BRKRST-2377: SD-WAN Security
BRKRST-2377 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
About Kureli Sankar
About Kural Arangasamy
Agenda
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Secure Branch
• Ent Firewall App Aware
• Intrusion Prevention
• URL - Filtering
• DNS/Web-layer Security
• Advanced Malware Protection + Threat Grid
• Secure Management
• Demo
Introduction
SD-WAN exposes new security challenges
• Direct Internet Access exposes ingress points: ingress points are exposed because traffic is no longer backhauled to the data center.
• Policy and access gaps expand the attack surface: users and devices request access to critical infrastructure and applications, often over a WAN with basic or no existing WAN security and no security at the cloud edge.
• Defend against bad destinations & data breaches: traffic must be encrypted end to end, access must be segmented, and compliance must be maintained.
(Diagram: SaaS, IaaS and Internet destinations; remote and corporate users, devices, IoT, mobile and guest devices; SD-WAN fabric, WAN edge, cloud edge, data center and campus.)
Outside-in threats: unauthorized access, denial of service attacks, ransomware.
Inside-out threats: malware infection, command & control, phishing attacks, untrusted users/devices (guests).
Internal threats: untrusted access, lateral movement, man-in-the-middle.
Comprehensive SD-WAN security
• Secure Cloud Edge (outside-in): Umbrella's Secure Internet Gateway protects users, devices and data sent to and from the cloud; Duo's Multi-Factor authentication.
• Secure WAN Edge (inside-out): full edge security stack with integrated firewall and intrusion prevention embedded, plus URL filtering and malware sandboxing, for inside-out network (and application) layer security.
• Simplified internal security: end to end segmentation from the WAN to the cloud edge to stop breach propagation, enforce regulatory compliance, and promote secure, enterprise-grade cloud connections.
• SD-WAN security embedded: mitigate external security risks with integrated threat defense; a single console to manage.
Cisco SD-WAN Holistic Approach
(Diagram: a multitenant, cloud-delivered, highly automated fabric with rich analytics; secure, scalable and app aware; connecting DC, vDC, IaaS, SaaS, devices, applications and things.)
Secure Infrastructure
Cisco SD-WAN Architecture
High level view of ordering and on-boarding
(Diagram: the order is placed in Cisco Commerce Workspace against a Smart Account; the PnP Cloud Service automates on-boarding; a vBond Controller Profile is added and associated with the Org-Name; vManage and vBond then on-board the WAN Edge; customer, service provider and end customer roles are shown.)
Device identity and Integrity
History of Malware Found on Cisco IOS Devices
Incident 0 (discovered 2011): devices affected: Cisco 2800 and 3800 families; remote detectability: via crypto analysis; preventions to be taken: Trust Anchor Technology, Secure Boot, & Image Signing.
Incident 1 (discovered 2012): devices affected: Cisco 2800 and 3800 families; remote detectability: via crypto analysis; preventions to be taken: Trust Anchor Technology, Secure Boot, & Image Signing.
Incident 2 (discovered 2013): devices affected: Cisco 7600 IOS & line cards; remote detectability: C2 protocol; preventions to be taken: strong admin credentials & authorization.
Incident 3 (discovered 2013): devices affected: Cisco 7600 IOS & line cards; remote detectability: C2 protocol; preventions to be taken: strong admin credentials & authorization.
Incident 4 (discovered 2014): devices affected: Cisco 1800, 3800, 7200 IOS & ROMMON; remote detectability: not directly; preventions to be taken: Secure Boot, Trust Anchor Technologies + Image Signing.
Incident 5, "SYNful Knock" (discovered 2015): devices affected: Cisco 1841, 2811, 3825; remote detectability: yes; preventions to be taken: strong admin credentials, Secure Boot, Image Signing.
Key Trustworthy Technologies
Secure Boot of Signed Images: prevents malicious code from booting on a Cisco platform; automated integrity checks; monitors the startup process and shuts down if compromised; faster identification of threats.
Trust Anchor module (TAm): tamper-resistant chip with an X.509 cert installed at manufacturing; provides unique device identity and anti-counterfeit protections; secure, non-volatile on-board storage and RNG/crypto services; enables zero-touch provisioning and minimizes deployment costs.
Runtime Defenses (RTD): protects against injection of malicious code into running software; makes it harder for attackers to exploit vulnerabilities in running software; runtime technologies include ASLR, BOSC, and X-Space.
Secure Unique Device Identification (Secure-UDI)
Image Signing: Integrity & Non Repudiation
(Diagram: validation check of the software image at the customer site, steps 1 to 5.)
Cisco Secure Boot
Software and Hardware Integrity Checks
(Diagram: hardware authenticity check and software authenticity checks, steps 5 and 6, involving the FPGA.)
The first instructions run on the CPU are stored in tamper-resistant hardware (TAm = Trust Anchor module).
Cloud (Virtual) Router Identity
Device certificate(s), signed by vManage (if cluster, each member signs):
• OTP/Token is generated by vManage
- One per (chassis ID, serial number) in the uploaded WAN Edge list
• OTP/Token is supplied to the Cloud router in Cloud-Init during the VM deployment
- Can activate from CLI post VM deployment
• vManage signs certificate(s) for the Cloud router post OTP/Token validation
- If vManage cluster, each member signs
- vManage removes the OTP to prevent reuse
Root chain, in software:
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
• Alternatively, an Enterprise root CA chain of trust can be used to validate Control Plane elements
- Can be provided in Cloud-Init
Establishing Control Elements Identity
Establishing Control Elements Identity – Cisco PKI 19.1
Control Plane Policing on vManage and vSmart (diagram):
• Authenticated sources (vSmart, vManage): control plane policing at 500pps per flow, 10,000pps in total
• Unknown sources (other), default permit: DHCP, DNS, ICMP, NETCONF
• Unknown sources (other), optional permit: SSH, NTP, STUN, HTTPS (vManage)
Note: vBond control plane policing is the same as WAN Edge
DDoS Protection for SD-WAN Edge Routers
• Authenticated sources (vBond, vSmart, vManage): control plane policing* at 500pps per flow, 10,000pps in total
• Implicitly trusted sources: SD-WAN IPSec
• Explicitly defined sources: Cloud Security
• Unknown sources (other), default permit:
1. Return packets matching a flow entry (DIA enabled)
2. Response packets of DHCP, DNS
3. ICMP
• Unknown sources (other), optional permit: SSH, NETCONF, NTP, OSPF, BGP, STUN
* Only on vEdges
Secure Control Plane
Transport Locators (TLOCs)
(Diagram: each WAN Edge advertises its local TLOCs (System IP, Color, Encap) to the vSmarts by default; the vSmarts advertise TLOCs to all WAN Edges* by default, which forms a full mesh SD-WAN fabric.)
Secure Data Plane
SD-WAN Fabric Operation Walk-Through
(Diagram: each WAN Edge builds a DTLS/TLS tunnel to the vSmart and exchanges OMP updates over it. An OMP update carries reachability (IP subnets, TLOCs), security (encryption keys) and policy (data/app-route policies). The WAN Edges then build IPSec tunnels with BFD across Transport1 and Transport2; each WAN Edge has VPN1 and VPN2 with BGP, OSPF, connected and static subnets (A, B, C, D) behind it.)
Data Plane Privacy
• Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes
• Encryption keys are per-transport
• Symmetric encryption keys are used asymmetrically
• Keys can be rapidly rotated
(Diagram: each WAN Edge generates its own keys locally, one per transport (Encr-Key1 to Encr-Key4 for Transport 1 and Transport 2), and sends them in OMP updates through the vSmart controllers over DTLS; Edge-A's encryption key for B and A's encryption key for C protect the IPSec/GRE tunnels to Edge-B and Edge-C across the Internet.)
Data Plane Integrity
• vBond discovers the WAN Edge public IP address, even if it traverses NAT
• vBond communicates the public IP to the WAN Edge
• The WAN Edge computes the AH value based on the post-NAT public IP
• Packet integrity (+IP headers) is preserved across NAT
Segmentation
(Diagram: at the ingress WAN Edge, interfaces and VLANs are mapped into VPN 1, VPN 2 and VPN 3; the VPNs are carried inside the SD-WAN IPSec tunnel; the egress WAN Edge maps them back to interfaces and VLANs.)
• Segment connectivity across the fabric w/o reliance on the underlay transport
• WAN Edge routers maintain a per-VPN routing table
• Labels are used to identify the VPN for destination route lookup (RFC 4023)
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
Combining Best of Breed in Security and SD-WAN
Cisco Security:
• Enterprise Firewall: +1400 layer 7 apps classified
• URL-Filtering: web reputation score using 82+ web categories
• Adv. Malware Protection: with file reputation and sandboxing (TG)
1. Avoid Backhauling. Benefit: better use of WAN bandwidth
3. Enable DIA. Benefit: improves user experience
4. Centralized Policy/Monitoring. Benefit: consistent security policy & monitoring
(Diagram: SaaS/IaaS/private cloud/Internet; data center firewall/IPS; cloud security; branch security.)
SD-WAN Security Use Cases
• Use Case: Direct Internet Access: firewall, IPS, URL filtering, AMP+TG on the edge, with Umbrella cloud security; managed from vManage
• Use Case: Guest Services: firewall and URL filtering
• Use Case: Industry Compliance: firewall, IPS and AMP+TG, with co-location of data center security tools and applications reached over VPN1
Use Case 2: Guest Access
(Diagram: employees and guests on separate VPNs (VPN1, VPN2) behind the SD-WAN edge; HQ destined traffic goes to the data center applications and security tools, employee Internet traffic breaks out locally.)
Use Case 3: Direct Cloud Access
(Diagram: SD-WAN edge with direct access to cloud applications over the Internet.)
Use Case 4: Direct Internet Access
(Diagram: SD-WAN edge with direct Internet breakout.)
Why Multi-Layered Security and How it Works?
Multi-layer Security
• Access Control Lists (Network Access Control)
• Stateful Firewall (Layer 4 inspection)
• Application Control (Layer 7 inspection)
• IPS (Signature Detection)
• DNS/Web/Content Filtering (Application inspection)
• IP Reputation (Block known bad IPs)
• File Reputation (Block known bad Files)
• Anti-Malware / Anti-Virus (Signature / Heuristic Detection)
• Sandboxing Capabilities (Zero-day threats)
• CASB (Cloud Access Security Broker) (Cloud Applications)
Access Control Lists
Stateful Firewall
• Deep inspection
• Session tracking
• Stateful inspection
• Application Layer Gateway
• Protocol misbehaviors
• Directional control
• Stricter Layer 4 control
(Diagram: packet fields Src IP, Dst IP, TCP Port, SYN, HTTP, URL, Data; application identification feeds the AppAware Firewall.)
Firewall vs Next-Gen Firewall - What's the difference?
Stateful Firewall:
• Deep inspection
• Stateful inspection
• Protocol misbehaviors
• Directional control
• Stricter Layer 4 control
Next-Gen Firewall (diagram: URLF, access control, AMP, AppID and IPS engines inspect the packet fields Src IP, Dst IP, TCP Port, SYN, HTTP, URL, Data):
• Deep inspection
• Stateful inspection
• Application identification by L7 inspection
• Directional control
• User Id / context based policy
• Intrusion prevention
• URL/DNS/web content filtering
• Anti-malware / anti-virus
• Advanced logging / alerting
• SIEM integration
• TLS/SSL inspection
• Threat intel integration
Intrusion Detection/Prevention System (IDS/IPS)
Example Snort rule:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)
• Protocol engines check for protocol level misbehaviours
• The detection engine matches attack signatures
• Rules (signatures) are updated as and when new attacks are identified
(Diagram of the IPS engine: the packet decoder parses MAC, IP, TCP, HTTP and HTTP_CLIENT_BODY; preprocessors handle L3–7, L2/3 sessions, file and AppId; the detection engine applies the signature rules; the output module emits alerts, packet logs and a verdict.)
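To make the pipeline on this slide concrete, here is an added example (not Cisco's or Snort's code) that parses the rule shown above, applies its flow and content options to constructed HTTP requests, and returns the detection engine's verdict. It handles only the options that rule uses (content with |hex| escapes, flow, sid, rev, msg); the hostnames and payloads are constructed.

```python
import re

# Snort rule copied from the slide (SID 5808); used here as the sample signature.
RULE = ('drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; '
        'flow:to_server,established; content:"User-Agent|3A| SAH Agent"; '
        'fast_pattern:only; metadata:policy balanced-ips drop, '
        'policy connectivity-ips drop, policy security-ips drop, service http; '
        'classtype:misc-activity; sid:5808; rev:10;)')

_OPTION = re.compile(r'(\w+)(?::([^;]*))?;')   # "key:value;" or a bare "keyword;"


def decode_content(text):
    """Expand Snort |hex| escapes: 'User-Agent|3A| SAH' -> b'User-Agent: SAH'."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(text):
    """Parse the header and the options this matcher understands."""
    header, _, body = text.partition('(')
    action, proto, src, sport, _arrow, dst, dport = header.split()
    contents, flow, opts = [], set(), {}
    for key, value in _OPTION.findall(body.rstrip(')')):
        value = value.strip()
        if key == 'content':
            contents.append(decode_content(value.strip('"')))
        elif key == 'flow':
            flow = {f.strip() for f in value.split(',')}
        else:
            opts[key] = value.strip('"')
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'contents': contents, 'flow': flow,
            'sid': int(opts['sid']), 'rev': int(opts['rev']), 'msg': opts['msg']}


def matches(rule, pkt):
    """pkt: dict with proto, direction ('to_server'/'to_client'), established, payload."""
    if pkt['proto'] != rule['proto']:
        return False
    if 'established' in rule['flow'] and not pkt['established']:
        return False   # session state from the preprocessor: established TCP only
    if 'to_server' in rule['flow'] and pkt['direction'] != 'to_server':
        return False   # directional control
    return all(needle in pkt['payload'] for needle in rule['contents'])


def verdict(rule, pkt):
    """Detection engine verdict: the rule's action on a match, otherwise pass."""
    return rule['action'] if matches(rule, pkt) else 'pass'


def run_demo():
    """Constructed HTTP requests run through the slide's rule; returns the verdicts."""
    rule = parse_rule(RULE)
    beacon = (b'GET /gate.php HTTP/1.1\r\nHost: example.test\r\n'
              b'User-Agent: SAH Agent\r\n\r\n')            # constructed C2 check-in
    browser = (b'GET / HTTP/1.1\r\nHost: example.test\r\n'
               b'User-Agent: Mozilla/5.0\r\n\r\n')          # constructed normal request
    mk = lambda payload, direction='to_server', est=True: {
        'proto': 'tcp', 'direction': direction, 'established': est, 'payload': payload}
    return {
        'beacon': verdict(rule, mk(beacon)),                        # drop
        'browser': verdict(rule, mk(browser)),                      # pass
        'beacon_reply': verdict(rule, mk(beacon, 'to_client')),     # pass: wrong direction
        'beacon_no_session': verdict(rule, mk(beacon, est=False)),  # pass: no session
    }
```

The last two cases show why the flow option matters: the same bytes seen in the wrong direction or outside an established session do not fire the rule.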
URL-Filtering Solution Overview
(Diagram: users behind the WAN Edge send web requests; the URLF engine checks each request against the blacklist and the category database; allowed Internet traffic is forwarded, blocked Internet traffic is answered with a block page; HQ destined traffic is not affected.)
DNS-Filtering Solution Overview
(Diagram: a user's DNS request (2) is forwarded by the WAN Edge to Umbrella; when the request is blocked, the user receives blocked content (5) instead of reaching the Internet destination.)
File Reputation & Retrospection Service – Solution Overview
How it works?
• File download intercepted
• File sha calculated
• Reputation lookup
• File released or blocked
• Local or Cloud database
What it does?
• File sha match
• Good or bad files database
• Known bad files blocked
• File database updated frequently
• File retrospection
(Diagram: the user (Martha) sends a file request (1) to a web server; the file download (2) is intercepted by the WAN Edge, which sends the file sha (3) to the File Reputation Service; the FRS engine checks its verify cache (4) and the database of good and bad files (sha256 and filename) and returns a verdict (5); the file is allowed (6) or blocked.)
File Analysis (Sandbox) – Solution Overview
How it works?
• File sha lookup
• Unknown reputation
• File transfer to FAS
• File runs in a virtual environment
• Bad files blocked
What it does?
• Execute file in a VM
• Analyze file execution
• Analyze file content
• Detect malicious behavior
(Diagram: file request (1), file download (2), file sha (3) to the File Reputation Service and its verify cache (4); a file with unknown reputation is transferred to the File Analysis Service; the resulting allow (7) lets the file through to the user (Martha), bad files are blocked.)
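An added example (not Cisco's implementation) that walks the two flows above: hash the intercepted download, consult the verify cache and the good/bad database, hand unknown files to analysis, and, when a later verdict marks an already-released file as bad, use retrospection to report every host that received it. Hostnames and file contents are constructed.

```python
import hashlib


def sha256_of(data):
    """Step (3) on the slide: the edge hashes the intercepted download, not its filename."""
    return hashlib.sha256(data).hexdigest()


class FileReputationService:
    """Model of the File Reputation Service: verify cache, good/bad file database,
    hand-off of unknown files to file analysis, and retrospection on verdict changes."""

    def __init__(self, known_bad=(), known_good=()):
        self.known_bad = set(known_bad)      # "Bad Files" database (sha256)
        self.known_good = set(known_good)    # "Good Files" database (sha256)
        self.verify_cache = {}               # sha256 -> cached verdict (step 4)
        self.delivered = {}                  # sha256 -> hosts the file was released to
        self.analysis_queue = []             # unknown files sent to the sandbox (FAS)
        self.retro_events = []               # (host, sha256) found bad after release

    def lookup(self, sha):
        if sha in self.verify_cache:
            return self.verify_cache[sha]
        if sha in self.known_bad:
            verdict = 'malicious'
        elif sha in self.known_good:
            verdict = 'clean'
        else:
            verdict = 'unknown'
            self.analysis_queue.append(sha)  # sandbox decides later
        self.verify_cache[sha] = verdict
        return verdict

    def inspect_download(self, host, data):
        """Steps (2) to (6): hash, look up, then release or block the file."""
        sha = sha256_of(data)
        if self.lookup(sha) == 'malicious':
            return sha, 'blocked'
        self.delivered.setdefault(sha, []).append(host)   # released: remember who got it
        return sha, 'allowed'

    def update_verdict(self, sha, verdict):
        """Database update (for example a sandbox result). If a released file turns
        out bad, retrospection reports every host that already received it."""
        self.verify_cache[sha] = verdict
        if verdict == 'malicious':
            self.known_bad.add(sha)
            self.known_good.discard(sha)
            for host in self.delivered.get(sha, []):
                self.retro_events.append((host, sha))
        elif verdict == 'clean':
            self.known_good.add(sha)


def run_demo():
    """Constructed files and hosts walked through the flow; returns the outcomes."""
    known_bad_sample = b'constructed-known-bad-sample'
    installer = b'constructed-known-good-installer'
    novel = b'constructed-never-seen-dropper'
    frs = FileReputationService(known_bad=[sha256_of(known_bad_sample)],
                                known_good=[sha256_of(installer)])
    bad = frs.inspect_download('martha-mac', known_bad_sample)
    good = frs.inspect_download('martha-mac', installer)
    unk = frs.inspect_download('martha-mac', novel)    # unknown: released, sent to sandbox
    frs.inspect_download('branch-win2016', novel)      # cached 'unknown', also released
    frs.update_verdict(unk[0], 'malicious')            # sandbox verdict arrives later
    later = frs.inspect_download('hq-ubuntu', novel)   # now blocked from the cache
    return {'bad': bad[1], 'good': good[1], 'unknown_first': unk[1],
            'unknown_later': later[1], 'queued': len(frs.analysis_queue),
            'retro': sorted(frs.retro_events)}
```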
Cloud Access Security Broker (CASB) – Solution Overview
How it works?
• Forward proxy
• Reverse proxy
• API node
What it does?
• Visibility
• Policy compliance
• Security
• Authentication
• Authorization
• Device profiling
• Encryption
• Data loss prevention
• Malware prevention
(Diagram: branch users behind the WAN Edge reach cloud applications over MPLS and INET through the CASB.)
TLS/SSL Decryption (MiTM Proxy) – Solution Overview
Why do you need it?
• More apps/data cloud hosted
• Internet going dark
• >80% of Internet traffic encrypted
• Lack of security control
• Malware hidden in encrypted traffic
How does it work?
• URL request intercepted
• Server certificate checked
• Proxy re-signs the server certificate
• User traffic redirected via the proxy
• Decrypt and inspect
• Re-encrypt and send
(Diagram: employee Internet traffic leaves the WAN Edge on G0/0/0 through the proxy; HQ destined traffic goes to the data centre applications.)
Manage in Edge
(Diagram: full edge security, in the cloud or on-prem, with branch router edge flexibility.)
SD-WAN Security: vManage Provisioning Wizard
Enterprise App Aware Firewall
Enterprise App Firewall
• Segmentation
• PCI compliance
• HSL logging
• Self zone policy
(Diagram: inside zone users and guest zone devices on Service-VPN 1 and Service-VPN 2 reaching SaaS.)
Ent. Firewall App Aware: Intra-Zone Security
(Diagram: hosts in Zone1/VPN1 behind both WAN Edges talk across the SD-WAN fabric; action: D - Drop, I - Inspect, P - Pass.)
Ent. Firewall App Aware: Inter-Zone Security
(Diagram: Zone1/VPN1 hosts reach Zone2/VPN2 hosts across the SD-WAN fabric, which requires VPN1-VPN2 route leaking via the vSmart; action: D - Drop, I - Inspect, P - Pass.)
Ent. Firewall App Aware: Self-Zone Security
(Diagram: the Self Zone is VPN0, the control plane, on each WAN Edge; Zone1 (VPN1), Zone2 (VPN2) and Zone3 (cloud, behind NAT) are the other zones; action: D - Drop, I - Inspect, P - Pass.)
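The three slides above describe one mechanism: zone pairs with a D/I/P action. The added model below (illustration only, not Cisco's firewall code) evaluates intra-zone, inter-zone (VPN1 to VPN2) and self-zone policies and shows what "inspect" adds over "pass": return traffic of an inspected session is allowed without a reverse zone pair. Zone names, VPN numbers and addresses are constructed; the default-deny behaviour is this model's assumption.

```python
from collections import namedtuple

# Constructed flow record: the VPN on each side plus the usual 5-tuple fields.
Flow = namedtuple('Flow', 'src_vpn src sport dst_vpn dst dport proto')


class ZoneFirewall:
    """Zone-based firewall model: zones contain VPNs, each zone pair carries an
    ordered rule list, and every rule's action is D (drop), I (inspect) or P (pass)."""
    ACTIONS = {'D': 'drop', 'I': 'inspect', 'P': 'pass'}

    def __init__(self):
        self.zone_of_vpn = {}   # VPN id -> zone name ('self' for VPN0 / control plane)
        self.policies = {}      # (src zone, dst zone) -> [(predicate, action code)]
        self.sessions = set()   # state created by 'inspect', keyed on the forward 5-tuple

    def add_zone(self, zone, *vpns):
        for vpn in vpns:
            self.zone_of_vpn[vpn] = zone

    def add_policy(self, src_zone, dst_zone, rules):
        self.policies[(src_zone, dst_zone)] = rules

    def evaluate(self, flow):
        """Return 'drop', 'inspect' or 'pass' for a packet that starts or continues a flow."""
        # Return traffic of an inspected session is allowed without a reverse zone pair.
        if (flow.dst, flow.dport, flow.src, flow.sport, flow.proto) in self.sessions:
            return 'pass'
        src = self.zone_of_vpn.get(flow.src_vpn)
        dst = self.zone_of_vpn.get(flow.dst_vpn)
        if src is None or dst is None:
            return 'drop'        # VPN not in any zone: no policy can apply (assumed default)
        for predicate, code in self.policies.get((src, dst), []):
            if predicate(flow):
                action = self.ACTIONS[code]
                if action == 'inspect':
                    self.sessions.add((flow.src, flow.sport, flow.dst, flow.dport, flow.proto))
                return action
        return 'drop'            # no zone pair, or no matching rule: implicit deny (assumed)


def tcp_to(*ports):
    return lambda f: f.proto == 'tcp' and f.dport in ports


def build_demo_firewall():
    """Intra-zone, inter-zone (VPN1 to VPN2, which needs route leaking) and self-zone policies."""
    fw = ZoneFirewall()
    fw.add_zone('self', 0)            # VPN0, the router's own control plane
    fw.add_zone('zone1', 1)           # service VPN1
    fw.add_zone('zone2', 2)           # service VPN2
    fw.add_policy('zone1', 'zone1', [(tcp_to(80, 443), 'I'), (lambda f: True, 'P')])
    fw.add_policy('zone1', 'zone2', [(tcp_to(443), 'I')])          # anything else: drop
    fw.add_policy('zone1', 'self', [(tcp_to(22), 'D'), (lambda f: f.proto == 'icmp', 'P')])
    return fw


def run_demo():
    fw = build_demo_firewall()
    web = Flow(1, '10.1.1.10', 40000, 2, '10.2.2.20', 443, 'tcp')   # constructed addresses
    reply = Flow(2, '10.2.2.20', 443, 1, '10.1.1.10', 40000, 'tcp')
    return {
        'vpn1_to_vpn2_https': fw.evaluate(web),                                          # inspect
        'https_reply': fw.evaluate(reply),                                                # pass
        'vpn1_to_vpn2_http': fw.evaluate(web._replace(dport=80)),                         # drop
        'vpn2_to_vpn1_new': fw.evaluate(reply._replace(sport=5555)),                      # drop
        'ssh_to_router': fw.evaluate(Flow(1, '10.1.1.10', 40001, 0, '10.1.1.1', 22, 'tcp')),    # drop
        'ping_router': fw.evaluate(Flow(1, '10.1.1.10', 0, 0, '10.1.1.1', 0, 'icmp')),         # pass
        'intra_zone_dns': fw.evaluate(Flow(1, '10.1.1.10', 5353, 1, '10.1.1.53', 53, 'udp')),  # pass
    }
```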
Intrusion Prevention
• PCI compliance
vManage - Intrusion Prevention (For Your Reference)
URL Filtering
Requests for "risky" domains are filtered
vManage - URL Filtering (For Your Reference)
DNS/web-layer Security
Cisco Umbrella
• Supports DNSCrypt
• Local domain bypass
• TLS decryption
Advanced Malware Protection and Threat Grid
Advanced Malware Protection + Threat Grid (AMP, ThreatGrid)
vManage – AMP + ThreatGrid (For Your Reference)
IPS, URL-F & AMP Architecture (For Your Reference)
(Diagram: IPS/URL-F/AMP&TG run in an LXC next to IOSd on the Linux OS under the App-Hosting Manager; a virtual Ethernet connects the container to the control plane; a management VPG and a traffic VPG, the virtual port groups, connect it to the data plane traffic path.)
- IPS, AMP & URL Filtering services run in a Linux Container (LXC), using control plane resources
- Traffic is punted to the container using a Virtual Port Group (VPG) interface
- Reserved CPU and memory for the container process enable deterministic performance
Security App Hosting Profile & Resources (For Your Reference)
(Diagram: CPP code runs on cores PPE3, PPE6, PPE7, PPE8, PPE9, BQS, I/O and crypto; the SVC2 and SVC3 cores run Linux for the container.)
SD-WAN Security Support (For Your Reference)
Platforms/Features: Ent FW | Ent FW App Awareness | IPS/IDS | URL Filtering | AMP/TG | DNS/web-layer security *
Viptela (100, 1000, 2000, 5000 and 1100-4G/6G): Y | N ** | N/A | N/A | N/A | N
Cisco CSR: Y | Y | Y | Y | Y | Y
Security App Hosting Profile & Resources
SD-WAN Security Features – Order of Operation (For Your Reference)
(Diagram: LAN to WAN traffic enters on G0/0 and leaves on G0/1; WAN to LAN traffic enters on G0/1 and leaves on G0/0. The stages shown along each path are NAT, DNS security, FW, IPS, URL-F, AMP&TG and NBAR, with VFR and CEF on the WAN side.)
Secure Management
vManage Authentication methods
• Local Database / RADIUS / TACACS
• Single Sign-On
SSO flow (diagram):
1. The admin accesses a resource on vManage
2. vManage redirects the admin to SSO
3. The admin contacts the SSO Identity Provider
4. The Identity Provider challenges for credentials
5. Credentials are supplied
6. The Identity Provider returns an auth response
7. The auth response is presented to vManage
8. vManage supplies the resource
RBAC
RBAC by VPN Feature (For Your Reference)
Admin user:
• Create VPN dashboards:
- Create/discover VPN segments in a network
- Create VPN groups
- New VPN dashboard for each VPN group
• Create users with VPN group access:
- Link user group to VPN group
- Create users with access to VPN group
(Diagram: the vManage admin dashboard gives full access; a VPN dashboard gives restricted access; the VPN dashboard view shows application status.)
Cisco DNA SD-WAN Licensing
Capability Based Packaging
• Simplified management & security protection for the cost-conscious customer: Enterprise firewall with Talos-powered IPS and app controls; Cisco Umbrella DNS Monitoring
• Advanced SD-WAN with enhanced security for feature-rich & varied branch deployment models: Cisco AMP with SSL proxy; URL filtering; Cisco Threat Grid®; Cisco Umbrella app discovery
• Advanced SD-WAN security will mitigate the most sophisticated threats to your business: Cisco Umbrella Insights®
Demo
Topology (diagram): Raleigh – HQ (192.168.10.0/24 on VLAN 10, VPN 1; Ubuntu, Win 2016 and FC hosts), Cary – Branch 1 and Durham – Branch 2 (each with Ubuntu and Win 2016 hosts in VPN 1), connected over INET and MPLS transports with Tunnel 2 and Tunnel 3, plus a management network.
Recap - Cisco SD-WAN Controllers
Cisco vBond (Orchestration Plane):
• Orchestrates control and management plane
• First point of authentication
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP address [or 1:1 NAT]
• Highly resilient
Cisco vSmart (Control Plane):
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies
• Reduces control plane complexity
• Highly resilient
Cisco vManage (Management Plane):
• Single pane of glass
• Multitenant with scale
• Centralized provisioning
• Policies and templates
• Troubleshooting and monitoring
• Software upgrades
• GUI with RBAC and per VPN visibility
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
WAN Edge (Data Plane, physical/virtual):
• Provides secure data plane
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages protocols OSPF, BGP, EIGRP and VRRP
• Zero Touch Provisioning
Recap - SD-WAN Security Capabilities
Requires 4 GB of additional DRAM = 8 GB platform
• Ent. Firewall App Aware: zones (inside zone with users and devices, guest zone, outside zone towards Internet and SaaS); an inspect policy automatically allows the response traffic
• Intrusion Prevention: signature check on the edge device
• URL Filtering: requests for "risky" domains; white/black lists of custom URLs; block/allow based on categories
• Advance Malware Protection and TG: check file reputation; malware sandbox
• DNS/web-layer security (DNS-layer Sec): safe requests are answered, blocked requests are stopped
Release Notes and Image Download Links (For Your Reference)
SD-WAN Security – External Resources (For Your Reference)
WSJ - https://tinyurl.com/yb75loxn
Lightreading - https://tinyurl.com/yba9zb4s
FB: https://tinyurl.com/y9u375hk
SD-WAN Breakouts at Cisco Live EMEA (#CLEMEA): related sessions include BRKRST-2791, BRKRST-2560, BRKCRS-1579, BRKRST-2096, BRKRST-2095, BRKRST-2093, BRKRST-2091, BRKRST-2041, BRKARC-2012, BRKRST-2559, BRKCRS-2110, BRKRST-3404, BRKRST-2097, BRKOPS-2826 and BRKCRS-2113.
Thank you