SD WAN Security

Decrease the Attack Surface

SD-WAN security allows end users to connect directly to cloud applications and resources without backhauling through a remote data center or hub. This will enable organizations to offload guest traffic to the Internet instead of using up WAN and data center resources. The DIA model, where Internet access is distributed across many branches, increases the network’s attack surface and makes security compliance a critical task for almost every organization.

A Layered Approach to Security 

The broad threat landscape includes cyber warfare, ransomware, and targeted attacks. Firewalling, intrusion prevention, URL filtering, and malware protection must be leveraged to prevent, detect, and protect the network from all threats. The branches can consume Cisco SD-WAN security through integrated security applications within powerful WAN Edge routers, cloud services, or regional hubs where VNF-based security chains may be leveraged or robust security stacks may already exist.

The Role of Cisco Umbrella

This post will address Cisco SD-WAN security features for the control plane elements, data plane forwarding, and the integrated SD-WAN security features that can be used for Direct Internet Access (DIA). Just to let you know, SD-WAN can be combined with Cisco Umbrella via a series of redundant IPsec tunnels for additional security measures, increasing the robustness of your WAN Security.

In addition, the WAN architecture can provide simplicity regarding application deployment and management. First, however, the mindset must shift from a network topology focus to an application services topology. This is what SD-WANs’ initial focus was on.

Related: For additional pre-information, you may find the following posts helpful:

1. SD WAN Tutorial
2. WAN Monitoring
3. Virtual Firewalls

Back to Basics: SD-WAN Security

Unveiling the Security Risks in SD-WAN Deployments

While SD-WAN offers enhanced network performance and agility, it also expands the attack surface for potential security breaches. The decentralized nature of SD-WAN introduces complexities in securing data transmission and protecting network endpoints. Threat actors constantly evolve tactics, targeting vulnerabilities within SD-WAN architectures to gain unauthorized access, intercept sensitive information, or disrupt network operations. Organizations must be aware of these risks and implement robust security measures.

Implementing Strong Authentication and Access Controls

Robust authentication mechanisms and access controls are essential to mitigate security risks in SD-WAN deployments. Multi-factor authentication (MFA) should be implemented to ensure that only authorized users can access the SD-WAN infrastructure.

Additionally, granular access controls should be enforced to restrict privileges and limit potential attack vectors. By implementing these measures, organizations can significantly enhance the overall security posture of their SD-WAN deployments.

Ensuring Encryption and Data Privacy

Protecting data privacy is a critical aspect of SD-WAN security. Encryption protocols should be employed to secure data in transit between SD-WAN nodes and across public networks. By leveraging robust encryption algorithms and key management practices, organizations can ensure the confidentiality and integrity of their data, even in the face of potential interception attempts. Data privacy regulations, such as GDPR, further emphasize the importance of encryption in safeguarding sensitive information.

Monitoring and Threat Detection

Continuous monitoring and threat detection mechanisms are pivotal in maintaining SD-WAN security. Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) tools can provide real-time insights into network activities, identifying potential anomalies or suspicious behavior. Through proactive monitoring and threat detection, organizations can swiftly respond to security incidents and mitigate potential risks before they escalate.

WAN Technologies

All networks experience latency, which refers to the time between a data packet being sent and received or the round-trip time. All networks also experience jitter, which is the variance in the time delay between data packets- basically, a “disruption” in the sending and receiving packets.

However, there are ways we can help manage the experience for all. For example, we can implement quality of service (QoS), which we can utilize to prioritize traffic, such as voice and video, where fluctuations in the network due to these factors are noticeable. In addition, there are mechanisms to route traffic dynamically, such as Multiprotocol Label Switching Traffic Engineering (MPLS-TE).

MPLS Traffic Engineering

Today, we are plunging into cloud adoption, where almost everything can be offered “As a Service.” So, how do we match the needs of today’s cloud computing, the benefits of QoS, MPLS-TE, and the dynamism we need for modern networks? Hence SD-WAN.

MPLS TE is a technology that enables network operators to control traffic flow through their networks by establishing specific paths for data packets. Providing traffic engineering capabilities ensures efficient utilization of network resources, improves network performance, and enhances Quality of Service (QoS).

♦ Benefits of MPLS Traffic Engineering

Efficient utilization of network resources: MPLS TE enables network operators to allocate bandwidth intelligently, ensuring optimal utilization of available resources. This prevents congestion and improves overall network performance.

Improved network reliability: By creating explicit paths for traffic, MPLS TE allows network operators to reroute traffic in the event of link failures or network congestion. This enhances network resiliency and minimizes service disruptions.

Enhanced QoS: MPLS TE enables operators to prioritize certain types of traffic, ensuring that critical applications receive the necessary bandwidth and low latency they require. This results in a better end-user experience and improved QoS.

Video: SD-WAN Tutorial

In the following video, we will address the basics of SD-WAN and the challenges of the existing WAN. We will also go through popular features of SD-WAN and integration points with, for example, SASE.

SD WAN’s initial focus

The initial SD-WAN deployment model was about bringing up corporate communications with the organizational fabric and corporate communications with the SD WAN overlay. There was an immediate ROI as you could bring cheap broadband links into the branch and connect to the organization’s network with the SD-WAN overlay.

For some time now, we have been gaining benefits from the base of SD-WAN, such as site connection; we are now in a position to design and implement the application optimizations that SD-WAN offers, such as integrated security. This enables us to get additional benefits from SD-WAN.

From a security perspective, end-to-end segmentation and policy are critical. The control, data, and management planes must be separated throughout the environment and secured appropriately. In addition, the environment should support native encryption that is robust and scalable and offers lightweight key management.

SD-WAN Security Features: DIA

With SD-WAN, we can now instead go directly from the branch through DIA to the applications hosted in the Cloud by leveraging DNS and geo-location services for the best possible performance. This, however, presents different types of attack surfaces that we need to deal with.

We have different security implications for moving the Internet edge to the branch. In the DIA model, Internet access is distributed across many components; for example, unsecured guest users are allowed Internet access directly. They may be guests, but we are responsible for content filtering and ensuring compliance. So, we have internal and external attack vectors that need to be considered with this new approach to the WAN.

You could group these threats into three main categories. Outside-in threats could consist of denial of services or unauthorized access. Inside-out threats could be malware infection or phishing attacks.

Then, we have internal threats where lateral movements are a real problem. With every attack vector, the bad actor must find high-value targets, which will likely not be the first host they land on.

So, to protect against these threats, we need a new security model with comprehensive, integrated security at the branch site. So, the branch leveraged the appropriate security mechanisms, such as application-aware firewalling, intrusion prevention, URL filtering, and malware protection, to prevent, detect, and protect the network and the various identities from all threats. 

SD-WAN Deployment Models

SD-WAN can be designed in several ways. For example, you can have integrated security at the mentioned branch. We can also consume security through cloud services or regional hubs where VNF-based security chains may be leveraged. So, to enable or deploy SD-WAN security, you can choose from different types of security models.  

The first model would be cloud security, often considered a thin branch with security in the Cloud. This design or deployment model might not suit, for example, healthcare. Then, we have integrated protection with a single platform for routing and security at the branch. This deployment model is widespread, and we will examine a use case soon. 

A final deployment model would be the regional hub design. We have a co-location or carrier-neutral facility (CNF) where the security functions are virtual network functions (VNFs) at the regional collection hub. I have seen similar architecture with a SASE deployment and segment routing between the regional hubs.

Recap: WAN Challenges

First, before we delve into these main areas, let me quickly recap the WAN challenges. We had many sites connected to the MPLS site without a single pane of glass. With many locations, you could not see or troubleshoot, and it could be the case that one application was taking up all the bandwidth. 

Visibility was a big problem; any gaps in visibility would affect your security. In addition, there needed to be more application awareness, which resulted in complex operations, and a DIY approach to application optimization and WAN virtualization resulted in fragmented security.

Highlighting SD-WAN

SD-WAN solves all the challenges that give you an approach to centrally provision, manage, monitor, and troubleshoot the WAN edges. So, SD-WAN is not a single VM; it is an array of technologies grouped that fall under the umbrella of SD-WAN. As a result, it increases application performance over the WAN while offering security and data integrity.

So, we have users, devices, and things, and we no longer have one type of host to deal with. We have many identities and identity types. One person may have several devices that need an IP connection and communicate to applications hosted in the primary data center, IaaS, or SaaS. 

IP connectivity must be done securely and on a scale while gaining good telemetry. We know the network edges send a wealth of helpful information or telemetry. We can predict or know that you need to upgrade specific paths, which helps monitor traffic patterns and make predictions. Of course, all this needs to operate over a security infrastructure.

Introduction to SD-WAN Security Features

SD-WAN security is extensive and encompasses a variety of factors. However, it falls into two main categories. First, we have the security infrastructure category, which secures the control and data plane.

Then, we have the DIA side of things, where we need to deploy several security functions, such as intrusion prevention, URL filtering, and an application-aware firewall, to name a few. SD-WAN can be integrated with SASE for DNS-layer filtering. The Cisco version of SASE is Cisco Umbrella.

Now, we need to have layers of security known as the defense-in-depth approach, and DNS-layer filtering is one of the most critical layers, if not the first layer of defense. Everything that wants IP connectivity has to perform a DNS request, so it’s an excellent place to start.

SD-WAN Security Features: Secure the SD-WAN Infrastructure

The SD-WAN infrastructure is what builds the SD-WAN fabric. Consider a material a mesh of connectivity that can take on different topologies. We have several SD-WAN components that can reside in the Cloud or on-premise. These components are the Cisco vBond, vAnalytics, vManage, and vSmart controllers. But, of course, having these components on the Cloud or on-premises depends on whether you are cloud-ready.

SD-WAN vBond

The Cisco vBond is the orchestration plane and orchestrates the control and management plane. The Cisco vBond is the entry into the network and is the first point of authentication. So if you pass authentication, the vBond will tell the WAN Edge device that is trying to come online in the fabric who they need to communicate in the Cloud or on-premises, depending on the design, to build a control plane and data plane and get into the fabric securely. 

Essentially, the vBond distributes connectivity information of the vManage/vSmarts to all WAN edge routers.

The Cisco vBond also acts as a STUN server, allowing you to get around different types of Network Address Translation (NAT). So there are different types of NAT, and we need a unit or a device that can be aware of NAT and tell the WAN edge devices that this is your real IP and port, so when you build the control information, you make sure you have the correct address. 

The Cisco vSmart

The Cisco vSmart is the brain of the solution and facilitates fabric discovery. The Cisco vSmart performs the policy, routes, and key exchange. In addition, all the WAN edge devices, physical or virtual, will build connectivity to multiple vSmart controllers in different regions for redundancy.

So, the vSmart acts as a dissemination point that distributes data plane and application-aware routing policies to the WAN edge routers. It’s like an enhanced BGP route reflector (RR) but reflects much more than routes, such as policy, control, and security information. This drastically reduces complexity and offers a highly resilient architecture.

These devices connect to the control plane security with TLS or DTLS tunneling. You can choose this when you are setting up your SD-WAN. All of this is configured via the vManage.

Data Plane

Then we have the data plane that could be physical and virtual—known as your WAN edge that is responsible for moving packets. It no longer has to deal with the complexity of a control pane on the WAN side, such as BGP configurations and maintaining peering relationships. Of course, it would help if you still had a control pane on the LAN site, such as route learning via OSPF. But on the WAN side, all the complex peerings have been pushed into the vSmart controllers. 

The WAN edge device establishes as DLTS or TLS tunnels to the SD-WAN control plane that consists of the vSmart controllers. In addition to the DTLS and TLS tunnel, the WAN edge creates a secure control plane with the vSmarts and Cisco’s purpose-built Overlay Management Protocol (OMP).

OMP is the enhanced routing protocol for SD-WAN. You can add a lot of extensions to OMP to enhance the SD-WAN fabric. It is a lot more intelligent than a standard routing protocol.

Cisco vManage

vManage is the UI you can use for Day 0, Day 1, and Day 2 operations. All policies, routing, and QoS security are configured in vManage. Then, vManage pushes this directly to the WAN edge or the vSmart. It depends on what you are looking for.

If you reconfigure a box, such as an IP address, this could get pushed down directly to the box with NETCONF; however, if you change the policy to a remote site. That does not get pushed down via the vManage. So, in the case of advanced configurations, the vSmart will carry out some path calculation and push this down in a state mode to the WAN Edge.

SD-WAN Security Features: Device Identity

So now we have started to secure the fabric, and everything is encrypted for the control plane side of things. But before we get into the data plane security, we must look at physical security. So here, we need to address device and software authentication. How can you authenticate a Cisco authentic device and make sure that Cisco OS runs on that device? Unfortunately, many counterfeit devices are produced, but those, when booted up, will not even load.

In the past, many vulnerabilities were found in the IOS classic routes. We had, for example, runtime infection and static infection. Someone could access the devices and modify them for all of these to be successful. With some vulnerabilities, it contacted C&C servers when the router came online. So, Malware in IOS is a real threat. There was a security breach that affected the line cards. 

However, now Cisco is authenticating Cisco hardware and Cisco software. And this is done with Cisco Trust Anchor modules. We also need to secure the OS, which is done with Cisco Secure Boot. 

SD-WAN Security Features: Secure Control Plane

We have taken the burden from the WAN edge router. The traditional WAN had integrated control and data plane where we had high complexity, limited scale, and path selection. So, even if you use DMVPN, you still carry out the routing, such as EIGRP or OSPF. So you are not saved from this. We will have the IKE and routing components with DMVPN. IKE in large environments is hard to scale. 

DMVPN operates with Phases, and below, we have DMVPN phase 3. DMVPN Phase 3 allows on-demand spoke-to-spoke tunnels. This is carried out with the hub router; in our case, R11 sends a Traffic Indication message to the spokes telling the spoke to override the routing table and go directly to the other spoke. Therefore, spoke-to-spoke traffic does not need to flow through the hub.

With SD-WAN, we have a network-wide control pane different from that of DMVPN. Moreover, as the WAN edge has secure and authenticated connectivity to the vSmart controllers, we can use the vSmart controllers to remove the complexity, especially for central key rotation. So now, with SD-WAN, you can have IKE-less architecture. 

So you only need a single peering to the vSmart, which allows you to scale horizontally. On top of this, we have OMP. It was designed from the ground up to be very extensive and to carry values that mean something to SD-WAN. It is not just used to replace a routing protocol; it can do much more than have IP prefixes. It can take the keys, policy information, service insertion, and multicast node information.

The TLOC 

It is also distributed, allowing edge devices to provide their identity in the fabric. We have TLOC that will enable you to build a fabric. The TLOC allows you to make any network design you wish. The TLOC is a transport locator with a unique WAN fabric identity. The TLOC is on every box, composed of system IP, color, or label for the transport and the encapsulation ( IPsec and GRE ). Now, we can make a differential on every box, and you can have much more control. You can carry all the TLOC and sub information in the OMP peerings.

Once the TLOC is advertised to the vSmart controllers, the vSmart advertises it to the WAN edges. We have a full mesh in this case, but you can limit who can learn the TLOC or block it to build a hub-and-spoke topology.

You can change the next hop of a TLOC to change where a route is advertised. When you think about it, in the past, changing BGP on a wide scale was challenging as it was box by box, but now, with SD-WAN, we can quickly build the topology.

SD-WAN Security Features: Secure Data Plane

So we have secure connectivity from their WAN edge to the vSmart. We have an OMP that runs inside secure DLTS/TLS tunnels. And this is all dynamic. The OMP session to the Smart to the WAN edge can get the required information, such as TLOC and security keys. Then, the WAN edge devices can build an IPsec tunnel to each other, and this is not just standard IPsec but UDP-based IPsec. The UDP-based IPsec tunnels between two boxes allow tunnels over multiple types of transport. The transport and fabric are now agnostic.

We still have route learning on the LAN side, and this route is placed into a VPN, just like a VRF. So this is new reachability information learned from the LAN and sent as an OMP update to the vSmart. The vSmart acts as a route reflector and reflects this information. The vSmart makes all the path decisions for the network.

If you want to manipulate the path information, you can do this in the vSmart controller. So you can drive preference for other transports or change the next hop from the controller without any box-by-box configuration.

SD-WAN Security Features: Direct Internet Access

Next, let us examine direct internet access. So, for direct access, we have several use cases that we need to meet. The primary use case is PCI compliance, so before the packet leaves the branch, it needs to be inspected with a stateful firewall and an IPS solution. The SD-WAN enterprise firewall is application-aware, and we have IPS integrated with SD-WAN that can solve this use case.

Then, we have a guest access use case. Where guests are working in a branch office. We need content filtering for these guests, too. SD-WAN can run URL filtering that can be used here—also, direct cloud access use case. So we want to provide optimal performance to employee traffic but select and choose applications and send them directly from the branch to the Cloud and other applications to the HQ. Again, the DNS web layer security would be helpful here.

So the main features, enterprise firewall, URL filtering, and IPS, are on the box, with the DNS layer filtering being a cloud feature with Cisco Umbrella. This provides complete edge security and does not need a two-box solution, except for the additional Cisco Umbrella, a cloud-native solution dispersed around the globe with security functions delivered from PoPs.

Example of a Cisco device or VNF

One way to consume Cisco SD-WAN security is by leveraging Cisco’s integrated security applications within a rich portfolio of powerful WAN Edge routers, such as the ISR4000 series. On top of the native application-aware stateful firewall, these WAN Edge routers can dedicate compute resources to application service containers running within IOS-XE to enable in-line IDS/IPS, URL filtering, and Advanced Malware Protection (AMP).

Remember, Cisco SD-WAN security can also be consumed through cloud services or regional hubs where VNF-based security chains may be leveraged, or robust security stacks may already exist.

SD-WAN Security Features

WAN Security: Enterprise Firewall

Traditional branch firewall design involves deploying the appliance in either in-line Layer 3 mode or transparent Layer 2 mode behind or even ahead of the WAN Edge router. Now, for stateful inspection, we have to have another device. This adds complexity to the enterprise branch and creates unnecessary administrative overhead in managing the added firewalls. 

A proper firewall protects stateful TCP sessions, enables logging, and ensures that a zero-trust domain is implemented between segments in the network. Cisco SD-WAN takes an integrated approach and implements a robust Application-Aware Enterprise Firewall directly into the SD-WAN code.

Cisco SD-WAN takes an integrated approach. It has implemented an application-aware enterprise firewall directly into the SD-WAN code, so there is no need for another inspection device.

Cisco has integrated the stateful firewall with the NBAR 2 engine. Now, with these two, we have good application visibility and granularity. In addition, the enterprise firewall can also do application detection with the very first packet. The Cisco SD-WAN firewall provides stateful inspection, zone-based policies, and segment awareness. It can also classify over 1,400 Layer 7 applications and apply granular policy control to them based on category or an individual basis.

Video: Stateful Packet Inspection

We know we have a set of well-defined protocols that are used to communicate over our networks. Let’s call these communication rules. You are probably familiar with the low-layer transport protocols, such as TCP and UDP, and higher application layer protocols, such as HTTP and FTP.

Generally, we interact directly with the application layer and have networking and security devices working at the lower layers. So when Host A wants to talk to Host B, it will go through several communication layers with devices working at each layer. A stateful firewall is a device that works at one of these layers.

WAN Security: Intrusion Prevention

An IDS/IPS can inspect traffic in real-time to detect and prevent attacks by comparing the application behavior against a known database of threat signatures. This is based on the Snort engine and runs as a container. So, Snort is the most widely deployed intrusion prevention system globally. The solution is combined with Cisco Talos, which puts out the signatures. The Cisco Talos Intelligence Group is one of the world’s largest commercial threat intelligence teams comprising researchers, analysts, and engineers.

Cisco vManage connects to the Talos signature database, downloads the signatures on a configurable periodic or on-demand basis, and pushes them down into the branch WAN Edge routers without user intervention. Signatures are rules that an IDS and an IPS use to detect typical intrusive activity. Also, you can use the allowlist approach if you see many false positives. It is better to start this in detect mode so the engine can learn before you start blocking.

Intrusion detection and prevention (IDS/IPS) can inspect traffic in real-time to detect and prevent cyberattacks and notify the network operator through Syslog events and dashboard alerts. IDS/IPS is enabled through IOS-XE application service container technology. KVM and LxC containers are used, and they differ mainly in how tightly they are coupled to the Linux kernel used in most network operating systems, such as IOS XE.

The Cisco SD-WAN IDS/IPS runs Snort, the most widely deployed intrusion prevention engine globally, and leverages dynamic signature updates published by Cisco Talos. The signatures are updated via vManage or manually using CLI commands available on the WAN Edge device.

WAN Security: URL filtering

URL filtering is another Cisco SD-WAN security function that leverages the Snort engine to inspect HTTP and HTTPS payloads to provide web security at the branch. In addition, the URL filtering engine enforces acceptable use controls to block or allow websites.  They download the URL database and block based on over 80 categories. They can also make decisions based on a web application score. This information is gained from Webroot/Brightcloud. 

URL Filtering leverages the Snort engine to provide comprehensive web security at the branch. It can be configured to permit or deny websites based on 82 different categories, the site’s web reputation score, and a dynamically updated URL database when an end user requests access to a particular website through their web browser. The URL Filtering engine inspects the web traffic, queries any custom URL lists, compares the URL to the blocked or allowed categories policy, and finally consults the URL Filtering database.

WAN Security: Advanced Malware Protection and Threat Grid

Advanced Malware Protection (AMP) and Threat Grid are the newest additions to the SD-WAN security features. As with URL filtering, both AMP and Threat Grid leverage the Snort engine and Talos for the real-time inspection of file downloads and malware detection. AMP can block malware entering your network using antivirus detection engines, one-to-one signature matching, machine learning, and fuzzy fingerprinting.

WAN Security: DNS Web Layer Security

Finally, we have DNS layer security. Some countries have a rule that you cannot inspect HTTP or HTTPS packets to filter content. So, how can you filter content if you can’t inspect HTTP or HTTPS packets?

We can do this with DNS packets. So before the page is loaded in the browser, the client sends a DNS request to the DNS server for the website, asking for a name to IP mapping. Once registered with Umbrella cloud, the WAN Edge router intercepts DNS requests from the LAN and redirects them to Umbrella resolvers. If the requested page is a known malicious site or is not allowed (based on the policies configured in the Umbrella portal, the DNS response will contain the IP address for an Umbrella-hosted block page. 

DNS web layer security also supports DNSCrypt, EDNS, and TLS decryption. In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It does not require changes to domain names or how they work; it simply provides a method for securely encrypting communication between the end user and the DNS servers in the Umbrella cloud located around the globe.

In some scenarios, it may be essential to avoid intercepting DNS requests for internal resources and passing them on to an internal or alternate DNS resolver. To meet this requirement, the WAN Edge router can leverage local domain bypass functionality, where a list of internal domains is defined and referenced during the DNS request interception process.