Securing Your WAN Infrastructure

Enabling the Hybrid WAN Webinar Series

Presenter: Elisa Caredio, Product Manager


Host: Robb Boyd, Techwise TV
Date: Thursday 22nd January 2015, 10am PST
Enabling the Hybrid WAN Webinar Series
• 6th November 2014: How to Deliver Uncompromising Branch Application Performance
• 16th December 2014: 5 Ways to Lower Your Branch Costs
• 22nd January 2015: Securing Your WAN Infrastructure
• 5th February 2015: Ask Cisco: Deploying a Hybrid WAN Infrastructure
• 18th February 2015: Simplify Management of Your Branch Infrastructure

Visit Cisco Online Events:
http://www.cisco.com/web/learning/le21/le39/featured.html#technology_broadcasts_networks

© 2014 Cisco and/or its affiliates. All rights reserved.


Your Presenters
• Elisa Caredio, Product Manager
• Robb Boyd, Techwise TV


Today's Session: What You Will Learn

• Why secure your WAN infrastructure
• Benefits of Transport Independent Design using DMVPN
• Why secure Direct Internet Access
• Best practices for Threat Defense and Compliance
• Key Takeaways


Why secure your WAN infrastructure


Why Secure Your WAN Infrastructure

[Diagram: Branch router with two paths: IPsec-secured Hybrid WAN transport (MPLS IP-VPN and Internet) to the Private Cloud and Virtual Private Cloud, and Direct Internet Access to the Public Cloud and Internet]

• Secure WAN transport for private and virtual private cloud access
• Leverage local Internet path for public cloud and Internet access
• Transport Independent Design ensures consistent VPN overlay across transition
• Certified strong encryption for scalable secure direct Internet access
• Comprehensive Threat Defense with IOS Firewall/IPS
• Cloud Web Security (CWS)
Trends in the Threat Defense Market

• Why enterprise security?
  • Data loss
  • Compliance (economy)
  • Disruption (0.5% to 2.5% revenue loss)
• Threats!!!
  • 2012 - 100M malware samples
  • 2013 - 200M samples (McAfee)
  • Short lifecycle
• Visibility
  • Intelligent solutions are 10 times more valuable
• Changing consumption models
  • Appliance to Integrated
  • On premise to SaaS


“By 2016, 30% of advanced targeted threats - up from less than 5% today - will specifically target branch offices as an entry point.”
Gartner: “Bring Branch Office Network Security Up to the Enterprise Standard”, April 2013


Intelligent WAN Deployment Models

• Dual MPLS (Branch to Enterprise over MPLS + MPLS)
  ✔ Highest SLA guarantees
  – Tightly coupled to SP
  ✖ Expensive
• Hybrid (Branch to Enterprise over MPLS + Internet)
  ✔ More BW for key applications
  ✔ Balanced SLA guarantees
  – Moderately priced
• Dual Internet (Branch to Enterprise over Internet + Internet)
  ✔ Best price/performance
  ✔ Most SP flexibility
  – Enterprise responsible for SLAs


Benefits of Transport Independent Design Using DMVPN


Flexible Secure WAN Design Over Any Transport
Dynamic Multipoint VPN (DMVPN)

• Transport-Independent: Simplifies WAN Design
  • Easy multi-homing over any carrier service
  • Single routing control plane with minimal peering to the provider
  • Zero-touch hub configuration for new spokes
• Flexible: Dynamic Full-Meshed Connectivity
  • Consistent design over all transports
  • Automatic site-to-site IPsec tunnels
• Secure: Proven Robust Security
  • Certified crypto and firewall for compliance
  • Scalable design with high-performance cryptography in hardware

[Diagram: Branch ISR connected over Internet and MPLS WAN transports to ASR 1000 routers in the Data Center]


Cisco IWAN Transport Independent Design
Using Dynamic Multipoint VPN (DMVPN)

• Proven IPsec VPN technology
  • Widely deployed, large scale
  • Standards based IPsec and Routing
  • Advanced QOS: hierarchical, per tunnel and adaptive
• Flexible & Resilient
  • Over any transport: MPLS, Carrier Ethernet, Internet, 3G/4G, ...
  • Hub-n-Spoke and Spoke-to-Spoke Topologies
  • Multiple encryption, key management, routing options
  • Multiple redundancy options: platform, hub, transports
• Secure
  • Industry Certified IPsec and Firewall
  • NG Strong Encryption: AES-GCM-256 (Suite B)
  • IKE Version 2
  • IEEE 802.1AR Secure unique device identifier
• Simplified IWAN Deployments
  • Prescriptive validated IWAN designs
  • Automated provisioning – Prime, APIC, Glue

[Diagram: IWAN Hybrid: Branch with two DMVPN overlays, "Purple" over ISP A (Internet) and "Blue" over SP V (MPLS), to the Data Center]


Hybrid WAN Designs

• TRADITIONAL HYBRID
  • Active/Standby WAN Paths: primary with backup
  • Two IPsec Technologies: GETVPN over MPLS (SP V) and DMVPN over Internet (ISP A)
  • Two WAN Routing Domains
    • MPLS: eBGP or Static
    • Internet: iBGP, EIGRP or OSPF
    • Route Redistribution, Route Filtering, Loop Prevention
• IWAN HYBRID
  • Active/Active WAN Paths
  • One IPsec Overlay: DMVPN over both Internet (ISP A) and MPLS (SP V)
  • One WAN Routing Domain: iBGP, EIGRP, or OSPF

[Diagram: in both designs an ISR Branch router connects to two ASR 1000 Data Center routers over the Internet and MPLS transports]


IWAN Transport Independence
Consistent deployment models simplify operations

[Diagram: three models with the same structure; in each an ISR Branch router reaches two ASR 1000 Data Center routers over two DMVPN overlays: IWAN Dual MPLS (ISP A MPLS + SP V MPLS), IWAN Hybrid (ISP A Internet + SP V MPLS), IWAN Dual Internet (ISP A Internet over DSL + ISP C Internet over Cable)]


What is Dynamic Multipoint VPN?
Cisco IOS Software Solution for Building IPsec and GRE VPNs in an Easy, Dynamic and Scalable Manner

Two Proven Technologies
• Next-Hop Resolution Protocol (NHRP)
  • Creates a distributed mapping database of VPN (tunnel interface) to real (public interface) addresses
• Multipoint GRE tunnel interface
  • Single GRE interface to support multiple GRE/IPsec tunnels and endpoints
  • Simplifies size and complexity of configuration
  • Supports dynamic tunnel creation

Major Features
• Configuration reduction and no-touch deployment
• Passenger protocols (IP(v4/v6) unicast, multicast, and dynamic routing protocols)
• Transport protocols (IPv4 and IPv6)
• Remote peers with dynamically assigned transport addresses
• Spoke routers behind dynamic NAT; hub routers behind static NAT
• Dynamic spoke-spoke tunnels for partial/full mesh scaling
• Wide variety of network designs and options
• Redundancy Options (Intra and Inter – DMVPN)
• Segmentation with VRFs and SGT
DMVPN and IPsec

• IPsec integrated with DMVPN, but not required
• Packets encapsulated in GRE, then encrypted with IPsec
• Both IKEv1 (ISAKMP) and IKEv2 supported
• NHRP controls the tunnels, IPsec does encryption
• FIPS-140 certified and Suite-B strong encryption support
• Bringing up a tunnel
  • NHRP signals IPsec to set up encryption
  • IKEv1 and IKEv2 authenticate the peer and generate SAs
  • IPsec responds to NHRP and the tunnel is activated
  • All NHRP and data traffic is encrypted
• Bringing down a tunnel
  • NHRP signals IPsec to tear down the tunnel
  • IPsec can signal NHRP if encryption is cleared or lost
  • IKEv1/IKEv2 keepalives monitor the state of spoke-spoke and spoke-hub tunnels


DMVPN Example

[Diagram: a hub router with a static, known IP address (Physical: 172.17.0.1, Tunnel0: 10.0.0.1) and LAN 192.168.0.0/24; Spoke A (Physical: dynamic, Tunnel0: 10.0.0.11, LAN 192.168.1.0/24) and Spoke B (Physical: dynamic, Tunnel0: 10.0.0.12, LAN 192.168.2.0/24) are branch routers with dynamic, unknown IP addresses, all connected over the Internet. LANs can have private addressing.]

DMVPN Example: Static Spoke-to-hub tunnels

[Diagram: same topology; each spoke keeps a permanent tunnel to the hub (Tunnel0 10.0.0.11 and 10.0.0.12 to 10.0.0.1)]

DMVPN Example: Dynamic Spoke-to-spoke tunnels

[Diagram: same topology; a direct tunnel between Spoke A and Spoke B is built dynamically, in addition to the static spoke-to-hub tunnels]


IWAN Automated Secure VPN
Available 1H2015

• Embedded Trust Devices: Deploy, Search, Retrieve, Revoke
• Secure Boot Strap
• Automatic Configuration and Trust Establishment
• Dynamic VPN Establishment
• Automatic Session Key Refresh (IKEv2)
• Trust Revocation
• Key and Certificate Controller, with an optional External Certificate Authority
• Configuration Orchestration via APIC, the IWAN App, Prime or 3rd Party tools

[Diagram: Enterprise WAN Core with Resilient WAN POP, DC, Campus and Large Site, connected over 4G, Metro-E, MPLS and ISP transports to Branch and Intelligent Branch sites with AX routers]


Cisco Intelligent WAN
Transport Best Practices

• Private peering with Internet providers
  • Use same Internet provider for hub and spoke sites
  • Avoids Internet Exchange bottlenecks between providers
  • Reduces round trip latency
• DMVPN Phase 3
  • Scalable dynamic site-to-site tunnels
  • Separate DMVPN per transport for path diversity
  • Per tunnel QOS
  • NG Encryption – IKEv2 + AES-GCM-256 encryption
• Transport Settings
  • Use the same MTU size on all WAN paths
  • Bandwidth settings should match offered rate
• Routing Overlay
  • iBGP or EIGRP for high scale (1000+ sites)
  • Single routing process, simplified operations
  • Front-side VRF to isolate external interfaces

[Diagram: IWAN Hybrid: Branch with DMVPN "Purple" over ISP A (Internet) and DMVPN "Blue" over SP V (MPLS) to the Data Center]
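The transport-settings and routing-overlay best practices above (front-side VRF, consistent MTU, bandwidth matching the offered rate, per-tunnel QoS) applied to one Internet spoke and its hub, as an added Cisco IOS example; this is not configuration from the deck. The VRF name, interface names, the provider addresses (203.0.113.0/24, a documentation range), the 10 Mbit/s offered rate, the NHRP group and policy names are all constructed, and the IPsec profile `DMVPN-IPSEC-PROFILE` is assumed to be defined separately.

```cisco
! ===== Spoke: front-side VRF isolates the Internet-facing interface =====
! The transport interface and its default route live in their own VRF, so
! nothing on the Internet side can reach enterprise prefixes through the
! global routing table; only the encrypted tunnel crosses the boundary.
vrf definition IWAN-TRANSPORT-INET
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description Internet transport, member of the front-side VRF
 vrf forwarding IWAN-TRANSPORT-INET
 ip address 203.0.113.10 255.255.255.0
!
! Default route exists only inside the transport VRF (constructed next hop).
ip route vrf IWAN-TRANSPORT-INET 0.0.0.0 0.0.0.0 203.0.113.1
!
! ===== Spoke tunnel: same MTU/MSS on every WAN path, bandwidth = offered rate =====
interface Tunnel0
 description DMVPN over Internet
 bandwidth 10000
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication EXAMPLE
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1 nbma 172.17.0.1 multicast
 ip nhrp shortcut
 ip nhrp group BRANCH-10MB
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf IWAN-TRANSPORT-INET
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
! ===== Hub: per-tunnel QoS keyed on the NHRP group the spoke announces =====
! The hub shapes traffic toward this spoke to its 10 Mbit/s offered rate and
! gives voice (EF) a priority queue inside the shaped rate, so a fast data
! center link cannot overrun the slow branch circuit.
class-map match-any VOICE
 match dscp ef
!
policy-map BRANCH-10MB-CHILD
 class VOICE
  priority percent 10
 class class-default
  fair-queue
!
policy-map BRANCH-10MB-SHAPE
 class class-default
  shape average 10000000
  service-policy BRANCH-10MB-CHILD
!
interface Tunnel0
 ip nhrp map group BRANCH-10MB service-policy output BRANCH-10MB-SHAPE
```

The `bandwidth` value on the tunnel is in kbit/s and the shaper in bit/s, both set to the rate the provider actually delivers rather than the interface speed. `ip mtu 1400` and `ip tcp adjust-mss 1360` are repeated verbatim on every DMVPN tunnel (MPLS and Internet) so that a flow moving between paths never changes fragmentation behaviour. `show ip nhrp group-map` on the hub lists which spokes announced which group and the policy applied to each.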


Securing Direct Internet Access


Securing the WAN
Direct Internet Access

[Diagram: Branch router with an IPsec VPN to the Corporate Network, and Firewall and IPS in front of Direct Internet Access to the Public Internet]

• Secure WAN transport for branch to headquarters connectivity
• Leverage local Internet path for public cloud and Internet access
• Threat Defense (TD) techniques provide the additional protection needed for Direct Internet Access (DIA)
• Improve application performance (right flows to right places)
• Reduced bandwidth consumption


Securing the LAN

[Diagram: Branch with a Guest Network behind the router; IPsec VPN to the Corporate Network; Firewall and IPS protect Direct Internet Access to the Public Internet]

• Guest devices are connected to a separate VLAN/SSID
• Traffic from the guest VLAN is directly routed to the Internet
• Traffic is inspected as it traverses the branch router


Elevating Branch Protection
Protection from External Threats

• Detect and contain threats from compromised devices in the branch network using Cisco ISR platforms
  • Zone Based Firewall is the starting point
  • Industry leading threat defense using Snort and Cloud Web Security
• Distributed threat defense with centralized management
  • Make every branch detect threats on its own network, with central management and monitoring
• Safer guest access
  • Guest network and devices on it are better protected now


Best Practices for Threat Defense and Compliance


Cisco ISR with IOS Integrated Threat Defense
Firewall, VPN, IPS and Web Security

• For enterprises with distributed branch offices
• Cost-effective secure network infrastructure solution that provides multi-layered security and meets compliance requirements
• Cisco ISR with Integrated security features
  • Virtual Private Networking
  • Zone-Based Firewall
  • Web Security
  • Intrusion detection and prevention

• Lower TCO and investment protection
• Built on industry leading and proven open source components
• Helps to achieve PCI compliance
• Centralized management for network and security features


Zone-Based Firewall
Integrated Network Defense for ISR and ASR1000 Routers

• Firewall Perimeter Control
  • External and internal protection: internal network is no longer trusted
  • Protocol anomaly detection and stateful inspection
• Securing Unified Communications
  • Call flow awareness (SIP, SCCP, H323)
  • Prevent DoS attacks
• Flexible Deployment Models
  • Split Tunnel - Branch/Remote Office/Store/Clinic
  • Internal FW – International or un-trusted locations/segments, addresses regulatory compliances
• Integrates with other IOS services
  • Works with IPS, VPN, ISR Web Security
  • Works with SRE/ISM and WaaS Express
• Management Options and Flexibility
  • Supports CLI, SNMP, CCP, and CSM
  • Supports Cisco Configuration Engine

Key Benefits
• Secure Internet access to branch, without the need for additional devices
• High performance with throughput up to 200Gbps
• Control threats right at the remote site and conserve WAN bandwidth
• Interoperability with Cloud Web Security

[Diagram: Branch Offices connected over the WAN to the Corporate Office (ASR1K), with hacker and worm threats shown being stopped at the branch]


Zone-Based Firewall
Examples of Zones

• Internet
• DMZ
• WAN
• Guestnet
• Trusted
• Self
• Voice
• BYOD


Zone-Based Firewall
Firewall Zone Rules

• Interfaces are assigned to one of the Zones
• Traffic flows unrestricted between interfaces of the same Zone
• Traffic between two zones is blocked by default
• Zone to Zone policies need to be defined to allow traffic flow between zones

[Diagram: two VLAN1 interfaces in Zone: Inside exchange traffic freely (✔); traffic from VLAN1 in Zone: Inside to the Internet interface in Zone: Outside is blocked (✖) until a zone-pair policy permits it]
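The zone rules above, together with the guest-VLAN design from the "Securing the LAN" slide, as one added Cisco IOS Zone-Based Firewall configuration for a branch router with Direct Internet Access; this is an example added here, not configuration from the deck. Interface names, VLAN numbers, and the zone, class-map, policy-map and ACL names are constructed for the example. It shows the three rules in practice: interfaces are placed in zones, traffic between zones is dropped until a zone-pair policy exists, and the absence of a GUEST-to-INSIDE zone-pair is what keeps guests off the corporate LAN. It also covers the caveat practitioners hit most often: the router's own `self` zone must still admit the IKE and ESP traffic the DMVPN overlay depends on.

```cisco
! ===== Zones: every interface goes into exactly one =====
zone security INSIDE
zone security GUEST
zone security OUTSIDE
!
interface Vlan1
 description Corporate LAN
 zone-member security INSIDE
!
interface Vlan20
 description Guest LAN (separate VLAN/SSID)
 zone-member security GUEST
!
interface GigabitEthernet0/0
 description Internet (Direct Internet Access)
 zone-member security OUTSIDE
!
! The DMVPN tunnel carries already-encrypted traffic to headquarters; it is
! placed in INSIDE so corporate traffic to and from the tunnel is not dropped
! (an interface with no zone cannot talk to a zoned interface at all).
interface Tunnel0
 description DMVPN overlay to headquarters
 zone-member security INSIDE
!
! ===== Corporate users to the Internet: stateful inspection, rest dropped =====
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! ===== Guest users: web and DNS to the Internet only =====
! No GUEST->INSIDE (or GUEST->INSIDE via Tunnel0) zone-pair is defined, so the
! default inter-zone drop keeps guest devices away from the corporate LAN and
! the WAN overlay without any explicit deny rule.
class-map type inspect match-any GUEST-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect GUEST-TO-OUTSIDE-POLICY
 class type inspect GUEST-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security GUEST-TO-OUTSIDE source GUEST destination OUTSIDE
 service-policy type inspect GUEST-TO-OUTSIDE-POLICY
!
! ===== Traffic to the router itself (built-in "self" zone) =====
! Only IKE (UDP 500), NAT-T (UDP 4500) and ESP are admitted from the Internet;
! GRE and NHRP travel inside ESP and therefore need no rule of their own.
! Everything else aimed at the router's Internet address is dropped and logged.
ip access-list extended IPSEC-FROM-OUTSIDE
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-all OUTSIDE-TO-SELF-CLASS
 match access-group name IPSEC-FROM-OUTSIDE
!
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
```

Return traffic for inspected sessions is admitted by the stateful session table, so no OUTSIDE-to-INSIDE or OUTSIDE-to-GUEST zone-pair is needed; the `drop log` default classes are what make the firewall's decisions visible in syslog for monitoring. `show zone-pair security` confirms which pairs and policies exist, and `show policy-map type inspect zone-pair sessions` lists the active inspected sessions per pair.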


Cloud Web Security (CWS)
Formerly ScanSafe

• Cloud Based Premium Service
• Real Time scanning of HTTP/HTTPS web content
• Robust, fast, scalable and reliable global datacenter infrastructure
• Flexible deployment options via Cisco attach model and direct to cloud
• Support for roaming users
• Centrally managed granular web filtering policies, with web 2.0 visibility and control
• Close to real-time reporting with cloud retention, as part of the standard offering

Key Benefits
• Strong protection
• Separation of SecOps vs. NetOps
• Complete control
• High ROI
• Single management for thousands of endpoints/sites


Cloud Web Security (CWS)
Secure Internet Access

[Diagram: Branch ISR with two WAN links: WAN1 (IP-VPN) carries IWAN IPsec VPN traffic to the Private Cloud, where Firewall and IPS/IDS protect the Internet Edge; WAN2 (Internet) gives secure Public Cloud and Internet access, with the ISR Connector redirecting web traffic to the CWS towers for Web Filtering, Access Policy and Malware Detection]


Cloud Web Security (CWS)
Advanced Threat Protection

[Diagram: CWS protection layers for Headquarters, Branch Office and Roaming Users: Web Filtering; Cloud Application Visibility & Control; Web Reputation; Signature Malware (File); File Reputation; File Behavior; Threat Analytics (CTA); File Retrospection (AMP)]
Cloud Web Security (CWS)
Web Filtering and Application Visibility and Control (AVC)

• URL Filtering & Web Reputation
  • URL database covering over 50M sites worldwide
  • Real-time dynamic categorization for unknown URLs
  • Cisco Web Reputation is integrated with CWS and protects against a broad range of URL-based threats
• Application Visibility and Control
  • Identification and classification of applications (1000+ apps) e.g. iTunes, Facebook
  • Granular policies to control micro-applications (75K+) e.g. Farmville on FB or Videos on FB
  • Control user interaction with the application
• Reduce Disruptions From
  • Distracted Users
  • Legal Liabilities
  • Data Loss via Web Traffic and Web Applications


Snort Intrusion Detection and Prevention
Available Summer 2015

Snort Benefits
• Industry recognized IDS/IPS
• Meets PCI Compliance
• Cost effective IDS/IPS for the Branch
• Scalable management with APIC-EM

[Diagram: Cisco ISR 4K running Snort, managed by Cisco APIC (Common ACI Architecture): APIC - Enterprise Module alongside APIC for datacenter]


Snort Intrusion Detection and Prevention
Available Summer 2015
Use Cases

• Branch Threat Defense with Central Internet
  • Snort is inspecting all traffic on either the inside or outside interface; ZBFW enforces access control and is applied first
  • Snort is protecting the branch against internal and external threats
• Threat Defense for Local Direct Internet Access
  • Snort is inspecting all traffic on either the inside or outside interfaces. We can apply different policies (guest users, corporate users, etc.)
  • Snort and CWS are positioned to secure Internet access within the branch


Snort Intrusion Detection and Prevention
Available Summer 2015
Deploying Snort

Deployment Workflow
1. Device provisioning
2. Licensing
3. ISR 4K Container OVA installation
4. Container service activation
5. Enabling IPS/IDS
6. Enable Snort configuration
7. Reporting
8. Signature updates

Major Components
• APIC-EM
  • Orchestrate device provisioning
  • OVA installation and configuration
• Cisco Signature Store or Local Server for signature updates
• Alert Server for log collection

[Diagram: Cisco APIC Common ACI Architecture: APIC - Enterprise Module alongside APIC for datacenter]


Snort Intrusion Detection and Prevention
Available Summer 2015
Key Functionality

• Snort integrated into Cisco IOS XE and application container
• Supported on ISR 4000 Series
• IPS/IDS functionality
• Centralized management using APIC-EM (Enterprise Module)
• Log collection via external tools
• Ability to whitelist signatures
• Signature update mechanism using local update and via APIC-EM


Key Takeaways


Security Management
• APIC-EM IWAN App manages and orchestrates IWAN DMVPN
  • DMVPN simplified profiles are applied and DMVPN configuration and provisioning is automated
• APIC-EM SNORT App configures Snort on the ISR4K
  • Monitoring capabilities will be added in the future
• Other security components can be managed via several tools, including Cisco Prime Infrastructure


Secure your Hybrid WAN…
• DMVPN for secure connectivity across the WAN
  • Proven large-scale IPsec VPN technology
  • Flexible and secure
  • Automated prescriptive IWAN designs
• CWS and ZBFW for Direct Internet Access
  • Cloud based, single management technology for URL filtering and malware protection with AMP
  • ZBFW for perimeter control
• SNORT
  • Cost-effective light-weight threat defense
  • PCI compliance at the branch


More Information
• Cisco Intelligent WAN: www.cisco.com/go/iwan
• Cisco Application Policy Infrastructure Controller: www.cisco.com/go/apic
• Cisco Integrated Services Routers: www.cisco.com/go/isr
• Cisco Router Security: www.cisco.com/go/routersecurity