
SD-WAN Security

Kureli Sankar – Manager, Technical Marketing


Kural Arangasamy – Technical Marketing Engineer

BRKRST-2377
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKRST-2377 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About Kureli Sankar

• BS in Electrical and Electronics Engineering
• 2006 – 2013 TAC Engineer
• CCIE Security #35505
• 2013 – 2018 TME
• 2019 – Present TME Manager
• Areas of expertise: IOS and IOS-XE security features, SD-WAN Security solutions
• 2018 - Distinguished Speaker Cisco Live (EUR and ANZ)

About Kural Arangasamy

• Family: Wife & 2 kids
• Work History: 20+ years in IT Field
• Cisco: 14+ years
• Cisco Experience: Switching, Routing & Security Solutions Team
• Previous: As a Consultant in NYC & NJ Area: Cabletron, Nortel, Bear Stearns, Goldman Sachs, Merrill Lynch: Designing & Architecting MAN
• Ambition: Security Researcher & Educate the World about Security Threats!
• Social Network: @kuralvanan Kural Arangasamy

Agenda
• Introduction
• Secure Infrastructure
  - Device Identity
  - Secure Control Plane
  - Secure Data Plane
• Secure Branch
  - Ent Firewall App Aware
  - Intrusion Prevention
  - URL-Filtering
  - DNS/Web-layer Security
  - Advanced Malware Protection + Threat Grid
• Secure Management
• Demo

Introduction
SD-WAN exposes new security challenges

Direct Internet Access exposes ingress points
• Exposed ingress points, as traffic is no longer backhauled to the data center
• Diagram labels: NO SECURITY at the cloud edge; BASIC/NO EXISTING WAN SECURITY at the WAN edge

Policy and access gaps expand the attack surface
• Users and devices request access to infrastructure and applications

Defend against bad destinations and data breaches
• Traffic must be encrypted and access must be segmented end to end
• Compliance

Outside-in threats (SaaS, IaaS, Internet)
• Unauthorized access
• Denial of service attacks
• Ransomware

Inside-out threats (remote, corporate and software users and devices; branch IoT, guest and mobile devices)
• Malware infection
• Command & control
• Phishing attacks
• Untrusted users/devices (guests)

Internal threats (SD-WAN fabric, data center and campus)
• Untrusted access
• Lateral movement
• Man-in-the-Middle

Comprehensive SD-WAN security

Simplified secure cloud connections (Secure Cloud Edge)
• Umbrella's Secure Internet Gateway protects users, devices and data sent to and from the cloud
• Duo's Multi-Factor Authentication verifies that only trusted users and devices access cloud and on-prem apps

Enterprise-grade security embedded (Secure WAN Edge)
• Mitigate external security risks with integrated firewall and intrusion prevention embedded in the WAN edge, plus URL filtering and malware sandboxing for inside-out security
• Single console to manage routing, security, or the full stack: thin router with rich security, or full-stack router
• Shortest time to threat detection, powered by Talos

Internal security (Secure SD-WAN Fabric)
• End to end segmentation stops breach propagation, enforces regulatory compliance, and promotes network (and application) layer security
• Zero-trust authentication and full payload encryption between edge routers
• Mitigate internal security risks with a secure SD-WAN fabric with simple or flexible routing configurations

(Diagram: a full edge security stack covering outside-in, inside-out and internal threats across SaaS/IaaS/Internet, remote/corporate/software users and devices, branch IoT/guest/mobile devices, data center and campus.)

Cisco SD-WAN Holistic Approach

(Diagram: users, devices, things and applications connect through the SD-WAN fabric, with Cloud OnRamp, to the data center, IaaS, SaaS, cloud/IoT and edge computing. Fabric attributes: multitenant/cloud-delivered, rich analytics, highly automated, secure, scalable, app aware, vDC.)

Secure Infrastructure
Cisco SD-WAN Architecture

Orchestration Plane (vBond)
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal

Management Plane (vManage)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs (3rd party automation, vAnalytics)

Control Plane (vSmart Controllers)
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies

Data Plane (WAN Edge Routers)
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric over any transport (4G, MPLS, INET)
• Implements data plane policies
• Exports performance statistics

Sites: Cloud, Data Center, Campus, Branch, CoLo

High level view of ordering and on-boarding

• Smart Account or Virtual Account details specified on the order (Cisco Commerce Workspace) are used for overlay creation
• The device list is passed to the PnP Cloud Service (Smart Account automation)
• A vBond controller profile is added in PnP and associated with the Org-Name
• vManage syncs the Smart Account and the device list is pushed to vBond and the WAN Edges
• Parties on the diagram: Customer, Service Provider, End Customer

Device identity and Integrity
History of Malware Found on Cisco IOS Devices

Incident 0
• Date Discovered: 2011
• Device(s) Affected: Cisco 2800 and 3800 Families
• Infection Method: Modifications to IOS binary
• Remote Detectability: Via crypto analysis
• Preventions To Be Taken: Trust Anchor Technology, Secure Boot, & Image Signing
• Complexity Level: Low

Incident 1
• Date Discovered: 2012
• Device(s) Affected: Cisco 2800 and 3800 Families
• Infection Method: Modifications to IOS binary
• Remote Detectability: Via crypto analysis
• Preventions To Be Taken: Trust Anchor Technology, Secure Boot, & Image Signing
• Complexity Level: Low

Incident 2
• Date Discovered: 2013
• Device(s) Affected: Cisco 7600 IOS & line cards
• Infection Method: Modification of in-memory IOS
• Remote Detectability: C2 protocol
• Preventions To Be Taken: Strong admin credentials & authorization
• Complexity Level: Medium

Incident 3
• Date Discovered: 2013
• Device(s) Affected: Cisco 7600 IOS & line cards
• Infection Method: Modification of in-memory IOS
• Remote Detectability: C2 protocol
• Preventions To Be Taken: Strong admin credentials & authorization
• Complexity Level: Medium

Incident 4
• Date Discovered: 2014
• Device(s) Affected: Cisco 1800, 3800, 7200 IOS & ROMMON
• Infection Method: Modification to both ROMMON and in-memory code
• Remote Detectability: Not Directly
• Preventions To Be Taken: Secure Boot, Trust Anchor Technologies + Image Signing
• Complexity Level: High

Incident 5 "SYNful Knock"
• Date Discovered: 2015
• Device(s) Affected: Cisco 1841, 2811, 3825
• Infection Method: Modifications to IOS binary
• Remote Detectability: Yes
• Preventions To Be Taken: Strong admin credentials, Secure Boot, Image Signing
• Complexity Level: Low

Key Trustworthy Technologies

Secure Boot of Signed Images
• Prevents malicious code from booting on a Cisco platform
• Automated integrity checks
• Monitors startup process and shuts down if compromised
• Faster identification of threats

Trust Anchor module (TAm)
• Tamper-resistant chip with X.509 cert installed at manufacturing
• Provides unique device identity and anti-counterfeit protections
• Secure, non-volatile on-board storage and RNG/crypto services
• Enables zero-touch provisioning and minimizes deployment costs

Runtime Defenses (RTD)
• Protects against injection of malicious code into running software
• Makes it harder for attackers to exploit vulnerabilities in running software
• Runtime technologies include ASLR, BOSC, and X-Space

Trustworthy technologies enhance the security and resilience of Cisco solutions

Secure Unique Device Identification (Secure-UDI)

• Tamperproof ID for the device
• Binds the hardware identity to a key pair in a cryptographically secure X.509 certificate (PID) during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR Compliant

Image Signing: Integrity & Non Repudiation

At Cisco
1. The software image is hashed with SHA-512 to a unique 64-byte object.
2. The hash is encrypted with Cisco's PRIVATE key, producing the digital signature.
3. The digital signature, with the hash, is appended to the final image.

Validation Check at Customer Site
4. The customer downloads the image onto the device.
5. Cisco's PUBLIC key, stored on the router, is used to decrypt the digital signature; the recovered SHA-512 hash must equal the SHA-512 hash computed over the downloaded image.

Cisco Secure Boot
Software and Hardware Integrity Checks

Software authenticity checks
• Step 1 – Microloader (root of trust): the first instructions run on the CPU, stored in tamper-resistant hardware (FPGA); the microloader checks the bootloader
• Step 2 – Bootloader checks the OS
• Step 3 – OS launched
• Step 4 – Authenticity and license checks

Hardware authenticity check
• Step 5 and Step 6 – Trust Anchor module (TAm) provides critical services

Secure boot checks images and verifies that software is authentic and unmodified before it is allowed to boot.
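The signing and validation steps on the Image Signing slide, and the way each secure boot stage verifies the next before it runs, as an added Go example written for this page. It is not Cisco's image format or boot code: the RSA key pair, the image bytes and the trailer layout (signature followed by a 4-byte length) are constructed for the example, and SignImage, VerifyImage and BootChain are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// SignImage plays the vendor's role from the slide: hash the image with
// SHA-512 (a 64-byte digest), sign the digest with the vendor's RSA private
// key, and append the signature to the image. The trailer layout used here
// (signature, then a 4-byte big-endian signature length) is constructed for
// this example and is not Cisco's image format.
func SignImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha512.Sum512(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, image...)
	out = append(out, sig...)
	var trailer [4]byte
	binary.BigEndian.PutUint32(trailer[:], uint32(len(sig)))
	return append(out, trailer[:]...), nil
}

// VerifyImage plays the router's role: split the signature off, recompute
// SHA-512 over the image bytes, and check the signature against the vendor
// public key held on the box. It returns the bare image and whether it is
// authentic and unmodified. A malformed trailer is a failed check, never a
// pass.
func VerifyImage(pub *rsa.PublicKey, signed []byte) ([]byte, bool) {
	if len(signed) < 4 {
		return nil, false
	}
	sigLen := int(binary.BigEndian.Uint32(signed[len(signed)-4:]))
	body := signed[:len(signed)-4]
	if sigLen <= 0 || sigLen > len(body) {
		return nil, false
	}
	image, sig := body[:len(body)-sigLen], body[len(body)-sigLen:]
	digest := sha512.Sum512(image)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return nil, false
	}
	return image, true
}

// BootChain models secure boot as a sequence of signed stages (bootloader,
// OS, ...) where each stage is verified before it "runs". The root of trust
// is the vendor public key in tamper-resistant hardware. It returns the
// stages that were allowed to run and stops at the first stage that fails
// verification, which is the "shuts down if compromised" behaviour.
func BootChain(root *rsa.PublicKey, stages map[string][]byte, order []string) []string {
	var ran []string
	for _, name := range order {
		if _, ok := VerifyImage(root, stages[name]); !ok {
			return ran
		}
		ran = append(ran, name)
	}
	return ran
}

func main() {
	// Constructed: a throwaway 2048-bit key standing in for the vendor key pair.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	bootloader, _ := SignImage(priv, []byte("constructed bootloader"))
	osImg, _ := SignImage(priv, []byte("constructed operating system"))
	stages := map[string][]byte{"bootloader": bootloader, "os": osImg}
	order := []string{"bootloader", "os"}
	fmt.Println("pristine boot ran:", BootChain(&priv.PublicKey, stages, order))
	stages["os"][3] ^= 0x01 // flip one bit inside the OS image body
	fmt.Println("tampered OS ran:  ", BootChain(&priv.PublicKey, stages, order))
}
```

The second run stops after "bootloader": the OS image no longer hashes to the value the signature covers, so it is never launched.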
Cisco Router Identity

During Manufacturing (TPM chip, device certificate)
• Each physical router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in on-board Tamper Proof Module (TPM)
  - Installed during manufacturing process
• Enterprise cert can also be used to authenticate the WAN Edge

In Software (root chain)
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP

Cloud (Virtual) Router Identity

Device certificate(s), signed by vManage (if cluster, each member signs)
• OTP/Token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded WAN Edge list
• OTP/Token is supplied to the Cloud router in Cloud-Init during the VM deployment
  - Can activate from CLI post VM deployment
• vManage signs certificate(s) for the Cloud router post OTP/Token validation
  - If vManage cluster, each member signs
  - vManage removes OTP to prevent reuse

In Software (root chain)
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
Establishing Control Elements Identity
(Control elements: vSmart Controller, vBond Orchestrator, vManage)

1. Private and public keys are generated on the control element
2. Certificate Signing Request is generated
3. Certificate is signed by DigiCert/Cisco
4. Certificate is installed into the control element
5. Control element has a built-in root CA trust chain for Avnet, DigiCert and Cisco, to validate other controllers and WAN Edge routers
6. This process is fully automated within vManage

Q: Can I use Enterprise CA?
A: Yes!

Establishing Control Elements Identity – Cisco PKI 19.1
(Control elements: vSmart Controller, vBond Orchestrator, vManage)

1. Private and public keys are generated on the control element
2. Certificate Signing Request is generated
3. Certificate automatically signed by Cisco PnP linked to your Smart Account (when Cisco signing is selected in vManage)
4. Certificate is installed into the control element
5. Control element will have a built-in root CA trust chain for Cisco and Avnet, to validate other controllers and WAN Edges
6. This process is fully automated within vManage

Q: Can I use Enterprise CA?
A: Yes!
DDoS Protection for Controllers

Control Plane Policing in front of vSmart and vManage
• 500 pps per flow
• 10,000 pps aggregate

Sources
• Authenticated sources: vBond, vSmart, vManage
• Unknown sources (other)
  - Default Permit: DHCP, DNS, ICMP, NETCONF
  - Optional Permit: SSH, NTP, STUN, HTTPS (vManage)

Note: vBond control plane policing is the same as WAN Edge

DDoS Protection for SD-WAN Edge Routers

Control Plane Policing* in front of the WAN Edge
• 500 pps per flow
• 10,000 pps aggregate

Sources
• Authenticated sources: vBond, vSmart, vManage
• Implicitly trusted sources: SD-WAN IPSec peers
• Explicitly defined sources: Cloud Security
• Unknown sources (other)
  - Default Permit: 1. Return packets matching a flow entry (DIA enabled) 2. Response packets of DHCP, DNS 3. ICMP
  - Optional Permit: SSH, NETCONF, NTP, OSPF, BGP, STUN

* Only on vEdges
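The policing numbers on the two DDoS slides (500 pps per flow, 10,000 pps aggregate) and the permit list for unknown sources, as an added Go example that is not the device's implementation. Token buckets holding one second of their rate, the order of the checks (permit list, then per-flow, then aggregate) and the sample source addresses are this example's choices; the slides do not specify them.

```go
package main

import "fmt"

// Packet is a constructed control-plane packet as the policer sees it.
type Packet struct {
	Src           string  // source address, used as the flow key
	Service       string  // e.g. "DNS", "SSH", "NETCONF"
	Authenticated bool    // from vBond/vSmart/vManage or an established IPsec peer
	T             float64 // arrival time in seconds
}

// bucket is a token bucket refilled at rate tokens/s, holding at most depth.
type bucket struct{ rate, depth, tokens, last float64 }

func (b *bucket) take(now float64) bool {
	b.tokens += (now - b.last) * b.rate
	if b.tokens > b.depth {
		b.tokens = b.depth
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Policer models the slide's control plane policing: one bucket per flow
// (500 pps) and one shared bucket (10,000 pps), plus a service permit list
// that unknown (unauthenticated) sources must match before any policing.
type Policer struct {
	perFlowRate       float64
	permitted         map[string]bool
	flows             map[string]*bucket
	total             *bucket
	Accepted, Dropped int
}

func NewPolicer(perFlow, total float64, permittedServices ...string) *Policer {
	p := &Policer{perFlowRate: perFlow, permitted: map[string]bool{}, flows: map[string]*bucket{},
		total: &bucket{rate: total, depth: total, tokens: total}}
	for _, s := range permittedServices {
		p.permitted[s] = true
	}
	return p
}

// Admit decides one packet. Unknown sources may only reach permitted
// services; whatever passes that gate is then rate-limited per flow and in
// aggregate.
func (p *Policer) Admit(pkt Packet) bool {
	ok := pkt.Authenticated || p.permitted[pkt.Service]
	if ok {
		fb := p.flows[pkt.Src]
		if fb == nil {
			fb = &bucket{rate: p.perFlowRate, depth: p.perFlowRate, tokens: p.perFlowRate, last: pkt.T}
			p.flows[pkt.Src] = fb
		}
		ok = fb.take(pkt.T) && p.total.take(pkt.T)
	}
	if ok {
		p.Accepted++
	} else {
		p.Dropped++
	}
	return ok
}

// Burst builds n constructed packets from one source at time t.
func Burst(src, service string, auth bool, n int, t float64) []Packet {
	pkts := make([]Packet, n)
	for i := range pkts {
		pkts[i] = Packet{Src: src, Service: service, Authenticated: auth, T: t}
	}
	return pkts
}

// Run feeds packets through the policer and returns the running totals.
func Run(p *Policer, pkts []Packet) (accepted, dropped int) {
	for _, pkt := range pkts {
		p.Admit(pkt)
	}
	return p.Accepted, p.Dropped
}

func main() {
	p := NewPolicer(500, 10000, "DHCP", "DNS", "ICMP", "NETCONF")
	a, d := Run(p, Burst("203.0.113.7", "DNS", false, 1000, 0))
	fmt.Printf("unknown flow bursting 1000 DNS packets: accepted=%d dropped=%d\n", a, d)
	p = NewPolicer(500, 10000, "DHCP", "DNS", "ICMP", "NETCONF")
	a, d = Run(p, Burst("198.51.100.9", "SSH", false, 10, 0))
	fmt.Printf("unknown source to SSH (not permitted): accepted=%d dropped=%d\n", a, d)
}
```

Per-flow tokens are consumed before the aggregate bucket is consulted, so a flow that is ultimately dropped by the aggregate limit still spends its own budget; a device implementation may order this differently.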
Secure Control Plane
Transport Locators (TLOCs)

• Each WAN Edge advertises its local TLOCs (System IP, Color, Encap) to the vSmarts (default)
• vSmarts advertise TLOCs to all WAN Edges* (default), which yields a full-mesh SD-WAN fabric of IPSec tunnels between WAN Edges
* Can be influenced by the control policies

(Diagram legend: Transport Locator (TLOC), OMP, IPSec Tunnel)

Secure Data Plane
SD-WAN Fabric Operation Walk-Through

• Each WAN Edge establishes a DTLS/TLS tunnel to the vSmart and exchanges OMP updates over it
• OMP Update carries:
  - Reachability – IP subnets, TLOCs
  - Security – Encryption keys
  - Policy – Data/App-route policies
• vSmart reflects OMP updates and policies to the other WAN Edges
• WAN Edges bring up IPSec tunnels (monitored with BFD) over Transport1 and Transport2 between their TLOCs
• Each WAN Edge learns its local subnets per VPN (VPN1, VPN2) from BGP, OSPF, connected and static routes (subnets A, B at one site; C, D at the other)

Data Plane Privacy

• Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes (relayed by the vSmart controllers)
• Encryption keys are per-transport (diagram: Encr-Key1/Encr-Key2 for Transport 1 and 2 on one WAN Edge, Encr-Key3/Encr-Key4 on the other)
• Can be rapidly rotated
• Symmetric encryption keys used asymmetrically: each WAN Edge holds its own keys as Local (generated) and its peers' keys as Remote (received)

Packet: IP | UDP | ESP | Original Packet (encrypted)
• DP: AES256-GCM/CBC
• CP: AES256-GCM
Pairwise IPSec Keys for SA

(Diagram: Edge-A, Edge-B and Edge-C connected across the Internet, with vSmart distributing keys over DTLS. Edge-A holds a distinct encryption key for B and a distinct encryption key for C. Legend: LAN, IPSec/GRE, DTLS.)

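The key handling on the Data Plane Privacy and Pairwise IPSec Keys slides (one key per transport generated by each edge, advertised to peers, used in one direction only, and rotated), as an added Go example written for this page. It is not Cisco code and does not reproduce the OMP or ESP formats: Edge, Advertisement, Learn, Send and Receive are names chosen here, and the model that a peer encrypts toward an edge with the key that edge generated is how this example reads the slide's "Local (generated) / Remote (received)" labels.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Edge models one WAN Edge. It generates one local AES-256-GCM key per
// transport and advertises those keys (in the fabric this happens as OMP
// TLOC attributes relayed by vSmart; here Advertisement/Learn stand in for
// that). A peer encrypts traffic toward this edge with the key this edge
// generated, and this edge decrypts with its own copy, so each symmetric
// key protects a single direction.
type Edge struct {
	Name   string
	local  map[string][]byte            // transport -> key this edge generated
	remote map[string]map[string][]byte // peer -> transport -> key received from that peer
}

func NewEdge(name string, transports ...string) (*Edge, error) {
	e := &Edge{Name: name, local: map[string][]byte{}, remote: map[string]map[string][]byte{}}
	for _, t := range transports {
		if err := e.Rotate(t); err != nil {
			return nil, err
		}
	}
	return e, nil
}

// Rotate replaces the local key for one transport. Packets already encrypted
// toward this edge with the old key stop decrypting until peers learn the new one.
func (e *Edge) Rotate(transport string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	e.local[transport] = key
	return nil
}

// Advertisement returns copies of the local keys, as this edge would advertise them.
func (e *Edge) Advertisement() map[string][]byte {
	adv := map[string][]byte{}
	for t, k := range e.local {
		adv[t] = append([]byte{}, k...)
	}
	return adv
}

// Learn stores the keys received from a peer's advertisement.
func (e *Edge) Learn(peer string, adv map[string][]byte) { e.remote[peer] = adv }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts payload toward peer on transport with the peer's advertised
// key. The wire format (12-byte random nonce, then ciphertext and tag, with
// the transport name as associated data) is this example's, not SD-WAN ESP.
func (e *Edge) Send(peer, transport string, payload []byte) ([]byte, error) {
	key, ok := e.remote[peer][transport]
	if !ok {
		return nil, errors.New("no key learned for " + peer + "/" + transport)
	}
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, payload, []byte(transport))...), nil
}

// Receive decrypts a packet that arrived on transport using this edge's own key.
func (e *Edge) Receive(transport string, wire []byte) ([]byte, error) {
	key, ok := e.local[transport]
	if !ok {
		return nil, errors.New("unknown transport " + transport)
	}
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(wire) < aead.NonceSize() {
		return nil, errors.New("short packet")
	}
	return aead.Open(nil, wire[:aead.NonceSize()], wire[aead.NonceSize():], []byte(transport))
}

func main() {
	a, _ := NewEdge("Edge-A", "mpls", "internet")
	b, _ := NewEdge("Edge-B", "mpls", "internet")
	b.Learn(a.Name, a.Advertisement()) // what vSmart would relay to B
	a.Learn(b.Name, b.Advertisement())
	wire, _ := b.Send("Edge-A", "mpls", []byte("constructed payload from B to A"))
	pt, err := a.Receive("mpls", wire)
	fmt.Printf("A decrypts with its own mpls key: %q err=%v\n", pt, err)
	_ = a.Rotate("mpls")
	_, err = a.Receive("mpls", wire)
	fmt.Println("same packet after A rotates its key:", err)
}
```

Because the transport name is bound into the AEAD as associated data, a packet captured on one transport cannot be replayed on the other even if both keys were equal; the GCM tag also rejects any modified byte.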
Data Plane Integrity

• vBond discovers the WAN Edge public IP address, even if it traverses NAT
• vBond communicates the public IP to the WAN Edge
• WAN Edge computes the AH value based on the post-NAT public IP
• Packet integrity (+IP headers) is preserved across NAT

Packet (header sizes in bytes): IP 20 | UDP 8 | ESP 36 | Data …
(Diagram legend: Encrypted AES256-GCM; Control Plane; Authenticated)
End-to-End Segmentation

• Interfaces and sub-interfaces (802.1Q tags) at the ingress WAN Edge are mapped into VPNs (VPN 1, VPN 2, VPN 3), carried across the SD-WAN IPSec tunnel, and mapped back to interfaces/VLANs at the egress WAN Edge
• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup (RFC 4023)

Packet (header sizes in bytes): IP 20 | UDP 8 | ESP 36 | VPN label 4 | Data …
Combining Best of Breed in Security and SD-WAN

Cisco Security + Cisco SD-WAN
• Enterprise Firewall: 1400+ layer 7 apps classified
• Intrusion Protection System: most widely deployed IPS engine in the world
• URL-Filtering: web reputation score using 82+ web categories
• Adv. Malware Protection: with File Reputation and Sandboxing (TG)
• Secure Internet Gateway: DNS Security/Cloud FW with Cisco Umbrella
• TLS/SSL Proxy (COMING SOON!): detect threats in encrypted traffic

Hours instead of weeks and months

Secure Branch
Why SD-WAN Branch Security?

1. Avoid Backhauling. Benefit: better use of WAN bandwidth
2. Benefit Regional SaaS PoP. Benefit: improves application performance
3. Enable DIA. Benefit: improves user experience
4. Centralized Policy/Monitoring. Benefit: consistent security policy & monitoring

(Diagram: branches reach SaaS/IaaS/private cloud/Internet directly through cloud security and branch firewall/IPS security rather than through the data center.)

SD-WAN Security Use Cases

• Use Case: Direct Internet Access. Security features: Firewall, IPS, URL Filtering, AMP+TG, Umbrella
• Use Case: Guest Services. Security features: Firewall, URL Filtering
• Use Case: Industry Compliance. Security features: Firewall, IPS, AMP+TG

All are provisioned from vManage. The SD-WAN fabric segments Employees, Contractors and Guests into separate VPNs (VPN1, VPN2, VPN3 on the diagram), with Direct Internet Access at the branch and applications in the Data Center.

Security Deployment models
Flexible Security based on customer needs

• Cloud Security: lean branch with security in the cloud
• Integrated Security: single platform for routing and security at the branch
• Security @Regional Hub (Co-Location): security services as VNF at a regional colocation hub
Use Case 1: PCI Compliance

(Diagram: Employee and Point of Sale traffic at the branch passes through Ent. FW App Aware and IPS; HQ-destined traffic crosses the SD-WAN fabric in VPN1 to the Data Center applications and security tools; employee Internet traffic exits directly.)

Use Cases
• PCI-DSS - Retail stores
• HIPAA - Hospitals/Clinics
• FERPA – Schools/Colleges/Universities

Requirements
• Segmentation
• Perimeter Control
• Intrusion Prevention

Use Case 2: Guest Access

(Diagram: Employee (VPN1) and Guest (VPN2) traffic at the branch passes through Ent. FW App Aware, DNS/web layer security and URL Filtering; HQ-destined traffic goes to the Data Center applications and security tools; employee and guest Internet traffic exit directly.)

Use Cases
• Retail stores
• Hospitals/Clinics
• Schools/Colleges/Universities

Requirements
• Segmentation
• Application Control
• Liability Protection

Use Case 3: Direct Cloud Access

(Diagram: Employee (VPN1) and Guest (VPN2) traffic passes through Ent. FW App Aware, IPS, DNS/web layer security and URL Filtering; HQ-destined traffic goes to the Data Center applications and security tools; employee SaaS traffic, employee Internet traffic and guest Internet traffic exit directly.)

Use Cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Extranet or partner cloud applications
• Partner Applications

Requirements
• Controlled Redirection
• Application Control
• Intrusion Prevention
• Malware Prevention

Use Case 4: Direct Internet Access

(Diagram: Employee (VPN1) and Guest (VPN2) traffic passes through Ent. FW App Aware, IPS, DNS/web layer security, URL Filtering and AMP&TG; HQ-destined traffic goes to the Data Center applications and security tools; employee SaaS traffic, employee Internet traffic and guest Internet traffic exit directly.)

Use Cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Web Conferencing / Social Media
• Video Streaming Applications

Requirements
• Application Control
• Intrusion Prevention
• Malware Prevention
• Web Content Filtering

Why Multi-Layered Security and How it Works?
Multi-layer Security
• Access Control Lists (Network Access Control)
• Stateful Firewall (Layer 4 inspection)
• Application Control (Layer 7 inspection)
• IPS (Signature Detection)
• DNS/Web/Content Filtering (Application inspection)
• IP Reputation (Block known bad IPs)
• File Reputation (Block known bad Files)
• Anti-Malware / Anti-Virus (Signature / Heuristic Detection)
• Sandboxing Capabilities (Zero-day threats)
• CASB (Cloud Access Security Broker) (Cloud Applications)
• TLS/SSL Decryption (Man in the Middle (MiTM)) (Encrypted Applications)

Access Control Lists

• Network Access Control
• Prevent unauthorized access
• IP or protocol port level
• No directional control

(Diagram: of the packet fields Src IP | Dst IP | TCP Port | SYN | HTTP | URL | Data, an ACL decides on the IP and port fields only.)

Stateful Firewall

• Deep inspection
• Session tracking
• Stateful inspection
• Application Layer Gateway
• Protocol misbehaviors
• Directional control
• Stricter Layer 4 control

(Diagram: packet fields Src IP | Dst IP | TCP Port | SYN | HTTP | URL | Data; the stateful firewall builds on Access Control Lists, and the AppAware Firewall adds App Identification.)

Firewall vs Next-Gen Firewall - What's the difference?

Stateful Firewall
• Deep inspection
• Stateful inspection
• Protocol misbehaviors
• Directional control
• Stricter Layer 4 control

Next-Gen Firewall
• Deep inspection
• Stateful inspection
• Application identification by L7 inspection
• Directional control
• User Id / Context based policy
• Intrusion Prevention
• URL/DNS/Web Content Filtering
• Anti-Malware / Anti-Virus
• Advanced logging / alerting
• SIEM Integration
• TLS/SSL Inspection
• Threat Intel Integration

(Diagram: Next-Gen Firewall = Access Control + URLF + AMP + AppID + IPS, applied over the packet fields Src IP | Dst IP | TCP Port | SYN | HTTP | URL | Data.)

Intrusion Detection/Prevention System (IDS/IPS)

Example Snort rule:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)

• Protocol engines check for protocol level misbehaviours
• Detection engine matches attack signatures
• Rules (signatures) are updated as and when new attacks are identified

IPS engine pipeline (diagram): Packet Decoder (L2/3), then Preprocessors (L3–7, sessions, File, AppId), then the Detection Engine (signature rules), then the Output Module (verdict; alerts, packet logs). Parsed packet layers: MAC | IP | TCP | HTTP | HTTP_CLIENT_BODY.
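To show what the detection engine does with the rule above, here is an added Go example written for this page (not Snort's code). It parses that rule's header and its msg, sid, flow and content options, decodes the |3A| hex escape, and matches the rule against a constructed HTTP request. It deliberately handles only those options; the header variables ($HOME_NET, $HTTP_PORTS and so on) are assumed to be already resolved by the session layer, and Rule, Packet and ParseRule are names chosen here.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// SAHAgentRule is the rule shown on the slide (sid 5808), joined onto one line.
const SAHAgentRule = `drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)`

// Rule holds the parts of a Snort rule this matcher acts on. Header fields
// are kept as written; content patterns are stored as decoded bytes.
type Rule struct {
	Action, Proto, SrcNet, SrcPort, DstNet, DstPort string
	Msg, SID                                         string
	Contents                                         [][]byte
	ToServer, Established                            bool
}

// Packet is the reassembled stream as the detection engine sees it (constructed).
type Packet struct {
	ToServer, Established bool
	Payload               []byte
}

var hexEsc = regexp.MustCompile(`\|([0-9A-Fa-f ]+)\|`)

// decodeContent turns Snort content syntax into bytes: literal text stays
// as-is and |3A|-style hex escapes become raw bytes, so "User-Agent|3A|"
// becomes "User-Agent:".
func decodeContent(s string) ([]byte, error) {
	var out []byte
	last := 0
	for _, m := range hexEsc.FindAllStringSubmatchIndex(s, -1) {
		out = append(out, s[last:m[0]]...)
		raw, err := hex.DecodeString(strings.ReplaceAll(s[m[2]:m[3]], " ", ""))
		if err != nil {
			return nil, err
		}
		out = append(out, raw...)
		last = m[1]
	}
	return append(out, s[last:]...), nil
}

// ParseRule splits the header (action proto src sport -> dst dport) from the
// option block and keeps the msg, sid, content and flow options.
func ParseRule(text string) (Rule, error) {
	open, end := strings.Index(text, "("), strings.LastIndex(text, ")")
	if open < 0 || end < open {
		return Rule{}, fmt.Errorf("missing option block")
	}
	h := strings.Fields(text[:open])
	if len(h) != 7 || h[4] != "->" {
		return Rule{}, fmt.Errorf("unsupported header %q", text[:open])
	}
	r := Rule{Action: h[0], Proto: h[1], SrcNet: h[2], SrcPort: h[3], DstNet: h[5], DstPort: h[6]}
	for _, opt := range strings.Split(text[open+1:end], ";") {
		key, val, _ := strings.Cut(strings.TrimSpace(opt), ":")
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch key {
		case "msg":
			r.Msg = val
		case "sid":
			r.SID = val
		case "content":
			c, err := decodeContent(val)
			if err != nil {
				return Rule{}, err
			}
			r.Contents = append(r.Contents, c)
		case "flow":
			for _, f := range strings.Split(val, ",") {
				switch strings.TrimSpace(f) {
				case "to_server":
					r.ToServer = true
				case "established":
					r.Established = true
				}
			}
		}
	}
	return r, nil
}

// Match applies the flow constraints and requires every content pattern to
// appear in the payload.
func (r Rule) Match(p Packet) bool {
	if (r.ToServer && !p.ToServer) || (r.Established && !p.Established) {
		return false
	}
	for _, c := range r.Contents {
		if !bytes.Contains(p.Payload, c) {
			return false
		}
	}
	return true
}

func main() {
	r, err := ParseRule(SAHAgentRule)
	if err != nil {
		panic(err)
	}
	// Constructed HTTP request carrying the User-Agent the rule looks for.
	req := []byte("GET /beacon HTTP/1.1\r\nHost: example.test\r\nUser-Agent: SAH Agent\r\n\r\n")
	if r.Match(Packet{ToServer: true, Established: true, Payload: req}) {
		fmt.Printf("[%s] sid:%s %s\n", r.Action, r.SID, r.Msg)
	}
}
```

The flow check matters as much as the content: the same bytes seen in the server-to-client direction do not fire the rule, which is how the engine avoids alerting on a response that merely echoes the string.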
URL-Filtering Solution Overview

1. User-1 / User-2 send web requests through the WAN Edge
2. The URLF Engine checks each request against the Black List, White List, Category and Reputation
3. Blocked requests are answered with a Block Page
4. Allowed Internet traffic is forwarded; HQ-destined traffic goes to the Data Centre applications

(Diagram legend: Allowed Internet Traffic, Blocked Internet Traffic, HQ Destined Traffic)

DNS-Filtering Solution Overview

Steps as numbered on the diagram:
• DNS Request (1) from User-1 / User-2 to the WAN Edge
• DNS Request (2) forwarded by the WAN Edge to UMBRELLA
• DNS Response (3) from Umbrella; a blocked request is answered so that the client reaches Blocked Content
• Allowed Content (5) is fetched from the Internet; Blocked Content (5) is served instead of the requested site

(Diagram legend: Allowed Internet Traffic, Blocked Internet Traffic)

File Reputation & Retrospection Service – Solution Overview

How it works?
• File download intercepted
• File SHA calculated
• Reputation lookup
• File released or blocked
• Local or Cloud Database

What it does?
• File SHA match
• Good or Bad Files Database
• Known bad files blocked
• File Database updated frequently
• File Retrospection

Flow (diagram): File Request (1) from the user (Martha, on a Mac) to the Web Servers; File Download (2) through the WAN Edge; File SHA (3) sent to the File Reputation Service (FRS Engine, with a File Verify cache (4)); Verdict (5); File Allowed (6). The service holds Good Files (e.g. f11c3d6770b6…) and Bad Files (e.g. 8e8ca2642a6e…, 8e8f460c74b0…, 91f59420a752…) in a database keyed by sha256 and filename.
File Analysis (Sandbox) – Solution Overview

How it works?
• File SHA lookup
• Unknown reputation
• File transfer to FAS (File Analysis Service)
• File runs in a virtual env.
• Bad files blocked

What it does?
• Execute file in a VM
• Analyze file execution
• Analyze file content
• Detect malicious behavior

Flow (diagram): File Request (1), File Download (2) through the WAN Edge, File SHA (3) to the File Reputation Service (FRS Engine, File Verify cache (4)); files with unknown reputation go to the File Analysis Service; Allow (7) / File Allowed (7). Good Files (f11c3d6770b6…) and Bad Files (8e8ca2642a6e…, 8e8f460c74b0…, 91f59420a752…).
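The file reputation, sandbox and retrospection flow on the two slides above, as an added Go example that is not the AMP or Threat Grid implementation. The reputation database, the sandbox stand-in (a function that flags a constructed marker string instead of detonating anything) and the host and file names are all constructed; Inspector, Inspect and Retrospect are names chosen here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

type Verdict string

const (
	Clean     Verdict = "clean"
	Malicious Verdict = "malicious"
)

// Sha256Hex is the file hash the WAN Edge computes on an intercepted download.
func Sha256Hex(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Inspector models the File Reputation Service (FRS) with its cache, the
// File Analysis Service (sandbox) for hashes with unknown reputation, and a
// record of which endpoint received which allowed file, which is what makes
// retrospection possible. The sandbox is injected as a function so the
// example runs offline; the reputation database is a constructed map.
type Inspector struct {
	reputation                      map[string]Verdict           // sha256 -> known verdict (constructed DB)
	cache                           map[string]Verdict           // local cache of lookups and sandbox results
	sandbox                         func(content []byte) Verdict // File Analysis Service stand-in
	allowed                         map[string][]string          // sha256 -> "host:filename" that received it
	CacheHits, Lookups, Submissions int
}

func NewInspector(db map[string]Verdict, sandbox func([]byte) Verdict) *Inspector {
	return &Inspector{reputation: db, cache: map[string]Verdict{}, sandbox: sandbox,
		allowed: map[string][]string{}}
}

// Inspect decides whether a download is released: cache first, then the
// reputation lookup, then the sandbox for anything still unknown. Released
// files are recorded so a later bad verdict can be traced back.
func (in *Inspector) Inspect(host, filename string, content []byte) (Verdict, string) {
	sha := Sha256Hex(content)
	v, ok := in.cache[sha]
	if ok {
		in.CacheHits++
	} else {
		in.Lookups++
		if v, ok = in.reputation[sha]; !ok {
			in.Submissions++
			v = in.sandbox(content)
		}
		in.cache[sha] = v
	}
	if v != Malicious {
		in.allowed[sha] = append(in.allowed[sha], host+":"+filename)
	}
	return v, sha
}

// Retrospect is the retrospection step: the database later learns that a
// hash is bad, the cache is corrected, and every endpoint that already
// received the file is returned so the incident can be followed up.
func (in *Inspector) Retrospect(sha string) []string {
	in.reputation[sha] = Malicious
	in.cache[sha] = Malicious
	hits := in.allowed[sha]
	delete(in.allowed, sha)
	return hits
}

// demoSandbox stands in for detonation in a VM: it flags content carrying a
// constructed marker string. A real sandbox judges runtime behaviour.
func demoSandbox(content []byte) Verdict {
	if strings.Contains(string(content), "CONSTRUCTED-MALICIOUS-BEHAVIOUR") {
		return Malicious
	}
	return Clean
}

func main() {
	knownBad := []byte("constructed known-bad sample")
	in := NewInspector(map[string]Verdict{Sha256Hex(knownBad): Malicious}, demoSandbox)
	v, sha := in.Inspect("martha-mac", "invoice.exe", knownBad)
	fmt.Println("known bad:", v, sha[:12]+"…")
	v, sha = in.Inspect("martha-mac", "report.pdf", []byte("constructed benign document"))
	fmt.Println("unknown, sandboxed:", v, "submissions:", in.Submissions)
	fmt.Println("retrospection hits:", in.Retrospect(sha))
}
```

Retrospect returns host:filename pairs rather than just a count because the value of retrospection is the list of endpoints that already hold the file; blocking future downloads of the hash is the easy part.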
Cloud Access Security Broker (CASB) – Solution Overview

How it works?
• Forward Proxy
• Reverse Proxy
• API Node

What it does?
• Visibility
• Policy Compliance
• Security
• Authentication
• Authorization
• Device Profiling
• Encryption
• Data Loss Prevention
• Malware Prevention

(Diagram: branch users behind the WAN Edge reach cloud applications over MPLS/INET through the CASB.)

TLS/SSL Decryption (MiTM Proxy) – Solution Overview

Why do you need it?
• More apps/data cloud hosted
• Internet going dark: >80% of Internet traffic encrypted
• Lack of security control
• Malware hidden in encrypted traffic

How does it work?
• URL request intercepted
• Server certificate checked
• Proxy re-signs the server certificate
• User traffic redirected via proxy
• Decrypt and inspect
• Re-encrypt and send

What does it do?
• Proxy runs a cert signing authority
• Re-signs server certificate
• Redirects traffic through security stack
• Enforce security control
• Inspect for malware

(Diagram: Employee 1 and Employee 2 traffic enters on G0/0/0, is decrypted to clear text for inspection, and leaves on G0/0/1 toward the Internet or the Data Centre applications. Legend: HQ Destined Traffic, Employee Internet Traffic.)

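How the re-signing step works, as an added Go example written for this page with the standard library x509 package; it is not the proxy's code. The proxy CA name, the origin host app.example.test and the validity windows are constructed, OriginCert stands in for a real server certificate the proxy has already validated against the public roots, and ProxyCA, Resign and ClientAccepts are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProxyCA is the certificate signing authority the TLS proxy runs. Managed
// endpoints carry its root in their trust store; nothing outside does.
type ProxyCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool // the trust store a managed client would have
}

func NewProxyCA() (*ProxyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enterprise TLS Proxy CA"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ProxyCA{Cert: cert, Key: key, Pool: pool}, nil
}

func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// OriginCert builds a constructed self-signed certificate standing in for
// the real server's certificate, which the proxy checks before re-signing.
func OriginCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := leafTemplate(host, 100)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Resign is the "proxy re-signs server certificate" step: it mints a
// certificate carrying the server's subject and SANs, signed by the proxy
// CA and bound to the proxy's own key, so the client-side TLS session
// terminates at the proxy while the name the client expects still matches.
func (ca *ProxyCA) Resign(server *x509.Certificate, proxyKey *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := leafTemplate(server.Subject.CommonName, 200)
	tmpl.Subject = server.Subject
	tmpl.DNSNames = append([]string{}, server.DNSNames...)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, proxyKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts is the client's check: does cert chain to a trusted root and name host?
func ClientAccepts(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, _ := NewProxyCA()
	origin, _ := OriginCert("app.example.test") // constructed origin server
	proxyKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	resigned, _ := ca.Resign(origin, &proxyKey.PublicKey)
	fmt.Println("managed client, re-signed cert:  ", ClientAccepts(resigned, ca.Pool, "app.example.test"))
	fmt.Println("unmanaged client, re-signed cert:", ClientAccepts(resigned, x509.NewCertPool(), "app.example.test"))
}
```

The second line prints an unknown-authority error: a client that does not carry the proxy root rejects the re-signed certificate, which is why deploying that root to managed endpoints (and keeping its private key on the proxy only) is part of the design.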
Manage in Edge
Full Edge Security, Cloud or On-Prem, Branch Router Edge Flexibility

Single Pane of Glass
• Provision
• Manage
• Monitor
• Report
• Troubleshoot

Embedded
• Ent. Firewall App Aware
• IPS
• URL-Filtering
• AMP and Threat Grid

Cloud
• DNS/web-layer Security
• Secure Internet Gateway

Platforms
• ISR 1K
• ISR 4K
• ENCS (ISRv)
• CSR
• ASR 1K (Ent FW App Aware and DNS/web-layer security)
• vEdges (FW and DNS/web-layer security)

SD-WAN Security: vManage Provisioning Wizard
Configuration > Security

Enterprise App Aware Firewall
Enterprise App Firewall

• Stateful Firewall, Zone Policies
• Application Visibility and granular control
• 1400+ layer 7 applications classified
• Drop traffic by application category or specific application
• Segmentation
• PCI compliance
• HSL Logging
• Self Zone Policy

(Diagram: on the Edge Device, the Inside Zone (Users, Service-VPN 1) and the Guest Zone (Devices, Service-VPN 2) face the Outside Zone (Internet, SaaS). The inspect policy allows only return traffic to be allowed.)

Ent. Firewall App Aware: Intra-Zone Security
• Zone1 maps to VPN1 on the WAN Edge at SD-WAN Site A and at SD-WAN Site B, with hosts in Zone1 at both sites, connected across the SD-WAN Fabric
• Action: D - Drop, I – Inspect, P – Pass

Ent. Firewall App Aware : Inter-Zone Security
• Zone1 (VPN1) and Zone2 (VPN2) at Site A, Zone1 (VPN1) at Site B; VPN1-VPN2 route leaking via vSmart
• Action: D - Drop, I – Inspect, P – Pass

Ent. Firewall App Aware : Self-Zone Security
• Self Zone = VPN0 (Control Plane) on each WAN Edge; at Site A, Zone1 (VPN1), Zone2 (VPN2, with NAT) and Zone3 (Cloud); at Site B, Zone1 (VPN1); hosts and a printer behind the zones
• Action: D I P

vManage - Ent FW App Aware - Configuration (For Your Reference)

Intrusion Prevention

• Snort is the most widely deployed Intrusion Prevention solution in the world
• Backed by global threat intelligence (TALOS); signature update is automated
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance

(Diagram: IPS on the WAN Edge protecting on-site services)

vManage - Intrusion Prevention (For Your Reference)

URL Filtering

• 82+ Web Categories with dynamic URL Filtering updates
• Block based on Web Reputation score
• Create custom Black and White Lists
• Customizable End-user notifications

(Diagram: requests for "risky" domains are matched against White/Black lists of custom URLs and blocked/allowed based on Categories and Reputation.)

vManage - URL Filtering (For Your Reference)

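The decision order drawn on the URL-Filtering Solution Overview (Black List, White List, Category, Reputation) together with the feature list above, as an added Go example that is not Cisco's URLF engine. The category and reputation feed, the domains, the reputation threshold and the block reasons are constructed; URLFilter, Decide and NewDemoFilter are names chosen here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Verdict is what the URLF engine returns for one request.
type Verdict struct {
	Allowed bool
	Reason  string // which check decided, e.g. "blocklist", "category:gambling"
}

// URLFilter evaluates in the order the slide lists: Black List, White List,
// Category, Reputation. A blocklist hit wins over the allowlist; an allowlist
// hit skips the category and reputation checks. Category and reputation data
// would come from a vendor feed; here they are constructed lookup tables.
type URLFilter struct {
	BlockList, AllowList []string          // domains; match the domain and its subdomains
	BlockedCategories    map[string]bool   // categories to block
	MinReputation        int               // block when the score is below this
	Category             map[string]string // domain -> category (constructed feed)
	Reputation           map[string]int    // domain -> 0..100 score (constructed feed)
}

// domainMatch reports whether host equals pattern or is a subdomain of it.
func domainMatch(host, pattern string) bool {
	return host == pattern || strings.HasSuffix(host, "."+pattern)
}

func inList(host string, list []string) bool {
	for _, d := range list {
		if domainMatch(host, d) {
			return true
		}
	}
	return false
}

// candidates returns host and each parent domain, most specific first, so
// a feed entry for example.test also covers www.example.test.
func candidates(host string) []string {
	var out []string
	for h := host; h != ""; {
		out = append(out, h)
		if i := strings.Index(h, "."); i >= 0 {
			h = h[i+1:]
		} else {
			h = ""
		}
	}
	return out
}

// Decide parses the URL and runs the checks in order. Requests without a
// usable host are blocked rather than let through unexamined.
func (f *URLFilter) Decide(rawURL string) Verdict {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return Verdict{false, "unparseable"}
	}
	host := strings.ToLower(u.Hostname())
	if inList(host, f.BlockList) {
		return Verdict{false, "blocklist"}
	}
	if inList(host, f.AllowList) {
		return Verdict{true, "allowlist"}
	}
	for _, h := range candidates(host) {
		if cat, ok := f.Category[h]; ok {
			if f.BlockedCategories[cat] {
				return Verdict{false, "category:" + cat}
			}
			break
		}
	}
	for _, h := range candidates(host) {
		if score, ok := f.Reputation[h]; ok {
			if score < f.MinReputation {
				return Verdict{false, fmt.Sprintf("reputation:%d", score)}
			}
			break
		}
	}
	return Verdict{true, "default"}
}

// NewDemoFilter builds a filter over a constructed feed for the example.
func NewDemoFilter() *URLFilter {
	return &URLFilter{
		BlockList:         []string{"malware-drop.test"},
		AllowList:         []string{"intranet.corp.test"},
		BlockedCategories: map[string]bool{"gambling": true, "malware": true},
		MinReputation:     40,
		Category: map[string]string{"bet.test": "gambling", "news.test": "news",
			"intranet.corp.test": "gambling", "sketchy.test": "news"},
		Reputation: map[string]int{"bet.test": 70, "news.test": 85, "sketchy.test": 20},
	}
}

func main() {
	f := NewDemoFilter()
	for _, u := range []string{"https://malware-drop.test/x", "http://portal.intranet.corp.test/",
		"https://bet.test/", "http://sketchy.test/login", "https://news.test/today"} {
		v := f.Decide(u)
		fmt.Printf("%-36s allowed=%-5v %s\n", u, v.Allowed, v.Reason)
	}
}
```

The allowlisted intranet host is deliberately categorised as gambling in the constructed feed to show that the allowlist short-circuits the later checks, which is also why allowlist entries deserve review: they bypass reputation too.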
DNS/web-layer Security
Cisco Umbrella

• Block malware, phishing, and non-compliance domain requests
• Automatic API Key registration
• Supports DNScrypt
• VPN-aware policies
• Local Domain-bypass
• TLS decryption
• Intelligent Proxy

(Diagram: DNS queries from users in Service-VPN 1 and Service-VPN 2 are forwarded by the WAN Edge to Umbrella POPs.)

vManage – DNS/web-layer Security

Advanced Malware Protection and Threat Grid
Advanced Malware Protection + Threat Grid

• Integration with AMP
  - File reputation (check signature)
  - File retrospection
• Integration with ThreatGrid
  - File analysis (check file in the malware sandbox)
• Inspects traffic in VPNs of interest
• Leverages Snort engine to identify file transfers

vManage – AMP + ThreatGrid (For Your Reference)

IPS, URL-F & AMP Architecture (For Your Reference)

- IPS, AMP & URL Filtering services run in a Linux Container (LXC), using control plane resources
- Traffic is punted to the container using a Virtual Port Group (VPG) interface
- Reserved CPU and memory for the container process enable deterministic performance

(Diagram: the control plane runs IOSd, the App-Hosting Manager and the IPS/URL-F/AMP&TG LXC on the Linux OS, connected by virtual Ethernet; a Management VPG and a Traffic VPG (virtual ports) carry the data plane traffic path into and out of the container.)

Security App Hosting Profile & Resources (For Your Reference)

Core layout per platform (diagram):
• 4461 / 4451 / 4431: 4451 and 4431 – 10 Data Plane cores, 4461 – 16 Data Plane cores (PPE1 to PPE9, BQS, Crypto, I/O, CPP Code); Control Plane (4 cores): IOS, SVC1, SVC2, SVC3, Linux
• 4351 / 4331: Data Plane (4 cores): PPE1 to PPE3, Crypto, I/O; Control Plane (4 cores): IOS, SVC1, SVC2, SVC3, Linux
• 4321 / 4221 / 1K: Data Plane (2 cores): PPE, I/O; Control Plane (2 cores): IOS, SVC, Linux

Platforms | Total No of DP Cores | Total No of CP Cores | Total No of CP Cores for Security
4321/4221/1K | 2 | 2 | 1
4331 | 4 | 4 | 2
4351 | 4 | 4 | 2
4431 | 6 | 4 | 2
4451 | 10 | 4 | 2
4461 | 16 | 4 | 2

DP = Data Plane, CP = Control Plane, SVC = Services

SD-WAN Security Support (For Your Reference)

Platforms/Features                                             Ent FW   Ent FW App Awareness   IPS/IDS   URL Filtering   AMP/TG   DNS/web-layer security *
Viptela - (100, 1000, 2000, 5000 and 1100-4G/6G)               Y        N **                   N/A       N/A             N/A      N
Cisco - CSR                                                    Y        Y                      Y         Y               Y        Y
Cisco – ENCS (ISRv)                                            Y        Y                      Y         Y               Y        Y
Cisco – ISR4K (4461, 4451, 4431, 4351, 4331, 4321, 4221-X)     Y        Y                      Y         Y               Y        Y
Cisco – ISR1K                                                  Y        Y                      Y         Y               Y        Y
Cisco - ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X)***            Y        Y                      N/A       N/A             N/A      Y

* Umbrella Subscription required for enforcement
** Stateful Firewall and DPI using Qosmos are separate on the vEdges
Ent FW App Aware and DNS/web-layer security are supported with the default 4GB DRAM
Security App Hosting Profile & Resources

Security App Hosting Profile: Default
  IPS / URL-F Features: IPS + URLF (Cloud Lookup only) + AMP (File hashing)
  Minimum Platform requirement: 8GB Bootflash & 8GB Memory; 1 / 2 service plane cores
  Platform Supported: ISR1K/4221X/4321, 4331/4351/44xx, 4/8vCPU CSR / ISRv

Security App Hosting Profile: High
  IPS / URL-F Features: IPS + URLF (On-box DB + Cloud Lookup) + AMP (File hashing) + Threat Grid (TG)
  Minimum Platform requirement: 16GB Bootflash & 16GB Memory; 2 service plane cores
  Platform Supported: 4331/4351/44xx, 4/8vCPU CSR/ISRv

Enterprise FW and DNS/web-layer security will work with the default 4 GB DRAM
SD-WAN Security Features – Order of Operation (For Your Reference)

G0/0 – LAN facing, G0/1 – WAN facing

[Figure: packet processing stages, listed left to right as drawn]
LAN to WAN
  Ingress G0/0: NBAR, VFR, IP Dest Lookup, DNS Security, CEF
  Egress G0/1: NAT, FW, IPS, URL-F, AMP&TG, DNS Security, NBAR
WAN to LAN
  Ingress G0/1: VFR, DNS Security, NAT, CEF
  Egress G0/0: FW, IPS, URL-F, AMP&TG, DNS Security, NBAR
Secure Management

vManage Authentication methods
• Local Database / RADIUS / TACACS
• Single-Sign On

[Figure: SSO exchange between the Admin, vManage and the Identity Provider]
1. Admin → vManage: Access Resource
2. vManage → Admin: Redirect to SSO
3. Admin → Identity Provider: Contact SSO
4. Identity Provider → Admin: Challenge
5. Admin → Identity Provider: Credentials Supplied
6. Identity Provider → Admin: Auth Response
7. Admin → vManage: Auth Response
8. vManage → Admin: Resource Supplied
RBAC
RBAC by VPN Feature (For Your Reference)

Admin user:
• Create VPN dashboards:
  – Create/discover VPN segments in a network
  – Create VPN groups
  – New VPN dashboard for each VPN group
• Create users with VPN group access:
  – Link user group to VPN group
  – Create users with access to VPN group

VPN group user:
• Access to VPN Dashboard only
  – Monitor devices, network, and application status via VPN dashboard
  – VPN dashboard information restricted to devices with segments in VPN group
  – Monitor option restricted to devices with segments in VPN group
  – Interface monitoring on device restricted to interfaces of segments in the VPN group
[Screenshot: vManage Admin Dashboard (full access) beside the VPN Dashboard (restricted access) for VPN Group: British Airways (VPN 1, 2)]

VPN Dashboard View
[Screenshot: device health status, British_Airways VPN details and application status as shown on the VPN dashboard]
Cisco DNA SD-WAN Licensing
Capability Based Packaging

Cisco DNA Essentials – Simplified management & security protection for the cost-conscious customer
• Enterprise firewall with app controls
• Talos-powered IPS
• Cisco Umbrella DNS Monitoring
• Application-based SLA
• Basic WAN & path optimizations
• Single centralized management console in the cloud or on-prem
• Forward Error Correction (FEC)
• Packet duplication
• Flexible topology & dynamic routing (hub/spoke, partial/full mesh)
• Up to 50 Device overlay

Cisco DNA Advantage – Advanced SD-WAN with enhanced security for feature-rich & varied branch deployment models
• Cisco AMP with SSL proxy
• URL filtering
• Cloud OnRamp for IaaS, SaaS, and Colo
• AppQoE & WAAS RTU
• Integrated border plus orchestration for campus, branch & DC
• Integrated voice/UC gateways
• vAnalytics
• Includes Cisco DNA Essentials

Cisco DNA Premier – Advanced SD-WAN security will mitigate the most sophisticated threats to your business
• Cisco Umbrella Insights®
• Cisco Threat Grid®
• Cisco Umbrella app discovery
• Includes Cisco DNA Advantage and Cisco DNA Essentials
Demo

[Figure: demo topology. Raleigh – HQ: VPN 1 on 192.168.10.0/24 (Vlan 10, gateway .1) with hosts .10, .20, .30, .40 (Ubuntu, Win 2016, FC); Vlan 11 192.168.11.0/24 and Vlan 12 192.168.12.0/24; WAN-side addresses 192.168.1.1 and .2. Transports: Internet (Tunnel 2, INET; addresses 1.1.1.1, 1.1.1.2, 1.1.1.3) and MPLS (Tunnel 3; AS 100 and AS 200). Management network 10.118.x.0/28 with vManage at 10.118.34.9 (admin/admin); Vlan 40 192.168.40.0/24 (.3, .9, .10, .11). Cary – Branch 1: VPN 1 on 192.168.20.0/24 (Vlan 20) with Ubuntu (.10) and Win 2016 (.20); Vlan 21 192.168.21.0/24, Vlan 22 192.168.22.0/24. Durham – Branch 2: VPN 1 on 192.168.30.0/24 (Vlan 30) with Ubuntu (.10) and Win 2016 (.20); Vlan 31 192.168.31.0/24, Vlan 32 192.168.32.0/24.]
Recap - Cisco SD-WAN Controllers

Cisco vBond – Orchestration Plane
• Orchestrates control and management plane
• First point of authentication
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [or 1:1 NAT]
• Highly resilient

Cisco vSmart – Control Plane
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies
• Reduces control plane complexity
• Highly resilient

Cisco vManage – Management Plane
• Single pane of glass
• Multitenant with scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC and per VPN visibility
• Programmatic interfaces (REST, NETCONF)
• Highly resilient

WAN Edge – Data Plane (Physical/Virtual)
• Provides secure data plane
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages protocols OSPF, BGP, EIGRP and VRRP
• Zero Touch Provisioning
Recap - SD-WAN Security Capabilities
Requires 4 GB of additional DRAM = 8 GB Platform

• Ent. Firewall App Aware
• Intrusion Prevention
• URL Filtering
• Advance Malware Protection and TG
• DNS/web-layer security

[Figure: the five capabilities on an Edge Device. Firewall: Guest Zone, Inside Zone and Outside Zone; Inspect policy automatically allows response traffic. Intrusion Prevention: Check Signature. URL-F: Block/Allow based on Categories, Reputation; White/Black lists of custom URLs. AMP: Check file; Malware Sandbox (ThreatGrid). DNS-layer Sec: requests for "risky" domains are blocked, safe requests go out to the Internet and SaaS. Service VPN 1 (On-site Services) and Service VPN 2 (Users and Devices).]
Release Notes and Image Download Links (For Your Reference)

Release Notes for both 19.2.x:
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/19-2/sd-wan-rel-notes-19-2.html#id_102854

16.12.2r Software Download Link for ISR 1K/4K and ASR:
ISR 1K: https://software.cisco.com/download/home/286321996/type/286321980/release/16.12.2r
ISR 4K: https://software.cisco.com/download/home/286321991/type/286321980/release/16.12.2r
ASR1K: https://software.cisco.com/download/home/286321999/type/286321980/release/16.12.2r

19.2.1 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/19.2.1

18.4 vManage upgrade image download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/19.2.1
SD-WAN Security – External Resources (For Your Reference)

Cisco SD-WAN - http://www.cisco.com/go/sdwan
Network World - https://tinyurl.com/yabey6f2
WSJ - https://tinyurl.com/yb75loxn
Lightreading - https://tinyurl.com/yba9zb4s
FB: https://tinyurl.com/y9u375hk
YouTube Network Field Day (demo): https://tinyurl.com/y955ufde
Thank you