Branch Router Security
Kureli Sankar, Manager Technical Marketing
@jmckg
BRKSEC-2342

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKSEC-2342

#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

About Me
• BS in Electrical and Electronics Engineering
• 2006 – 2013 TAC Engineer
• CCIE Security #35505
• 2013 – 2018 TME
• 2019 – Present TME, Manager
• Areas of expertise
  • IOS and IOS-XE security features
  • SD-WAN Security solutions
• 2018 - Distinguished Speaker Cisco Live (EUR and ANZ)

Agenda
• Device Identity
• Data Plane Security
  Zone Based Firewall
  Snort IPS
  URL Filtering
  Cisco Umbrella Integration
  Advance Malware Protection and Threat Grid
  Firepower Threat Defense for ISR
  Encrypted Traffic Analytics (ETA)
• Control Plane Security
• Management Plane Security
• IOS-XE VS XE SD-WAN
• Management
• Live Demo

Cisco Enterprise Routing Portfolio

Branch: ISR 900, ISR 1000, ISR 4000
• Fixed and fan less
• IOS Classic based
• Integrated wired and wireless access
• PoE/PoE+
• WAN and voice module flexibility
• Compute with UCS E
• Integrated Security stack
• WAN Optimization

Aggregation: ASR 1000
• Hardware and software redundancy
• High-performance service with hardware assist

SD-WAN: vEdge 100, vEdge 1000 & 2000, vEdge 5000
• 4G LTE & Wireless
• Fixed/Pluggable Module
• Modular
• RPS

Virtual and Cloud: Cisco ENCS, CSR 1000V
• Service chaining virtual functions
• Cisco DNA virtualization
• Open for 3rd party services & apps
• Extend enterprise routing, security & management to cloud
• Options for WAN connectivity

Device Identity

Device Identity - Appendix
• RNG – Random Number Generator
• ASLR – Address Space Layout Randomization
• BOSC - Built-in Object Size Checking
• X-Space – Execution Space
• TAm – Trust Anchor Module
• RTD – Run Time Defense
• PKI – Public Key Infrastructure

Foundations of Trustworthy Technologies

Secure Boot of Signed Images
• Helps prevent malicious code from booting on a Cisco platform
• Automated integrity checks
• Monitors startup process and shuts down if compromised
• Faster identification of threats

Trust Anchor module (TAm)
• Tamper-resistant chip with X.509 cert installed at manufacturing
• Provides unique device identity and anti-counterfeit protections
• Secure, non-volatile on-board storage and RNG/crypto services
• Enables zero-touch provisioning; minimizes deployment costs

Runtime Defenses (RTD)
• Protects against injection of malicious code into running code
• Makes it harder for attackers to exploit vulnerabilities in running software
• Runtime technologies include ASLR, BOSC, and X-Space

Trustworthy technologies enhance the security and resilience of Cisco solutions

Hardware-Anchored Secure Boot

Step 1: Hardware anchor – the first instructions run on the CPU (the microloader) are stored in tamper-resistant hardware
Step 2: Microloader checks Bootloader
Step 3: Bootloader checks OS
Step 4: OS launched
Step 5: Authenticity and license checks (Trust Anchor module)
Step 6: Trust Anchor module provides critical services

Figure labels: software authenticity checks (microloader, bootloader, OS); hardware authenticity check (Trust Anchor module).

Cisco hardware-anchored secure boot verifies platform authenticity and integrity. Provides a secure device identity for authentication. Helps prevent inauthentic or compromised code from booting on a Cisco platform.

Secure UDI (Unique Device Identifier) = SUDI

C4331#show license udi
SlotID  PID          SN           UDI
-----------------------------------------------------------------
*       ISR4331/K9   FDO21XXXXXX  ISR4331/K9:FDO21XXXXXX

Trust Anchor module (TAm)

TAm Features:
• Tamper-resistant chip
• Hardware-anchored device identity
• Secure onboard storage
• Built-in crypto functions including random number generator (RNG)

Secure Unique Device ID (SUDI)
X.509 Certificate = Device's Identity
• Manufacturer-installed certificate
• Hardware serial numbers
• Device-unique public key

Key Use Cases
• Verifying the integrity of a device's identity
• Onboarding a new device – Secure Zero Touch Provisioning
• Secure enrollment within an organization's PKI

Zone Based Firewall

Zone Based Firewall Use Case: PCI Compliance
Diagram labels: Internet, Data Centre, Applications.

Zone Based Firewall – Benefits and Requirements

Benefits
• PCI * compliance
• Stateful firewall built into branch routers
• VLAN Segmentation
• Supports VRF
• Supports IPv6

Requirements
• SEC-K9 license
• XE 3.9 and above on ISR 4K
• XE 16.6.1 and above on ISR 1K
• XE 16.8.1 and above on ISRv
• XE 3.7S and above on ASR1K
• XE 3.10S and above on CSR 1000V

* PCI – Payment Card Industry

Zone Based Firewall
• Custom Zone
• default zone
  • "default" security zone for all INSIDE interfaces
  • default zone has always been in IOS-XE
  • default zone support on ISR-G2 is from 15.6(1)T
• Self Zone

Zone Based Firewall
Configuration Theory - directional, different policy based on packet direction

Identify traffic using class-map
• Access-list
• Protocols

Take action using policy-map
• Inspect
• Pass
• Drop

Apply action using zone-pair
• Service policy applied to traffic
• Apply zones to interface

Zone Based Firewall - Custom Zone

zone security INSIDE
zone security OUTSIDE

class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp        ! or: match access-list <name>
 match protocol udp
 match protocol icmp

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop

zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

interface G0/0/0
 zone security OUTSIDE
interface G0/0/1
 zone security INSIDE

Diagram: Internet on G0/0/0 (security zone OUTSIDE); Data Centre / Applications on G0/0/1 (security zone INSIDE).

Zone Based Firewall – Default Zone

zone security default
zone security OUTSIDE

class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp        ! or: match access-list <name>
 match protocol udp
 match protocol icmp

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop

zone-pair security IN_OUT source default destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

interface G0/0/0
 zone security OUTSIDE

Diagram: Internet on G0/0/0 (security zone OUTSIDE); Data Centre / Applications on G0/0/1, which has no zone assigned and is therefore in the security zone "default".

Zone Based Firewall – Self Zone

• Pre-defined zone member
• Protects traffic TO and FROM router
• Traffic sourced or destined to router
• Excludes THROUGH the box NAT traffic
• Two differences
  • Pre-defined and available for use
  • Explicit allow compared to explicit deny
• Use to protect management and control plane traffic

Traffic that terminates in the Self Zone (from the diagram):
• Monitoring traffic: SNMP, Syslogs, Netflow
• Management traffic: SSH, Telnet, HTTP
• Routing Protocols: EIGRP, OSPF, BGP
• VPN: ESP, GRE, NAT-T, ISAKMP

Zone Based Firewall
Self Zone inbound - Inbound traffic to the router itself

ip access-list extended ACL-RTR-IN
 permit udp host y.y.y.y any eq 4500
 permit udp host y.y.y.y any eq isakmp
 permit icmp host x.x.x.x any echo
 permit icmp host x.x.x.x any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any range 33434 33463 ttl eq 1

ip access-list extended ESP-IN
 permit esp host x.x.x.x any

ip access-list extended DHCP-IN
 permit udp any eq bootps any eq bootpc

ip access-list extended GRE-IN
 permit gre host x.x.x.x any

class-map type inspect match-any INSPECT-ACL-IN-CLASS
 match access-group name ACL-RTR-IN

class-map type inspect match-any PASS-ACL-IN-CLASS
 match access-group name ESP-IN
 match access-group name DHCP-IN
 match access-group name GRE-IN

policy-map type inspect ACL-IN-POLICY
 class type inspect INSPECT-ACL-IN-CLASS
  inspect
 class type inspect PASS-ACL-IN-CLASS
  pass
 class class-default
  drop

zone-pair security TO-ROUTER source OUTSIDE destination self
 service-policy type inspect ACL-IN-POLICY

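Policy-as-code check of the self-zone inbound policy above, as an added example (not from the deck): it parses the ACL, class-map, policy-map and zone-pair lines of a subset of the slide's configuration and reports the action the policy gives to constructed inbound flows, which makes the self zone's explicit-allow behaviour visible. The router address, peer addresses and flows are constructed, and the ACL grammar handled is only the subset the slide uses.

```python
"""Policy-as-code check for the self-zone inbound policy on the slide above (added example)."""
from collections import namedtuple

# A flow is a constructed 5-tuple plus an optional ACL qualifier such as "echo".
Flow = namedtuple("Flow", "proto src dst sport dport qual", defaults=(0, 0, ""))
NAMED_PORTS = {"isakmp": 500, "bootps": 67, "bootpc": 68}
_port = lambda tok: NAMED_PORTS.get(tok) or int(tok)


def parse_ace(line):
    """Slide subset: permit <proto> <any|host A> [eq P|range A B] <any|host A> [eq P|range A B] [qual]"""
    t = line.split()
    ace, i = {"proto": t[1]}, 2
    for side in ("src", "dst"):
        ace[side] = None if t[i] == "any" else t[i + 1]   # None means any, else a host address
        i += 1 if t[i] == "any" else 2
        ports = None
        if i < len(t) and t[i] == "eq":
            ports, i = (_port(t[i + 1]),) * 2, i + 2
        elif i < len(t) and t[i] == "range":
            ports, i = (int(t[i + 1]), int(t[i + 2])), i + 3
        ace[side + "_ports"] = ports
    ace["qual"] = " ".join(t[i:])   # icmp type or ttl qualifier, if present
    return ace


def ace_matches(ace, f):
    if ace["proto"] not in ("ip", f.proto):
        return False
    for side, addr, port in (("src", f.src, f.sport), ("dst", f.dst, f.dport)):
        if ace[side] is not None and ace[side] != addr:
            return False
        rng = ace[side + "_ports"]
        if rng is not None and not rng[0] <= port <= rng[1]:
            return False
    return ace["qual"] in ("", f.qual)


KIND = {"ip": "acl", "class-map": "cls", "policy-map": "pol"}   # section header word -> table


def parse_config(text):
    """Collect ACLs, match-any class-maps, ordered policy-map classes and zone-pairs."""
    cfg, cur = {"acl": {}, "cls": {}, "pol": {}, "pair": {}}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        words = line.split()
        if words[0] in KIND:                              # ACL / class-map / policy-map header
            cur = cfg[KIND[words[0]]].setdefault(words[-1], [])
        elif words[0] == "zone-pair":
            cur = cfg["pair"].setdefault(words[2], {"src": words[4], "dst": words[6]})
        elif words[0] == "permit":
            cur.append(parse_ace(line))
        elif line.startswith("match access-group name"):
            cur.append(words[-1])
        elif words[0] == "class":
            cur.append([words[-1], None])                 # [class name, action set by next line]
        elif line in ("inspect", "pass", "drop"):
            cur[-1][1] = line
        elif words[0] == "service-policy":
            cur["policy"] = words[-1]
    return cfg


def action_for(cfg, pair, flow):
    """First matching class wins; unmatched traffic falls to class-default (drop)."""
    for cname, action in cfg["pol"][cfg["pair"][pair]["policy"]]:
        if cname == "class-default" or any(
                ace_matches(a, flow) for acl in cfg["cls"][cname] for a in cfg["acl"][acl]):
            return action
    return "drop"


# Subset of the slide's configuration: y.y.y.y is the VPN peer, x.x.x.x the monitoring host.
SELF_ZONE_IN = """
ip access-list extended ACL-RTR-IN
 permit udp host y.y.y.y any eq 4500
 permit udp host y.y.y.y any eq isakmp
 permit icmp host x.x.x.x any echo
 permit icmp any any ttl-exceeded
ip access-list extended ESP-IN
 permit esp host x.x.x.x any
class-map type inspect match-any INSPECT-ACL-IN-CLASS
 match access-group name ACL-RTR-IN
class-map type inspect match-any PASS-ACL-IN-CLASS
 match access-group name ESP-IN
policy-map type inspect ACL-IN-POLICY
 class type inspect INSPECT-ACL-IN-CLASS
  inspect
 class type inspect PASS-ACL-IN-CLASS
  pass
 class class-default
  drop
zone-pair security TO-ROUTER source OUTSIDE destination self
 service-policy type inspect ACL-IN-POLICY
"""


def check_samples():
    """Only explicitly permitted traffic reaches the router; everything else is dropped."""
    cfg, rtr = parse_config(SELF_ZONE_IN), "198.51.100.1"   # constructed router WAN address
    samples = {
        "isakmp from vpn peer": Flow("udp", "y.y.y.y", rtr, 500, 500),
        "esp from monitor host": Flow("esp", "x.x.x.x", rtr),
        "ssh from internet": Flow("tcp", "203.0.113.9", rtr, 40000, 22),
        "ping from unknown host": Flow("icmp", "203.0.113.9", rtr, qual="echo"),
    }
    return {name: action_for(cfg, "TO-ROUTER", f) for name, f in samples.items()}
```

Running check_samples() shows the ISAKMP flow inspected, the ESP flow passed, and both the SSH attempt and the ping from an unlisted host dropped by class-default.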
Zone Based Firewall
Self Zone outbound – Outbound traffic from the router itself

ip access-list extended ACL-RTR-OUT
 permit udp any host y.y.y.y eq 4500
 permit udp any host y.y.y.y eq isakmp
 permit icmp any host y.y.y.y

ip access-list extended ESP-OUT
 permit esp any host y.y.y.y

ip access-list extended DHCP-OUT
 permit udp any eq bootpc any eq bootps

class-map type inspect match-any INSPECT-ACL-OUT-CLASS
 match access-group name ACL-RTR-OUT

class-map type inspect match-any PASS-ACL-OUT-CLASS
 match access-group name ESP-OUT
 match access-group name DHCP-OUT

policy-map type inspect ACL-OUT-POLICY
 class type inspect INSPECT-ACL-OUT-CLASS
  inspect
 class type inspect PASS-ACL-OUT-CLASS
  pass
 class class-default
  drop

zone-pair security FROM-ROUTER source self destination OUTSIDE
 service-policy type inspect ACL-OUT-POLICY

App-aware Firewall – Benefits and Requirements

Benefits
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Allow or block traffic by application, category, application-family or application-group
• Segmentation
• PCI compliance
• Supports VRF
• Supports IPv6

Requirements
• AppX license (includes Sec-K9)
• XE 16.9.1 and above on ISR4K, ISR1K, CSR and ASR1K

Ent. Firewall App Aware - Configuration

zone security INSIDE
zone security OUTSIDE

class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp        ! [AND / OR] match access-group name <name>
 match protocol udp
 match protocol icmp

class-map match-any AVC-CLASS
 match protocol yahoo
 match protocol amazon
 match protocol attribute category consumer-streaming
 match protocol attribute category gaming
 match protocol attribute category social-networking

policy-map type inspect avc AVC-POLICY
 class AVC-CLASS
  deny
 class class-default
  allow

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
  service-policy avc AVC-POLICY
 class class-default
  drop

zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

interface G0/0/0
 zone security OUTSIDE
interface G0/0/1
 zone security INSIDE

Snort IPS

Snort IPS Use Case: PCI Compliance
Diagram labels: Internet, Data Centre, Applications.

Snort IPS - Appendix
• VPG – Virtual Port Group
• DIA – Direct Internet Access
• CSR - Cloud Services Router
• WL – White Listing
• OVA – Open Virtual Appliance
• UTD – Unified Threat Defense
• PCI – Payment Card Industry
• TCO – Total Cost of Ownership
• VMAN – Virtualization Manager

Snort IPS – Benefits and Requirements

Benefits
• PCI compliance
• Threat protection built into ISR and ISRv branch routers
• Complements ISR Integrated Security
• Lightweight IPS solution with low TCO and automated signature updates
• Supports VRF (16.6)
• Supports IPv6

Requirements
• SEC-K9 license
• 4 GB additional memory
• XE 3.16.1 and above on ISR4K
• XE 16.8.1 and above on ISRv
• XE 16.3.1 and above on CSR
• Subscription (1Yr, 3Yr or 5Yr)
• Monitoring via 3rd party

Security App Hosting Profile & Resources

Core layout per platform (from the slide diagram):
• 4431 / 4451 / 4461: Data Plane (10 core): PPE1–PPE9, BQS, Crypto, I/O; Control Plane (4 cores): IOS, SVC1, SVC2, SVC3, Linux
• 4331 / 4351: Data Plane (4 cores): PPE1–PPE3, Crypto, I/O; Control Plane (4 cores): IOS, SVC1, SVC2, SVC3, Linux
• 4321 / 4221: Control Plane (2 cores): IOS, SVC; Data Plane (2 cores): PPE, I/O, Crypto; Linux

Platform   Total No of CP Cores   Low Profile (% of CPU)   Medium Profile (% of CPU)   High Profile (% of CPU)
4221       2                      50%                      –                           –
4321       2                      50%                      –                           –
4331       4                      25%                      50%                         75%
4351       4                      25%                      50%                         75%
4431       4 (8)                  25%                      50%                         75%
4451       4 (8)                  25%                      50%                         75%
4461       4 (8)                  25%                      50%                         75%

Snort IPS Configuration – Virtual Service Networking

Purpose of the VPGs (ISR 4K/CSR):
• VPG1 <==> eth2 (data plane)
• Container Management: VPG0 <==> eth1 [OR] eth3 can be mapped to the dedicated mgmt port G0 of the router

Diagram labels: container interfaces eth1, eth2, eth3; router VPG0, VPG1; router ports G0 (mgmt), G0/0/0, G0/0/1.

Snort IPS – Configuration using VMAN

Step 1 Configure virtual service
virtual-service install name myips package flash:utd.ova

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 ip address 172.18.21.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
virtual-service myips
 vnic gateway VirtualPortGroup0
  guest ip address 172.18.21.2
 vnic gateway VirtualPortGroup1
  guest ip address 192.0.2.2
 activate

Step 4 Configuring UTD (service plane)
utd engine standard
 logging host 10.12.5.55
 logging syslog
 threat-inspection
  threat protection          (protection-ips, detection-ids)
  policy security            (balanced, connectivity)
  logging level warning
  signature update server cisco username <blah>
  signature update occur-at daily 0 0
  whitelist

Step 5 Enabling UTD (data plane)
utd
 all-interfaces
 engine standard
 fail close                  (fail open is default)

Step 6 Whitelisting (optional)
utd threat-inspection whitelist
 signature id 21599 comment Index
 signature id 20148 comment ActiveX

Intrusion Prevention – Configuration using IOx

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile low      (medium, high)
 start

Step 4 Configuring UTD (service plane)
utd engine standard
 logging host 10.12.5.55
 logging syslog
 threat-inspection
  threat protection          (protection-ips, detection-ids)
  policy security            (balanced, connectivity)
  logging level warning
  signature update server cisco username <blah>
  signature update occur-at daily 0 0
  whitelist

Step 5 Enabling UTD (data plane)
utd
 all-interfaces
 engine standard
 fail close                  (fail open is default)

Step 6 Whitelisting (optional)
utd threat-inspection whitelist
 signature id 21599 comment Index
 signature id 20148 comment ActiveX

Snort IPS - Resources

At-A-Glance
http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/at-a-glance-c45-735895.pdf

Data Sheet
http://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-736114.html

Snort IPS Deployment Guide
http://www.cisco.com/c/en/us/products/collateral/security/router-security/guide-c07-736629.html

URL Filtering

URL Filtering Use Case: Guest Internet Access
Diagram labels: Internet.

URL Filtering

Benefits
• Content Filtering for BYOD
• 82+ Web Categories with dynamic updates from Webroot/BrightCloud
• Block based on Web Reputation score
• Create custom Black and White Lists
• Customizable Block Page
• Supports VRF and IPv6

Requirements
• SEC-K9 license
• 4 GB additional memory
• XE 16.3 and above on CSR
• Multitenancy 16.6.1 on CSR

Diagram: requests for "risky" domains pass through URL Filtering, which applies white/black lists of custom URLs and blocks/allows based on categories and reputation.

URL Filtering – Configuration using VMAN

Step 1 Configure virtual service
virtual-service install name myips package flash:utd.ova

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 ip address 172.18.21.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure (the name must match the one installed in Step 1)
virtual-service myips
 vnic gateway VirtualPortGroup0
  guest ip address 172.18.21.2
 vnic gateway VirtualPortGroup1
  guest ip address 192.0.2.2
 profile urlf-low
 activate

Step 4 Configure (optional) white and black list
parameter-map type regex wlist
 pattern www.google.com
 pattern www.cisco.com
parameter-map type regex blist
 pattern www.exmaplehoo.com
 pattern www.bing.com

Step 5 Configure web-filter profile
utd engine standard multi-tenancy
 web-filter url profile URL-FILTER-POLICY
  blacklist
   parameter-map regex blist
  whitelist
   parameter-map regex wlist

URL Filtering – Configuration using VMAN

Step 6 Attach blacklist and whitelist to the profile
utd engine standard multi-tenancy
 web-filter url profile URL-FILTER-POLICY
  categories block
   abortion
   abused-drugs
   adult-and-pornography
   bot-nets
  alert all
  reputation
   block-threshold moderate-risk

Step 7 Configure and attach block page
utd engine standard multi-tenancy
 web-filter block page profile block-URL-FILTER-POLICY
  text "WHAT ARE YOU DOING??!!!"
 web-filter url profile URL-FILTER-POLICY
  block page-profile block-URL-FILTER-POLICY

Step 8 Configure data plane policy
utd global
 logging syslog
!
utd engine standard multi-tenancy
 policy utd-policy
  vrf 1, 2
  all-interfaces
  fail close
  web-filter url profile URL-FILTER-POLICY

URL Filtering – Configuration using IOx

Step 1 Configure virtual service
app-hosting install appid utd package bootflash:utd.tar

Step 2 Configure Port Groups
interface VirtualPortGroup0
 description Management interface
 ip address 192.168.1.1 255.255.255.252
interface VirtualPortGroup1
 description Data interface
 ip address 192.0.2.1 255.255.255.252

Step 3 Activate virtual service and configure
iox
app-hosting appid utd
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 1 guest-interface 1
  guest-ipaddress 192.0.2.2 netmask 255.255.255.252
 app-resource package-profile urlf-low
 start

Step 4 Configure (optional) white and black list
parameter-map type regex wlist
 pattern www.google.com
 pattern www.cisco.com
parameter-map type regex blist
 pattern www.exmaplehoo.com
 pattern www.bing.com

Step 5 Configure web-filter profile
utd engine standard multi-tenancy
 web-filter url profile URL-FILTER-POLICY
  categories block
   abortion
   abused-drugs
   adult-and-pornography
   bot-nets
  alert all
  reputation
   block-threshold moderate-risk

URL Filtering – Configuration using IOx

Step 6 Attach blacklist and whitelist to the profile
utd engine standard multi-tenancy
 web-filter url profile URL-FILTER-POLICY
  blacklist
   parameter-map regex blist
  whitelist
   parameter-map regex wlist

Step 7 Configure and attach block page
utd engine standard multi-tenancy
 web-filter block page profile block-URL-FILTER-POLICY
  text "WHAT ARE YOU DOING??!!!"
 web-filter url profile URL-FILTER-POLICY
  block page-profile block-URL-FILTER-POLICY

Step 8 Configure data plane policy
utd global
 logging syslog
!
utd engine standard multi-tenancy
 policy utd-policy
  vrf 1, 2
  all-interfaces
  fail close
  web-filter url profile URL-FILTER-POLICY

URL Filtering - Resources

Configuring Multi-Tenancy for Unified Threat Defense
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16/sec-data-utd-xe-16-book/sec-data-utd-xe-16-book_chapter_011.pdf

Cisco Umbrella Integration

Cisco Umbrella Integration
Diagram labels: Internet, VPN2, Data Centre, SaaS Applications, Employee, Guest, Direct Cloud Access, HQ Destined Traffic, Employee Internet Traffic, Guest Internet Traffic.

Cisco Umbrella Integration

• Token – used ONLY for device registration and to obtain the Origin ID
• Origin ID – Device ID. Valid until someone deletes that Network Device Identity from the dashboard.
• EDNS – Extension mechanisms for DNS
• CFT – Common Flow Table
• PTR – Pointer Record
• DNSCrypt – Protocol that authenticates communications between a DNS client and a DNS resolver
• FQDN – Fully Qualified Domain Name
• API – Application Programming Interface
• ReST API – Representational State Transfer API
• FMAN – Forwarding Manager
• CPP – Cisco Packet Processor (external name is Quantum Flow Processor)
• Phishing – The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Umbrella Integration – Benefits and Requirements

Benefits
• DNS layer protection
• No need to look within HTTP or HTTPS packets
• Complements ISR Integrated Security
• Configure policies based on 'tags' per interface
• Supports VRF

Requirements
• Provision to get token ID and portal login
• SEC-K9 license
• XE 16.3 and above on ISR 4K series routers
• XE 16.8.1 and above on ISRv and ISR 1K series routers
• XE 16.10.1 and above on ASR1K
• XE 16.3 and above on CSR
• Per device subscription
• Monitoring and Reporting via Umbrella Portal

Threats addressed (diagram): Malware, C2 Callbacks, Phishing

Cisco Umbrella Integration - Solution Overview

Diagram: DNS Request (1) from the client (Martha) through the router running IOS-XE to Cisco Umbrella, which sorts it as a safe request or a blocked request; DNS Response (4) back to the client; Approved Content (5) from the Internet web servers.

Cisco Umbrella Integration - Packet Flow with DNSCrypt

Parties: Client; ASR, ISRv, CSR, ISR4K or ISR1K running the Cisco Umbrella Connector; Cisco Umbrella.
1. Provision Customer – get Token for Device Registration (Cisco Umbrella)
2. Router -> Umbrella: Device (interface) Registration, DNSCrypt Key Exchange
3. Umbrella -> Router: Device ID, DNSCrypt Key
4. Client -> Router: DNS Query
5. Router -> Umbrella: Encrypted DNS Query + EDNS
6. Umbrella: Apply Customer Policy
7. Umbrella -> Router: Encrypted DNS Response
8. Router -> Client: DNS Response

Cisco Umbrella – Software Architecture

Control Plane (IOSd)
• Device Registration
• DNSCrypt Auth & Key Exchange
• CLI Configuration
• Database Table Management
• FMAN/CPP Client – Data Path Management
• CLI / IOS Configuration Download

Data Plane
• LAN ingress to WAN egress: Local Domain Configuration (RegEx); Forward to OpenDNS; Add EDNS; Encrypt (keys from the DNSCrypt Lib)
• WAN ingress to LAN egress: Decryption; Session Table; Restore DNS SRC

Cisco Umbrella – Configuration

Step 1 Certificate import (mandatory for device registration via https)
Router(config)#crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
30820494 3082037C A0030201 02021001 FDA3EB6E CA75C888 438B724B
….
quit

Step 2 Configure local domain (optional) and token
parameter-map type regex dns_bypass
 pattern www.cisco.com
 pattern .*eisg.cisco.*

Router(config)#parameter-map type umbrella global
Router(config-profile)#token 562D3C7FF844001C70E7
Router(config-profile)#local-domain dns_bypass

Step 3 Enable OpenDNS "out" and "in" with a tag
Router(config)#interface g0/0/0
Router(config-if)#description Internet facing
Router(config-if)#umbrella out

Router(config)#interface g0/0/1
Router(config-if)#description Guest facing
Router(config-if)#umbrella in Guest

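Both the URL-filtering white/black lists (the wlist and blist parameter-maps in the URL Filtering section) and the Umbrella local-domain bypass (dns_bypass above) are "parameter-map type regex" entries. The following added example, which is not Cisco's code, assumes those patterns are evaluated as ordinary unanchored regular expressions, as the keyword implies, and shows why a literal host name such as www.cisco.com then matches more than intended unless its dots are escaped and it is anchored; the look-alike host names it tests against are constructed.

```python
"""Audit of regex parameter-map patterns (added example; assumes plain, unanchored regex semantics)."""
import re

# Patterns copied from the slides; every host name they are tested against is constructed.
WLIST = ["www.google.com", "www.cisco.com"]          # URL filtering whitelist
DNS_BYPASS = ["www.cisco.com", ".*eisg.cisco.*"]     # Umbrella local-domain bypass

REGEX_META = "*+?[]^$"   # if any of these appear, the author meant a real regex, not a literal


def matches(patterns, host):
    """Return the first pattern that matches the host name, or None (unanchored search)."""
    return next((p for p in patterns if re.search(p, host)), None)


def anchored(literal):
    """Harden a literal host name: escape its dots and anchor both ends."""
    return "^" + re.escape(literal) + "$"


def audit(patterns):
    """For each literal-looking pattern, list constructed look-alikes it matches unintentionally.

    Three ways a bare host name over-matches: '.' acts as a wildcard, nothing anchors the
    start, and nothing anchors the end. The anchored form matches none of them."""
    report = {}
    for p in patterns:
        if any(ch in p for ch in REGEX_META):
            continue   # deliberately a pattern (e.g. .*eisg.cisco.*); nothing to report
        look_alikes = [p.replace(".", "-"), "not" + p, p + ".example.test"]
        report[p] = [h for h in look_alikes
                     if re.search(p, h) and not re.search(anchored(p), h)]
    return report


def hardened(patterns):
    """Return the list with every literal host name anchored and real regexes left alone."""
    return [p if any(ch in p for ch in REGEX_META) else anchored(p) for p in patterns]
```

The audit reports all three look-alikes for each literal host name, while hardened(WLIST) still matches www.cisco.com exactly and nothing else.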
Cisco Umbrella - Resources

At-A-Glance (AAG):
http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/at-a-glance-c45-737403.pdf

Frequently Asked Questions (FAQ):
https://www.cisco.com/c/dam/en/us/products/collateral/security/firewalls/td-umbrella-faqs.pdf

Cisco Umbrella Configuration Guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16/sec-data-umbrella-branch-xe-16-book/sec-data-umbrella-bran.html

CWS EOL announcement:
http://www.cisco.com/c/en/us/products/collateral/security/cloud-web-security/eos-eol-notice-c51-738257.html

Cisco Umbrella Video:
https://youtu.be/CGeLQTWKaPQ

Advanced Malware Protection and Threat Grid

Advanced Malware Protection and ThreatGrid (supported only on XE SD-WAN)

• Integration with AMP
  File reputation
  File retrospection
• Integration with Threat Grid
  File Analysis
• Backed with valuable Threat Intelligence
• HTTP, FTP, SMB, IMAP, POP3, SMTP

Diagram: traffic from the Internet; Check Signature (AMP); Check file (Malware Sandbox, Threat Grid).

AMP and TG – CLI rendered

Step 1 Configure file-reputation and file-analysis
utd engine standard multi-tenancy
 utd global
  file-reputation
   cloud-server cloud-isr-asn.amp.cisco.com
   est-server cloud-isr-est.amp.cisco.com
  file-analysis
   cloud-server isr.api.threatgrid.com
   apikey 0 vlepa30tnfg76cning92e7p

Step 2 Configure File inspection
utd engine standard multi-tenancy
 file-reputation profile AMP-Policy-fr-profile
  alert level info
 file-analysis profile AMP-Policy-fa-profile
  file-types
   pdf
   new-office ..
  alert level critical

Step 4 Configure File Inspection Profile
utd engine standard multi-tenancy
 file-inspection profile AMP-Policy-fi-profile
  analysis profile AMP-Policy-fa-profile
  reputation profile AMP-Policy-fr-profile

Step 5 Configure Policy
utd engine standard multi-tenancy
 policy utd-policy-vrf-1
  all-interfaces
  fail close
  file-inspection profile AMP-Policy-fi-profile
  vrf 1
 policy utd-policy-vrf-global
  all-interfaces
  fail close
  file-inspection profile AMP-Policy-fi-profile
  vrf global

Firepower Threat Defense for ISR

Firepower Threat Defense for ISR
Diagram labels: Internet, NGFW, VPN2, Data Centre, SaaS Applications, Employee, Guest, HQ Destined Traffic, Employee Internet Traffic, Guest Internet Traffic.

Firepower Threat Defense for ISR - Appendix
• UTD – Unified Threat Defense
• RITE – Router IP Traffic Export feature
• BDI - Bridge Domain Interface
• VPG – Virtual Port Group
• CIMC – Cisco Integrated Management Controller
• UCS – Unified Computing System
• QFP – Quantum Flow Processor
• UCS E-series - Unified Computing System – Express (Blade servers for ISR routers)
• AMP – Advance Malware Protection
• TG – Threat Grid

Firepower Threat Defense for ISR - using BDI method
• Host the sensor VM on the UCS-E
• FTDv is in inline mode
• Packets ingress via the UCS E front panel port
• Firepower sensor examines traffic; allowed packets egress the WAN interface

Diagram: switch connected to the UCS-E front panel port Ge2 (ESXi on the UCS-E) and to the router's LAN port G0/0/2 (STP blocked interface); UCS-E attached to the router on ucse 2/0/1; WAN port G0/0/3.

Firepower Threat Defense for ISR - FTDv using BDI
Switch Config

Enable Rapid Spanning Tree on the Switch
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 20,30 hello-time 1
spanning-tree vlan 20,30 forward-time 4

Port connected to the router's G0/0/2 Port
interface GigabitEthernet1/0/1
 description connected to ISR-4451 G0/0/2
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 spanning-tree cost 100

Port connected to the UCS-E Front Panel Ge 2 Port
interface GigabitEthernet1/0/5
 description Connected to Ge 2 port on the UCS-E Blade
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 spanning-tree cost 10

Diagram labels: WAN; router G0/0/2; UCS E Ge 2 (VNF); switch ports G1/0/1 and G1/0/5; STP blocked interface; LAN.

Firepower Threat Defense for ISR – FTDv using BDI

Diagram (topology): ISR 4451 with UCS E 140S; Firepower Sensor VNIC 2 == Ge 2, VNIC 1 == UCS 2/0/1, MGMT VNIC 0 == UCS 2/0/0; BDI 20 - 10.20.20.1; host in vlan 20 at 10.20.20.20 with GW 10.20.20.1; 2650 switch ports G1/0/5 and G1/0/1; router G0/0/2 (LAN) and G0/0/3 (128.107.213.x, INTERNET); Firepower Mgmt Center (FMC) 10.1.10.252 at Corporate HQ; ESXi 10.20.40.150, FP .200; CIMC. Traffic flows shown: Laptop to Internet Traffic; Laptop to ESXi and FP Management Traffic.

Firepower Threat Defense for ISR - FTDv using BDI
Router Config

FTDv interfaces: vNIC2 = inside (UCS-E front panel port), vNIC1 = outside (ucse2/0/1)

interface ucse2/0/1
 no ip address
 negotiation auto
 switchport mode trunk
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  bridge-domain 20

! Firepower side; STP-blocked interface
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
 ! for vlan 20
 service instance 20 ethernet
  encapsulation dot1q 20
  rewrite ingress tag pop 1 symmetric
  bridge-domain 20

interface BDI20
 ip address 10.20.20.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-ACL
 permit ip 10.20.20.0 0.0.0.255 any

interface GigabitEthernet0/0/3
 ip address 128.107.213.x 255.255.255.0
 ip nat outside
Firepower Threat Defense for ISR – using VRF method
• Host the sensor on the UCS-E
• FTDv is in routed mode
• Packets ingress via the router's copper port
• Inside interface of FTDv is ucse 2/0/0
• Firepower sensor examines traffic; allowed packets are sent to the router using ucse 2/0/1

[Figure: the UCS E-Series (running ESXi) attaches to the router through ucse 2/0/0 and ucse 2/0/1; LAN port G0/0/2, WAN port G0/0/3.]
Firepower Threat Defense for ISR – FTDv using VRF

[Figure: lab topology. The Firepower sensor runs on a UCS E 140S under ESXi with VNIC 0 == UCS 2/0/0 (inside), VNIC 1 == UCS 2/0/1 (outside) and VNIC 2 == Ge 2 (management); ESXi management is 10.20.40.150 and sensor management 10.20.40.200. A laptop in VLAN 20 (10.20.20.20, GW 10.20.20.1) connects through the 2650 switch port G1/0/1 to ISR 4451 G0/0/2.20 (VRF inside). The router's subinterfaces U2/0/0.10 (10.10.10.1, VRF inside) and U2/0/1.15 (10.10.10.2) sit on either side of the sensor. G0/0/3 (128.107.213.x) faces the Internet and Corporate HQ, where the FMC sits at 10.1.10.252.]

http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-e-series-servers/white-paper-c11-739289.html#_Toc486544453
Firepower Threat Defense for ISR – FTDv using VRF

vNIC0 Inside

interface GigabitEthernet0/0/2.20
 encapsulation dot1q 20
 ip vrf forwarding inside
 ip address 10.20.20.1 255.255.255.0

interface ucse2/0/0.10
 encapsulation dot1q 10
 vrf forwarding inside
 ip address 10.10.10.1 255.255.255.0

ip route vrf inside 0.0.0.0 0.0.0.0 10.10.10.2

vNIC1 Outside

interface ucse2/0/1.15
 encapsulation dot1q 15
 ip address 10.10.10.2 255.255.255.0
 ip nat inside

interface GigabitEthernet0/0/3
 ip address 128.107.213.197 255.255.255.0
 ip nat outside

ip access-list extended NAT-ACL
 permit ip 10.20.20.0 0.0.0.255 any

ip nat inside source list NAT-ACL interface GigabitEthernet0/0/3 overload
ip route 0.0.0.0 0.0.0.0 128.107.213.129
ip route 10.20.20.0 255.255.255.0 10.10.10.1
Cisco Firepower Threat Defense for ISR – IPS using VRF
Optional Fail Open

! Probe the far side of the sensor from inside the VRF; track 1 goes down
! when the probe fails (or exceeds the 500 ms threshold) for 3 seconds
ip sla 1
 icmp-echo 10.10.10.2 source-ip 10.10.10.1
 vrf inside
 threshold 500
 timeout 1000
 frequency 2
!
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1
 delay down 3

! Sensor unreachable: take the LAN subinterface out of the VRF so traffic bypasses the sensor
event manager applet ipsla_ping-down
 event syslog pattern "1 ip sla 1 state Up -> Down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config term"
 action 2.0 cli command "interface g0/0/2.20"
 action 2.5 cli command "no ip vrf forwarding"
 action 2.6 cli command "ip address 10.20.20.1 255.255.255.0"
 action 2.7 cli command "ip nat inside"
 action 2.8 cli command "zone security EMPLOYEE"
 action 3.1 cli command "write mem"

! Sensor back: put the LAN subinterface back into the VRF
event manager applet ipsla_ping-up
 event syslog pattern "1 ip sla 1 state Down -> Up"
 action 1.0 cli command "enable"
 action 1.5 cli command "config term"
 action 2.0 cli command "interface g0/0/2.20"
 action 2.5 cli command "ip vrf forwarding inside"
 action 2.6 cli command "ip address 10.20.20.1 255.255.255.0"
 action 2.7 cli command "no ip nat inside"
 action 2.8 cli command "no zone security EMPLOYEE"
 action 3.1 cli command "write mem"
Cisco Firepower Threat Defense for ISR – IPS using VRF
Optional Fail Open

event manager applet ipsla_ping-down
 event syslog pattern "1 ip sla 1 state Up -> Down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config term"
 action 2.0 cli command "interface g0/0/2.20"
 action 2.5 cli command "no ip vrf forwarding"
 action 2.6 cli command "ip address 10.20.20.1 255.255.255.0"
 action 2.7 cli command "ip nat inside"
 action 2.8 cli command "zone security EMPLOYEE"
 action 3.0 cli command "interface g0/0/2"
 action 3.1 cli command "no ip vrf forwarding"
 action 3.2 cli command "ip address 10.20.40.1 255.255.255.0"
 action 3.3 cli command "ip nat inside"
 action 3.4 cli command "zone security EMPLOYEE"
 action 3.5 cli command "interface t1"
 action 3.6 cli command "no ip vrf forwarding"
 action 3.7 cli command "ip address 10.1.20.3 255.255.255.0"
 action 3.8 cli command "zone security EMPLOYEE"
 action 3.9 cli command "write mem"

event manager applet ipsla_ping-up
 event syslog pattern "1 ip sla 1 state Down -> Up"
 action 1.0 cli command "enable"
 action 1.5 cli command "config term"
 action 2.0 cli command "interface g0/0/2.20"
 action 2.5 cli command "ip vrf forwarding inside"
 action 2.6 cli command "ip address 10.20.20.1 255.255.255.0"
 action 2.7 cli command "no ip nat inside"
 action 2.8 cli command "no zone security EMPLOYEE"
 action 3.1 cli command "interface g0/0/2"
 action 3.2 cli command "ip vrf forwarding inside"
 action 3.3 cli command "ip address 10.20.40.1 255.255.255.0"
 action 3.4 cli command "no ip nat inside"
 action 3.5 cli command "no zone security EMPLOYEE"
 action 3.6 cli command "interface t1"
 action 3.7 cli command "ip vrf forwarding inside"
 action 3.8 cli command "ip address 10.1.20.3 255.255.255.0"
 action 3.9 cli command "no zone security EMPLOYEE"
 action 4.0 cli command "write mem"
Firepower Threat Defense for ISR - Resources

Configuration Guide - Firepower Threat Defense for ISR
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-3s/sec-data-utd-xe-3s-book/sec-data-fpwr-utd.html

Firepower Threat Defense for ISR
http://www.cisco.com/c/en/us/products/security/router-security/firepower-threat-defense-isr.html

Firepower Threat Defense for ISR 4K & G2 - IPS inline mode using UCS-E front panel port
https://community.cisco.com/t5/security-documents/firepower-threat-defense-ngipsv-for-isr-ips-using-front-panel/ta-p/3155017

Firepower Threat Defense for ISR 4K & G2 - IPS inline mode using VRF method
https://community.cisco.com/t5/security-documents/firepower-threat-defense-ngipsv-for-isr-4k-amp-g2-ips-inline/ta-p/3162267

UCS E-Series
http://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-e-series-servers/white-paper-listing.html
Additional Resources

Cisco UCS E-Series Deployment White Paper
https://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-e-series-servers/white-paper-c11-739289.html#_Toc486544453

Deployment Examples: Cisco UCS E-Series Integration with Passive and Inline Services on ESXi White Paper
https://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-e-series-servers/white-paper-c11-739289.html

Firepower Management Center Configuration Guide
https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622.html

Configuration Examples and Technotes
https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-configuration-examples-list.html

Firepower Threat Defense show commands
https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_5.html
Additional Resources

Cisco NGFWv Data Sheet
https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/datasheet-c78-742480.html

Cisco NGFWv for VMware Deployment Quick Start Guide
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-fdm-vmware-qsg.html?referring_site=RE&pos=1&page=https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-qsg.html

NGFWv Communities Documentation
https://supportforums.cisco.com/t5/security-documents/firepower-threat-defense-ngfwv-on-ucs-e-series-blade-on-isr-4k/ta-p/3215394
https://community.cisco.com/t5/security-documents/firepower-threat-defense-ngfwv-on-ucs-e-series-blade-on-isr-4k/ta-p/3215375
Encrypted Traffic Analytics (ETA)
Finding malicious activity in encrypted traffic

[Figure: network devices (Cisco cat9k switches and routers; other devices will be supported soon) export NetFlow telemetry for encrypted malware detection and cryptographic compliance to Cisco Stealthwatch, where Cognitive Analytics uses that 'metadata' for malware detection and cryptographic compliance.]

• Leveraged network – Enhanced NetFlow from Cisco's cat9k switches and routers
• Faster investigation – Enhanced analytics and machine learning
• Higher precision – Global-to-local knowledge correlation
• Stronger protection – Continuous enterprise-wide compliance
Encrypted Traffic Analytics – Benefits and Requirements

Benefits
• Identifies malware in encrypted traffic without decrypting
• Crypto audit

Requirements
• SEC-K9 license
• XE 16.6.2 and above on ASR, ISR 4K, 1K, ISRv and CSR
• Stealthwatch Management
• Supports VRF (16.8.1)
• Support for IPv6 (coming in 16.12.1)
How do we inspect encrypted traffic?

• Initial Data Packet – Make the most of the unencrypted fields (e.g. a self-signed certificate)
• Sequence of Packet Lengths and Times – Identify the content type through the size and timing of packets (e.g. C2 message, data exfiltration)
• Threat Intelligence Map – Who's who of the Internet's dark side: broad behavioral information about the servers on the Internet
Encrypted Traffic Analytics – Configuration

Step 1 – Configure ETA with an optional whitelist access-list

Router(config)#ip access-list extended 101
Router(config-ext-nacl)#permit ip host 10.20.20.2 any
Router(config-ext-nacl)#permit ip any host 10.20.20.2

Router(config)#et-analytics
Router(config-et-analytics)#ip flow-export destination 10.1.10.200 2055
Router(config-et-analytics)#whitelist acl 101

Step 2 – Enable ETA under the interfaces

Router(config)#interface GigabitEthernet0/0/2.20
Router(config-subif)#et-analytics enable

Router(config)#interface GigabitEthernet0/0/2.30
Router(config-subif)#et-analytics enable
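The ETA whitelist above and the NAT-ACL on the FTDv/VRF slide both depend on how IOS evaluates an extended ACL: first match wins, wildcard bits set to 1 are ignored, and every list ends in an implicit deny. The Python below is an added example written for this page, not Cisco code and not part of the deck. It parses the two ACLs exactly as the slides give them and evaluates constructed flows (the 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation-range values made up for the example), including a constructed mistaken ACL in which a subnet mask was typed where a wildcard belongs. Only the syntax the slides use is parsed; port operators are not supported.

```python
"""Model of IOS extended-ACL matching for the ETA whitelist and the NAT-ACL.

Added example, not Cisco code.  Supported ACE syntax (as on the slides):
  permit|deny <proto> <src-spec> <dst-spec>
where a spec is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress


def _parse_spec(tokens):
    """Consume one address spec; return ((value, mask), remaining_tokens).

    A packet address a matches when (a & mask) == value.  Wildcard bits set
    to 1 are 'don't care', so the match mask is the inverted wildcard."""
    kw = tokens[0]
    if kw == "any":
        return (0, 0), tokens[1:]
    if kw == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    mask = wildcard ^ 0xFFFFFFFF
    return (addr & mask, mask), tokens[2:]


def parse_acl(text):
    """Return the ACEs of an 'ip access-list extended' block, in order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue  # header, remark or comment line
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_spec(tokens[2:])
        dst, rest = _parse_spec(rest)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, proto, src_ip, dst_ip):
    """First-match lookup.  Returns (action, ace_number); ace_number 0 means
    the implicit 'deny ip any any' at the end of every IOS ACL matched."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for n, (action, aproto, (sval, smask), (dval, dmask)) in enumerate(aces, 1):
        if aproto != "ip" and aproto != proto:
            continue
        if (s & smask) == sval and (d & dmask) == dval:
            return action, n
    return "deny", 0


# ACLs as written on the slides.
ETA_WHITELIST = """\
ip access-list extended 101
 permit ip host 10.20.20.2 any
 permit ip any host 10.20.20.2
"""

NAT_ACL = """\
ip access-list extended NAT-ACL
 permit ip 10.20.20.0 0.0.0.255 any
"""

# Constructed mistake for contrast: a subnet mask typed where a wildcard
# belongs.  IOS reads 255.255.255.0 as 'ignore the first three octets'.
MISTAKEN_NAT_ACL = """\
ip access-list extended NAT-ACL-WRONG
 permit ip 10.20.20.0 255.255.255.0 any
"""


def eta_exempt(src_ip, dst_ip):
    """True when the flow hits the whitelist, i.e. is excluded from ETA export."""
    return evaluate(parse_acl(ETA_WHITELIST), "ip", src_ip, dst_ip)[0] == "permit"


def nat_applies(acl_text, src_ip, dst_ip):
    """True when the flow is selected for NAT by the given ACL."""
    return evaluate(parse_acl(acl_text), "ip", src_ip, dst_ip)[0] == "permit"


if __name__ == "__main__":
    print(eta_exempt("10.20.20.2", "198.51.100.10"))        # True (ACE 1)
    print(eta_exempt("10.20.20.20", "198.51.100.10"))       # False (implicit deny)
    print(nat_applies(NAT_ACL, "10.20.20.20", "198.51.100.10"))           # True
    print(nat_applies(MISTAKEN_NAT_ACL, "10.20.20.20", "198.51.100.10"))  # False
```

The mistaken list is the check worth keeping: with a subnet mask in the wildcard position the NAT-ACL no longer matches 10.20.20.20 but does match any address ending in .0, which is why a `show access-lists` hit count of zero after the first user session is the symptom to look for.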
Encrypted Traffic Analytics (ETA) - Resources

Encrypted Traffic Analytics (ETA)
https://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/eta.html

ETA Configuration Guide for Routers
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/xe-16-6/nf-xe-16-6-book/encrypted-traffic-analytics.html

Cognitive Analytics
https://cognitive.cisco.com

Stealthwatch and CTA Configuration Guide
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cta/configuration/SW_6_9_1_Stealthwatch_and_CTA_Configuration_Guide_DV_1_6.pdf

Detecting Encrypted Malware Traffic (Without Decryption) blog
https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption

Cisco Validated Design (CVD) Guide for ETA Deployment
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Encrypted-Traffic-Analytics-Deployment-Guide-2017DEC.pdf
Troubleshooting

Firepower Threat Defense for ISR - Troubleshooting
https://supportforums.cisco.com/document/13078621/troubleshooting-firepower-threat-defense-isr

Cisco Umbrella (OpenDNS) - Troubleshooting
https://supportforums.cisco.com/document/13229216/cisco-umbrella-opendns-troubleshooting

Packet Tracer
http://www.cisco.com/c/en/us/support/docs/content-networking/adaptive-session-redundancy-asr/117858-technote-asr-00.html

TAC Troubleshooting Tools
http://www.cisco.com/c/en/us/support/web/tools-catalog.html
Control Plane Security
Control Plane Policing
Police inbound UDP traffic to 16 Kbps

ip access-list extended UDP
 permit udp any any
!
class-map match-all UDP
 match access-group name UDP
!
policy-map CoPP
 class UDP
  police 16000 conform-action transmit exceed-action drop violate-action drop
!
control-plane
 service-policy input CoPP
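To see what `police 16000 conform-action transmit exceed-action drop violate-action drop` does to traffic punted to the route processor, here is an added Python model of the policer, written for this page rather than taken from Cisco's implementation. It assumes a single-rate token bucket with CIR 16000 bit/s and a constructed burst (Bc) of 2000 bytes; IOS derives its own default Bc when none is configured, so the exact counts differ on a real box. Two constructed punt streams are run through the CoPP policy: a UDP burst arriving at about 400 kbit/s and a UDP stream at exactly 16 kbit/s, each mixed with TCP packets that fall into class-default, which the slide leaves unpoliced.

```python
"""Token-bucket model of the CoPP class 'UDP' on the slide (added example).

Assumptions (not from the slide): single-rate, two-colour policer with
CIR = 16000 bit/s and a constructed Bc of 2000 bytes.  Time is in integer
milliseconds so the refill arithmetic is exact.
"""
from dataclasses import dataclass

CIR_BPS = 16000   # 'police 16000' on the slide: 16 kbit/s
BC_BYTES = 2000   # constructed burst size; IOS picks its own default Bc


@dataclass
class TokenBucket:
    cir_bps: int
    bc_bytes: int
    tokens: int = 0
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.bc_bytes  # bucket starts full

    def offer(self, now_ms: int, size: int) -> str:
        """Return 'transmit' or 'drop' for a packet of `size` bytes at now_ms."""
        elapsed = now_ms - self.last_ms
        # Refill at CIR/8 bytes per second, never above Bc.
        self.tokens = min(self.bc_bytes, self.tokens + elapsed * self.cir_bps // 8000)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"


def apply_copp(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES):
    """packets: iterable of (time_ms, protocol, size_bytes) punted to the RP.

    Only the UDP class is policed (exceed and violate both drop); every other
    protocol lands in class-default, which the slide's policy-map leaves
    unpoliced, so it is counted as transmitted."""
    bucket = TokenBucket(cir_bps, bc_bytes)
    result = {"udp_transmit": 0, "udp_drop": 0, "other_transmit": 0}
    for t, proto, size in sorted(packets):
        if proto == "udp":
            result["udp_" + bucket.offer(t, size)] += 1
        else:
            result["other_transmit"] += 1
    return result


def flood_sample():
    """Constructed: 20 UDP packets of 500 bytes, 10 ms apart (400 kbit/s),
    interleaved with two TCP packets that must not be policed."""
    pkts = [(i * 10, "udp", 500) for i in range(20)]
    pkts += [(5, "tcp", 60), (105, "tcp", 60)]
    return apply_copp(pkts)


def conforming_sample():
    """Constructed: 500-byte UDP packets every 250 ms, i.e. exactly 16 kbit/s."""
    pkts = [(i * 250, "udp", 500) for i in range(10)]
    return apply_copp(pkts)


if __name__ == "__main__":
    print(flood_sample())       # 4 UDP transmitted, 16 dropped, 2 TCP untouched
    print(conforming_sample())  # all 10 UDP transmitted
```

The burst figure is what decides how many packets get through at the start of a flood (2000 bytes is four 500-byte packets here); after that only the CIR matters. The other point the model makes visible is that the slide's policy constrains UDP only: anything that misses the `UDP` class reaches the RP at whatever rate it arrives.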
Punt Policing and Monitoring
Punt policing frees the RP from having to process noncritical traffic.

• Global Configuration

platform punt-police queue 20 9000 10000

• Per Interface Configuration (PPS) – introduced in IOS-XE 16.4.1

platform punt-interface rate 10

interface G0/0/3
 punt-control enable 20

show platform software infrastructure punt statistics
Management Plane Security
Management Plane Protection
• Allow only ssh and snmp

Router(config)# control-plane host
Router(config-cp-host)# management-interface GigabitEthernet 0/0/3 allow ssh snmp

Router# show management-interface

Management interface GigabitEthernet 0/0/3
Protocol Packets processed
ssh 0
snmp 0
IOS-XE VS XE SD-WAN
IOS-XE

ZBF+NBAR2
• ISR G2 and 4K Series Routers
• ISR 1K Series Routers
• ISRv
• ASR
• CSR

Snort IPS
• ISR 4K Series Routers
• ISRv
• CSR

URL Filtering
• CSR

Umbrella Integration
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• ASR
• CSR

Firepower Threat Defense
• ISR G2 and ISR 4K Series Routers with UCS E-Series Blades
• ENCS

ETA
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• ASR
• CSR
XE SD-WAN

Ent. FW App Aware
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• CSR *
• ASR

IPS
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• CSR *

URL-F
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• CSR *

DNS/web-layer sec
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• CSR *
• ASR

AMP (file reputation)
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• CSR *

TG (file analysis)
• ISR 4K Series Routers
• ISR 1K Series Routers
• ISRv
• CSR *

* CSR – Only on AWS & KVM
SD-WAN Security IOS-XE Routers

Platforms/Features | Ent FW with App Awareness | IPS/IDS | URL Filtering | DNS/web-layer Monitoring *
Cisco - CSR | Y | Y | Y | Y
Cisco – ENCS (ISRv) | Y | Y | N | Y
Cisco – ISR4K (4461, 4451, 4431, 4351, 4331, 4321, 4221-X) | Y | Y | N | Y
Cisco – ISR1K (1111X-8P) | Y | Y | N | Y
Cisco - ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X) | Y | N/A | N/A | Y

FW App Aware and Umbrella Integration security will work with default 4 GB DRAM
Security Features on XE SD-WAN Routers – 16.10.1
Ent FW App Aware and DNS/web-layer security will work with default 4 GB DRAM

Platforms/Features | Ent FW with App Awareness | IPS/IDS | URL Filtering | AMP ** | TG ** | DNS/web-layer Monitoring *
Cisco - CSR | Y | Y | Y | Y | Y | Y
Cisco – ENCS (ISRv) | Y | Y | Y | Y | Y | Y
Cisco – ISR4K (4461, 4451, 4431, 4351, 4331, 4321, 4221-X) | Y | Y | Y | Y | Y | Y
Cisco – ISR1K (1111X-8P) | Y | Y | Y | Y | N | Y
Cisco - ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X) | Y | N/A | N/A | N/A | N/A | Y

* Need Umbrella Subscription for enforcement
** XE SD-WAN 16.11.1a and vManage 19.1
IOS-XE VS XE SD-WAN

Feature | IOS-XE | XE SD-WAN
Ent. Firewall App Aware – Custom zone | Y | Y
Ent. Firewall App Aware – Self Zone | Y | Coming in 16.12.1
Ent. Firewall App Aware – Default Zone | Y | N
Ent. Firewall App Aware – Resource Management | Y | N
Ent. Firewall App Aware – SYN Cookie Protection | Y | N
Ent. Firewall App Aware – Multi Tenancy | Y | Y
Ent. Firewall App Aware – IPv6 | Y | N
Ent. Firewall App Aware – L7 Inspection | Y | N
Ent. Firewall App Aware – SGT | Y | N
Ent. Firewall App Aware – High Availability | Y | N
Ent. Firewall App Aware – HSL Logging | Y | Coming in 16.12.1
IPS | Y | Y
URL Filtering | Y | Y
DNS Layer Security | Y | Y
AMP & TG | N | Y
ETA | Y | N
IOS-XE VS XE SD-WAN

Feature | IOS-XE | XE SD-WAN
Control Plane Protection | Y | N
Management Plane Protection | Y | road-map
Default WAN interface protection (only allow known tunnel end points to send traffic) | N | Y
IOS-XE Security Features – Order of Operation
LAN to WAN (G0/0 – LAN facing, G0/1 – WAN facing)

Ingress G0/0: 1 IP Dest Lookup -> 2 NBAR -> 3 DNS Security -> 4 VFR -> 5 CEF
Egress G0/1: 1 FW -> 2 IPS / URL-F (UTD) -> 3 NBAR -> 4 NAT -> 5 DNS Security

UTD – Unified Threat Defense
IOS-XE Security Features – Order of Operation
WAN to LAN (G0/0 – LAN facing, G0/1 – WAN facing)

Ingress G0/1: 1 DNS Layer -> 2 VFR -> 3 NAT -> 4 CEF
Egress G0/0: 1 FW -> 2 IPS / URL-F (UTD) -> 3 DNS Layer -> 4 NBAR

UTD (Unified Threat Defense)
XE SD-WAN: From LAN to WAN

Input path: Interface ACL -> IP Dest Lookup -> NBAR -> FNF First -> SDWAN Data Policy -> App-Route Policy -> DNS-Redirect -> Lookup Process & OCE Walk -> Go to Output

Output path: FW -> UTD -> MPLS Label Add -> Tunnel Encap -> Pre-Route -> FW -> UTD -> NAT -> IPSEC Encrypt (Transport mode) -> Layer 2 Encap -> DNS Crypt -> ACL -> FNF LAST -> TX

UTD: IPS->URL-F->AMP/TG. The slide colour-codes each stage by the interface it runs on: LAN interface, tunnel interface, WAN interface.

OCE – Output Chain Element
XE SD-WAN: From WAN to LAN

WAN interface: IP Dest lookup -> SDWAN For-us Filter -> SDWAN ACL -> IPSEC Decrypt -> NAT -> Lookup Process & OCE walk -> Go to Output

Tunnel interface: MPLS Label Lookup -> MPLS transition to IP -> IP Dst lookup in vrf -> NBAR -> FNF first -> SDWAN Data Policy -> App-route Policy -> Lookup Process & OCE walk -> Go to Output

LAN interface: FW -> UTD -> L2 Encap -> ACL -> FNF Last -> TX

UTD: IPS->URL-F->AMP/TG. The slide colour-codes each stage by the interface it runs on: LAN interface, tunnel interface, WAN interface.

OCE – Output Chain Element
Management
IOS-XE Routers using WebUI

XE SD-WAN Routers using vManage
WebUI VS vManage – Security Configuration

 | Ent. FW App Aware | IPS | URL-F | DNS Layer Security | AMP & Threat Grid | ETA
WebUI - onbox | Y (FW only) | Y | Y | Y | N | Y
vManage - offbox | Y | Y | Y | Y | Y | N
WebUI VS vManage – Manage, Monitoring, Reporting, Troubleshoot

 | Events | Alerts | Logs | Packet Captures | Network wide view | Device specific view | Real Time
WebUI - onbox | N | N | N | Y | N | N | N
vManage – offbox | Y | Y | Y | N | Y | Y | Y
Summary

ZBF – Build a comprehensive, scalable security solution to protect user services. Provides stateful firewall and segmentation. Supports VRF and SGT.

Snort IPS – Snort is the most widely deployed Intrusion Prevention System in the world with more than 4 million downloads. The Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on ISR 4K, ISRv and CSR routers. Snort monitors network traffic and analyzes it against a defined rule set. Supports VRF.

URL Filtering – This on-box feature enables content filtering based on 82 different categories as well as a web reputation score using the Brightcloud database.

Cisco Umbrella – Cisco Umbrella Integration offers easy-to-manage DNS-layer content filtering based on categories as well as reputation. It prevents branch users and guests from accessing inappropriate content and known malicious sites that might contain malware and other security risks. Supports VRF.

AMP & TG – File Reputation: once enabled, the router computes the SHA-256 of files uploaded to or downloaded from the Internet and queries the AMP cloud for the file's reputation. If the AMP cloud has no knowledge of the computed SHA and Threat Grid is enabled, the entire file is sent for sandboxing. Using AI and machine learning algorithms, TG determines whether the file is malicious and the verdict is sent to the AMP cloud for future reference. Supports VRF.

Firepower – Firepower Threat Defense offers IPS/AVC, URL Filtering and AMP (Advanced Malware Protection). This is a one-box solution supported on both ISR G2 and ISR 4K routers. Intrusion Detection is accomplished using AppNav redirection/replication; Intrusion Prevention is accomplished either via the front panel port on the UCS-E or using the VRF method.

ETA – Detects malicious content in encrypted packets without having to decrypt them, as well as Crypto Audit for enterprises.
Demo
SD-WAN Topology

[Figure: SD-WAN demo topology with the labels FC, Internet, 192.168.1.1, 1.1.1.1, 10.118.34.9 (admin/admin), Mgmt 1.1.1.2, N/W 1.1.1.3.]

WebUI Demo Topology

[Figure: Internet; 192.168.1.0/24; 192.168.40.0/24; WebUI-Ubuntu host.]
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you

#CLUS