DGTL BRKRST 2377


SD-WAN Security
Kureli Sankar - Manager, Technical Marketing
CCIE Security #35505
@jmckg
DGTL-BRKRST-2377

About Kureli Sankar
• BS in Electrical and Electronics Engineering
• 2006 – 2013 TAC Engineer
• CCIE Security #35505
• 2013 – 2018 TME
• 2019 – Present TME Manager
• Areas of expertise: IOS and IOS-XE security features, SD-WAN Security solutions
• 2018 - Distinguished Speaker Cisco Live (EUR and ANZ)

#CiscoLive DGTL-BRKRST-2377 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Secure Infrastructure
• Device Identity
• Secure Control Plane
• Secure Data Plane
• Secure Branch
• Multi-layer Security
• Ent Firewall App Aware
• Intrusion Prevention
• URL - Filtering
• DNS/Web-layer Security
• Advanced Malware Protection + Threat Grid
• What is new in 17.2.1r?
Introduction
It’s a Multicloud World
[Figure: Devices & Things, Mobile Users and Campus & Branch Users connect over the WAN to IaaS, SaaS and the DC/Private Cloud]
Internet Connectivity Becomes Business Critical
[Figure: DC/Private Cloud, Campus (x2-5), Branches (x100+) and Mobile Users (x1000s) connecting directly to SaaS and IaaS]
• Exposure to cyber threats
• Inconsistent user experience
• Increasing complexity
• More users, things and applications, everywhere
SD-WAN exposes new security challenges
Policy gaps expand the attack surface; direct Internet access exposes ingress points; the network must defend against bad destinations and data breaches.

Outside-in threats (cloud edge with no security): ingress points are exposed as traffic is no longer backhauled to the data center
• Unauthorized access
• Denial of service attacks
• Ransomware

Inside-out threats (basic or no existing WAN security): users and devices request access to infrastructure and applications
• Malware and infection
• Command & control
• Phishing attacks
• Untrusted users/devices

Internal threats (WAN edge security): traffic must be encrypted and access must be segmented end to end
• Untrusted access
• Lateral movement
• Compliance
• Man-in-the-Middle

[Figure: SaaS, IaaS and Internet at the top; remote and corporate users and devices, IoT, guests and mobile devices at the branch edge of the SD-WAN fabric; critical infrastructure in the data center & campus]
Comprehensive SD-WAN security
Simplified secure cloud connections, enterprise-grade internal security, security embedded.
Full edge SD-WAN security: an Internet security stack covering outside-in, inside-out and internal threats.

Secure Cloud Edge
• Umbrella’s Secure Internet Gateway protects users and devices and protects data sent to and from the cloud
• Duo’s Multi-Factor Authentication verifies that only trusted users and devices access cloud and on-prem apps

End to end threat defense and segmentation
• Stop breach propagation, enforce regulatory compliance, and promote network (and application) layer security
• Zero-trust authentication and full payload encryption between routers

Secure WAN Edge
• Mitigate external security risks with integrated firewall and intrusion prevention embedded in the WAN edge, plus URL filtering and malware sandboxing for inside-out security
• Single console to manage routing and security
• Shortest time to threat detection at the full-stack router edge, powered by Talos
• Mitigate internal security risks with a secure SD-WAN fabric with simple or flexible routing configurations

[Figure: SaaS and IaaS; remote devices, corporate software, thin or rich users and devices, IoT users, guests and mobile devices; branch routers on the SD-WAN fabric; critical infrastructure in the data center & campus]
What is SD-WAN
Software Defined WAN is a new, user-friendly approach to centrally provision, manage, monitor, report on and troubleshoot WAN edges.
• Lowers Operational Cost
• Increases Application Performance across the WAN
• Improves Quality of Experience
• Offers Security and Data Privacy
Secure Infrastructure
Cisco SD-WAN Architecture

Orchestration Plane (vBond)
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal

Management Plane (vManage)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs (3rd party automation, vAnalytics)

Control Plane (vSmart Controllers)
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies

Data Plane (WAN Edge Routers)
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric over any transport (4G, MPLS, INET)
• Implements data plane policies
• Exports performance statistics

Deployed in Cloud, Data Center, Campus, Branch and CoLo.
High level view of ordering and on-boarding
• Smart Account or Virtual Account details specified on the order (Cisco Commerce Workspace) are used for overlay creation
• The device list is passed to the PnP Cloud Service (Smart Account automation)
• A vBond controller profile is added and associated with the Org-Name
• vManage syncs the Smart Account and the device list is pushed to vManage
[Figure: Cisco Commerce Workspace, Smart Account and PnP Cloud Service feeding vManage, vBond and the WAN Edge; roles shown for Service Provider, Customer and End Customer]
Device Identity and Integrity
Key Trustworthy Technologies

Secure Boot of Signed Images
▪ Prevents malicious code from booting on a Cisco platform
▪ Automated integrity checks
▪ Monitors startup process and shuts down if compromised

Trust Anchor module (TAm)
▪ Tamper-resistant chip with X.509 cert installed at manufacturing
▪ Provides unique device identity and anti-counterfeit protections
▪ Secure, non-volatile on-board storage and RNG/crypto services
▪ Enables zero-touch provisioning and minimizes deployment costs

Runtime Defenses (RTD)
▪ Protects against injection of malicious code into running software
▪ Makes it harder for attackers to exploit vulnerabilities in running software
▪ Runtime technologies include ASLR, BOSC, and X-Space
▪ Faster identification of threats

Trustworthy technologies enhance the security and resilience of Cisco solutions
History of Malware Found on Cisco IOS Devices

Incident 0 (discovered 2011)
• Device(s) affected: Cisco 2800 and 3800 families
• Infection method: modifications to IOS binary
• Remote detectability: via crypto analysis
• Preventions to be taken: Trust Anchor technology, Secure Boot, & image signing
• Complexity level: Low

Incident 1 (discovered 2012)
• Device(s) affected: Cisco 2800 and 3800 families
• Infection method: modifications to IOS binary
• Remote detectability: via crypto analysis
• Preventions to be taken: Trust Anchor technology, Secure Boot, & image signing
• Complexity level: Low

Incident 2 (discovered 2013)
• Device(s) affected: Cisco 7600 IOS & line cards
• Infection method: modification of in-memory IOS
• Remote detectability: C2 protocol
• Preventions to be taken: strong admin credentials & authorization
• Complexity level: Medium

Incident 3 (discovered 2013)
• Device(s) affected: Cisco 7600 IOS & line cards
• Infection method: modification of in-memory IOS
• Remote detectability: C2 protocol
• Preventions to be taken: strong admin credentials & authorization
• Complexity level: Medium

Incident 4 (discovered 2014)
• Device(s) affected: Cisco 1800, 3800, 7200 IOS & ROMMON
• Infection method: modification to both ROMMON and in-memory code
• Remote detectability: not directly
• Preventions to be taken: Secure Boot, Trust Anchor technologies + image signing
• Complexity level: High

Incident 5 “SYNful Knock” (discovered 2015)
• Device(s) affected: Cisco 1841, 2811, 3825
• Infection method: modifications to IOS binary
• Remote detectability: yes
• Preventions to be taken: strong admin credentials, Secure Boot, image signing
• Complexity level: Low
Secure (UDI) = SUDI

C4331#show license udi

SlotID PID SN UDI
-----------------------------------------------------------------
* ISR4331/K9 FDO21XXXXXX ISR4331/K9:FDO21XXXXXX
Secure Unique Device Identification (Secure – UDI)
• Tamperproof ID for the device
• Binds the hardware identity (PID and serial number) to a key pair in a cryptographically secure X.509 certificate during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR Compliant
Image Signing: Integrity & Non Repudiation
1. The software image is hashed with SHA-512 into a unique 64-byte object.
2. The hash is encrypted with Cisco’s PRIVATE key.
3. The resulting digital signature, with the hash appended, is attached to the final image.
4. The customer downloads the image onto the device.
5. Validation check at the customer site: Cisco’s public key stored on the router is used to decrypt the digital signature, which is then compared with a fresh SHA-512 hash of the image.
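The five-step check above, as an added educational model rather than Cisco’s code or image format: the image is hashed with SHA-512, the hash is signed with textbook RSA (sign = h^d mod n, verify = s^e mod n == h, which is exactly the “encrypt the hash with the private key” description on the slide), and the signature is appended to the image. The container layout (image || signature || 4-byte signature length), the deterministic demo key and the sample image bytes are assumptions of this example; real images use PKCS#1 padding and Cisco’s own layout.

```python
"""Image-signing check from the slide, as an added educational model: SHA-512 of the
image, textbook RSA over the hash, and a constructed container layout of
image || signature || 4-byte signature length. Not Cisco's code or image format."""
import hashlib
import random
import struct


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for a demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=768, seed=2377):
    """Return ((n, e), (n, d)). Deterministic seed so the demo is repeatable; the
    modulus is larger than a SHA-512 digest, which textbook RSA requires."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def sign_image(image, private_key):
    """Steps 1-3: hash the image (64-byte SHA-512), encrypt the hash with the
    private key, and append the signature to the final image."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha512(image).digest(), "big")
    sig = pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return image + sig + struct.pack(">I", len(sig))


def verify_image(signed, public_key):
    """Step 5 (on the router): split off the signature, decrypt it with the stored
    public key and compare with a fresh SHA-512 of the image. Returns (ok, image)."""
    n, e = public_key
    if len(signed) < 4:
        return False, b""
    sig_len = struct.unpack(">I", signed[-4:])[0]
    if sig_len == 0 or len(signed) < sig_len + 4:
        return False, b""
    image, sig = signed[:-sig_len - 4], signed[-sig_len - 4:-4]
    recovered = pow(int.from_bytes(sig, "big"), e, n)
    expected = int.from_bytes(hashlib.sha512(image).digest(), "big")
    return recovered == expected, image


def demo():
    """Constructed image bytes (not a real IOS-XE image): a clean download verifies,
    a download with one flipped byte does not. Returns (ok_clean, ok_tampered)."""
    public, private = generate_keypair()
    image = b"constructed demo image payload " * 64
    signed = sign_image(image, private)
    tampered = bytearray(signed)
    tampered[10] ^= 0x01
    return verify_image(signed, public)[0], verify_image(bytes(tampered), public)[0]
```

The point the slide makes is visible in `verify_image`: the router never needs the private key, only the pinned public key, so a modified download fails the comparison even though the attacker could recompute the SHA-512.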
Cisco Secure Boot
Software and Hardware Integrity Checks
Software authenticity checks (Steps 1–4) and hardware authenticity check (Steps 5–6):
Step 1: Microloader (root of trust), stored in tamper-resistant hardware (FPGA); the first instructions run on the CPU
Step 2: Microloader checks the Bootloader
Step 3: Bootloader checks the OS
Step 4: OS launched
Step 5: Authenticity and license checks
Step 6: Trust Anchor module (TAm) provides critical services

Secure boot checks images and verifies that software is authentic and unmodified before it is allowed to boot.
Cisco Router Identity - Physical
During manufacturing a device certificate is installed in the TPM chip; the root chain is held in software.
• Router is identified by the chassis ID and certificate serial number
• Certificate is stored in the on-board Tamper Proof Module (TPM)
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
• Enterprise root CA chain of trust can be used to validate Control Plane elements
Cloud Router Identity - Virtual
Device certificate(s) are signed by vManage (if clustered, each member signs); the root chain is held in software.
• OTP/Token is generated by vManage
• OTP/Token is supplied to the cloud router in cloud-init
• vManage signs certificate(s) for the cloud router
• DigiCert or Cisco root CA chain of trust is used to validate Control Plane elements
Establishing Control Elements Identity
1. Private and public keys are generated on the control element
2. Certificate Signing Request is generated
3. Certificate is signed by Digicert/Cisco
4. Certificate is installed into the control element
5. Control element has a built-in root CA trust chain for Avnet, Digicert and Cisco, used to validate other controllers and WAN Edge routers
6. This process is fully automated within vManage
Control elements: vSmart Controller, vBond Orchestrator, vManage
Establishing Control Elements Identity – Cisco PKI
1. Private and public keys are generated on the control element
2. Certificate Signing Request is generated
3. Certificate is automatically signed by Cisco PnP linked to your Smart Account (when Cisco signing is selected in vManage)
4. Certificate is installed into the control element
5. Control element has a built-in root CA trust chain for Avnet, Digicert and Cisco, used to validate other controllers and WAN Edge routers
6. This process is fully automated within vManage
Control elements: vSmart Controller, vBond Orchestrator, vManage
DDoS Protection for Controllers
Control Plane Policing on vSmart and vManage:
▪ 300 pps per flow
▪ 20,000 pps
Authenticated sources: vBond, vSmart, vManage
Unknown sources (other):
Default permit: DHCP, DNS, ICMP, NETCONF
Optional permit: SSH, NTP, STUN, HTTPS (vManage)
Note: vBond control plane policing is the same as WAN Edge
DDoS Protection for WAN Edge Routers
• Control Plane Policing
 ▪ 300 pps per flow
 ▪ 20,000 pps
• Applies to all WAN Edges
Source classes: authenticated sources (vBond, vSmart, vManage), implicitly trusted sources (SD-WAN IPsec peers), explicitly defined sources (Cloud Security), unknown sources (other)
Default permit:
1. Return packets matching a flow entry (DIA enabled)
2. Response packets of DHCP, DNS
3. ICMP
Optional permit: SSH, NETCONF, NTP, OSPF, BGP, STUN
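A model of the policing described on the last two slides, added here as an illustration and not Cisco’s implementation: a token bucket per (source, service) flow at 300 pps, a second bucket over everything punted to the control plane, and the source classes with their default and optional permits. Treating the 20,000 pps figure as that aggregate limit, the service names and the traffic are assumptions constructed for the example.

```python
"""Control-plane policing model added for the slide (not Cisco's implementation):
token buckets of 300 pps per flow and 20,000 pps overall, with the slide's source
classes and default/optional permits. Treating 20,000 pps as an aggregate limit
over all punted flows is an assumption of this example."""
from collections import defaultdict

PER_FLOW_PPS = 300
AGGREGATE_PPS = 20_000


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to a burst of `rate`."""

    def __init__(self, rate):
        self.rate = rate
        self.tokens = float(rate)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ControlPlanePolicer:
    def __init__(self, trusted_sources, optional_permit=()):
        self.trusted = set(trusted_sources)      # authenticated controllers, IPsec peers, cloud security
        self.optional = set(optional_permit)     # e.g. {"ssh", "ntp", "bgp"} when the admin enables them
        self.aggregate = TokenBucket(AGGREGATE_PPS)
        self.flows = defaultdict(lambda: TokenBucket(PER_FLOW_PPS))
        self.counters = defaultdict(int)

    def _admitted(self, pkt):
        """Unknown sources only get the default permits (ICMP, DHCP/DNS responses)
        plus whatever optional services are configured."""
        if pkt["src"] in self.trusted:
            return True
        svc = pkt["service"]
        if svc == "icmp" or (svc in ("dhcp", "dns") and pkt.get("response")):
            return True
        return svc in self.optional

    def process(self, pkt):
        if not self._admitted(pkt):
            verdict = "drop:unknown"
        elif not self.flows[(pkt["src"], pkt["service"])].allow(pkt["t"]):
            verdict = "drop:per-flow"
        elif not self.aggregate.allow(pkt["t"]):
            verdict = "drop:aggregate"
        else:
            verdict = "punt"
        self.counters[verdict] += 1
        return verdict


def demo():
    """Constructed traffic (not a capture). Returns verdict counts per scenario."""
    results = {}
    # 1. One authenticated vSmart sends a 1000-packet burst in the same instant:
    #    the 300 pps per-flow bucket punts 300 and drops 700.
    p = ControlPlanePolicer(trusted_sources={"vsmart-1"})
    for _ in range(1000):
        p.process({"src": "vsmart-1", "service": "dtls", "t": 0.0})
    results["single_flow_burst"] = dict(p.counters)
    # 2. 100 IPsec peers at 250 packets each stay under the per-flow limit but
    #    together exceed 20,000 pps, so the aggregate bucket drops the excess.
    p = ControlPlanePolicer(trusted_sources={f"edge-{i}" for i in range(100)})
    for i in range(100):
        for _ in range(250):
            p.process({"src": f"edge-{i}", "service": "ipsec", "t": 0.0})
    results["aggregate_overload"] = dict(p.counters)
    # 3. Unknown source: ICMP and DNS responses are default-permitted, SSH only
    #    because it is in the optional permit set; NTP and a DNS query are not.
    p = ControlPlanePolicer(trusted_sources=set(), optional_permit={"ssh"})
    results["unknown_source"] = [
        p.process({"src": "203.0.113.9", "service": s, "t": 0.0, "response": r})
        for s, r in (("icmp", False), ("dns", True), ("ssh", False), ("ntp", False), ("dns", False))
    ]
    return results
```

The per-flow bucket is what protects a controller from a single noisy peer; the aggregate bucket is what keeps many legitimate peers from exhausting the control plane together. Every optional permit widens what an unknown source can send, so enable only the services the design actually needs.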
Secure Control Plane
Transport Locators (TLOCs)
• Each WAN Edge advertises its local TLOCs (System IP, Color, Encap) to the vSmarts (default)
• vSmarts advertise TLOCs to all WAN Edges* (default), forming a full mesh SD-WAN fabric
* Can be influenced by the control policies
[Figure legend: Transport Locator (TLOC), OMP, IPSec Tunnel]
Secure Data Plane
SD-WAN Fabric Operation Walk-Through
OMP Update, carried between WAN Edge and vSmart over the DTLS/TLS tunnel:
▪ Reachability – IP Subnets, TLOCs
▪ Security – Encryption Keys
▪ Policy – Data/App-route Policies
[Figure: two WAN Edges exchange OMP updates and policies with vSmart; IPsec tunnels with BFD run across Transport1 and Transport2; service-side VPN1/VPN2 subnets A, B, C and D are learned via BGP, OSPF, Connected and Static routes and advertised as TLOCs]
Data Plane Privacy
▪ Each WAN Edge advertises its local IPsec encryption keys as OMP TLOC attributes, through the vSmart controllers
▪ Encryption keys are per-transport (Encr-Key1 and Encr-Key2 on one edge, Encr-Key3 and Encr-Key4 on the other, each generated locally and received by the remote edge over OMP)
▪ Symmetric encryption keys are used asymmetrically
▪ Keys can be rapidly rotated
Packet format: IP | UDP | ESP | Original Packet (encrypted)
DP: AES256-GCM/CBC; CP: AES256-GCM
Pairwise IPSec Keys for SA
[Figure: Edge-A, Edge-B and Edge-C connected over the Internet with vSmart; A’s encryption key for B and A’s encryption key for C are distinct. Legend: LAN, IPSec/GRE, DTLS]
Data Plane Integrity
▪ vBond discovers the WAN Edge public IP address, even if it traverses NAT
▪ vBond communicates the public IP to the WAN Edge
▪ WAN Edge computes the AH value based on the post-NAT public IP
▪ Packet integrity (+IP headers) is preserved across NAT
Packet format: IP (20) | UDP (8) | ESP (36) | Data …, encrypted with AES256-GCM; the control plane is authenticated.
[Figure: Network Address Translation between the WAN Edges on Transport1 and Transport2, with OMP updates to the vSmart controllers]
Combining Best of Breed in Security and SD-WAN
Cisco Security:
• Enterprise Firewall: 1400+ layer 7 apps classified
• Intrusion Protection System: most widely deployed IPS engine in the world
• URL-Filtering: web reputation score using 82+ web categories
• Adv. Malware Protection: with file reputation and sandboxing (TG)
• Secure Internet Gateway: DNS Security/Cloud FW with Cisco Umbrella
• TLS Proxy: detect threats in encrypted traffic
Cisco SD-WAN: hours instead of weeks and months
Secure Branch – Multi-layer security
Multi-layer Security

Firewall and IPS
• Application Control
• Access Control Lists
• Stateful Firewall
• IPS
• TLS decryption

Web Protection
• DNS/Web content filtering
• IP Reputation
• File Reputation
• Anti-malware
• CASB (Cloud Access Security Broker)
• Application Control
• Sandboxing

E-mail security
• Business Email Compromise
• Ransomware
• Malware
• Phishing
• Spam
• Domain Protection
Why SD-WAN Branch Security?
1. Avoid Backhauling. Benefit: better use of WAN bandwidth
2. Benefit from a Regional SaaS PoP. Benefit: improves application performance
3. Enable DIA. Benefit: improves user experience
4. Centralized Policy/Monitoring. Benefit: consistent security policy & monitoring
[Figure: branch with firewall/IPS security reaching SaaS/IaaS/private cloud/Internet directly, with cloud security, instead of via the data center]
Security Deployment models
Flexible Security based on customer needs
• Cloud Security: lean branch with security in the cloud
• Integrated Security: single platform for routing and security at the branch
• Security @ Regional Hub: security services as VNF at a regional co-location hub
Use Case 1: PCI Compliance
[Figure: SD-WAN site with Employee and Point of Sale segments in VPN1; HQ-destined traffic to data center applications and security tools; employee Internet traffic through Ent. FW App Aware and IPS]
Use Cases
• PCI-DSS - Retail stores
• HIPAA - Hospitals/Clinics
• FERPA – Schools/Colleges/Universities
Requirements
• Segmentation
• Perimeter Control
• Intrusion Prevention
Use Case 2: Guest Access
[Figure: Employee (VPN1) and Guest (VPN2) segments; HQ-destined traffic to data center applications and security tools; employee and guest Internet traffic through Ent. FW App Aware, DNS/web layer security and URL Filtering]
Use Cases
• Retail stores
• Hospitals/Clinics
• Schools/Colleges/Universities
Requirements
• Segmentation
• Application Control
• Liability Protection
Use Case 3: Direct Cloud Access
[Figure: Employee (VPN1) and Guest (VPN2) segments; HQ-destined traffic to data center applications and security tools; employee SaaS traffic, employee Internet traffic and guest Internet traffic through Ent. FW App Aware, IPS, DNS/web layer security and URL Filtering]
Use Cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Extranet or partner cloud applications
• Partner Applications
Requirements
• Controlled Redirection
• Application Control
• Intrusion Prevention
• Malware Prevention
Use Case 4: Direct Internet Access
[Figure: Employee (VPN1) and Guest (VPN2) segments; HQ-destined traffic to data center applications and security tools; employee SaaS traffic, employee Internet traffic and guest Internet traffic through Ent. FW App Aware, IPS, DNS/web layer security, URL Filtering and AMP&TG]
Use Cases
• SaaS applications
• Applications in IaaS: AWS/Azure
• Web Conferencing / Social Media
• Video Streaming Applications
Requirements
• Application Control
• Intrusion Prevention
• Malware Prevention
• Web Content Filtering
TLS Decryption (MiTM Proxy) – Solution Overview
Why do you need it?
• More apps/data cloud hosted
• Internet going dark: >80% of Internet traffic is encrypted
• Lack of security control
• Malware hides itself in encrypted traffic

How does it work?
• URL request intercepted
• Server certificate checked
• Proxy re-signs server certificate
• User traffic redirected via proxy
• Decrypt and inspect
• Re-encrypt and send

What does it do?
• Proxy runs a certificate signing authority
• Re-signs server certificate
• Redirects traffic through the security stack
• Enforce security control
• Inspect for malware

[Figure: WAN Edge with interfaces G0/0/0 and G0/0/1; HQ-destined traffic to data center applications; employee Internet traffic passes the proxy in clear text between decryption and re-encryption]
Manage in Edge
Full edge security, cloud or on-prem, with branch router edge flexibility
Single pane of glass: provision, manage, monitor, report, troubleshoot
Embedded
• Ent. Firewall App Aware
• IPS
• URL-Filtering
• AMP and Threat Grid
• TLS Decryption
• DNS/web-layer Security
• Secure Internet Gateway (cloud)
Platforms
• ISR 1K
• ISR 4K
• ENCS (ISRv)
• CSR
• ASR 1K (Ent FW App Aware and DNS/web-layer security)
• vEdges (FW and DNS/web-layer security)
SD-WAN Security: vManage Provisioning Wizard
Configuration > Security
Enterprise App Aware Firewall
Enterprise App Firewall
• Stateful Firewall, Zone Policies
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Drop traffic by application category or specific application
• Segmentation and compliance
• HSL Logging
• Self Zone Policy
• FQDN based firewall policy
[Figure: edge device with an Outside Zone toward the Internet and SaaS, an Inside Zone (Service-VPN 1, users and devices) and a Guest Zone (Service-VPN 2); the inspect policy allows only return traffic to be allowed]
Access Control Lists
Match on: IP Protocol, Port, Source IP, Destination IP
• Network Access Control
• Prevent unauthorized access
• IP or protocol/port level
• No directional control
[Figure: client behind IN - G0/0, webserver and attacker beyond OUT - G0/1. How do we differentiate between webserver response and attacker traffic?]

ip access-list extended IN->OUT
 permit tcp Client any eq 80
ip access-list extended OUT->IN
 permit tcp any eq 80 Client
Stateful Firewall
Match on: Application, Port, IP Protocol, Source IP, Destination IP
• Deep inspection
• Session tracking
• Stateful inspection
• Protocol misbehaviors
• Directional control
• Stricter Layer 4 control
[Figure: firewall between IN - G0/0 and OUT - G0/1; client inside, webserver, attacker and SMTP server outside. The firewall prevents malicious traffic from entering the network by tracking connections.]
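An added illustration, not Cisco’s code, of the question posed on the ACL slide and answered on this one: the OUT->IN list “permit tcp any eq 80 Client” only sees addresses and ports, so it cannot tell a web-server reply from any other packet sourced on port 80, while a firewall that tracks which connections the client opened can. The addresses, the packet model and the session table are constructed for this example.

```python
"""Added illustration (not Cisco's code) of ACL matching versus connection tracking
for the two access lists on the slide. Addresses are constructed documentation ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


CLIENT = "10.1.1.10"          # inside, behind IN - G0/0
WEBSERVER = "198.51.100.20"   # outside, beyond OUT - G0/1
ATTACKER = "203.0.113.66"     # outside, also able to source port 80


def acl_in_to_out(pkt):
    """ip access-list extended IN->OUT: permit tcp Client any eq 80"""
    return "permit" if pkt.src == CLIENT and pkt.dport == 80 else "deny"


def acl_out_to_in(pkt):
    """ip access-list extended OUT->IN: permit tcp any eq 80 Client
    Matches on addresses and ports only; no notion of who opened the connection."""
    return "permit" if pkt.sport == 80 and pkt.dst == CLIENT else "deny"


class StatefulFirewall:
    """Inspect policy: a session is created by an inside-initiated SYN, and only
    packets that belong to an existing session are allowed back in."""

    def __init__(self):
        self.sessions = set()

    def inside_to_outside(self, pkt):
        if acl_in_to_out(pkt) != "permit":
            return "deny"
        if pkt.syn and not pkt.ack:                     # new connection attempt
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def outside_to_inside(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse not in self.sessions:
            return "deny"                               # no inside-initiated session
        if pkt.syn and not pkt.ack:
            return "deny"                               # bare SYN on an open session: protocol misbehaviour
        return "permit"


def demo():
    """Returns (acl verdict, stateful verdict) for a genuine reply and for
    unsolicited port-80 traffic toward the same client."""
    fw = StatefulFirewall()
    fw.inside_to_outside(Packet(CLIENT, 51000, WEBSERVER, 80, syn=True))
    reply = Packet(WEBSERVER, 80, CLIENT, 51000, syn=True, ack=True)
    unsolicited = Packet(ATTACKER, 80, CLIENT, 51000, syn=True)
    return {
        "webserver_reply": (acl_out_to_in(reply), fw.outside_to_inside(reply)),
        "unsolicited_port_80": (acl_out_to_in(unsolicited), fw.outside_to_inside(unsolicited)),
    }
```

Both verdict pairs agree for the genuine reply; they differ for the unsolicited packet, which is the directional control and session tracking the slide lists. A real stateful engine also tracks sequence numbers and flags, which is where the “protocol misbehaviors” bullet comes in.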
Firewall vs Next-Gen Firewall - What’s the difference?
Next-Gen Firewall matches on: Data, URL, Application, IP Protocol, Port, Source IP, Destination IP (trusted and un-trusted zones)

Firewall
• Deep inspection
• Stateful inspection
• Protocol Misbehaviors
• Directional Control
• Stricter Layer 4 Control

Next-Gen Firewall
• Stateful inspection
• Application Layer Gateway
• Application identification by L7 inspection
• User ID/Context based policy
• Intrusion Prevention
• URL/DNS/Web Content Filtering
• Anti-Malware/Anti-Virus
• Advanced logging/alerting
• SIEM Integration
• TLS/SSL Inspection
• Threat Intel. Integration

[Figure: firewall between the client and the webserver, attacker and SMTP server]
Ent. Firewall App Aware: Intra-Zone Security
[Figure: WAN Edge 1 at SD-WAN Site A (Host A and Host B in Zone1/VPN 1) and WAN Edge 2 at SD-WAN Site B (Server A and Server B in Zone1/VPN 1) across the SD-WAN fabric; the policy between Zone1 and Zone1 takes one of the actions D, I or P]
D - Drop, I – Inspect, P – Pass

Ent. Firewall App Aware: Inter-Zone Security
[Figure: Site A has Zone1/VPN 1 and Zone2/VPN 2, Site B has Zone1/VPN 1; the policy between Zone1 and Zone2 takes one of the actions D, I or P]
D - Drop, I – Inspect, P – Pass

Ent. Firewall App Aware: Self-Zone Security
[Figure: both WAN Edges have Zone3 (VPN 0) in addition to Zone1/VPN 1 and Zone2/VPN 2; the policy for traffic to and from Zone3 takes one of the actions D, I or P]
D - Drop, I – Inspect, P – Pass
vManage - Ent FW App Aware Configuration
Intrusion Prevention
• Snort is the most widely deployed Intrusion Prevention solution in the world
• Backed by global threat intelligence (TALOS); signature update is automated
• Signature allow-list support
• Real-time traffic analysis
• PCI compliance
[Figure: IPS running as an on-site service on the WAN Edge]
Intrusion Detection/Prevention System (IDS/IPS)
IPS engine pipeline: Packet → Pkt Decoder (L2/3) → Preprocessors (L3–7, sessions, File, AppId) → Detection Engine (signature rules) → Output Module (alerts, logs) → Verdict
Decoded layers of the sample packet: MAC, IP, TCP, HTTP, HTTP_CLIENT_BODY
• Protocol engines check for protocol level misbehaviours and collect data
• Detection engine matches attack signatures
• TALOS signatures are updated periodically

Example signature:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)
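To show what the detection engine does with the signature above, here is an added, deliberately simplified model that parses the rule’s header and options, decodes the `|3A|` hex escape in the `content` keyword, and evaluates it against constructed HTTP packets. It is not Snort (no preprocessors, no fast-pattern matcher, no stream reassembly), and the bindings for `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` are assumptions made for the example.

```python
"""Added, simplified model of how the slide's Snort rule is evaluated; it is not
Snort and ignores the real engine's preprocessors and fast-pattern matcher.
$HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are bound to constructed values."""
import ipaddress
import re

RULE = (
    'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; '
    'flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; '
    'metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, '
    'service http; classtype:misc-activity; sid:5808; rev:10;)'
)

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed binding for $HOME_NET
HTTP_PORTS = {80, 8080}                          # constructed binding for $HTTP_PORTS

_OPTION = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(text):
    """Split a rule into its header fields and an option name -> [values] map."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for name, value in _OPTION.findall(body.rstrip(")")):
        options.setdefault(name, []).append(value.strip().strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def decode_content(spec):
    """Snort content syntax: text with |hex| escapes, e.g. 'User-Agent|3A| SAH Agent'."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def _addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "any":
        return True
    if spec == "$HTTP_PORTS":
        return port in HTTP_PORTS
    return port == int(spec)


def evaluate(rule, pkt):
    """Return the rule's action ('drop') if every header field, flow keyword and
    content keyword matches the packet dict, otherwise 'pass'."""
    if rule["proto"] != pkt["proto"]:
        return "pass"
    if not (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"])):
        return "pass"
    opts = rule["options"]
    for flow in opts.get("flow", []):
        for flag in flow.split(","):
            if flag == "to_server" and not pkt["to_server"]:
                return "pass"
            if flag == "established" and not pkt["established"]:
                return "pass"
    for spec in opts.get("content", []):
        if decode_content(spec) not in pkt["payload"]:
            return "pass"
    return rule["action"]


def demo():
    """Three constructed HTTP packets: a beacon with the flagged User-Agent, a
    normal browser request, and the same beacon payload seen inbound."""
    rule = parse_rule(RULE)
    beacon = b"GET /c2 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: SAH Agent\r\n\r\n"
    browser = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    base = {"proto": "tcp", "src": "10.1.2.3", "sport": 50000, "dst": "198.51.100.7",
            "dport": 80, "to_server": True, "established": True}
    outbound_beacon = dict(base, payload=beacon)
    outbound_browser = dict(base, payload=browser)
    inbound_beacon = dict(base, src="198.51.100.7", sport=80, dst="10.1.2.3", dport=50000,
                          to_server=False, payload=beacon)
    return [evaluate(rule, p) for p in (outbound_beacon, outbound_browser, inbound_beacon)]
```

The third packet carries the same bytes but fails the `$HOME_NET -> $EXTERNAL_NET` and `flow:to_server` constraints, which is why a rule’s header and flow keywords matter as much as its content match: they keep the signature bound to the direction in which the behaviour is meaningful and reduce false positives.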
IPS, URL-F and AMP&TG Architecture
[Figure: ISR 4431 with IOSd and the IPS/URL-F/AMP&TG container on the Linux OS, connected by a virtual Ethernet over a management VPG and a traffic VPG; allocated CPU cores in the control plane; data plane traffic path]
• IPS, URL-Filtering and AMP&TG services run in a Linux Container (LXC), using control plane resources
• Traffic is punted to the container using a Virtual Port Group (VPG) interface
• Reserved CPU and memory for the container process enable deterministic performance
vManage - Intrusion Prevention Configuration
Intrusion Prevention – CLI rendered

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile cloud-low
 start

Step 4 Configuring UTD (service plane)
utd multi-tenancy
utd engine standard multi-tenancy
 threat-inspection whitelist profile Allow-list
  generator id 3 signature id 22089
  generator id 3 signature id 36208
 threat-inspection profile IPS-POLICY
  threat [protection | detection]
  policy [security | connectivity | balanced]
  whitelist profile Allow-list
  logging level [alert | info | ….. ]

Step 5 Enabling UTD (data plane)
policy utd-policy-vrf-1
 vrf 1
 all-interfaces
 fail [close]
 threat-inspection profile IPS-POLICY
URL-Filtering
• 83 Web Categories with dynamic updates
• Block based on Web Reputation score
• Create custom block and allow URL lists
• Customizable end-user notifications
[Figure: URL Filtering of requests for “risky” domains; block/allow lists of custom URL patterns; block/allow based on categories and reputation]
URL-Filtering Solution Overview
[Figure: User-1 and User-2 behind a WAN Edge running the URL-F engine (Snort); (1) and (2) the request reaches the engine; (3) verdict from the allow list, block list, category and reputation, serving a block page when blocked; (4) Webroot cloud lookup for unknown URLs. HQ-destined traffic goes to the data centre applications; allowed Internet traffic is forwarded and blocked Internet traffic is stopped]
vManage – URL-Filtering
URL-Filtering – CLI rendered

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 vrf forwarding 65529
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile cloud-low
 start

Step 4 Configure (optional) Good and Bad list
parameter-map type regex Allowlist
 pattern www.google.com
 pattern www.cisco.com
parameter-map type regex Blocklist
 pattern www.exmaplehoo.com
 pattern www.bing.com

Step 5 Configure block page
web-filter block page profile block-URL-FILTER-POLICY
 text WHAT ARE YOU DOING??!!!
URL-Filtering – CLI rendered

Step 6 Configure web-filter profile
utd multi-tenancy
utd engine standard multi-tenancy
 web-filter url profile URL-FILTER-POLICY
  blacklist
   parameter-map regex Blocklist
  whitelist
   parameter-map regex Allowlist
  categories block
   abortion
   abused-drugs
   adult-and-pornography
   bot-nets
   cheating
   confirmed-spam-sources
   cult-and-occult
  alert all
  block page-profile block-URL-FILTER-POLICY
  reputation
   block-threshold moderate-risk

Step 7 Enabling UTD (data plane)
policy utd-policy-vrf-1
 vrf 1
 all-interfaces
 fail [close]
 web-filter url profile URL-FILTER-POLICY
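The verdict logic that the web-filter profile from Steps 4 to 7 expresses, as an added model and not Cisco’s UTD code: the allow list, then the block list, then the blocked categories, then the reputation threshold. The evaluation order, the score bands behind `block-threshold moderate-risk`, and the lookup table standing in for the cloud reputation service are assumptions of this example. One practical caveat is built in: the `parameter-map type regex` patterns on the slide are regular expressions, so an unescaped `.` in `www.bing.com` matches any character; the example escapes them.

```python
"""Added model (not Cisco's UTD code) of the verdict order implied by the
web-filter profile on the slide. Evaluation order, score bands and the
reputation table are assumptions of this example."""
import re

# parameter-map type regex Allowlist / Blocklist from the slide, with the dots
# escaped: as written, 'www.bing.com' is a regex whose '.' matches any character.
ALLOWLIST = [r"www\.google\.com", r"www\.cisco\.com"]
BLOCKLIST = [r"www\.exmaplehoo\.com", r"www\.bing\.com"]
BLOCKED_CATEGORIES = {"abortion", "abused-drugs", "adult-and-pornography", "bot-nets",
                      "cheating", "confirmed-spam-sources", "cult-and-occult"}
BLOCK_THRESHOLD = "moderate-risk"        # reputation block-threshold moderate-risk
BLOCK_PAGE_TEXT = "WHAT ARE YOU DOING??!!!"

# Assumed reputation bands (score 1-100, lower is riskier); the threshold blocks
# its own band and everything riskier.
RISK_CEILING = {"high-risk": 20, "suspicious": 40, "moderate-risk": 60,
                "low-risk": 80, "trustworthy": 100}

# Constructed stand-in for the cloud lookup: host -> (category, reputation score).
REPUTATION_DB = {
    "www.cisco.com": ("computer-and-internet-info", 95),
    "www.bing.com": ("search-engines", 90),
    "spam-relay.example": ("confirmed-spam-sources", 10),
    "shady-downloads.example": ("shareware-and-freeware", 45),
    "news.example": ("news-and-media", 85),
}


def lookup(host):
    """Cloud lookup stand-in; unknown hosts are treated as uncategorized and trustworthy."""
    return REPUTATION_DB.get(host, ("uncategorized", 100))


def classify(host):
    """Return (verdict, reason, body) where body is the block page for blocked hosts."""
    if any(re.search(p, host) for p in ALLOWLIST):
        return "allow", "allowlist", None
    if any(re.search(p, host) for p in BLOCKLIST):
        return "block", "blocklist", BLOCK_PAGE_TEXT
    category, score = lookup(host)
    if category in BLOCKED_CATEGORIES:
        return "block", f"category:{category}", BLOCK_PAGE_TEXT
    if score <= RISK_CEILING[BLOCK_THRESHOLD]:
        return "block", f"reputation:{score}", BLOCK_PAGE_TEXT
    return "allow", f"category:{category}", None


def demo():
    """Verdicts for a handful of constructed hosts, one per decision branch."""
    hosts = ["www.cisco.com", "www.bing.com", "spam-relay.example",
             "shady-downloads.example", "news.example"]
    return {h: classify(h)[:2] for h in hosts}
```

Note that `www.bing.com` is blocked by the explicit block list even though its reputation is good, and `shady-downloads.example` is blocked by reputation alone even though its category is not in the blocked set; both lists override the cloud verdict, which is what makes their contents worth reviewing.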
DNS/Web-layer Security
DNS/web-layer security with Cisco Umbrella
• Block malware, phishing, and non-compliance domain requests
• Automatic API key registration
• Supports DNSCrypt
• VPN-aware policies
• Local domain bypass
• TLS decryption
• Intelligent Proxy
[Figure: WAN Edge forwarding DNS from users in Service-VPN 1 and Service-VPN 2 to Umbrella POPs]
DNS-Filtering Solution Overview
[Figure: (1) User-1 or User-2 sends a DNS request to the WAN Edge; (2) the WAN Edge forwards the DNS request to Umbrella; (3) Umbrella returns the DNS response, a blocked response for a risky domain; (5) blocked content is stopped while allowed content is fetched from the Internet. Legend: allowed Internet traffic, blocked Internet traffic]
Cloud Access Security Broker (CASB) – Solution Overview
How does it work?
• Forward Proxy
• Reverse Proxy
• API Node

What does it do?
• Visibility
• Policy Compliance
• Security
• Authentication
• Authorization
• Device Profiling
• Encryption
• Data Loss Prevention
• Malware Prevention

[Figure: User 1 at a branch WAN Edge reaching the CASB over MPLS and INET]
Umbrella Data centers co-located at major IXPs
>31 data centers worldwide

vManage – DNS/web-layer Security

DNS/web-layer security – CLI rendered

Step 1: Configure local domain bypass (optional)
parameter-map type regex dns_wl
 pattern www.cisco.com
 pattern .*eisg.cisco.*

Step 2: Configure token and enable DNS security
parameter-map type umbrella global
 token 57CC8010687FB1B2A7BA4F2373C00247166
 no dnscrypt                 (DNSCrypt is enabled by default)
 udp-timeout                 (to change the UDP timeout)
 resolver-ip <>
vpn 21
 dns-resolver-ip < Umbrella > [bypass-local-domain]
vpn 22
 dns-resolver-ip < Umbrella > [bypass-local-domain]

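Worked example, added here and not taken from the slides or from any Cisco code: a model of the resolver-selection decision the two CLI steps above configure. The class and function names, the placeholder resolver address and the sample queries are constructed; the only inputs taken from the page are the two regex patterns and the per-VPN bypass-local-domain keyword. It also shows why the regex form of the bypass list deserves care.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Placeholder for the Umbrella resolver the 'dns-resolver-ip < Umbrella >' line points at.
UMBRELLA_RESOLVER = "umbrella-resolver"


@dataclass
class VpnDnsSetting:
    """Per-VPN lines under 'parameter-map type umbrella global' (assumed model)."""
    redirect_to_umbrella: bool          # 'dns-resolver-ip < Umbrella >' present
    bypass_local_domain: bool = False   # optional '[bypass-local-domain]' keyword present


@dataclass
class DnsSecurityConfig:
    """'parameter-map type regex dns_wl' patterns plus the per-VPN settings."""
    bypass_patterns: List[str] = field(default_factory=list)
    vpns: Dict[int, VpnDnsSetting] = field(default_factory=dict)

    def _is_local_domain(self, qname: str) -> bool:
        # The CLI patterns are regular expressions; this example assumes they must
        # match the whole query name (fullmatch), not just a substring of it.
        return any(re.fullmatch(p, qname, re.IGNORECASE) for p in self.bypass_patterns)

    def resolver_for(self, vpn: int, qname: str, local_resolver: str) -> Tuple[str, str]:
        """Decide where a DNS query seen in a service VPN is sent: (resolver, reason)."""
        setting = self.vpns.get(vpn)
        if setting is None or not setting.redirect_to_umbrella:
            return local_resolver, "vpn-not-enabled"        # VPN not under DNS security
        if setting.bypass_local_domain and self._is_local_domain(qname.rstrip(".")):
            return local_resolver, "bypass-local-domain"    # internal name stays on-prem
        return UMBRELLA_RESOLVER, "redirected"              # everything else goes to Umbrella


def build_sample_config() -> DnsSecurityConfig:
    """Constructed configuration mirroring the CLI above: vpn 21 with the bypass
    keyword, vpn 22 without it (the slide shows the keyword as optional on both)."""
    return DnsSecurityConfig(
        bypass_patterns=["www.cisco.com", ".*eisg.cisco.*"],
        vpns={
            21: VpnDnsSetting(redirect_to_umbrella=True, bypass_local_domain=True),
            22: VpnDnsSetting(redirect_to_umbrella=True, bypass_local_domain=False),
        },
    )


def unescaped_dot_caveat() -> bool:
    """An unescaped '.' in a regex matches any character, so the pattern
    'www.cisco.com' also bypasses a look-alike name such as 'wwwXciscoXcom'.
    Returns True to show the caveat is real; escape the dots (www\\.cisco\\.com)
    in the parameter-map to avoid it."""
    cfg = build_sample_config()
    return cfg.resolver_for(21, "wwwXciscoXcom", "10.0.0.53")[1] == "bypass-local-domain"


if __name__ == "__main__":
    cfg = build_sample_config()
    for vpn, name in [(21, "www.cisco.com"), (21, "example.com"), (22, "www.cisco.com"), (5, "x.example")]:
        print(vpn, name, cfg.resolver_for(vpn, name, "10.0.0.53"))
```

The full-match assumption is deliberate: with a substring match, `www.cisco.com` would also bypass `www.cisco.com.attacker.example`, so a name chosen by an attacker could escape Umbrella enforcement entirely.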
Advanced Malware Protection and Threat Grid

Advanced Malware Protection + ThreatGrid
• Integration with AMP
  File reputation
  File retrospection
• Integration with ThreatGrid
  File analysis
• Inspects traffic in VPNs of interest
• Leverages Snort engine to identify file transfers

[Figure: a file from the Internet is checked against AMP (check signature) and, if needed, sent to the ThreatGrid malware sandbox (check file)]

File Reputation & Retrospection Service – Solution Overview

How does it work?
• File download intercepted
• File SHA calculated
• Reputation lookup
• File released or blocked
• Local or Cloud Database

What does it do?
• File SHA match
• Good or Bad Files Database
• Known bad files blocked
• File Database updated frequently
• File Retrospection

[Figure: Martha, behind the WAN Edge, downloads a file from a web server on the Internet: (1) File Request, (2) File Download, (3) File SHA sent by the FRS Engine on the WAN Edge, (4) File Verify against the File Reputation Service cache and its Good Files (f11c3d6770b6…, 91f59420a752…) and Bad Files (8e8ca2642a6e…, 8e8f460c74b0…) databases, (5) Verdict, (6) File Allowed]

Computing the file SHA-256 locally, as shown on the slide:
KUSANKAR-M-847C:Downloads kusankar$ shasum -a 256 test.pdf
3ac53c57d22e23d7008e40398615242dfa76c3186a6213860e3b36fe8718b1f8 test.pdf

File Analysis (Sandbox) – Solution Overview

How does it work?
• File SHA lookup
• Unknown reputation
• File transfer to FAS
• File runs in a virtual environment
• Bad files blocked

What does it do?
• Execute file in a VM
• Analyze file execution
• Analyze file content
• Detect malicious behavior

[Figure: Martha, behind the WAN Edge, downloads a file from a web server on the Internet: (1) File Request, (2) File Download, (3) File SHA, (4) File Verify against the File Reputation Service (cache; Good Files f11c3d6770b6…, 91f59420a752…; Bad Files 8e8ca2642a6e…, 8e8f460c74b0…); a file of unknown reputation is handed to the File Analysis Service, (7) Allow / File Allowed]

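Worked example, added here and not from the slides or from Cisco's implementation, covering both the reputation slide and the sandbox slide above: a WAN Edge inspector that hashes an intercepted file, consults good/bad hash databases through a cache, sends unknown files of the configured types to a sandbox stand-in, and later re-checks previously allowed downloads (retrospection). The class names, the sandbox marker and all file contents are constructed; a real sandbox watches the file execute in a VM rather than looking for a byte string.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Stand-in for behaviour a real sandbox would observe while executing the file.
SANDBOX_MARKER = b"CONSTRUCTED-MALICIOUS-BEHAVIOUR"


def sha256_hex(data: bytes) -> str:
    """Step (3): hash the intercepted file, the same digest 'shasum -a 256' prints."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FileReputationService:
    """Steps (4)/(5): Good/Bad file databases with a local verdict cache."""
    good: Set[str] = field(default_factory=set)
    bad: Set[str] = field(default_factory=set)
    cache: Dict[str, str] = field(default_factory=dict)

    def db_verdict(self, sha: str) -> str:
        if sha in self.bad:          # a hash later reclassified as bad wins over an old 'good'
            return "malicious"
        return "clean" if sha in self.good else "unknown"

    def lookup(self, sha: str) -> str:
        if sha not in self.cache:
            verdict = self.db_verdict(sha)
            if verdict == "unknown":
                return verdict          # never cache 'unknown'; the sandbox may settle it
            self.cache[sha] = verdict
        return self.cache[sha]

    def learn(self, sha: str, verdict: str) -> None:
        """Database update after file analysis."""
        (self.bad if verdict == "malicious" else self.good).add(sha)
        self.cache[sha] = verdict


class FileAnalysisService:
    """Sandbox stand-in: the real service runs the file in a VM and watches its behaviour."""
    def analyze(self, data: bytes) -> str:
        return "malicious" if SANDBOX_MARKER in data else "clean"


@dataclass
class WanEdgeFileInspector:
    frs: FileReputationService
    fas: FileAnalysisService
    analysis_types: Set[str]                          # file-types from the file-analysis profile
    history: List[Tuple[str, str, str]] = field(default_factory=list)   # (name, sha, action)

    def inspect(self, name: str, data: bytes) -> Tuple[str, str]:
        """Steps (1)-(6): returns (action, verdict) for one intercepted download."""
        sha = sha256_hex(data)
        verdict = self.frs.lookup(sha)
        ext = name.rsplit(".", 1)[-1].lower()
        if verdict == "unknown" and ext in self.analysis_types:
            verdict = self.fas.analyze(data)          # unknown file sent to the sandbox
            self.frs.learn(sha, verdict)              # verdict added to the database
        action = "block" if verdict == "malicious" else "allow"
        self.history.append((name, sha, action))
        return action, verdict

    def retrospect(self) -> List[Tuple[str, str]]:
        """File retrospection: files allowed earlier whose hash has since turned bad."""
        return [(n, s) for n, s, a in self.history
                if a == "allow" and self.frs.db_verdict(s) == "malicious"]
```

Two details matter operationally: a file whose type is not in the analysis profile is released on an "unknown" verdict (which is why the file-type list on the next slide is a security decision), and retrospection deliberately bypasses the cache so that a hash reclassified by the cloud after the download is still reported.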
vManage – AMP + ThreatGrid

AMP + ThreatGrid – CLI rendered

Step 1: Configure global variables
utd multi-tenancy
utd engine standard multi-tenancy
 utd global
  file-reputation
   cloud-server cloud-isr-asn.amp.cisco.com
   est-server cloud-isr-est.amp.cisco.com
  !
  file-analysis
   cloud-server isr.api.threatgrid.com
   apikey 0 <API Key>

Step 2: Define file analysis file types
 file-analysis profile AdvanceMalwareProtection-fa-profile
  file-types
   pdf
   ms-exe
   new-office
   rtf
   mdb
   mscab
   msole2
   wri
   xlw
   flv
   swf
  !
  alert level critical

AMP + ThreatGrid – CLI rendered

Step 3: Associate file analysis and reputation to file inspection
 file-reputation profile AdvanceMalwareProtection-fr-profile
  alert level critical
 !
 file-inspection profile AdvanceMalwareProtection-fi-profile
  analysis profile AdvanceMalwareProtection-fa-profile
  reputation profile AdvanceMalwareProtection-fr-profile
 !
 exit

Step 4: Enable UTD (Data Plane)
 policy utd-policy-vrf-1
  all-interfaces
  fail [close]
  file-inspection profile AdvanceMalwareProtection-fi-profile
  vrf 1
  threat-inspection profile IPS
  web-filter url profile URLFiltering
 policy utd-policy-vrf-2
  all-interfaces
  fail [close]
  file-inspection profile AdvanceMalwareProtection-fi-profile
  vrf 2

Security App Hosting Profile & Resources

[Figure: core allocation per platform family. 4461/4451/4431: Control Plane (4 cores) running IOS, I/O and Linux; data plane cores PPE1–PPE9 plus BQS and Crypto (CPP code); service cores SVC1–SVC3. 4351/4331: Control Plane (4 cores); PPE1–PPE3 and Crypto; SVC1–SVC3. 4321/4221/1K: Control Plane (2 cores) running IOS; PPE and SVC on the Data Plane (2 cores).]

Platforms     | Total No of DP Cores | Total No of CP Cores | Total No of CP Cores for Security
4321/4221/1K  | 2                    | 2                    | 1
4331          | 4                    | 4                    | 2
4351          | 4                    | 4                    | 2
4431          | 6                    | 4                    | 2
4451          | 10                   | 4                    | 2
4461          | 16                   | 4                    | 2

DP = Data Plane, CP = Control Plane, SVC = Services

SD-WAN Security Support

Platforms/Features                                              | Ent FW | Ent FW App Awareness | IPS/IDS**** | URL Filtering**** | AMP&TG**** | DNS/web-layer security monitoring*
Viptela (100, 1000, 2000, 5000 and 1100-4G/6G)                  | Y      | N**                  | N/A         | N/A               | N/A        | N
Cisco CSR                                                       | Y      | Y                    | Y           | Y                 | Y          | Y
Cisco ENCS (ISRv)                                               | Y      | Y                    | Y           | Y                 | Y          | Y
Cisco ISR4K (4461, 4451, 4431, 4351, 4331, 4321, 4221, 4221-X) | Y      | Y                    | Y           | Y                 | Y          | Y
Cisco ISR1K                                                     | Y      | Y                    | Y           | Y                 | Y          | Y
Cisco ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X)***               | Y      | Y                    | N/A         | N/A               | N/A        | Y

* Umbrella subscription required for enforcement
** Stateful Firewall and DPI using Qosmos are separate on the vEdges
*** Ent FW App Aware and DNS/web-layer security are supported on ASRs and other XE SD-WAN platforms with fixed 4GB DRAM
**** For IPS/URL-F/AMP&TG, 8GB DRAM is required

Security App Hosting Profile & Resources

App Security Hosting Profile | IPS / URL-F Profile - Features                                                      | Minimum Platform requirement                              | Platform Supported
Default                      | IPS + URLF (Cloud Lookup only) + AMP (File hashing)                                 | 8GB Bootflash & 8GB Memory, 1 / 2 service plane cores     | ISR1K/4221X/4321, 4331/4351/44xx, 4/8vCPU CSR / ISRv
High                         | IPS + URLF (On-box DB + Cloud Lookup) + AMP (File hashing) + ThreatGrid (TG)        | 16GB Bootflash & 16GB Memory, 2 service plane cores       | 4331/4351/44xx, 4/8vCPU CSR/ISRv

Enterprise FW and DNS/web-layer security work with the default 4 GB DRAM

XE SD-WAN: From LAN to WAN

[Figure: forwarding path from LAN to WAN, colour-coded by LAN interface, tunnel interface and WAN interface. Stages shown: IP Dest Lookup, Interface ACL, NBAR, FNF First, App-Route Policy, Data Policy, DNS Redirect, SDWAN DNS-Lookup, Go to Process & Output OCE Walk; UTD Divert, FW, TCP/TLS + UTD Policy, MPLS Label, Encap, Route Policy, IPSEC/TLS Encrypt, Pre-Encap, Layer 2 Encap, Crypt, Add ACL, FNF LAST, TX; on the WAN interface NAT (Transport mode), DNS, FNF, FW, UTD and UTD Policy Divert.]

UTD: IPS->URL-F->AMP/TG

OCE – Output Chain Element

XE SD-WAN: From WAN to LAN

[Figure: forwarding path from WAN to LAN, colour-coded by LAN interface, tunnel interface and WAN interface. Stages shown: IP Dest lookup, SDWAN WAN interface ACL, SDWAN Filter, SDWAN For-us, IPSEC Decrypt, NAT, SDWAN Lookup, Go to Process & Output OCE walk; MPLS Label Lookup, MPLS transition to IP, IP Dst lookup in vrf, NBAR, FNF first, App-route Policy, Data Policy, Lookup, Go to Process & Output OCE walk; UTD Divert, UTD Policy, FW, TCP/TLS + L2 Encap, ACL, FNF Last, TX.]

UTD: IPS->URL-F->AMP/TG

OCE – Output Chain Element

SD-WAN Security Features – Order of Operation
G0/0 – LAN facing, G0/1 – WAN facing

LAN to WAN
Ingress G0/0: IP Dest Lookup -> NBAR -> VFR -> DNS Security -> CEF
Egress G0/1: FW -> IPS -> URL-F -> TCP/TLS -> AMP&TG -> NBAR -> DNS Security -> NAT

WAN to LAN
Ingress G0/1: VFR -> NAT -> DNS Security -> CEF
Egress G0/0: FW -> IPS -> URL-F -> TCP/TLS -> AMP&TG -> NBAR

What's New in 20.1/17.2.1r

20.1/17.2.1r – What is new with SD-WAN Security
• Auto Registration for Umbrella Cloud Services
• Auto Tunnel Support for Umbrella SIG
• Manual Tunnel Support for SIG (XE SD-WAN support)
• Layer 7 Health check to Zscaler (XE SD-WAN support)
• FQDN Support for Firewall Policy
• TLS Proxy & Security App-hosting Integration

Auto Registration for Umbrella Cloud Services

Problem
• Manual registration of cloud services is time consuming
• Manual configuration is error prone and admin overhead
• Multiple services require multiple registration

Solution
• Auto register Umbrella Cloud Services
• SA/VA linked to Umbrella Org
• vManage automates device registration via "Get Keys"
• SIG & DNS/Web Layer Security Registration

Limitation
• Only net new DNA-P License order auto links SA/VA to Umbrella Org

[Figure: Customer SA / VA linked to Umbrella Org]

Auto-Registration to Cisco Umbrella
Based on Smart Account credentials on both Umbrella and vManage

• Registration of Edge Devices to Umbrella is done automatically
• Secure API key is automatically provisioned on the Edge Device through HTTPS session

[Figure: Edge Device establishes an HTTPS session to UMBRELLA]

Customers can now auto-register to Umbrella without the need to manually add API Keys
(currently requires net new DNA P licensing)

Auto Registration for Umbrella Cloud Services

CCW Order
• SD-WAN subscription purchase
• Umbrella license triggers work flow

CCW to PnP and CSSM
• CCW provides SA, VA mapping and order information to PnP and CSSM (Cisco Smart Software Manager)

Umbrella
• CSSM uses SA, VA mapping with location ID in the SKU and calls Umbrella Portal to create an account

vManage
• Customer adds smart account credentials to vManage

Get Keys
• Using SA, VA vManage gets a token from CSSM that it uses to get org ID, Registration Key and Secret from Umbrella

How to configure – Auto Registration for DNS/Web Layer Security
Step 1: Configure Smart Account Credentials in vManage (vManage > Administration > Settings)
Step 2: Configure Umbrella Registration (vManage > Configuration > Security > Custom Options)

How to configure – Auto Registration for SIG
Step 1: Configure Smart Account Credentials in vManage (vManage > Administration > Settings)
Step 2: Configure SIG Credentials Template (vManage > Templates > Feature > SIG Credentials)

Auto Tunnel Support for Umbrella SIG

Auto Registration for Umbrella Cloud Services

Problem
• Lean Branch – no on-prem security
• Cloud applications are vulnerable to attacks
• Internet bound traffic must be subjected to policy enforcement
• Enforce secure web usage & control
• Tunnel registration & setup is a tedious process

Solution
• Leverage Cloud Hosted Security with SIG
• User traffic redirected to SIG via Transport side IPsec tunnel

Limitation
• Only IPv4 tunnel support
• No data policy action-based support for traffic steering
• No loopback interface support for SIG tunnel source
• No ECMP support for load sharing
• No manual override of tunnel destination IP address
• Recommended to send DNS separately for DNS/Web Layer security

SIG - Umbrella Auto Tunnel Support

• Tunnel destination uses a global FQDN
• FQDN resolves to Anycast IP address
• Anycast IP points to the nearest DC
• Region/Location/Latency selection criteria
• Secondary tunnel config is optional

[Figure: Branch Office WAN Edge auto-registers with SIG Management; VPN2 Internet traffic is sent through the SIG tunnel to SIG Security Services and the SIG DNS Resolver]

Steps to configure Umbrella SIG – Auto Tunnel

1. Configure SIG Feature Template; configure a Primary & Secondary tunnel (optional); configure an Active & Backup in the High Availability section
2. Configure Smart Account Credentials in vManage (optional); configure SIG Credentials Template
3. Configure Traffic redirection to SIG
4. Attach SIG Template to the Device Template; attach SIG Credentials Template to the Device Template
5. Configure Umbrella SIG Cloud FW/SWG policy

How to configure: Umbrella SIG – Auto Tunnel
Step 1a: Configure SIG Feature Template (vManage > Configuration > Templates > Feature > Add Template > Select Device > Cisco Secure Internet Gateway)
Step 1b: Configure a Primary & Secondary tunnel (optional)
Step 1c: Configure an Active & Backup in the High Availability section (Auto Tunnel)

How to configure: Umbrella SIG – Auto Tunnel [contd]
Step 2a: Configure Smart Account Credentials in vManage (optional) (vManage > Administration > Settings)
Step 2b: Select SIG Credentials Template
Step 2c: Configure SIG Credentials Template (Auto Registration)

How to configure: Umbrella SIG – Auto Tunnel [contd]
Step 3: Configure Traffic redirection to SIG
Modify the Service VPN template to include a "Service Route" to SIG for 0.0.0.0/0

Step 4a: Attach SIG Template to the Device Template
Step 4b: Attach SIG Credentials Template to the Device Template

Auto Tunnel vs Manual Tunnel Difference

Auto Tunnel
• Auto Registration
• Dynamic Destination IP
• Automatic tunnel failover
• Default recommended tunnel parameters
• Auto selects nearest Data Center
• Automatic Failover with Anycast IP
• Template re-use

Manual Tunnel
• Manual registration
• Location registration
• Location based DC selection
• Static Destination IP
• Static Primary/Secondary Config
• Static tunnel parameters
• Manual provisioning is error prone
• Failover is limited to configured DC
• Limited template re-use

Umbrella SIG – Traffic Redirection

Routing Policy
• Simple default route pointing to the tunnel
• Configured as part of Service VPN template
• CLI push
• Very limited traffic selection capabilities

Data Policy
• Coming soon

* Cannot use the "Set Next Hop" as tunnel source address is set to "unnumbered"

Umbrella SIG - High Availability vs Load Sharing

High Availability Tunnels
[Figure: Active and Standby IPsec/GRE tunnels from VPN 0 to the Internet, carrying service VPNs 1, 2 and 3]
• Single active tunnel for all traffic
• Traffic switches to backup when primary fails

Load Sharing Tunnels (Coming soon)
[Figure: Active/Active IPsec/GRE Tunnel 1 and Tunnel 2 from VPN 0 to the Internet, carrying service VPNs 1, 2 and 3]
• Multiple active tunnels for traffic
• Equal-Cost Multi-path (ECMP)
• Active tunnel carries traffic when a link fails

Manual Tunnel Support for SIG

IPsec/GRE Manual Tunnel Support for SIG

Problem
• Lean Branch – no on-prem security
• Any application hosted on the internet is vulnerable to attacks and spoofing
• Internet bound traffic must be subjected to policy enforcement
• Enforce secure web usage & control

Solution
• Leverage Cloud Hosted Security with SIG
• User traffic redirected to SIG via Transport side IPsec tunnel

Limitation
• Only IPv4 tunnel support
• No data policy action-based support for traffic steering
• No loopback interface support for SIG tunnel source
• No ECMP support for load sharing

IPsec/GRE Manual Tunnel Support for SIG (VPN0)

• IPsec/GRE tunnel supported
• Standard IKE based IPsec
• No special label to identify service VPN
• Flow entries created to track return flows to identify service VPN

[Figure: Branch Office WAN Edge sends VPN2 Internet traffic through the tunnel to the SIG Provider (SIG Management, SIG Security Services)]

How to configure: SIG – Manual IPsec/GRE Tunnel
Create an IPsec VPN Interface Template
1. Configure IPsec source/destination IP address (can use variables to attach to multiple sites)
2. Configure IKE & IPsec Parameters

How to configure: SIG – Manual IPsec/GRE Tunnel
Modify Service VPN & Device Templates
3. Configure an IPsec route in the desired Service VPN Template

4. Edit your device template to include an IPsec interface under Transport VPN and attach to device

SIG - Transport VPN vs Service VPN Tunnel

Transport VPN Tunnel
[Figure: one IPsec/GRE tunnel from VPN 0 to the Internet, carrying service VPNs 1, 2 and 3]
• Single tunnel for all traffic
• IPsec/GRE supported
• Service VPNs isolated
• VPN 0 Protection
• Internal network is not exposed
• Threats are contained in VPN0
• Supports all DIA use cases

Service VPN Tunnel
[Figure: IPsec tunnel from a service VPN to the Internet, VPN 0 and service VPNs 1, 2 and 3 shown]

SIG – Traffic Redirection

Routing Policy
• Simple default route pointing to the tunnel
• Configured as part of Service VPN template
• CLI push
• Very limited traffic selection capabilities

Data Policy (Not Supported)
• Centralized policy
• Can be a route redirect policy*
• 5-tuple Traffic selection
• Application-based traffic selection
• Comprehensive traffic selection

* Can use the "Set Next Hop" with the fictitious tunnel destination address

SIG - High Availability vs Load Sharing Tunnels

High Availability Tunnels
[Figure: Primary and Backup IPsec/GRE tunnels from VPN 0 to the Internet, carrying service VPNs 1, 2 and 3]
• Single active tunnel for all traffic
• Traffic switches to backup when primary fails

Load Sharing Tunnels (Not Supported)
[Figure: Active/Active IPsec/GRE Tunnel 1 and Tunnel 2 from VPN 0 to the Internet, carrying service VPNs 1, 2 and 3]
• Multiple active tunnels for traffic
• Equal-Cost Multi-path (ECMP)
• Active tunnel carries traffic when a link fails

Layer 7 Healthcheck to Zscaler

Problem
• IPsec tunnel IKE DPD method is inadequate
• Network Ping (ICMP) only tests up to the Network Layer liveness
• Application layer issues are not detected, causing traffic blackholing

Solution
• Implement Application Layer (Layer 7) Ping (HPing) to verify reachability & liveness to the Proxy Server Application Layer
• Measure latency
• Check for liveness
• IPSLA Programmable API is used

Limitation
• Only Zscaler is supported for healthcheck
• URL: http://gateway.<Zscaler Cloud>.net/vpntest, e.g. http://gateway.zscalerthree.net/vpntest

HTTP Ping to Zscaler from XE SD-WAN routers

Layer 7 Healthcheck to Zscaler

[Figure: OSI layers on the WAN Edge and on the Zscaler HTTP server (Application, Presentation, Session, Transport, Network, Datalink, Physical). HTTP Ping tests end to end at the Application Layer; ICMP Echo tests only the Network Layer; IKE DPD tests only the IPsec Tunnel across the Internet into the Zscaler internal network]

Layer 7 Healthcheck to Zscaler

[Figure: sequence between vManage, the WAN Edge, Zen Node 1 (DC A) and Zen Node 2 (DC B)]
1. Enter IPSLA HTTP and ICMP Echo parameters on vManage. Specify threshold, frequency and timeout for a device
2. Push config. to the WAN Edge
3a. Send HTTP RAW request to the ZEN primary IP address [type of tunnel: IPSec or GRE] (optionally send ICMP Echo too)
3b. Response (Tunnel up and active) = no failover
4. Edge Device Check: if Threshold > limit for the HTTP request, then Failover is initiated to the Backup Tunnel
5. Failover to Backup IPSec tunnel
6. Notify vManage that 'backup tunnel is active' now

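Worked example, added here and not from the slides or from Cisco's IPSLA implementation: a simulation of the tracker logic the sequence above describes. The threshold, frequency and timeout parameters are the ones named on the slide; the tracker class, the consecutive-probe counts that move a tunnel between up and down, the fail-back rule and all probe results are this example's assumptions. The probe is injected as a function so the logic runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A probe returns the measured latency in ms, or None when the request timed out.
Probe = Callable[[str, int], Optional[int]]
TRACKER_URL = "http://gateway.<Zscaler Cloud>.net/vpntest"   # URL form given on the slide


@dataclass
class UrlTracker:
    """Tracker attached to one SIG IPsec tunnel (assumed model of the IPSLA tracker).
    threshold, frequency and timeout are the slide's parameters; the consecutive
    probe counts for down/up transitions are this example's assumption."""
    url: str
    threshold_ms: int
    frequency_s: int
    timeout_ms: int
    failures_to_down: int = 3
    successes_to_up: int = 2
    state: str = "up"
    consecutive_fail: int = 0
    consecutive_ok: int = 0

    def probe_once(self, probe: Probe) -> str:
        latency = probe(self.url, self.timeout_ms)
        # Slow-but-answering (latency above threshold) counts as a failure: that is
        # the application-layer blackholing case IKE DPD and ICMP cannot see.
        healthy = latency is not None and latency <= self.threshold_ms
        if healthy:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if self.state == "down" and self.consecutive_ok >= self.successes_to_up:
                self.state = "up"
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.state == "up" and self.consecutive_fail >= self.failures_to_down:
                self.state = "down"
        return self.state


@dataclass
class SigTunnelPair:
    """Primary/backup tunnels; failover (step 5) and the vManage notification (step 6)."""
    primary: UrlTracker
    backup: UrlTracker
    active: str = "primary"
    notifications: List[str] = field(default_factory=list)

    def run_cycle(self, cycle: int, probe_primary: Probe, probe_backup: Probe) -> str:
        self.primary.probe_once(probe_primary)
        self.backup.probe_once(probe_backup)
        if self.active == "primary" and self.primary.state == "down" and self.backup.state == "up":
            self.active = "backup"
            self.notifications.append(f"cycle {cycle}: backup tunnel is active")
        elif self.active == "backup" and self.primary.state == "up":
            self.active = "primary"               # fail back once primary recovers (assumption)
            self.notifications.append(f"cycle {cycle}: primary tunnel is active")
        return self.active


def simulate(primary_latencies: List[Optional[int]],
             backup_latencies: List[Optional[int]]) -> Tuple[List[str], List[str]]:
    """Replay constructed probe results; returns (active tunnel per cycle, notifications)."""
    pair = SigTunnelPair(UrlTracker(TRACKER_URL, threshold_ms=300, frequency_s=10, timeout_ms=1000),
                         UrlTracker(TRACKER_URL, threshold_ms=300, frequency_s=10, timeout_ms=1000))
    active: List[str] = []
    for cycle, (p, b) in enumerate(zip(primary_latencies, backup_latencies), start=1):
        active.append(pair.run_cycle(cycle, lambda _u, _t, v=p: v, lambda _u, _t, v=b: v))
    return active, pair.notifications
```

Requiring several consecutive failures before declaring the tunnel down is what keeps one slow HTTP response from flapping traffic between data centers; the cost is that the failover takes roughly failures_to_down × frequency seconds, which is the trade-off the threshold and frequency settings on vManage control.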
How to configure: Layer 7 Healthcheck to Zscaler
Step 1: Modify your system template to include a URL tracker ([vManage] Configuration -> Templates -> Feature -> Add Template)
Step 2: Configure the tracker component in the IPsec interface

FQDN Support for Firewall Policy

FQDN Based Firewall Policy

Problem
• Large number of IP based rules is cumbersome
• Policy using IP addresses that may change frequently
• Difficult to troubleshoot
• Logs are difficult to parse through

Solution
• FQDN based policy based on domain/sub-domain names
• Easy to troubleshoot names
• FQDN policy allows wildcard character to include domains and all sub-domains
• Supports regex based pattern matching

Limitation
• Multiple domains resolving to the same IP will result in applying the matching rule to all domains
• DNS traffic must traverse the firewall
• CDNs with different domain names may not be matched correctly

Use FQDN based policy to "allow" or "deny" traffic

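Worked example, added here and not from the slides or from the Cisco firewall code: a minimal FQDN-based allow/deny evaluator that learns name-to-address bindings from DNS answers crossing the firewall, which is exactly why the limitation above says DNS must traverse it. The wildcard form (`*.example.com` covering the domain and all sub-domains), the `re:` prefix for raw regex rules, the class names and the addresses are this example's conventions and constructed data; it also reproduces the shared-IP limitation rather than hiding it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Pattern, Set, Tuple


def fqdn_pattern_to_regex(pattern: str) -> Pattern:
    """'*.example.com' covers example.com and every sub-domain; a plain name is exact;
    a pattern starting with 're:' is taken as a raw regex (this example's convention)."""
    if pattern.startswith("re:"):
        return re.compile(pattern[3:], re.IGNORECASE)
    if pattern.startswith("*."):
        base = re.escape(pattern[2:])
        return re.compile(rf"(?:[^.]+\.)*{base}", re.IGNORECASE)
    return re.compile(re.escape(pattern), re.IGNORECASE)


@dataclass
class FqdnRule:
    action: str            # 'allow' or 'deny', as the slide puts it
    dst_fqdn: str
    _rx: Pattern = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._rx = fqdn_pattern_to_regex(self.dst_fqdn)

    def matches(self, name: str) -> bool:
        return self._rx.fullmatch(name) is not None


@dataclass
class FqdnFirewall:
    rules: List[FqdnRule]                      # first matching rule wins
    default_action: str = "deny"
    ip_to_names: Dict[str, Set[str]] = field(default_factory=dict)   # learned from DNS answers

    def observe_dns_answer(self, name: str, addresses: List[str]) -> None:
        """Called for every DNS response the firewall sees (DNS must traverse the firewall)."""
        for addr in addresses:
            self.ip_to_names.setdefault(addr, set()).add(name.lower().rstrip("."))

    def evaluate(self, dst_ip: str) -> Tuple[str, Optional[str], bool]:
        """Decide a flow to dst_ip: (action, matched name, shared_ip).
        shared_ip flags the slide's limitation: several names resolve to this address,
        so whichever of them matches first decides for all of them."""
        names = sorted(self.ip_to_names.get(dst_ip, ()))
        shared = len(names) > 1
        for rule in self.rules:
            for name in names:
                if rule.matches(name):
                    return rule.action, name, shared
        return self.default_action, None, shared


def sample_firewall() -> FqdnFirewall:
    """Constructed policy: block a tracker domain by regex, allow the example.com tree."""
    return FqdnFirewall([
        FqdnRule("deny", r"re:.*\.tracker\.example"),
        FqdnRule("allow", "*.example.com"),
    ])
```

An address with no learned name falls to the default action, so a client that resolves names through a path the firewall never sees (or hard-codes an IP) is denied rather than silently allowed; the `shared` flag is what a log line should carry so that an unexpected deny on a CDN address can be traced to the other name sharing it.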
How to configure – Firewall FQDN Policy
Option 1: Directly configure FQDN for Source/Destination Prefix in FW Policy
vManage > Configuration > Security > Firewall Policy > Add Rule

vManage – Firewall FQDN Policy [contd.]
Option 2: Configure a Data Prefix list and use it under FQDN List when creating a rule
vManage > Configuration > Security > Custom Options > Lists

vManage > Configuration > Security > Firewall Policy > Add Rule

TLS Proxy Integration

TLS Proxy & SD-WAN Security Integration

Problem
• More Apps/Data cloud hosted
• Internet going dark
• >80% Internet traffic encrypted
• Lack of security control
• Malware hidden in encrypted traffic

Solution
• TLS Proxy to decrypt encrypted traffic as a MiTM (Man in The Middle)
• Inspect with Integrated security stack (IPS, URL-F, AMP&TG)
• Supported on ISR 4331/4351/4431/4451/4461, CSR1000v, ISRv (17.3)

Limitation
• TLS 1.3 traffic downgraded to TLS 1.2
• Certificate revocation check with CRL (Certificate Revocation List) not supported
• Session ticket based resumption is not supported
• Session renegotiation is not supported
• OCSP stapling is not supported
• Asymmetry not supported
• SSL v3.0 and older traffic not supported

TLS Proxy IPS, URL-F and AMP&TG Architecture

[Figure: ISR 4431. Control Plane: IOSd. Service Plane (allocated CPU cores, Linux OS): IPS/URL-F/AMP&TG container and HTX - TCP/TLS Proxy; Management VPG0 and Traffic VPG1 connect the service plane to the Data Plane, which carries the traffic path]

• IPS, URL-F and AMP&TG services run in a Linux Container (LXC), using Service plane resources
• HTX (High-Throughput Transfer) contains the TCP Proxy, the TLS proxy and the Service chain manager that directs traffic between services
• Traffic is punted to the container using a Virtual Port Group (VPG) interface

TLS Proxy Traffic Flow

1. Client to server connection terminated at TCP proxy
2. Flow create request is sent to TLS proxy
3. Client hello sent to UTD to determine decryption action
4. If the verdict is to decrypt, establish two connections: Client-Proxy & Proxy-Server
5. Data flow: TCP Opt (optimization) -> TLS Proxy (to decrypt) -> UTD (for threat inspection) -> TLS Proxy (to encrypt)
6. Flows continue to be TCP proxied even if the URL-based verdict is to not decrypt

How decryption works
◆ Client Hello: the client's Client Hello reaches the WAN Edge running the TLS Proxy, and a Client Hello is sent on to the server
◆ The server responds to the hello and sends its certificate (Server Hello and Certificate; Server Certificate issuer: Public CA)
◆ TLS proxy verifies the server certificate
◆ Handshake between the TLS proxy and server
◆ TLS proxy sends its own server hello and certificate to the client (Server Hello, Cert; Server Certificate issuer: Local CA)
◆ Handshake between the client and TLS proxy
◆ Encrypted data flows between the client and the proxy
◆ TLS proxy decrypts the flow, UTD inspects it and applies policy
◆ Encrypted data flows between the TLS proxy and server

[Figure: message sequence Client <-> WAN Edge running TLS Proxy <-> Server, built up step by step as listed above: Client Hello on both legs, Server Hello and Certificate (Public CA) on the server leg, Server Hello and Cert (Local CA) on the client leg, Handshake on both legs, Encrypted Data on both legs]

HTTPS Traffic - Packet Capture

[Figure: packet capture of the TLS handshake]

Post handshake, a block page can be issued

TLS Proxy & SD-WAN Security Integration

Root CA
• Issues Signing Certificate to Proxy
• Securely stores CA private key
• Manages issued Certificates (monitor/revoke/validity etc.)
• Maintains a Revocation List
• Root Certificate trusted by client

Intermediate CA
• Acts on behalf of Root CA
• Securely stores Intermediate CA private key
• Automates proxy cert provisioning
• Manages issued Certificates (monitor/revoke/validity etc.)
• Maintains a Revocation List
• Intermediate Root Certificate is installed on client trust store or forwarded by proxy to client

Proxy
• Securely stores sub CA & server cert private keys
• Dynamically generates & signs Forward Proxy certificate
• Manages issued Certificates (maintains & verifies revocation list)
• Inspects traffic after decryption

Importance of CA Selection for Proxy

vManage as Root CA
Pros
• Certs deployment to proxies automated
• Certs monitored/tracked/validated
• Certs reissued/revalidated before expiry
• Cert compromise risk limited
• Compromised proxy certificate revoked

vManage as Intermediate CA
Pros
• Certs deployment to proxies automated
• Certs monitored/tracked/validated
• Certs reissued/revalidated before expiry
• Cert compromise risk limited
• Compromised proxy certificate revoked

Enterprise CA w/SCEP
Pros
• Certs deployment to proxies automated
• Certs monitored/tracked/validated
• Certs reissued/revalidated before expiry
• Cert compromise risk limited
• Compromised proxy certificate revoked
• Customer managed existing CA
• Single place to manage all issued certs
• Certificates revoked/tracked from Ent CA
Cons
• Admin overhead to maintain a CA

Enterprise CA
Pros
• Customer managed existing CA
• Single place to manage all issued certs
• Certificate usage/expiry tracked OOB
• Certificates revoked/tracked from Ent CA
Cons
• Manual cert deployment for the proxies
• Manual reissue of expired proxy cert

TLS Decrypt Policy – Network and URL Policy

Network Policy (defined in data plane)
• Source and/or destination VPN
• Source and/or destination IP/subnet
• Source and/or destination port
• Application ID

URL Policy (defined in service plane)
• VPN
• Static domain list
• Domain categories
• Domain reputation score

Client side Trust store and Browser Complexities

1. Client Trust Store
• Root cert installed in the trusted root store
• Time must be in sync
• Intermediate cert sent along with chain of trust
• Some browsers may have separate root trust store
• Root cert in system trust store overrides browser setting
• Roll out root cert on to client browser using tools like Microsoft GPO (Group Policy Object)

2. Browser Variations
• SSL connection error
• SSL protocol error
• Client/Server date/time errors
• Server name mismatch errors
• Server authority-invalid errors
• Insufficient intermediate errors
• SHA-1 errors
• Some browsers do not trust some CA issuers

3. HSTS/HPKP
HSTS
• Mechanism to protect against downgrade attacks
• Server declares only HTTPS
• HTTPS response header field named "Strict-Transport-Security"
• Valid for a pre-set period
• May need to clear browser HSTS/HPKP setting
HPKP
• Deprecated mechanism
• Server serves a list of "pinned" public key hashes valid for a given time
• Clients expect servers to use one of those public key hashes in the chain
• Cannot be easily bypassed
• Replacement mechanism Expect-CT (Certificate Transparency)

Client - NTP, Cert Authentication and Proxy Block

NTP
• Proxy generates server certs on demand and instantaneously
• Proxy cannot issue cert beyond its validity
• Proxy cert is valid for a day
• Proxy uses current time as start time
• Even a few milliseconds time difference can cause cert error (issued not before)

Client Cert Auth
• Client authentication is to protect the client
• Server verifies the possession of private key by the client
• Typically used in a high security critical client environment
• Used in highly secure IoT devices
• Similar to 2FA but with certificate
• Not supported by Proxy

Proxy Block
• Clients do not know the connection is being proxied
• Network or URL policy may determine connection drop
• Depending on when, the SSL handshake may or may not have completed
• Post SSL handshake, block page can be issued

Time Sync is an absolute must for HTTPS sessions
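As an added illustration of the NTP column above (example code, not from the deck), the following models the validity window a proxy stamps on an on-demand certificate and the client's check against it, showing why a few milliseconds of clock skew produce a "not yet valid" error. All function names, the one-day lifetime and the sample clock readings are assumptions; times are Unix seconds.

```python
# Added example, not from the Cisco deck. Models the deck's NTP points:
# proxy mints a server cert with notBefore = its current time, valid one
# day, never beyond the origin server cert's own notAfter. Times are Unix
# seconds (floats, so millisecond skew is representable).
ONE_DAY = 24 * 3600

def mint_proxy_validity(proxy_now, origin_not_after, lifetime=ONE_DAY):
    """Return (notBefore, notAfter) the proxy would stamp on its cert,
    capped at the origin certificate's notAfter."""
    not_before = proxy_now
    not_after = min(proxy_now + lifetime, origin_not_after)
    return not_before, not_after

def client_verdict(client_now, not_before, not_after):
    """The client's validity-period check (RFC 5280 section 6.1.3 (a)(2))."""
    if client_now < not_before:
        return "not_yet_valid"      # the 'issued not before' error on the slide
    if client_now > not_after:
        return "expired"
    return "ok"

def handshake_outcome(proxy_now, client_skew, origin_remaining, lifetime=ONE_DAY):
    """client_skew: client clock minus proxy clock in seconds (negative =
    client is behind). origin_remaining: seconds left on the real server
    certificate. Returns the client's verdict on the proxy-minted cert."""
    nb, na = mint_proxy_validity(proxy_now, proxy_now + origin_remaining, lifetime)
    return client_verdict(proxy_now + client_skew, nb, na)

if __name__ == "__main__":
    t0 = 1_590_000_000.0   # constructed proxy clock reading
    # client 5 ms behind the proxy: cert is 'not yet valid' from its view
    print(handshake_outcome(t0, -0.005, 30 * ONE_DAY))   # not_yet_valid
    # clocks synchronised via NTP: accepted
    print(handshake_outcome(t0, 0.0, 30 * ONE_DAY))      # ok
    # origin cert expires in an hour: proxy cert is capped to that hour
    print(mint_proxy_validity(t0, t0 + 3600)[1] - t0)    # 3600.0
```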

Certificate Revocation Checks - CRL vs OCSP

Certificate Revocation Reasons
• Key compromise
• CA compromise
• Policy compliance requirements
• Certs on hold
• Privilege withdrawn etc.

CRL (Certificate Revocation List)
• List of revoked certs
• Typically published by a CA
• Pre-defined validity
• Database grows over a period
• Risk of outdated info

OCSP (Online Certificate Status Protocol)
• On-demand check
• Small data to parse
• Up to date info
• Risk of network outage/OCSP responder outage
• Preferred over CRL

OCSP Stapling and its impact on proxy
• Improves security and performance for clients
• Also known as TLS Certificate Status Request extension
• OCSP stapling eliminates OCSP privacy concerns
• Server bears the responsibility of including OCSP response signed by CA
• Client must explicitly request
• Bad Servers may not respond to OCSP Stapling request
• Proxy does not support OCSP stapling today

TLS 1.3 and Decryption
TLS 1.3
• Large web service providers are switching to TLS 1.3 (e.g. Google, Facebook)
• Improves website performance and security
• Server certificate is encrypted, SNI could be encrypted as well
• Eliminated older insecure algorithms
• Challenges selective decryption for proxy
• Supports only PFS/AEAD algorithms
• Proxy downgrades TLS 1.3 to 1.2 connection

How to configure – TLS Proxy
1. Configure Root Certificate Authority that can issue signing certificate to TLS Proxy (WAN Edge router)
2. Configure TLS Decryption policy
3. Attach Security Template to the Device Template
4. Install Root Certificate in client's trust store
How to configure – TLS Proxy [contd.]
Step 1: Configure Root Certificate Authority that can issue signing certificate to TLS Proxy (WAN Edge router)

How to configure – TLS Proxy [contd.]
Step 2a: Configure TLS Decryption policy (Network Rule)
vManage > Configuration > Security > Add Security Policy

How to configure – TLS Proxy [contd.]
Step 2b: Configure TLS Decryption policy (URL Rule)
vManage > Configuration > Security > Add Security Policy

Advanced Settings and Tweaks

Secure Management
vManage Authentication methods
• Local Database / RADIUS / TACACS
• Single Sign-On (Admin, vManage and Identity Provider)
  Admin <-> vManage: 1 Access Resource, 2 Redirect to SSO, 7 Auth Response, 8 Resource Supplied
  Admin <-> Identity Provider: 3 Contact SSO, 4 Challenge, 5 Credentials Supplied, 6 Auth Response
RBAC – Role Based Access Control

RBAC by VPN Feature
Admin user:
• Create VPN dashboards:
• Create/discover VPN segments in a network
• Create VPN groups
• New VPN dashboard for each VPN group
• Create users with VPN group access:
• Link user group to VPN group
• Create users with access to VPN group

VPN group user:


• Access to VPN Dashboard only
• Monitor devices, network, and application status via VPN dashboard
• VPN dashboard information restricted to devices with segments in VPN group
• Monitor option restricted to devices with segments in VPN group
• Interface monitoring on device restricted to interfaces of segments in the VPN group

(Screenshots: vManage Admin Dashboard (full access) and VPN Dashboard (Restricted access) for VPN Group: British Airways (VPN 1, 2))
Cisco DNA SD-WAN Licensing
Capability Based Packaging

Cisco DNA Essentials – Simplified management & security protection for the cost-conscious customer
• Enterprise firewall with Talos-powered IPS and app controls
• Cisco Umbrella DNS Monitoring
• Application-based SLA
• Basic WAN & path optimizations
• Single centralized management console in the cloud or on-prem
• Forward Error Correction (FEC)
• Packet duplication
• Flexible topology & dynamic routing (hub/spoke, partial/full mesh)
• Up to 50 Device Overlay

Cisco DNA Advantage – Advanced SD-WAN with enhanced security for feature-rich & valued branch deployment models (includes Cisco DNA Essentials)
• Cisco AMP with TLS proxy
• Cisco Basic URL filtering
• Cisco Umbrella app discovery
• Cloud OnRamp for IaaS, SaaS, and Colo
• AppQoE & WAAS RTU
• Integrated border plus orchestration for campus, branch & DC
• Integrated voice/UC gateways
• vAnalytics

Cisco DNA Premier – Advanced SD-WAN security will mitigate the most sophisticated threats to your business (includes Cisco DNA Advantage and Cisco DNA Essentials)
• Now with Cisco Umbrella SIG Essentials® (Full URL Filtering | Granular App Control | File-type Controls | AMP | ThreatGrid | L3 – L4 Cloud Firewall | Roaming User Protection With AnyConnect)
• Additional SIG Seats optional*

*Each SIG seat equals about 50kbps of bandwidth traffic
Cisco DNA SD-WAN Licensing Detail

Cisco DNA Essentials
Connectivity/Mgmt
• Cloud or On-Prem Management
• Flexible Topology
• Hub and Spoke
• Full Mesh/Partial Mesh
• App and SLA based policy
• Dynamic Routing (BGP, OSPF)
• VNF Lifecycle Management
Security
• Enterprise Firewall with Talos-powered IPS and application controls
• Cisco Umbrella DNS Monitoring (visibility only)
SD-WAN Services
• Basic Path optimization with FEC and Packet Duplication
• TCP Optimization
• Multicast
• Up to 50 Device overlay

Cisco DNA Advantage (includes Cisco DNA Essentials)
Cloud/Analytics
• Cloud OnRamp for IaaS and SaaS
• Automated Service Stitching
• vAnalytics
Security
• Segmentation (Unlimited VPNs)
• Cisco AMP and TLS proxy
• URL filtering
• Cisco Umbrella app discovery
X-domain Innovations
• Integrated Border for Campus (SD-Access)
• Integration with ACI for Application SLA
Services
• Web Caching, DRE (incl. TLS proxy)
• Voice Module and SRST Integration

Cisco DNA Premier (includes Cisco DNA Advantage and Cisco DNA Essentials)
Cisco Umbrella SIG Essentials
Transactional
• 5 – 250 Mbps = 1 License per Mbps
• 500 Mbps = 375 Licenses
• 1 Gbps = 500 Licenses
• 2.5, 5, 10 Gbps = 750 Licenses
Enterprise Agreement
• Tier 0: Not Available in Premier
• Tier 1: 25 Licenses
• Tier 2: 250 Licenses
• Tier 3: 750 Licenses
• Additional Cisco Umbrella SIG Essentials licenses can be purchased separately.
Cisco Threat Grid
• Provides entitlement for 200 files per day per customer account
• Files sent to Threat Grid cloud for sandboxing. On-premises Threat Grid not available in Premier
• Global entitlement across all customer sites
• Additional Cisco Threat Grid licenses can be purchased separately.
Demo
SD-WAN Security - Demo in a Box
(Diagram: ESXi 6.7 host with a management network and an Internet uplink via Google Fiber)
Topology
(Diagram: lab topology with the management network and Internet connectivity)
Recap - Cisco SD-WAN Controllers

Orchestration Plane – Cisco vBond
• Orchestrates control and management plane
• First point of authentication
• Distributes list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [or 1:1 NAT]
• Highly resilient

Control Plane – Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies
• Reduces control plane complexity
• Highly resilient

Management Plane – Cisco vManage
• Single pane of glass
• Multitenant with scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC and per VPN visibility
• Programmatic interfaces (REST, NETCONF)
• Highly resilient

Data Plane – WAN Edge (Physical/Virtual)
• Provides secure data plane
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages protocols OSPF, BGP, EIGRP and VRRP
• Zero Touch Provisioning
Recap - SD-WAN Security Capabilities

TLS Proxy (New): requires 4 GB of additional DRAM = 8 GB platform

(Diagram: WAN Edge device with Outside, Guest and Inside zones, Service VPN 1 and VPN 2, users and devices, on-site services, Internet and SaaS)
• Ent. Firewall App Aware – inspect policy automatically allows response traffic between zones
• Intrusion Prevention – check traffic against signatures
• URL Filtering (URL-F) – allow/block lists of custom URLs; block/allow based on categories and reputation
• Advanced Malware Protection and TG (AMP) – check file; malware sandbox (ThreatGrid)
• DNS/web-layer security (DNS-layer Sec) – requests for "risky" domains: safe requests allowed, blocked requests denied
Release Notes and Image Download Links

Release Notes for both 20.1 and 17.2.1r


https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/20-1/sd-wan-rel-notes-20-1.html
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/xe-17-2/ios-xe-sd-wan-re-notes-17-2.html

17.2.1r Software Download Link for CSR, ISRv, ISR 1K/4K and ASR:
CSR 1Kv: https://software.cisco.com/download/home/286323714/type/282046477/release/Amsterdam-17.2.1r
ISRv: https://software.cisco.com/download/home/286308649/type/286309323/release/17.01.01
ISR 1K: https://software.cisco.com/download/home/286321996/type/282046477/release/Amsterdam-17.2.1r
ISR 4K: https://software.cisco.com/download/home/286321991/type/282046477/release/Amsterdam-17.2.1r
ASR1K: https://software.cisco.com/download/home/286321999/type/282046477/release/Amsterdam-17.2.1r

20.1.1 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/20.1.1

20.1.1 vManage upgrade image download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/20.1.1.1

SD-WAN Security – External Resources

Cisco SD-WAN: Enabling Firewall and IPS for Compliance:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-firewall-compliance-deploy-guide-2019nov.pdf

SD-WAN on-prem controller setup guide: http://cs.co/sd-wan-controller-setup

How to Onboard a Remote Router into an existing SD-WAN Fabric:
https://community.cisco.com/t5/networking-documents/how-to-onboard-a-remote-router-into-an-existing-sd-wan-fabric/ta-p/3958988

Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936

Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering

Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301

SD-WAN Security – External Resources
Cisco SD-WAN - http://www.cisco.com/go/sdwan

Network World - https://tinyurl.com/yabey6f2

WSJ - https://tinyurl.com/yb75loxn

Lightreading - https://tinyurl.com/yba9zb4s

FB: https://tinyurl.com/y9u375hk

YouTube Network Field Day (demo): https://tinyurl.com/y955ufde

SD-WAN Security – Cisco Validated Design Guides

Security Policy Design Guide:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-security-policy-design-guide.html

Secure DIA Deployment Guide:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-secure-direct-internet-access-usecase-guide.html

Compliance Deployment Guide:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-firewall-compliance-deploy-guide-2019nov.pdf

Guest Access Deployment Guide:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-secure-guest-access-deploy-guide.html

Secure Direct Cloud Access Deployment Guide:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-secure-direct-cloud-access-deploy-guide.html

Thank you

#CiscoLive