TECSEC-2355
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session
How:
1 Find this session in the Cisco Events Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
TECSEC-2355 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Schedule
Agenda
• SDWAN infrastructure refresher
• Secure Infrastructure
  - Secure Control Plane
  - Secure Data Plane
  - Device Identity
• URL-Filtering
  - Packet flow
  - Configuration
  - Troubleshooting
• DNS/web-layer security
  - Packet flow
  - Configuration
About us
Session objectives reminder
SD-WAN refresher

Orchestration Plane: Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
[Diagram: vManage, vBond and vSmart Controllers above vEdge Routers connected over MPLS, 4G and INET transports; APIs, 3rd Party, vAnalytics and Automation attached to vManage]
Control Plane: Cisco vSmart
[Diagram labels only: vManage, vSmart, APIs]
Data Plane: vEdge Routers (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Support Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
[Diagram: vEdge Routers at Cloud, Data Center, Campus, Branch and SOHO sites over MPLS, 4G and INET transports]
Secure Infrastructure: Secure Control Plane

Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service side routes), service routes (L4-L7), BFD up/down stats (TE node) and Cloud onRamp for SaaS probe stats (gateway)
  - Uses attributes
[Diagram: vSmart controllers peered with each other and with the WAN Edges over DTLS]
Transport Locators (TLOCs)
• Each WAN Edge has local TLOCs (System IP, Color, Encap) on Transport1 and Transport2
• TLOCs are advertised to the vSmarts (Default)
• vSmarts advertise TLOCs to all WAN Edges* (Default: Full Mesh)
• Service side: VPN1/VPN2 subnets (A, B, C, D) learnt via BGP, OSPF, Connected and Static routes
[Diagram: two WAN Edges across the SD-WAN Fabric, each with VPN1 and VPN2 on the service side]
Data Plane: 1 shared ingress SPI per TLOC (1)
▪ Each WAN Edge advertises its inbound IPSec encryption key as OMP TLOC attribute
▪ Can be rapidly rotated
▪ Symmetric encryption keys used asymmetrically
▪ Encryption keys are specific per-transport
[Diagram: two WAN Edges connected over Transport 1 and Transport 2 (AES256-GCM/CBC), with the Control Plane to the vSmart Controller]
Data Plane: 1 shared ingress SPI per TLOC (2)-(8), BFD up
[Animation frames of the same diagram with the same four bullets: Encr-Key1 to Encr-Key4 are generated locally on each WAN Edge and distributed in OMP Updates via the vSmart Controller; the last frame shows BFD up over Transport 1]
Data Plane: Pair-wise keying (2)
▪ Each WAN Edge creates:
  ▪ ECDH key pair
  ▪ Nonce
  ▪ ECDH Key ID [ SPI ]
▪ Blue = public value, Red = private value
[Diagram: WAN Edge "A", "B" and "C", each holding an ECDH pub key, ECDH priv key, Nonce and ECDH key ID [SPI]; AES256-GCM/CBC data plane, Control Plane to the vSmart Controller]
Data Plane: Pair-wise keying (3)
▪ Each WAN Edge sends to vSmart:
  ▪ ECDH pub key
  ▪ Nonce
  ▪ ECDH Key ID [ SPI ]
[Diagram: Nonce "B" and SPI "B" sent over Transport 1 to the vSmart Controller]

Rekey local inbound SA, which triggers peer outbound and inbound SA rekey. Then, after receiving the first packet with the new SPI from the peer, do local outbound SA rekey. This method requires higher control plane CPU usage, resulting in lower session scaling.
• no pwk-sym-rekey
Rekey local inbound SA, which triggers peer outbound SA rekey
Data Plane: Pair-wise keying (12)
Changing the PWK setting on cEdge requires a device reload!
Data Plane: Pair-wise keying (13)
cEdge1#show sdwan ipsec pwk inbound-connections
SOURCE IP     SOURCE PORT  DEST IP       DEST PORT  LOCAL TLOC ADDRESS  LOCAL TLOC COLOR  REMOTE TLOC ADDRESS  REMOTE TLOC COLOR  PWK-SPI  SA INDEX  PKEY ID  NONCE HASH  PKEY HASH  SS HASH  D-KEY HASH  AH AUTH
192.168.70.9  12346        192.168.70.6  12346      3.1.0.3             gold              3.1.0.1              lte                0005B2   11        5        ADC3        38B5       3DD1     5715        true
192.168.70.3  12346        192.168.70.6  12346      3.1.0.3             gold              3.1.0.4              green              000000   12        0                                                     false
Data Plane: Pair-wise keying (14)
Debugs
cEdge1#debug plat soft sdwan ftm pwk [dump | log]
cEdge1#debug plat soft sdwan ttm pwk [dump | log]
cEdge1#debug plat soft sdwan vdaemon pwk [dump | log]
Anti-Replay Protection
▪ Encrypted packets are assigned sequence numbers. WAN Edge routers drop packets with duplicate sequence numbers
  - Replayed packet
▪ WAN Edge routers drop packets with sequence numbers lower than the minimal number of the sliding window
  - Maliciously injected packet
▪ Upon receipt of a packet with a higher sequence number than received thus far, the WAN Edge router will advance the sliding window
▪ Sliding window is COS aware to prevent low priority traffic from "slowing down" high priority traffic (8 queues)
[Diagram: Sliding Window over Packet Sequence Numbers, marked Drop / Accept Range / Advance Window]
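The per-queue window logic described above, as an added Python illustration that is not Cisco code: the window size of 64 and the bitmap representation are assumptions, since the slide only states that the window is COS aware with 8 queues. It contrasts one shared window with per-queue windows on the same constructed packet trace.

```python
"""COS-aware anti-replay sliding window, as described on the slide.

Added illustration, not Cisco code. Assumptions not stated on the page: each
queue tracks a window of 64 sequence numbers as a bitmap; queues are indexed
0..7 by the packet's class of service.
"""
from dataclasses import dataclass

WINDOW_SIZE = 64   # assumption: sequence numbers remembered per queue
NUM_QUEUES = 8     # the slide: 8 COS queues, each with its own window
MASK = (1 << WINDOW_SIZE) - 1


@dataclass
class ReplayWindow:
    """One sliding window: the highest accepted sequence number plus a
    bitmap in which bit i means sequence (top - i) was already accepted."""
    top: int = 0
    bitmap: int = 0
    initialized: bool = False

    def check_and_update(self, seq: int) -> str:
        """Classify `seq` as 'accept', 'replayed' or 'too_old' and record it."""
        if not self.initialized:
            self.top, self.bitmap, self.initialized = seq, 1, True
            return "accept"
        if seq > self.top:
            # Higher than anything seen so far: advance the window to it.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & MASK
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= WINDOW_SIZE:
            # Below the minimal number of the window: drop (injected/stale).
            return "too_old"
        if self.bitmap & (1 << offset):
            # Duplicate sequence number inside the window: drop (replayed).
            return "replayed"
        self.bitmap |= 1 << offset       # late but new: accept and remember
        return "accept"


class CosAwareAntiReplay:
    """Eight independent windows, so that delayed packets of one class of
    service are not judged against sequence numbers advanced by another."""

    def __init__(self) -> None:
        self.windows = [ReplayWindow() for _ in range(NUM_QUEUES)]

    def process(self, seq: int, queue: int) -> str:
        if not 0 <= queue < NUM_QUEUES:
            raise ValueError(f"queue must be 0..{NUM_QUEUES - 1}")
        return self.windows[queue].check_and_update(seq)


def replay_trace(trace, cos_aware: bool) -> list:
    """Run a (seq, queue) trace through per-queue windows or through one
    shared window and return the verdict for each packet."""
    shared = ReplayWindow()
    per_queue = CosAwareAntiReplay()
    verdicts = []
    for seq, queue in trace:
        if cos_aware:
            verdicts.append(per_queue.process(seq, queue))
        else:
            verdicts.append(shared.check_and_update(seq))
    return verdicts


# Constructed trace: low-priority queue 0 chatter, a much higher sequence
# number on high-priority queue 7, then queue 0 continues where it left off.
SAMPLE_TRACE = [(1, 0), (2, 0), (3, 0), (2, 0), (500, 7), (1, 7), (4, 0)]

if __name__ == "__main__":
    print("shared   :", replay_trace(SAMPLE_TRACE, cos_aware=False))
    print("per queue:", replay_trace(SAMPLE_TRACE, cos_aware=True))
```

With a single shared window the last queue-0 packet (seq 4) is dropped as too old after queue 7 advanced the window to 500; with per-queue windows it is accepted.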
End-to-End Segmentation
• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
[Diagram: Interface/VLAN on the Ingress WAN Edge mapped into VPN1/VPN2, carried as VPN 1 / VPN 2 / VPN 3 inside the SD-WAN IPSec Tunnel, mapped back to Interface/VLAN on the Egress WAN Edge]
Secure Infrastructure: Device Identity

WAN Edge Router Identity: all platforms except ASR1002-X / ENCS / CSR1000v (during manufacturing)
On-Site bootstrap process
Onsite bootstrap process: Create bootstrap config
Onsite bootstrap process: Reset and activate
Cisco PKI certificates authorization
▪ Starting from 19.1.0 software we also introduced Cisco Public Key Infrastructure (PKI) to sign SD-WAN controller certificates
Cisco PKI certificates authorization - manual (1)
▪ Manual Certificate Authorization: vManage > Administration > Settings
Cisco PKI certificates authorization - manual (2)
▪ Manual Certificate Authorization: PnP portal
Cisco PKI certificates authorization - manual (3)-(5)
Cisco PKI certificates authorization – automatic (1)
Automatic Certificate Authorization - verify the following conditions are met:
Optional: configure a shorter Retrieve Interval, so that vManage checks more often for available certificates: Administration > Settings > Controller Certificate Authorization > Certificate Retrieve Interval
Cisco PKI certificates authorization – automatic (2)
▪ Automatic Certificate Authorization: vManage > Administration > Settings
Cisco PKI certificates authorization – troubleshooting (1)
Monitor the following file: /var/log/nms/vmanage-server.log (tail –f …, show log … tail)
Cisco PKI certificates authorization – troubleshooting (2)
2. vManage should query the PnP portal to retrieve the SA/VA. SA/VA cannot contain special characters, otherwise the API calls will fail
08-Aug-2019 17:23:11,590 UTC INFO [vManage01] [SmartAccountClientService] (default task-20) |default| Query Smart Account: as/token.oauth2?grant_type=password&client_id=01f0c6f5204248969b2125cf6c79fec2&client_secret=cFCB6A39E12A476D97dDd877f342F738&username=sampleuser&password=*******
08-Aug-2019 17:23:12,599 UTC INFO [vManage01] [SmartAccountClientService] (default task-20) |default| Query network: services/api/software/dms/v2/networks?organizationName=CALO - 100589
08-Aug-2019 17:23:12,599 UTC INFO [vManage01] [RestAPIClient] (default task-20) |default| GET API call to - https://apx.cisco.com:443/services/api/software/dms/v2/networks?organizationName= CALO - 100589
08-Aug-2019 17:23:14,312 UTC INFO [vManage01] [SmartAccountProcessor] (default task-20) |default| Returning pkiParams as CiscoPKIParams{accessToken='MGd7rrROIXdUctuORvBidKixDatc', virtualAccountName=EMEAR-SDWAN', domain='tac.cisco.com'}
Cisco PKI certificates authorization – troubleshooting (3)
3. vManage will do POST of the CSR to cisco.com via API:
https://apx.cisco.com/services/api/software/dms/v2/smartaccounts/<SmartAccount>/virtualaccounts/<VirtualAccount>/certificates
Cisco PKI certificates authorization – troubleshooting (4)
4. PnP portal will respond with the location of the certificate
https://apx.cisco.com/services/api/software/dms/v2/smartaccounts/<SmartAccount>/virtualaccounts/<Vir...
222b1f0d1e808ae99bcc7b1bec730ae7
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Enrollment response from Cisco pnp server is: {"status":"ACCEPTED","message":"The request has been submitted for processing","messageCode":"DMS-ASYNC-ACCEPTED","data":{"location":"apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/222b1f0d1e808ae99bcc7b1bec730ae7"}}
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Cisco enrollment response: {"status":"ACCEPTED","message":"The request has been submitted for processing","messageCode":"DMS-ASYNC-ACCEPTED","data":{"location":"apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/222b1f0d1e808ae99bcc7b1bec730ae7"}} status: ACCEPTED
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Location received from PNP server: apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/222b1f0d1e808ae99bcc7b1bec730ae7
Cisco PKI certificates authorization – troubleshooting (5)
5. vManage will pick up the controller when the Retrieve Interval is due
NOTE: the certificate will NOT be picked up immediately after receiving the location; we must wait until the next pickup thread starts
Cisco PKI certificates authorization – troubleshooting (6)
6. The certificate is finally installed
08-Aug-2019 18:00:03,014 UTC INFO [vManage01] [CertificateRequestHandler] (certificate-pickup) || Processing Install Cert Request <requestToken: 2e5e62cd-cf5b-4c9c-88c3-e9477a24ff89, certSerialNumber: 244473F1EC4FAE909CAC881542E3A9153A90EB12, deviceUUID: ef6c60ae-7ae5-44d9-964b-15efa6f1d406, commonName: vmanage-ef6c60ae-7ae5-44d9-964b-15efa6f1d406-10.viptela.com, deviceTenantComponent: com.viptela.vmanage.server.di.DaggerApplicationComponent$TenantComponentImpl@d59a29e>
08-Aug-2019 18:00:03,099 UTC INFO [vManage01] [DeviceLifeCycleTaskHandlerDAO] (certificate-pickup) || starting task install_certificate for requestUUID 2e5e62cd-cf5b-4c9c-88c3-e9477a24ff89
…
08-Aug-2019 18:00:03,979 UTC INFO [vManage01] [SendDeviceListWorker] (send-device-list-0) || For controller <uuid: ef6c60ae-7ae5-44d9-964b-15efa6f1d406, deviceType: vManage>, Command to be executed=<request xmlns="http://viptela.com/actions">
<vsmart-upload xmlns="http://viptela.com/actions">
<serial-file xmlns="http://viptela.com/actions">
<file xmlns="http://viptela.com/actions">H4sIAAAAAAAAADMyMTExN3YzdHU2cXN0tTSwdHZ0trAwNDUxcjV2tDQ0BRIGrk6GRjpliTmZKTrBIS66Po5OusEu4Y5+XAA0Lx8VPQAAAA==</file>
<version xmlns="http://viptela.com/actions">9223372036854775807</version>
</serial-file>
</vsmart-upload>
</request>
…
08-Aug-2019 18:00:04,524 UTC INFO [vManage01] [SendDeviceListWorker] (send-device-list-0) || push_vsmart_list successfully done on device (vManage-ef6c60ae-7ae5-44d9-964b-15efa6f1d406)
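The troubleshooting steps 2 to 6 above can be checked mechanically against vmanage-server.log. The following Python is an added illustration, not vManage code: it reads the log line formats shown on the slides (the sample values are constructed placeholders), checks the SA/VA names for special characters (which characters count as special is an assumption, the slide only says they break the API calls), extracts the ACCEPTED response and its location, and measures how long the certificate waited for the next pickup thread.

```python
"""Reads vmanage-server.log lines of a Cisco PKI controller-certificate
enrollment and reports where the flow got to.

Added illustration, not vManage code. The line formats follow the slides;
SAMPLE_LOG values are constructed placeholders. The set of characters treated
as 'special' in a Smart/Virtual Account name is an assumption.
"""
import json
import re
from datetime import datetime

# Constructed sample in the format of /var/log/nms/vmanage-server.log
SAMPLE_LOG = """\
08-Aug-2019 17:23:12,599 UTC INFO [vManage01] [SmartAccountClientService] (default task-20) |default| Query network: services/api/software/dms/v2/networks?organizationName=EXAMPLE - 12345
08-Aug-2019 17:23:14,312 UTC INFO [vManage01] [SmartAccountProcessor] (default task-20) |default| Returning pkiParams as CiscoPKIParams{accessToken='REDACTED', virtualAccountName='EXAMPLE-VA', domain='example.com'}
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Enrollment response from Cisco pnp server is: {"status":"ACCEPTED","message":"The request has been submitted for processing","messageCode":"DMS-ASYNC-ACCEPTED","data":{"location":"apx.cisco.com/services/api/software/dms/v2/smartaccounts/example.com/virtualaccounts/EXAMPLE-VA/certificates/0123456789abcdef"}}
08-Aug-2019 18:00:03,099 UTC INFO [vManage01] [DeviceLifeCycleTaskHandlerDAO] (certificate-pickup) || starting task install_certificate for requestUUID 00000000-0000-4000-8000-000000000000
"""

TS_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}),\d{3} UTC (\w+) \[[^\]]+\] \[([^\]]+)\]")
PKI_PARAMS_RE = re.compile(r"virtualAccountName='([^']*)', domain='([^']*)'")
PICKUP_RE = re.compile(r"starting task install_certificate for requestUUID (\S+)")
# Assumption: account names limited to letters, digits, '.', '-' and '_'.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def account_name_is_safe(name: str) -> bool:
    """True if a Smart/Virtual Account name contains no 'special' characters."""
    return bool(SAFE_NAME_RE.match(name))


def parse_enrollment(log_text: str) -> dict:
    """Walk the log once and return the state of the enrollment flow."""
    state = {"smart_account": None, "virtual_account": None, "status": None,
             "location": None, "accepted_at": None, "picked_up_at": None,
             "request_uuid": None, "pickup_delay_s": None, "problems": []}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        component = m.group(3)
        if component == "SmartAccountProcessor":
            # Step 2: SA (domain) and VA retrieved from the PnP portal.
            p = PKI_PARAMS_RE.search(line)
            if p:
                state["virtual_account"], state["smart_account"] = p.groups()
                for name in p.groups():
                    if not account_name_is_safe(name):
                        state["problems"].append(f"unsafe account name: {name}")
        elif component == "CiscoCertificateEnrollmentManager" and "pnp server is: " in line:
            # Steps 3/4: CSR posted, portal answers with status and location.
            body = json.loads(line.split("pnp server is: ", 1)[1])
            state["status"] = body.get("status")
            state["location"] = body.get("data", {}).get("location")
            state["accepted_at"] = ts
        elif component == "DeviceLifeCycleTaskHandlerDAO":
            # Steps 5/6: the certificate-pickup thread installs the cert.
            p = PICKUP_RE.search(line)
            if p:
                state["request_uuid"] = p.group(1)
                state["picked_up_at"] = ts
    if state["accepted_at"] and state["picked_up_at"]:
        delta = state["picked_up_at"] - state["accepted_at"]
        state["pickup_delay_s"] = int(delta.total_seconds())
    va = state["virtual_account"]
    if state["location"] and va and f"/virtualaccounts/{va}/" not in state["location"]:
        state["problems"].append("location does not belong to the expected virtual account")
    if state["status"] == "ACCEPTED" and not state["picked_up_at"]:
        state["problems"].append("accepted but not yet picked up: wait for the next Retrieve Interval")
    return state


if __name__ == "__main__":
    for key, value in parse_enrollment(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```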
SD-WAN Security
[Diagram: platform matrix with the labels "Only App Aware FW and DNS/web-layer security" and "Only FW and DNS/web-layer security"]
Secure Infrastructure: locking down edge access

Lock down edge access
[Diagram: WAN Edge with interface Gig1 facing the Internet; configuration screenshots]
Secure Infrastructure: password change enforcement

Password change enforcement (1)
Starting from IOS-XE SDWAN software 16.10.3/16.12.1, the default user admin is set as 'one-time'. When the user logs in for the first time (e.g. new router, config reset), the username admin is removed.
Example of a fresh new router login:
Username: admin
Password:
Router#
Jan 22 07:42:50.193: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: LOCAL] [localport: 0] at 07:42:50 UTC Wed Jan 22 2020
Jan 22 07:42:50.193: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed.
Jan 22 07:42:50.472: %SYS-5-CONFIG_P: Configured programmatically by process iosp_vty_100001_dmi_nesd from console as NETCONF on vty31266
Jan 22 07:42:50.473: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 6
Password change enforcement (2)
16.12.2: User is prompted for a new admin password on first login to console or through ssh.
Username: admin
Password:
Password change enforcement (3)
What does it mean? Don't get screwed!
Continuation of the example: 10 minutes have passed with admin idle and no user configured (16.12.1e software):
Router con0 is now available
Username: admin
Password:
% Login invalid
Password change enforcement (4)
What if I got screwed?
IOS-XE SD-WAN uses a somewhat trickier password recovery method than ordinary IOS-XE because of the presence of the CDB:
• Power cycle and force into the ROMmon with the break sequence (ctrl+break, ctrl+c).
• Change the config register to 0xA102 or 0x8000
• Reset the router
• Login with default credentials (admin:admin)
• Change the configuration register back to 0x2102 and execute request platform sdwan software reset (this also wipes out all the configuration that exists)
• The router reboots with the software specified in packages.conf
• Login again with default credentials and don't forget to change them afterwards!
Direct Internet Access

Direct Internet Access Basics
[Diagram: BRANCH with Hybrid WAN Transport: MPLS towards the Private Cloud, Internet towards the Public Cloud via Direct Internet Access]
Direct Internet Access (NAT)
Configuring DIA – Enable NAT on Internet interface template
Configuring DIA – Add leaked default route to VPN0 on service VPN template
Configuring DIA – Add a leaking default route to VPN0
DIA translation into IOS-XE SDWAN config
interface GigabitEthernet3
<....>
ip nat outside
!
New command to leak from VPN 1 to VPN 0
DIA/NAT packet processing
[Figure: ESP/QFP block diagram (PPE threads, Crypto Assist, BQS, Packet Buffer, TCAM/DRAM/SRAM) with the NAT processing labels: Input FIA, Input ACL, NBAR Classify, MQC Classify, PBR, IP Unicast, Netflow, "In → Out Check", "Session Lookup" (Hit / Miss), "Child Session Lookup", "Allocate Addr" / "Drop", OUTPUT_NAT, Output FIA]
SD-WAN Update – Viptela cEdge and vEdge
DNS-Layer Integration Device & Feature Support (as of June 2019)
Features Planned: Auto-Registration (Device Registration via APIs)
SD-WAN Update – Viptela cEdge: Automated Tunnels

Cisco DNA Packages for SD-WAN
DNA Premier:
• IOS Stateful Firewall | Intrusion Prevention System (IPS) | Umbrella DNS Monitoring
• Dynamic Routing – BGP & OSPF | App & Basic SLA-based policy
• Dynamic Multi-Path with FEC & Packet Duplication | TCP Optimization | ZTP
• IPv4 and IPv6 support | Cisco Cube Connector | VNF Lifecycle Management
• Hub & Spoke Topologies | Full Mesh Topologies (less than 50 sites in DNA Essentials)
• Cloud Management of SD-WAN solution through vManage
Enterprise App Aware Firewall

SDWAN Security: Enterprise App aware Firewall
Enterprise Firewall on Cisco SD-WAN: +1400 layer 7 apps classified
• Zone Policies
• Application Visibility and Granular control
[Diagram: Enterprise App Aware Firewall between the site and SaaS/Internet; the Inspect policy towards the Outside Zone allows only return traffic and drops any new connections]
Enterprise App Aware Firewall: Scenarios

Ent. Firewall App Aware: Intra-Zone Security
[Diagram: WAN Edge to WAN Edge across the SD-WAN Fabric, Zone VPN1 on both sides]
Default Action: D I P
Note: Optional 5-tuple matching

Ent. Firewall App Aware: Inter-Zone Security
[Diagram: WAN Edge to WAN Edge across the SD-WAN Fabric, Zone VPN1 on one side, Zones VPN1 and VPN2 on the other, with VPN1-VPN2 Route Leaking]
Default Action: D I P
Note: Optional 5-tuple matching

Ent. Firewall App Aware: DIA / DCA
[Diagram: Host in SD-WAN Site A, Zone VPN1 on the WAN Edge leaked to Zone VPN0 (VPN1-VPN0 Route Leaking), NAT towards the Internet and a Web Server]
Default Action: D I P
Note: Optional 5-tuple matching
Enterprise App Aware Firewall: packet processing
[Figure: the same ESP/QFP block diagram with the firewall processing labels: Input FIA, Input ACL, Session Lookup (Hit / Miss), Policy Selection (precise + imprecise), Classify Traffic (NBAR classification), action Drop / Pass / Inspect, "If Action = Inspect, create session flow in DB" (Session DB), L4 Inspection (PDU reassembly, parsing), L7 Parse (HTTP GET, POST, …), L7 Inspection, Imprecise Channel Creation, Child session creation (data flow from FTP, RTP flow from SIP, …), OUTPUT_INSPECT, Output Action Mapping, IPV4 OUTPUT INSPECT, Output FIA]
[Figure: same packet-processing diagram with the session listing overlaid]
show policy-firewall session platform
--show platform hardware qfp active feature firewall datapath scb any any any any any all any --
[s=session i=imprecise channel c=control channel d=data channel]
172.18.25.66 58513 10.0.0.1 1967 proto 6 (0:0)[sc]
172.18.25.66 59869 10.0.0.1 1967 proto 17 (0:0)[sc]
172.18.25.66 59824 10.2.6.254 1967 proto 6 (0:0)[sc]
172.18.25.66 56338 10.11.32.15 6665 proto 17 (0:0)[sd]
…
[Figure: same packet-processing diagram with the detailed session output overlaid]
show policy-firewall session platform tcp destination-port 80 detail
--show platform hardware qfp active feature firewall datapath scb any any any 80 6 all any detail--
[s=session i=imprecise channel c=control channel d=data channel]
…
172.18.25.66 53471 213.94.72.66 80 proto 6 (0:0)[sc]
nxt_timeout: 100, refcnt: 1, ha nak cnt: 0, rg: 0, sess id: 32584
…
ingress/egress intf: GigabitEthernet0/0/2 (1021), GigabitEthernet0/0/3 (65526)
current time 1384744571498 create tstamp: 1384690046997 last access: 1384690179236
…
syncookie fixup: 0x0
…
[Figure: same packet-processing diagram with the statistics output overlaid]
show policy-firewall statistics platform
…
==FW memory info==
                  ------------Total History----------
Chunk-Pool    Inuse |Allocated   Freed   Alloc_Fail|
FW Sessions ------------------------------------------------------------
scb              33     32851     32818           0
hostdb            0     11747     11747           0
ICMP Error        0         0         0           0
dst pool          0         0         0           0
…
Annotations on the slide: Inuse = # of sessions active; Allocated = # of sessions allocated through the lifetime of the FW; Freed = # of sessions freed through the lifetime of the FW; Alloc_Fail = # of memory allocation failures; "Synflood protect" next to the hostdb row.
[Figure: QFP packet-processing path diagram, repeated across the following build slides, placing the firewall (OUTPUT_INSPECT) among the input/output FIA features: Input ACL, NAT, PBR, NBAR Classify, MQC Classify, VFR_REFRAG, L2_REWRITE]
Enterprise App Aware Firewall Configuration
Create zones and zone-pairs by clicking on ‘Apply Zone-Pairs’
Enterprise App Aware Firewall Configuration
Create zones by selecting ‘New Zone List’, or select existing zones
Enterprise App Aware Firewall Configuration
• You must choose one of the above in order to configure an application list.
Enterprise App Aware Firewall Configuration
Create a sequence rule by configuring a Match condition. In this example, protocol TCP with port 8002 is configured.
Enterprise App Aware Firewall Configuration
Choose Actions for the match condition – it can be Pass, Inspect or Drop.
Enterprise App Aware Firewall Configuration
You can create multiple sequences. Let's create a sequence with a Source Data Prefix. You can create a new one by clicking on ‘New Data Prefix List’.
Enterprise App Aware Firewall Configuration
After creating the list, the prefix list is displayed in the options and you can choose it.
Enterprise App Aware Firewall Configuration
At the end, your screen should look like this.
Enterprise App Aware Firewall Configuration
If you want to match traffic based on applications, you should create a list and add it to the policy. Choose one of the L4 attributes and then apply the application list on it.
Ent. Firewall App Aware: Configuration
You can create a list of applications/application-families, then select the same list in the previous dialog.
[Screenshot callout: "We will drop these apps!"]
Enterprise App Aware Firewall Configuration
Once you select the Match conditions, switch to Actions. For App Firewall, only Inspect is supported.
Enterprise App Aware Firewall Configuration
• DNS over (D)TLS can be blocked easily by Enterprise App Aware Firewall
• TLS – New Port: TCP/853 – Existing implementations – Middleboxes need to have this port blocked
• DTLS – UDP based: UDP/853 – Not widely used – Middleboxes need to have this port blocked
Enterprise App Aware Firewall:
Self zone
What is the self zone?
Self-zone configuration translated in CLI
Self-zone configuration best practices
Self-zone: What management protocol/ports to allow?
Source | Protocol/Port(s) | Destination
Outside to self: NOC subnet | SSH (TCP/22) | VPN 0 outside IPv4/v6
[Figure: internet – Router (self zone)]
Self-zone: Which services to allow?
Source | Protocol/Port(s) | Destination
Outside to self: Internet | DTLS/IPSECoUDP | VPN 0 outside IPv4/v6
Self to outside: VPN 0 outside IPv4/v6 | DTLS/IPSECoUDP | Internet
[Figure: internet – Router (self zone)]
SDWAN Port Handling and Firewall
• By default, all Viptela devices use base port 12346 for establishing the connections that handle control and traffic in the overlay network. Each device uses this port when establishing connections with other Viptela devices.
• Port Offset
  • Used when multiple Viptela devices are installed behind a single NAT device. For NAT devices that can differentiate among the devices behind the NAT, you do not need to configure the port offset.
  • A different port number is used for each device so that the NAT can properly identify each individual device.
  • The port offset is added to the base port 12346. For example, a device with a port offset of 1 uses port 12347. The port offset can be a value from 0 through 19. The default port offset is 0.
• Port Hopping
  • Devices try different ports when attempting to establish connections with each other in the event that a connection attempt on the first port fails.
  • After such a failure, the port value is incremented and the connection attempt is retried. The software rotates through a total of five base ports, waiting longer and longer between each connection attempt.
  • If you have not configured a port offset, the default base port is 12346, and port hopping is done sequentially among ports 12346, 12366, 12386, 12406, and 12426, and then returning to port 12346.
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
Edge Routers – Base Ports
• When initially establishing these DTLS connections, the vEdge router uses the base port 12346. If it is unable to establish a connection using this base port, it port-hops through ports 12366, 12386, 12406, and 12426, returning, if necessary, to 12346.
• This same port number is used to establish the IPsec connections and BFD sessions to the other vEdge routers in the overlay network.
• Command: show control local-properties
[Figure: vEdge router with INET and MPLS transports; DTLS over UDP on ports 12346, 12366, 12386, 12406, 12426 on each transport]
Controllers – Base Ports
Firewall Ports for Viptela Deployments
Default – No Port Offset Configured, DTLS (UDP)
vManage – IP1 and vSmart – IP1, vSmart – IP2: Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 - 13046
vBond – IP1, vBond – IP2: UDP 12346
vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.
The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7. Each core is allocated separate base ports for control connections.
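The port rules from the preceding slides (base port 12346, per-device offset 0-19, hopping across five base ports 20 apart, one base port per controller core 100 apart, vBond fixed at UDP 12346) as a small allow-list calculator for the perimeter firewall. Added example, not Cisco/Viptela code; the function and constant names are mine.

```python
"""Perimeter-firewall helper for Cisco SD-WAN (Viptela) control-plane UDP ports.

Added example, not vendor code. It encodes only the rules stated on the slides:
  - edge devices start at base port 12346 plus a per-device offset (0..19)
  - port hopping rotates through five base ports 20 apart, then wraps
  - vManage/vSmart use one base port per vCPU core, 100 apart (Core0 = 12346)
  - vBond has no cores and always uses UDP 12346
"""

BASE_PORT = 12346
MAX_OFFSET = 19        # "The port offset can be a value from 0 through 19"
HOP_STEP = 20          # 12346, 12366, 12386, 12406, 12426
HOP_COUNT = 5
CORE_STEP = 100        # Core0 12346, Core1 12446, ... Core7 13046
MAX_CORES = 8


def edge_hop_ports(offset=0):
    """Ordered list of UDP ports an edge with this offset hops through."""
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError(f"port offset must be 0..{MAX_OFFSET}, got {offset}")
    return [BASE_PORT + offset + HOP_STEP * i for i in range(HOP_COUNT)]


def next_hop_port(current, offset=0):
    """Port tried after a failed attempt on `current` (wraps back to the base)."""
    ports = edge_hop_ports(offset)
    if current not in ports:
        raise ValueError(f"{current} is not a hop port for offset {offset}")
    return ports[(ports.index(current) + 1) % HOP_COUNT]


def controller_core_ports(cores=MAX_CORES):
    """Base ports of a vManage/vSmart running with `cores` vCPUs (Core0..)."""
    if not 1 <= cores <= MAX_CORES:
        raise ValueError(f"controllers run with 1..{MAX_CORES} cores")
    return [BASE_PORT + CORE_STEP * c for c in range(cores)]


def explain_port(port):
    """Attribute an observed UDP port to the role(s) that would use it.

    Deltas 0..99 above the base decompose uniquely as 20*hop + offset
    (hop 0..4, offset 0..19), so an edge port is unambiguous; multiples of
    100 are controller cores. Port 12346 itself is shared by edge offset 0,
    Core0 and vBond, and all three roles are reported.
    """
    delta = port - BASE_PORT
    roles = []
    if 0 <= delta < HOP_STEP * HOP_COUNT:
        roles.append({"role": "edge", "offset": delta % HOP_STEP,
                      "hop": delta // HOP_STEP})
    if delta % CORE_STEP == 0 and 0 <= delta // CORE_STEP < MAX_CORES:
        roles.append({"role": "controller", "core": delta // CORE_STEP})
    if delta == 0:
        roles.append({"role": "vbond"})
    return roles


def firewall_udp_allow_list(device_offsets, vsmart_cores=MAX_CORES,
                            vmanage_cores=MAX_CORES):
    """Sorted UDP ports the perimeter firewall must permit for this deployment."""
    ports = set()
    for offset in device_offsets:
        ports.update(edge_hop_ports(offset))
    ports.update(controller_core_ports(vsmart_cores))
    ports.update(controller_core_ports(vmanage_cores))
    ports.add(BASE_PORT)  # vBond
    return sorted(ports)
```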
Enterprise App Aware Firewall: High speed logging
High Speed Logging [HSL] for Zone based firewall
• Why not use IOS syslog as the logger?
• IOS logger is text based [slow since strings need to be formatted]
• QFP to IOS messages are rate-limited by the system in order to protect the RP
• IOSd syslogs will show only part of the messages and are not suitable for production
High Speed Logging in a nutshell
[Figure: WAN Edge QFP complex (Dispatcher, Packet Buffer, PPE threads) exporting HSL records to the Collector]
• Traffic flows across the firewall
Configuring HSL: Template configuration
Configuring HSL: CLI configuration
cEdge(config-profile)# log flow-export v9 udp destination <dst ipaddr> <dst port> vrf <VRF label>
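A collector-side NetFlow v9 decoder for the records that the export command above sends, added here as an example and not Cisco code: it learns the template FlowSet before decoding data FlowSets and skips data it has no template for. The datagram and field layout are constructed from standard RFC 3954 field types; Cisco's firewall-specific HSL field types are not modelled.

```python
"""NetFlow v9 decoder for zone-based firewall High Speed Logging (HSL) records.

Added example, not Cisco code. HSL exports firewall events as NetFlow v9 over
UDP. A collector must learn the exporter's template (FlowSet ID 0) before it
can decode the data FlowSets (ID >= 256) that reference it, and must skip data
for which no template has arrived yet. The datagram below is constructed by
hand from standard RFC 3954 field types.
"""
import struct
import ipaddress

HEADER = struct.Struct("!HHIIII")  # version, count, sys_uptime, unix_secs, sequence, source_id
FIELD_NAMES = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}   # RFC 3954 field types


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads, everything else big-endian ints."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(datagram, templates):
    """Decode one export datagram.

    `templates` maps template id -> [(field_type, length), ...] and is updated
    from template FlowSets, so pass the same dict for every datagram from an
    exporter. Returns the decoded data records as dicts.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v9 header")
    version = HEADER.unpack_from(datagram, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, pos = [], HEADER.size
    while pos + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, pos)
        if length < 4 or pos + length > len(datagram):
            raise ValueError("malformed FlowSet length")
        body = datagram[pos + 4:pos + length]
        if flowset_id == 0:                                  # template FlowSet
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, off)
                off += 4
                if off + 4 * nfields > len(body):
                    raise ValueError("truncated template record")
                templates[tid] = [struct.unpack_from("!HH", body, off + 4 * i)
                                  for i in range(nfields)]
                off += 4 * nfields
        elif flowset_id >= 256:                              # data FlowSet
            fields = templates.get(flowset_id)               # None: template not seen yet
            rec_len = sum(flen for _, flen in fields) if fields else 0
            off = 0
            while rec_len and off + rec_len <= len(body):    # trailing bytes are padding
                record = {}
                for ftype, flen in fields:
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    record[name] = decode_field(ftype, body[off:off + flen])
                    off += flen
                records.append(record)
        pos += length                                        # IDs 1..255 (options) are skipped
    return records


def build_sample_datagram():
    """Constructed exporter datagram: template 256 followed by two data records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]     # src, dst, sport, dport, proto
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def record(src, dst, sport, dport, proto):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHB", sport, dport, proto))

    data = record("10.1.1.1", "192.168.1.1", 41392, 23, 6) + record("10.1.1.2", "192.168.1.1", 0, 0, 1)
    data += b"\x00" * (-len(data) % 4)                      # pad FlowSet to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = HEADER.pack(9, 3, 0, 0, 1, 0)                  # count: 1 template + 2 data records
    return header + tmpl_fs + data_fs
```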
Configuring HSL: CLI configuration example
HSL best practices and limitations
Enterprise App Aware Firewall: Troubleshooting and monitoring
Enterprise App Aware Firewall Monitoring
Enterprise App Aware Firewall Monitoring
Overall Dashboard – Firewall Enforcement; Device Dashboard – Firewall
Enterprise App Aware Firewall Monitoring
Inspected and Dropped traffic can be checked here
Enterprise App Aware Firewall Monitoring
Device & Policy Specific Data
Enterprise App Aware Firewall Commands
Real-time commands can be reached in vManage via Monitor -> Network -> Select Device -> Real Time
Enterprise App Aware Firewall Commands
This translates to “show sdwan zonebfwdp sessions” in CLI
Enterprise App Aware Firewall Commands
This translates to “show sdwan zbfw drop-statistics” in CLI
Enterprise App Aware Firewall Commands
This translates to “show sdwan zbfw zonepair-statistics” in CLI
Enterprise App Aware Firewall Debug Commands
pm5#show policy-firewall sessions platform
[s=session i=imprecise channel c=control channel d=data channel]
14.38.112.250 41392 14.36.1.206 23 proto 6 (0:0) [sc]
Enterprise App Aware Firewall: Demo
Enterprise App Aware Firewall Debug Commands
pm5#show platform hardware qfp active feature firewall datapath zonepair 0 0
idx:66 zp:(1 inet_to_zone_1) key(1->2)
flag: 0x1
Policy Valid (0x00000001)
tcam region: 0xea1411b0 tcam cmd: 0x20000000
Enterprise App Aware Firewall Debug Commands
pm5#show platform packet-trace packet 0
Packet: 0 CBUG ID: 2980
Summary
Input : GigabitEthernet0/0/2
Output : GigabitEthernet0/0/0
State : DROP 183 (FirewallPolicy)
Timestamp
Start : 1207843476722162 ns (04/15/2014 12:37:01.103864 UTC)
Stop : 1207843477247782 ns (04/15/2014 12:37:01.104390 UTC)
Path Trace
Feature: IPV4
Source : 10.1.1.1
Destination : 192.168.1.1
Protocol : 1 (ICMP)
Feature: ZBFW
Action : Drop
Reason : ICMP policy drop:classify result
Zone-pair name : INSIDE_OUTSIDE_ZP
Class-map name : class-default
Packet Copy In
c89c1d51 5702000c 29f9d528 08004500 00540000 40004001 ac640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415
Packet Copy Out
c89c1d51 5702000c 29f9d528 08004500 00540000 40003f01 ad640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415
Intrusion Prevention
SDWAN Security: Intrusion Prevention
[Figure: Cisco SD-WAN security features – Enterprise Firewall (+1400 layer 7 apps classified), Intrusion Prevention, URL-Filtering Phase 1 (Cisco web reputation score using 82+ web security categories)]
Intrusion Prevention
• PCI compliance
Intrusion Prevention: packet flow
Intrusion Prevention – Packet Flow
[Figure: Input features → Forwarding Decision → NBAR Classification → redirect over GRE on the VPG1 interface to the UTD (IPS) container for Snort inspection → Output features]
Snort inspection (example rule from the slide):
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:9;)
Intrusion Prevention – From container to outside
[Figure: after UTD inspection in the container, the packet returns over the "built-in" GRE Tunnel600001 with Action: Reinject and re-enters QFP packet processing at the ingress interface (Input features → Forwarding Decision → NAT → Output features)]
Intrusion Prevention – Diversion control by the container
Snort decides if a flow needs further inspection. If inspection is not required anymore, Snort requests the datapath to stop redirecting the flow to the container.
[Figure: Input features → UTD container over GRE on the VPG1 interface → Output features]
• UTD consists of two FIA entries,
Intrusion Prevention: configuration
Intrusion Prevention – Configuration Workflow
Intrusion Prevention – Compatible Image Version
Download App Hosting TAR file from CCO
TAR file name Applicable platform
Note: Each router image version (16.10.1, 16.11.1 etc.) has its own range of supported app versions.
Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device (Monitor -> Network)
Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device type (Select the device – CSR in example below)
Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device type (Click on Real Time)
Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device type (Type in UTD Version Status in the search box)
https://software.cisco.com/download/home/286321991/type/286321980/release/16.9.3
Intrusion Prevention - Upload App Hosting Image
Intrusion Prevention – Policy Configuration
Intrusion Prevention – Policy Template Configuration
• Choose signature set (Connectivity/Balanced/Security)
• Choose mode of operation (Detection/Protection)
• Choose an existing whitelist profile or create a new one
• Choose alert level for syslogs
• Attach VPNs
• Configure logging (External)
• Configure fail-open/fail-close
IPS – Policy Configuration
vManage >> Security >> Add Security Policy (choose IPS from custom)
IPS – Policy Configuration
Choose signature set (Connectivity/Balanced/Security)
IPS – Policy Configuration
Choose signature set (Connectivity/Balanced/Security)
Connectivity: CVSS Score = 10; CVE year is current - 2 (so, for example, 2020, 2019, 2018)
Balanced:
Security:
IPS – Policy Configuration
Choose mode of operation (Detection/Protection)
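How the Snort rule shown on the packet-flow slide interacts with the signature set and mode chosen here, as an added example (not Cisco or Snort code): the rule's metadata names the Talos policies it belongs to, and Detection mode only alerts. Mapping connectivity-ips/balanced-ips/security-ips to the Connectivity/Balanced/Security sets, and the alert-only behaviour of Detection mode, are assumptions of this example.

```python
"""Read a Snort rule's metadata to see how the IPS signature set and mode decide
what happens to matching traffic.

Added example, not Cisco or Snort code. SAMPLE_RULE is the rule shown on the
packet-flow slide. Assumptions: the Talos policy names in the rule metadata
correspond to the vManage signature sets, and Detection mode is alert-only.
"""

SAMPLE_RULE = (
    'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; '
    'flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; '
    'metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, '
    'service http; classtype:misc-activity; sid:5808; rev:9;)'
)

# vManage signature set -> Talos policy name used in rule metadata (assumed mapping)
SIGNATURE_SETS = {"connectivity": "connectivity-ips", "balanced": "balanced-ips",
                  "security": "security-ips"}


def split_options(body):
    """Split the option block on ';' characters that are outside double quotes."""
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        opts.append(buf.strip())
    return opts


def decode_content(value):
    """Turn a Snort content string with |hex| escapes into the bytes matched."""
    s = value.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    parts = s.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode()   # odd parts are hex
    return bytes(out)


def parse_rule(text):
    """Parse header and options into a dict (contents decoded, policies collected)."""
    head, sep, body = text.strip().partition("(")
    if not sep or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    action, proto, src, sport, direction, dst, dport = head.split()
    rule = {"action": action, "proto": proto, "src": (src, sport), "direction": direction,
            "dst": (dst, dport), "contents": [], "policies": {}, "options": []}
    for opt in split_options(body[:-1]):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        rule["options"].append((key, value))
        if key == "content":
            rule["contents"].append(decode_content(value))
        elif key == "metadata":
            for entry in value.split(","):
                words = entry.split()
                if len(words) == 3 and words[0] == "policy":     # policy <name> <action>
                    rule["policies"][words[1]] = words[2]
                elif len(words) == 2:                            # e.g. service http
                    rule[words[0]] = words[1]
        elif key in ("sid", "rev"):
            rule[key] = int(value)
        elif key in ("msg", "classtype"):
            rule[key] = value.strip('"')
    return rule


def effective_action(rule, signature_set, mode):
    """What the engine does to a matching flow under the chosen set and mode.

    Returns None when the rule is not part of the signature set at all.
    """
    policy_action = rule["policies"].get(SIGNATURE_SETS[signature_set.lower()])
    if policy_action is None:
        return None
    if mode.lower() == "detection":          # IDS: log only, never drop (assumption)
        return "alert"
    if mode.lower() != "protection":
        raise ValueError(f"unknown mode {mode!r}")
    return policy_action
```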
IPS – Policy Configuration
Choose signature whitelist profile (optional)
IPS – Policy Configuration
Choose alert level for syslogs
Configuration – Policy Configuration
Specify the VPNs for which this Intrusion Prevention Policy is applicable
IPS – App Hosting Profile
Determines the number of CPU cores, amount of memory and disk reserved for Service plane (IPS/IDS)
IPS – App Hosting Profile
Click on Feature Template tab
IPS – App Hosting Profile
Click on Add template (or you can edit an existing Feature Template – not shown)
IPS – App Hosting Profile
Click on one or more devices on the left (CSR selected here)
IPS – App Hosting Profile
Select UTD Security Policy Template from Basic Information Section to arrive at this page
IPS – App Hosting Profile
Select Resource Profile for IPS/IDS application
IPS – Policy configuration
IPS/IDS Signature update
IPS – Policy configuration
IPS/IDS Signature update
• Specify the username and password to use for signature package download from CCO
• Specify how often vManage should check for and download signature packages in order to push them down to devices
IPS – Container upgrade
IPS – Container upgrade
Upgrade container image for an existing router image:
IPS – Container upgrade
Upgrade container image for an existing router image:
Select one or more devices for which the IPS/IDS application needs to be upgraded and click on Upgrade Container
IPS – Container upgrade
Upgrade container image for an existing router image:
Choose the Upgrade to Version from the drop-down list and click on Upgrade
IPS – Container upgrade
Upgrade container image after a router image upgrade:
After the router image is upgraded, find out the compatible range of app versions for the new router image from the Real Time page, as described earlier under container installation
IPS – Container upgrade
Upgrade container image after a router image upgrade:
Upload the application image file with a compatible version to Virtual Images Software Repository
IPS – Container upgrade
Upgrade container image after a router image upgrade:
Upgrade the application image file from Maintenance -> Software Upgrade -> Upgrade Container as described
previously
Intrusion Prevention: Automatic provisioning
Snort IPS – Configuration steps by vManage
[Figure: configure IPS policies → Snort IPS specific configuration → enable IPS globally and per VPN]
Intrusion Prevention – Troubleshooting
Intrusion Prevention - Troubleshooting
Top Signature Violations dashboard
Two Views:
• Threats by severity (over time)
• Total threat count (for the selected time period)
Intrusion Prevention - Troubleshooting
Real time data of a device
Intrusion Prevention - Troubleshooting
IPS not inspecting traffic (vManage side)
• Check top signature violations for the entire network in the dashboard as described earlier
Intrusion Prevention - Troubleshooting
Verify IPS inspection (vManage side), contd.
• Check that the engine is GREEN
• show utd eng standard logging events – to view alert messages from Snort for malicious traffic
• show platform hardware qfp active feature utd stats divert – to view the number of packets sent to/received from the container. The counts should match up
Intrusion Prevention - Troubleshooting
Signature package updates not working
Device level events screen – Monitor -> Network -> Select Device -> Events -> Search for utd-update-type-ips
notification type
Demo
packet-tracer output and conditional debugs
cedge6#show platform packet-trace packet 14
Packet: 14 CBUG ID: 3849209
Summary
Input : GigabitEthernet2
Output : internal0/0/svc_eng:0
State : PUNT 64 (Service Engine packet)
Timestamp
Start : 1196238208743284 ns (05/08/2019 10:50:36.836575 UTC)
Stop : 1196238208842625 ns (05/08/2019 10:50:36.836675 UTC)
Path Trace
Feature: IPV4(Input)
Input : GigabitEthernet2
Output : <unknown>
Source : 192.168.16.254
Destination : 151.101.129.67
Protocol : 6 (TCP)
SrcPort : 35568
DstPort : 443
Feature: DEBUG_COND_INPUT_PKT
Entry : Input - 0x8177c67c
Input : GigabitEthernet2
Output : <unknown>
Lapsed time : 2933 ns
<removed>
packet-tracer output and conditional debugs (2)
packet-tracer output and conditional debugs (3)
<removed>
Feature: IPV4_OUTPUT_LOOKUP_PROCESS_EXT
Entry : Output - 0x81781bb4
Input : GigabitEthernet2
Output : Tunnel6000001
<removed>
Feature: IPV4_INPUT_LOOKUP_PROCESS_EXT
Entry : Output - 0x8177c698
Input : Tunnel6000001
Output : VirtualPortGroup1
Lapsed time : 880 ns
<removed>
Feature: OUTPUT_SERVICE_ENGINE
Entry : Output - 0x817c6b10
Input : Tunnel6000001
Output : internal0/0/svc_eng:0
Lapsed time : 15086 ns
<removed>
Feature: INTERNAL_TRANSMIT_PKT_EXT
Entry : Output - 0x8177c718
Input : Tunnel6000001
Output : internal0/0/svc_eng:0 Transmitting internally to the container
Lapsed time : 43986 ns
packet-tracer output and conditional debugs (4)
cedge6#show platform packet-trace packet 15
Packet: 15 CBUG ID: 3849210
Summary
Input : Tunnel6000001
Output : GigabitEthernet3 Tunnel600001 is the container egress interface
State : FWD
<removed>
Feature: UTD Inspection
Action : Reinject
Input interface : GigabitEthernet2
Egress interface: GigabitEthernet3
Feature: OUTPUT_UTD_FINAL_INSPECT_EXT
Entry : Output - 0x817cc5e8
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 12933 ns
<removed>
Feature: NAT
Direction : IN to OUT
Traffic is translated on VPN 0 interface
Action : Translate Source
Steps :
Match id : 1
Old Address : 192.168.16.254 35568
New Address : 172.16.16.254 05062
Feature: MARMOT_SPA_D_TRANSMIT_PKT
Entry : Output - 0x8177c838
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 91733 ns
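A parser for the `show platform packet-trace packet N` dumps shown on the firewall debug slide (the ZBFW drop) and on the UTD demo slides above; added example, not Cisco code. The two sample traces are copied from the slides and trimmed to the lines the parser uses; the function names are mine.

```python
"""Parser for IOS XE `show platform packet-trace packet N` output.

Added example, not Cisco code. It turns the text dump into a structure and
answers the triage questions from the slides: what was the final State, which
feature (ZBFW, UTD, NAT, ...) decided it, and why. It also diffs the Packet
Copy In/Out hex so header rewrites are visible at byte level.
"""
import re

KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _/-]*?)\s*:\s*(.*)$")

# Copied from the slides, trimmed to the lines used here.
ZBFW_DROP_TRACE = """\
Packet: 0 CBUG ID: 2980
Summary
Input : GigabitEthernet0/0/2
Output : GigabitEthernet0/0/0
State : DROP 183 (FirewallPolicy)
Timestamp
Start : 1207843476722162 ns (04/15/2014 12:37:01.103864 UTC)
Path Trace
Feature: IPV4
Source : 10.1.1.1
Destination : 192.168.1.1
Protocol : 1 (ICMP)
Feature: ZBFW
Action : Drop
Reason : ICMP policy drop:classify result
Zone-pair name : INSIDE_OUTSIDE_ZP
Class-map name : class-default
Packet Copy In
c89c1d51 5702000c 29f9d528 08004500 00540000 40004001 ac640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415
Packet Copy Out
c89c1d51 5702000c 29f9d528 08004500 00540000 40003f01 ad640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415
"""

UTD_PUNT_TRACE = """\
Packet: 14 CBUG ID: 3849209
Summary
Input : GigabitEthernet2
Output : internal0/0/svc_eng:0
State : PUNT 64 (Service Engine packet)
Path Trace
Feature: IPV4(Input)
Source : 192.168.16.254
Destination : 151.101.129.67
Protocol : 6 (TCP)
DstPort : 443
<removed>
Feature: OUTPUT_SERVICE_ENGINE
Output : internal0/0/svc_eng:0
"""


def parse_packet_trace(text):
    """Return {'packet', 'summary': {...}, 'features': [{'name', ...}], 'copies': {'In'/'Out': bytes}}."""
    trace = {"packet": None, "summary": {}, "features": [], "copies": {}}
    section, current, hexwords = None, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Packet:"):
            trace["packet"] = int(line.split()[1])
        elif line in ("Summary", "Timestamp", "Path Trace"):
            section = line
        elif line.startswith("Packet Copy "):
            hexwords = []
            trace["copies"][line.split()[-1]] = hexwords
            section = "Copy"
        elif section == "Copy":
            hexwords.extend(line.split())
        elif section == "Path Trace" and line.startswith("Feature:"):
            current = {"name": line.split(":", 1)[1].strip()}
            trace["features"].append(current)
        elif (m := KV_RE.match(line)):              # '<removed>' and free text fall through
            key, value = m.group(1).strip(), m.group(2).strip()
            if section == "Summary":
                trace["summary"][key] = value
            elif section == "Path Trace" and current is not None:
                current[key] = value
    trace["copies"] = {k: bytes.fromhex("".join(v)) for k, v in trace["copies"].items()}
    return trace


def verdict(trace):
    """Disposition plus the feature and reason that decided it."""
    state = trace["summary"].get("State", "UNKNOWN")
    out = {"state": state.split()[0], "detail": state, "feature": None, "reason": None}
    for feat in trace["features"]:
        if feat.get("Action") in ("Drop", "Reinject"):
            out["feature"] = feat["name"]
            out["reason"] = feat.get("Reason") or feat["Action"]
            out["zone_pair"] = feat.get("Zone-pair name")
            break
    if out["state"] == "PUNT" and "svc_eng" in trace["summary"].get("Output", ""):
        out["feature"], out["reason"] = "service engine", "diverted to the UTD container"
    return out


def diff_copies(trace):
    """(offset, in_byte, out_byte) for every byte changed between Copy In and Copy Out.
    With a 14-byte Ethernet header, offset 22 is the IPv4 TTL and 24-25 the checksum."""
    cin, cout = trace["copies"].get("In", b""), trace["copies"].get("Out", b"")
    return [(i, a, b) for i, (a, b) in enumerate(zip(cin, cout)) if a != b]
```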
Conditional debugging
URL - Filtering
SDWAN Security: URL Filtering
[Figure: Cisco SD-WAN security features – Enterprise Firewall (+1400 layer 7 apps classified), Intrusion Prevention, URL-Filtering Phase 1 (Cisco web reputation score using 82+ web security categories)]
URL Filtering
[Figure: requests for “risky” domain requests]
• 82+ Web Categories with dynamic updates
• White/Black lists of custom URLs
• Block based on Web Reputation score
URL – Filtering - Overview
URL-Filtering: Packet flow
Intrusion Prevention – Packet Flow
Intrusion Prevention – Packet architecture: high level container flow
Leveraging Snort pre-processors to gather URL information:
• HTTP preprocessor
• HTTPS preprocessor
[Figure: Edge data plane (QFP packet processing: Input features → Forwarding Decision → NBAR Classification → App aware firewall redirect over GRE on the VPG1 interface) → UTD container (DAQ → Snort preprocessors: HTTP, SSL, OpenAppID, loadable URL Filtering preprocessor with WebRoot URL DB → Snort detection / signature engine → logging/alert output modules) → Output features]
Intrusion Prevention – From container to outside
[Figure: same reinject path as before: UTD inspection in the container → Action: Reinject over the "built-in" GRE Tunnel600001 → ingress interface → Forwarding Decision → NAT → Output features]
URL level Filtering – High level data architecture
URL inspection leveraging Webroot preprocessors
[Figure: IPS/URL container – Snort thread with loadable preprocessors (HTTP/HTTPS, URL) and the Snort detection engine, policy, logging/alert output modules and packet management; URLF backend with whitelist, blacklist DB, WebRoot URL SDK front end, backend DB/SDK, URL lookup and verdict handling; flow diversion / flow insertion between the edge data plane (IOS XE packet processing, ingress and egress interfaces) and the container; block page served by a URL receive server]
URL Filtering Logic
Flowchart: Receive HTTP/S Pkt → URL Normalization → White List? (yes: Release Pkt) → Black List? (yes: Respond with Block Page or Redirect URL) → Prepare URL Query & SDK Client Request → Web URL DB Lookup.
• URL Normalization includes only basic sanity checks and a URI start point check. More checks can be implemented there.
• The code for URLF warm restart has been implemented, but not fully tested. There are 2 utm_persona tables that store the policies/config. One is active and the other is shadow. The 2 persona tables switch at the time of warm restart.
• The Webroot SDK can be integrated into the URLF engine. The reason we did not do so was that Cisco Beaker uses socket communication between the URLF engine and the Beaker database; we implement the Webroot SDK the same way as Beaker for future compatibility.
• URLF handles multiple categories for one URL.
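The white list → black list → URL DB lookup chain of the flowchart, as an added Python example (not Cisco's URLF code). The category names are the ones listed in the security policy template on this page; the hosts, reputation scores, the 60-point threshold and the local URL database are constructed sample data.

```python
"""Toy URLF verdict engine: allow list, then block list, then category /
reputation lookup.  Added example, not Cisco code; the URL DB is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Categories from the policy template slide that this example treats as blocked.
RISKY_CATEGORIES = {
    "bot-nets", "keyloggers-and-monitoring", "malware-sites", "open-http-proxies",
    "phishing-and-other-frauds", "proxy-avoid-and-anonymizers", "spam-urls",
    "spyware-and-adware", "unconfirmed-spam-sources",
}

# Constructed stand-in for the Webroot URL DB: host -> (categories, reputation).
# A host may carry several categories (URLF handles multiple categories per URL).
SAMPLE_URL_DB: Dict[str, Tuple[List[str], int]] = {
    "example-news.test": (["news-and-media"], 85),
    "free-proxy.test": (["proxy-avoid-and-anonymizers", "open-http-proxies"], 40),
    "login-verify.test": (["phishing-and-other-frauds"], 10),
    "shady-downloads.test": (["shareware-and-freeware"], 35),  # benign category, low score
}

@dataclass
class UrlfPolicy:
    allow_list: Set[str] = field(default_factory=set)
    block_list: Set[str] = field(default_factory=set)
    blocked_categories: Set[str] = field(default_factory=lambda: set(RISKY_CATEGORIES))
    min_reputation: int = 60            # constructed threshold: block scores below it
    redirect_url: Optional[str] = None  # set -> redirect; unset -> serve a block page

@dataclass
class Verdict:
    action: str                         # "allow", "block-page" or "redirect"
    reason: str
    categories: List[str] = field(default_factory=list)
    reputation: Optional[int] = None

def normalize_url(raw: str) -> str:
    """URL normalization as the slide describes it: basic sanity checks plus a
    URI start-point check.  Lower-cases scheme/host, drops default ports and
    fragments, and makes sure the path starts at '/'."""
    parts = urlsplit(raw.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an HTTP(S) URL: {raw!r}")
    host = parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}[parts.scheme]:
        host = f"{host}:{parts.port}"
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return urlunsplit((parts.scheme, host, path, parts.query, ""))

def filter_url(raw: str, policy: UrlfPolicy,
               url_db: Dict[str, Tuple[List[str], int]] = SAMPLE_URL_DB) -> Verdict:
    """Walk the flowchart: white list -> black list -> URL DB lookup."""
    url = normalize_url(raw)
    host = urlsplit(url).hostname or ""
    block_action = "redirect" if policy.redirect_url else "block-page"
    if host in policy.allow_list:                 # white list hit: release the packet
        return Verdict("allow", "allow-list")
    if host in policy.block_list:                 # black list hit: no DB lookup needed
        return Verdict(block_action, "block-list")
    # Prepare the URL query; unknown hosts come back as "Uncategorized" with no score.
    categories, score = url_db.get(host, (["Uncategorized"], None))
    hits = sorted(set(categories) & policy.blocked_categories)
    if hits:
        return Verdict(block_action, "category:" + ",".join(hits), categories, score)
    if score is not None and score < policy.min_reputation:
        return Verdict(block_action, f"reputation:{score}<{policy.min_reputation}",
                       categories, score)
    return Verdict("allow", "lookup-clean", categories, score)

if __name__ == "__main__":
    pol = UrlfPolicy(block_list={"example-news.test"}, redirect_url="https://blockpage.example/")
    for u in ("https://Example-News.test:443/a", "http://login-verify.test/",
              "http://shady-downloads.test/setup.exe", "http://unknown.test/"):
        print(u, "->", filter_url(u, pol))
```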
URL-Filtering
Configuration

URL-Filtering Policy Configuration
• Allow / Block
• Web Reputation
• Block Page
• Redirect URL
• Alerts
• VPNs

URL Filtering Security Policy Template
vManage >> Security >> Add Security Policy (choose one that includes URL-Filtering)

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)
Category examples visible in the screenshot: abortion, hunting-and-fishing, questionable

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering) – categories selected in the example:
• bot-nets
• keyloggers-and-monitoring
• malware-sites
• open-http-proxies
• phishing-and-other-frauds
• proxy-avoid-and-anonymizers (covers DoH, Public proxies, TOR)
• spam-urls
• spyware-and-adware
• Uncategorized
• unconfirmed-spam-sources
URL-Filtering
Practical example

URL Filtering Security Policy Configuration: DNS policy avoidance
• DNS… a protocol that is overlooked by many
• Privacy vs. need for control in the Enterprise
• DNS-over-(D)TLS
• DNS-over-HTTPS

Supported Recursive Resolvers for DoT
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
Android Support:
https://www.xda-developers.com/android-dns-over-tls-website-privacy/amp/

DNS-over-HTTPS (DoH) – what has happened…
Diagram: the browser sends DoH over tcp/443; the OS DNS resolver will not be involved in the DNS requests.

DNS-over-HTTPS (DoH) and URL filtering…
(Same diagram as above.)
URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering) – screenshot walkthrough
• (Optional) Specify the Block page server details (Block page message)
• (Optional) Specify the target VPNs for which this Policy Template is applicable by clicking on Target VPNs and specifying the VPN IDs
URL-Filtering
Troubleshooting

URL Filtering Troubleshooting
Is URL-Filtering inspecting traffic?
• Click on Dashboard and check the data for URLs getting blocked/allowed (Note: this is for the entire network)
• Go to the device level page (Monitor -> Network -> Select Device -> URL-Filtering) for URL-Filtering stats

URL Filtering Troubleshooting
URL Filtering database updates not working
• Check device level events for utd-update-type-urlf type notifications (Monitor -> Network -> Select Device -> Events)
packet-tracer output and conditional debugs
cedge6#show platform packet-trace packet 14
Packet: 14 CBUG ID: 3849209
Summary
Input : GigabitEthernet2
Output : internal0/0/svc_eng:0
State : PUNT 64 (Service Engine packet)
Timestamp
Start : 1196238208743284 ns (05/08/2019 10:50:36.836575 UTC)
Stop : 1196238208842625 ns (05/08/2019 10:50:36.836675 UTC)
Path Trace
Feature: IPV4(Input)
Input : GigabitEthernet2
Output : <unknown>
Source : 192.168.16.254
Destination : 151.101.129.67
Protocol : 6 (TCP)
SrcPort : 35568
DstPort : 443
Feature: DEBUG_COND_INPUT_PKT
Entry : Input - 0x8177c67c
Input : GigabitEthernet2
Output : <unknown>
Lapsed time : 2933 ns
<removed>
Demo
packet-tracer output and conditional debugs (2)
packet-tracer output and conditional debugs (3)
<removed>
Feature: IPV4_OUTPUT_LOOKUP_PROCESS_EXT
Entry : Output - 0x81781bb4
Input : GigabitEthernet2
Output : Tunnel6000001
<removed>
Feature: IPV4_INPUT_LOOKUP_PROCESS_EXT
Entry : Output - 0x8177c698
Input : Tunnel6000001
Output : VirtualPortGroup1
Lapsed time : 880 ns
<removed>
Feature: OUTPUT_SERVICE_ENGINE
Entry : Output - 0x817c6b10
Input : Tunnel6000001
Output : internal0/0/svc_eng:0
Lapsed time : 15086 ns
<removed>
Feature: INTERNAL_TRANSMIT_PKT_EXT
Entry : Output - 0x8177c718
Input : Tunnel6000001
Output : internal0/0/svc_eng:0
Note: transmitting internally to the container
Lapsed time : 43986 ns
packet-tracer output and conditional debugs (4)
cedge6#show platform packet-trace packet 15
Packet: 15 CBUG ID: 3849210
Summary
Input : Tunnel6000001
Output : GigabitEthernet3
Note: Tunnel6000001 is the container egress interface
State : FWD
<removed>
Feature: UTD Inspection
Action : Reinject
Input interface : GigabitEthernet2
Egress interface: GigabitEthernet3
Feature: OUTPUT_UTD_FINAL_INSPECT_EXT
Entry : Output - 0x817cc5e8
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 12933 ns
<removed>
Feature: NAT
Direction : IN to OUT
Action : Translate Source
Steps :
Match id : 1
Old Address : 192.168.16.254 35568
New Address : 172.16.16.254 05062
Note: traffic is translated on the VPN 0 interface
Feature: MARMOT_SPA_D_TRANSMIT_PKT
Entry : Output - 0x8177c838
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 91733 ns
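A small parser for the `show platform packet-trace packet` output shown above, as an added Python example (not a Cisco tool). It rebuilds each packet's feature path and answers the questions the slides walk through: was the packet punted to the service engine, did UTD reinject it, and how was it NATed on the way out. The sample text is abbreviated from the two traces above; nothing else is assumed.

```python
"""Parse `show platform packet-trace packet N` output into per-packet feature
paths.  Added example, not a Cisco tool; sample abbreviated from this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PACKET_RE = re.compile(r"^Packet:\s*(\d+)\s+CBUG ID:\s*(\d+)")

@dataclass
class Feature:
    name: str
    fields: Dict[str, str] = field(default_factory=dict)

@dataclass
class PacketTrace:
    packet_id: int
    cbug_id: str
    summary: Dict[str, str] = field(default_factory=dict)   # Input / Output / State
    features: List[Feature] = field(default_factory=list)

    def path(self) -> List[str]:
        return [f.name for f in self.features]

    def punted_to_container(self) -> bool:
        # PUNT state or an internal0/0/svc_eng:0 output = handed to the UTD container
        return (self.summary.get("State", "").startswith("PUNT")
                or "svc_eng" in self.summary.get("Output", ""))

    def reinjected_by_utd(self) -> bool:
        return any(f.name == "UTD Inspection" and f.fields.get("Action") == "Reinject"
                   for f in self.features)

    def nat_translation(self) -> Optional[Tuple[str, str]]:
        for f in self.features:
            if f.name == "NAT" and "Old Address" in f.fields:
                return f.fields["Old Address"], f.fields["New Address"]
        return None

    def lapsed_ns(self) -> int:
        # sum of the per-feature "Lapsed time : N ns" values that survived in the trace
        return sum(int(f.fields["Lapsed time"].split()[0])
                   for f in self.features if "Lapsed time" in f.fields)

def parse_packet_trace(text: str) -> List[PacketTrace]:
    traces: List[PacketTrace] = []
    current: Optional[PacketTrace] = None
    feature: Optional[Feature] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "<removed>" or "#show" in line:
            continue                          # blanks, elided parts, the CLI prompt
        m = PACKET_RE.match(line)
        if m:
            current = PacketTrace(int(m.group(1)), m.group(2))
            traces.append(current)
            feature = None                    # back in the Summary section
            continue
        if current is None:
            continue
        if line.startswith("Feature:"):
            feature = Feature(line.split(":", 1)[1].strip())
            current.features.append(feature)
            continue
        if ":" not in line:
            continue                          # Summary / Timestamp / Path Trace headers
        key, value = (part.strip() for part in line.split(":", 1))
        (current.summary if feature is None else feature.fields)[key] = value
    return traces

# Abbreviated from this page: packet 14 is punted to the container, packet 15 is reinjected.
SAMPLE_TRACE = """\
cedge6#show platform packet-trace packet 14
Packet: 14 CBUG ID: 3849209
Summary
Input : GigabitEthernet2
Output : internal0/0/svc_eng:0
State : PUNT 64 (Service Engine packet)
Feature: IPV4(Input)
Input : GigabitEthernet2
DstPort : 443
Feature: OUTPUT_SERVICE_ENGINE
Lapsed time : 15086 ns
Feature: INTERNAL_TRANSMIT_PKT_EXT
Lapsed time : 43986 ns
Packet: 15 CBUG ID: 3849210
Summary
Input : Tunnel6000001
Output : GigabitEthernet3
State : FWD
Feature: UTD Inspection
Action : Reinject
Input interface : GigabitEthernet2
Egress interface: GigabitEthernet3
Feature: NAT
Action : Translate Source
Old Address : 192.168.16.254 35568
New Address : 172.16.16.254 05062
Feature: MARMOT_SPA_D_TRANSMIT_PKT
Lapsed time : 91733 ns
"""
```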
URL Filtering Troubleshooting
• If a URL is not being categorized as expected, the URL in question should be validated using the following link:
https://www.brightcloud.com/tools/url-ip-lookup.php
This link will provide the details for the URL in question: what its current category and reputation are, if any. If it is not categorized, a request can be made to categorize it or to have its category updated.
DNS / Web Security

SDWAN Security: Intrusion Prevention
(Figure: Cisco SD-WAN security features. Enterprise Firewall: +1400 layer 7 apps classified. URL-Filtering Phase 1: Cisco Web reputation score using 82+ web security categories.)

Cisco Umbrella – DNS/web-layer security
(Figure: safe requests are answered, blocked requests are stopped at the DNS layer.)
• Leading Security Efficacy
• Intelligent Proxy

DNS / Web Security: packet flow

DNS/web-layer Security - Solution Overview
(Figure: the client (Martha) sends a DNS Request (1) through the ISR4K to Cisco Umbrella; a safe request goes on to the Web Servers, a blocked request does not.)
DNS / Web Security: configuration

DNS Layer Security - Configuration

DNS Layer Security – Bypass Domain List
Configuration ► Security tab ► Custom Options ► Lists

DNS Layer Security - Template
vManage >> Security >> Add Security Policy (choose one that includes DNS Layer Security)
Configuration ► Security ► Add Security Policy ► DCA/DIA ► Add/Modify DNS Security Policy
• The Umbrella Registration API token can be entered here the first time and managed later from global settings
• Per VPN DNS resolver and local-domain match criteria

DNS Layer Security: Umbrella Portal

Umbrella marked DoH Resolvers as Anonymizers
https://support.umbrella.com/hc/en-us/articles/360001371526-Firefox-and-DNS-over-HTTPS-default
DNS Security: Monitoring

DNS Layer Security - Monitoring
Monitor ► Network ► select WAN Edge device (Umbrella monitoring is available only on the device dashboard)
Monitor ► Network ► select WAN Edge device ► Security Monitoring ► Umbrella DNS Re-direct (two tabs at device level: DNS Redirect count and Local Domain Bypass count)

DNS Layer Security - Troubleshooting
• Make sure that api.opendns.com is getting resolved from the router
Note: GigabitEthernet1 is the WAN interface that has “ip nat outside” configured
• Make sure dns-resolver is configured as Umbrella for a VRF
• Sample:

DNS Layer Security – Troubleshooting Registration
• Every registration is tied to VRF 65528. So there must be a NAT translation to api.opendns.com for every registration sent. You can check via “show ip nat translation”.
DNS Layer Security – Show Commands
1.29
Tag : vpn29
Device-id : 010a9b2b0d5cb21f
Description : Device Id recieved successfully
WAN interface : None
2.39
Tag : vpn39
Device-id : 010a1a2e1989da19
Description : Device Id recieved successfully
WAN interface : None
DNS Layer Security – Show Commands
# show platform software umbrella f0 config
Umbrella feature:
------------------
Init: Enabled
Dnscrypt: Enabled
…
…
Dnscrypt Info:
public_key:
A5:BA:18:C5:59:70:67:94:E5:37:38:33:06:F9:63:83:39:86:82:E4:00:F5:D8:BE:C1:AA:77:4A:4C:BA:64:00
magic_key: 71 4E 7A 69 6D 65 75 55
serial number: 1517943461
DNS Layer Security – Debug Commands
#debug umbrella ?
• config Umbrella Configuration -------> Config related debugs
• device-registration Umbrella Device Registration -------> Registration related debugs
• dnscrypt Umbrella DNSCrypt -------> DNSCrypt related debugs
AMP & Threatgrid

SDWAN Security: Advanced Malware Protection
(Figure: Cisco SD-WAN security features. Enterprise Firewall: +1400 layer 7 apps classified. URL-Filtering Phase 1: Cisco Web reputation score using 82+ web security categories.)

AMP & Threatgrid
Packet flow

AMP inspection – Packet Flow
Leveraging Snort pre-processors to scan files transferred by:
• HTTP
• FTP
• SMTP
• POP3
• IMAP
• SMB
(Diagram: Input features → UTD container, reached over the GRE over VPG1 interface → Output features.)
Intrusion Prevention – Packet Flow (AMP, animated sequence)
Inside the UTD container a transferred file is handled in these steps:
1 File capture
2 Calculate SHA256
3 Querying cache
4 Cloud lookup (AMP database)
5 Cloud response
6 SHA256 is known! Action: Drop
What if the SHA256 is unknown?
7 Cloud response: SHA256 is unknown!
8 Preprocessing file
9 Analyzing file in VM (Virtual Machine)
10 Verify completion
11 Malware Analysis completed → Update Database

Amp inspection – From container to outside
Diagram: the UTD container hands the packet back with Action: Reinject over the “built-in” GRE Tunnel6000001; QFP Packet processing then continues through Ingress interface, Input features, Forwarding Decision, UTD inspection, NAT and Output features.

AMP & Threatgrid – Packet Flow
Diagram: URL inspection leveraging preprocessors in the IPS/URL container; Flow Diversion into and Flow Insertion out of the container.

Advanced Malware Protection
AMP
ThreatGrid
AMP terminologies
• File Reputation
File Reputation is the process in which a SHA256 is looked up against the AMP cloud to access
threat intelligence information. The cloud server may respond with a disposition of DISP_CLEAN,
DISP_UNKNOWN, DISP_MALICIOUS, or DISP_FAILED. If the file is DISP_UNKNOWN, part of the
response from the cloud may include an action of ACTION_SEND to suggest sending the file to File
Analysis.
• File Analysis
File Analysis is the process of submitting a file that the AMP cloud has determined is
DISP_UNKNOWN and ACTION_SEND to the Threat Grid cloud for detonation in a sandbox. During the
detonation, the sandbox will capture artifacts, observe behaviors, and give the sample an overall score
of abnormal behaviors. Based on the sandbox observations, Threat Grid may change the disposition in
the AMP Cloud to DISP_MALICIOUS.
• Retrospection
Retrospection is the process of receiving a change in file reputation intelligence from Threat Grid or
from TALOS from DISP_UNKNOWN to DISP_MALICIOUS, DISP_CLEAN to DISP_MALICIOUS, or
DISP_MALICIOUS to DISP_CLEAN and then notifying all Connector GUIDs about that change when
they check into the cloud on their Heartbeat.
Supported file transfer protocols
• HTTP
• FTP
• SMTP
• POP3
• IMAP
• SMB

Supported file types
• MOV, FLIC, SWF, EXE, PDF, RTF, RIFF, ZIP, RAR, MSOLE2, MSCAB, MSCHM, BZ, GZ, ARJ, PDF, JPEG, MP4, MACHO, MACHO UNIBIN, PCAP, MP3, PST, SIT, WMF, DICM, NEW-OFFICE
• This list of AMP file types is a superset of the files Threat Grid may consider for file analysis after evaluating the file submission criteria:
• PDF, MS-EXE, NEW-OFFICE, RTF, MDB, MSCAB, MSOLE2, WRI, XLW, FLV, SWF

AMP Cache
• The container maintains a local cache of hashes, dispositions and other metadata based on prior AMP disposition lookups. The cache lookup is done prior to making disposition requests to the AMP Cloud. Cache TTL for each entry is 2 hours.
• Cloud lookup timeout is 2 s. If no cloud response arrives before the lookup timer expires, the default action is to allow the file and no cache entry is added.
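The file reputation path described in the AMP terminologies, packet flow and cache slides, as an added Python example (not Cisco or AMP code): SHA256, local cache with the 2-hour TTL, cloud lookup with the 2-second timeout and fail-open default, ACTION_SEND hand-off to file analysis, and a retrospection update. The cloud, the sample files and the fake clock are constructed stand-ins.

```python
"""Toy model of the AMP file-reputation path on this page (added example, not
Cisco code): SHA256 -> local cache (2 h TTL) -> cloud lookup (2 s timeout,
default allow and no cache entry on timeout) -> disposition.  DISP_UNKNOWN with
ACTION_SEND is queued for File Analysis; retrospection refreshes the cache."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CACHE_TTL_S = 2 * 60 * 60   # slide: cache TTL for each entry is 2 hours
CLOUD_TIMEOUT_S = 2.0       # slide: cloud lookup timeout is 2 s

# Disposition / action names from the "AMP terminologies" slide.
DISP_CLEAN, DISP_UNKNOWN = "DISP_CLEAN", "DISP_UNKNOWN"
DISP_MALICIOUS, DISP_FAILED = "DISP_MALICIOUS", "DISP_FAILED"
ACTION_SEND = "ACTION_SEND"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CloudReply:
    disposition: str
    action: Optional[str] = None   # ACTION_SEND suggests sending the file to analysis
    latency_s: float = 0.1         # simulated round-trip time

@dataclass
class CacheEntry:
    disposition: str
    inserted_at: float

@dataclass
class FileReputation:
    cloud: Callable[[str], CloudReply]       # constructed stand-in for the AMP cloud
    now: Callable[[], float] = time.time     # injectable clock, so the TTL is testable
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    analysis_queue: List[str] = field(default_factory=list)   # hand-off to Threat Grid
    stats: Dict[str, int] = field(default_factory=lambda: dict(
        clean=0, malicious=0, unknown=0, error=0, block=0, log=0))

    def inspect(self, data: bytes) -> Tuple[str, str]:
        """Return (disposition, verdict) for one captured file; verdict is allow/drop."""
        sha = sha256_hex(data)
        entry = self.cache.get(sha)
        if entry is not None and self.now() - entry.inserted_at < CACHE_TTL_S:
            disp = entry.disposition                    # cache hit: no cloud request
        else:
            self.cache.pop(sha, None)                   # expired entry is discarded
            reply = self.cloud(sha)
            if reply.latency_s > CLOUD_TIMEOUT_S:       # timer expired: fail open, no cache
                self.stats["error"] += 1
                return DISP_FAILED, "allow"
            disp = reply.disposition
            self.cache[sha] = CacheEntry(disp, self.now())
            if disp == DISP_UNKNOWN and reply.action == ACTION_SEND:
                self.analysis_queue.append(sha)         # File Analysis candidate
        return disp, self._verdict(disp)

    def _verdict(self, disp: str) -> str:
        self.stats[{DISP_CLEAN: "clean", DISP_MALICIOUS: "malicious"}.get(disp, "unknown")] += 1
        self.stats["log"] += 1
        if disp == DISP_MALICIOUS:
            self.stats["block"] += 1
            return "drop"
        return "allow"

    def retrospect(self, sha: str, new_disposition: str) -> None:
        """Retrospection: Threat Grid / Talos changed the reputation; refresh the cache."""
        self.cache[sha] = CacheEntry(new_disposition, self.now())

# Constructed sample files and a constructed cloud that answers by SHA256.
SAMPLE_CLEAN = b"constructed clean sample"
SAMPLE_MALICIOUS = b"constructed malicious sample"
SAMPLE_UNKNOWN = b"constructed never-seen sample"
SAMPLE_SLOW = b"constructed sample the cloud answers too late"

class DemoCloud:
    def __init__(self) -> None:
        self.calls = 0
        self.table = {
            sha256_hex(SAMPLE_CLEAN): CloudReply(DISP_CLEAN),
            sha256_hex(SAMPLE_MALICIOUS): CloudReply(DISP_MALICIOUS),
            sha256_hex(SAMPLE_UNKNOWN): CloudReply(DISP_UNKNOWN, ACTION_SEND),
            sha256_hex(SAMPLE_SLOW): CloudReply(DISP_CLEAN, latency_s=5.0),
        }

    def __call__(self, sha: str) -> CloudReply:
        self.calls += 1
        return self.table.get(sha, CloudReply(DISP_UNKNOWN))

def make_demo(start: float = 1_000_000.0) -> Tuple[FileReputation, DemoCloud, List[float]]:
    """Engine with a fake clock; advance clock[0] to simulate time passing."""
    clock = [start]
    cloud = DemoCloud()
    return FileReputation(cloud=cloud, now=lambda: clock[0]), cloud, clock

if __name__ == "__main__":
    engine, cloud, clock = make_demo()
    for sample in (SAMPLE_CLEAN, SAMPLE_MALICIOUS, SAMPLE_UNKNOWN, SAMPLE_SLOW):
        print(engine.inspect(sample))
    print(engine.stats, "cloud calls:", cloud.calls)
```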
Sample configuration
vm5#show running-config | sec utd
utd multi-tenancy
utd engine standard multi-tenancy
 utd global
  file-analysis
   apikey 0 abcdefgh5qe230bni7u3f5950f
   cloud-server isr.api.threatgrid.com
  file-reputation
   cloud-server cloud-isr-asn.amp.cisco.com
   est-server cloud-isr-est.amp.cisco.com
   query-interval 300
 file-analysis profile FILE-ANA-PROFILE1
  alert level warning
  file-types
   pdf
   ms-exe
   new-office
   rtf
   mdb
   mscab
   msole2
 file-reputation profile FILE-REP-PROFILE1
  alert level warning
 file-inspection profile FILE-INS-PROFILE1
  reputation profile FILE-REP-PROFILE1
  analysis profile FILE-ANA-PROFILE1
 policy POLICY1
  vrf 1
  all-interfaces
  file-inspection profile FILE-INS-PROFILE1
AMP & Threatgrid
Configuration

Intent based configuration

Configuration – vManage – Admin-key

Configuration – vManage – AMP - Policy
TG Regions: NAM / EU

AMP & Threatgrid
Monitoring

Monitoring – Device view – Files statistics
Monitoring – Device view – Files Analysis
Monitoring – Device view – File Retrospection

Troubleshooting
To check file reputation status
To check file analysis status
To check stats
vm5#show utd engine standard statistics file-reputation
File Reputation Statistics
--------------------------
File Reputation Clean Count: 32
File Reputation Malicious Count: 10
File Reputation Unknown Count: 22
File Reputation Requests Error: 0
File Reputation File Block: 0
File Reputation File Log: 64
Troubleshooting
To check AMP Cache
vm5#show utd engine standard cache file-inspection
File Name| SHA256| File Type| Disposition| action|
-----------------------------------------------------------------------------------------
sample1_doc.doc 9E5046F28FCE4054 27 1 1
sample2_docx.docx 269329FC7AE54B3F 120 1 1
sample3_wav.wav 5F8722542D14F9BC 166 1 1
Troubleshooting
Additional show commands
show utd engine standard statistics file-reputation vrf global internal
show utd engine standard statistics file-reputation vrf name 1 internal
Policy Summary

Policy summary configuration – Enterprise Firewall
Make sure “Bypass firewall policy and allow all internet traffic to/from VPN0” is unchecked when you configure the firewall.

Policy summary configuration – Intrusion Prevention
• Configure the logging (External) server IP and VPN
• Configure fail-open/fail-close and click on Save Policy Changes

Device Template

Configuration – Device Template
1 Select Create Template -> From Feature template
2 Select the device from the Device Model drop-down (CSR1000v shown here)
3 Scroll down to (or click on) the Additional templates section and choose the Security Policy Template created earlier
4 Choose the Container profile template (aka UTD Security Policy Feature Template) created earlier and click on Create
5 Click on the three dots to the right of the Device template and select Attach Devices
6 Select the devices to which you want to push the Device template.
NetFlow Support

Effective security depends on total visibility
(Figure: HQ, Network, Data Center, Roaming Users and Admin.)

The network is a valuable data source

Enriched with data from other sources
(Figure: telemet​ry from User, Device, Server, Switch, Router, WAN Router, Firewall, Server and Cisco Identity Services Engine.)
Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters

Security Analytics with Stealthwatch Enterprise
• Global threat intelligence (powered by Talos): intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Multilayered machine learning: combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Data collection: rich telemetry from the existing network infrastructure
• Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies
Scaling and optimization: deduplication
(Figure: 10.2.2.2 port 240 talks to 10.1.1.1 port 80 through Router A, Router B and Router C. Router B and Router C each export a record for 10.2.2.2:1024 → 10.1.1.1:80, so the collector receives duplicates that deduplication merges.)
Deduplication
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
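Deduplicating flow records that several routers export for the same flow, as in the Router B / Router C picture above; an added Python example, not Stealthwatch code. The records, the 60-second start-time tolerance and the merge rule (count bytes once as the maximum seen, keep every exporter) are constructed assumptions.

```python
"""Deduplicate flow records exported by several routers for the same flow.
Added example, not Stealthwatch code; records and merge rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, int]   # src, sport, dst, dport, proto
START_TOLERANCE_S = 60.0   # constructed: how far apart two routers may stamp one flow

@dataclass(frozen=True)
class FlowRecord:
    exporter: str      # router that exported the record
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: float       # flow start time, seconds
    bytes: int
    packets: int

@dataclass
class DedupFlow:
    key: FlowKey
    start: float
    bytes: int
    packets: int
    exporters: List[str] = field(default_factory=list)          # nothing is discarded
    per_exporter_bytes: Dict[str, int] = field(default_factory=dict)

def flow_key(r: FlowRecord) -> FlowKey:
    return (r.src, r.sport, r.dst, r.dport, r.proto)

def deduplicate(records: List[FlowRecord]) -> List[DedupFlow]:
    """Merge records describing the same 5-tuple within START_TOLERANCE_S.
    Byte/packet counts are the maximum seen, not the sum, so a flow that
    crosses two exporters is counted once; every exporter is still recorded."""
    merged: List[DedupFlow] = []
    for r in sorted(records, key=lambda x: x.start):
        target = None
        for m in merged:
            if m.key == flow_key(r) and abs(m.start - r.start) <= START_TOLERANCE_S:
                target = m
                break
        if target is None:
            target = DedupFlow(flow_key(r), r.start, 0, 0)
            merged.append(target)
        target.bytes = max(target.bytes, r.bytes)
        target.packets = max(target.packets, r.packets)
        if r.exporter not in target.exporters:
            target.exporters.append(r.exporter)
        target.per_exporter_bytes[r.exporter] = (
            target.per_exporter_bytes.get(r.exporter, 0) + r.bytes)
    return merged

def host_bytes(flows: List[DedupFlow]) -> Dict[str, int]:
    """Per-host byte totals after deduplication (host-level reporting)."""
    totals: Dict[str, int] = {}
    for f in flows:
        src, _, dst, _, _ = f.key
        for host in (src, dst):
            totals[host] = totals.get(host, 0) + f.bytes
    return totals

# Constructed records: the slide's flow 10.2.2.2:1024 -> 10.1.1.1:80 seen by
# Router B and Router C, an unrelated flow seen only by Router A, and a later
# reuse of the same 5-tuple outside the tolerance window (a distinct flow).
SAMPLE_RECORDS = [
    FlowRecord("Router B", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 1000.0, 5400, 12),
    FlowRecord("Router C", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 1002.5, 5400, 12),
    FlowRecord("Router A", "10.2.2.2", 1025, "10.1.1.1", 443, 6, 1001.0, 900, 4),
    FlowRecord("Router B", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 2000.0, 300, 3),
]

if __name__ == "__main__":
    flows = deduplicate(SAMPLE_RECORDS)
    print(len(SAMPLE_RECORDS), "records ->", len(flows), "flows")
    for f in flows:
        print(f.key, f.bytes, f.exporters)
    print("host bytes:", host_bytes(flows))
```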
Alarms tied to specific entities
• Quick snapshot of malicious activity
• Suspicious behavior linked to logical alarms
• Risks prioritized to take immediate action

Investigating a host
(Screenshot: Host Summary for 10.201.3.149 with User Name, Device Name, Device Type, Host Group, Location, Last Active, Status, Session Information and Policies; panels for Traffic by Peer Host Group (within organization / outside organization), Alarms by Type (Data Hoarding, Packet Flood, High Traffic, Data Exfiltration), Flows and History for 12-Jan to 16-Jan; Quarantine / Unquarantine actions.)

Investigating a host
Top security events

Apply machine learning to investigate threats
Correlation of global threat behaviors

Investigating: Audit trails

NetFlow Policy Template Creation
• Topology TAB configuration is optional

NetFlow Policy Template (Policy Application TAB)
• Create Traffic Data “New Site and VPN List” and Cflowd “New Site List”

NetFlow Policy Template (Traffic Rules TAB)
Platform Support

SD-WAN Security Support on vEdges – 18.3.1
Platforms: vEdge (100, 1000, 2000 and 5000), ISR1100-4G/ISR1100-6G
Features: Ent FW: Y | DPI: Qosmos | DNS/web-layer: Y | Monitoring *

SD-WAN Sec Support on IOS-XE Routers

Security App Hosting Profile & Resources
(Figure: core layout per platform. 4431 / 4451: Data Plane 10 cores (PPEs, I/O, Crypto, CPP code) and Control Plane 4 cores (Linux, SVC2, SVC3). 4331 / 4351: Data Plane 4 cores and Control Plane 4 cores (Linux, SVC2, SVC3). 4321 / 4221 / 1K: Control Plane 2 cores (IOS, SVC) with I/O and Crypto.)

Platforms | Total No of CP Cores | Default Profile | High Profile | Total No of CP Cores for Security
4321/4221/1K | 2 | 1 | 1 | -
4331 | 4 | 2 | 2 | 2
4351 | 4 | 2 | 2 | 2
4431 | 4 | 2 | 2 | 2
4451 | 4 | 2 | 2 | 2

Ent FW App Aware and DNS/web-layer security will work with the default 4 GB DRAM
Resources
Release Notes and Image Download Links For Your
Reference
https://sdwan-
docs.cisco.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/Software_Installation_and_Upgrade_for_Cisco
_IOS_XE_Routers
TECSEC-2355 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 372
SD-WAN Security – External Resources For Your
Reference
TECSEC-2355 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 373
SD-WAN Security – External Resources For Your
Reference
WSJ - https://tinyurl.com/yb75loxn
Lightreading - https://tinyurl.com/yba9zb4s
FB: https://tinyurl.com/y9u375hk
TECSEC-2355 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 374
Before we part
Cisco DNA SD-WAN Licensing
Detail Cisco DNA Premier
Cisco DNA Advantage Security
TECSEC-2355 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 376
For Your Reference: 17.2.1
• Unified image
• BRKARC-3147

Cisco SD-WAN #CLEMEA Tectorials
• TECRST-2191 – SD-WAN design, deploy and best practices (4 hours)
• TECCRS-3006 – ENFV Deep Dive and Hands on Lab (8 hours)
• TECSEC-2355 – Implementing SD-WAN Branch (4 hours)

Cisco SD-WAN #CLEMEA Breakouts (session codes and titles from the schedule grid)
• BRKRST-2791 – Building and using Policies with Cisco SD-WAN
• BRKRST-2377 – SD-WAN Security
• BRKRST-2560 – SD-WAN Machine Analytics, Machine Learning and AI
• BRKCRS-1579 – SD-WAN Powered by Meraki
• BRKRST-2096 – SD-WAN Proof Of Concept
• BRKRST-2095 – SD-WAN Routing Migrations
• BRKRST-2093 – Deploy, monitor and troubleshoot
• BRKRST-2041 – Migration
• BRKRST-2091 – SD-WAN Datacenter and Branch Integration Design
• BRKARC-2012 – WAN Architecture and Design Principles
• ENFV Architecture, Configuration and troubleshooting
• BRKCRS-2110 – Delivering Cisco Next gen SD-WAN with Viptela
• BRKRST-2559 – 3 Steps to design SD-WAN On Prem
• BRKRST-3404 – How to choose the correct branch device
• BRKRST-2097 – Conquer the Cloud with SD-WAN
• BRKOPS-2826 – SD-WAN as Managed Services
• BRKCRS-2113 – Cloud Ready WAN for IAAS and SAAS with Cisco SD-WAN
• Umbrella session
• Keynote; Cisco Live Celebration
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs

Thank you