
Evolution of Cisco SD-WAN Security and Journey Towards SASE

Tahir Ali, Leader - Technical Marketing

BRKENT-2312
Cisco Webex App

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated until February 24, 2023.

BRKENT-2312 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
About Me - Tahir Ali
• TME - Technical Leader @ Cisco SD-WAN BU
• Since 2018: Part of initial Viptela integration team
• 2006-2018: MSPs and Partners
• Certifications:
  • CCIE# 26070 (Security | Service Provider | Data Center)
  • AWS | Red Hat Associate
• Area of Expertise: SD-WAN Fabric, Policy, Security, SDCI, Multi-region Fabric
• Interests: Mountains and Beaches
• LinkedIn: https://www.linkedin.com/in/tahiralimarvi/
Cisco SD-WAN innovations driving the new norm
[Slide diagram: innovation areas Multicloud, App Experience, Security, AIOps, Intuitive Experience, DevOps, MSP and Platforms]
• Multicloud / App Experience: Multicloud Access, SDCI/Cloud Backbone, SaaS Optimization (M365, Webex), Voice Optimization, AppQoE (TCP Opt, FEC, DRE, etc.), WAN Insights
• Security: Enterprise FW, IPS, SIG, Adv Malware Protection, Segmentation, SSE, Cisco Umbrella
• AIOps: Analytics and Visibility
• Intuitive Experience / DevOps / MSP / Platforms: Simplified UX, Intent Automation, Self Service Portal, App Edge, API/SDK, Enhanced Automation, Multi-tenant SD-WAN, Co-managed SD-WAN Service, Remote Access, Multi-Region Fabric, 400G IP CEF Aggregation, Platform Upgrade, Higher C8K Dataplane Performance
Security Challenges - What’s top of mind?
• Segmentation: Isolate my IoT, CCTV, PoS and other traffic flows
• DIA / Cloud/SaaS: Secure App access
• SASE: Connect, Control and Converge; Migration Journey
• User/Device Identity: Drive consistent identity driven policy
• Operational Complexity: Ease of Config, Third-Party Integrations
• Visibility: Monitoring and Visibility into the security stack
Key Message

By the end of this session, you will have a good understanding of Cisco SD-WAN’s security capabilities and features. Whether you are looking for integrated security or SASE, you will be able to apply this knowledge to your organization or clients.

Think Secure WAN, Think Cisco SD-WAN

Agenda

• Section 1: Integrated Security
  • A look at current capabilities
  • What’s New?
  • Demo
• Section 2: Cloud Security
  • A look at current capabilities
  • What’s New?
  • Demo
• Section 3: Evolution towards Unified SASE
  • Cisco+ Secure Connect
Cisco SD-WAN Security Today

Cisco SD-WAN Security Models
Flexible Security based on customer needs
• Integrated Security: Single platform for Routing and Security at the branch (Branch Security in front of SaaS/IaaS Applications)
• Cloud Security: Lean branch with security in the cloud (SIG Provider in front of SaaS/IaaS Applications)
• Fabric Security: Encrypted Tunnels, TLS control plane, Certs, Embedded Segmentation
SD-WAN Integrated Security
vManage: Automated Templates
[Slide diagram: Cisco SD-WAN Fabric connecting HQ and Branch over MPLS, with the security stack (ZBFW, URL Filtering, IPS, AMP, TLS Proxy) on the edge]
• Enterprise Firewall
• Intrusion Prevention System
• URL-Filtering
• Advance Malware Protection
• DNS Security
• TLS/SSL Proxy
Cisco Enterprise Firewall with App-awareness
• Stateful Zone based Firewall
• App-aware using NBAR2 (Layer 3-7 visibility)
• VPNs (VRFs) / Interfaces as Zones
• Self-Zones/Default-Zones
• HSL logging
• FQDN Support
• Geo-IP Support
• Flood attack prevention
• Session re-classification
• IPv6 support*
[Slide diagram: Branch Edge with Inside Zones (Employee 1, Employee 2) and an Outside Zone reaching the Internet, Private Data Center and SaaS/IaaS]
Advance Protection Stack
[Slide diagram: TLS Proxy on the edge, AMP integrated with the Cisco AMP cloud]

IPS
• Detection or Prevention
• Snort 2.0 Engine
• Talos Threat intelligence
• Signature whitelist support
• Security-levels (Conn, Bal, Sec)
• Customize log level

URL Filtering
• Enforce Acceptable Use Controls
• Custom Allowed/Block lists
• Web Reputation score
• Web Categories
• Redirect or block page
• Customize log level

AMP
• Integration with AMP Cloud
• File Reputation
• File Retrospection
• Integration with Threat Grid
• File Analysis (sandboxing)
• Customized log types
What’s New ?

SD-WAN Unified Security Policy and Logging
Advanced NGFW Policy | Per rule level logging | Conn Events: NetFlow export

Policies available: IPS Policy Corp, IPS Policy-Dev, AMP Policy Corp, AMP Policy Dev, URL-F Policy Corp, URL-F Policy Guest, TLS/SSL Policy Corp, TLS/SSL Policy Guest

Advanced Inspection Profiles:
• Inspection Profile-Corp: IPS Policy Corp, AMP Policy Corp, URL-F Policy Corp, TLS/SSL Policy Corp
• Inspection Profile-Guest: URL-F Policy Guest, TLS/SSL Policy Guest

Example rules (Source | Destination | Application | Firewall Action | Advanced Inspection):
• Corp User | Any | Google Apps | Inspect | N/A
• Corp User | Any | Any | Inspect | Advanced Inspection Corp
• Guest User | Any | Any | Inspect | Advanced Inspection Guest
Cisco SD-WAN Identity-based Firewall using ISE integrations
• Identity as part of Security Policies
• User/User-Group (20.9)
• Security Group Tag (SGT) (20.10)
• Security Compliance throughout the network
• Ease of Configuration
[Slide diagram: 1) Active Directory and ISE/pxGrid provide the IP to User/SGT mapping; 2) ZBFW policy based on User/SGT identity is defined in vManage; 3) vSmart distributes the dynamic User/SGT to IP mapping to the routers over OMP; 4) the router enforces the ZBFW policy for Employee and HR users toward IaaS/SaaS and Private Apps]

Example ZBFW policy (Source SGT | ZBFW Policy Action | Destination SGT):
• SGT-Employee | Permit All | SGT-Employee Contractor
• SGT-HR | Deny All | SGT-IOT
High Level Architecture
[Slide diagram, steps as numbered on the slide]
1) vManage holds the User & User-group / SGT list
2) Identity based Security Policies are defined in vManage
3) IP to User/User-group/SGT mappings are learned by vSmart
4) On-Prem ISE-PIC Agent / ISE/pxGrid: IP to Username / User group / SGT mapping distributed using OMP
5) Datapath: VRF1/VPN1, SRC: 10.1.10.220, DST: 10.1.100.52
6) cEdge enforces the policy on the IP flow
Custom IPS Signature and Offline updates
• Design for Air-gapped Network
• Customers can upload signature packages to vManage using:
  • File upload (Browser upload)
  • Remote server (FTP, SCP etc.)
• Ability to upload custom rules for day-2 customization
• Operational Simplicity and Enhanced Security Control for Cisco SDWAN NGFW
[Slide diagram: Cisco signature file transferred to vManage from a remote server or by browser upload; custom rules applied in the Security policy; IPS Policy match rules: Enterprise App -> Allow, Exploit -> Deny]
Visibility and Integrations

Visibility - New SecOps Persona
• Security-focused dashboard in vManage
• Used for improved security management, reporting, and deeper security insights for the SecOps team
[Slide diagram: NetOps persona (SD-WAN, Optimized Routing, App Optimization, Segmentation) alongside SecOps persona (Security Operations, Remote Access Policy, Security Insights, Threat Response, Reporting)]
Cisco SD-WAN Splunk Integration

Use Case 1: SoC Dashboard
• Holistic view of all security events in your network
• Top Threats
• Top Policy Hits
• View Top Applications accessed
• Drill down to device level from any security widget

Use Case 2: Threat Management
• List all IPS events in the network
• List all Malware events in the network
• View which devices are impacted by threat events

Use Case 3: Flow Analysis
• View device network patterns
• Top Network Talkers
• Generate reports

[Slide diagram: Cisco SD-WAN fabric sends Logs and Events to Splunk (Indexing, Data Processing, Alert, Analytics, Data Lake), which feeds the Splunk Dashboard / Visualization]
Demo

Cloud Security

SASE Solution Your Way…
• Integrated SASE: SASE a la carte, build-your-own SASE approach (SASE components + SD-WAN)
• Unified SASE: Cisco+ Secure Connect, unified solution on a converged platform with turnkey operations (+ SD-WAN)
SD-WAN – Cloud based Security Overview
• Auto-onboarding
• Easy to Use SIG Template (Umbrella/Zscaler/Other)
• ECMP (4 active/4 backup) support
• Weighted Load balance
• GRE support for higher throughput (Zscaler)
• Service Tracker for failover
• COR SaaS support for SIG
• Third-Party Tunnel (manual)
• Source based LB
• DC selection for compliance
• Data policy or route-based redirection with fall-back
• New -> Tested with Netskope/Cloudflare/Palo
[Slide diagram: SD-WAN Branch with Employees (VPN1) and Guests (VPN2) redirected to the SIG Provider on the way to Internet/Cloud Applications]
What’s New

SIG Tunnel Monitoring

Enhanced Monitoring and Visibility for SIG tunnels:

• State of the SIG tunnel: Provides the status of all the tunnels, whether UP-ACTIVE or Down.

• Security Events: vManage receives the important event notifications from the Edge router using Netconf. This includes the events related to SIG tunnel bring-up.
For Reference

Monitoring – Tunnels

1) Tunnel id
2) Tunnel name
3) Tunnel Status – Local & remote
4) Type of ha-pair (Active/Backup)
5) SIG Provider
6) Destination Data Center
7) Transport Type – IPSec / GRE
8) Events/Notifications
9) Tracker
10) Site ID
11) Host Name
12) Packets In/Out (Local device)

Umbrella Multi-ORG support

20.11/17.11 Cisco vManage – Umbrella Integration:
• Ability to select multiple child orgs
• Simple integration using parent org id
• SIG tunnel support
• DNS Security

Flexibility to deploy distributed cloud security enforcement policies and compliance
[Slide diagram: Cisco Umbrella parent org with Child ORG id 1 (EMEA: Block Social Media) and Child ORG id 2 (AMER: Allow Social Media), both reaching the Internet]
Demo

Unified SASE

Cisco+ Secure Connect SASE Vision
[Slide diagram: Secure Connect Dashboard. Remote Access users (Client, Browser, Unmanaged Device, On-Prem) and SD-WAN On-Ramps (Meraki, Viptela (New), Both) enter the cloud service (ZTNA, Decryption, DLP, CASB, Endpoint Analytics, Content Filtering, L3-L7 FW, SWG, Global Interconnect) and reach the Internet, SaaS and IaaS/Colo. Tagline: Interconnect Everything, Security Everywhere]
Cisco+ Secure Connect High-level Architecture
[Slide diagram, left to right]
• Customer edge: Clientless Browser Access End-User; Client-based Access End-User; In branch / on network End-User (HQ/branch)
• Service edge: Interconnect; Zero-trust proxy; Cloud security
• Platform: Posture, Identity, Dashboard, Services, Cloud-control plane, Cloud data plane
• Customer environments: Sanctioned SaaS (Salesforce, Microsoft Office); General internet; Private applications

Flow:
1) Acquire traffic into the Cisco Secure Cloud/SASE Fabric
2) Acquire information from the edge
3) Gather missing information and authorize the flow
4) Connect to apps wherever they are: SaaS, Public Cloud, Data Center or Sites
Cisco SDWAN Interconnect
Remote access users connecting to private applications behind Viptela fabric
[Slide diagram: AnyConnect remote access users (MFA, device posture and health) connect over HTTPS to the Secure Connect cloud (Traffic Acquisition; DNS security, CD L3/4/7 firewall, Secure web gateway, Cloud-access security broker (CASB); Secure Connect Dashboard). The Global Interconnect reaches the Viptela Fabric over redundant IPsec (BGP) and redundant DTLS to the Hub Site, DC and Viptela Branch Sites, managed by vManage]
Secure Connect Available Regions
North America Regions

• US West
• US East

Europe Regions

• EU West
• EU East

Key Take-away

Embedded Security
• Firewall: Stateful ZBFW
• Snort Enhanced IPS
• AMP Security: Protection against complex threats; File Reputation & Sandboxing from Cisco Talos
• URL Filtering: 82+ Web Categories
• Zero Trust with Identity
• vManage SecOps Dashboard

Fabric Security
• Encrypted Segmentation with Multi-Topology
• Encrypted Connection: Control Plane and Data Plane
• Traffic Steering Policies
• Traffic Load Balancing (ECMP)
• HW Based Device Authentication (SUDI), Pairwise keys
• Monitoring & Visibility

SASE
• DNS security
• IPsec/GRE Tunnel, Simplified Configuration
• Layer-7 Health Check
• Cisco SIG Integration, Cisco Umbrella
• Third Party SIG partnership
• Unified Policy & Logging
• End-to-End Monitoring & Visibility
Complete your Session Survey
• Please complete your session survey after each session. Your feedback is important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the "Attendee Dashboard” at https://www.ciscolive.com/emea/learn/sessions/session-catalog.html

Continue Your Education

Visit the Cisco Showcase for related demos.

Book your one-on-one Meet the Engineer meeting.

Attend any of the related sessions at the DevNet, Capture the Flag, and Walk-in Labs zones.

Visit the On-Demand Library for more sessions at ciscolive.com/on-demand.

Thank you
