4351 and 4321/4221/1K; a table lists 4351, 4431 and 4451 each with core counts 4 2 2 2, but its column headers did not survive extraction.]
[Slide diagram: packet-processing order. LAN ingress: interface lookup, SD-WAN ACL, NBAR, FNF, app-route policy, data policy, IP destination lookup and OCE walk, DNS redirect, process first, go to output. Tunnel/WAN egress: tunnel FW, UTD, MPLS label add, IPsec encrypt and pre-encap route, Layer 2 encap, FW and UTD in transport mode, NAT, DNS, ACL, FNF last, TX. UTD order: IPS -> URL-F -> AMP/TG. Colour coding: LAN Interface, Tunnel Interface, WAN Interface.]
[Slide diagram: reverse direction. MPLS label lookup, label transition to IP VRF, IP destination lookup, NBAR, FNF, app-route and data policy, OCE walk, process first, go to output; then FW, UTD, L2 encap, ACL, FNF last, TX.]
[Slide table: throughput (Mbps) per platform for the HTTP traffic profiles IPSEC, IPSEC + Ent FW, IPSEC + Ent FW + IPS + URLF, and NAT DIA + Ent FW + IPS + URLF; XE SD-WAN 16.10.1 with vManage 18.4; object sizes 16k, 64k, 1024k (http payload). The numeric values did not survive extraction.]
Demo
SD-WAN Security - Demo in a Box
[Slide diagram: UCS M2 C-Series 210 running ESXi 6.7, a Management Network, and Internet access via Google Fiber.]
Basic Steps (1/2)
• After connectivity, the next step is the certificate work; otherwise the control elements will not establish DTLS connections between themselves and the overlay will not be functional.
Basic Steps (2/2)
• After controller setup, log in to PnP Connect and:
  - Add Controller Profile (provide vBond and Org Name)
  - Add hardware devices
  - Add software devices (vEdgeCloud, ISRv, CSR)
  - Download Provisioning File (Serial File)
  - Upload Serial File to vManage
Topology
[Slide diagram: Raleigh - HQ with Ubuntu, Win 2016 and FC hosts on 192.168.10.0/24 (Vlan 10, hosts .10 .20 .30 .40, gateway .1) in VPN 1, plus 192.168.11.0/24 (Vlan 11) and 192.168.12.0/24 (Vlan 12); Cary – Branch 1 and Durham – Branch 2, each with Ubuntu and Win 2016 hosts, on the branch subnets 192.168.22.0/24 and 192.168.31.0/24; INET (Tunnel 2) and MPLS (Tunnel 3) transports, Internet side 1.1.1.1/1.1.1.2, management on 192.168.40.0/24 (Vlan 40) and 10.118.x.0/28.]
For Your Reference
WSJ - https://tinyurl.com/yb75loxn
Lightreading - https://tinyurl.com/yba9zb4s
FB: https://tinyurl.com/y9u375hk
Call to Action
World Of Solution – SD-WAN Security Booth
Test It
Buy It
Q&A
Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/
Thank you