Security properties and features of the Intelligent WAN architecture
TECH-WAN: Building a Secure Intelligent WAN
Gaweł Mikołajczyk, gmikolaj@cisco.com, Security Technical Solutions Architect, CCIE #24987, CISSP-ISSAP, CISA, C|EH, SFCE
Cisco and/or its affiliates. All rights reserved. Cisco Connect 2015 – Secure WAN Cisco Public
Embracing the Holistic Threat Continuum
Figure: three groups of activities across the continuum: Control, Enforce, Harden; Detect, Block, Defend; Scope, Contain, Remediate.
Technology areas shown on the slide: Infrastructure and Protocols; Network Firewall; Next-Generation Firewall (NGFW); Next-Generation IPS (NGIPS); Web Security; Content Filtering; Mobile Users; Remote Access VPN; Email Security; SSL Decryption and Inspection; Network Forensics; Advanced Malware Protection (AMP); Incident Response; Open Source; Custom Tools; Context-Awareness; Attribution.
Threat-Centric Security Approach
The problem is the THREATS.
What high value assets am I trying to protect?
– Intellectual property, customer and employee data,
– Network and compute infrastructure
What are the possible threats?
– Internal and External, Structured and Unstructured
How do I detect and mitigate the threats?
– This is what this session is about at the Internet Edge
What is my incident response approach?
– Will I just sit there or clean up my environment?
BRKSEC-2135 The Importance of Threat-Centric Security
About the Speaker
Gaweł Mikołajczyk, CCIE #24987, SFCE #123985; @gapheu; /gawelmikolajczyk
IOS Hardening
“Why Would Anyone Hack Into My Router?”
Figure (from BRKSEC-2345 Critical Infrastructure Protection, 2013 London): an enterprise network with an FTP server and a client PC, and a tunnel leading out to the Internet. Two policy-based routing rules on the router, PBR1 (from PC to Server, next hop tunnel) and PBR2 (from Server to PC, next hop tunnel), divert both directions of the client-server traffic through the tunnel.
Physical Security Principles and Procedures
Can detect takeover of device:
– MUST detect login of authorised admin
– MUST detect brute force SSH attacks
– MUST detect password recovery
– MUST detect device replacement (UDI)
– MUST check device integrity regularly: OS, configuration, file system
Cannot detect wiretap:
– MUST protect all control plane protocols (BGP, IGP, LDP)
– MUST protect all management plane protocols (SSH, SNMP)
– Only data plane attacks are then possible
After each reboot, link-down event, etc.:
– Device could have been replaced
– Password recovery could have been done
– Check system: Unique Device Identifier (UDI), OS, configuration, enable password
After unexpected login from admin:
– Change password for that admin
– Check system: OS, configuration, enable password
Regularly (e.g. once in 24h):
– Check system: OS, configuration, enable password
Figure: the router reports to a Syslog server and an AAA server, and scripts drive the checks. You could have missed an event.
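The procedures above say which facts to re-check after which trigger. The following is an added example, not code from the slides or from Cisco: a small data-driven checker that encodes the trigger-to-check mapping and compares a freshly collected device state against a stored baseline. The DeviceState fields, the event names and all device values are constructed for the example; how you collect the facts (show inventory, verify /md5, show running-config) is left to your own scripts.

```python
# Added example (not from the slides): post-event integrity checks modelled on
# the procedures above. Field names, event names and device values are
# constructed placeholders, not an IOS or Cisco API.
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceState:
    """Facts your collection scripts pull from a device (constructed fields)."""
    udi: str               # e.g. PID/VID/SN from 'show inventory'
    image_md5: str         # e.g. the digest printed by 'verify /md5 <image>'
    running_config: str    # e.g. 'show running-config'
    enable_secret: str     # the 'enable secret ...' line as stored in the config


# Which checks each trigger requires, as listed on the slide.
CHECKS_BY_EVENT = {
    "reboot":           ("udi", "os", "config", "enable"),
    "link-down":        ("udi", "os", "config", "enable"),
    "unexpected-login": ("os", "config", "enable"),   # plus: rotate that admin's password
    "scheduled":        ("os", "config", "enable"),   # e.g. once every 24h
}

# Lines that legitimately change between two pulls of the running config and
# would otherwise raise a finding on every comparison.
_VOLATILE = re.compile(r"^(! Last configuration change|! No configuration change|"
                       r"! NVRAM config last updated|ntp clock-period|Building configuration|"
                       r"Current configuration)")


def config_fingerprint(config):
    """SHA-256 over the config with volatile lines removed and whitespace normalised."""
    stable = [ln.rstrip() for ln in config.splitlines()
              if ln.strip() and not _VOLATILE.match(ln.strip())]
    return hashlib.sha256("\n".join(stable).encode()).hexdigest()


def run_checks(event, baseline, current):
    """Return the checks that FAILED for this event (empty list means clean)."""
    if event not in CHECKS_BY_EVENT:
        raise ValueError(f"unknown trigger {event!r}")
    findings = []
    for check in CHECKS_BY_EVENT[event]:
        if check == "udi" and baseline.udi != current.udi:
            findings.append("udi: device may have been replaced")
        elif check == "os" and baseline.image_md5.lower() != current.image_md5.lower():
            findings.append("os: image hash differs from the known-good value")
        elif check == "config" and config_fingerprint(baseline.running_config) != config_fingerprint(current.running_config):
            findings.append("config: running configuration differs from baseline")
        elif check == "enable" and baseline.enable_secret != current.enable_secret:
            findings.append("enable: enable secret changed (password recovery?)")
    return findings


# --- constructed sample data -------------------------------------------------
BASELINE = DeviceState(
    udi="PID: ISR-EXAMPLE, VID: V01, SN: FAKE0000001",   # constructed
    image_md5="e383bf779e137367839593efa8f0f725",         # digest shown on the verify slide
    running_config="! Last configuration change at 10:00\nhostname BRANCH\nenable secret 5 $1$FAKE$baseline\nip ssh version 2\n",
    enable_secret="enable secret 5 $1$FAKE$baseline",
)
# Same device after a reboot: only the volatile timestamp line differs.
AFTER_REBOOT = DeviceState(BASELINE.udi, BASELINE.image_md5,
                           BASELINE.running_config.replace("10:00", "11:30"), BASELINE.enable_secret)
# A different chassis answering with an otherwise identical configuration.
SWAPPED = DeviceState("PID: ISR-EXAMPLE, VID: V01, SN: FAKE0009999",
                      BASELINE.image_md5, BASELINE.running_config, BASELINE.enable_secret)
# Same chassis, but the enable secret is no longer the one that was deployed.
RECOVERED = DeviceState(BASELINE.udi, BASELINE.image_md5,
                        BASELINE.running_config.replace("$baseline", "$changed"),
                        "enable secret 5 $1$FAKE$changed")

if __name__ == "__main__":
    for name, cur in (("after reboot", AFTER_REBOOT), ("swapped", SWAPPED), ("recovered", RECOVERED)):
        print(f"{name:13s} ->", run_checks("reboot", BASELINE, cur) or "clean")
```

The mapping makes the slide's point explicit: a scheduled run deliberately does not compare the UDI, so a swapped chassis is only caught by the reboot or link-down trigger, which is why those events must be logged and acted on.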
Device Software Authenticity Challenges Today
Figure: the Boot ROM BOOTS the OS, which USES the Configuration; the device carries a Unique Device Identifier (UDI). Threats along this chain: Misconfiguration; Lacking security; Sabotage; Protocol vulnerability; OS vulnerability; Rootkit; Physical attacks.
Device Software Authenticity Outlook for the Future
Figure: a PHYSICALLY SECURE Boot ROM CHECKS OS CORRECTNESS, then BOOTS an OS with Vendor Signature, which VERIFIES FIRST, THEN USES a Configuration with Checksum; the device carries a Secure Unique Device Identifier (SUDI) (802.1AR).
• SUDI allows for globally unique, secure device identification
– Cannot replace device
• Boot process secured
– Cannot modify Boot ROM
– Cannot modify OS
• Secure OS coding practices
– CSDL Practices
– Reduces vulnerabilities
• Upgrade procedures
http://standards.ieee.org/findstds/standard/802.1AR-2009.html
Verifying Software Authenticity on Routers
Use the verify /md5 privileged EXEC command to verify the integrity of image files stored on the Cisco IOS file system; you can also supply a known-good MD5 hash to the verify command so that the router compares its computed digest against it.
Router# verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3
.....<output truncated>.....Done!
e383bf779e137367839593efa8f0f725
Configure the file verify auto Cisco IOS feature:
Router# configure terminal
Router(config)# file verify auto
The presence of the following commands should trigger further investigation. The asterisk symbol * indicates any text that follows the command itself:
gdb *, test *, tclsh *, service internal, attach *, remote *, ipc-con *, if-con *, execute-on *, show region, show memory *, show platform *
IOS supports digitally signed images on some platforms. Verify the authenticity and integrity of the binary file by using the show software authenticity file command.
http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html
Router# show software authenticity file c1900-universalk9-mz.SPA.152-4.M2
File Name                     : c1900-universalk9-mz.SPA.152-4.M2
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : C1900
        Organization Name     : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
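The slide shows three manual checks: the verify /md5 digest, the signer details from show software authenticity file, and a list of commands whose presence warrants investigation. The following is an added example, not code from the slides or a Cisco tool, that automates all three over captured command output. The two command outputs are reproduced from the slide as sample input; the audit text (a running-config fragment with an EEM applet) is constructed, and the expected signer values are this example's policy.

```python
# Added example (not from the slides): parse 'show software authenticity file'
# and 'verify /md5' output and scan an audit text for the slide's command list.
import re

# Reproduced from the slide.
AUTHENTICITY_OUTPUT = """\
File Name                     : c1900-universalk9-mz.SPA.152-4.M2
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : C1900
        Organization Name     : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
"""
VERIFY_OUTPUT = """\
Router# verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3
.....<output truncated>.....Done!
e383bf779e137367839593efa8f0f725
"""

# Policy for this example: every production image must carry these values.
EXPECTED = {"Image type": "Production", "Common Name": "CiscoSystems",
            "Organization Name": "CiscoSystems", "Hash Algorithm": "SHA512"}


def parse_authenticity(text):
    """Turn the 'Key : Value' lines into a dict; section headers without ':' are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def authenticity_findings(text):
    """List every expected field that is missing or differs."""
    fields = parse_authenticity(text)
    return [f"{k}: expected {v!r}, got {fields.get(k)!r}"
            for k, v in EXPECTED.items() if fields.get(k) != v]


def md5_matches(verify_output, known_good):
    """'verify /md5' prints the digest as a 32-hex token; compare case-insensitively."""
    m = re.search(r"\b([0-9a-fA-F]{32})\b", verify_output)
    return bool(m) and m.group(1).lower() == known_good.lower()


# Command patterns from the slide; a trailing '*' means anything may follow.
SUSPICIOUS = ["gdb *", "test *", "tclsh *", "service internal", "attach *", "remote *",
              "ipc-con *", "if-con *", "execute-on *", "show region", "show memory *", "show platform *"]
_PATTERNS = [re.compile(r"^\s*" + re.escape(p[:-2]) + r"(\s|$)") if p.endswith(" *")
             else re.compile(r"^\s*" + re.escape(p) + r"\s*$") for p in SUSPICIOUS]
# EEM applets embed CLI in quotes: action 2.0 cli command "tclsh ..."
_EEM_CLI = re.compile(r'^\s*action\s+\S+\s+cli\s+command\s+"([^"]*)"')


def _command_text(line):
    m = _EEM_CLI.match(line)
    return m.group(1) if m else line


def suspicious_lines(audit_text):
    """Lines of a config / EEM applet / command history that match the slide's list."""
    return [ln.strip() for ln in audit_text.splitlines()
            if any(pat.match(_command_text(ln)) for pat in _PATTERNS)]


# Constructed audit text: a config fragment with a scheduled EEM applet.
SAMPLE_AUDIT = """\
hostname BRANCH
service internal
ip ssh version 2
event manager applet NIGHTLY
 event timer cron cron-entry "0 3 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "tclsh flash:/script.tcl"
 action 3.0 cli command "show ip interface brief"
interface GigabitEthernet0/0
 description test link
"""

if __name__ == "__main__":
    print("authenticity:", authenticity_findings(AUTHENTICITY_OUTPUT) or "ok")
    print("md5 ok:", md5_matches(VERIFY_OUTPUT, "e383bf779e137367839593efa8f0f725"))
    print("suspicious:", suspicious_lines(SAMPLE_AUDIT))
```

The EEM unwrapping matters in practice: a command hidden inside an applet does not start a line of its own, so a plain line-anchored grep would miss it, while an unrelated word such as "test" in an interface description must not raise a finding.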
IOS Hardening Best Practices
Cisco Guide to Harden Cisco IOS Devices
– Secure Operational Procedures: Monitor Security Advisories; Leverage AAA; Centralize Log Collection; Use Secure Protocols when possible
– Management Plane (SSH, SNMP, NetFlow): Disable unused Services; Password Security; Secure Management Sessions; Thresholding for Memory, CPU, Leaks; Management Plane Protection (MPP)
– Control Plane (ICMP, BGP, RSVP): Control Plane Policing (CoPP), Control Plane Protection (CPPr), HW Rate-Limiters
– Data Plane (production traffic): Antispoofing with uRPF, IPSG, Port Security, DAI, ACLs; Traffic Access Control
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
I understand my network. A Cisco Example.
Offices in 100+ countries
15 Billion Flows per day
125,000 endpoints (with laptops and phones)
150,000+ servers of all types
40,000 routers
1,500 labs
350 IPS Sensors / 1.5M Alerts per day
12 major Internet POPs
One CSIRT analyst for every 7,000 employees
HUGE COMPLEXITY.
"3D COMPLEXITY CUBE"
Secure WAN Transport
Securing the Intelligent WAN
Step 1: Secure Transport
IPsec with DMVPN overlay: a secure, transport-independent overlay
Add Strong Cryptography: IKEv2 + AES-GCM 256
Step 2: Threat Defense
IOS Zone-based Firewall or ACLs
Minimize exposure: DHCP addressing for Internet and tunnel interfaces
Don’t put tunnel addresses into DNS
Step 3: Choose your performance level
Size the router based on encryption with services and WAN bandwidth
Head-end: ASR1000 or ISR4451X
Branch: ISR-G2
Figure: a Branch ISR-G2 with DSL and Cable uplinks via ISP A and ISP C to two ASR 1000 head-ends at the Data Center.
Best Practice: VRF-Aware DMVPN
Keeping the Default Routes in Separate VRFs with Front Door VRF
Enable FVRF DMVPN on the Spokes
Allow the ISP-learned Default Route in the VRF INET-PUBLIC and use it for tunnel establishment
Global VRF contains the Default Route learned via the tunnel. User data traffic follows the Tunnel to the INSIDE interface on the firewall
Allows for consistent implementation of corporate security policy for all users
Figure: Internet Edge with a VPN-DMZ and a firewall with INSIDE and OUTSIDE interfaces; VRF INET-PUBLIC on both the spoke and the hub side carries the Internet-facing default route, EIGRP carries the default over the tunnel, and a "Block default" point keeps the ISP default out of the global table.
Securing IWAN Transports with Front-door VRF: Isolation of external networks
Virtual Routing and Forwarding (VRF) instances create multiple logical routers on a single device
– Separate control/forwarding planes per VRF
– No connectivity between VRFs by default
– Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
Provider VRF minimizes threat exposure
– Default routing only in Provider VRF
– Provider assigned IP addressing hides internal network
– Provider IP address used as IPsec tunnel source
– Only IPsec allowed between internal Global and Provider Front Side VRFs
Figure: Global Enterprise VRF with the Branch LAN (10.1.1.0/24, 10.1.2.0/24, …) and the IPsec tunnel interface; Front Side Provider VRF (F-VRF) with the provider-assigned WAN IP address 192.168.254.254; the VRFs have independent routing and forwarding planes; an IOS ZBFW or ACL permits only authorized traffic, i.e. IPsec.
Protecting the Public facing IWAN Interfaces
Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
Figure: Branch with DSL and Cable uplinks via ISP A and ISP C to two ASR 1000 head-ends at the Data Center.
Typical ACL for protecting the Internet interface:
interface GigabitEthernet0/0
bandwidth 10000
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip access-group ACL-INET-PUBLIC in
duplex auto
!
ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
!
Secure Direct Internet Access (DIA)
Central versus Direct Internet Access
Central Internet Access:
– Internet link remains unused during normal operations
– Sub-optimal access to cloud based resources
– All traffic traverses the WAN
Direct Internet Access:
– Internet link is used during normal operations
– Optimal access to cloud based resources
– Only internal traffic traverses the WAN
Central versus Direct Internet Access
Central Internet (default route learned over the DMVPN tunnel):
RS230-1941#sh ip route
Gateway of last resort is 10.10.34.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/2561280] via 10.4.34.1, 1w1d, Tunnel10
10.0.0.0/8 is variably subnetted, 110 subnets, 10 masks
D EX 10.10.0.0/16 [170/2560512] via 10.10.34.1, 1w1d, Tunnel10
D EX 10.10.0.0/20 [170/2561024] via 10.10.34.1, 1w1d, Tunnel10
Direct (local) Internet (static default route to the ISP next hop):
RS250-1941#sh ip route
Gateway of last resort is 172.18.100.129 to network 0.0.0.0
S* 0.0.0.0/0 [15/0] via 172.18.100.129
10.0.0.0/8 is variably subnetted, 107 subnets, 11 masks
D EX 10.10.0.0/16 [170/26880512] via 10.10.34.1, 1w1d, Tunnel10
D EX 10.10.0.0/20 [170/26881024] via 10.10.34.1, 1w1d, Tunnel10
WAN Remote-site Designs with Direct Internet
Figure: Non Redundant designs (Internet WAN; MPLS + Internet WAN); Redundant Links designs; Redundant Links & Routers designs; each built from Internet or MPLS VPN plus Internet transports.
ISR-G2 with Cloud Web Security Connector
Connector is integrated into Cisco ISR G2 Router Platforms
– VRF-aware CWS Connector with IOS release 15.4(1)T
Redirection of web traffic happens transparently on the remote-site router
Tower Redundancy
Single point of policy management and monitoring
Figure: Secure Remote Site router with interface G0/0 towards the Internet.
High-level Data Flow with Cloud Web Security
HTTP and HTTPS client requests are redirected to a CWS proxy (tower) in the cloud.
Requests are checked against configured policies and filtered.
Clean requests are directed back to the client.
Figure: the User's web requests, the allowed traffic and the filtered traffic, flowing between the user, the CWS tower and the Internet.
Cloud Web Security Centralized Management
Cisco ScanCenter Portal
Cloud Web Security
Cisco ScanCenter Portal – Create Group
parameter-map type content-scan global
server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
license 0 893EECEED111C32D2A205A8204079043
source interface GigabitEthernet0/0
user-group CWS-REMOTE-SITES
server scansafe on-failure block-all
Must Match: the user-group name configured on the router must match the group created in the ScanCenter portal.
Cloud Web Security
Cisco ScanCenter Portal – Generate Group Key
Cloud Web Security
Cisco ScanCenter Portal – Generate Group Key
parameter-map type content-scan global
server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
license 0 893EECEED111C32D2A205A8204079043
source interface GigabitEthernet0/0
user-group CWS-REMOTE-SITES
server scansafe on-failure block-all
Must Match: the license key configured on the router must match the group key generated in the ScanCenter portal.
Cloud Web Security Cisco ScanCenter Portal – Create Filter
Cloud Web Security Cisco ScanCenter Portal – Create Policies
CWS Tower Communication: Modify ACL for CWS communication
Figure: Branch with DSL and Cable uplinks via ISP A and ISP C to two ASR 1000 head-ends at the Data Center.
interface GigabitEthernet0/0
bandwidth 10000
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip access-group ACL-INET-PUBLIC in
duplex auto
!
ip access-list extended ACL-INET-PUBLIC
remark Allow-DMVPN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
remark Allow-DHCP
permit udp any any eq bootpc
remark Allow-ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
remark allow-CWS
permit tcp any eq 8080 any
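The two versions of ACL-INET-PUBLIC (the DMVPN-only ACL on the earlier slide and the CWS variant above) differ by one line, and the only way to be sure what each one admits is to evaluate it. The following is an added example, not code from the slides or from IOS: a small evaluator for exactly the ACL syntax used on these slides (any, eq/gt/lt ports, ICMP type keywords, ttl eq), applied to sample packets. The Packet type and the sample flows are constructed for the example; the two ACL texts are the slides' own.

```python
# Added example (not from the slides): evaluate the slides' ACL-INET-PUBLIC
# variants against sample packets, including the implicit deny at the end.
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68, "bootps": 67}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the ACL can test."""
    proto: str                       # 'tcp', 'udp', 'esp' or 'icmp'
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # IOS keyword, e.g. 'echo', 'ttl-exceeded'
    ttl: int = 64


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_port_op(toks, i):
    """Optional 'eq|gt|lt <port>' at toks[i]; returns ((op, port) or None, next index)."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        return (toks[i], _port(toks[i + 1])), i + 2
    return None, i


def parse_acl(text):
    """Parse 'permit|deny <proto> any [op port] any [op port] [icmp-type] [ttl eq N]' lines."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] in ("remark", "ip"):
            continue                       # remarks and the 'ip access-list' header
        action, proto = toks[0], toks[1]
        if action not in ("permit", "deny") or toks[2] != "any":
            raise ValueError(f"unsupported entry: {line.strip()}")
        sport, i = _parse_port_op(toks, 3)
        if toks[i] != "any":
            raise ValueError(f"unsupported entry: {line.strip()}")
        dport, i = _parse_port_op(toks, i + 1)
        icmp_type = ttl = None
        if proto == "icmp" and i < len(toks) and toks[i] != "ttl":
            icmp_type, i = toks[i], i + 1
        if toks[i:i + 2] == ["ttl", "eq"]:
            ttl = int(toks[i + 2])
        entries.append((action, proto, sport, dport, icmp_type, ttl))
    return entries


def _port_ok(cond, value):
    if cond is None:
        return True
    op, port = cond
    return value is not None and {"eq": value == port, "gt": value > port, "lt": value < port}[op]


def evaluate(entries, pkt):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for action, proto, sport, dport, icmp_type, ttl in entries:
        if (proto == pkt.proto and _port_ok(sport, pkt.sport) and _port_ok(dport, pkt.dport)
                and (icmp_type is None or icmp_type == pkt.icmp_type)
                and (ttl is None or ttl == pkt.ttl)):
            return action
    return "deny"


# ACL from the "Protecting the Public facing IWAN Interfaces" slide.
ACL_DMVPN_ONLY = """\
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
"""
# The CWS slide adds one line so replies from the tower (source port 8080) get in.
ACL_WITH_CWS = ACL_DMVPN_ONLY + " remark allow-CWS\n permit tcp any eq 8080 any\n"

if __name__ == "__main__":
    base, cws = parse_acl(ACL_DMVPN_ONLY), parse_acl(ACL_WITH_CWS)
    for label, p in [("IKE", Packet("udp", 500, 500)), ("SSH from Internet", Packet("tcp", 40000, 22)),
                     ("CWS reply", Packet("tcp", 8080, 51000))]:
        print(f"{label:18s} base={evaluate(base, p):6s} cws={evaluate(cws, p)}")
```

Two things the evaluation makes visible: inbound SSH and any other unsolicited TCP are dropped by the implicit deny on both ACLs, and the CWS line is a stateless match on the source port, so it also admits any unsolicited TCP segment that happens to carry source port 8080. The later slides replace this static ACL with the stateful zone-based firewall, which closes that gap.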
Cloud Web Security Configuration
Basic CWS Configuration for Direct Internet Access
interface Tunnel10
description DMVPN
content-scan out
parameter-map type content-scan global
server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
license 7 04095B242A071A6A513B5133422D2F550B7901706310744652332152040F010502
source interface GigabitEthernet0/0
user-group CWS-REMOTE-SITES
server scansafe on-failure block-all
Figure: Secure Remote Site router with interface G0/0 towards the Internet and the CWS Towers.
Cloud Web Security Traffic Whitelists
CWS Whitelisting for Internal web services - ACL
ip access-list extended CWS-EXCLUDE
permit ip any 10.0.0.0 0.255.255.255
content-scan whitelisting
whitelist acl name CWS-EXCLUDE
Figure: Secure Remote Site router with G0/0 towards the Internet and the CWS Towers; Internal Web Services on 80/443 are reached without redirection to the towers.
Cloud Web Security
Cisco ScanCenter Portal – Verify CWS on Clients
Cloud Web Security
Cisco ScanCenter Portal – Verify CWS Operation from host
Full Services Secure Direct Internet Access
Secure Direct Internet Access
IOS Zone Based Firewall
Figure: Secure Remote Site with the IOS Zone Firewall between Security Zone INSIDE (the LAN and the DMVPN tunnel to the Central Site) and Security Zone OUTSIDE (the Internet).
• Stateful IOS Zone Based Firewall replaces static ACL configured on outside Interfaces.
• Zone Firewall provides stateful inspection for inside to outside user traffic flows.
– Only traffic originating from the INSIDE zone is allowed into the internal remote-site networks.
• Firewall policy allows the router to accept DMVPN, DHCP and ICMP traffic destined to the router itself.
• Firewall policy allows the router to originate DMVPN, DHCP and ICMP traffic from the router itself.
Remote Site Security: IOS Zone Firewall configuration – Inside to outside traffic
Figure: Secure Remote Site with the IOS Zone Firewall between Security Zone INSIDE (the LAN and the DMVPN tunnel to the Central Site) and Security Zone OUTSIDE (the Internet).
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
IOS Zone Firewall
Zone-pair and Zone members
interface GigabitEthernet0/0
description Internet Connection
zone-member security OUTSIDE
interface GigabitEthernet0/2.64
description Wired Data
zone-member security INSIDE
interface Tunnel10
description DMVPN-1 tunnel interface
zone-member security INSIDE
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
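The zone membership and zone pairs above, together with the INSIDE-TO-OUTSIDE policy on the previous slide, define which direction may open a flow. The following is an added example, not code from the slides or from IOS: a toy model of that zone-pair logic, to show why the stateful zone firewall can replace the static interface ACL. The interface-to-zone mapping and the INSIDE-to-OUTSIDE protocol list are taken from the slides; the protocol lists for the two self-zone pairs are an assumption based on the earlier slide (DMVPN, DHCP and ICMP to and from the router), because ACL-IN-POLICY and ACL-OUT-POLICY are not shown, and the session table is a deliberate simplification.

```python
# Added example (not from the slides or IOS): a toy zone-pair model. Zone and
# interface names follow the slide; self-zone protocol lists are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a conversation, identified by its 5-tuple."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ZoneFirewall:
    def __init__(self, members, zone_pairs):
        self.members = members        # interface name -> zone; 'self' is the router itself
        self.zone_pairs = zone_pairs  # (source zone, destination zone) -> inspected protocols
        self.sessions = set()         # flows admitted so far, keyed by their 5-tuple

    def decide(self, in_if, out_if, flow):
        src_zone, dst_zone = self.members[in_if], self.members[out_if]
        if src_zone == dst_zone:
            return "pass"             # traffic between members of one zone is not policed
        if flow.reverse() in self.sessions:
            return "return"           # reply to a flow inspected in the other direction
        if flow.proto in self.zone_pairs.get((src_zone, dst_zone), set()):
            self.sessions.add(flow)   # first packet of an allowed flow opens a session
            return "inspect"
        return "drop"                 # no zone pair for this direction, or class-default drop


def build_branch_firewall():
    members = {"GigabitEthernet0/0": "OUTSIDE", "GigabitEthernet0/2.64": "INSIDE",
               "Tunnel10": "INSIDE", "self": "self"}
    zone_pairs = {
        ("INSIDE", "OUTSIDE"): {"ftp", "tcp", "udp", "icmp"},   # INSIDE-TO-OUTSIDE-CLASS
        ("self", "OUTSIDE"): {"udp", "esp", "icmp"},            # assumed: DMVPN/DHCP/ICMP from router
        ("OUTSIDE", "self"): {"udp", "esp", "icmp"},            # assumed: DMVPN/DHCP/ICMP to router
    }
    return ZoneFirewall(members, zone_pairs)


# Constructed sample endpoints: the slide's LAN plus RFC 5737 documentation addresses.
LAN_HOST, WEB_SERVER, SCANNER = "10.10.31.10", "203.0.113.5", "198.51.100.7"

if __name__ == "__main__":
    fw = build_branch_firewall()
    web = Flow("tcp", LAN_HOST, 51000, WEB_SERVER, 443)
    print("LAN -> Internet HTTPS:", fw.decide("GigabitEthernet0/2.64", "GigabitEthernet0/0", web))
    print("HTTPS reply:          ", fw.decide("GigabitEthernet0/0", "GigabitEthernet0/2.64", web.reverse()))
    print("Internet -> LAN SSH:  ", fw.decide("GigabitEthernet0/0", "GigabitEthernet0/2.64",
                                               Flow("tcp", SCANNER, 40000, LAN_HOST, 22)))
```

The contrast with the static ACL is the last case in the test: a segment arriving from the Internet with source port 8080 but no matching session is dropped here, whereas the CWS line in the interface ACL would have permitted it.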
Figure: Gig0/0 in Zone OUTSIDE; G0/2.64 and Tunnel 10 in Zone INSIDE.
Direct Internet Access with NAT/PAT: Basic NAT/PAT configuration
Figure: Secure Remote Site router with IP NAT Inside on the LAN side and IP NAT Outside on the Internet side; DMVPN towards the Central Site.
ip access-list standard NAT
permit 10.10.31.0 0.0.0.255
ip nat inside source list NAT interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/2.64
ip nat inside
Full Services Direct Internet Access Routing with F-VRF
Direct Internet Access Routing with F-VRF
With Front Door VRF the Internet interface is placed into a VRF, isolating the ISP default route from the global table.
For traffic to get to the Internet we need a method to route outbound traffic from the global table to the Internet-facing VRF.
For return traffic we need a method to route inbound traffic from the outside VRF to the global table.
Full Services Internet Access with Front Door VRF
Figure: interface G0/0 in VRF INET-PUBLIC1 holds the DHCP-derived default route from the ISP (0.0.0.0 0.0.0.0, default distance 254); the Global Table is separate.
![Page 43: Bezpečnostní a funkce Intelligent - Cisco - Global Home … funkce Intelligent WAN architektury TECH-WAN: Building a Secure Intelligent WAN Gaweł Mikołajczyk gmikolaj@cisco.com](https://reader034.fdocument.pub/reader034/viewer/2022051602/5af1b2227f8b9abc788ec4d2/html5/thumbnails/43.jpg)
Single Router DMVPN WAN with Local Internet
Full services Internet with front door VRF

[Figure: single router with G0/0 (DHCP) in FVRF INET-PUBLIC1 toward the public cloud/Internet and the global table toward the L2 LAN; local Internet access via the 0.0.0.0 0.0.0.0 default route, with IOS NAT/FW on the Internet path]
Single Router DMVPN with Local Internet
Routing Details – Routing traffic outbound to the Internet

interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10

[Figure: VRF INET-PUBLIC1 holds the DHCP-derived default route 0.0.0.0 0.0.0.0 (default distance 254); the global table holds a default route 0.0.0.0 0.0.0.0 with distance 10 pointing from Global to INET-PUBLIC1 (via G0/0), alongside the DMVPN tunnel]
Single Router DMVPN with Local Internet
Routing Details – View routing tables for outbound traffic

RS231-2911#sh ip route                                   <- GLOBAL TABLE
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S*    0.0.0.0/0 [10/0] via 172.18.101.121, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 112 subnets, 10 masks
D EX  10.10.0.0/16 [170/1536512] via 10.10.34.1, 02:32:14, Tunnel10
D EX  10.10.0.0/20 [170/1537024] via 10.10.34.1, 02:32:14, Tunnel10

RS231-2911#sh ip route vrf INET-PUBLIC1
Routing Table: INET-PUBLIC1
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S*    0.0.0.0/0 [254/0] via 172.18.101.121
      172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C     172.18.101.120/29 is directly connected, GigabitEthernet0/0
S     172.18.101.121/32 [254/0] via 172.18.101.121, GigabitEthernet0/0

[Figure: Internet – G0/0 – VRF INET-PUBLIC1 – Global Table – DMVPN – 10.10.31.0/24]
Single Router DMVPN with Local Internet
Routing Details – Routing for return traffic inbound from the Internet

route-map INET-INTERNAL permit 10
 match ip address INTERNAL-NETS
 set global
!
ip access-list extended INTERNAL-NETS
 permit ip any 10.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip policy route-map INET-INTERNAL

[Figure: the policy route for 10.0.0.0/8 traffic arriving on G0/0 sets the next-hop VRF to the global table (from INET-PUBLIC1 to Global), reaching 10.10.31.0/24 behind the router]
Single Router MPLS Primary DMVPN Backup with Local Internet
Full services Internet with front door VRF

[Figure: single router with the MPLS WAN as primary path, DMVPN over the Internet as backup, and a DHCP-addressed local Internet link (Local Internet Access 0.0.0.0 0.0.0.0) protected by IOS NAT/FW]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – outbound traffic

interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 10

[Figure: DMVPN over Internet and DMVPN over MPLS from the branch LAN 10.10.31.0/24. Primary Internet path: global-table default route 0.0.0.0 0.0.0.0, default distance 10, from Global to INET-PUBLIC1 (via G0/0); the DHCP-derived default route in VRF INET-PUBLIC1 has default distance 254. Secondary Internet path: EIGRP-derived central-site default route 0.0.0.0 0.0.0.0 in the global table, admin distance 170.]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – return traffic

interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip policy route-map INET-INTERNAL
!
route-map INET-INTERNAL permit 10
 match ip address INTERNAL-NETS
 set global
!
ip access-list extended INTERNAL-NETS
 permit ip any 10.0.0.0 0.255.255.255

[Figure: DMVPN over Internet and DMVPN over MPLS on G0/0 and G0/1; the policy route for 10.0.0.0/8 traffic sets the next-hop VRF to the global table (from INET-PUBLIC1 to Global) toward 10.10.31.0/24]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF

[Figure: two public cloud/Internet links, Local Internet Access Primary (0.0.0.0 0.0.0.0) and Local Internet Access Secondary (0.0.0.0 0.0.0.0), each behind IOS NAT/FW and each carrying a DMVPNoINET tunnel]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – Egress Traffic

interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
!
interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC2
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 15

[Figure: two DMVPNoINET tunnels from the branch LAN 10.10.31.0/24. Primary Internet path: default route 0.0.0.0 0.0.0.0, admin distance 10, from Global to INET-PUBLIC1 (via G0/0). Secondary Internet path: default route 0.0.0.0 0.0.0.0, admin distance 15, from Global to INET-PUBLIC2 (via G0/1).]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – return traffic

interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip policy route-map INET-INTERNAL
!
interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC2
 ip address dhcp
 ip policy route-map INET-INTERNAL
!
route-map INET-INTERNAL permit 10
 match ip address INTERNAL-NETS
 set global
!
ip access-list extended INTERNAL-NETS
 permit ip any 10.0.0.0 0.255.255.255

[Figure: on both G0/0 and G0/1 the policy route for 10.0.0.0/8 traffic sets the next-hop VRF to the global table (from the INET-PUBLIC VRF to Global) toward 10.10.31.0/24]
Additional DIA Routing Considerations
Black Hole Route Detection – IP SLA
Lost connection to ISP but DHCP route stays in the routing table

IP SLA probes:

ip sla 110
 icmp-echo x.x.x.x source-interface GigabitEthernet0/0
 vrf INET-PUBLIC1
 threshold 1000
 frequency 15
ip sla schedule 110 life forever start-time now
!
ip sla 111
 icmp-echo y.y.y.y source-interface GigabitEthernet0/0
 vrf INET-PUBLIC1
 threshold 1000
 frequency 15
ip sla schedule 111 life forever start-time now
!
track 60 ip sla 110 reachability
track 61 ip sla 111 reachability
track 62 list boolean or
 object 60
 object 61

Note: This method is compatible with the dual Internet DHCP design.

EEM applet that withdraws the static default when both probes fail:

event manager applet DISABLE-STATIC-GIG0-0
 event track 62 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10"
 action 4 cli command "end"
 action 99 syslog msg "DEFAULT IP ROUTE via GIG0/0 DISABLED"
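The following is an added example, not part of the deck, that models the detection chain on this slide: two IP SLA reachability tracks combined by "track 62 list boolean or", and an EEM applet that runs only on the list's transition to the down state. The probe results fed in are constructed; the class and function names are the example's own.

```python
"""Model of the Black Hole Route Detection chain (added example, not from the deck).

Two IP SLA probes feed reachability tracks 60 and 61, 'track 62 list boolean or'
combines them, and applet DISABLE-STATIC-GIG0-0 runs only on track 62's transition
to DOWN, i.e. once *both* probes have failed.  Probe results are constructed inline.
"""
from dataclasses import dataclass, field


@dataclass
class BlackHoleDetector:
    """State of track 62 plus the side effects of the EEM applet."""
    state: str = "UP"                              # track 62 list state
    route_installed: bool = True                   # 'ip route 0.0.0.0 0.0.0.0 Gi0/0 dhcp 10'
    actions: list = field(default_factory=list)    # CLI / syslog actions the applet ran

    def cycle(self, probe110_ok: bool, probe111_ok: bool) -> str:
        """Apply one probe cycle (frequency 15 s on the slide); return track 62's state."""
        track60 = probe110_ok          # track 60 ip sla 110 reachability
        track61 = probe111_ok          # track 61 ip sla 111 reachability
        new_state = "UP" if (track60 or track61) else "DOWN"   # 'list boolean or'
        if new_state == "DOWN" and self.state == "UP":
            self._on_track62_down()    # 'event track 62 state down' fires on transition only
        self.state = new_state
        return new_state

    def _on_track62_down(self) -> None:
        # Mirrors the applet body: remove the DHCP-derived static default and log it.
        self.route_installed = False
        self.actions.append("no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10")
        self.actions.append("syslog: DEFAULT IP ROUTE via GIG0/0 DISABLED")


def run(cycles) -> BlackHoleDetector:
    """Feed a constructed sequence of (probe110_ok, probe111_ok) results."""
    d = BlackHoleDetector()
    for ok110, ok111 in cycles:
        d.cycle(ok110, ok111)
    return d


if __name__ == "__main__":
    # One probe target failing is not enough: the 'or' list stays UP and the route stays.
    d = run([(True, True), (False, True), (False, True)])
    print(d.state, d.route_installed)                    # UP True
    # Both fail: track 62 goes DOWN once, the applet withdraws the route exactly once.
    d = run([(True, True), (False, False), (False, False), (True, True)])
    print(d.state, d.route_installed, len(d.actions))    # UP False 2
```

The second run shows the gap a practitioner should close: the deck only shows the applet for the down transition, so once the probes recover track 62 returns to UP but nothing re-installs the default route; a companion applet on "event track 62 state up" that re-adds the route is needed for the branch to fail back to local Internet.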
Preventing internal traffic from leaking to the Internet
Internal traffic null route takes effect during link failure

ip route 10.0.0.0 255.0.0.0 Null0 254

[Figure: branch router with a primary WAN (MPLS VPN) to the central site, where 10.4.48.10 is learned via BGP or EIGRP, a local Internet default route 0.0.0.0 0.0.0.0, the branch LAN 10.5.244.0/24 (host 10.5.244.25) and the Null0 route; when the primary WAN fails, traffic to 10.4.48.10 hits Null0 instead of following the default route to the Internet]

RS250-1941#sh ip route
Gateway of last resort is 172.18.100.129 to network 0.0.0.0
S*    0.0.0.0/0 [10/0] via 172.18.100.129
      10.0.0.0/8 is variably subnetted, 107 subnets, 11 masks
S     10.0.0.0/8 is directly connected, Null0
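The following is an added example, not part of the deck, that models the route selection behind the F-VRF slides above: the global-table default with "dhcp 10" leaking into the front-door VRF, the "set global" policy route for return traffic, the state after the EEM applet has withdrawn that default, and the Null0 guard route on this slide. Prefixes and interfaces come from the slides (10.10.31.0/24 LAN, Tunnel10 EIGRP routes at distance 170, 10.4.48.10 central-site host); the 10.4.0.0/16 EIGRP route, the Internet destination 198.51.100.7 and all function names are the example's own assumptions.

```python
"""Route selection across the global table and the front-door VRF (added example).

Shows why the Null0 route matters: with the DMVPN routes gone, a packet for the
central site would otherwise match the local-Internet default and leave via G0/0.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GLOBAL = "global"
FVRF = "INET-PUBLIC1"
INTERNAL_NETS = ip_network("10.0.0.0/8")     # ip access-list extended INTERNAL-NETS


@dataclass(frozen=True)
class Route:
    prefix: str       # destination prefix
    distance: int     # administrative distance
    via: str          # exit interface; "Null0" discards the packet


def best_route(table: list, dst: str) -> Optional[Route]:
    """Longest prefix match first, then the lowest administrative distance."""
    addr = ip_address(dst)
    cands = [r for r in table if addr in ip_network(r.prefix)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ip_network(r.prefix).prefixlen, r.distance))


def build_rib(isp_default_up=True, dmvpn_up=True, null_guard=True) -> dict:
    """Global table and F-VRF as the slides describe them, under three failure switches."""
    g = [Route("10.10.31.0/24", 0, "GigabitEthernet0/2.64")]      # connected LAN
    if isp_default_up:          # ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10
        g.append(Route("0.0.0.0/0", 10, "GigabitEthernet0/0"))    # points into the F-VRF
    if dmvpn_up:                # EIGRP external routes over DMVPN, AD 170
        g.append(Route("10.10.0.0/16", 170, "Tunnel10"))
        g.append(Route("10.4.0.0/16", 170, "Tunnel10"))           # assumed central-site prefix
        g.append(Route("0.0.0.0/0", 170, "Tunnel10"))             # central-site default
    if null_guard:              # ip route 10.0.0.0 255.0.0.0 Null0 254
        g.append(Route("10.0.0.0/8", 254, "Null0"))
    v = [Route("172.18.101.120/29", 0, "GigabitEthernet0/0"),
         Route("0.0.0.0/0", 254, "GigabitEthernet0/0")]           # DHCP-derived ISP default
    return {GLOBAL: g, FVRF: v}


def forward(rib: dict, dst: str, ingress: str) -> str:
    """Exit interface for a packet, or 'DROP'."""
    table = FVRF if ingress == "GigabitEthernet0/0" else GLOBAL   # G0/0 lives in the F-VRF
    # 'ip policy route-map INET-INTERNAL' on G0/0: internal destinations are looked up
    # in the global table ('set global') instead of the VRF table.
    if table == FVRF and ip_address(dst) in INTERNAL_NETS:
        table = GLOBAL
    r = best_route(rib[table], dst)
    return "DROP" if r is None or r.via == "Null0" else r.via


def scenarios() -> dict:
    lan, isp = "GigabitEthernet0/2.64", "GigabitEthernet0/0"
    return {
        # normal: LAN to Internet takes the AD-10 default into the F-VRF
        "lan_to_internet": forward(build_rib(), "198.51.100.7", lan),
        # return traffic from the ISP side is policy-routed into the global table
        "return_to_lan": forward(build_rib(), "10.10.31.10", isp),
        # after the EEM applet removed the 'dhcp 10' route, Internet traffic backhauls via DMVPN
        "after_blackhole_eem": forward(build_rib(isp_default_up=False), "198.51.100.7", lan),
        # DMVPN down: central-site traffic hits Null0 rather than the Internet default
        "wan_down_with_guard": forward(build_rib(dmvpn_up=False), "10.4.48.10", lan),
        # same failure without the Null0 route: the 10/8 packet follows the default out G0/0
        "wan_down_no_guard": forward(build_rib(dmvpn_up=False, null_guard=False), "10.4.48.10", lan),
    }


if __name__ == "__main__":
    for name, exit_if in scenarios().items():
        print(f"{name:22s} -> {exit_if}")
```

The distance 254 on the Null0 route is what makes it safe: any EIGRP or BGP route for a more specific prefix wins while the WAN is up, and the /8 still beats the /0 default on prefix length once those routes disappear.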
Direct Internet Access Use Cases
Guest Access with Local Internet
Guest Internet Access with VRF

[Figure: router with G0/0 (DHCP) toward the Internet in VRF INET-PUBLIC1 and a trunk toward the LAN; the Trusted Wired VLAN (64) and Trusted WLAN sit in the global table, while the Guest VLAN (80) and Guest Wired VLAN are trunked into the VRF]
Guest Access with Local Internet
Place the Guest VLAN in the outside VRF

interface GigabitEthernet0/2.80
 description GUEST-NET
 encapsulation dot1Q 80
 ip vrf forwarding INET-PUBLIC1
 ip address 192.168.19.1 255.255.255.0
!
interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
!
interface GigabitEthernet0/2.64
 description INTERNAL-DATA
 ip address 10.10.31.1 255.255.255.0

[Figure: the GUEST-NET VLAN on G0/2.80 and the ISP link on G0/0 (DHCP-derived default route 0.0.0.0 0.0.0.0) are in VRF INET-PUBLIC1; the INTERNAL-DATA VLAN on G0/2.64 stays in the global table]
Guest Access with Local Internet
Routing table view

RS231-2911#sh ip route vrf INET-PUBLIC1
Routing Table: INET-PUBLIC1
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S*    0.0.0.0/0 [254/0] via 172.18.101.121
      172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C     172.18.101.120/29 is directly connected, GigabitEthernet0/0
S     172.18.101.121/32 [254/0] via 172.18.101.121, GigabitEthernet0/0
L     172.18.101.122/32 is directly connected, GigabitEthernet0/0
      192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks
C     192.168.19.0/24 is directly connected, GigabitEthernet0/2.80
L     192.168.19.1/32 is directly connected, GigabitEthernet0/2.80

[Figure: Internet – G0/0 – VRF INET-PUBLIC1 – Guest VLAN G0/2.80]
Guest Access with Local Internet
Guest IOS VRF-aware DHCP configuration with public DNS

interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 ip address 192.168.19.1 255.255.255.0
!
ip dhcp excluded-address vrf INET-PUBLIC1 192.168.19.1 192.168.19.19
!
ip dhcp pool GUEST-DHCP
 vrf INET-PUBLIC1
 network 192.168.19.0 255.255.255.0
 default-router 192.168.19.1
 domain-name cisco.guest
 dns-server 8.8.8.8          <- Google Public DNS

[Figure: a GUEST user on G0/2.80 sends a DHCP request to the router, which answers from the VRF-aware pool and hands out the public DNS server reachable through the Internet]
Guest Access with Local Internet
Guest VRF-aware NAT configuration

interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 ip address 192.168.19.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip nat outside
!
ip nat inside source list NAT interface GigabitEthernet0/0 vrf INET-PUBLIC1 overload
!
ip access-list extended NAT
 permit ip 10.10.31.0 0.0.0.255 any
 permit ip 192.168.19.0 0.0.0.255 any

[Figure: GUEST on G0/2.80 (IP NAT Inside) and the Internet on G0/0 (IP NAT Outside); the DMVPN tunnel to the central site runs alongside]
Guest Access with Local Internet
IOS Zone Firewall configuration – Guest to outside traffic

zone security GUEST
!
class-map type inspect match-any GUEST-TO-OUTSIDE-CLASS
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match access-group name GUEST-OUT
!
policy-map type inspect GUEST-TO-OUTSIDE-POLICY
 class type inspect GUEST-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security GUEST source GUEST destination OUTSIDE
 service-policy type inspect GUEST-TO-OUTSIDE-POLICY
!
ip access-list extended GUEST-OUT
 deny ip any any

[Figure: IOS Zone Firewall between security zone GUEST and security zone OUTSIDE (Internet, with DMVPN to the central site)]
Guest Access with Local Internet
Guest firewall zone configuration

interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 ip address 192.168.19.1 255.255.255.0
 zone-member security GUEST
!
interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 zone-member security OUTSIDE
!
interface GigabitEthernet0/2.64
 description INTERNAL-DATA
 ip address 10.5.204.1 255.255.255.0
 zone-member security INSIDE

[Figure: Internet (DHCP-derived default route 0.0.0.0 0.0.0.0) – G0/0 – VRF INET-PUBLIC1 – Guest VLAN G0/2.80]
Guest Access with Local Internet
Guest VLAN with an interface user-group mapped to CWS policies

interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 user-group default GUEST-GRP
 ip address 192.168.19.1 255.255.255.0
!
interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 content-scan out

[Figure: Internet (DHCP-derived default route 0.0.0.0 0.0.0.0) – G0/0 – VRF INET-PUBLIC1 – Guest VLAN G0/2.80]
CWS Guest Access

CWS Guest Policy – Create a Guest Directory Group [screenshot]
CWS Guest Policy – Create Guest Filters [screenshot]
CWS Guest Policy – Create Guest Policy Rules [screenshot]
CWS Guest Policy – Guest Group is not able to browse Gambling sites [screenshot]
CWS whoami.scansafe.net – Internal User vs. Guest User [screenshot]
TrustSec in the WAN
TrustSec is consistent, location-independent policy

[Figure: the wired environment (switches), the Wi-Fi environment (WLC) and remote access (Internet SSL-VPN on an ASA) each classify an Employee as SGT=55; the resources are Application X (SGT 100), Virtual Machines (SGT 200) and LoB (Eng) (SGT 300). Target: CY14 1H.]

Regardless of topology or location, TrustSec provides consistent resource access policy.
TrustSec Classification, Propagation, Enforcement

Users and systems are classified into Security Groups based on context; traffic is then tagged with the Security Group ID.
Tags can be applied to traffic from specific users, servers, networks or network connections.
Provides virtual network segmentation, flexible access control and FW rule automation.
A good strategic fit with Cisco SDN.

[Figure: the Policy Admin Point (ISE with its directory) classifies a user/device at the campus switch (SGT = 5); the tag is propagated with the data (Data SGT:5) across the routers; enforcement happens at the DC switch in front of the HR and Fin servers (SGT = 4, SGT = 10)]
TrustSec Integration – IP/SGT Mapping – 802.1X

1. The Dot1X process is used to obtain user credentials on the embedded switch
2. RADIUS authentication takes place
3. ISE sends the Security Group Tag (SGT) as a RADIUS Authorization Attribute

The SGT/IP mapping is available on the ISR (no matter whether user authentication was performed using Dot1X or Auth-Proxy).

[Figure: ISR-EDGE2 with a LAN switching HWIC (EHWIC-SW) talking to the Identity Services Engine (ISE); steps 1 to 3 are marked on the diagram]
TrustSec Integration – IP/SGT Mapping – Auth-Proxy

1. The Auth-Proxy process is used to obtain user credentials
2. RADIUS authentication takes place
3. ISE sends the Security Group Tag (SGT) as a RADIUS Authorization Attribute

ISR-EDGE1# show epm session ip 192.168.12.12
Admission feature:   AUTHPROXY
AAA Policies:
        SGT:         0004-0

[Figure: ISR-EDGE2 and the Identity Services Engine (ISE); client 192.168.12.12; steps 1 to 3 are marked on the diagram]
TrustSec Integration – SXP: SGT Exchange Protocol

[Figure: ISR-EDGE2 (SXP speaker) – SXP – ISR-CENTRAL (SXP listener)]

ISR-EDGE1# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       INTERNAL
172.19.38.1             2       INTERNAL
192.168.2.25            2       INTERNAL
192.168.10.2            2       INTERNAL
192.168.11.1            2       INTERNAL
192.168.12.1            2       INTERNAL
192.168.12.12           4       LOCAL

IP-SGT Active Bindings Summary
====================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 6
Total number of active   bindings = 7

ISR-CENTRAL# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       SXP
172.19.38.1             2       SXP
192.168.2.25            2       SXP
192.168.10.2            2       SXP
192.168.11.1            2       SXP
192.168.12.1            2       SXP
192.168.12.12           4       SXP

IP-SGT Active Bindings Summary
====================================
Total number of SXP      bindings = 7
Total number of active   bindings = 7
TrustSec Integration – Building ZFW Policies based on Security Group Tags

[Figure: ISR-CENTRAL with Zone OUTSIDE (F0) and Zone INSIDE (F1); incoming IP packets (Hdr | Data) from Branch-1, Branch-2 ... Branch-n; binding table: IP Address 192.168.1.1, SGT 3]

class-map type inspect match-any CLASS1
 match protocol http
 match protocol telnet
 match protocol ssh
 match protocol icmp
!
class-map type inspect match-any SGT1
 match security-group source tag 3
!
class-map type inspect match-all EMPLOYEES
 match class-map CLASS1
 match class-map SGT1
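The following is an added example, not part of the deck, that evaluates the IOS Zone-Based Firewall class-map logic from two slides: the guest policy (GUEST-TO-OUTSIDE-CLASS, match-any over protocols plus ACL GUEST-OUT, class-default drop) and the SGT-aware policy above (CLASS1 / SGT1 / match-all EMPLOYEES). The policy-map wrapped around EMPLOYEES is an assumption (the deck shows only the class-maps), protocol classification is reduced to a string the caller supplies instead of NBAR inspection, and the packet addresses 192.168.19.25, 198.51.100.7, 10.1.1.1 and 192.168.1.9 are constructed.

```python
"""Evaluator for the zone-firewall class-maps on the guest and SGT slides (added example).

class-map 'match-any' succeeds when any criterion matches, 'match-all' when every
criterion matches; a 'match security-group source tag' criterion is resolved through
the router's IP-SGT binding table, so a source with no binding never matches it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str            # application protocol as the inspect engine would classify it


# IP-SGT bindings the router has learned (slide: 192.168.1.1 -> SGT 3)
SGT_MAP = {"192.168.1.1": 3}

# ip access-list extended <name>: ordered (action, source, destination) entries
ACLS = {
    "GUEST-OUT": [("deny", "0.0.0.0/0", "0.0.0.0/0")],       # as on the slide: 'deny ip any any'
}

# class-map type inspect: name -> (match mode, criteria)
CLASS_MAPS = {
    "GUEST-TO-OUTSIDE-CLASS": ("match-any", [("protocol", "dns"), ("protocol", "http"),
                                             ("protocol", "https"), ("protocol", "ftp"),
                                             ("access-group", "GUEST-OUT")]),
    "CLASS1": ("match-any", [("protocol", "http"), ("protocol", "telnet"),
                             ("protocol", "ssh"), ("protocol", "icmp")]),
    "SGT1": ("match-any", [("security-group-source", 3)]),
    "EMPLOYEES": ("match-all", [("class-map", "CLASS1"), ("class-map", "SGT1")]),
}

# policy-map type inspect: ordered classes, class-default last
POLICY_MAPS = {
    "GUEST-TO-OUTSIDE-POLICY": [("GUEST-TO-OUTSIDE-CLASS", "inspect"), ("class-default", "drop")],
    "EMPLOYEES-POLICY": [("EMPLOYEES", "inspect"), ("class-default", "drop")],   # assumed
}


def acl_permits(name: str, pkt: Packet) -> bool:
    """First matching ACE decides; no permit hit means the ACL criterion does not match."""
    for action, src, dst in ACLS[name]:
        if ip_address(pkt.src) in ip_network(src) and ip_address(pkt.dst) in ip_network(dst):
            return action == "permit"
    return False


def criterion_matches(kind: str, value, pkt: Packet) -> bool:
    if kind == "protocol":
        return pkt.protocol == value
    if kind == "access-group":
        return acl_permits(value, pkt)
    if kind == "security-group-source":       # SGT comes from the source IP binding
        return SGT_MAP.get(pkt.src) == value
    if kind == "class-map":                   # nested class-map
        return class_matches(value, pkt)
    raise ValueError(kind)


def class_matches(name: str, pkt: Packet) -> bool:
    mode, criteria = CLASS_MAPS[name]
    results = [criterion_matches(kind, value, pkt) for kind, value in criteria]
    return all(results) if mode == "match-all" else any(results)


def policy_action(policy: str, pkt: Packet) -> str:
    """Action of the first class in the policy-map that matches the packet."""
    for cls, action in POLICY_MAPS[policy]:
        if cls == "class-default" or class_matches(cls, pkt):
            return action
    return "drop"    # unreachable while class-default is present


if __name__ == "__main__":
    guest = "192.168.19.25"    # constructed guest client and servers
    print(policy_action("GUEST-TO-OUTSIDE-POLICY", Packet(guest, "198.51.100.7", "https")))   # inspect
    print(policy_action("GUEST-TO-OUTSIDE-POLICY", Packet(guest, "198.51.100.7", "ssh")))     # drop
    print(policy_action("EMPLOYEES-POLICY", Packet("192.168.1.1", "10.1.1.1", "http")))       # inspect
    print(policy_action("EMPLOYEES-POLICY", Packet("192.168.1.1", "10.1.1.1", "ftp")))        # drop
    print(policy_action("EMPLOYEES-POLICY", Packet("192.168.1.9", "10.1.1.1", "http")))       # drop
```

Two points the evaluation makes visible: the GUEST-OUT ACL as shown ("deny ip any any") never matches, so it only becomes useful once permit entries are added for traffic the protocol matches do not cover; and for the SGT policy a source whose binding has not arrived (the 192.168.1.9 case) falls through to class-default drop, so SXP binding propagation is part of the firewall's correctness, not just its policy.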
SXP Configuration

Speaker:

isr-cts2-2911c# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
isr-cts2-2911c(config)#cts sxp enable
isr-cts2-2911c(config)#cts sxp default password cisco
isr-cts2-2911c(config)#cts sxp connection peer 1.1.1.2 source 1.1.1.1 password default mode local speaker
isr-cts2-2911c(config)#end
isr-cts2-2911c#

Listener:

isr-cts2-2921a# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
isr-cts2-2921a(config)#cts sxp enable
isr-cts2-2921a(config)#cts sxp default password cisco
isr-cts2-2921a(config)#cts sxp connection peer 1.1.1.1 source 1.1.1.2 password default mode local listener
isr-cts2-2921a(config)#end
isr-cts2-2921a#

Callouts on the slide: "cts sxp enable" enables SXP, "cts sxp default password" sets the SXP default password, and the connection line carries the peer IP address and the source IP address.
show sxp connection brief

isr-cts2-2921a# show cts sxp connections brief
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
1.1.1.1          1.1.1.2          On                0:00:00:16 (dd:hr:mm:sec)
10.1.1.1         20.1.1.1         On                0:00:00:15 (dd:hr:mm:sec)

Total num of SXP Connections = 2
isr-cts2-2921a#

Callout on the slide: Duration is the time since the connection has been in the indicated status.
Verify IP-SGT Bindings

isr-cts2-2911c#show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
1.10.1.1                10      CLI
1.11.1.1                11      CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of active   bindings = 2

isr-cts2-2921a#show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information

IP Address              SGT     Source
================================================================
1001:100:1::1           610     SXP
2001:100:1::1           620     CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of SXP      bindings = 1
Total number of active   bindings = 2

Callouts on the slide: the first output lists the IPv4 IP-SGT bindings and the total number of active bindings; the Source column shows where each binding was learned (CLI, SXP); the "ipv6" form lists the IPv6 bindings and the total number of active IPv6 bindings.
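The following is an added example, not part of the deck, that parses "show cts role-based sgt-map all" output in the form printed on the SXP slide and on this slide, checks the summary counters against the bindings actually listed, and compares a speaker's table with a listener's to find bindings that did not arrive over SXP. The two embedded outputs are the slide's ISR-EDGE1 and ISR-CENTRAL text, except that one binding line was removed from the listener copy (its counters left at the slide's 7) so that both checks have something to report; the function names are the example's own.

```python
"""Parse and cross-check 'show cts role-based sgt-map all' output (added example).

Useful after the SXP connection shows 'On': a listener that is missing a binding
will silently classify that host as untagged and apply the wrong firewall class.
"""
import re
from ipaddress import ip_address

BINDING_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z_]+)\s*$")
SUMMARY_RE = re.compile(r"Total number of (\S+)\s+bindings\s*=\s*(\d+)")

# Slide text for the speaker side (constructed copy of the command output).
SPEAKER_OUTPUT = """ISR-EDGE1# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       INTERNAL
172.19.38.1             2       INTERNAL
192.168.2.25            2       INTERNAL
192.168.10.2            2       INTERNAL
192.168.11.1            2       INTERNAL
192.168.12.1            2       INTERNAL
192.168.12.12           4       LOCAL

IP-SGT Active Bindings Summary
====================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 6
Total number of active   bindings = 7
"""

# Listener side with the 192.168.12.12 binding deliberately removed (constructed).
LISTENER_OUTPUT = """ISR-CENTRAL# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       SXP
172.19.38.1             2       SXP
192.168.2.25            2       SXP
192.168.10.2            2       SXP
192.168.11.1            2       SXP
192.168.12.1            2       SXP

IP-SGT Active Bindings Summary
====================================
Total number of SXP      bindings = 7
Total number of active   bindings = 7
"""


def parse_sgt_map(text: str):
    """Return ({ip: (sgt, source)}, {counter: value}) from the command output."""
    bindings, summary = {}, {}
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = BINDING_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ip_address(m.group(1)))   # accepts IPv4 and IPv6, rejects header text
        except ValueError:
            continue
        bindings[ip] = (int(m.group(2)), m.group(3))
    return bindings, summary


def summary_mismatches(text: str) -> dict:
    """Counters whose value differs from the bindings listed: {counter: (claimed, actual)}."""
    bindings, summary = parse_sgt_map(text)
    actual = {"active": len(bindings)}
    for _, source in bindings.values():
        actual[source] = actual.get(source, 0) + 1
    return {k: (v, actual.get(k, 0)) for k, v in summary.items() if actual.get(k, 0) != v}


def missing_on_listener(speaker_text: str, listener_text: str) -> dict:
    """Speaker bindings absent from, or carrying a different SGT on, the listener."""
    spk, _ = parse_sgt_map(speaker_text)
    lst, _ = parse_sgt_map(listener_text)
    return {ip: sgt for ip, (sgt, _) in spk.items() if lst.get(ip, (None,))[0] != sgt}


if __name__ == "__main__":
    print(summary_mismatches(SPEAKER_OUTPUT))                     # {}
    print(summary_mismatches(LISTENER_OUTPUT))                    # SXP and active counters off by one
    print(missing_on_listener(SPEAKER_OUTPUT, LISTENER_OUTPUT))   # {'192.168.12.12': 4}
```

Because the address column is validated with ip_address, the same parser handles the "ipv6" form of the command on this slide; feeding it both outputs from each side of an SXP connection gives a quick consistency check to run after the connection status reads "On".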
Branch Segmentation / SXP WAN

[Figure: branch routers Speaker-1 ... Speaker-300 send SXPv4 across the WAN to the ASR1K Listener-1 and Listener-2 at the data center edge, which relay to the Cat6K/N7K data center switches. Every device ends up with the same binding table:
IP Address     SGT
10.1.10.1      Contractor - 10
10.1.10.4      Employee - 30
10.1.254.1     Contractor - 10
10.1.254.4     Employee - 30
(each branch speaker originates only its own subnet's bindings, 10.1.10.x or 10.1.254.x)]

Bidirectional SXP with loop detection available now:
– ISRG2 15.4(1)S
– ASR1000/ISR4k/CSR XE 3.11
Allows the ASR1000 to be an IP/SGT relay from remote to remote.
SXP is a full replication model – each remote router will learn all IP/SGT bindings.
Cisco and/or its affiliates. All rights reserved. Cisco Connect 2015 – Secure WAN Cisco Public
Branch Segmentation/Inline Tagging Across WAN
Inline tagging across the WAN:
– IPsec, DM-VPN, GET-VPN
Inline tagging on built-in ISRG2 & ASR 1000 Ethernet interfaces (all except 800 series ISR)
• Can also use an SGT-aware Zone-Based Firewall in the branch and at the DC WAN edge, for reasons like PCI compliance
• SGT is used only as a source criterion in the ISR G2 Zone-Based Firewall
[Figure: Branch A (ISRG2, e.g. 2951/3945) and Branch B (Cat3750-X behind an ISRG2) carry the SGT inline over GET-VPN, DM-VPN or IPsec VPN to the HQ ASR1000 inline-SGT router.]
SXP WAN Aggregation Option
[Figure: branch SXP speakers peer only with a pair of SXP aggregators (speakers & listeners); the aggregators feed the SXP listeners at the DC edge, which are the SGT-capable enforcement switches or firewalls. Example bindings: 10.1.10.1 Production User (10), 10.1.10.10 Developer (20), 10.1.254.1 Production User (10), 10.1.254.10 Developer (20).]
Aggregators handle the SXP control plane
Not in the traffic path
All bindings received at the DC edge
Branches peer only with the aggregators
Campus & Branch Segmentation
[Figure: campus & branch segmentation. Campus: Catalyst 6800/Sup2T core with Catalyst 3850 access switches; data center with Nexus 7000, Nexus 5K, Nexus 2K and Nexus 1000v; ASA5500-X firewalls; ISE. Branches B, C and D on ISR1900/ISR2900/ISR3900/ISR4451 connect over the WAN (GETVPN, DMVPN, IPsec VPN) to the ASR1000. Wired and wireless endpoints are classified into HR, Finance, BYOD-Corp and BYOD-Vendor groups, e.g. HR 10.1.10.101 and 10.1.10.102 (DHCP) in VLAN10, Finance 10.2.1.51 and 10.2.1.52 (DHCP), HR 20.10.18.103 (DHCP) in VLAN18, BYOD-HR 192.168.50.103 (DHCP) on SSID Corp-net, BYOD-Guest (DHCP) on SSID Vender-net.]
Retail customer
Existing segmentation scheme used up to 25 subnets/VLANs in stores
Segmentation for reasons including PCI
Additional segments would break route summarisation
[Figure: store with separate PCI and POS segments]
Retail customer (continued)
Catalyst 3850 allowed SGACL segmentation in stores
No new VLANs/segments required
DM-VPN used to carry SGT inline between stores
[Figure: stores (ISR, Cat 3850, PCI and POS segments) linked by DM-VPN to the ASR; ISE provides the policy.]
Financial Branch – Before TrustSec
Existing network had 4 subnets/VLANs per branch
No use of 802.1X
Extensive IP-based rules in DC firewalls
[Figure: branch with ISR]
Financial branch – with TrustSec
Rules in DC firewalls based on simple categories
L3 Interface-SGT maps
– Each subnet/VLAN gets an SGT, IP-SGT bindings created
– Same SGTs in every branch
[Figure: branch ISR propagates the bindings over SXP]
Financial branch
Enable 802.1X passively
Enable SXP in the access switch (switches only capable of SXP)
Coarse-grained roles from VLAN mappings AND fine-grained roles from authentication
L3 Interface-SGT maps still in place
Bindings from SXP take priority over static SGTs
[Figure: access switch, branch ISR and ISE exchange bindings over SXP]
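The binding-precedence rule stated on this slide, worked as an added example (not Cisco code, not from the deck): an IP-to-SGT map in which coarse roles come from L3 interface/subnet maps and fine roles from SXP-learned host bindings. The precedence order, the "unknown" tag value 0, and every address and tag are assumptions chosen to match the slide: SXP outranks the static L3IF map, which outranks a manual CLI entry, and lookup is longest-prefix match, so an SXP /32 for one authenticated employee wins over the /24 Contractor map for the VLAN it sits in. The `show()` output mimics the layout of `show cts role-based sgt-map all` seen earlier.

```python
"""IP-to-SGT resolution with binding-source precedence.

Added example, not Cisco code. SOURCE_PRIORITY and UNKNOWN_SGT are assumptions chosen
to match the slide; addresses and tags are constructed.
"""
import ipaddress

SOURCE_PRIORITY = {"CLI": 1, "L3IF": 2, "SXP": 3, "LOCAL": 4}   # assumed, low -> high
UNKNOWN_SGT = 0                                                   # assumed unknown tag


class SgtMap:
    def __init__(self):
        self._entries = {}   # ip_network -> (sgt, source)

    def add(self, prefix, sgt, source):
        """Install a binding. Returns False when a higher-priority source already
        owns this exact prefix, mirroring 'SXP takes priority over static SGTs'."""
        net = ipaddress.ip_network(prefix, strict=False)
        current = self._entries.get(net)
        if current and SOURCE_PRIORITY[current[1]] > SOURCE_PRIORITY[source]:
            return False
        self._entries[net] = (sgt, source)
        return True

    def resolve(self, ip):
        """Longest-prefix match; returns (sgt, source, prefix)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, (sgt, source) in self._entries.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, sgt, source)
        if best is None:
            return UNKNOWN_SGT, None, None
        net, sgt, source = best
        return sgt, source, str(net)

    def show(self, version=4):
        """Render in the style of 'show cts role-based sgt-map all'."""
        rows = [f"{'IP Address':<28}{'SGT':<6}Source"]
        for net, (sgt, source) in sorted(self._entries.items(), key=lambda kv: str(kv[0])):
            if net.version == version:
                rows.append(f"{str(net):<28}{sgt:<6}{source}")
        counts = {}
        for net, (_, source) in self._entries.items():
            if net.version == version:
                counts[source] = counts.get(source, 0) + 1
        rows += [f"Total number of {s} bindings = {n}" for s, n in sorted(counts.items())]
        return "\n".join(rows)


def branch_example():
    """Financial-branch style map: coarse VLAN roles from L3IF plus fine roles from SXP."""
    m = SgtMap()
    m.add("10.1.10.0/24", 99, "CLI")        # stale manual entry
    m.add("10.1.10.0/24", 10, "L3IF")       # VLAN10 = Contractor; overrides the CLI entry
    m.add("10.1.20.0/24", 30, "L3IF")       # VLAN20 = Employee
    m.add("10.1.10.4/32", 30, "SXP")        # 802.1X-authenticated employee sitting on VLAN10
    m.add("10.1.10.0/24", 5, "CLI")         # rejected: L3IF outranks CLI
    m.add("1001:100:1::1/128", 610, "SXP")
    m.add("2001:100:1::1/128", 620, "CLI")
    return m


if __name__ == "__main__":
    m = branch_example()
    for ip in ("10.1.10.1", "10.1.10.4", "10.1.30.7", "1001:100:1::1"):
        print(ip, "->", m.resolve(ip))
    print(m.show(4))
    print(m.show(6))
```

The point to check in a real deployment is the same one the code checks: a host that should have been reclassified by 802.1X still resolving to its VLAN's coarse tag means the SXP session or the binding priority is wrong, not the policy.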
TrustSec Functions and Platform Support

Classification:
Catalyst 2960-S/-C/-Plus/-X/-XR
Catalyst 3560-E/-C/-X
Catalyst 3750-E/-X
Catalyst 4500E (Sup6E/7E)
Catalyst 4500E (Sup8)
Catalyst 6500E (Sup720/2T)
Catalyst 3850/3650
WLC 5760
Wireless LAN Controller 2500/5500/WiSM2
Nexus 7000
Nexus 5500
Nexus 1000v (Port Profile)
ISR G2 Router, CGR2000

Propagation (SXP and/or inline SGT; NEW: inline tagging over GETVPN, DMVPN, IPsec):
Catalyst 2960-S/-C/-Plus/-X/-XR
Catalyst 3560-E/-C, 3750-E
Catalyst 3560-X, 3750-X
Catalyst 3850/3650
Catalyst 4500E (Sup6E)
Catalyst 4500E (7E, 8), 4500X
Catalyst 6500E (Sup720)
Catalyst 6500E (2T), 6800
WLC 2500, 5500, WiSM2
WLC 5760
Nexus 1000v
Nexus 6000/5600
Nexus 5500/22xx FEX
Nexus 7000/22xx FEX
ISRG2, CGS2000
ASR1000
ASA5500 Firewall, ASASM
IE2000/3000, CGS2000 (NEW)
ASA5500 (VPN RAS)
• Inline SGT on all ISRG2 except 800 series

Enforcement (SGACL or SGFW):
Catalyst 3560-X
Catalyst 3750-X
Catalyst 4500E (7E)
Catalyst 4500E (8E)
Catalyst 6500E (2T)
Catalyst 6800
Catalyst 3850/3650
WLC 5760
Nexus 7000
Nexus 5600
Nexus 1000v
ISR G2 Router, CGR2000
ASA 5500 Firewall
ASAv Firewall
ASR 1000 Router
CSR-1000v Router
Also marked NEW on the slide: Nexus 6000, Nexus 5500, Nexus 5600

www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Cyber Threat Defense Solution (CTD)
Making use of the WAN Traffic Patterns
Source and Destination Address (IPv4/IPv6)
Source and Destination Port
Protocol, Application
DSCP
Ingress Interface
BGP Next-Hop Field
MPLS label Info
Multicast Info
L2 information (802.1q tag, CoS field, etc)
NetFlow Technology Brief
Standards-based flow technology with a long history (1990s, IOS 11.x)
– NFv5, NFv9, IPFIX, NSEL, FNF (Flexible NetFlow)
– Both a data format and a protocol to transport the flow information from exporter to collector
– The exporter creates a cache entry per flow based on the key fields and exports expired/terminated flows to the collector
– Configuration is defined by flow record, exporter, flow monitor and device interface
– Efficient, low overhead, binary format, many (20-50) flow records per packet
Supported by the majority of the network infrastructure, but mileage may vary greatly
– IOS/-XE/-XR routers, Catalyst and Nexus switches
– ASA provides NSEL (NetFlow Security Event Logging) support – state-based, with NAT stitching
If a device cannot export natively, generate NetFlow with a SPAN-attached appliance
– Cisco NetFlow Generation Appliance (NGA)
– Lancope FlowSensor Appliance (FS)
For network forensics and behavioral anomaly detection, use unsampled (1:1) NetFlow
– Sampled NetFlow is still useful for traffic accounting, billing, understanding the protocol mix and network planning
NetFlow instrumentation is the foundation for traceback and attribution
New security use for a very well-known technology
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html
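To make the "data format and protocol" point concrete, an added example (not Cisco code, not from the deck) that builds a NetFlow v5 export datagram from constructed flows, parses it back, and checks the header's sampling field, the field a collector should inspect before trusting an exporter for forensics, since the slide wants 1:1 NetFlow there. The header and record layouts are the fixed NetFlow v5 formats (24-byte header, 48-byte records); the addresses, ports and byte counts are made up.

```python
"""NetFlow v5 export datagram: build a constructed packet, parse it, check sampling.

Added example, not Cisco code. Layout follows the fixed NetFlow v5 header (24 bytes)
and record (48 bytes) format; the traffic in the sample is constructed.
"""
import socket
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # version .. sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # srcaddr .. pad2
MAX_RECORDS = 30                                        # v5 datagram limit


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int
    first_ms: int
    last_ms: int

    def key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def parse_v5(data):
    if len(data) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    (version, count, uptime, unix_secs, _unix_nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": unix_secs,
        "flow_sequence": seq, "engine": (engine_type, engine_id),
        # top 2 bits = sampling mode, low 14 bits = interval; 0 or 1 means 1:1
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = V5_RECORD.unpack_from(data, off)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                          proto, pkts, octets, flags, first, last))
    return header, flows


def is_unsampled(header):
    """Forensics/NBAD want 1:1 NetFlow; flag exporters that sample."""
    return header["sampling_interval"] in (0, 1)


def build_v5(records, seq=1, sampling=0):
    """Pack constructed (src, dst, sport, dport, proto, pkts, octets, flags) tuples."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton("0.0.0.0"),
                       1, 2, pk, oc, 1000, 1200, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fl in records)
    hdr = V5_HEADER.pack(5, len(records), 120000, 1431000000, 0, seq, 0, 0, sampling)
    return hdr + body


SAMPLE_DATAGRAM = build_v5([                                   # constructed traffic
    ("10.1.10.4", "10.1.254.53", 51000, 53, 17, 1, 74, 0x00),      # DNS query
    ("10.1.10.4", "203.0.113.10", 51001, 443, 6, 12, 6180, 0x1B),  # HTTPS, SYN/ACK/PSH/FIN
    ("10.1.10.1", "10.1.254.7", 51002, 445, 6, 1, 60, 0x02),       # lone SYN to SMB
])


if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_DATAGRAM)
    print("unsampled:", is_unsampled(hdr), "records:", hdr["count"])
    for f in flows:
        print(f.key(), f.packets, f.octets, hex(f.tcp_flags))
```

The length check matters in practice: v5 has no template, so a truncated or mis-sized datagram silently misaligns every following record unless the parser rejects it.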
Network-Based Anomaly Detection (NBAD)
• Concern Index tracks hosts that appear to be compromising the integrity of the network
• File Sharing Index indicates peer-to-peer host activity
• Target Index visualizes hosts appearing to be victims of suspicious behaviour
• Host Group Targeted Reporting unveils network and application traffic patterns
[Figure: Application Report; Inbound/Outbound Traffic Report]
Catching the Insider Threats with CTD
• Unauthorized Access: access violation attempted, denied by the firewall
• Internal Reconnaissance: Concern Index event, scanning on tcp/445
• Data Hoarding: transferring a large amount of data through the network
– Suspect Data Hoarding: a host downloading inbound from many hosts
– Target Data Hoarding: a host uploading an unusual amount outbound to multiple hosts
• Data Exfiltration: identify suspicious transfers through the Internet edge over a long period of time
Handling the Indicators of Compromise (IoCs)
Identify suspected malware-infected hosts in the client host groups
• Visualize the malware infection spread with Worm Tracker
– Primary and secondary infections
– Subnets being scanned
• Apply context-aware telemetry from ISE to understand the affected users
• Investigate all the hosts touched by the originally infected host
Cyber Threat Defense Solution (CTD) Overview
[Figure: NetFlow-enabled IOS devices export NetFlow to the StealthWatch FlowCollector*; the StealthWatch FlowReplicator replicates NetFlow and other protocols to the FlowCollector and to other traffic analysis software; the StealthWatch Management Console* manages the deployment and takes user/device context from Cisco ISE. * Virtual or Physical Edition]
Example Attack Detection without Signatures
A high Concern Index (CI) indicates a significant number of suspicious events that deviate from established baselines.
Host Group   Host            CI            CI%    Alarms               Alerts
Desktops     10.10.101.118   338,137,280   8656%  High Concern Index   Ping, Ping_Scan, TCP_Scan
Simplified example (CEO PC sending ICMP echo requests; each repeat adds double the previous increment):
1. ECHO -> CI = CI + 1
2. ECHO -> CI = CI + 2
3. ECHO -> CI = CI + 4
4. ECHO -> CI = CI + 8
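The escalating-increment idea from the simplified example, and the tcp/445 internal-reconnaissance case from the "Catching the Insider Threats" slide, worked as one added example (not Lancope/StealthWatch code, not from the deck). The detector scores flow summaries per host: the n-th repeat of the same suspicious event adds 2**n (1, 2, 4, 8, ...), so a scan runs past the baseline fast while one stray ping barely registers. The per-group baseline, the 300% alarm threshold, the "unanswered SYN" heuristic, the distinct-host counts that turn repeats into Ping_Scan / TCP_Scan alerts, and all addresses are assumptions.

```python
"""Concern Index (CI) style anomaly scoring over constructed flow summaries.

Added example, not Lancope/StealthWatch code. Baselines, thresholds and the scan
heuristics are assumptions; only the doubling rule comes from the slide.
"""
from collections import defaultdict
from dataclasses import dataclass

ALARM_PCT = 300        # assumed: CI above 300% of baseline = High Concern Index alarm
PING_SCAN_HOSTS = 5    # assumed: ICMP echo to this many distinct hosts = Ping_Scan
TCP_SCAN_HOSTS = 3     # assumed: unanswered SYNs to this many hosts on one port = TCP_Scan
ICMP, TCP = 1, 6
SYN_ONLY = 0x02


@dataclass
class FlowSummary:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    tcp_flags: int


class ConcernIndex:
    def __init__(self, baseline_by_group, group_of):
        self.baseline_by_group = baseline_by_group   # group name -> baseline CI
        self.group_of = group_of                     # host -> group name
        self.ci = defaultdict(int)
        self.alerts = defaultdict(set)
        self._seen = defaultdict(int)                # (host, event) -> repeats so far
        self._echo_targets = defaultdict(set)        # host -> pinged destinations
        self._syn_targets = defaultdict(set)         # (host, dport) -> destinations

    def _event(self, host, name):
        n = self._seen[(host, name)]
        self.ci[host] += 1 << n                      # 1, 2, 4, 8, ... per repeat
        self._seen[(host, name)] = n + 1
        self.alerts[host].add(name)

    def observe(self, f):
        if f.proto == ICMP:
            self._event(f.src, "Ping")
            self._echo_targets[f.src].add(f.dst)
            if len(self._echo_targets[f.src]) >= PING_SCAN_HOSTS:
                self.alerts[f.src].add("Ping_Scan")
        elif f.proto == TCP and f.tcp_flags == SYN_ONLY:   # SYN that was never answered
            self._event(f.src, "Unanswered_SYN")
            self._syn_targets[(f.src, f.dport)].add(f.dst)
            if len(self._syn_targets[(f.src, f.dport)]) >= TCP_SCAN_HOSTS:
                self.alerts[f.src].add("TCP_Scan")

    def ci_percent(self, host):
        baseline = self.baseline_by_group[self.group_of(host)]
        return self.ci[host] * 100 // baseline

    def alarms(self):
        """Hosts whose CI exceeds ALARM_PCT of their group baseline."""
        out = []
        for host in sorted(self.ci):
            pct = self.ci_percent(host)
            if pct >= ALARM_PCT:
                out.append({"group": self.group_of(host), "host": host, "ci": self.ci[host],
                            "ci_pct": pct, "alarm": "High Concern Index",
                            "alerts": sorted(self.alerts[host])})
        return out


def run_demo():
    """Constructed traffic: the CEO PC pings 8 hosts, then probes tcp/445 on 6 of them;
    a normal desktop sends one ping and one web session."""
    ceo, normal = "10.10.101.118", "10.10.101.50"
    flows = [FlowSummary(ceo, f"10.10.102.{i}", ICMP, 0, 1, 0) for i in range(1, 9)]
    flows += [FlowSummary(ceo, f"10.10.102.{i}", TCP, 445, 1, SYN_ONLY) for i in range(1, 7)]
    flows += [FlowSummary(normal, "10.10.254.1", ICMP, 0, 1, 0),
              FlowSummary(normal, "203.0.113.10", TCP, 443, 20, 0x1B)]
    engine = ConcernIndex({"Desktops": 10}, lambda host: "Desktops")
    for f in flows:
        engine.observe(f)
    return engine


if __name__ == "__main__":
    engine = run_demo()
    for alarm in engine.alarms():
        print(alarm)
```

Because the increment doubles per repeat, the CI of a host that touches a few hundred peers reaches the nine-digit figures seen in the slide's table while a host with a single unexplained ping stays in the tens; the baseline and threshold, not signatures, decide what surfaces.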
Operational Network & Security Intelligence (ONSI)
[Figure: Network and Security Intelligence Dashboard]
Summary
Embracing the Holistic Threat Continuum
Control, Enforce, Harden | Detect, Block, Defend | Scope, Contain, Remediate
[Figure: technologies mapped across the continuum: Infrastructure and Protocols; Network Firewall; Next-Generation Firewall (NGFW); Next-Generation IPS (NGIPS); Web Security; Content Filtering; Mobile Users; Remote Access VPN; Email Security; SSL Decryption and Inspection; Network Forensics; Advanced Malware Protection (AMP); Incident Response; Open Source; Custom Tools; Context-Awareness; Attribution]
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Bruce Schneier, Security Guru