SCAZT: SD-WAN Security

Note: This tutorial is adapted from the SCAZT course on Cisco U. If you find this helpful, consider taking the full course.

What You’ll Learn

Cisco Catalyst Software-Defined WAN (SD-WAN) integrated security overview
Implementing an application-aware enterprise firewall
Filtering applications
Managing policies

What You’ll Need

Cisco Catalyst SD-WAN with SD-WAN Manager

With business applications moving to the cloud and the increased use of direct internet access, branch locations require a wide range of security services. Protecting branch offices with the appropriate security capabilities is critical in today’s shifting IT landscape. Cisco Catalyst SD-WAN (formerly Cisco SD-WAN) brings the necessary security capabilities natively across the Catalyst SD-WAN solution with the well-established single pane of glass management for both the Catalyst SD-WAN and security services.

overview

Catalyst SD-WAN offers these integrated security services:

Application-aware enterprise firewall
Intrusion detection and prevention based on the Snort processing engine and backed by Cisco Talos signature updates
Cisco URL filtering with Webroot BrightCloud and URL categorization and reputation
Domain Name System (DNS) and web-layer security with Cisco Umbrella
Cisco Secure Endpoint (formerly Cisco Advanced Malware Protection [AMP]) with Secure Malware Analytics (formerly Threat Grid) and Malware Analytics Cloud
Transport Layer Security (TLS) decryption with TLS proxy

In addition to the integrated security services, Catalyst SD-WAN supports Cisco Umbrella integration for cloud-delivered enterprise network security, thanks to the Cisco Umbrella Secure Internet Gateway (SIG).

Intrusion Detection and Prevention

The intrusion detection and prevention in Catalyst SD-WAN is based on a well-proven Snort engine and backed by Cisco Talos signatures. Talos signatures update automatically.

SD-WAN IPS

The intrusion detection and prevention systems work in either the detection or prevention mode, based on the configured policy.

The intrusion prevention system (IPS) engine performs these tasks:

It monitors the network traffic and performs analysis based on a defined IPS signature set.
It performs attack classification.
It performs actions based on the matched policy rules.

When you enable Snort in the intrusion detection system (IDS) mode, it monitors the traffic and generates alerts. It does not take any action to prevent attacks. In IPS mode, in addition to the detection, the Snort engine enforces actions to prevent attacks.

The IDS or IPS system will analyze the traffic and report events to Cisco Catalyst SD-WAN Manager (formerly Cisco vManage) or an external log server. You can use external third-party monitoring tools supporting Snort logs for log collection and analysis.

IPS Snort Engine Architecture

The IPS engine is deployed by using a security virtual image, and only Cisco IOS XE SD-WAN devices support the feature. The Snort engine runs on a Linux container (LXC) by using control plane resources. Using the virtual port group (VPG) interfaces, the IPS engine redirects the traffic that you want to inspect to the container.

SD-WAN Snort

There are two types of VPG interfaces:

Management VPG: Used for logging and downloading signature updates from Cisco.com
Traffic VPG: Used for data traffic between the data plane and the Snort virtual container

By using Cisco Catalyst SD-WAN 17.5 or 20.5 and onward, you can enable multiple instances of the Snort engine to provide reduced latency and improved performance.

Note: The lab environment is not available for this tutorial. However, the configuration steps are provided for your reference. Feel free to follow along with the provided outputs.

In this tutorial, you will design and deploy an interzone firewall policy for Direct Internet Access (DIA). You will use a classic security policy by using the Custom workflow. You will ensure that any internal traffic is not inspected by the firewall, and you will only inspect HTTP or HTTPS internet traffic. The firewall should also allow any DNS traffic and block any other internet-bound traffic from leaving branch sites. Based on company policy, social networking websites—including Facebook and Instagram—should be blocked at all branch sites.

Note: Although Cisco vManage is now called Cisco Catalyst SD-WAN Manager, the screenshots shown in this tutorial still display the previous name.

From the jump host, access SD-WAN Manager and start the wizard to add a classic security policy by using the Custom policy workflow.

In SD-WAN Manager, navigate to Configuration > Security.

wan dashboard

Click the Add Security Policy button to start configuring the firewall policy by using the classic security policy wizard.

add policy

Choose a Custom policy set, where you can build your own security policy by using a variety of policy building blocks.

custom policy

Click the Proceed button to continue.

Create a new firewall policy within your new security policy. Provide a name and description for the new firewall policy (example: Lab1_Task2_Branch_DIA_FW_v1).

Click the Add Firewall Policy button and choose Create New.

add policy new

Enter the name and description of the new firewall policy. Both Name and Description are mandatory fields and must be provided (example: Lab1_Task2_Branch_DIA_FW_v1).

enter name policy

Create a new firewall rule by using rule sets. Rule sets are used to group similar rules with the same action to optimize the firewall policy.

Click Add Rule/Rule Set Rule and choose Add Rule with Rule Sets.

add rule sets

Provide a name for the rule, and set the Action field to Inspect to enable stateful packet inspection. The default name is Rule 1. Click (+) Rule Sets to add a rule set to your firewall rule.

rule sets inspect

Rule sets can be created independently and assigned to a rule, or they can be created through the workflow. There are no existing rule sets available. Click (+) New Rule List to create a new rule set.

new rule set

Provide a name for the new rule set (example: DIA_WEB_DNS).

name rule set

Create two rules within the rule set, and add the rule set to your firewall rule. The first rule in the rule set should include HTTP and HTTPS, and the second rule should include DNS traffic.

Click (+) Protocol to assign protocol lists or specific protocols to the rule match condition.

add rule protocol

Use the search box under Protocol Names to find http, and choose both http and https.

choose http option

Click the Save button to save your selection.

save selection

Click the Save Rule button to save the first rule for web traffic.

save rule

Proceed to add the second rule for DNS traffic. Click (+) Protocol to assign protocol lists or specific protocols to the rule match condition.

second rule DNS

Use the search box under Protocol Names to find dns, and add it to the rule.

DNS Protocol Name

Click the Save button to save your selection.

Save protocol name

Click the Save Rule button to save the first rule for web traffic.

web traffic rule

Click the Save Rule Set button to save the newly created rule set.

save rule set

You have created a new rule set with multiple match conditions. Keep in mind that the rule set uses a common action for all the match conditions that are configured within the rule set.

Choose the newly created rule set to add it to the firewall rule, and click the Save button.

add to firewall rule

You have now configured the match conditions for the firewall rule by using a rule set and have set the Action field to Inspect.

action to inspect

The requirements also stated that social networking should be blocked at branch offices. Create an application list to filter the applications that you wish to block.

Click (+) Application List To Drop to assign an application list to the rule.

application list drop

You must create a new application list for this rule. Click (+) New Application List to create one.

new list

Provide a name for the new application list (example: Social_Networking), and add all Facebook and Instagram applications to the list.

list name

Click the Save button to save the new application list.

save list

Choose the newly created application list, and click the Save button to assign it to the firewall rule.

assign firewall

Click the Save button to save the firewall rule that you have created.

save firewall

The firewall rule contains a rule set and an application list under its match conditions, and it is configured for stateful packet inspection.

Now that the firewall rule is created, you must apply a zone pair. You must create two VPN-based zones, INSIDE (VPN 100) and OUTSIDE (VPN 0), and apply them to the traffic flows from the INSIDE to the OUTSIDE zone.

Click the Apply Zone-Pairs button to assign the firewall rules to VPN-based zone pairs.

apply zone

Click the Source Zone search box. Notice that only the Self Zone option is available. Click the New Zone List button to create a new zone.

source zone

Provide a name for the new zone (example: INSIDE), choose the Zone Type as VPN, and enter 100 in the Add VPN text box. Click the Save button to save the new zone.

zone name

Choose the INSIDE zone as the source zone of the zone pair.

inside zone

Click the Destination Zone search box. Notice that you can see the Self Zone and the INSIDE zone. Click the New Zone List button to create a new zone.

destination zone

Provide a name for the new zone (example: OUTSIDE), choose the Zone Type as VPN, and enter 0 in the Add VPN text box. Click the Save button to save the new zone.

outside zone

Choose the OUTSIDE zone as the destination zone of the zone pair.

choose outside

Click the Save button to apply the zone pair to the firewall policy.

save zone pair

Verify the zone pair and rule configuration. You will notice that the INSIDE zone is configured as the source, and the OUTSIDE zone is configured as the destination. Under the rules section, you will notice a single rule containing the rule set that you created. Although the rule set has multiple entries, it is treated as a single rule within the firewall policy.

Click the Save Firewall Policy button to save the changes to the newly created firewall policy.

save firewall policy

Do not add any other policies to the security policy. Provide a name for the security policy, enable the firewall policy, and save the security policy.

Click the Next button a few times to reach the Policy Summary page.

policy summary

On the Policy Summary page, provide a name and description for the security policy (example: Lab1_Security_Policy_v1), enable Audit Trail for the firewall policy, and click the Save Policy button to save the security policy.

audit trail

You have now created a classic security policy with an application-aware firewall.

classic policy

The next step is to attach the newly created security policy to a device template and deploy the policy to the Catalyst SD-WAN Edge devices.

Attach the created security policy to the device templates for branch sites. There are multiple device templates for branch sites, based on specific site requirements. You must attach the new security policy to all branch device templates. Analyze the configuration changes to the device before deploying.
In SD-WAN Manager, navigate to Configuration > Templates.

vManage Templates

You will notice that there are multiple device templates created. Look at the template names and descriptions. You will modify the branch templates and assign the newly created security policy to all of them.

modify branch

Use the more options (…) button for the SDWSCS1.0_EDGE_Branch_DualRouter template, and choose Edit to modify the template.

Dual Router Edit

Navigate to the Additional Templates section within the device template.

Additional Templates

Under the Additional Templates section, find the Security Policy field and choose the policy that you created.

Security Policy Field

Click the Update button to save the changes. Remember, once you modify a device template, the next step is to deploy the changes.

Update button

There is no need to modify any variable values. Click the Next button to proceed.

Next button

Click one of the devices to preview the configuration.

Preview Configuration

Click the Config Diff button to display the configuration difference between the current running configuration and what you are about to deploy.

Configuration Diff

Click the Side By Side Diff button to display the differences side by side.

Side by Side Diff

Scroll down and look for the differences highlighted in green.

Green Color Diff

Additions to the configuration are colored in green, and any removals are colored in red. Look at the class maps and policy maps configured based on the created firewall policy.
Click the Configure Devices button to deploy the configuration.

Deploy Configuration

Mark the Confirm configuration changes on 2 devices check box, and click the OK button to deploy.

Confirm Configuration

Monitor the deployment progress.

Note: Cisco Catalyst SD-WAN Manager can run multiple jobs in parallel. You do not have to wait for this deployment to complete. You can proceed to update the remaining branch device templates and attach the security policy while this deployment is in progress.

Monitor progress

Once the deployment is done, verify that the status of the deployment is Success.

Success Status

Navigate back to Configuration > Templates.

Navigate Templates

Repeat the same procedure and attach the security policy to the rest of the branch device templates.

Repeat Process

Once all three branch device templates have been updated, proceed to the next step to verify firewall functionality.

Verify that the firewall policy is functioning as expected. You can try accessing the internet from a branch PC. Verify that social networking sites in your application list are blocked. Also verify that only DNS, HTTP, and HTTPS traffic is allowed. Other traffic, such as FTP, is blocked.

From SD-WAN Manager, verify that the firewall enforcement inspection and drop statistics are showing both inspected and dropped connections within the last 1 hour.
Access Windows PC1 (Win-PC1) from the lab portal.
Open a web browser and browse a couple of social network sites, such as Facebook or Instagram. Access to Facebook and Instagram should be blocked.
Try another website, something not in the Social_Networking application list (example: www.ietf.org). Accessing any other website that is not on the blocked applications list should be allowed.

websites displayed

Open the Microsoft Edge web browser (because it works better with FTP) and try to access a public FTP server (example: ftp://ftp.mirror.nl). This should be blocked from the branch sites.

blocked from branch

In SD-WAN Manager, navigate to Monitor > Security.

monitor security

Under the Firewall Enforcement section, change the time to **1 Hour. Look at the Inspection and Drop statistics.

It is important to note that it takes 10 to 15 minutes for the statistics monitoring pane to be populated after creating and deploying the policy.

monitoring pane

This completes the interzone firewall policy deployment for securing DIA with the application-aware enterprise firewall.

You’ve completed this tutorial, advancing in your CCNP journey. To continue building your networking skills, check out our additional tutorials, courses, and learning paths.

Why Create a Free Cisco U. Account?

A Cisco U. account helps you:

Personalize training: Set your learning goals and pace.
Track progress: Monitor your achievements and learning milestones.
Resume anytime: Continue your learning exactly where you stopped.

Further Learning Resources

Inside Cisco U.: Step-by-Step Guide to Learning Paths, Courses, Labs, and Tutorials
Explore more on Cisco U.:

Training Resources

• Designing and Implementing Secure Cloud Access for Users and Endpoints v1.0 (SCAZT 300-740) is a 90-minute exam associated with the CCNP Security Certification.

Need Help or Want to Engage?

To ask questions and share ideas, join our Cisco Learning Community.
For technical issues, feedback, or more resources, visit our Cisco U. Support page.

Finishing Up

Don’t forget to click Exit Tutorial to log your completed content.