SD WAN Security
This post will address Cisco SD-WAN security for the control plane elements, data plane forwarding, and the integrated SD-WAN security features that can be used for Direct Internet Access (DIA). Keep in mind that SD-WAN can be integrated with Cisco Umbrella via a series of redundant IPsec tunnels for additional security measures, increasing the robustness of your WAN security. The SD-WAN architecture can provide simplicity in application deployment and management. First, however, the mindset must shift from a network topology focus to an application services topology. This is what SD-WAN's initial focus was on.
The initial SD-WAN deployment model was about bringing up corporate communications over the organizational fabric, that is, over the SD-WAN overlay. There was an immediate ROI, as you could bring cheap broadband links into the branch and connect to the organization's network over the SD-WAN overlay. For some time now, we have been gaining the base benefits of SD-WAN, such as site connectivity; we are now in a position to design and implement the application optimizations that SD-WAN offers, such as integrated security. This enables us to get additional benefits from SD-WAN.
For additional pre-information, you may find the following posts helpful:
- A key point: Video on Introducing SD-WAN.
You can view the following video if you are new to SD-WAN or want a quick recap on SD-WAN and its core features. We will look at the drivers for SD-WAN and the problems with the traditional WAN. SD-WAN is mainstream now, and there are important reasons why its popularity has grown so fast. We want to move away from running routing protocols at the WAN edge. We will also look at the standard features of SD-WAN: for example, its ability to create topology on the fly to suit your different application requirements.
From a security perspective, end-to-end segmentation and policy are critical. The control, data, and management planes must be separated across the entire environment and secured appropriately. In addition, the environment should be able to support native encryption that is robust and scalable and offer lightweight key management.
Cisco SD WAN Security
Cisco SD-WAN Security: DIA
With SD-WAN, we can now instead go directly from the branch through DIA to the applications hosted in the Cloud by leveraging DNS and geo-location services for the best possible performance. This, however, presents different types of attack surfaces that we need to deal with.
Moving the Internet edge to the branch has different security implications. In the DIA model, Internet access is distributed across many branches; for example, unsecured guest users are allowed Internet access directly. They may be guests, but we are still responsible for content filtering and ensuring compliance. So we have both internal and external attack vectors to consider with this new approach to the WAN.
You could group these threats into three main categories. Outside-in threats could consist of denial of services or unauthorized access. Inside-out threats could be malware infection or phishing attacks. Then we have internal threats where lateral movements are a real problem. With every attack vector, the bad actor must find high-value targets, which will likely not be the first host they land on.
So, to protect against these threats, we need a new security model with comprehensive, integrated security at the branch site. The branch leverages the appropriate security mechanisms, such as application-aware firewalling, intrusion prevention, URL filtering, and malware protection, to prevent and detect threats and to protect the network and its various identities.
SD-WAN Deployment Models
SD-WAN can be designed in several ways. You can have integrated security at the branch that we just mentioned. We can also consume security through cloud services or regional hubs where VNF-based security chains may be leveraged. So, to enable or deploy SD-WAN security, you can choose from different types of security models.
The first model would be cloud security, often considered a thin branch with security in the Cloud. This design or deployment model might not suit, for example, healthcare. Then we have integrated protection with a single platform for routing and security at the branch. This deployment model is widespread, and we will examine a use case soon.
A final deployment model would be the regional hub design. We have a co-location or carrier-neutral facility (CNF) where the security functions are virtual network functions (VNFs) at the regional collection hub. I have seen similar architecture with a SASE deployment and segment routing between the regional hubs.
Introduction to Cisco SD-WAN Security
SD-WAN security is extensive and encompasses a variety of factors. However, it falls into two main categories. First, we have the security infrastructure category, which is about securing the control and data planes. Then we have the DIA side of things, where we need to deploy several security functions, such as intrusion prevention, URL filtering, and an application-aware firewall, to name a few. SD-WAN can be integrated with SASE for DNS-layer filtering; the Cisco version of SASE is Cisco Umbrella.
Now we need to have layers of security known as the defense-in-depth approach, and DNS-layer filtering is one of the most critical layers, if not the first layer of defense. Everything that wants IP connectivity has to perform a DNS request, so it’s an excellent place to start.
Recap: WAN Challenges
First, before we delve into these main areas, let me quickly recap the WAN challenges. We had many sites connected to the MPLS network without a single pane of glass. With many locations, you could not see or troubleshoot, and it could be the case that one application was taking up all the bandwidth. Visibility was a big problem, and any gaps in visibility would affect your security. In addition, there was a lack of application awareness, which resulted in complex operations, and a DIY approach to application optimization and WAN virtualization resulted in fragmented security.
SD-WAN solves these challenges by giving you a way to centrally provision, manage, monitor, and troubleshoot the WAN edges. SD-WAN is not a single VM; it is an array of technologies grouped under the umbrella of SD-WAN. As a result, it increases application performance over the WAN while offering security and data integrity.
So we have users, devices, and things, and we don’t have one type of host to deal with anymore. We have many identities and identity types. One person may have several devices that need an IP connection and communicate to applications hosted in the primary data center, IaaS, or SaaS.
IP connectivity must be provided securely and at scale while gaining good telemetry. We know the network edges send a wealth of helpful telemetry, which is useful for monitoring traffic patterns and making predictions, for example, that specific paths need to be upgraded. Of course, all this needs to operate over a secure infrastructure.
Cisco SD WAN Security: Secure the SD-WAN Infrastructure
The SD-WAN infrastructure is what builds the SD-WAN fabric. Consider a fabric a mesh of connectivity that can take on different topologies. So we have several SD-WAN components which can reside in the Cloud or on-premise. These components are the Cisco vBond, vAnalytics, vManage, and vSmart controllers. Of course, having these components on the Cloud or on-premises depends on whether you are cloud-ready.
The Cisco vBond is the orchestration plane and orchestrates the control and management planes. The Cisco vBond is the entry point into the network and the first point of authentication. If a WAN Edge device that is trying to come online in the fabric passes authentication, the vBond tells it which controllers it needs to communicate with, in the Cloud or on-premises depending on the design, to build its control plane and data plane and join the fabric securely. Essentially, the vBond distributes the connectivity information of the vManage/vSmarts to all WAN edge routers.
The Cisco vBond also acts as a STUN server, allowing you to get around different types of Network Address Translation (NAT). Since there are different types of NAT, we need a device that is NAT-aware and can tell the WAN edge devices their real (post-NAT) IP and port, so that when they build the control plane information, they use the correct address.
The Cisco vSmart
The Cisco vSmart is the brain of the solution and facilitates fabric discovery. The Cisco vSmart performs the policy, routes, and key exchange. All the WAN edge devices, physical or virtual, will build connectivity to multiple vSmart controllers in different regions for redundancy.
So, the vSmart acts as a dissemination point that distributes data plane and application-aware routing policies to the WAN edge routers. It’s like an enhanced BGP route reflector (RR) but reflects much more than routes, such as policy, control, and security information. This does drastically reduce complexity and offers a highly resilient architecture.
These devices connect to the control plane securely with TLS or DTLS tunnels. You can choose between them when setting up your SD-WAN, and all of this is configured via vManage.
Then we have the data plane, which can be physical or virtual, known as your WAN edge, which is responsible for moving packets. It no longer has to deal with the complexity of a control plane on the WAN side, such as BGP configurations and maintaining peering relationships. Of course, you still need a control plane on the LAN side, such as route learning via OSPF. But on the WAN side, all the complex peerings have been pushed into the vSmart controllers.
The WAN edge device establishes DTLS or TLS tunnels to the SD-WAN control plane, which consists of the vSmart controllers. Inside the DTLS and TLS tunnels, the WAN edge builds a secure control plane session with the vSmarts using Cisco's purpose-built Overlay Management Protocol (OMP). OMP is the enhanced routing protocol for SD-WAN. Many extensions can be added to OMP to enhance the SD-WAN fabric, which makes it a lot more intelligent than a standard routing protocol.
vManage is the UI used for Day 0, Day 1, and Day 2 operations. All policies, routing, QoS, and security are configured in vManage, which then pushes them directly to the WAN edge or to the vSmart, depending on what is being configured.
If you reconfigure a box, for example, changing an IP address, this is pushed down directly to the box with NETCONF. However, if you change a policy affecting a remote site, that is not pushed down directly by vManage. In the case of such advanced configurations, the vSmart carries out the path calculation and pushes the resulting state down to the WAN Edge.
Cisco SD WAN Security: Device Identity
So now we have started to secure the fabric, and everything on the control plane side is encrypted. But before we get into data plane security, we must look at physical security. Here, we need to address device and software authentication: how can you verify that a device is an authentic Cisco device and that genuine Cisco software is running on it? Unfortunately, many counterfeit devices are produced, but those will not even load when booted up.
In the past, many vulnerabilities were found in classic IOS routers. We had, for example, runtime infection and static infection. For all of these to succeed, someone had to gain access to the devices and modify them. With some of the vulnerabilities, the router reached out to C&C servers when it came online. So malware in IOS is a real threat; there was a security breach that even affected the line cards.
However, Cisco now authenticates Cisco hardware and Cisco software. This is done with Cisco Trust Anchor modules. We also need to secure the OS, which is done with Cisco Secure Boot.
Cisco SD WAN Security: Secure Control Plane
So we have taken the burden from the WAN edge router. The traditional WAN had an integrated control and data plane, which meant high complexity, limited scale, and limited path selection. Even if you use DMVPN, you still carry out the routing, such as EIGRP or OSPF, so you are not saved from this. With DMVPN, we have both the IKE and routing components, and IKE in large environments is hard to scale.
So with SD-WAN, we have a network-wide control plane, which is different from DMVPN. As the WAN edge has secure and authenticated connectivity to the vSmart controllers, we can use the vSmart controllers to remove the complexity, especially for central key rotation. So now, with SD-WAN, you can have an IKE-less architecture.
So you only need a single peering to the vSmart, which allows you to scale horizontally. On top of this, we have OMP. It was designed from the ground up to be very extensible and to carry values that mean something to SD-WAN. It is not just a replacement for a routing protocol; it does much more than carry IP prefixes. It can carry the keys, policy information, service insertion, and multicast node information.
It is also distributed and allows edge devices to present their identity in the fabric. That identity is the TLOC, which enables you to build the fabric in any network design you wish. The TLOC is a transport locator with a unique identity in the WAN fabric. Every box has a TLOC, composed of the system IP, the color or label of the transport, and the encapsulation (IPsec or GRE). So now we can differentiate every box and have much more control, carrying all the TLOC information in the OMP peerings along with its associated attributes.
Once the TLOC is advertised to the vSmart controllers, the vSmart advertises it to the WAN edges. In this case, we have a full mesh, or you can limit who can learn the TLOC, blocking TLOCs to build a hub-and-spoke topology. If you want, you can change the next hop of a TLOC to change where a route is advertised. When you think about it, in the past changing BGP on a wide scale was challenging, as it had to be done box by box, but now, with SD-WAN, we can quickly build the topology.
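As an added illustration of the TLOC reflection and topology control described above (example code written for this page, not Cisco's implementation or OMP's real encoding), the following Python model has a vSmart-style reflector apply a control policy that either reflects every TLOC (full mesh) or lets spokes learn only the hub's TLOC (hub-and-spoke), and rewrites the next hop of routes whose originating TLOC a receiver was not allowed to learn. All addresses, colors and prefixes are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tloc:
    """Transport locator as the post describes it: system IP, color, encapsulation."""
    system_ip: str
    color: str
    encap: str  # "ipsec" or "gre"


# Constructed sample fabric (not real addresses): one hub, two spokes, one biz-internet TLOC each.
HUB = "10.0.0.1"
FABRIC = {
    "10.0.0.1": Tloc("10.0.0.1", "biz-internet", "ipsec"),
    "10.0.0.2": Tloc("10.0.0.2", "biz-internet", "ipsec"),
    "10.0.0.3": Tloc("10.0.0.3", "biz-internet", "ipsec"),
}
# LAN prefixes each edge learned (e.g. via OSPF) and advertises into OMP (constructed).
LAN_ROUTES = {
    "10.0.0.1": ["192.168.1.0/24"],
    "10.0.0.2": ["192.168.2.0/24"],
    "10.0.0.3": ["192.168.3.0/24"],
}


def full_mesh(receiver, tloc):
    """Control policy: every edge learns every other edge's TLOC."""
    return True


def hub_and_spoke(receiver, tloc):
    """Control policy: the hub learns all TLOCs; a spoke learns only the hub's."""
    return receiver == HUB or tloc.system_ip == HUB


def reflect_tlocs(fabric, policy):
    """Model of the vSmart as route reflector: each edge's TLOC is reflected to
    the other edges, filtered by policy(receiver_ip, tloc) -> bool."""
    return {
        rx: [t for ip, t in fabric.items() if ip != rx and policy(rx, t)]
        for rx in fabric
    }


def data_plane_tunnels(learned):
    """IPsec tunnels the edges would bring up: one per learned TLOC, as unordered pairs."""
    return {tuple(sorted((rx, t.system_ip))) for rx, tlocs in learned.items() for t in tlocs}


def reflect_routes(fabric, lan_routes, learned):
    """OMP route reflection. A route is prefix -> next-hop TLOC. If the receiver
    was not allowed to learn the originating TLOC, the controller sets the next
    hop to the hub's TLOC, so spoke-to-spoke traffic transits the hub."""
    table = {}
    for rx in fabric:
        allowed = {t.system_ip for t in learned[rx]}
        table[rx] = {}
        for origin, prefixes in lan_routes.items():
            if origin == rx:
                continue
            next_hop = origin if origin in allowed else HUB
            for prefix in prefixes:
                table[rx][prefix] = fabric[next_hop]
    return table


if __name__ == "__main__":
    for name, policy in (("full mesh", full_mesh), ("hub and spoke", hub_and_spoke)):
        learned = reflect_tlocs(FABRIC, policy)
        spoke = reflect_routes(FABRIC, LAN_ROUTES, learned)["10.0.0.2"]
        print(name, sorted(data_plane_tunnels(learned)), {p: t.system_ip for p, t in spoke.items()})
```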
Cisco SD WAN Security: Secure Data Plane
So we have secure connectivity from the WAN edge to the vSmart, with OMP running inside secure DTLS/TLS tunnels, and this is all dynamic. Over the OMP session from the vSmart, the WAN edge gets the required information, such as TLOCs and security keys. Then the WAN edge devices can build IPsec tunnels to each other; this is not standard IPsec but UDP-based IPsec. The UDP-based IPsec tunnels between two boxes allow tunnels over multiple types of transport, so the fabric is now transport-agnostic.
We still have route learning on the LAN side, and these routes are placed into a VPN, just like a VRF. This new reachability information learned from the LAN is sent as an OMP update to the vSmart. The vSmart acts as a route reflector and reflects this information, and it makes all the path decisions for the network. So if you want to manipulate the path information, you do this in the vSmart controller: you can drive preference for particular transports, or even change the next hop, from the controller without any box-by-box configuration.
Cisco SD WAN Security: Direct Internet Access
Next, let us examine direct internet access. With direct access, there are several use cases we need to meet. The primary use case is PCI compliance: before the packet leaves the branch, it needs to be inspected by a stateful firewall and an IPS solution. The SD-WAN enterprise firewall is application-aware, and IPS is integrated with SD-WAN, which solves this use case.
Then we have the guest access use case, where guests are working in a branch office. We need content filtering for these guests too, and SD-WAN can run URL filtering for this. There is also the direct cloud access use case, where we want to provide optimal performance for employee traffic by selecting applications to send directly from the branch to the Cloud while sending other applications to the HQ. Again, DNS web layer security would be helpful here.
So the main features, enterprise firewall, URL filtering, and IPS, are on the box, with the DNS layer filtering being a cloud feature with Cisco Umbrella. This provides complete edge security and does not need a two-box solution, except for the additional Cisco Umbrella, a cloud-native solution dispersed around the globe with security functions delivered from PoPs.
- Example of a Cisco device or VNF
One way to consume Cisco SD-WAN security is by leveraging Cisco’s integrated security applications within a rich portfolio of powerful WAN Edge routers, such as the ISR4000 series. On top of the native application-aware stateful firewall, these WAN Edge routers can dedicate compute resources to application service containers running within IOS-XE to enable in-line IDS/IPS, URL filtering, and Advanced Malware Protection (AMP). Remember, Cisco SD-WAN security can also be consumed through cloud services or regional hubs where VNF-based security chains may be leveraged, or robust security stacks may already exist.
WAN Security: Enterprise Firewall
Traditional branch firewall design involves deploying the appliance in either in-line Layer 3 mode or transparent Layer 2 mode behind or even ahead of the WAN Edge router. Now, for stateful inspection, we have to have another device. This adds complexity to the enterprise branch and creates unnecessary administrative overhead in managing the added firewalls.
Cisco SD-WAN takes an integrated approach and has implemented an application-aware enterprise firewall directly into the SD-WAN code. So there is no need to have another device for inspection.
Cisco has integrated the stateful firewall with the NBAR 2 engine. Now with these two, we have good application visibility and granularity. In addition, the enterprise firewall can also do application detection with the very first packet.
WAN Security: Intrusion Prevention
An IDS/IPS inspects traffic in real time to detect and prevent attacks by comparing application behavior against a known database of threat signatures. The Cisco SD-WAN implementation is based on the Snort engine and runs as a container. Snort is the most widely deployed intrusion prevention system in the world. The solution is combined with Cisco Talos, which produces the signatures. The Cisco Talos Intelligence Group is one of the world's largest commercial threat intelligence teams, comprising researchers, analysts, and engineers.
Cisco vManage connects to the Talos signature database, downloads the signatures on a configurable periodic or on-demand basis, and pushes them down to the branch WAN Edge routers without user intervention. Signatures are the set of rules that an IDS or IPS uses to detect typical intrusive activity. You can also use an allowlist approach if you see many false positives. It is better to start in detect mode, so the engine can learn before you start blocking.
WAN Security: URL filtering
URL filtering is another Cisco SD-WAN security function that leverages the Snort engine to inspect HTTP and HTTPS payloads to provide web security at the branch. In addition, the URL filtering engine enforces acceptable-use controls to block or allow websites. The WAN Edge routers download the URL database and block based on over 80 categories; they can also make decisions based on a web application score. This information is sourced from Webroot/BrightCloud.
WAN Security: Advanced Malware Protection and Threat Grid
Advanced Malware Protection (AMP) and Threat Grid are the newest additions to Cisco SD-WAN security. As with URL filtering, both AMP and Threat Grid leverage the Snort engine and Talos for real-time inspection of file downloads and malware detection. AMP can block malware trying to enter your network using antivirus detection engines, one-to-one signature matching, machine learning, and fuzzy fingerprinting.
WAN Security: DNS Web Layer Security
Finally, we have DNS layer security. Some countries have rules that you cannot look into HTTP or HTTPS packets to do filtering. How can you filter content if you can't look into HTTP or HTTPS packets? You can do it with DNS packets. Before a page is loaded in the browser, the client sends a DNS request to the DNS server asking for the website's name-to-IP mapping. Once registered with the Umbrella cloud, the WAN Edge router intercepts DNS requests from the LAN and redirects them to Umbrella resolvers. If the requested page is a known malicious site or is not allowed (based on the policies configured in the Umbrella portal), the DNS response will contain the IP address of an Umbrella-hosted block page.
DNS web layer security also supports DNSCrypt, EDNS, and TLS decryption. In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It does not require changes to domain names or how they work; it simply provides a method for securely encrypting communication between the end user and the DNS servers in the Umbrella cloud located around the globe.
In some scenarios, it may be essential not to intercept DNS requests for internal resources but to pass them on to an internal or alternate DNS resolver instead. To meet this requirement, the WAN Edge router can leverage local domain bypass functionality, where a list of internal domains is defined and referenced during the DNS request interception process.
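As an added example written for this page (not Cisco's or Umbrella's code), the following Python models the DNS-layer flow described in the last three paragraphs: the WAN Edge checks the query name against the local domain bypass list and sends a match to the internal resolver; everything else is redirected to Umbrella, which answers blocked categories with the block-page address. The resolver addresses, domains and category feed are constructed stand-ins, and Umbrella's policy evaluation is reduced to a category lookup.

```python
# All addresses, domain names and categories below are constructed for the example.
INTERNAL_RESOLVER = "10.10.10.53"   # internal DNS server reached via local domain bypass
UMBRELLA_RESOLVER = "203.0.113.53"  # stand-in for an Umbrella resolver, not a real one
BLOCK_PAGE_IP = "198.51.100.10"     # stand-in for the Umbrella-hosted block page
LOCAL_DOMAIN_BYPASS = ["corp.example", "intranet.example"]
BLOCKED_CATEGORIES = {"malware", "phishing", "gambling"}
# Stand-in for the Umbrella portal's categorisation and policy data.
CATEGORY_DB = {
    "bad-downloads.example": "malware",
    "login-verify.example": "phishing",
    "news.example": "news",
}
INTERNAL_ANSWERS = {"wiki.corp.example": "10.10.20.5"}  # what the internal resolver knows
PUBLIC_ANSWERS = {"www.news.example": "192.0.2.80"}     # what Umbrella would resolve to


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def matches_local_domain(qname, bypass_list):
    """Label-boundary suffix match: 'host.corp.example' matches 'corp.example',
    but 'notcorp.example' must not (a naive endswith check gets this wrong)."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in map(normalize, bypass_list))


def classify(qname, db):
    """Walk up the labels so a subdomain inherits its parent's category."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        category = db.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def edge_forward_target(qname):
    """WAN Edge interception decision: bypass-list match -> internal resolver,
    anything else -> redirect to Umbrella."""
    if matches_local_domain(qname, LOCAL_DOMAIN_BYPASS):
        return INTERNAL_RESOLVER
    return UMBRELLA_RESOLVER


def umbrella_answer(qname):
    """Modelled Umbrella-side policy: a blocked category gets the block-page IP
    instead of the real address; everything else resolves normally."""
    if classify(qname, CATEGORY_DB) in BLOCKED_CATEGORIES:
        return "blocked", BLOCK_PAGE_IP
    return "allowed", PUBLIC_ANSWERS.get(normalize(qname))


def resolve(qname):
    """End-to-end: (resolver the query went to, verdict, answer IP or None)."""
    target = edge_forward_target(qname)
    if target == INTERNAL_RESOLVER:
        return target, "bypass", INTERNAL_ANSWERS.get(normalize(qname))
    verdict, ip = umbrella_answer(qname)
    return target, verdict, ip


if __name__ == "__main__":
    for name in ("wiki.corp.example", "NOTCORP.example.", "files.bad-downloads.example", "www.news.example"):
        print(name, "->", resolve(name))
```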