TechWiseTV Workshop 314 - Q&A Cisco SD-WAN Security
0 likes263 views
The document is a Q&A session on Cisco's SD-WAN security capabilities. Questions covered include how SD-WAN handles network access control, quality of service, central management software, integration with other Cisco products, differences compared to dedicated firewalls, hardware options for different site sizes, scalability, routing protocols supported, intrusion protection, and centralized management of security policies.
![© 2019 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public. Page 2 of 4
is the copyright footer]]
Q. Does SD-WAN replace MPLS?
A. It can. SD-WAN is transport independent; it can run on top of any transport. Multiprotocol Label Sw itching
(MPLS) can still be used as the underlay for the SD-WAN overlay, alongside the internet and 4G/5G. SD-WAN is
transport agnostic, and it doesn’t replace MPLS. Instead, it encourages the customer to leverage the internet as
their second transport and run one single overlay over MPLS/Internet.
Q. What about control plane security? It’s all kind of hidden if you’re using vManage in the cloud. Support
for SAML, MFA, whitelisting of IP access, etc. seems to be a problem.
A. The control plane is the same w hether the solution is on-premises or cloud hosted. It has a zero-trust approach.
If you need more details, please reach out to your Cisco account team. The control plane communication betw een
vManage, vBond, vSmart, and the edge routers is secured using a Datagram Transport Layer Security (DTLS)
tunnel, w hich uses Advanced Encryption Standard (AES)-256 ciphers for encryption, and authentication is taken
care of w ith digital certificates.
Q. Our network has four main sites and four remote sites. Do you have different hardware router sizes for
main sites with higher bandwidth and lower-end routers for remote sites with lower bandwidth, at a lower
cost?
A. Absolutely! You can choose from any Cisco 1000 or 4000 Series ISR for branches. For higher scale at the
main sites, you may w ant to consider an ASR 1000-X or 1000-HX platform.
Q. What is the current device scalability for configuration pushes and device management? I’m coming
from a major enterprise with thousands of branches, close to 100 campus locations, and upwards of 100
data centers and co-locations.
A. The architecture easily scales to 10,000+ node systems, Viptela currently has the largest production SD-WAN
implementations, w ith customers running over 6000 nodes. Viptela also has the largest SD-WAN market share
among Global 2000 customers. We have production deployments at close to 10,000 sites. I am talking production
deployed today, not future planning. You are covered for deployments of any size.
Q. Is DNS Security via DNSSEC?
A. DNS Security means Cisco Umbrella®.
Q. What is the timeline to get full security in ASR and vEdge?
A. Some of the security features require containers, w hich are not there on all platforms. Full security is offered
on the Cisco 1000 and 4000 Series ISRs. vEdge and the ASR 1000 Series w illhave a subset of security features.
That said, some of the missing features can be augmented by Cisco Umbrella cloud security, w hich now also
supports Secure Internet Gatew ay (SIG), not just DNS-based security.
Q. Does SD-WAN support routing like Open Shortest Path First (OSPF) and Border Gateway Protocol
(BGP)?
A. Yes to both, plus Enhanced Interior Gatew ay Routing Protocol (EIGRP) on Cisco routing platforms.
Q. What kind of intrusion protection system (IPS) is native in the vEdge SD-WAN deployment?
A. We use Cisco Snort® IPS today, backed by Cisco Talos threat intelligence.](https://image.slidesharecdn.com/tww314-sd-wan-qa-may2019corpeditpdf-190726170544/85/TechWiseTV-Workshop-314-Q-A-Cisco-SD-WAN-Security-2-320.jpg)
![© 2019 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public. Page 3 of 4
Q. We plan on using the ASR 1000 Series for 1 gig to 4 gig encryption. You are not planning to support
Umbrella there and want us to distribute that out somehow?
A. Cisco Umbrella monitoring is built into the Secure SD-WAN solution today. If you w ant to create a cloud
security policy, you w ill need to use a full Cisco Umbrella suite, w hich has API connectors to your routers. [[Please
delete the legal block above. It goes only on the last page. Copyright line should stay in footer]]
Q. Will vManage apply to Meraki users as well?
A. No, Meraki has its ow n management platform.
Q. What code are you running for vManage and on vEdge?
A. The latest. Version 19.1 on controllers and 16.11.1 on Cisco IOS® XE SD-WAN routers. We are not show ing
vEdge here; that has a subset of this functionality.
Q. What web browsers can be used to view vManage without any quirks?
A. I use Chrome.
Q. How about EIGRP on vEdge?
A. EIGRP is not planned for vEdge. vEdge can do OSPF and BGP.
Q. Is there a way to see statistics for more than seven days?
A. Absolutely! You can choose to go as far back as the data is held in the vManage stats database. It's based on
the database size configured.
Q. Is this the Cisco Firepower Threat Defense firewall or the router zone-based firewall?
A. This is using the DNS Layer cloud-defined app firew all, not the Firepow er Threat Defense NGFW.
Q. Can you load-balance per flow on multiple SD-WAN links? if so, is packet order correction available?
A. Yes, w e do per-flow routing. We do not do reordering on the routers.
Q. We have Cisco Firepower on our edge and in our data center. Do we need SD-WAN Security?
A. You can't compare SD-WAN Security w ith a firew all. The security part of SD-WAN Security is integrated w ithin
the SD-WAN platform and does not exist outside of it.
Q. So Viptela now has an incorporated firewall feature, or is it service chaining to a firewall?
A. What Kural is describing are security features integrated into SD-WAN and managed by vManage. You of
course still have an option of service insertion. You can do both at the same time too.
Q. How does this address zero-day attacks?
A. The Cisco Talos cloud receives something like 20 billion events a day. IPS and AMP are integrated w ith Talos,
so you can enjoy all this threat intelligence.
Q. What products are required to be able to create this ecosystem?
A. It’s all integrated. All you need is Cisco SD-WAN pow ered by Viptela and an appropriate subscription Cisco
DNA license.
Q. Can events still be logged to an external SIEM tool, such as Splunk, Embedded Syslog Manager (ESM),
etc., for further review or event correlation?
A. Yes, they can. We generate syslogs, but they are rate limited to protect the router CPU. We can also export
events in NetFlow v9 format, but you need a receiver that can parse it. Check out Cisco Stealthw atch.
Q. Is SD-WAN managed by vManage – both the ISR/ASR and the VEdge platforms?
A. Yes. You can manage netw orking and security on all those platforms via vManage.
Q. So alerting is handled by other apps versus vManage?
A. Please define alerting. Each device alerts vManage but can also generate messages to an external system.](https://image.slidesharecdn.com/tww314-sd-wan-qa-may2019corpeditpdf-190726170544/85/TechWiseTV-Workshop-314-Q-A-Cisco-SD-WAN-Security-3-320.jpg)
Ad
More Related Content
What's hot (20)
Similar to TechWiseTV Workshop 314 - Q&A Cisco SD-WAN Security (20)
Ad
More from Robb Boyd (20)
Ad
Recently uploaded (20)
TechWiseTV Workshop 314 - Q&A Cisco SD-WAN Security
- 1. Q&A © 2019 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public. Page 1 of 4 TechWiseTV Workshop: Cisco SD-WAN Security May 8, 2019 Q. Can SD-WAN eliminate the requirement of network access control (NAC)? A. If by NAC you mean user authentication, it is a multiphased story. Today it is based on 802.1X identity. In the future you w ill be able to use scalable group tags (SGTs) for a more meaningful approach. Q. How do you manage and control quality of service (QoS) (voice/video) over the internet part of SD- WAN? A. Many options are available: device QoS, routing based on SLA (app-aw are routing), link remediation like Fast EtherChannel (FEC)/duplication, and also things like TCP optimization, fragmentation avoidance, and so on. Stay tuned for more in the future. Q. The central management software – are you referring to NMS? A. It is Cisco® vManage, w hich manages all elements of SD-WAN and integrated security features. Q. I assume it integrates with Cisco Prime® Infrastructure as well? A. vManage is the single tool for everything SD-WAN. Q. What type of zone-based firewall (ZBFW) is in use, and will he be going into more detail about how branch routers drop packets from IPs that have not registered with the SD-WAN head end? A. Stay tuned for much more detail from Kural. Q. Does this or will it in the future be part of the Cisco Meraki® devices? A. Meraki leverages some of the same security back-end repositories. Cisco has tw o different SD-WAN offerings, each w ith integrated security. Q. For internet-destined traffic, how does the SD-WAN security architecture stack up against a Cisco Firepower® Threat Defense or ASA/Firepower device? What are the differences? A. Good question! Cisco Firepow er Threat Defense/ASA are dedicated NGFWs, and they have some additional capabilities. At the same time, both Cisco Firepow er Threat Defense/ASA and SD-WAN security have the same back-end engines, such as Cisco Talos®. A feature-by-feature comparison is not appropriate. Q. Are Viptela and Cisco SD-WAN one and the same now? A. Cisco has tw o leading SD-WAN security solution options, one pow ered by Viptela and one pow ered by Meraki. Q. Wait, I thought that the firewall used by SD-WAN was the Viptela zone-based firewall and not the Cisco zone-based firewall. With that said, does that Garner Magic Quadrant reference still apply? A. Cisco Secure SD-WAN includes Cisco Layer 3/Layer 4 app firew all/cloud-defined firew all. Yes, the Gartner Magic Quadrant still applies. [[Please move the legal block below to the bottom of the last page. All you need here
- 2. © 2019 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public. Page 2 of 4 is the copyright footer]] Q. Does SD-WAN replace MPLS? A. It can. SD-WAN is transport independent; it can run on top of any transport. Multiprotocol Label Sw itching (MPLS) can still be used as the underlay for the SD-WAN overlay, alongside the internet and 4G/5G. SD-WAN is transport agnostic, and it doesn’t replace MPLS. Instead, it encourages the customer to leverage the internet as their second transport and run one single overlay over MPLS/Internet. Q. What about control plane security? It’s all kind of hidden if you’re using vManage in the cloud. Support for SAML, MFA, whitelisting of IP access, etc. seems to be a problem. A. The control plane is the same w hether the solution is on-premises or cloud hosted. It has a zero-trust approach. If you need more details, please reach out to your Cisco account team. The control plane communication betw een vManage, vBond, vSmart, and the edge routers is secured using a Datagram Transport Layer Security (DTLS) tunnel, w hich uses Advanced Encryption Standard (AES)-256 ciphers for encryption, and authentication is taken care of w ith digital certificates. Q. Our network has four main sites and four remote sites. Do you have different hardware router sizes for main sites with higher bandwidth and lower-end routers for remote sites with lower bandwidth, at a lower cost? A. Absolutely! You can choose from any Cisco 1000 or 4000 Series ISR for branches. For higher scale at the main sites, you may w ant to consider an ASR 1000-X or 1000-HX platform. Q. What is the current device scalability for configuration pushes and device management? I’m coming from a major enterprise with thousands of branches, close to 100 campus locations, and upwards of 100 data centers and co-locations. A. The architecture easily scales to 10,000+ node systems, Viptela currently has the largest production SD-WAN implementations, w ith customers running over 6000 nodes. Viptela also has the largest SD-WAN market share among Global 2000 customers. We have production deployments at close to 10,000 sites. I am talking production deployed today, not future planning. You are covered for deployments of any size. Q. Is DNS Security via DNSSEC? A. DNS Security means Cisco Umbrella®. Q. What is the timeline to get full security in ASR and vEdge? A. Some of the security features require containers, w hich are not there on all platforms. Full security is offered on the Cisco 1000 and 4000 Series ISRs. vEdge and the ASR 1000 Series w illhave a subset of security features. That said, some of the missing features can be augmented by Cisco Umbrella cloud security, w hich now also supports Secure Internet Gatew ay (SIG), not just DNS-based security. Q. Does SD-WAN support routing like Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP)? A. Yes to both, plus Enhanced Interior Gatew ay Routing Protocol (EIGRP) on Cisco routing platforms. Q. What kind of intrusion protection system (IPS) is native in the vEdge SD-WAN deployment? A. We use Cisco Snort® IPS today, backed by Cisco Talos threat intelligence.
- 3. © 2019 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public. Page 3 of 4 Q. We plan on using the ASR 1000 Series for 1 gig to 4 gig encryption. You are not planning to support Umbrella there and want us to distribute that out somehow? A. Cisco Umbrella monitoring is built into the Secure SD-WAN solution today. If you w ant to create a cloud security policy, you w ill need to use a full Cisco Umbrella suite, w hich has API connectors to your routers. [[Please delete the legal block above. It goes only on the last page. Copyright line should stay in footer]] Q. Will vManage apply to Meraki users as well? A. No, Meraki has its ow n management platform. Q. What code are you running for vManage and on vEdge? A. The latest. Version 19.1 on controllers and 16.11.1 on Cisco IOS® XE SD-WAN routers. We are not show ing vEdge here; that has a subset of this functionality. Q. What web browsers can be used to view vManage without any quirks? A. I use Chrome. Q. How about EIGRP on vEdge? A. EIGRP is not planned for vEdge. vEdge can do OSPF and BGP. Q. Is there a way to see statistics for more than seven days? A. Absolutely! You can choose to go as far back as the data is held in the vManage stats database. It's based on the database size configured. Q. Is this the Cisco Firepower Threat Defense firewall or the router zone-based firewall? A. This is using the DNS Layer cloud-defined app firew all, not the Firepow er Threat Defense NGFW. Q. Can you load-balance per flow on multiple SD-WAN links? if so, is packet order correction available? A. Yes, w e do per-flow routing. We do not do reordering on the routers. Q. We have Cisco Firepower on our edge and in our data center. Do we need SD-WAN Security? A. You can't compare SD-WAN Security w ith a firew all. The security part of SD-WAN Security is integrated w ithin the SD-WAN platform and does not exist outside of it. Q. So Viptela now has an incorporated firewall feature, or is it service chaining to a firewall? A. What Kural is describing are security features integrated into SD-WAN and managed by vManage. You of course still have an option of service insertion. You can do both at the same time too. Q. How does this address zero-day attacks? A. The Cisco Talos cloud receives something like 20 billion events a day. IPS and AMP are integrated w ith Talos, so you can enjoy all this threat intelligence. Q. What products are required to be able to create this ecosystem? A. It’s all integrated. All you need is Cisco SD-WAN pow ered by Viptela and an appropriate subscription Cisco DNA license. Q. Can events still be logged to an external SIEM tool, such as Splunk, Embedded Syslog Manager (ESM), etc., for further review or event correlation? A. Yes, they can. We generate syslogs, but they are rate limited to protect the router CPU. We can also export events in NetFlow v9 format, but you need a receiver that can parse it. Check out Cisco Stealthw atch. Q. Is SD-WAN managed by vManage – both the ISR/ASR and the VEdge platforms? A. Yes. You can manage netw orking and security on all those platforms via vManage. Q. So alerting is handled by other apps versus vManage? A. Please define alerting. Each device alerts vManage but can also generate messages to an external system.
- 4. © 2019 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public. Page 4 of 4 Q. So all security platforms that Cisco has – ASA , Cisco’s NGFW, IPS, etc. A. No. You can manage SD-WAN Security via vManage on ISRs, ASRs, CSRs, and vEdge platforms. Q. How impactful to production is it normally to get existing devices and network tied into SD-WAN? (Assuming you already have supported routers, etc.) A. It is as simple as buying a Cisco DNA license and upgrading existing routers to the Cisco IOS XE SD-WAN code. Of course, you need to consider communication to nonmigrated sites. This requires planning ahead of time. Q. Does vManage have an API that can be accessed? Is it read and write? A. EVERYTHING in vManage can be done using REST APIs! Full read and w rite. Q. What is a common way for SD-WAN converted sites to communicate with non-SD-WAN converted sites? Would they route to some head-end device and be routed from there? A. Yes, this is the recommended approach. Some customers do direct connection at each migrated site. It is dangerous and can cause routing loops if the administrator is not careful, but it can be done. To minimize latency, w e advocate establishing several transition hubs w here overlay and underlay are inter-routed. Q. Can the block page be redirected to a page that provides information vs. just a giving a blank page to the user? A. This is part of our future serviceability enhancements. Today it’s session reset for AMP. For URL filtering, you can present a page. Q. Does Role-Based Access Control (RBAC) have support for external groups like AD, RADIUS, and TACACS? A. Yes. You can use SSO or RADIUS/TACACS. Your Active Directory can be integrated to those. Q. Is there any technical documentation on SD-WAN QoS in detail? A. Check sdw an-docs.cisco.comand ciscolive.com. Q. Wait, we have ZBFW in our ISR and ASRs now . A. ZBFW w as there in Cisco IOS XE. We have enabled it in SD-WAN managed by vManage. We have also added Layer 7 intelligence to it. Q. Is Secure Sockets Layer (SSL) decryption available for traffic inspection? A. Not today, but stay tuned. Q. We're running a Cisco iWAN DMVPN overlay right now with fully licensed 4000 Series ISRs at the branch level. Are there any licensing considerations when moving to Vipte la? A. Yes! Please talk to your Cisco account team. Q. Will this be a parity feature with Cisco Meraki? A. We are not after feature parity, w e are after solving customer problems. Choose the solution that fits your needs. Q. Would this solution replace or supplement Firepower? A. Yes, and it depends. If you are using the SD-WAN solution and have been using additional firew alls for its security, you can use the current integrated security instead of a firew all. Q. Can you load-balance a single flow over two separate links? A. No. This is a very bad practice that some other SD-WAN vendors are promoting. It makes a great demo but can introduce severe performance issues. Q. Is the policy configuration as granular? A. We have not yet found a request that w e have not been able to build a policy for. Trust me, w e have seen some really crazy ones out there.