BRKENT-2312
BRKENT-2312 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
About Me - Tahir Ali
• TME - Technical Leader @ Cisco SD-WAN BU
• Since 2018: Part of the initial Viptela integration team
• 2006-2018: MSPs and Partners
• Certifications:
  • CCIE# 26070 (Security | Service Provider | Data Center)
  • AWS | Red Hat Associate
• Area of Expertise: SD-WAN Fabric, Policy, Security, SDCI, Multi-region Fabric
• Interests: Mountains and Beaches
• LinkedIn: https://www.linkedin.com/in/tahiralimarvi/
Cisco SD-WAN innovations driving the new norm
• Multicloud: Multicloud Access; SDCI / Cloud Backbone
• App Experience: SaaS Optimization (M365, Webex); Voice; AppQoE (TCP Opt, FEC, DRE, etc.)
• Security: Enterprise FW, IPS, SIG, Adv Malware Protection; Security and Segmentation; SSE (Cisco Umbrella)
• AIOps: Analytics and Visibility; WAN Insights
Security Challenges - What's top of mind?
• Segmentation: Isolate my IoT, CCTV, PoS and other traffic flows
• DIA / SASE / Cloud/SaaS: Connect, Control and Converge; Secure App access and Migration Journey
• User/Device Identity: Drive consistent identity-driven policy
• Operational Complexity: Ease of Config; Third-Party Integrations
• Visibility: Monitoring and Visibility into the security stack
Key Message
By the end of this session, you will have a good understanding of Cisco SD-WAN's security capabilities and features. Whether you are looking at integrated security or SASE, you will be able to apply this knowledge for your organization or clients.
• Section 1 : Integrated Security
• A look at current capabilities
• What’s New ?
• Demo
Cisco SD-WAN Security Today
Cisco SD-WAN Security Models - Flexible Security based on customer needs
• Single platform for Routing and Security at the branch: Branch Security on the edge, with traffic going on to SaaS/IaaS Applications
• Lean branch with security in the cloud: branch traffic is sent to a SIG Provider, then on to SaaS/IaaS Applications
Enterprise Firewall
Cisco Enterprise Firewall with App-awareness (visibility)
• VPNs (VRFs) / Interfaces as Zones
• Self-Zones / Default-Zones
• HSL logging
• FQDN Support
• Geo-IP Support
• Flood attack prevention
• Session re-classification
• IPv6 support*
(Diagram: Employee 1 and Employee 2 in the Inside Zone, Branch Edge with TLS/SSL Proxy, Outside Zone towards the Internet and SaaS/IaaS)
Advanced Protection Stack
(Diagram: TLS Proxy on the edge, inspection backed by the Cisco AMP cloud)
What’s New ?
SD-WAN Unified Security Policy and Logging
• Advanced NGFW Policy
• Per rule level logging
• Conn Events: NetFlow export

Example policy (Source | Destination | Application | Firewall Action | Advanced Inspection):
User | Any | Google Apps | Inspect | N/A
User | Any | - | Inspect | Advanced Inspection Profile-Corp

Inspection Profile-Corp contains: IPS Policy-Corp, AMP Policy-Corp, URL-F Policy-Corp, TLS/SSL Policy-Corp
Other inspection policies listed: IPS Policy-Dev, AMP Policy-Dev
Cisco SD-WAN Identity-based Firewall using ISE integration
1. IP to User/SGT mapping is learned from Active Directory
2. ISE/pxGrid shares the mapping with vManage
3. vManage and vSmart distribute the dynamic User/SGT to IP mapping over OMP
4. ZBFW policy is enforced based on identity
• Identity as part of Security Policies
• User/User-Group (20.9)
• Security Group Tag (SGT) (20.10)

Example ZBFW policy (Source SGT | Destination SGT | Action):
SGT-Employee | SGT-Employee | Permit All
SGT-HR | SGT-IOT | Deny All
(SGTs shown in the diagram: Employee, HR, Contractor, IoT)
High Level Architecture
1. vManage holds the User & User-group / SGT list
2. Identity based Security Policies are defined in vManage
3. IP to User/User-group/SGT mappings are learned from the on-prem ISE-PIC Agent or ISE/pxGrid
4. vSmart advertises the IP to Username / User group / SGT mapping using OMP
5. Datapath: VRF1/VPN1, SRC: 10.1.10.220, DST: 10.1.100.52
6. The cEdge resolves the IP to its identity and enforces the policy
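To make the data flow above concrete, here is an added Python example (not Cisco code and not the cEdge implementation) that resolves source and destination IPs to user, user-group and SGT from a constructed identity table, evaluates a first-match ZBFW policy like the one on the previous slide, and emits the per-rule log record the unified policy slide calls for. The identity records, SGT names, IoT subnet and rule names are assumptions for the example; the real mapping arrives over OMP in a format this code does not model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed IP-to-identity table standing in for the mappings ISE/pxGrid learns
# from Active Directory logins and vSmart advertises to the cEdge over OMP.
# The record layout is an assumption for this example, not the OMP encoding.
IDENTITY_MAP: Dict[str, dict] = {
    "10.1.10.220": {"user": "alice", "groups": {"Employee", "HR"}, "sgt": "SGT-HR"},
    "10.1.10.221": {"user": "bob", "groups": {"Employee"}, "sgt": "SGT-Employee"},
    "10.1.10.222": {"user": "dave", "groups": {"Employee"}, "sgt": "SGT-Employee"},
    "10.1.10.50": {"user": "carol", "groups": {"Contractor"}, "sgt": "SGT-Contractor"},
}
# Static classification for devices that never authenticate (assumed IoT subnet).
STATIC_SGT = [(ip_network("10.1.100.0/24"), "SGT-IOT")]


@dataclass(frozen=True)
class Identity:
    user: Optional[str]
    groups: frozenset
    sgt: Optional[str]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    src_sgt: Optional[str] = None   # None means "any"
    src_group: Optional[str] = None
    dst_sgt: Optional[str] = None


# Constructed policy mirroring the slide's table (Employee->Employee permit,
# HR->IoT deny) plus a user-group rule; anything unmatched hits an implicit deny.
POLICY: List[Rule] = [
    Rule("emp-to-emp", "permit", src_sgt="SGT-Employee", dst_sgt="SGT-Employee"),
    Rule("hr-to-iot", "deny", src_sgt="SGT-HR", dst_sgt="SGT-IOT"),
    Rule("employees-any", "permit", src_group="Employee"),
]


def resolve(ip: str) -> Identity:
    """Map an IP to its identity: dynamic (ISE-learned) mapping first, then static SGT."""
    rec = IDENTITY_MAP.get(ip)
    if rec:
        return Identity(rec["user"], frozenset(rec["groups"]), rec["sgt"])
    addr = ip_address(ip)
    for net, sgt in STATIC_SGT:
        if addr in net:
            return Identity(None, frozenset(), sgt)
    return Identity(None, frozenset(), None)   # unknown endpoint: no identity at all


def matches(rule: Rule, src: Identity, dst: Identity) -> bool:
    """Every condition the rule sets must hold; unset conditions match anything."""
    if rule.src_sgt is not None and src.sgt != rule.src_sgt:
        return False
    if rule.src_group is not None and rule.src_group not in src.groups:
        return False
    if rule.dst_sgt is not None and dst.sgt != rule.dst_sgt:
        return False
    return True


def evaluate(src_ip: str, dst_ip: str, policy: List[Rule] = POLICY) -> Tuple[str, str, dict]:
    """First-match evaluation; returns (action, rule name, per-rule log record)."""
    src, dst = resolve(src_ip), resolve(dst_ip)
    for rule in policy:
        if matches(rule, src, dst):
            hit = rule
            break
    else:
        hit = Rule("implicit-deny", "deny")
    log = {"src": src_ip, "src_user": src.user, "src_sgt": src.sgt,
           "dst": dst_ip, "dst_sgt": dst.sgt, "rule": hit.name, "action": hit.action}
    return hit.action, hit.name, log


if __name__ == "__main__":
    # alice (SGT-HR) to an IoT host: denied by hr-to-iot, even though she is also an Employee
    print(evaluate("10.1.10.220", "10.1.100.52"))
```

Rule order matters exactly as it does on the device: alice carries both the HR SGT and the Employee group, so her IoT traffic is denied by the earlier SGT rule before the broader group rule can permit it, while a source with no learned identity never matches an identity rule and falls through to the implicit deny.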
Custom IPS Signature and Offline updates
Security policy options for delivering signatures:
• File upload (browser upload)
• Remote server (FTP, SCP etc.)
• Ability to upload custom rules for day-2 customization
(Diagram: policy with Source Employee to Enterprise App: Allow; Contractor to Exploit: Deny)
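Custom rules that are uploaded by hand are the ones most likely to break an IPS update, so it pays to lint them before upload. Below is an added Python example (not Cisco's uploader or validator) that parses Snort-style rules, checks that each has msg, sid and rev, that the SID is in the local range Snort reserves for user rules (1,000,000 and above), and that no SID is reused within the file. The sample rule file is constructed for the example and is not a real signature set.

```python
import re
from typing import Dict, List, Tuple

# Snort reserves SIDs below 1,000,000 for distributed rule sets; locally written
# rules should use 1,000,000 and above so they never collide with an update.
LOCAL_SID_MIN = 1_000_000

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass|log)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' while respecting quoted strings and escapes."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and i + 1 < len(opts):      # keep an escaped character verbatim
            cur.extend((ch, opts[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(cur).strip():
                parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts


def parse_options(opts: str) -> Dict[str, List[str]]:
    """Return option keyword -> list of values (keywords such as content may repeat)."""
    parsed: Dict[str, List[str]] = {}
    for part in split_options(opts):
        key, _, value = part.partition(":")
        parsed.setdefault(key.strip(), []).append(value.strip())
    return parsed


def validate_rule(line: str, seen_sids: set) -> List[str]:
    """Lint one rule; returns a list of problems (empty when the rule is acceptable)."""
    errors: List[str] = []
    m = HEADER_RE.match(line.strip())
    if not m:
        return ["rule header does not parse"]
    opts = parse_options(m.group("opts"))
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            errors.append(f"missing {required}")
    if "sid" in opts:
        raw = opts["sid"][0]
        if not raw.isdigit():
            errors.append(f"sid is not an integer: {raw!r}")
        else:
            sid = int(raw)
            if sid < LOCAL_SID_MIN:
                errors.append(f"sid {sid} is in the reserved range (< {LOCAL_SID_MIN})")
            if sid in seen_sids:
                errors.append(f"duplicate sid {sid}")
            seen_sids.add(sid)
    if "msg" in opts and not (opts["msg"][0].startswith('"') and opts["msg"][0].endswith('"')):
        errors.append("msg must be a quoted string")
    return errors


def validate_rules(text: str) -> List[Tuple[int, List[str]]]:
    """Validate every non-comment line; returns (line number, errors) per rule."""
    seen: set = set()
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        results.append((lineno, validate_rule(line, seen)))
    return results


# Constructed rule file for the example (not a real signature set).
SAMPLE_RULES = """\
# local rules for the branch
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL reverse shell port"; flow:to_server; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL bad path"; content:"/admin;debug"; sid:2000; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL dup"; sid:1000001; rev:2;)
drop tcp any any -> any 22 (msg:"LOCAL no rev"; sid:1000002;)
"""

if __name__ == "__main__":
    for lineno, errs in validate_rules(SAMPLE_RULES):
        print(lineno, errs or "ok")
```

Note the second sample rule: the semicolon inside the quoted content string must not terminate the option, which is why the splitter tracks quotes instead of calling split(";").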
Visibility and Integrations
Visibility - New SecOps Persona
• Security-focused dashboard in vManage
• Used for improved security management, reporting, and deeper security insights for the SecOps team
(Diagram: NetOps persona with SD-WAN Segmentation; SecOps persona with Security Operations Reporting)
Cisco SD-WAN Splunk Integration
Use Case 1: SOC Dashboard
• Holistic view of all security events in your network
• Top Threats
• Top Policy Hits
• View Top Applications accessed
• Drill down to device level from any security widget
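The widgets listed above are aggregations over the per-rule firewall logs and connection events the edges export. As an added example (not Cisco's Splunk app or its data model), the Python below parses a handful of constructed security events in a generic key=value layout, then builds the same views: top threats, top policy hits, top applications, and a per-device drill-down from a threat widget. The field names and the event lines are assumptions for the example; real NetFlow and syslog exports use different schemas.

```python
import shlex
from collections import Counter
from typing import Dict, List, Tuple

# Constructed security-event lines (an assumed key=value layout for this example).
SAMPLE_EVENTS = """\
ts=2023-02-07T10:00:01Z host=branch1-cedge site=100 vpn=1 src=10.1.10.220 dst=203.0.113.10 app=google action=inspect policy=Corp rule=web-allow
ts=2023-02-07T10:00:02Z host=branch1-cedge site=100 vpn=1 src=10.1.10.221 dst=198.51.100.7 app=ssh action=drop policy=Corp rule=block-ssh
ts=2023-02-07T10:00:03Z host=branch2-cedge site=200 vpn=2 src=10.2.10.5 dst=203.0.113.20 app=smb action=drop policy=Corp rule=block-smb threat="IPS: SMB exploit attempt" sev=high
ts=2023-02-07T10:00:04Z host=branch1-cedge site=100 vpn=1 src=10.1.10.221 dst=198.51.100.7 app=ssh action=drop policy=Corp rule=block-ssh
ts=2023-02-07T10:00:05Z host=branch2-cedge site=200 vpn=1 src=10.2.10.9 dst=203.0.113.30 app=http action=inspect policy=Corp rule=web-allow threat="AMP: malware file blocked" sev=critical
ts=2023-02-07T10:00:06Z host=branch1-cedge site=100 vpn=1 src=10.1.10.222 dst=203.0.113.10 app=google action=inspect policy=Corp rule=web-allow
ts=2023-02-07T10:00:07Z host=branch2-cedge site=200 vpn=2 src=10.2.10.5 dst=203.0.113.20 app=smb action=drop policy=Corp rule=block-smb threat="IPS: SMB exploit attempt" sev=high
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; shlex keeps quoted values containing spaces intact."""
    event: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def parse_events(text: str) -> List[Dict[str, str]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def top_threats(events: List[Dict[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Threat widget: IPS/AMP detections ranked by how often they fired."""
    return Counter(e["threat"] for e in events if "threat" in e).most_common(n)


def top_policy_hits(events: List[Dict[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Policy widget: per-rule log counts, keyed as policy/rule."""
    return Counter(f"{e['policy']}/{e['rule']}" for e in events).most_common(n)


def top_apps(events: List[Dict[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Application widget: which apps the firewall classified most."""
    return Counter(e["app"] for e in events).most_common(n)


def hosts_for_threat(events: List[Dict[str, str]], threat: str) -> List[str]:
    """Drill-down from a threat widget: which edges reported this threat."""
    return sorted({e["host"] for e in events if e.get("threat") == threat})


def drilldown(events: List[Dict[str, str]], host: str) -> dict:
    """Device-level view: everything one cEdge reported, split by action, VPN and threat."""
    mine = [e for e in events if e["host"] == host]
    return {
        "host": host,
        "events": len(mine),
        "by_action": Counter(e["action"] for e in mine),
        "by_vpn": Counter(e["vpn"] for e in mine),
        "threats": Counter(e["threat"] for e in mine if "threat" in e),
        "top_talkers": Counter(e["src"] for e in mine).most_common(3),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("top threats:", top_threats(evs))
    print("top policy hits:", top_policy_hits(evs))
    print("top apps:", top_apps(evs))
    print("branch2 drill-down:", drilldown(evs, "branch2-cedge"))
```

The drill-down path is the one that matters operationally: a widget count tells you a signature fired twice, while hosts_for_threat and drilldown tell you which edge, which VPN and which source address, which is what an analyst needs before acting on it.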
Demo
Cloud Security
SASE Solution Your Way: cloud security + SD-WAN
SD-WAN – Cloud based Security Overview
• Auto-onboarding
• Easy to Use SIG Template (Umbrella/Zscaler/Other)
• ECMP (4 active/4 backup) support
• Weighted Load balance
• Service Tracker for failover
• COR SaaS support for SIG
• Third-Party Tunnel (manual)
• Source based LB
• DC selection for compliance
• Data policy or route-based redirection with fall-back
• GRE support for higher throughput (Zscaler)
• New: Tested with Netskope / Cloudflare / Palo Alto
(Diagram: SD-WAN Branch with Employees (VPN1) and Guests (VPN2), tunnels to the SIG Provider, then on to Internet/Cloud Applications)
What’s New
SIG Tunnel Monitoring
For Reference
Monitoring – Tunnels
1) Tunnel id
2) Tunnel name
3) Tunnel Status – Local & remote
4) Type of ha-pair (Active/Backup)
5) SIG Provider
6) Destination Data Center
7) Transport Type – IPSec / GRE
8) Events/Notifications
9) Tracker
10) Site ID
11) Host Name
12) Packets In/Out (Local device)
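The overview slide and the monitoring fields above describe one mechanism: each SIG HA pair has an active and a backup tunnel, a tunnel only carries traffic while its local and remote state and its service tracker are all up, flows are spread across the surviving tunnels by source-based weighted ECMP, and when nothing is left the data policy falls back. The Python below is an added example of that selection logic (not Cisco's forwarding code); the tunnel inventory, the weights, the SHA-256 source hash and the fall-back label are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class SigTunnel:
    tunnel_id: int
    name: str
    provider: str
    data_center: str
    transport: str            # "ipsec" or "gre"
    role: str                 # "active" or "backup"
    pair: int                 # HA pair index; each pair is one active plus one backup
    weight: int = 1           # weighted load-balancing share
    local_up: bool = True     # local tunnel state
    remote_up: bool = True    # remote (provider) tunnel state
    tracker_up: bool = True   # service tracker probe result through the tunnel

    @property
    def usable(self) -> bool:
        # A tunnel that is up at both ends but whose tracker fails is treated as
        # failed: the tracker exists precisely to catch a black-holing tunnel.
        return self.local_up and self.remote_up and self.tracker_up


def active_set(tunnels: List[SigTunnel]) -> List[SigTunnel]:
    """Per HA pair: use the active tunnel if usable, otherwise fail over to the backup."""
    chosen: List[SigTunnel] = []
    for pair in sorted({t.pair for t in tunnels}):
        members = {t.role: t for t in tunnels if t.pair == pair}
        for role in ("active", "backup"):
            t = members.get(role)
            if t is not None and t.usable:
                chosen.append(t)
                break
    return chosen


def select_tunnel(tunnels: List[SigTunnel], src_ip: str, fallback: str = "direct-internet") -> str:
    """Source-based weighted ECMP across usable tunnels, with fall-back when none is left."""
    candidates = active_set(tunnels)
    if not candidates:
        return fallback
    total = sum(t.weight for t in candidates)
    # Hashing only the source keeps one host pinned to one tunnel (source-based LB).
    bucket = int(hashlib.sha256(src_ip.encode()).hexdigest(), 16) % total
    for t in candidates:
        if bucket < t.weight:
            return t.name
        bucket -= t.weight
    return candidates[-1].name   # not reachable; keeps the return type total


def status_rows(tunnels: List[SigTunnel]) -> List[dict]:
    """A monitoring-style view with the fields a tunnel table would show."""
    carrying = {t.tunnel_id for t in active_set(tunnels)}
    return [{
        "tunnel_id": t.tunnel_id, "name": t.name,
        "local": "up" if t.local_up else "down", "remote": "up" if t.remote_up else "down",
        "ha": t.role, "provider": t.provider, "dc": t.data_center, "transport": t.transport,
        "tracker": "up" if t.tracker_up else "down", "carrying": t.tunnel_id in carrying,
    } for t in tunnels]


def build_sample() -> List[SigTunnel]:
    """Constructed inventory: 4 active / 4 backup, pair 0 weighted 3x, pair 1 active tracker failed."""
    tunnels: List[SigTunnel] = []
    for pair in range(4):
        tunnels.append(SigTunnel(2 * pair + 1, f"sig-act-{pair}", "umbrella", "us-west",
                                 "ipsec", "active", pair, weight=3 if pair == 0 else 1))
        tunnels.append(SigTunnel(2 * pair + 2, f"sig-bkp-{pair}", "umbrella", "us-east",
                                 "ipsec", "backup", pair))
    tunnels[2].tracker_up = False   # pair 1 active: tunnel up, tracker probe failing
    return tunnels


if __name__ == "__main__":
    inv = build_sample()
    for row in status_rows(inv):
        print(row)
    print("10.1.10.220 ->", select_tunnel(inv, "10.1.10.220"))
```

When reading the monitoring page, the case to look for is the one built into the sample: a tunnel whose local and remote status are both up but whose tracker is down is not carrying traffic, and its backup is.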
Umbrella Multi-ORG support
(Diagram of the cloud security architecture: end-users on a Remote Access Client, an Unmanaged Device / Browser, or in the HQ/branch (in-branch, on network, or via SD-WAN On-Ramps) reach the Cloud data plane over the Global Internet Interconnect. Cloud security functions shown: ZTNA (zero-trust proxy), Decryption, DLP, CASB, Cloud Analytics and Endpoint ZTNA. Destinations: Internet, SaaS, and Private applications via Interconnects.)
Cisco SD-WAN Interconnect
Remote access users connecting to private applications behind the Viptela fabric
(Diagram: AnyConnect users with MFA and device posture and health connect to Secure Connect; traffic acquisition via HTTPS and DNS; cloud security stack with CD L3/4/7 firewall, secure web gateway, cloud-access security broker (CASB) and browser security; redundant DTLS to vManage and redundant IPsec (BGP) over the Global Interconnect to the Branch Hub Site and the Viptela Fabric DC; Viptela Branch Sites; Secure Connect Dashboard)
Secure Connect Available Regions
North America Regions
• US West
• US East
Europe Regions
• EU West
• EU East
Key Take-away
Embedded Security | Fabric Security | SASE
Thank you