
Cisco SD-WAN Security
Dana Yanch – Global Technical Solutions Architect
BRKRST-2377

Agenda
• Introduction
• Secure Infrastructure
  • Device Identity
  • Secure Control Plane
  • Secure Data Plane
• Secure Branch
  • Ent Firewall App Aware
  • Intrusion Prevention
  • URL-Filtering
  • DNS/web-layer Security
  • Advanced Malware Protection + Threat Grid
• Secure Management
• Demo

#CiscoLiveLA Session ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until November 1st, 2019.
cs.co/ciscolivebot#BRKRST-2377
About Me
• Global Cisco SD-WAN (Viptela) TSA
• 10 years of WAN and DC Architecture
• 5 years of multi-vendor SD-WAN Design and Implementation
• Areas of Expertise: SD-WAN, SD-WAN, SD-WAN and more SD-WAN
Introduction

SD-WAN exposes new security challenges

Direct Internet Access exposes ingress points (no security at the cloud edge)
• Exposed ingress points as traffic is no longer backhauled to the data center
• Outside-in threats: unauthorized access, denial of service attacks, ransomware

Defend against bad destinations & data breaches (basic/no existing WAN security at the WAN edge)
• Users and devices request access to infrastructure and applications
• Inside-out threats: malware infection, command & control, phishing attacks, untrusted users/devices (guests)

Policy and access gaps expand the attack surface (SD-WAN fabric, data center & campus)
• Traffic must be encrypted and access must be segmented end to end
• Internal threats: untrusted access, lateral movement, compliance, man-in-the-middle

[Figure: SaaS, IaaS and Internet; remote and corporate users, devices and software; branch, critical infrastructure, IoT and mobile (guest) devices; SD-WAN fabric; data center & campus]
Comprehensive SD-WAN security

Simplified secure cloud connections (Outside-in, Secure Cloud Edge)
• Umbrella's Secure Internet Gateway protects users, devices and data sent to and from the cloud

Enterprise-grade security embedded (Inside-out, Secure WAN Edge)
• Full edge security stack: firewall and intrusion prevention embedded, plus URL filtering and malware sandboxing for inside-out network (and application) layer security
• Duo's Multi-Factor Authentication and zero-trust security that verifies only trusted users and devices
• Thin, rich or full-stack router

Internal security (Secure SD-WAN Fabric)
• End to end segmentation from the WAN edge to cloud to stop breach propagation and enforce regulatory compliance
• Full payload encryption between edge routers

SD-WAN security
• Mitigate external security risks with integrated SD-WAN security
• Single console to manage routing and security
• Shortest time to threat detection powered by Talos
• Mitigate internal security risks with a secure SD-WAN fabric with simple or flexible routing configurations

[Figure: SaaS, IaaS and Internet; remote and corporate users, devices and software; branch and critical infrastructure; SD-WAN fabric; data center & campus; further labels: threat defense, cloud & on-prem apps]
Cisco SD-WAN Holistic Approach
[Figure: multitenant/cloud-delivered, rich analytics, highly automated SD-WAN fabric connecting users, devices and things to cloud, IoT, edge computing, DC, IaaS, SaaS and applications through SD-WAN OnRamp; attributes: secure, scalable, app aware, vDC]
Security Deployment Models
Flexible Security based on customer needs
• Cloud Security: Lean Branch with Security in the cloud
• Integrated Security: Single platform for Routing and Security at the Branch
• Regional Hub (Co-Location): Security Services as VNF at Regional Colocation Hub
Secure Infrastructure

Cisco SD-WAN Architecture

Orchestration Plane (vBond)
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal

Management Plane (vManage)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs

Control Plane (vSmart Controllers)
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies

Data Plane (vEdge Routers)
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics

[Figure: vManage with APIs, 3rd party automation and vAnalytics; vBond; vSmart controllers; vEdge routers over MPLS, INET and 4G transports at cloud, data center, campus, branch and CoLo sites]
Orchestration Plane
Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
[Figure: vManage (APIs, 3rd party automation, vAnalytics), vBond, vSmart controllers and WAN Edge routers over MPLS, 4G and INET at cloud, data center, campus, branch and SOHO sites]
Control Plane
Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
Data Plane
Physical/Virtual WAN Edge
• WAN edge router
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP, EIGRP and VRRP
• Support Zero Touch Deployment
• Physical or Virtual form factor
Management Plane
Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant with web scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC and per VPN visibility
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
Device Identity

Malware in IOS is a Real Threat
Malware: 6 Observed Variants
• Incident 0 (2011): Static infection; Crypto (DH keys)
• Incident 1 (2012): Static infection; Crypto (DH keys)
• Incident 2 (2013): Runtime infection; C&C; data exfil.
• Incident 3 (2014): Runtime infection; C&C; data exfil.; multi-arch; Line cards
• Incident 4 (2015): Runtime infection; C&C; data exfil.; ROMMON; modular
• Synful Knock (2016): Static infection; C&C; modular
Cisco Secure Boot
Anchors Secure Boot in Hardware to Create a Chain of Trust

Boot Code Integrity Anchored in Hardware
Step 1: Hardware Anchor – Microloader
Step 2: CPU – Microloader checks Bootloader
Step 3: CPU – Bootloader checks OS
Step 4: CPU – OS launched
§ Only authentic signed Cisco software boots up on a Cisco platform
§ The boot process stops if any step fails to authenticate
Cisco Trust Anchor Module (TAm)
TAm stack: Integrity Applications; TAM Services Libraries; Crypto Functions; Tamper-Proof Storage; Boot Measurements; SUDI
• HW Authenticity Check
• Secure PnP
• Integrity Verification
• Anti-Tamper Chip Design
• Built-In Crypto Functions
• Secure Storage
Platform Integrity: TPM and TAm Compared (For Your Reference)

TPM & TAm Capabilities: Anti-tamper; Non-volatile secure storage; Crypto engine; Key storage; Policy & Configuration; Random number generation

Cisco Trust Anchor Module
§ Provides end-user and supply chain protections
§ For specialized network devices

Trusted Platform Module (TPM)
§ Focused on providing end-user capabilities
§ For general purpose computing
Secure Unique Device Identification (Secure-UDI)
• Tamperproof ID for the device
• Binds the hardware identity (PID) to a key pair in a cryptographically secure X.509 certificate during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR Compliant
Whitelisting SDWAN Edge router
SDWAN Edge List (Installed Cert Serial) – Identity Trust: Valid / Invalid / Staging
[Figure: the SDWAN Edge list on vManage, with vSmart and vBond]
Router Identity

During Manufacturing (TPM Chip – Device Certificate)
• Each physical router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in on-board Tamper Proof Module (TPM)
  - Installed during manufacturing process
  - In 19.2 possible to use your own identity cert in software instead of TPM
• Certificate signed by Avnet root CA or Cisco root CA depending on platform
  - Trusted by Control Plane elements

In Software (Root Chain)
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be automatically installed during ZTP
Cloud Router Identity

Signed by vManage (If cluster, each member signs) – Device Certificate(s)
• OTP/Token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded WAN Edge list
• OTP/Token is supplied to Cloud router in Cloud-Init during the VM deployment
  - Can activate from CLI post VM deployment
• vManage signs certificate(s) for the Cloud router post OTP/Token validation
  - If vManage cluster, each member signs
  - vManage removes OTP to prevent reuse

In Software (Root Chain)
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
• Alternatively, Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
Control Plane Trust and Whitelisting
Zero-Trust Automated Identity Provisioning
[Figure: administrator-defined controllers white-list on vManage; vManage, vSmart and vBond each hold a signed certificate and the root-cert]
Note: If using Enterprise CA, load Enterprise CA root-chain on controllers
Establishing Control Elements Identity
1. Private and public keys are generated on the control element
2. Certificate Signing Request is generated
3. Certificate is signed by Digicert/Cisco
4. Certificate is installed into the control element
5. Control element has a built-in root CA trust chain for Avnet, Digicert and Cisco, to validate other controllers and WAN Edge routers
Control Elements: vSmart Controller, vBond Orchestrator, vManage
This process is fully automated within vManage.
Q: Can I Use Enterprise CA?
A: YES!
Establishing Control Elements Identity – Cisco PKI 19.1
1. Private and public keys are generated on the control element
2. Certificate Signing Request is generated
3. Certificate automatically signed by Cisco PnP linked to your Smart Account (when Cisco signing is selected in vManage)
4. Certificate is installed into the control element
5. Control element will have a built-in root CA trust chain for Cisco and Avnet, to validate other controllers and WAN Edges
Control Elements: vSmart Controller, vBond Orchestrator, vManage
This process is fully automated within vManage.
Q: Can I Use Enterprise CA?
A: YES!
SD-WAN Edge router and controllers authentication
• vBond, vSmart and vManage each hold a Digicert-signed certificate and the root-cert; each controller validates: root trust, certificate serial
• The SD-WAN Edge holds a Digicert-signed certificate and the root-cert; the edge validates: root trust, org-name
• DTLS/TLS tunnel – Encryption/Hash Algorithm: AES256-GCM (Non-configurable)
Note: If using Enterprise CA on controllers, load Enterprise CA root-chain on SDWAN Edges (ZTP in case of vEdge/PnP in case of XE SD-WAN routers)
DDoS Protection for Controllers
• Authenticated Sources (SDWAN Edge, vManage, vSmart) – Control Plane Policing:
  § 500pps per flow
  § 10,000pps
• Unknown Sources (Other) – Deny except: DHCP, DNS, ICMP, NETCONF
  * Can manually enable: SSH, NTP, STUN, HTTPS (vManage)
Note: vBond control plane policing is the same as SDWAN Edge
DDoS Protection for SDWAN Edge Routers
• Authenticated Sources: vBond, vSmart, vManage
• Implicitly Trusted Sources: SD-WAN IPSec peers
• Explicitly Defined Sources: Cloud Security
• Unknown Sources (Other) – Deny except:
  1. Return packets matching flow entry (DIA enabled)
  2. Response pkts of DHCP, DNS
  3. ICMP
  * Can manually enable: SSH, NETCONF, NTP, OSPF, BGP, STUN
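The two admission stages on the DDoS-protection slides, modelled in Python as an added example (not Cisco's implementation): source classification with the controller-side deny-except list (DHCP, DNS, ICMP, NETCONF plus anything manually enabled), then control plane policing at 500 pps per flow and 10,000 pps aggregate. The sliding-window policer, the flow key (source plus protocol) and the sample sources are assumptions of the example.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

# Figures from the controller slide.
PER_FLOW_PPS = 500
AGGREGATE_PPS = 10_000

# Protocols an unknown (unauthenticated) source may reach on a controller by default,
# and the ones that stay closed until an administrator enables them.
UNKNOWN_DEFAULT_OK = {"dhcp", "dns", "icmp", "netconf"}
UNKNOWN_OPTIONAL = {"ssh", "ntp", "stun", "https"}


@dataclass
class Packet:
    src: str      # source identifier (constructed, e.g. "edge-1" or "203.0.113.9")
    proto: str    # protocol name as the classifier would see it
    t: float      # arrival time in seconds, non-decreasing


@dataclass
class Policer:
    """One-second sliding-window policer (an assumed stand-in for the real hardware
    policer): at most `per_flow` packets per flow and `aggregate` packets overall
    within any one-second window."""
    per_flow: int
    aggregate: int
    _flows: dict = field(default_factory=lambda: defaultdict(deque))
    _all: deque = field(default_factory=deque)

    @staticmethod
    def _expire(q: deque, window_start: float) -> None:
        while q and q[0] <= window_start:
            q.popleft()

    def admit(self, flow_key: str, t: float) -> bool:
        start = t - 1.0
        self._expire(self._all, start)
        flow = self._flows[flow_key]
        self._expire(flow, start)
        if len(flow) >= self.per_flow or len(self._all) >= self.aggregate:
            return False
        flow.append(t)
        self._all.append(t)
        return True


class ControllerAdmission:
    """Admission decision for control plane traffic arriving at a controller."""

    def __init__(self, authenticated_sources, manually_enabled=()):
        self.authenticated = set(authenticated_sources)
        self.unknown_ok = UNKNOWN_DEFAULT_OK | (set(manually_enabled) & UNKNOWN_OPTIONAL)
        self.policer = Policer(PER_FLOW_PPS, AGGREGATE_PPS)

    def decide(self, pkt: Packet) -> str:
        if pkt.src not in self.authenticated and pkt.proto not in self.unknown_ok:
            return "deny-unknown"     # deny except DHCP, DNS, ICMP, NETCONF (+ enabled extras)
        if not self.policer.admit(f"{pkt.src}/{pkt.proto}", pkt.t):
            return "policed"          # over 500 pps for this flow or 10,000 pps overall
        return "accept"


def run_burst(adm: ControllerAdmission, sources, proto: str, pps: int) -> Counter:
    """Send `pps` packets from each source, evenly spread over one second."""
    results = Counter()
    for i in range(pps):
        for src in sources:
            results[adm.decide(Packet(src, proto, i / pps))] += 1
    return results


if __name__ == "__main__":
    adm = ControllerAdmission(authenticated_sources={"edge-1", "edge-2"})
    print(adm.decide(Packet("203.0.113.9", "ssh", 0.0)))   # unknown source, SSH not enabled
    print(run_burst(adm, ["edge-1"], "omp", 600))           # one flow at 600 pps
```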
Secure Control Plane

Network-wide Control Plane
• Cisco SD-WAN: Data Plane + Local Control Plane; O(n) Control Complexity; High Scale
• Traditional Network Control Plane: Integrated Control and Data Plane; O(n^2) Control Complexity; Limited Scale
Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations, service routes, BFD up/down stats and Cloud onRamp for SaaS probe stats
• Distributes IPSec encryption keys, and data and app-aware policies
Note: WAN Edge routers need not connect to all vSmart Controllers
Transport Locators (TLOCs)
• Each WAN Edge advertises its local TLOCs (System IP, Color, Encap) to the vSmarts (Default)
• vSmarts advertise TLOCs to all WAN Edges* (Default), giving a full mesh SD-WAN fabric of IPSec tunnels
* Can be influenced by the control policies
[Figure legend: Transport Locator (TLOC), OMP, IPSec Tunnel]
Secure Data Plane

SD-WAN Fabric Operation Walk-Through
OMP Update (between WAN Edge and vSmart over the DTLS/TLS tunnel):
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies
[Figure: two WAN Edges with TLOCs on Transport1 and Transport2, IPSec tunnel with BFD between them; each WAN Edge has VPN1 and VPN2 with subnets (A, B, C, D) learned via BGP, OSPF, Connected and Static; OMP updates and policies exchanged with vSmart]
Data Plane Privacy
§ Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes
§ Symmetric encryption keys used asymmetrically
§ Encryption keys are per-transport
§ Can be rapidly rotated
[Figure: each WAN Edge generates local keys per transport (Encr-Key1/Encr-Key2 on one edge, Encr-Key3/Encr-Key4 on the other) and receives the remote keys via OMP update through the vSmart controllers, over Transport1 and Transport2]
Packet: IP | UDP | ESP | Original Packet (Encrypted)
DP: AES256-GCM/CBC; CP: AES256-GCM
IPSec Symmetric Key
q Each Edge creates one IPSec session key per transport
q vSmart will advertise session key to other WAN Edge using OMP
q Edge-A will use Edge-B's encryption key to send traffic to Edge-B (and vice-versa)
q IPSec Session rekeying enabled by default - 3600 seconds
[Figure: Edge-A, Edge-B and Edge-C over MPLS; A's session key generated locally at Edge-A, B's session key generated locally at Edge-B, C's session key generated locally at Edge-C; each edge learns the others' keys through vSmart; legend: LAN, IPSec/GRE, DTLS]
IPSec Pairwise Keys
q Each Edge will create separate session key for each transport and for each peer
q Session keys will be advertised through vSmart using OMP
q Edge-A needs to send traffic to Edge-B, it will use session key "AB" (B will use key "BA")
q Backward compatible with non PWK devices
q PWK is disabled by default
Key naming: AB - A's Encryption Key for B; BA - B's Encryption Key for A; AC - A's Encryption Key for C; CA - C's Encryption Key for A
[Figure: Edge-A, Edge-B and Edge-C over MPLS exchanging AB/BA and AC/CA keys through vSmart; legend: LAN, IPSec/GRE, DTLS]
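An added Python model (example code, not Cisco's implementation) of the key distribution on the symmetric-key and pairwise-key slides: each edge generates keys locally, vSmart relays them as TLOC attributes, a sender picks the key the slide prescribes ("AB" when A sends to B under PWK, the peer's per-transport key otherwise), and sessions rekey after 3600 seconds. The VSmart/Edge classes, random 32-byte keys and the three-edge fabric are assumptions; the point it shows is that a non-PWK edge's key is shared by every peer sending to it, while PWK keys are unique per peer and direction.

```python
import secrets

REKEY_INTERVAL = 3600  # seconds; default IPSec session rekey interval from the slide


class VSmart:
    """Minimal model of vSmart relaying each edge's advertised TLOC attributes over OMP."""

    def __init__(self):
        self._adverts = {}

    def receive_advert(self, edge_name: str, attrs: dict) -> None:
        self._adverts[edge_name] = attrs

    def advert_for(self, edge_name: str) -> dict:
        return self._adverts[edge_name]


class Edge:
    def __init__(self, name: str, transports, peers, pwk: bool = False):
        self.name = name
        self.transports = tuple(transports)   # e.g. ("mpls", "inet")
        self.peers = tuple(peers)
        self.pwk = pwk                        # pairwise keys; disabled by default per the slide
        self.keys = {}
        self.generated_at = None

    def generate_keys(self, now: float) -> None:
        """Symmetric mode: one key per transport. PWK adds one key per (transport, peer)."""
        self.generated_at = now
        self.keys = {t: secrets.token_bytes(32) for t in self.transports}
        if self.pwk:
            for peer in self.peers:
                for t in self.transports:
                    self.keys[(t, peer)] = secrets.token_bytes(32)   # "AB": A's key for B

    def advertise(self, vsmart: VSmart) -> None:
        vsmart.receive_advert(self.name, {"pwk": self.pwk, "keys": dict(self.keys)})

    def maybe_rekey(self, vsmart: VSmart, now: float) -> bool:
        """Regenerate and re-advertise once REKEY_INTERVAL has elapsed."""
        if now - self.generated_at >= REKEY_INTERVAL:
            self.generate_keys(now)
            self.advertise(vsmart)
            return True
        return False

    def sending_key(self, vsmart: VSmart, peer: str, transport: str) -> bytes:
        remote = vsmart.advert_for(peer)
        if self.pwk and remote["pwk"]:
            return self.keys[(transport, peer)]       # A -> B uses "AB"
        return remote["keys"][transport]              # non-PWK peer: use the peer's transport key

    def receiving_key(self, vsmart: VSmart, peer: str, transport: str) -> bytes:
        remote = vsmart.advert_for(peer)
        if self.pwk and remote["pwk"]:
            return remote["keys"][(transport, self.name)]   # B receives A's traffic with "AB"
        return self.keys[transport]                         # symmetric mode: my own key


def build_fabric(now: float = 0.0):
    """Constructed three-edge fabric: A and B run PWK, C does not."""
    vs = VSmart()
    a = Edge("A", ["mpls"], ["B", "C"], pwk=True)
    b = Edge("B", ["mpls"], ["A", "C"], pwk=True)
    c = Edge("C", ["mpls"], ["A", "B"], pwk=False)
    for e in (a, b, c):
        e.generate_keys(now)
        e.advertise(vs)
    return vs, a, b, c


if __name__ == "__main__":
    vs, a, b, c = build_fabric()
    print("A->B and B<-A agree:", a.sending_key(vs, "B", "mpls") == b.receiving_key(vs, "A", "mpls"))
    print("A->C equals B->C (C shares one key):",
          a.sending_key(vs, "C", "mpls") == b.sending_key(vs, "C", "mpls"))
```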
Data Plane Integrity
§ vBond discovers WAN Edge public IP address, even if it traverses NAT
§ vBond communicates public IP to the WAN Edge
§ WAN Edge computes AH value based on the post NAT public IP
§ Packet integrity (+IP headers) is preserved across NAT
Packet: IP (20) | UDP (8) | ESP (36) | Data (…) – Encrypted AES256-GCM; Authenticated (IP headers included)
[Figure: two WAN Edges over Transport1 and Transport2 behind Network Address Translation, OMP updates via the vSmart controllers]
End-to-End Segmentation
[Figure: the ingress WAN Edge maps interfaces/VLANs to VPN1, VPN2 and VPN3 and carries each across the SD-WAN IPSec tunnel to the egress WAN Edge, which maps them back to interfaces/VLANs]
Packet: IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data (…)
• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup (rfc 4023)
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
SDWAN VPNs and Security Zoning
[Figure: Service VPNs (VPNn, Trust Zone) with interfaces and sub-interfaces; Transport VPN (VPN0, Untrust Zone) with interfaces and sub-interfaces toward MPLS and Internet; Out-of-band Management VPN (VPN512) with its own interface]
• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within VPN is automatically advertised by the OMP
Local SD-WAN Fabric Secure Perimeter
• Centralized data policy is defined on vManage and distributed by vSmart controllers
• Centralized data policy match on application traffic of interest
  - DPI or 6 tuple matching
• Centralized data policy takes drop action to block unwanted traffic
  - Can log
• Localized data policy works similarly to centralized data policy, but it is distributed directly from vManage
[Figure: vManage pushes localized data policy directly to the SDWAN Edges while centralized data policy goes through vSmart; each SDWAN Edge sits between a Trust Zone and an Un-trust Zone (Fabric Security)]
Regional Secure Perimeter – Multiple Services
• Service nodes are connected to SDWAN Edge
  - Directly or IPSec IKE v1/v2
  - Routed or bridged
• Service nodes can be connected to different SDWAN Edge routers
  - Can be in different sites
• SDWAN Edge routers advertise service
  - Service route + Service label
  - Specific VPN
• Observe Firewall trust and untrust zones
• Control or data policies are used to insert the service nodes
[Figure: Regional Hub with FW and IDS service nodes in VPN1; Remote Office and Data Center over MPLS, 4G and INET; service advertisement via OMP to vSmart; policy advertisement* (+ service) and resulting traffic path]
* For data policy only. Control policy enforced on vSmart.
Threat Landscape

Types of Threats
v Cyber Warfare
  v Nation-State Sponsored
v Organized Crime / Targeted Attacks
  v Ransomware
  v Cryptojacking
  v Sextortion
  v Financially Motivated
v Security bug / Vulnerability
  v e.g.: Heartbleed, SMBv1 vulnerability, IKEv1 vulnerability, SQL Injection, Buffer Overflow, Cross-site request forgery, Cross Site Scripting (XSS)
v Malware
  v Viruses, Worms, Trojans
  v Phishing, Adware, Spyware, Scareware
  v Keyloggers, Backdoors, Exploits, Rootkits
v Denial of Service
  v e.g.: Dyn Attack (Oct 2016)
v Botnets
  v e.g.: LinkedIn attack (Aug 2016), Deutsche Telekom (Nov 2016)
High Profile Incidents and their Targets
v Denial of Service
  v Dyn attack (Network Infrastructure)
  v Mirai Botnet (IoT devices)
  v IKEv1 Vulnerability (Network Devices)
v Ransomware (Application & Network)
  v CryptoLocker, CryptoWall
  v WannaCry
  v Petya, Bad Rabbit, Nymaim, Sage
v Cryptojacking (User Endpoints)
  v Cryptocurrency Miners
v Malware
  v Stuxnet (Industrial Control Systems)
  v VPNFilter (Network Devices)
v Yahoo! Data breach (Users)
  v 3 billion user accounts (Web Application)
Combining Best of Breed in Security and SD-WAN
What is Cisco SD-WAN Security?

Cisco Security
• Enterprise Firewall – +1400 layer 7 apps classified
• Intrusion Prevention System – Most widely deployed IPS engine in the world
• URL-Filtering – Web reputation score using 82+ web categories
• Adv. Malware Protection – With File Reputation and Sandboxing
• Simplified Cloud Security – Easy Deployment for Cisco Umbrella

Cisco SD-WAN
• Hours instead of weeks and months
Direct Internet Access

SD-WAN Security Use Cases
• Use Case: Direct Internet Access (Employees, VPN1) – Firewall, IPS, AMP+TG, URL Filtering, Cisco Umbrella
• Use Case: Guest Services (Guests, VPN3) – Firewall, URL Filtering
• Use Case: Industry Compliance (Contractors, VPN2) – Firewall, IPS, AMP+TG
[Figure: vManage; Direct Internet Access from the branch to the Internet; SD-WAN toward Data Center applications]
SD-WAN Security: vManage Provisioning Wizard

Configuration > Security

Security Policy
1 Build Objects: Lists, ZBFW Policy, IPS Policy, URL Filtering, AMP, DNS Security
2 Create Security Policy
3 Apply Security Policy to Device Template
4 Configuration Change Update
Enterprise App Aware Firewall

Enterprise App Firewall
Ø Stateful Firewall, Zone Policies
Ø Application Visibility and Granular control
Ø 1400+ layer 7 applications classified
Ø Drop traffic by application category or specific application
Ø Segmentation
Ø PCI compliance
Ø HSL Logging (Netflow log export) for SIEM
Ø Self Zone Policy
[Figure: Outside Zone (SaaS, Internet) – inspect policy allows only return traffic to be allowed; Self Zone; Inside Zone (Users, Devices, Service-VPN 1) and Guest Zone (Service-VPN 2); Firewall events exported to SIEM via Netflow v9]
Ent. Firewall App Aware: Intra-Zone Security
[Figure: hosts in Zone1 (VPN1) at SD-WAN Site A and hosts in Zone1 (VPN1) at SD-WAN Site B, connected across the SD-WAN Fabric]
Action: D I P
D - Drop
I – Inspect
P – Pass
Ent. Firewall App Aware: Inter-Zone Security
[Figure: hosts in Zone1 (VPN1) and Zone2 (VPN2) at SD-WAN Site A, with VPN1-VPN2 route leaking through vSmart, and hosts in Zone1 (VPN1) at SD-WAN Site B, connected across the SD-WAN Fabric]
Action: D I P
D - Drop
I – Inspect
P – Pass
vManage - Ent FW App Aware - Configuration

vManage - Ent FW App Aware - Configuration (For Your Reference)
Ent Firewall with Zone Policy - CLI rendered (For Your Reference)

zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group name
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

[Figure: Security Zone OUTSIDE = VPN 0 toward the ISP, Data Center and SD-WAN Fabric; Security Zone INSIDE = VPN 1 toward the Remote Site]
Ent. FW App Aware – CLI rendered (For Your Reference)

zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol http
 match protocol https
 match protocol dns
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group name
!
class-map match-any AVC-CLASS
 match protocol yahoo
 match protocol amazon
 match protocol attribute category consumer-streaming
 match protocol attribute category gaming
 match protocol attribute category social-networking
!
policy-map type inspect avc AVC-POLICY
 class AVC-CLASS
  deny
 class class-default
  allow
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
  service-policy avc AVC-POLICY
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

[Figure: Security Zone OUTSIDE = VPN 0; Security Zone INSIDE = VPN 1]
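To show how the rendered zone policy above behaves on traffic, here is an added Python model (example code, not the IOS-XE implementation) of the IN_OUT zone-pair, the INSIDE-TO-OUTSIDE-CLASS match-any list, the nested AVC-POLICY deny, the class-default drop, the stateful return-traffic allowance from the Enterprise App Firewall slide, and the D/I/P knob from the intra-zone slide. The Flow record, the application-to-category map and the sample addresses are constructed assumptions; traffic between zones with no zone-pair is treated as dropped, the standard zone-based firewall behaviour.

```python
from dataclasses import dataclass, field

# Application attributes a classifier would attach to a flow (constructed; the category
# names are the ones matched by AVC-CLASS on the slide).
APP_CATEGORY = {
    "yahoo": "other", "amazon": "other",
    "netflix": "consumer-streaming", "steam": "gaming", "facebook": "social-networking",
}
AVC_DENY_APPS = {"yahoo", "amazon"}
AVC_DENY_CATEGORIES = {"consumer-streaming", "gaming", "social-networking"}

# class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
INSIDE_TO_OUTSIDE_PROTOCOLS = {"ftp", "http", "https", "dns", "tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str          # protocol as the class-map would match it
    app: str = ""       # L7 application name from AVC, if classified

    def reverse(self) -> "Flow":
        return Flow(self.dst_zone, self.src_zone, self.dst, self.src, self.proto, self.app)


@dataclass
class ZoneBasedFirewall:
    zone_pairs: dict = field(default_factory=dict)   # (src_zone, dst_zone) -> policy name
    sessions: set = field(default_factory=set)       # flows admitted by 'inspect'
    intra_zone_action: str = "pass"                  # D/I/P knob from the intra-zone slide

    def _avc_policy(self, flow: Flow) -> str:
        # policy-map type inspect avc AVC-POLICY: class AVC-CLASS -> deny, class-default -> allow
        if flow.app in AVC_DENY_APPS or APP_CATEGORY.get(flow.app) in AVC_DENY_CATEGORIES:
            return "deny"
        return "allow"

    def _inside_to_outside_policy(self, flow: Flow) -> str:
        # policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
        if flow.proto in INSIDE_TO_OUTSIDE_PROTOCOLS:      # class type inspect INSIDE-TO-OUTSIDE-CLASS
            if self._avc_policy(flow) == "deny":            #   service-policy avc AVC-POLICY
                return "drop"
            self.sessions.add(flow)                         #   inspect: remember the session
            return "inspect"
        return "drop"                                       # class class-default: drop

    def process(self, flow: Flow) -> str:
        # Return traffic of an inspected session is the only unsolicited-looking traffic allowed in.
        if flow.reverse() in self.sessions:
            return "return-allowed"
        if flow.src_zone == flow.dst_zone:
            if self.intra_zone_action == "inspect":
                self.sessions.add(flow)
            return self.intra_zone_action
        policy = self.zone_pairs.get((flow.src_zone, flow.dst_zone))
        if policy == "INSIDE-TO-OUTSIDE-POLICY":
            return self._inside_to_outside_policy(flow)
        return "drop"   # no zone-pair between these zones


def build_firewall(intra_zone_action: str = "pass") -> ZoneBasedFirewall:
    """zone-pair security IN_OUT source INSIDE destination OUTSIDE"""
    fw = ZoneBasedFirewall(intra_zone_action=intra_zone_action)
    fw.zone_pairs[("INSIDE", "OUTSIDE")] = "INSIDE-TO-OUTSIDE-POLICY"
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    out = Flow("INSIDE", "OUTSIDE", "10.1.1.10", "198.51.100.7", "https", "cisco-webex")
    print(fw.process(out), fw.process(out.reverse()))                      # inspect return-allowed
    print(fw.process(Flow("OUTSIDE", "INSIDE", "203.0.113.9", "10.1.1.10", "https")))  # drop
```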
Intrusion Prevention

Intrusion Prevention and Detection
• Snort is the most widely deployed Intrusion Prevention solution in the world
• Backed by global threat intelligence (TALOS), signature update is automated
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance
[Figure: IPS as an on-site service]
vManage - Intrusion Prevention
Intrusion Prevention – CLI rendered (For Your Reference)

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start

Step 4 Configuring UTD (service plane)
utd engine standard multi-tenancy
 threat-inspection whitelist profile Sig-white-list
  generator id 3 signature id 22089
  generator id 3 signature id 36208
 threat-inspection profile IPS-POLICY
  threat [protection | detection]
  policy [security | connectivity | balanced]
  whitelist profile Sig-white-list
  logging level [alert | info | ….. ]

Step 5 Enabling UTD (data plane)
policy utd-policy-vrf-1
 vrf 1
 all-interfaces
 fail [open | close]
 threat-inspection profile IPS-POLICY
Intrusion Prevention - Overview (For Your Reference)
• If Ent. Firewall App Aware is configured, UTD will be invoked after Ent. Firewall App Aware, allowing Ent. Firewall App Aware to protect IDS/IPS.
• If UTD is enabled on an interface, policy FIA will mark it for UTD inspect and pass on to the UTD divert FIA.
• Packets which are marked for inspection will be diverted from dataplane to Snort via UTD divert FIA.
• Based on the status reported by AppNAV health monitor and fail-open/fail-close configuration, packets are either forwarded to Snort or sent to egress without any diversion.
[Figure: Snort Engine pipeline – Packet Decoder, Preprocessors, Detection Engine (signature rules) and Output Module (alerts, packet logs); verdicts on L3–7, L2/3 sessions, File and AppId; packet layers MAC, IP, TCP, HTTP, HTTP_CLIENT_BODY]
URL Filtering

URL Filtering
• 82+ Web Categories with dynamic updates
• Block based on Web Reputation score
• Create custom Black and White Lists
• Cloud lookup with local caching or local lookup
• Local lookup downloads URL database to the router

Order of Operation:
White/Black List >> Category >> Reputation

[Figure: requests for "risky" domains (www.abc.com, www.xyz.com) pass the White/Black lists of custom URLs first, then are blocked/allowed based on the Categories and the Reputation]
vManage - URL Filtering

URL Filtering – CLI rendered (For Your Reference)

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start

Step 4 Configure (optional) white and black list
parameter-map type regex wlist1
 pattern www.google.com
 pattern www.cisco.com
parameter-map type regex blist1
 pattern www.exmaplehoo.com
 pattern www.bing.com

Step 5 Configure block page
web-filter block page profile block-URL-FILTER-POLICY
 text "WHAT ARE YOU DOING??!!!"
URL Filtering – CLI rendered (For Your Reference)

Step 6 Configure web-filter profile
web-filter url profile URL-FILTER-POLICY
 blacklist
  parameter-map regex blist1
 whitelist
  parameter-map regex wlist1
 categories block
  abortion
  abused-drugs
  adult-and-pornography
  bot-nets
  cheating
  confirmed-spam-sources
  cult-and-occult
 alert all
 block page-profile block-URL-FILTER-POLICY
 reputation
  block-threshold moderate-risk

Step 7 Configure data plane
utd global
 logging syslog
!
policy utd-policy-vrf-1
 all-interfaces
 fail close
 vrf 1
 web-filter url profile URL-FILTER-POLICY
DNS/Web-layer Security

DNS/web-layer security (Cisco Umbrella)
• Block malware, phishing and non-compliance domain requests
• Automatic API Key registration
• Supports DNScrypt
• Local Domain-bypass
• TLS decryption
• Intelligent Proxy
• VPN Aware

Figure: DNS requests from users and devices are resolved through Cisco Umbrella, which answers safe requests and blocks the rest.
Umbrella data centers are co-located at major IXPs: more than 31 data centers worldwide.
DNS/web-layer Security - Solution Overview

Figure: a user (Claudia) behind the WAN Edge sends a DNS Request (1); the WAN Edge forwards it to Cisco Umbrella, which returns the DNS Response (4) as a safe or a blocked request; for a safe request the client then fetches Approved Content (5) from web servers on the Internet.
vManage – DNS/web-layer Security (configuration screenshots)
DNS/web-layer security – CLI rendered (For Your Reference)

Configure local domain bypass (optional)
parameter-map type regex dns_wl
 pattern www.cisco.com
 pattern .*eisg.cisco.*

Configure token and enable DNS security
parameter-map type umbrella global
 token 57CC8010687FB1B2A7BA4F2373C00247166
 no dnscrypt (enabled by default)
 udp-timeout (to change the udp-timeout)
 resolver-ip <>
 vpn 21
  dns-resolver-ip < Umbrella > [bypass-local-domain]
 vpn 22
  dns-resolver-ip < Umbrella > [bypass-local-domain]
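To show what the local domain bypass and the per-VPN bypass-local-domain keyword decide for a real DNS query, here is an added Python example (not Cisco code). It builds and parses a minimal DNS query, applies the two regex patterns from the slide, and treats VPN 21 as configured with bypass-local-domain and VPN 22 without it; that VPN-to-option mapping, the resolver placeholder and the sample query names are assumptions.

```python
import re
import struct

UMBRELLA_RESOLVER = "<Umbrella>"  # placeholder, as on the slide; the real address is not shown there


def build_query(qname, txid=0x1234):
    """Construct a minimal DNS A query for qname (test input built for this example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_qname(packet):
    """Return the name in the first question; question names carry no compression pointers."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("unexpected compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


class UmbrellaDnsPolicy:
    """Decides per VPN whether a query is redirected to Umbrella or bypassed locally."""

    def __init__(self, bypass_patterns, vpns):
        # Patterns are regular expressions, mirroring 'parameter-map type regex dns_wl'.
        self.bypass = [re.compile(p) for p in bypass_patterns]
        # vpn id -> whether 'bypass-local-domain' is set on its dns-resolver-ip line.
        self.vpns = vpns

    def route_query(self, vpn, packet, original_resolver):
        """Return (resolver the query is sent to, action)."""
        qname = parse_qname(packet).lower()
        if vpn not in self.vpns:
            return original_resolver, "not-enabled"   # VPN has no Umbrella config
        if self.vpns[vpn] and any(p.search(qname) for p in self.bypass):
            return original_resolver, "local-bypass"  # local domain, never sent to Umbrella
        return UMBRELLA_RESOLVER, "redirect"


# Assumed setup: VPN 21 with bypass-local-domain, VPN 22 without; patterns from the slide.
POLICY = UmbrellaDnsPolicy([r"www.cisco.com", r".*eisg.cisco.*"], {21: True, 22: False})

if __name__ == "__main__":
    for vpn, name in ((21, "www.cisco.com"), (21, "eisg.cisco.com"),
                      (21, "www.example.test"), (22, "www.cisco.com"), (99, "www.cisco.com")):
        print(vpn, name, POLICY.route_query(vpn, build_query(name), "10.0.0.53"))
```

Because the bypass entries are regular expressions, an unanchored pattern such as www.cisco.com also matches any longer name that contains it; a bypass list should be kept short and specific, since every match is a query Umbrella never sees.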
Cisco Umbrella for SD-WAN

Good (1H'FY19): Umbrella Monitoring has been in all Cisco DNA packages for SD-WAN. Provides visibility into requests to malicious destinations from branch users and devices.

Better (TODAY): Umbrella Insights is now a central part of Cisco DNA Premier. Protects branch sites and roaming users against external threats with DNS-security and selective proxy.

Best (1H'FY20): Umbrella SIG Essentials will be in Cisco DNA Premier. Protects branch sites and roaming users through full web proxy with AMP and TG, L3-L4 CDFW.
Content Filtering (For Your Reference)

DNS Security vs. URL Filtering

DNS Security | URL Filtering
Looks only at DNS packets (preferred in Spain over URL-F) | Looks within HTTP packet. Can whitelist/blacklist sub-domains.
We have reporting (time, IP addr., domain browsed) in Umbrella portal (comes free with DNA license, user ID and password sent to customer via email) | No reporting/visibility
Refers to internal database to decide good/bad/unknown domain | Reputation score
Cloud | On-prem
No memory | 8GB or 16GB memory (if the URL-F database needs to be on-the-box)
Cisco Product | Via Brightcloud/Webroot
• Comes with Umbrella at DNA-E/A (no enforcement, only monitoring) • Enforcement with Umbrella Insights in DNA-P | • Comes with DNA Advantage • Comes as part of embedded security in an IOS-XE SD-WAN Cisco router with 8GB memory
Advanced Malware Protection and Threat Grid

Advanced Malware Protection + Threat Grid
• Integration with AMP
  – File reputation
  – File retrospection
• Integration with ThreatGrid
  – File Analysis
  – Malware Sandbox
• Backed with valuable Threat Intelligence

Figure: the WAN edge checks a file's signature against AMP over the Internet and can send the file itself to ThreatGrid for analysis.
Advanced Malware Protection

1. Snort file pre-processor on the device identifies file download
2. Computes SHA256, looks up in the local cache.
3. If no response is found, send it to AMP cloud
4. AMP cloud gives a response (malicious, unknown, clean)
Comprehensive Malware Protection (AMP & TG)

1. If the response from AMP is unknown, WAN edge checks for active content
2. If active content is found, and config allows for export, WAN edge sends it to Threat Grid for sandboxing
3. WAN Edge queries Threat Grid for a period of time and then queries AMP for retrospection.
4. Threat Grid also updates the new status in the AMP cloud
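The two numbered flows above (the AMP lookup, then the Threat Grid export and retrospection) as one added Python example, not Cisco's implementation: the AMP cloud and Threat Grid are in-memory stubs with constructed dispositions, the active-content markers and the malware marker are constructed strings rather than real signatures, and the bounded polling before retrospection is an assumption about timing.

```python
import hashlib

# Constructed markers for this example: what the inspector treats as "active
# content" and what the sandbox stub treats as malicious. Not real signatures.
ACTIVE_CONTENT_MARKERS = (b"/JavaScript", b"/OpenAction", b"vbaProject.bin")
CONSTRUCTED_MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class AmpCloudStub:
    """Stand-in for the AMP cloud: SHA-256 -> disposition (malicious, clean or unknown)."""

    def __init__(self):
        self.dispositions = {}

    def lookup(self, sha256):
        return self.dispositions.get(sha256, "unknown")

    def update(self, sha256, disposition):
        self.dispositions[sha256] = disposition


class ThreatGridStub:
    """Stand-in for Threat Grid: analysis completes after a few polls, and the
    result is then pushed to the AMP cloud (step 4 of the slide)."""

    def __init__(self, amp, polls_needed=2):
        self.amp = amp
        self.polls_needed = polls_needed
        self.jobs = {}

    def submit(self, sha256, data):
        verdict = "malicious" if CONSTRUCTED_MALWARE_MARKER in data else "clean"
        self.jobs[sha256] = {"polls_left": self.polls_needed, "verdict": verdict}
        return sha256  # job id; constructed as the file hash

    def poll(self, job_id):
        job = self.jobs[job_id]
        if job["polls_left"] > 0:
            job["polls_left"] -= 1
            return None  # analysis still running
        self.amp.update(job_id, job["verdict"])
        return job["verdict"]


class WanEdgeFileInspector:
    """WAN edge side: hash, local cache, AMP lookup, conditional TG export, retrospection."""

    def __init__(self, amp, tg, allow_export=True):
        self.amp, self.tg, self.allow_export = amp, tg, allow_export
        self.cache = {}    # local SHA-256 cache (slide step 2)
        self.pending = {}  # sha256 -> Threat Grid job id

    @staticmethod
    def has_active_content(data):
        return any(marker in data for marker in ACTIVE_CONTENT_MARKERS)

    def inspect(self, data):
        """Inline verdict for a downloaded file: malicious, clean or unknown."""
        sha = sha256_hex(data)
        if sha in self.cache:
            return self.cache[sha]
        disposition = self.amp.lookup(sha)  # steps 3 and 4
        if disposition != "unknown":
            self.cache[sha] = disposition
            return disposition
        # AMP says unknown: export to the sandbox only for active content and only
        # when the configuration permits export.
        if self.allow_export and self.has_active_content(data) and sha not in self.pending:
            self.pending[sha] = self.tg.submit(sha, data)
        return "unknown"

    def retrospect(self, data, max_polls=5):
        """Poll Threat Grid for a bounded time, then re-query AMP (retrospection)."""
        sha = sha256_hex(data)
        job = self.pending.pop(sha, None)
        if job is not None:
            for _ in range(max_polls):
                if self.tg.poll(job) is not None:
                    break
        disposition = self.amp.lookup(sha)
        if disposition != "unknown":
            self.cache[sha] = disposition
        return disposition


def build_demo():
    """Wire the stubs together with one known-malicious hash pre-seeded in the AMP stub."""
    amp = AmpCloudStub()
    tg = ThreatGridStub(amp)
    amp.update(sha256_hex(b"%PDF-1.7 constructed known-bad sample"), "malicious")
    return amp, tg, WanEdgeFileInspector(amp, tg)
```

The point the model makes visible is the window between the inline "unknown" verdict and the retrospective one: the first download of an unknown file with active content is not blocked inline, so the retrospection result is what an operator should alert on.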
vManage – AMP + ThreatGrid

AMP + ThreatGrid – CLI rendered (For Your Reference)

utd global
 file-reputation
  cloud-server cloud-isr-asn.amp.cisco.com
  est-server cloud-isr-est.amp.cisco.com
 !
 file-analysis
  cloud-server isr.api.threatgrid.com
  apikey 0 <API Key>
 !
!
file-analysis profile AdvanceMalwareProtection-fa-profile
 file-types
  pdf
  ms-exe
  new-office
  rtf
  mdb
  mscab
  msole2
  wri
  xlw
  flv
  swf
 !
 alert level critical
AMP + ThreatGrid – CLI rendered (For Your Reference)

file-reputation profile AdvanceMalwareProtection-fr-profile
 alert level critical
!
file-inspection profile AdvanceMalwareProtection-fi-profile
 analysis profile AdvanceMalwareProtection-fa-profile
 reputation profile AdvanceMalwareProtection-fr-profile
!
policy utd-policy-vrf-1
 all-interfaces
 fail close
 file-inspection profile AdvanceMalwareProtection-fi-profile
 vrf 1
 threat-inspection profile IPS
 web-filter url profile URLFiltering
 exit
policy utd-policy-vrf-2
 all-interfaces
 fail close
 file-inspection profile AdvanceMalwareProtection-fi-profile
 vrf 2
Snort IPS/IDS, URL Filtering & AMP Architecture (For Your Reference)

Figure: the Snort LXC runs in the control plane beside IOSd and the App-Hosting Manager on the Linux OS; it attaches through Virtual Ethernet to a Management VPG and a Traffic VPG (Virtual Port Groups), and the data plane traffic path is punted into it.

- IPS, AMP & URL Filtering services run on a Linux Container (LXC), using control plane resources
- Traffic is punted to Container using Virtual Port Group (VPG) interface
- Reserved CPU and memory for Container process enables deterministic performance
SD-WAN Security Support (For Your Reference)

Platforms/Features | Ent FW | Ent FW App Awareness | IPS/IDS | URL Filtering | AMP/TG | DNS/web-layer Monitoring *
Viptela (100, 1000, 2000 and 5000) | Y | DPI using Qosmos ** | N/A | N/A | N/A | Y
Cisco - CSR | Y | Y | Y | Y | Y | Y
Cisco – ENCS (ISRv) | Y | Y | Y | Y | Y | Y
Cisco – ISR4K (4451, 4431, 4351, 4331, 4321, 4221-X) | Y | Y | Y | Y | Y | Y
Cisco – ISR1K (1111X-8P) | Y | Y | Y | Y | Y | Y
Cisco - ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X) *** | Y | Y | N/A | N/A | N/A | Y

* Umbrella Subscription required for enforcement
** Stateful Firewall and DPI using Qosmos are separate on the vEdge
*** Supported with default 4GB DRAM
Security App Hosting Profile & Resources (For Your Reference)

Figure: core allocation per platform as drawn on the slide.
• 4431 / 4451: Data Plane (10 core: PPE1–PPE9, I/O, Crypto); Control Plane (4 cores: IOS, SVC1, SVC2, SVC3, Linux)
• 4331 / 4351: Data Plane (4 cores: PPE1–PPE3, I/O, Crypto); Control Plane (4 cores: IOS, SVC1, SVC2, SVC3, Linux)
• 4321 / 4221 / 1K: Control Plane (2 cores: IOS, SVC, Linux); Data Plane (2 cores: PPE, I/O, Crypto, CPP Code)

Platforms | Total No of DP Cores | Total No of CP Cores | Total No of CP Cores for Security
4321/4221/1K | 2 | 2 | 1
4331 | 4 | 4 | 2
4351 | 4 | 4 | 2
4431 | 6 | 4 | 2
4451 | 10 | 4 | 2

DP = Data Plane, CP = Control Plane, SVC = Services
Security App Hosting Profile & Resources

IPS / URL-F Security Profile

App Hosting Profile | Features | Minimum Platform requirement | Platform Supported
Default | IPS + URLF (Cloud Lookup only) + AMP (File hashing) | 8GB Bootflash & 8GB Memory; 1 / 2 service plane cores | ISR1K/4221X/4321; 4331/4351/44xx; 4/8 vCPU CSR / ISRv
High | IPS + URLF (On-box DB + Cloud Lookup) + AMP (File hashing) + Threat Grid (TG) | 16GB Bootflash & 16GB Memory; 2 service plane cores | 4331/4351/44xx; 4/8 vCPU CSR/ISRv

Enterprise FW and DNS/web-layer security will work with default 4 GB DRAM
SD-WAN Security Features – Order of Operation (For Your Reference)

Figure: G0/0 is LAN facing, G0/1 is WAN facing.

LAN to WAN (ingress G0/0, egress G0/1):
 (1) IP Dest Lookup → (2) NBAR → (3) Security → (4) VFR → (5) CEF → NAT at egress
 The Security stage is expanded as FW, IPS, URL-F, AMP, NBAR and DNS Layer Security.

WAN to LAN (ingress G0/1, egress G0/0):
 (1) DNS Layer Security → (2) VFR → (3) NAT → (4) CEF
 At egress: FW, IPS, URL-F, AMP, NBAR and DNS Layer Security.
Life of a Packet: From LAN to WAN (For Your Reference)

Interface ACL → IP Dest Lookup → NBAR → FNF First → SDWAN App-Route Policy → DNS-Redirect → Data Policy → Process & OCE Walk → Go to Output → FW → UTD → MPLS Label Add → Tunnel Encap → FW → UTD → Pre-Route Encap → NAT → IPSEC Encrypt (Transport mode) → Layer 2 Encap → DNS Crypt → FNF LAST → ACL → TX

UTD: IPS->URL-F->AMP/TG
Color coding on the slide distinguishes LAN Interface, Tunnel Interface and WAN Interface stages.
OCE – Output Chain Element
Life of a Packet: From WAN to LAN (For Your Reference)

Interface ACL → IP Dest lookup → SDWAN WAN Filter → NAT → SDWAN For-us → IPSEC Decrypt → SDWAN Lookup → Process & OCE walk → Go to Output → MPLS Label Lookup → MPLS transition to IP → IP Dst lookup in vrf → NBAR → FNF first → App-Route Policy → Data Policy → Process & OCE walk → Go to Output → FW → UTD → L2 Encap → FNF Last → ACL → TX

UTD: IPS->URL-F->AMP/TG
Color coding on the slide distinguishes LAN Interface, Tunnel Interface and WAN Interface stages.
OCE – Output Chain Element
SIG - 3rd Party Cloud Security

Figure: remote sites and a regional hub/colo reach a Cloud Security Provider (POP1/POP2, RGN 1/RGN 2) over GRE/IPSec tunnels via DIA through ISP A and ISP B, while the SD-WAN fabric carries data traffic between remote sites and the data center over IPSec tunnels.
Secure Management

vManage Authentication methods
• Local Database / RADIUS / TACACS
• Single-Sign On

RBAC
RBAC by VPN Feature

Admin user:
• Create VPN dashboards:
  – Create/discover VPN segments in a network
  – Create VPN groups
  – New VPN dashboard for each VPN group
• Create users with VPN group access:
  – Link user group to VPN group
  – Create users with access to VPN group

VPN group user:
• Access to VPN Dashboard only
  – Monitor devices, network, and application status via VPN dashboard
  – VPN dashboard information restricted to devices with segments in VPN group
  – Monitor option restricted to devices with segments in VPN group
  – Interface monitoring on device restricted to interfaces of segments in the VPN group
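An added Python model of the restriction the slide describes (example code, not vManage's implementation): user groups are linked to VPN groups, and a VPN group user sees only the devices and interfaces whose segments fall in that group, while an admin sees everything. The device and interface names, the 'netadmin' admin group name and the user names are constructed; the VPN group 'Dana Airways' with VPNs 1 and 2 is taken from the following slides.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    interfaces: dict  # interface name -> VPN (segment) id


class VManageRbac:
    ADMIN_GROUP = "netadmin"  # assumed name for the full-access admin user group

    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}
        self.vpn_groups = {}   # VPN group name -> set of VPN ids
        self.group_links = {}  # user group -> VPN group name
        self.users = {}        # user name -> user group

    def create_vpn_group(self, name, vpns):
        self.vpn_groups[name] = set(vpns)

    def link_user_group(self, user_group, vpn_group):
        if vpn_group not in self.vpn_groups:
            raise KeyError("unknown VPN group: %s" % vpn_group)
        self.group_links[user_group] = vpn_group

    def create_user(self, user, user_group):
        self.users[user] = user_group

    def allowed_vpns(self, user):
        """None means unrestricted (admin); otherwise the VPN ids the user may see."""
        group = self.users[user]
        if group == self.ADMIN_GROUP:
            return None
        vpn_group = self.group_links.get(group)
        # A user group with no VPN group link sees nothing (deny by default).
        return self.vpn_groups[vpn_group] if vpn_group else set()

    def can_view_device(self, user, device_name):
        vpns = self.allowed_vpns(user)
        device = self.devices[device_name]
        return vpns is None or bool(set(device.interfaces.values()) & vpns)

    def visible_devices(self, user):
        """Devices with at least one segment in the user's VPN group."""
        return sorted(n for n in self.devices if self.can_view_device(user, n))

    def visible_interfaces(self, user, device_name):
        """Interfaces of a visible device restricted to the user's segments."""
        if not self.can_view_device(user, device_name):
            raise PermissionError("%s may not monitor %s" % (user, device_name))
        vpns = self.allowed_vpns(user)
        device = self.devices[device_name]
        return sorted(i for i, v in device.interfaces.items() if vpns is None or v in vpns)


def build_demo():
    """Constructed inventory: three edges, one VPN group, one restricted user."""
    rbac = VManageRbac([
        Device("edge-a", {"ge0/0": 1, "ge0/1": 2, "ge0/2": 3}),
        Device("edge-b", {"ge0/0": 3, "ge0/1": 3}),
        Device("edge-c", {"ge0/0": 2}),
    ])
    rbac.create_vpn_group("Dana Airways", {1, 2})
    rbac.link_user_group("airways-ops", "Dana Airways")
    rbac.create_user("dana", "airways-ops")
    rbac.create_user("admin", VManageRbac.ADMIN_GROUP)
    rbac.create_user("orphan", "unlinked-group")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for user in ("dana", "admin", "orphan"):
        print(user, rbac.visible_devices(user))
```

Note that edge-a is visible to the restricted user because one of its segments is in the group, yet its ge0/2 interface (VPN 3) is hidden; the per-interface filter is what keeps a shared device from leaking another tenant's segment.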
Figure: vManage Admin Dashboard (full access) compared with the VPN Dashboard (restricted access) for VPN Group: Dana Airways (VPN 1, 2).

VPN Dashboard View: Dana Airways VPN, showing device health status, device details and application status.

Monitor per VPN network
Cisco DNA Licensing for SD-WAN: Simplified Packaging

DNA Essentials
• Standard SD-WAN Use-Cases (<50 Sites)
• Application-based SLA
• Branch Security with Firewall and IPS
• WAN Automation and Ease of Management
• Voice Optimization
Capabilities: Full Mesh, Hub Spoke, Dynamic Routing | FEC, Packet Dup, Segmentation, Fabric Multicast Support | Basic Application Visibility, FW, IPS (1) | Automated Telemetry Orchestration (vManage)

DNA Advantage (Includes Essentials)
• Cloud-Scale SD-WAN Use-Cases
• Malware Protection and URL-Filtering (2)
• Application Optimization for Multi-Cloud
• Multi-Domain End-End Policy and Segmentation (3)
• Rich Services - Integrated Voice and WAN Opt (4)
• Analytics for Performance and Troubleshooting
Capabilities: Unlimited AMP, URL Filter for Cloud, Branch & Colo | Single Service Stitching for Cisco and 3rd Party VNFs

DNA Premier (Includes Advantage)
• Advanced Cloud Security Use-Cases
• Comprehensive Malware Protection w/ Sandboxing
• Umbrella Insights

(1) (2) (3) (4) Capabilities supported only on ISR and CSR
Demo

Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• All surveys can be taken:
  – Cisco Live Mobile App
  – Logging in to the Session Catalog: https://reg.rainfocus.com/flow/cisco/cllatam19/adash/page/dashboard

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.