
#CLMEL

Cisco SD-WAN Security
Kureli Sankar
CCIE Security #35505
Manager, Technical Marketing

BRKSEC-2720

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2720

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Direct Internet Access
• Ent Firewall App Aware
• Intrusion Prevention
• URL-Filtering
• DNS/web-layer Security
• Demo
About Me

• BS in Electrical and Electronics Engineering
• 2006 – 2013 TAC Engineer
• CCIE Security #35505
• 2013 – 2018 TME
• 2019 – Present TME, Manager
• Areas of expertise
  • IOS and IOS-XE security features
  • SD-WAN Security solutions
• 2018 - Distinguished Speaker Cisco Live (EUR and ANZ)
Introduction
Current WAN Challenges

Is Your WAN Business Ready?
• Insufficient Bandwidth
• Complex Operations
• Limited Application Awareness
• High Cost
• Applications Downtime
• Limited Scale
• Fragmented Security
• No Cloud Apps Readiness
What is SD-WAN?

Software Defined WAN is a new, user-friendly approach to centrally provision, manage, monitor, report on and troubleshoot WAN edges.

• Lowers Operational Cost
• Increases Application Performance across the WAN
• Improves Quality of Experience
• Offers Security and Data Privacy
Cisco SD-WAN Holistic Approach

[Figure: Cisco SD-WAN fabric overview. Properties: Multitenant/Cloud-Delivered, Rich Analytics, Highly Automated. Users, Devices and Things connect through the SD-WAN Fabric to Cloud OnRamp, DC, IaaS, SaaS, Edge Computing and IoT applications. Fabric attributes: SECURE, SCALABLE, APP AWARE, vDC.]
Cisco SD-WAN Solution Differentiation

• Cloud or On-prem Delivered SDN Architecture
• Flexible Deployment
• Application Quality of Experience
• Operations Credibility (Cloud or On-Prem)
• Comprehensive Security
Secure Infrastructure
Orchestration Plane

[Figure: SD-WAN architecture. vManage (with APIs to 3rd Party Automation and vAnalytics) at the top; vBond and vSmart controllers; WAN Edge routers over MPLS, 4G and INET transports; Cloud, Data Centre, Campus, Branch and SOHO sites.]

Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
Control Plane

Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
Data Plane

WAN Edge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP, VRRP and HSRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor
Management Plane

Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant with web scale
• Centralised provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
High level view of ordering and onboarding

[Figure: ordering and onboarding flow. Cisco Commerce Workspace: Smart Account details specified on the order are used for overlay creation, and the device list is passed to the PnP Cloud Service. Smart Account / PnP: add a vBond Controller Profile and associate it with the Org-Name. vManage: Sync Smart Account and Push Device List to vBond and the WAN Edge. Parties: Customer, Service Provider, End Customer.]
Device Identity
Malware in IOS is a Real Threat

Malware: 6 Observed Variants (reconstructed from the figure; timeline axis 2011 to 2016, one variant per year)

Incident 0 | Static infection | Crypto (DH keys)
Incident 1 | Static infection | Crypto (DH keys)
Incident 2 | Runtime infection | C&C; data exfil.
Incident 3 | Runtime infection | C&C; data exfil.; multi-arch; Line cards; modular
Incident 4 | Runtime infection | C&C; data exfil.; ROMMON
Synful Knock | Static infection | C&C; modular
Cisco Trust Anchor Module (TAm)

[Figure: TAm stack. Integrity Applications; TAM Services Libraries; Crypto Functions; Tamper-Proof Storage; Boot; SUDI; Measurements.]

• HW Authenticity Check
• Secure PnP
• Integrity Verification
• Anti-Tamper Chip Design
• Built-In Crypto Functions
• Secure Storage
Secure Unique Device Identification (SecureUDI)

• Tamperproof ID for the device
• Binds the hardware identity to a key pair in a cryptographically secure X.509 certificate (PID) during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR Compliant
Secure (UDI) = SUDI

C4331#show license udi
SlotID PID           SN           UDI
-----------------------------------------------------------------
*      ISR4331/K9    FDO21XXXXXX  ISR4331/K9:FDO21XXXXXX
Cisco Secure Boot
Anchors Secure Boot in Hardware to Create a Chain of Trust

Boot Code Integrity Anchored in Hardware
Step 1 (Hardware Anchor): Microloader
Step 2 (CPU): Microloader checks bootloader
Step 3 (CPU): Bootloader checks OS
Step 4 (CPU): OS launched

• Only authentic signed Cisco software boots up on a Cisco platform
• The boot process stops if any step fails to authenticate
Router Identity

During Manufacturing
• Each physical router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in on-board Tamper Proof Module (TPM) chip
  - Installed during manufacturing process
• Certificate is signed by Avnet root CA
  - Trusted by Control Plane elements

In Software (Root Chain)
• DigiCert root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP
Virtual Router Identity

Device Certificate(s) – Signed by vManage (If cluster, each member signs)
• OTP/Token is generated by vManage
  - One per-(chassis ID, serial number) in the uploaded WAN Edge list
• OTP/Token is supplied to Cloud router in Cloud-Init during the VM deployment
  - Can activate from CLI post VM deployment
• vManage signs certificate(s) for the Cloud router post OTP/Token validation
  - If vManage cluster, each member signs
  - vManage removes OTP to prevent reuse

Root Chain – In Software
• DigiCert root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
Secure Control Plane
Network-wide Control Plane

Cisco SD-WAN | Traditional Network
Data Plane + Local Control Plane | Integrated Control and Data Plane
O(n) Control Complexity | O(n^2) Control Complexity
High Scale | Limited Scale
Overlay Management Protocol (OMP)

• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations, service routes, BFD up/down stats and Cloud onRamp for SaaS probe stats
• Distributes IPSec encryption keys, and data and app-aware policies

Note: WAN Edge routers need not connect to all vSmart Controllers
Transport Locators (TLOCs)

[Figure: full mesh SD-WAN fabric. Each WAN Edge advertises its local TLOCs (System IP, Colour, Encap) to the vSmarts (default); vSmarts advertise TLOCs to all WAN Edges* (default). IPSec tunnels run between WAN Edges, OMP between WAN Edges and vSmart.]

* Can be influenced by the control policies
Secure Data Plane
SD-WAN Fabric Operation Walk-Through

[Figure: two WAN Edges connected over Transport1 and Transport2, each with VPN1 and VPN2 service sides carrying subnets (A, B and C, D) learned via BGP, OSPF, Connected and Static. Each WAN Edge sends an OMP Update to vSmart over a DTLS/TLS tunnel; vSmart returns OMP Updates and Policies; an IPSec tunnel with BFD runs between the WAN Edges.]

OMP Update:
• Reachability – IP Subnets, TLOCs
• Security – Encryption Keys
• Policy – Data/App-route Policies
Data Plane Privacy

• Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes
• Symmetric encryption keys used asymmetrically
• Encryption keys are per-transport
• Can be rapidly rotated

[Figure: each WAN Edge holds local (generated) keys per transport (Encr-Key1 and Encr-Key2 on one edge, Encr-Key3 and Encr-Key4 on the other) and remote (received) keys learned through OMP Updates via the vSmart controllers over the encrypted control plane.]

Packet format: IP | UDP | ESP | Original Packet
AES256-GCM/CBC
Encrypted Control Plane
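The key model above, as an added example that is not Cisco's implementation: each edge generates one AES-256 key per transport, advertises it the way a TLOC attribute would travel (here a plain map; in the fabric it rides inside the DTLS/TLS control plane), and a sender encrypts toward a peer with the peer's advertised key while the receiver decrypts with its own local key. AES-GCM with the transport colour as associated data and the nonce || ciphertext layout are assumptions of this example standing in for ESP.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Transport is a TLOC colour such as "mpls" or "inet" (names constructed here).
type Transport string

// Edge models one WAN Edge: a locally generated AES-256 key per transport,
// advertised as a TLOC attribute in OMP updates, plus the keys received from
// peers. Each direction of a tunnel is protected by the receiver's key.
type Edge struct {
	Name   string
	local  map[Transport][]byte            // local (generated) keys
	remote map[string]map[Transport][]byte // remote (received) keys, per peer
}

func NewEdge(name string, transports ...Transport) (*Edge, error) {
	e := &Edge{Name: name, local: map[Transport][]byte{}, remote: map[string]map[Transport][]byte{}}
	for _, t := range transports {
		if err := e.Rekey(t); err != nil {
			return nil, err
		}
	}
	return e, nil
}

// Rekey generates a fresh 256-bit key for one transport (rapid rotation). Peers
// keep encrypting with the old key until they receive the new OMP advertisement.
func (e *Edge) Rekey(t Transport) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	e.local[t] = k
	return nil
}

// Advertise is the key material this edge places in its TLOC attributes; in the
// real fabric it travels to vSmart inside DTLS/TLS and is reflected to peers.
func (e *Edge) Advertise() map[Transport][]byte {
	out := map[Transport][]byte{}
	for t, k := range e.local {
		out[t] = append([]byte(nil), k...)
	}
	return out
}

// Learn stores a peer's advertised keys.
func (e *Edge) Learn(peer string, keys map[Transport][]byte) { e.remote[peer] = keys }

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts toward peer on transport t with the PEER's advertised key: the
// symmetric key is used asymmetrically. Output is nonce || ciphertext || tag,
// a stand-in for the ESP payload; the transport colour is bound in as AAD.
func (e *Edge) Send(peer string, t Transport, plaintext []byte) ([]byte, error) {
	key, ok := e.remote[peer][t]
	if !ok {
		return nil, fmt.Errorf("%s has no key for %s on %s", e.Name, peer, t)
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(t)), nil
}

// Receive decrypts with the LOCAL key of the transport the packet arrived on;
// a packet encrypted under a stale or foreign key fails authentication.
func (e *Edge) Receive(t Transport, packet []byte) ([]byte, error) {
	key, ok := e.local[t]
	if !ok {
		return nil, fmt.Errorf("%s has no local key for %s", e.Name, t)
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < g.NonceSize() {
		return nil, errors.New("short packet")
	}
	return g.Open(nil, packet[:g.NonceSize()], packet[g.NonceSize():], []byte(t))
}
```

After a Rekey on the receiving edge, packets still built with the old advertised key fail to authenticate until the sender learns the new advertisement, which is the rotation window an operator should expect to see as BFD or tunnel flaps if OMP reachability is broken.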
End-to-End Segmentation

[Figure: the ingress WAN Edge maps interfaces/VLANs into VPN 1, VPN 2 and VPN 3; traffic crosses the SD-WAN IPSec tunnel and the egress WAN Edge maps the VPNs back to interfaces/VLANs. Packet layout with byte sizes: IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data.]

• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
Critical Applications SLA

WAN Edge Routers continuously perform path liveliness and quality measurements.

vManage App Aware Routing Policy – App A path must have:
• Latency < 150ms
• Loss < 2%
• Jitter < 10ms

[Figure: Remote Site to Regional Data Centre over three IPSec tunnels (Path 1, Path 2, Path 3) across Internet, MPLS and 4G LTE transports; the vSmarts distribute the policy.]
Path1: 10ms, 0% loss, 5ms jitter
Path2: 200ms, 3% loss, 10ms jitter
Path3: 140ms, 1% loss, 10ms jitter
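The SLA evaluation on this slide, carried through as an added example (not vManage's code): the three measured paths are checked against the App A thresholds and the violated metrics are reported for each excluded path. The slide states the thresholds with a strict "<", so that is what the example applies; Path3's 10ms jitter is exactly the boundary case to verify against the platform's actual inclusive-or-exclusive behaviour before relying on it.

```go
package main

import "fmt"

// SLAClass is the app-aware routing SLA on the slide: a path qualifies only if
// every measurement is strictly below its threshold ("Latency < 150ms,
// Loss < 2%, Jitter < 10ms"). Strict comparison is this example's reading of
// the slide's wording.
type SLAClass struct {
	Name         string
	MaxLatencyMs float64
	MaxLossPct   float64
	MaxJitterMs  float64
}

// PathStats is one tunnel's liveliness/quality measurement from the WAN Edge.
type PathStats struct {
	Name      string
	LatencyMs float64
	LossPct   float64
	JitterMs  float64
}

// Check returns whether the path meets the SLA and which metrics violate it,
// so an operator can see why a tunnel was excluded.
func (s SLAClass) Check(p PathStats) (bool, []string) {
	var violations []string
	if !(p.LatencyMs < s.MaxLatencyMs) {
		violations = append(violations, fmt.Sprintf("latency %.0fms not < %.0fms", p.LatencyMs, s.MaxLatencyMs))
	}
	if !(p.LossPct < s.MaxLossPct) {
		violations = append(violations, fmt.Sprintf("loss %.1f%% not < %.1f%%", p.LossPct, s.MaxLossPct))
	}
	if !(p.JitterMs < s.MaxJitterMs) {
		violations = append(violations, fmt.Sprintf("jitter %.0fms not < %.0fms", p.JitterMs, s.MaxJitterMs))
	}
	return len(violations) == 0, violations
}

// EligiblePaths returns, in measurement order, the paths the application's
// traffic may use under the SLA, plus the reasons for every exclusion.
func EligiblePaths(sla SLAClass, paths []PathStats) ([]string, map[string][]string) {
	var eligible []string
	excluded := map[string][]string{}
	for _, p := range paths {
		ok, why := sla.Check(p)
		if ok {
			eligible = append(eligible, p.Name)
		} else {
			excluded[p.Name] = why
		}
	}
	return eligible, excluded
}

// SlidePaths are the three measurements shown on the slide.
var SlidePaths = []PathStats{
	{"Path1", 10, 0, 5},
	{"Path2", 200, 3, 10},
	{"Path3", 140, 1, 10},
}

// AppASLA is the policy shown for "App A".
var AppASLA = SLAClass{Name: "App A", MaxLatencyMs: 150, MaxLossPct: 2, MaxJitterMs: 10}

func main() {
	eligible, excluded := EligiblePaths(AppASLA, SlidePaths)
	fmt.Println("eligible:", eligible)
	for name, why := range excluded {
		fmt.Println("excluded", name+":", why)
	}
}
```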

Direct Internet Access
SD-WAN Security – Use Case 1: PCI Compliance

[Figure: branch with Employee 1 and Employee 2 in VPN1. HQ Destined Traffic crosses the SD-WAN to the Data Centre Applications; Employee Internet Traffic exits locally to the Internet through Ent. FW App Aware and IPS. Goal: PCI Compliance.]

SD-WAN Security - Use Case 2: Guest Access

[Figure: branch with Employee (VPN1) and Guest (VPN2). HQ Destined Traffic crosses the SD-WAN to the Data Centre Applications; Employee Internet Traffic and Guest Internet Traffic exit locally through Ent. FW App Aware and URL Filtering.]

SD-WAN Security – Use Case 3: Direct Cloud Access

[Figure: branch with Employee (VPN1) and Guest (VPN2). HQ Destined Traffic crosses the SD-WAN to the Data Centre Applications; Employee SAAS Traffic goes directly to SaaS applications (Direct Cloud Access); Employee Internet Traffic and Guest Internet Traffic exit locally through Ent. FW App Aware, IPS and DNS/web-layer security.]

SD-WAN Security - Use Case 4: Direct Internet Access

[Figure: branch with Employee (VPN1) and Guest (VPN2). HQ Destined Traffic crosses the SD-WAN to the Data Centre Applications; Employee Internet Traffic and Employee SAAS Traffic exit locally (Direct Internet Access) through Ent. FW App Aware, IPS and DNS/web-layer security.]
SD-WAN Security

Manage in Cloud or On-Prem | Full Edge Security | Edge Router Flexibility | Branch Edge

Single Pane of Glass
• Provision
• Manage
• Monitor
• Report
• Troubleshoot

Embedded
• Ent. Firewall App Aware
• IPS
• URL-Filtering
• AMP and Threat Grid *
Cloud
• DNS/web-layer Security

Platforms
• ISR 1K
• ISR 4K
• ENCS (ISRv)
• CSR
• ASR 1K (Ent FW App Aware and DNS/web-layer security)
• vEdges (FW and DNS/web-layer security)

* 1HCY19
SD-WAN Security Licensing

DNA Essentials
• Ent FW – App-Aware
• Intrusion Prevention
• URL filtering
• DNS-Layer security monitoring *

DNA Advantage
• Advanced SD-WAN Topology
• Cloud App Discovery
• Ent FW – App-Aware
• Intrusion Prevention
• URL filtering
• DNS-Layer security monitoring *

* Need Umbrella Subscription for enforcement
Ent Firewall App Aware

• Zone Policies
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Block traffic by group, category or specific application
• Segmentation
• PCI compliance

[Figure: Edge Device with an Outside Zone (Internet, SaaS), an Inside Zone (Users, Service-VPN 1) and a Guest Zone (Devices, Service-VPN 2). With the inspect policy, only return traffic of sessions initiated from the inside is allowed back in from the Outside Zone.]
Ent. Firewall App Aware: Intra-Zone Security

[Figure: Host at SD-WAN Site A (Zone1, VPN1) to Host at SD-WAN Site B (Zone1, VPN1) across the SD-WAN Fabric.]

Action: D I P
D – Drop
I – Inspect
P – Pass

Ent. Firewall App Aware: Inter-Zone Security

[Figure: Hosts at SD-WAN Site A in Zone1/VPN1 and Zone2/VPN2 to a Host at SD-WAN Site B in Zone1/VPN1 across the SD-WAN Fabric; vSmart performs VPN1-VPN2 route leaking.]

Action: D I P
D – Drop
I – Inspect
P – Pass
vManage - Ent FW App Aware
[vManage screenshot]
Ent Firewall with Zone Policy - CLI rendered (For Your Reference)

[Figure: Data Centre (Security Zone OUTSIDE, VPN 0, ISP) and Remote Site (Security Zone INSIDE, VPN 1) connected over the SD-WAN Fabric; zone security OUTSIDE maps to VPN 0 and zone security INSIDE maps to VPN 1.]

zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Also shown on the slide: match access-group name (a class can match an ACL by name in addition to protocols)
Ent. FW App Aware – CLI rendered (For Your Reference)

zone security INSIDE
zone security OUTSIDE

class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol http
 match protocol https
 match protocol dns
 match protocol tcp
 match protocol udp
 match protocol icmp

class-map match-any AVC-CLASS
 match protocol yahoo
 match protocol amazon
 match protocol attribute category consumer-streaming
 match protocol attribute category gaming
 match protocol attribute category social-networking

policy-map type inspect avc AVC-POLICY
 class AVC-CLASS
  deny
 class class-default
  allow

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
  service-policy avc AVC-POLICY
 class class-default
  drop

zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

(zone security OUTSIDE – VPN 0; zone security INSIDE – VPN 1; the slide also shows match access-group name as an alternative class match.)
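The behaviour of the rendered zone policy, as an added example that is not Cisco's firewall code: a small evaluator builds the INSIDE to OUTSIDE zone-pair from the slide (match-any class with inspect, class-default drop, nested AVC deny of yahoo and amazon), opens a session for inspected flows so that only return traffic is admitted from OUTSIDE, and applies the IOS-XE zone-based defaults where no zone-pair exists (same-zone traffic passes, cross-zone traffic drops). The intra-zone D/I/P of the earlier slides is obtained by adding a zone-pair whose source and destination are the same zone; host names and the "App" label are constructed inputs.

```go
package main

// Action is the per-class verdict of a zone-pair policy (the D / I / P on the slides).
type Action int

const (
	Drop    Action = iota // D: discard
	Inspect               // I: allow and open a session so return traffic is admitted
	Pass                  // P: allow statelessly, no session
)

// Flow is one packet as the firewall classifies it. Hosts are constructed labels.
type Flow struct {
	SrcZone, DstZone string
	Src, Dst         string
	Proto            string // protocol matched by the inspect class-map (ftp, http, tcp, ...)
	App              string // NBAR layer-7 application, used by the nested AVC policy
}

// Policy mirrors "policy-map type inspect": one match-any class and its action,
// the class-default action, and the applications denied by "service-policy avc".
type Policy struct {
	ClassProtocols []string
	ClassAction    Action
	DefaultAction  Action
	AVCDeny        []string
}

// Firewall holds zone-pairs keyed by (source zone, destination zone) and the
// session table that inspect populates.
type Firewall struct {
	pairs    map[[2]string]Policy
	sessions map[string]bool
}

func NewFirewall() *Firewall {
	return &Firewall{pairs: map[[2]string]Policy{}, sessions: map[string]bool{}}
}

// ZonePair mirrors "zone-pair security ... source S destination D" plus its service-policy.
func (fw *Firewall) ZonePair(src, dst string, p Policy) { fw.pairs[[2]string{src, dst}] = p }

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Evaluate returns whether the packet is forwarded and why. Without a zone-pair
// the IOS-XE zone-based firewall defaults apply: traffic that stays inside one
// zone passes, traffic between two zones is dropped.
func (fw *Firewall) Evaluate(f Flow) (bool, string) {
	if fw.sessions[f.Dst+">"+f.Src+"/"+f.Proto] {
		return true, "return traffic of an inspected session"
	}
	p, ok := fw.pairs[[2]string{f.SrcZone, f.DstZone}]
	if !ok {
		if f.SrcZone == f.DstZone {
			return true, "intra-zone, no zone-pair: pass"
		}
		return false, "inter-zone, no zone-pair: drop"
	}
	action := p.DefaultAction
	if contains(p.ClassProtocols, f.Proto) {
		action = p.ClassAction
	}
	switch action {
	case Inspect:
		if f.App != "" && contains(p.AVCDeny, f.App) {
			return false, "inspect class: application denied by AVC policy"
		}
		fw.sessions[f.Src+">"+f.Dst+"/"+f.Proto] = true
		return true, "inspected, session created"
	case Pass:
		return true, "pass (stateless)"
	default:
		return false, "drop"
	}
}

// NewSlideFirewall builds the INSIDE -> OUTSIDE policy rendered on the slides.
func NewSlideFirewall() *Firewall {
	fw := NewFirewall()
	fw.ZonePair("INSIDE", "OUTSIDE", Policy{
		ClassProtocols: []string{"ftp", "http", "https", "dns", "tcp", "udp", "icmp"},
		ClassAction:    Inspect,
		DefaultAction:  Drop,
		AVCDeny:        []string{"yahoo", "amazon"},
	})
	return fw
}
```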
Intrusion Prevention

• Most widely deployed Intrusion Prevention solution in the world
• Backed by TALOS, signature update is automated
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance

[Figure: IPS at the edge with On-site Services.]
vManage - Intrusion Prevention
[vManage screenshots]
Intrusion Prevention – CLI rendered (For Your Reference)

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start

Step 4 Configuring UTD (service plane)
utd engine standard multi-tenancy
 threat-inspection whitelist profile Sig-white-list
  generator id 3 signature id 22089
  generator id 3 signature id 36208
 threat-inspection profile IPS-POLICY
  threat [protection | detection]
  policy [security | connectivity | balanced]
  whitelist profile Sig-white-list
  logging level [alert | info | ….. ]

Step 5 Enabling UTD (data plane)
policy utd-policy-vrf-1
 vrf 1
 all-interfaces
 fail [open | close]
 threat-inspection profile IPS-POLICY
URL-Filtering

• 82+ Web Categories with dynamic updates from Webroot/BrightCloud
• Block based on Web Reputation score
• Create custom Black and White Lists
• Customizable End-user notifications

[Figure: URL Filtering at the edge. Requests for “risky” domains are checked against White/Black lists of custom URLs and blocked/allowed based on Categories and Reputation.]
vManage - URL Filtering
[vManage screenshots]
URL Filtering – CLI rendered (For Your Reference)

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start

Step 4 Configure (optional) white and black list
parameter-map type regex wlist1
 pattern www.google.com
 pattern www.cisco.com
parameter-map type regex blist1
 pattern www.exmaplehoo.com
 pattern www.bing.com

Step 5 Configure block page
web-filter block page profile block-URL-FILTER-POLICY
 text “WHAT ARE YOU DOING??!!!”

Step 6 Configure web-filter profile
web-filter url profile URL-FILTER-POLICY
 blacklist
  parameter-map regex blist1
 whitelist
  parameter-map regex wlist1
 categories block
  abortion
  abused-drugs
  adult-and-pornography
  bot-nets
  cheating
  confirmed-spam-sources
  cult-and-occult
 alert all
 block page-profile block-URL-FILTER-POLICY
 reputation
  block-threshold moderate-risk

Step 7 Configure data plane
utd global
 logging syslog
!
policy utd-policy-vrf-1
 all-interfaces
 fail close
 vrf 1
 web-filter url profile URL-FILTER-POLICY
DNS/web-layer security – Cisco Umbrella

• Leading Security Efficacy for malware, phishing, and unacceptable requests by blocking requests based on DNS requests
• Supports DNScrypt
• Local Domain-bypass
• TLS decryption
• Intelligent Proxy

[Figure: Users and Devices send DNS requests to Umbrella; safe requests are resolved, blocked requests are stopped.]
DNS/web-layer Security - Solution Overview

[Figure: a user (Martha) sends a DNS Request (1) through the WAN Edge to Cisco Umbrella; Umbrella returns the DNS Response (4); for a safe request the user then fetches Approved Content (5) from web servers on the Internet, while a blocked request is not resolved.]
vManage – DNS/web-layer Security
[vManage screenshots]
DNS/web-layer security – CLI rendered (For Your Reference)

Configure local domain bypass (optional)
parameter-map type regex dns_wl
 pattern www.cisco.com
 pattern .*eisg.cisco.*

Configure token and enable DNS security
parameter-map type umbrella global
 token 57CC8010687FB1B2A7BA4F2373C00247166
 no dnscrypt (enabled by default)
 udp-timeout (to change the udp-timeout)
 resolver-ip <>
vpn 21
 dns-resolver-ip < Umbrella > [bypass-local-domain]
vpn 22
 dns-resolver-ip < Umbrella > [bypass-local-domain]
Advanced Malware Protection and Threat Grid (1HCY19)

• Integration with AMP
  - File reputation
  - File retrospection
• Integration with ThreatGrid
  - File Analysis
  - Malware Sandbox
• Backed with valuable Threat Intelligence

[Figure: the edge checks a file's signature against AMP over the Internet and submits the file to ThreatGrid for analysis.]
SD-WAN Security Support on vEdges – 18.3.1

Platforms/Features | Ent FW | DPI | DNS/web-layer Monitoring *
Viptela - (100, 1000, 2000 and 5000) | Y | Qosmos | Y

* Need Umbrella Subscription for enforcement
SD-WAN Security IOS-XE Routers – 16.10.1

Platforms/Features | Ent FW with App Awareness | IPS/IDS | URL Filtering | DNS/web-layer Monitoring *
Cisco - CSR | Y | Y | Y | Y
Cisco – ENCS (ISRv) | Y | Y | Y | Y
Cisco – ISR4K (4451, 4431, 4351, 4331, 4321, 4221-X) | Y | Y | Y | Y
Cisco – ISR1K (1111X-8P) | Y | Y | Y | Y
Cisco - ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X) | Y | N/A | N/A | Y

* Need Umbrella Subscription for enforcement

Ent FW App Aware and DNS/web-layer security will work with default 4 GB DRAM
Security App Hosting Profile and Resources

[Figure: per-platform core allocation. 4431/4451: Data Plane with 10 cores (PPE1 to PPE9, BQS, I/O, Crypto) and Control Plane with 4 cores (IOS, SVC1, SVC2, SVC3, Linux). 4331/4351: Data Plane with 4 cores (PPE1 to PPE3, I/O, Crypto) and Control Plane with 4 cores (IOS, SVC1, SVC2, SVC3, Linux). 4321/4221/1K: Control Plane with 2 cores (IOS, SVC) and Data Plane with 2 cores (PPE, I/O, Crypto). CPP Code runs on the data plane cores, Linux on the control plane cores.]

Platforms | Total No of CP Cores | Total No of CP Cores for Security | Default Profile with 8 GB DRAM | High Profile with 16 GB of DRAM
4321/4221/1K | 2 | 1 | 1 | -
4331 | 4 | 2 | 2 | 2
4351 | 4 | 2 | 2 | 2
4431 | 4 | 2 | 2 | 2
4451 | 4 | 2 | 2 | 2
Security App Hosting Profile and Resources

Security App Hosting Profile | IPS / URL-F Features | Memory requirement | Platform Supported
Default | IPS + URLF (Cloud Lookup only) | 8GB Bootflash, 8GB Memory | ISR1K/4221/4321; 4/8 vCPU CSR/ISRv; 4331/4351/44xx *
High | IPS + URLF (On-box DB + Cloud Lookup) | 16GB Bootflash & 16GB Memory | 4/8 vCPU CSR/ISRv; 4331/4351/44xx *

* 44XX support – March 2019

Ent FW App Aware and DNS/web-layer security will work with default 4 GB DRAM
Life of a Packet: From LAN to WAN

[Figure: processing chain from the LAN interface to the WAN interface. Stages as labelled on the figure: Interface ACL, NBAR, FNF, IP destination lookup, SD-WAN Data Policy, App-Route Policy, DNS Redirect, Process First and go to OCE Output Walk; then FW, UTD, MPLS Label Add, Tunnel Encap, FW, UTD, NAT, Pre-Route, IPSEC Encrypt (Transport mode), Layer 2 Encap, DNSCrypt, FNF LAST, ACL, TX. Colour coding distinguishes LAN Interface, Tunnel Interface and WAN Interface stages.]

UTD: IPS -> URL-F -> AMP/TG *
* 1HCY19
OCE – Output Chain Element
Life of a Packet: From WAN to LAN

[Figure: processing chain from the WAN interface to the LAN interface. Stages as labelled on the figure: WAN interface, SDWAN For-us Filter, ACL, NAT, IPSEC Decrypt, IP Dest lookup, SDWAN Process and go to OCE Output walk; then MPLS Label Lookup, MPLS transition to IP vrf, IP Dst lookup in Policy, NBAR, FNF, App-first route Policy, Process and go to OCE Output walk; then FW, UTD, L2 Encap, FNF Last, ACL, TX. Colour coding distinguishes LAN Interface, Tunnel Interface and WAN Interface stages.]

UTD: IPS -> URL-F -> AMP/TG *
* 1HCY19
OCE – Output Chain Element
SD-WAN Security - Performance (For Your Reference)

Platform | Traffic Profile (HTTP object size) | Throughput IPSEC (Mbps) | Throughput IPSEC + Ent FW (Mbps) | Throughput IPSEC + EntFW + IPS + URLF (Mbps) | Throughput NAT DIA + Ent FW + IPS + URLF (Mbps)
ISR 4351 | 16k | 300 | 295 | 95 | 162
ISR 4351 | 64k | 620 | 375 | 115 | 213
ISR 4351 | 1024k | 850 | 520 | 180 | 229
ISR 4331 | 16k | 300 | 250 | 90 | 101
ISR 4331 | 64k | 430 | 330 | 105 | 145
ISR 4331 | 1024k | 600 | 450 | 150 | 170
C1111x-8P | 16k | 211 | 190 | 65 | 97
C1111x-8P | 64k | 212 | 189 | 68 | 99
C1111x-8P | 1024k | 214 | 180 | 69 | 100

XE SD-WAN 16.10.1, vManage 18.4. 16k, 64k, 1024k – Object size (http payload)
Demo
SD-WAN Security - Demo in a Box

[Figure: UCS M2 C-Series 210 running ESXi 6.7, connected to the Internet via Google Fiber, with a separate Management Network.]
Basic Steps (1/2)

• Basic connectivity - Install and Configure controllers on ESXi, OpenStack or KVM
• After connectivity, the next step is the certificate work; otherwise the control elements will not establish DTLS connections between themselves and the overlay will not be functional.
• Basic steps are as follows:

1. Make initial CLI config on vBond, vSmart, vManage. Need to specify site-id (can be the same for all), system-ip (unique per-device, but doesn’t have to be reachable, like router-id), organisation name, vBond VPN0 IP address (on vBond give own IP and add “local” keyword). Interfaces for reachability between the controllers obviously also need to be configured.
2. Install Root CA and generate root cert. I used xca.
3. Upload (scp) root cert into vBond, vSmart, vManage.
4. Install root CA on vBond, vSmart, vManage (request root-cert-chain install)
5. Generate CSR on vBond, vSmart, vManage (request csr upload /home/admin/<blah>.csr). Org name of the CSR should match the Org name defined on the vManage.
6. Download (scp) CSRs into CA
7. Sign CSRs with CA
8. Upload certificates back to vBond, vSmart, vManage (put them into /home/admin folder)
9. Install certificates on vBond, vSmart, vManage (request certificate install)
10. Add controllers on vManage
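The certificate side of steps 5 to 9 above, together with the white-list identity check from the Device Identity slides (chain of trust to the root CA, Org name match, and chassis ID plus certificate serial number present in the uploaded WAN Edge list), carried through as an added example that is not Cisco's or Viptela's code. ECDSA P-256 keys, the 24-hour validity, the "ExampleOrg" name and the chassis IDs are constructed for the example; a real deployment uses the Avnet/DigiCert or enterprise roots and the serial file from PnP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceID is one entry of the WAN Edge list uploaded to vManage (constructed values here).
type DeviceID struct{ ChassisID, CertSerial string }

// CA is a minimal enterprise root CA, a stand-in for the Avnet/DigiCert roots.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewRootCA(org string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// SignCSR (steps 6-7): the CA signs only if the CSR's Org name matches vManage's.
func (ca *CA) SignCSR(csrDER []byte, vmanageOrg string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != vmanageOrg {
		return nil, fmt.Errorf("CSR org %v does not match vManage org %q", csr.Subject.Organization, vmanageOrg)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Enroll (step 5, device side): key pair and CSR carrying the chassis ID (CN) and Org name,
// signed by the CA; returns the certificate and its (chassis ID, certificate serial) list entry.
func Enroll(ca *CA, csrOrg, vmanageOrg, chassisID string) (*x509.Certificate, DeviceID, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, DeviceID{}, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{csrOrg}, CommonName: chassisID}}
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, req, key) // cannot fail for a fresh P-256 key
	cert, err := ca.SignCSR(csrDER, vmanageOrg)
	if err != nil {
		return nil, DeviceID{}, err
	}
	return cert, DeviceID{ChassisID: chassisID, CertSerial: cert.SerialNumber.String()}, nil
}

// Authenticate is the vBond white-list check: chain of trust to the root, Org name match,
// and (chassis ID, certificate serial) present in the uploaded WAN Edge list.
func Authenticate(root, cert *x509.Certificate, org string, allowed []DeviceID) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain of trust: %w", err)
	}
	if len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != org {
		return fmt.Errorf("organisation %v is not %q", cert.Subject.Organization, org)
	}
	for _, d := range allowed {
		if d.ChassisID == cert.Subject.CommonName && d.CertSerial == cert.SerialNumber.String() {
			return nil
		}
	}
	return fmt.Errorf("%s is not in the uploaded WAN Edge list", cert.Subject.CommonName)
}
```

A device whose certificate chains to a different root, carries another Org name, or is simply absent from the uploaded list is rejected before any control connection is built, which is the property the white-list model relies on.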

Basic Steps (2/2)
• After controller setup, log in PnP Connect and:
• Add Controller Profile (provide vBond and Org Name)
• Add hardware devices
• Add software devices (vEdgeCloud, ISRv, CSR)
• Download Provisioning File (Serial File)
• Upload Serial File to vManage

Topology

[Figure: demo topology with three sites. Raleigh – HQ (VPN 1; VLANs 10, 11, 12 on 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24; Ubuntu, Win 2016 and FC hosts), Cary – Branch 1 (VPN 1; VLANs 20, 21, 22 on 192.168.20.0/24, 192.168.21.0/24, 192.168.22.0/24; Ubuntu and Win 2016 hosts) and Durham – Branch 2 (VPN 1; VLANs 30, 31, 32 on 192.168.30.0/24, 192.168.31.0/24, 192.168.32.0/24; Ubuntu and Win 2016 hosts). Sites are connected over INET (Tunnel 2) and MPLS (Tunnel 3; AS 100 and AS 200) transports in VPN 0, with a separate Mgmt network on VLAN 40 (192.168.40.0/24).]
Release Notes and Image Download Links (For Your Reference)

Release Notes for both 16.10.1 and 18.4:
https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Release_Notes/010Release_Notes_for_IOS_XE_SD-WAN_Release_16.10_and_SD-WAN_Release_18.4

16.10.1 Software Download Link for ISR 1K/4K and ASR:
ISR 1K: https://software.cisco.com/download/home/286321996/type/286321980/release/16.10.1
ISR 4K: https://software.cisco.com/download/home/286321991/type/286321980/release/16.10.1
ASR1K: https://software.cisco.com/download/home/286321999/type/286321980/release/16.10.1

18.4 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/18.4.0

18.4 vManage upgrade image download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/18.4.0
SD-WAN Security – External Resources (For Your Reference)

Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936

Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering

Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301
SD-WAN Security – External Resources (For Your Reference)

Cisco SD-WAN - http://www.cisco.com/go/sdwan
Network World - https://tinyurl.com/yabey6f2
WSJ - https://tinyurl.com/yb75loxn
Lightreading - https://tinyurl.com/yba9zb4s
FB: https://tinyurl.com/y9u375hk
YouTube Network Field Day (demo): https://tinyurl.com/y955ufde
Call to Action

• World Of Solution – SD-WAN Security Booth
• Whisper Suite – SD-WAN Security Booth
• Checkout other SD-WAN Sessions
• Try It on dCloud - Coming Soon
• Test It
• Buy It
Q&A

Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/

Thank you