Cisco SD-WAN Security
Dana Yanch – Global Technical Solutions Architect
BRKRST-2377
#CiscoLiveLA
Agenda
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Secure Branch
• Ent Firewall App Aware
• Intrusion Prevention
• URL-Filtering
• DNS/web-layer Security
• Advanced Malware Protection + Threat Grid
• Secure Management
• Demo
#CiscoLiveLA Session ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
About Me
• Global Cisco SD-WAN (Viptela) TSA
• 10 years of WAN and DC Architecture
• 5 years of multi-vendor SD-WAN Design and Implementation
• Areas of Expertise
• SD-WAN, SD-WAN, SD-WAN and more SD-WAN
Introduction
SD-WAN exposes new security challenges
[Figure: Direct Internet Access from branches to SaaS, IaaS and the Internet exposes new ingress points, because traffic is no longer backhauled to the data center; policy and access gaps expand the attack surface, and the fabric must defend against bad destinations and data breaches. The slide contrasts "no security" at the cloud edge and "basic/no existing WAN security" at the WAN edge, while users and devices (corporate, remote, software, IoT, mobile, guests) request access to infrastructure and applications in the data center and campus.]
Outside-in threats
• Unauthorized access
• Denial of service attacks
• Ransomware
Inside-out threats
• Malware infection
• Command & control
• Phishing attacks
• Untrusted users/devices (guests)
Internal threats
• Untrusted access
• Lateral movement
• Compliance
• Man-in-the-Middle
Traffic must be encrypted and access must be segmented end to end.
Comprehensive SD-WAN security
[Figure: secure cloud edge (SaaS, IaaS, Internet), secure WAN edge (remote, corporate and software users and devices) and the internal network, with a full edge security stack covering outside-in, inside-out and internal traffic.]
• Secure cloud edge: mitigate external security risks with the integrated Umbrella Secure Internet Gateway, which protects users and devices and the data sent to and from the cloud
• Secure WAN edge (enterprise-grade security embedded): firewall and intrusion prevention stop breach propagation; URL filtering and malware sandboxing provide inside-out (and application-layer) security
• Internal security: end-to-end segmentation from the WAN to the cloud protects data, enforces regulatory compliance and promotes network security
• Simplified: a single console to manage, plus Duo's multi-factor authentication
Cisco SD-WAN Holistic Approach
[Figure: a secure, scalable, application-aware fabric that is multitenant/cloud-delivered, with rich analytics and high automation, connecting devices, things and the DC to applications in IaaS, SaaS and the vDC.]
Security Deployment Models
Flexible security based on customer needs:
• Cloud Security: lean branch with security in the cloud
• Single platform for routing and branch security at the branch
• Co-Location: security services as VNFs at a regional colocation hub
Secure Infrastructure
Cisco SD-WAN Architecture
Orchestration plane (vBond):
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
Management plane (vManage, with APIs for vAnalytics and 3rd-party automation):
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs
Control plane (vSmart controllers):
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies
Data plane (vEdge routers, over MPLS, INET and 4G transports):
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics
Orchestration Plane
[Figure: vBond between the vManage/vSmart controllers and the WAN Edge routers in cloud, data center, campus, branch and SOHO sites over MPLS, INET and 4G transports, with APIs for vAnalytics and 3rd-party automation.]
Cisco vBond:
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP address [could sit behind 1:1 NAT]
• Highly resilient
Control Plane
[Figure: Cisco vSmart controllers with vManage and APIs.]
Data Plane
[Figure: physical/virtual WAN Edge routers.]
Management Plane
Device Identity
Malware in IOS is a Real Threat
Malware: 6 observed variants
• Incident 0: static infection; crypto (DH keys)
• Incident 1: static infection; crypto (DH keys)
• Incident 2: runtime infection; C&C; data exfiltration
• Incident 3: runtime infection; C&C; data exfiltration; line cards
• Incident 4: runtime infection; C&C; multi-arch; data exfiltration; ROMMON; modular
• Synful Knock: static infection; C&C; modular
Cisco Trust Anchor Module (TAm)
• Anti-tamper chip design
• Built-in crypto functions
• Secure storage
[Figure: the TAm provides crypto functions, tamper-proof storage, secure boot measurements and the SUDI.]
Platform Integrity: TPM and TAm Compared (For Your Reference)
[Figure: feature comparison covering anti-tamper design, crypto engine, non-volatile secure storage, random number generation, key storage, and policy & configuration.]
TAm:
§ Provides end-user and supply chain protections
§ For specialized network devices
TPM:
§ Focused on providing end-user capabilities
§ For general purpose computing
Secure Unique Device Identification (Secure – UDI)
• Tamperproof ID for the device
Whitelisting SDWAN Edge router
[Figure: the SDWAN Edge list (installed certificate serial) uploaded to vManage and shared with vSmart and vBond gives each edge an identity and a trust state of Valid, Invalid or Staging.]
Router Identity
During Manufacturing
Cloud Router Identity
Device certificate(s) signed by vManage (if cluster, each member signs):
• OTP/Token is generated by vManage
  - One per (chassis ID, serial number) in the uploaded WAN Edge list
• OTP/Token is supplied to the Cloud router in Cloud-Init during the VM deployment
  - Can activate from CLI post VM deployment
• vManage signs certificate(s) for the Cloud router post OTP/Token validation
  - If vManage cluster, each member signs
  - vManage removes the OTP to prevent reuse
Root chain (in software):
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
• Alternatively, an Enterprise root CA chain of trust can be used to validate Control Plane elements
  - Can be provided in Cloud-Init
Control Plane Trust and Whitelisting
Zero-Trust Automated Identity Provisioning
[Figure: administrator-defined controller white-list on vManage; vManage, vSmart and vBond each hold the root certificate.]
Establishing Control Elements Identity
1. Private and public keys are generated on the control element
[Figure: steps 1 to 3; only step 1 is legible.]
Establishing Control Elements Identity – Cisco PKI 19.1
[Figure: vManage, vSmart, vBond and the SD-WAN Edge each hold a DigiCert-signed certificate and the DigiCert root certificate; control connections run over DTLS/TLS tunnels.]
Encryption/hash algorithm: AES256-GCM (non-configurable)
DDoS Protection for Controllers
Authenticated sources (vBond, vSmart, vManage, SDWAN Edge) – control plane policing:
§ 500pps per flow
§ 10,000pps
Unknown sources (unknown vSmart/vManage, other) – deny except: DHCP, DNS, ICMP, NETCONF
Note: vBond control plane policing is the same as SDWAN Edge
DDoS Protection for SDWAN Edge Routers
Authenticated sources: vBond, vSmart, vManage
Explicitly defined sources: Cloud Security
Unknown sources (other) – deny except:
1. Return packets matching a flow entry (DIA enabled)
2. Response packets of DHCP, DNS
3. ICMP
* Can manually enable: SSH, NETCONF, NTP, OSPF, BGP, STUN
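The implicit-deny behaviour listed above, modelled as a small stateful filter. This is an added example, not Cisco code: the controller addresses, the edge's transport address, the port numbers and the packets are constructed, and the real implementation keys on authenticated DTLS sessions rather than on bare source addresses.

```python
"""Model of the WAN Edge transport-side implicit-deny behaviour.
Added example (not Cisco code): accept traffic from authenticated controllers
and explicitly defined sources, return packets of flows the edge opened,
DHCP/DNS responses and ICMP; drop everything else unless a service has been
manually enabled. Addresses and ports below are constructed."""
from dataclasses import dataclass, field

DNS_PORT, DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 53, 67, 68
# Services the slide says can be manually enabled (assumed standard ports).
ENABLEABLE_SERVICES = {"ssh": 22, "netconf": 830, "ntp": 123, "bgp": 179, "stun": 3478}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp" or "ospf"
    sport: int = 0
    dport: int = 0


@dataclass
class EdgeTransportFilter:
    authenticated: set                            # vBond/vSmart/vManage addresses
    explicit: set = field(default_factory=set)    # e.g. a cloud security service
    enabled: set = field(default_factory=set)     # names from ENABLEABLE_SERVICES or "ospf"
    flows: set = field(default_factory=set)       # 5-tuples of flows the edge initiated
    dhcp_pending: bool = False                    # a DHCP request went out, reply expected

    def outbound(self, pkt: Packet) -> None:
        """Record a flow initiated by the edge or by a DIA client behind it."""
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        if pkt.proto == "udp" and pkt.dport == DHCP_SERVER_PORT:
            self.dhcp_pending = True

    def inbound(self, pkt: Packet) -> tuple:
        """Return (action, reason) for a packet arriving on the transport side."""
        if pkt.src in self.authenticated:
            return ("accept", "authenticated source")
        if pkt.src in self.explicit:
            return ("accept", "explicitly defined source")
        # 1. return packets matching a flow entry (DIA-enabled traffic)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return ("accept", "return packet of existing flow")
        # 2. response packets of DHCP and DNS
        if (pkt.proto == "udp" and pkt.sport == DHCP_SERVER_PORT
                and pkt.dport == DHCP_CLIENT_PORT and self.dhcp_pending):
            return ("accept", "DHCP response")
        if (pkt.proto == "udp" and pkt.sport == DNS_PORT
                and any(f[2] == pkt.src and f[3] == DNS_PORT for f in self.flows)):
            return ("accept", "DNS response")
        # 3. ICMP
        if pkt.proto == "icmp":
            return ("accept", "ICMP")
        # * manually enabled services
        enabled_ports = {ENABLEABLE_SERVICES[n] for n in self.enabled if n in ENABLEABLE_SERVICES}
        if pkt.proto in ("tcp", "udp") and pkt.dport in enabled_ports:
            return ("accept", "manually enabled service")
        if pkt.proto == "ospf" and "ospf" in self.enabled:
            return ("accept", "manually enabled service")
        return ("drop", "unknown source")


if __name__ == "__main__":
    edge = EdgeTransportFilter(authenticated={"198.51.100.10"})   # constructed vSmart
    edge.outbound(Packet("192.0.2.1", "203.0.113.7", "tcp", 40000, 443))   # DIA flow
    print(edge.inbound(Packet("203.0.113.7", "192.0.2.1", "tcp", 443, 40000)))
    print(edge.inbound(Packet("203.0.113.9", "192.0.2.1", "tcp", 50000, 22)))
```

Note the order of checks mirrors the slide: an unsolicited inbound SSH connection is dropped until SSH is added to the enabled set, while the reply to a flow the edge itself opened is accepted because it matches an existing flow entry.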
Secure Control Plane
Network-wide Control Plane
Cisco SD-WAN:
• Data plane + local control plane
• O(n) control complexity
• High scale
Traditional network:
• Integrated control and data plane
• O(n^2) control complexity
• Limited scale
Overlay Management Protocol (OMP)
[Figure: vSmart at the center of the OMP sessions with the WAN Edges.]
Transport Locators (TLOCs)
• WAN Edges advertise their local TLOCs (System IP, Color, Encap) to the vSmarts (default)
• vSmarts advertise the TLOCs to all WAN Edges* (default), which yields a full-mesh SD-WAN fabric
Secure Data Plane
SD-WAN Fabric Operation Walk-Through
OMP update from vSmart (over the DTLS/TLS tunnel):
§ Reachability – IP subnets, TLOCs
§ Security – encryption keys
§ Policy – data/app-route policies
[Figure: two WAN Edges exchange OMP updates with the vSmart, build IPsec tunnels with BFD across Transport1 and Transport2, and carry VPN1/VPN2 subnets (A, B, C, D) learned from BGP, OSPF, connected and static routes.]
Data Plane Privacy
§ Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes
§ Encryption keys are per-transport
§ Symmetric encryption keys used asymmetrically
§ Can be rapidly rotated
[Figure: Edge-A, Edge-B and Edge-C each generate their session keys locally (Encr-Key1 to Encr-Key4, one per transport) and distribute them to the vSmart controllers in OMP updates.]
IPSec Pairwise Keys
[Figure: Edge-A, Edge-B and Edge-C with per-peer keys.]
• AB – A's encryption key for B; BA – B's encryption key for A
• AC – A's encryption key for C; CA – C's encryption key for A
• PWK is disabled by default
Data Plane Integrity
§ vBond discovers the WAN Edge public IP address, even if it traverses NAT
§ vBond communicates the public IP to the WAN Edge
§ WAN Edge computes the AH value based on the post-NAT public IP
§ Packet integrity (+IP headers) is preserved across NAT
[Figure: OMP updates from the WAN Edges to the vSmart controllers; Transport1 between the two WAN Edges.]
[Figure: interfaces and VLANs for VPN1, VPN2 and VPN3 on the ingress WAN Edge mapped into per-VPN IPsec tunnels across the SD-WAN fabric to the egress WAN Edge.]
• Segment connectivity across the fabric w/o reliance on the underlay transport
• WAN Edge routers maintain a per-VPN routing table
• Labels are used to identify the VPN for destination route lookup (RFC 4023)
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
SDWAN VPNs and Security Zoning
[Figure: service VPNs (VPNn) with their interfaces and sub-interfaces form the trust zone; the transport VPN (VPN0) with its MPLS and Internet interfaces and sub-interfaces forms the untrust zone.]
Local SD-WAN Fabric Secure Perimeter
Fabric security:
• Centralized data policy is defined on vManage and distributed by the vSmart controllers
• Centralized data policy matches on application traffic of interest
  - DPI or 6-tuple matching
• Centralized data policy takes the drop action to block unwanted traffic
  - Can log
[Figure: centralized data policy (vManage to vSmart) and localized data policy on the WAN Edge.]
Regional Secure Perimeter – Multiple Services
• Service nodes (FW, IDS) are connected to an SDWAN Edge
  - Directly or via IPsec IKE v1/v2
  - Routed or bridged
• Service nodes can be connected to different SDWAN Edge routers
  - Can be in different sites
[Figure: the service advertisement* reaches the vSmart via OMP; policy (+ service) determines the traffic path through the service node.]
Threat Landscape
• Cyber warfare
• Nation-state sponsored
• Organized crime / targeted attacks
• Ransomware
• Sextortion
• Financially motivated
Types of Threats
• Security bug / vulnerability
  - e.g.: Heartbleed, SMBv1 vulnerability, IKEv1 vulnerability, SQL injection, buffer overflow, cross-site request forgery, cross-site scripting (XSS)
• Malware
  - Viruses, worms, trojans
  - Phishing, adware, spyware, scareware
  - Keyloggers, backdoors, exploits, rootkits
• Botnets
  - e.g.: LinkedIn attack (Aug 2016), Deutsche Telekom (Nov 2016)
High Profile Incidents and their Targets
Combining Best of Breed in Security and SD-WAN
What is Cisco SD-WAN Security?
• Enterprise Firewall: +1400 layer 7 apps classified
• Cisco URL-Filtering: web reputation score using 82+ web categories
• Adv. Malware Protection: with file reputation and sandboxing
[Figure: Cisco SD-WAN plus Security.]
Direct Internet Access
SD-WAN Security Use Cases
• Use case: Direct Internet Access
• Use case: Guest Services
• Use case: Industry Compliance
Security Policy
1. Build objects: lists, ZBFW policy, IPS policy
2. Create security policy
[Screenshots: vManage security policy wizard (Lists, ZBFW Policy, IPS Policy).]
4. Apply security policy to device template (configuration change update)
Enterprise App Aware Firewall
[Figure: WAN Edge with an inside zone (users, devices) and a guest zone, with SaaS access.]
• PCI compliance
• HSL logging (Netflow log export) for SIEM
Ent. Firewall App Aware: Intra-Zone Security
[Figure: hosts in Zone1/VPN1 behind both WAN Edges communicating across the SD-WAN fabric.]
Action: D / I / P
• D – Drop
• I – Inspect
• P – Pass
Ent. Firewall App Aware: Inter-Zone Security
[Figure: hosts in Zone1/VPN1 and Zone2/VPN2 across the SD-WAN fabric, with VPN1-VPN2 route leaking via vSmart.]
Action: D / I / P
• D – Drop
• I – Inspect
• P – Pass
vManage - Ent FW App Aware - Configuration
[Screenshots: vManage configuration of the Enterprise Firewall with App Awareness policy (For Your Reference).]
Ent Firewall with Zone Policy - CLI rendered (For Your Reference)
On-site Services
• PCI compliance
vManage - Intrusion Prevention
Intrusion Prevention – CLI rendered (For Your Reference)
Intrusion Prevention - Overview (For Your Reference)
URL Filtering
URL filtering: requests for "risky" domains
Order of operation: White/Black List >> Category >> Reputation
[Figure: requests for www.abc.com and www.xyz.com evaluated in that order.]
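The order of operation stated above, written out as a decision function. This is an added example, not Cisco code: the allow/block patterns, the category feed, the reputation scores and the threshold are all constructed, and a real deployment takes category and reputation from the cloud lookup rather than from in-memory tables.

```python
"""Order-of-operation model for URL filtering: explicit allow/block lists first,
then category, then reputation. Added example (not Cisco code); every table
below is constructed."""
from dataclasses import dataclass
import re

# Constructed regex patterns, mirroring the parameter-map style of the CLI.
ALLOW_PATTERNS = [r"^www\.corp\.example$"]
BLOCK_PATTERNS = [r"^www\.bad\.example$", r"^.*\.invalid$"]
# Constructed category and reputation feeds (a real device asks the cloud).
BLOCKED_CATEGORIES = {"malware", "phishing", "gambling"}
CATEGORY_FEED = {
    "www.casino.example": "gambling",
    "www.news.example": "news",
    "www.corp.example": "gambling",   # deliberately mis-categorised to show list precedence
}
REPUTATION_FEED = {"www.news.example": 70, "www.shady.example": 15}
REPUTATION_THRESHOLD = 40            # constructed: block when the score is below this


@dataclass(frozen=True)
class Verdict:
    action: str    # "allow" or "block"
    stage: str     # stage that decided: allowlist, blocklist, category, reputation, default
    reason: str


def _matches(host: str, patterns) -> bool:
    return any(re.match(p, host) for p in patterns)


def url_filter_verdict(host: str) -> Verdict:
    host = host.lower().strip(".")
    # Stage 1: explicit white/black lists win over everything else.
    if _matches(host, ALLOW_PATTERNS):
        return Verdict("allow", "allowlist", "explicit allow-list match")
    if _matches(host, BLOCK_PATTERNS):
        return Verdict("block", "blocklist", "explicit block-list match")
    # Stage 2: category lookup.
    category = CATEGORY_FEED.get(host)
    if category in BLOCKED_CATEGORIES:
        return Verdict("block", "category", f"category '{category}' is blocked")
    # Stage 3: reputation score; hosts without a score fall through to the default.
    score = REPUTATION_FEED.get(host)
    if score is not None and score < REPUTATION_THRESHOLD:
        return Verdict("block", "reputation", f"reputation {score} below {REPUTATION_THRESHOLD}")
    return Verdict("allow", "default", "no rule matched")


if __name__ == "__main__":
    for h in ("www.corp.example", "www.casino.example", "www.shady.example", "www.news.example"):
        print(h, url_filter_verdict(h))
```

The mis-categorised corporate host shows why the list stage comes first: an explicit allow-list entry is honoured even when the category feed would otherwise block the domain, so allow-list entries need the same change control as firewall exceptions.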
vManage - URL Filtering
URL Filtering – CLI rendered (For Your Reference)
Step 1 Configure virtual service
  app-hosting install appid utd package bootflash:utd.tar
Step 2 Configure Port Groups
  interface VirtualPortGroup0
   description Management interface
   vrf forwarding 65529
   ip address 192.168.1.1 255.255.255.252
  interface VirtualPortGroup1
   description Data interface
   ip address 192.0.2.1 255.255.255.252
Step 3 Activate virtual service and configure
  iox
  app-hosting appid utd
   app-vnic gateway0 virtualportgroup 0 guest-interface 0
    guest-ipaddress 192.168.1.2 netmask 255.255.255.252
   app-vnic gateway1 virtualportgroup 1 guest-interface 1
    guest-ipaddress 192.0.2.2 netmask 255.255.255.252
   app-resource package-profile urlf-low
   start
Step 4 Configure (optional) white and black list
  parameter-map type regex wlist1
   pattern www.google.com
   pattern www.cisco.com
  parameter-map type regex blist1
   pattern www.exmaplehoo.com
   pattern www.bing.com
Step 5 Configure block page
  web-filter block page profile block-URL-FILTER-POLICY
   text "WHAT ARE YOU DOING??!!!"
DNS/Web-layer Security
DNS/web-layer security – Cisco Umbrella
• Block malware, phishing and non-compliant domain requests
• Supports DNSCrypt
• Local domain bypass
• TLS decryption
• Intelligent proxy
• VPN aware
[Figure: users and devices send DNS requests to Umbrella; safe requests are resolved and blocked requests are denied.]
Umbrella data centers co-located at major IXPs
• >31 data centers worldwide
DNS/web-layer Security - Solution Overview
[Figure: the WAN Edge forwards the DNS request (1) to Cisco Umbrella; safe requests proceed to the web servers, blocked requests are denied.]
vManage – DNS/web-layer Security
[Screenshots: vManage DNS/web-layer security policy configuration (For Your Reference).]
Cisco Umbrella for SD-WAN
Content Filtering (For Your Reference)
DNS/web-layer security (Umbrella):
• Comes with Umbrella at DNA-E/A (no enforcement, only monitoring)
• Enforcement with Umbrella Insights in DNA-P
URL filtering:
• Comes with DNA Advantage
• Comes as part of the embedded security in an IOS-XE SD-WAN Cisco router with 8GB memory
Advanced Malware Protection and Threat Grid
[Figure: AMP and ThreatGrid.]
Advanced Malware Protection (AMP)
1. Snort file pre-processor on the device identifies the file download
2. Computes SHA256, looks it up in the local cache
3. If no response is found, sends it to the AMP cloud
4. AMP cloud gives a response (malicious, unknown, clean)
Comprehensive Malware Protection (AMP & TG)
1. If the response from AMP is unknown, the WAN Edge checks for active content
2. If active content is found, and the config allows for export, the WAN Edge sends it to Threat Grid for sandboxing
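The AMP lookup and the Threat Grid hand-off from the two slides above, combined into one flow. This is an added example, not Cisco code: the sample files, the AMP-cloud reputation table, the active-content heuristic and the caching rule (only definitive verdicts are cached) are all constructed assumptions; the real device identifies downloads with the Snort file pre-processor and uses a much broader active-content check.

```python
"""AMP + Threat Grid decision flow: SHA-256 the download, consult the local
cache, fall back to the AMP cloud, and send unknown files with active content
to the sandbox when export is allowed. Added example (not Cisco code); the
files, cloud table and heuristic below are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample downloads: a plain PDF, a macro-enabled document, a PE image.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF",
    "invoice.docm": b"PK\x03\x04 [Content_Types].xml word/vbaProject.bin ...",
    "tool.exe": b"MZ\x90\x00\x03\x00\x00\x00 constructed PE bytes",
}

# Constructed stand-in for the AMP cloud: reputation keyed by SHA-256.
AMP_CLOUD_REPUTATION = {
    sha256_hex(SAMPLE_FILES["report.pdf"]): "clean",
    sha256_hex(SAMPLE_FILES["tool.exe"]): "malicious",
}


def has_active_content(data: bytes) -> bool:
    """Stand-in for the WAN Edge's active-content check (assumption: the real
    check is signature-based and broader). Flags Office macros and PE images."""
    return b"vbaProject.bin" in data or data[:2] == b"MZ"


class AmpInspector:
    def __init__(self, cloud=None, export_allowed=True):
        self.cloud = AMP_CLOUD_REPUTATION if cloud is None else cloud
        self.export_allowed = export_allowed   # "config allows for export"
        self.cache = {}                        # local SHA-256 -> verdict cache
        self.sandbox_queue = []                # (name, sha256) sent to Threat Grid

    def inspect(self, name: str, data: bytes) -> dict:
        """Called once per download identified by the file pre-processor (step 1)."""
        digest = sha256_hex(data)                        # step 2: compute SHA256 ...
        if digest in self.cache:                         # ... and check the local cache
            verdict, source = self.cache[digest], "cache"
        else:                                            # step 3/4: ask the AMP cloud
            verdict, source = self.cloud.get(digest, "unknown"), "cloud"
            if verdict != "unknown":                     # assumption: cache only definitive verdicts
                self.cache[digest] = verdict
        sandboxed = False
        # TG steps 1 and 2: unknown + active content + export allowed -> sandbox
        if verdict == "unknown" and has_active_content(data) and self.export_allowed:
            self.sandbox_queue.append((name, digest))
            sandboxed = True
        return {"file": name, "sha256": digest, "verdict": verdict,
                "source": source, "sandboxed": sandboxed}


if __name__ == "__main__":
    inspector = AmpInspector()
    for name, data in SAMPLE_FILES.items():
        print(inspector.inspect(name, data))
    print("sent to sandbox:", inspector.sandbox_queue)
```

A malicious verdict never reaches the sandbox branch, and a file without active content stays "unknown" on the device; the export switch is the policy control that decides whether unknown active content leaves the network for analysis.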
vManage – AMP + ThreatGrid
AMP + ThreatGrid – CLI rendered (For Your Reference)
Snort IPS/IDS, URL Filtering & AMP Architecture (For Your Reference)
[Figure: Snort runs in an LXC alongside IOSd and the App-Hosting Manager on the Linux OS (control plane); the container attaches through a management VPG and a traffic VPG (virtual port groups) to the data plane traffic path.]
- IPS, AMP & URL filtering services run in a Linux Container (LXC), using control plane resources
- Traffic is punted to the container using a Virtual Port Group (VPG) interface
- Reserved CPU and memory for the container process enables deterministic performance
SD-WAN Security Support (For Your Reference)
Platforms/Features | Ent FW | Ent FW App Awareness | IPS/IDS | URL Filtering | AMP/TG | DNS/web-layer Monitoring
Viptela (100, 1000, 2000 and 5000)* | Y | DPI using Qosmos** | N/A | N/A | N/A | Y
Cisco CSR | Y | Y | Y | Y | Y | Y
Cisco ENCS (ISRv) | Y | Y | Y | Y | Y | Y
Cisco ISR4K (4451, 4431, 4351, 4331, 4321, 4221-X) | Y | Y | Y | Y | Y | Y
Cisco ISR1K (1111X-8P) | Y | Y | Y | Y | Y | Y
Cisco ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X)*** | Y | Y | N/A | N/A | N/A | Y
Security App Hosting Profile & Resources (For Your Reference)
[Figure: CPU core allocation between I/O, packet-processing engine (PPE) cores, service (SVC) cores for the container, crypto and Linux.]
Security App Hosting Profile & Resources
[Figure: feature order in the data plane. LAN to WAN (ingress G0/0, egress G0/1): (1) IP destination lookup, (2) NBAR, (3) security (FW, IPS, URL-F, AMP, DNS-layer security, NAT), (4) VFR, (5) CEF. WAN to LAN (ingress G0/1, egress G0/0): DNS layer, VFR, NAT, security (FW, IPS, URL-F, AMP, NBAR), CEF.]
Life of a Packet: From LAN to WAN (For Your Reference)
[Figure: LAN interface -> IP destination lookup -> SDWAN data policy -> NBAR -> FNF first -> app-route policy -> DNS redirect -> process & OCE walk -> output; then, color-coded by LAN, tunnel and WAN interface: ACL -> FW -> UTD -> MPLS label add -> tunnel encap -> FW -> UTD -> NAT -> pre-route -> IPsec encrypt (transport mode) -> Layer 2 encap -> ACL -> DNS crypt -> FNF last -> TX. UTD order: IPS -> URL-F -> AMP/TG.]
[Figure: reverse direction. WAN interface -> IP destination lookup -> SDWAN NAT -> SDWAN WAN filter -> IPsec for-us -> decrypt -> process & OCE walk -> output; then MPLS label lookup -> MPLS transition to IP VRF -> IP destination lookup in VRF -> NBAR -> FNF first -> app-route policy -> process & OCE walk -> output -> FW -> UTD -> L2 encap -> ACL -> FNF last -> TX. UTD order: IPS -> URL-F -> AMP/TG.]
[Figure: topology with remote sites, DIA via ISP A and ISP B, a regional hub/colo (POP1, POP2, regions 1 and 2) and the data center across the SD-WAN fabric.]
Secure Management
vManage authentication methods:
• Local database / RADIUS / TACACS
• Single Sign-On
RBAC
RBAC by VPN Feature
Admin user:
• Create VPN dashboards:
  - Create/discover VPN segments in a network
  - Create VPN groups
  - New VPN dashboard for each VPN group
• Create users with VPN group access:
  - Link user group to VPN group
  - Create users with access to VPN group
[Screenshots: vManage admin dashboard (full access) versus a VPN dashboard (restricted access) for the sample tenant "Dana Airways"; VPN dashboard view with application status; monitoring per VPN network.]
Cisco DNA Licensing for SD-WAN
Simplified packaging
DNA Essentials:
• Standard SD-WAN use-cases (<50 sites)
• Application-based SLA
• Rich services – integrated voice and WAN Opt(4)
• Voice optimization
DNA Advantage (includes Essentials):
• Cloud-scale SD-WAN use-cases
• Malware protection and URL-filtering(2)
• Application optimization for multi-cloud
• Branch security with firewall and IPS
• WAN automation and ease of management
• Analytics for performance and troubleshooting
DNA Premier (includes Advantage):
• Advanced cloud security use-cases
• Comprehensive malware protection w/ sandboxing
• Umbrella Insights
• Multi-domain end-end policy and segmentation(3)
(1)(2)(3)(4) Capabilities supported only on ISR and CSR
Demo
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• All surveys can be taken:
  – Cisco Live Mobile App
  – Logging in to the Session Catalog: https://reg.rainfocus.com/flow/cisco/cllatam19/adash/page/dashboard
Continue your education: demos in the Cisco campus
Thank you