Secure Access Service Edge (SASE) With Viptela SD-WAN Design Guide

Available Languages

Download Options

  • PDF
    (29.5 MB)
    View with Adobe Reader on a variety of devices
Updated:December 4, 2021

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (29.5 MB)
    View with Adobe Reader on a variety of devices
Updated:December 4, 2021
 

Scope

In scope

Cisco SASE design guide with Viptela covers the following components:

      Cisco Viptela SD-WAN

      Cisco Umbrella Secure Internet Gateway

    DNS Security

    Secure Web Gateway

    Cloud Delivered Firewall including IPS

    Data Loss Prevention

    Remote Browser Isolation

      Cisco Secure Access by Duo

    Multi-factor authentication

    VPNless access to private applications (Duo Network Gateway)

    Single sign on

      Cisco Remote Access VPN

    Cisco AnyConnect

    Cisco Firepower Threat Defense

      Cisco Secure Endpoint

      Cisco ThousandEyes

      Cisco SecureX

    Visibility Dashboard

Out of scope

Cisco SASE design guide with Viptela does not cover the following topics:

      The Viptela scope has been limited to basic WAN connectivity and the creation of IPsec tunnels to Umbrella from a high availability pair. Capabilities such as quality of service, TCP flow optimization or service chaining have not been evaluated in this design

      Security has been assumed to exist in the Data Center, but the level of security, and the use of those tools have not been included in this design guide

      Cisco Secure Endpoint has been included in its most basic form. Creation of custom policies is out of scope for this guide

      Cisco Secure Malware Analytics, the file sandboxing engine used by Cisco Secure Endpoint, is not in scope for this design guide

      Laptops and desktop clients are the only sources of traffic. No smartphones or internet of things devices were used in the creation of this guide

Introduction

Today’s workforce expects seamless access to applications wherever they are, on any device. It is now common practice to provide remote employees with direct access to cloud applications such as Office 365 and Salesforce with additional security. The need for cloud-delivered security service expands daily as contractors, partners, IoT devices and more each require network access. IT needs to protect users and devices as if they were located at a corporate office or branch. Each requires secure access to applications and must now be treated as a ‘branch of one’.

DiagramDescription automatically generated

Figure 1.            

High level SASE Architecture

In this new paradigm, IT requires a simple and reliable approach to protect and connect with agility. This is forcing a convergence of network and security functions closer to users and devices, at the edge—and is best delivered as a cloud-based, as-a-service model called secure access service edge (SASE).

Solution Overview

Diagram, venn diagramDescription automatically generated

Figure 2.            

Three Cs for SASE

The SASE architecture has three core components:

      Connect – Unleash your workforce by delivering a seamless connection to applications in any environment from any location

      Control – Simplify security, streamline policy enforcement, and increase threat protection by combining multiple functions into a single, cloud-native service

      Converge – Unite security and networking through a flexible, integrated approach that meets multi-cloud demands at scale

For a full breakdown of the architecture, see the Cisco SASE Architecture Guide.

SASE Business Flows

In the Cisco SASE Architecture guide, the concept of SAFE business flows was introduced. Cisco SAFE uses the concept of business flows to simplify the analysis and identification of threats, risks, and policy requirements for effective security. This enables the selection of very specific capabilities necessary to secure them.

This design guide addresses the following business flows for a SASE network:

      An unmanaged device accessing business critical SaaS applications

      A managed device browsing the public Internet, such as researching product information

      An unmanaged device accessing corporate applications that are publicly accessible

      A managed device accessing corporate applications that are not publicly accessible

Related image, diagram or screenshot

Figure 3.            

SASE Business Flows

Not all business flows have the same requirements. Some use cases are subject to a smaller attack vector and therefore require less security to be applied. Some have larger and multiple vectors and require more. Evaluating the business flow by analyzing the attack surfaces provides the information needed to determine and apply the correct capabilities for flow specific and effective security. This process also allows for the application of capabilities to address risk and administrative policy requirements.

Graphical user interface, applicationDescription automatically generated

Figure 4.            

SASE Business Flows with required capabilities

SASE Design

A picture containing diagramDescription automatically generated

Figure 5.            

Cisco SASE Architecture

Connect

Viptela SD-WAN with Umbrella SIG

Software-defined WAN (SD-WAN) is a suite of features designed to allow the network to dynamically adjust to changing WAN conditions without the need for manual intervention by the network administrator. By providing granular control over how certain traffic types respond to changes in WAN availability and performance, SD-WAN can ensure optimal performance for critical applications and help to avoid disruptions of highly performance-sensitive traffic, such as VoIP. Additionally, SD-WAN can be a scalable and often much cheaper alternative to traditional WAN circuits like multiprotocol label switching (MPLS) lines. Cisco provides a flexible deployment architecture to extend SD-WAN to any environment. Whether you deploy your product in the cloud or on-premises, Cisco SD-WAN automatically discovers, authenticates, and provisions both new and existing devices.

Graphical user interface, applicationDescription automatically generated

Figure 6.            

Cisco SD-WAN

Enabling direct internet access (DIA) from the branch is simplified with Cisco SD-WAN technology. The Cisco SD-WAN and Umbrella integration enables you to infuse effective cloud security throughout your SD-WAN fabric. Cloud security can be deployed to thousands of branches in a matter of minutes, instantly gaining protection against threats on the internet.

SD-WAN diagram

Figure 7.            

Viptela/Umbrella Integration

AnyConnect

Cisco AnyConnect is unified security endpoint agent that delivers multiple security services to the roaming workforce.

Graphical user interface, applicationDescription automatically generated

Figure 8.            

Cisco AnyConnect Secure Mobility Client

Cisco AnyConnect not only provides VPN access through Secure Sockets Layer (SSL) and IPsec IKEv2 but also offers enhanced security through various built-in modules. Modules used in this guide include:

      Off-Network Protection – Cisco Umbrella Roaming module protects devices while not connected to a trusted network. This module forces all traffic through Umbrella SIG, enabling consistent policies to be applied to users on and off net

      AMP Enabler – Cisco AnyConnect AMP Enabler is used as a medium for deploying Cisco Secure Endpoint, formerly Advanced Malware Protection (AMP). This approach provides the roaming workforce with an additional security agent that detects potential malware threats, allowing for removal of said malware and the quarantine of devices from doing further harm in the network when they try to connect back to the enterprise

For information on additional AnyConnect features, such as the ability to do NetFlow analysis for the roaming workforce, see Cisco AnyConnect Secure Mobility Client.

Duo Network Gateway

Duo Network Gateway (DNG) allows users to access on-premises websites, web applications, and SSH servers without having to worry about managing VPN credentials, while also adding security with Duo MFA (discussed in the Control section below).

DiagramDescription automatically generated

Figure 9.            

Cisco Duo Network Gateway

DNG gives you granular access control per web application, set of SSH servers, and user groups. You can specify different policies to make sure only trusted users and endpoints are able to access your internal services. For example, you can require that SharePoint users complete two-factor authentication at every login, but only once every seven days when accessing Confluence. Duo checks the user, device, and network against an application's policy before allowing access to the application.

Control

Umbrella

With the advent of the cloud era, network architectures designed to provide robust connectivity to a corporate data center is increasingly inefficient and must evolve. Most of the network traffic today occurs either within the data center itself (East-West traffic) or from an organization’s various locations to the cloud via the Internet (North-South traffic). As a result, backhauling network traffic from remote or branch locations over MPLS wide-area network (WAN) links, or roaming user traffic over virtual private network (VPN) connections, is no longer an efficient or viable option. Organizations are increasingly providing DIA broadband links for their remote, branch, and roaming users to access their SaaS applications without the slow performance and latency associated with backhauling traffic to a corporate office with a single security stack. To alleviate the inconvenience of separately managing security settings at each branch location, Umbrella Secure Internet Gateway (SIG) provides a cloud managed solution.

Cisco Umbrella SIG unifies multiple functions in a single solution that traditionally required a set of on-premises security appliances (firewalls, proxies, gateways) or single function cloud-based security solutions. Umbrella combines secure web gateway (SWG), firewall, DNS-layer security, cloud access security broker (CASB) functionality, remote browser isolation (RBI), data loss prevention (DLP), plus interactive threat intelligence in one cloud-delivered service.

Graphical user interface, applicationDescription automatically generated

Figure 10.         

Umbrella

Brief summaries of key Cisco Umbrella functions:

DNS Security

A picture containing diagramDescription automatically generated

Figure 11.         

SAFE Capability - DNS Filtering

By enforcing security at the DNS and IP layers, Umbrella blocks requests to malicious and unwanted destinations before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints. Highlights include:

      The visibility needed to protect internet access across all network devices, office locations, and roaming users

      Detailed reporting for DNS activity by type of security threat or web content and the action taken

      Ability to retain logs of all activity for as long as needed

      Fast rollout to thousands of locations and users to provide immediate return on investment

Secure Web Gateway (SWG)

TextDescription automatically generated with low confidence

Figure 12.         

SAFE Capability – Web Security

Umbrella includes a cloud-based full proxy that can log and inspect all your web traffic for greater transparency, control, and protection. IPsec tunnels, PAC files and proxy chaining can be used to forward traffic for full visibility, URL and application-level controls, and advanced threat protection. Highlights include:

      Content filtering by category or specific URLs to block destinations that violate policies or compliance regulations

      The ability to efficiently scan all uploaded and downloaded files for malware and other threats using the Cisco Secure Endpoint (formerly Cisco AMP) engine and third-party resources

      Cisco Secure Malware Analytics (formerly Threat Grid) rapidly analyzes suspicious files

      File type blocking (e.g., block download of .exe files)

      Full or selective SSL decryption to further protect your organization from hidden attacks and time-consuming infections

      Granular app controls to block specific user activities in select apps (e.g., file uploads to Dropbox, attachments to Gmail, post/shares on Facebook)

      Detailed reporting with full URL addresses, network identity, allow or block actions, plus the external IP address

Cloud-Delivered Firewall (CDFW)

A picture containing textDescription automatically generated

Figure 13.         

Web Capability - Firewall

The Umbrella CDFW provides visibility and control for traffic that originated from requests going to the internet, across all ports and protocols. Highlights include:

      Deployment, management and reporting through the Umbrella single, unified dashboard

      Customizable policies (IP, port, protocol, application and IPS policies)

      Layer 3 / 4 firewall to log all activity and block unwanted traffic using IP, port, and protocol rules

      Layer 7 application visibility and control to identify and control access to thousands of applications

      Intrusion Prevention System (IPS) to examine network traffic flows and prevent vulnerability exploits with an added layer of threat prevention using SNORT 3 technology

      Detection and blocking of vulnerability exploitation

      Scalable cloud compute resources eliminate appliance capacity concerns Cisco Talos threat intelligence to detect and block more threats

Cloud Access Security Broker (CASB)

Graphical user interfaceDescription automatically generated

Figure 14.         

SAFE Capability – Application Visibility & Control

Umbrella helps expose shadow IT by detecting and reporting on cloud applications in use across your environment. Insights can help manage cloud adoption, reduce risk, and block the use of offensive or inappropriate cloud applications. Highlights include:

      Reports on vendor category, application name, and volume of activity for each discovered app

      App details and risk information such as web reputation score, financial viability, and relevant compliance certifications

      Cloud malware detection to detect and remove malware from cloud-based applications and ensure that applications remain malware-free

      Ability to block/allow specific apps

      Tenant restrictions to control the instance(s) of SaaS applications that all users or specific groups/individuals can access.

Data Loss Prevention (DLP)

Graphical user interface, applicationDescription automatically generated

Figure 15.         

SAFE Capability – Data Loss Prevention

As more companies move toward cloud-based services, company data becomes more vulnerable to both malicious exfiltration and unintentional misuse by inexperienced users. Umbrella DLP analyzes data in-line to provide visibility and control over sensitive data leaving your organization. Highlights include:

      Easy enablement as part of Umbrella secure web gateway

      80+ built-in content classifiers including personally identifiable information (PII), payment card industry (PCI), and personal health information (PHI)

      Content classifiers are customizable with threshold and proximity to tune and reduce false positives

      Create user-defined dictionaries with custom phrases (such as project code names)

      Detection and reporting on sensitive data usage and drill-down reports to help identify misuse

      Inspection of cloud application and web traffic content and enforcement of data policies

Remote Browser Isolation (RBI)

A screenshot of a computerDescription automatically generated with low confidence

Figure 16.         

SAFE Capability – Remote Browser Isolation as a feature of Web Security

By isolating web traffic from the user device and the threat, Umbrella Remote Browser Isolation (RBI) delivers an extra layer of protection to the Umbrella secure web gateway so that users can safely access risky websites. Highlights include:

      Isolation of web traffic between user device and browser-based threats

      No performance impact on end users

      Protection from zero-day threats

      Granular controls for different risk profiles

      Rapid deployment without changing existing browser configuration

      On-demand scale to easily protect additional users on all devices, browsers, and operating systems

Cisco Secure Access by Duo

Graphical user interfaceDescription automatically generated

Figure 17.         

SAFE Capability - Identity

Multi-factor authentication (MFA) from Cisco's Duo protects your applications by using a second source of validation, like a phone or token, to verify user identity before granting access. The modern workforce is more mobile than ever before. Users and devices can connect from anywhere — so companies must protect them everywhere. A zero-trust security model establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application.

Graphical user interface, application, WordDescription automatically generated

Figure 18.         

Cisco Secure Access by Duo

Zero trust can be summed up as “never trust; always verify.” This security approach treats every access attempt as if it originates from an untrusted network — so access won’t be allowed until trust is demonstrated. Once users and devices have been deemed trustworthy, zero trust ensures that they have access only to the resources they absolutely need, to prevent any unauthorized lateral movement through an environment. Highlights of Cisco Secure Access by Duo include:

      MFA – Enforce secure identity verification methods, like Duo Push

      User Access Policies – Options to set policies for specific user groups either globally or by application

      Cloud Based Single Sign-On (SSO) – Enable SSO for any SAML2-enabled app, to consolidate users’ login workflows under a single set of credentials protected by strong MFA

      Duo Device Health – Monitor laptop and desktop devices to ensure they have the right security protocols in place

      Secure Endpoint integration – When Duo and Cisco Secure Endpoint have shared visibility into a Windows or macOS endpoint, user access can be blocked to applications protected by Duo from endpoints deemed compromised by Cisco Secure Endpoint

Cisco Secure Endpoint with Secure Malware Analytics

A picture containing textDescription automatically generated

Figure 19.         

SAFE Capability – Client-Based Security & Network Anti-Malware

Cisco Secure Endpoint offers cloud-delivered endpoint protection and advanced endpoint detection and response across multi-domain control points. Capabilities include:

      Prevention – Block known malware automatically leveraging the best global threat intelligence and enforce Zero Trust by blocking risky endpoints from gaining access to applications

      Detection – Run complex queries and advanced investigations across all endpoints, and continuously monitor all file activity to detect stealthy malware

      Response – Rapidly contain the attack by isolating an infected endpoint and remediating malware across PCs, Macs, Linux, servers, and mobile devices (Android and iOS)

For files that have unknown disposition to Cisco Secure Endpoint, Secure Malware Analytics (formerly Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. With a robust, context-rich malware knowledge base, you will understand what malware is doing, or attempting to do, how large a threat it poses, and how to defend against it.

Cisco Secure Malware Analytics is out of scope for this guide. For more information, see the Cisco Breach Defense Design Guide.

Converge

Seamless integration between Umbrella and Viptela

While both products have their own separate management clouds, the integration between Umbrella (security as a service) and Cisco SD-WAN (networking as a service) is done in minutes to instantly gain protection against threats like malware, ransomware, and C2 callbacks. You gain the cost-savings and improved performance of DIA at branch offices, without sacrificing security or the burden of managing devices individually.

With this integration, tunnels are automatically created from SD-WAN routers to the Umbrella cloud, enabling administrators to create routing policies for DIA while managing security centrally for all Internet bound traffic across the full SD-WAN network.

Cisco SecureX

Cisco has been on a mission for several years to simplify security. That mission culminated in the launch of the Cisco SecureX platform, which integrates the entire Cisco security portfolio as well as additional security, networking, and IT technologies from both Cisco and third parties. It is included with all the Cisco security products, so once you have one, you can begin using SecureX.

TimelineDescription automatically generated

Figure 20.         

Cisco SecureX

Cisco SecureX brings together key security technologies considered fundamental for SASE with unified visibility and control through one console. Highlights include:

      Unified visibility – Experience simplicity with a customizable dashboard that included operational metrics, visibility into emerging threats, and access to new products in a single click

      Threat Response – Accelerate threat investigations and incident management by aggregating and correlating global intelligence and local context in one view

      Orchestration – Automate routine tasks using prebuilt workflows that align to common use cases, or build your own workflows with a no-to-low code, drag-and-drop canvas

      Ribbon and single sign-on – Use the dashboard ribbon for quick access to Cisco SecureX features. SSO helps share and maintain context around incidents in one location

      SSO across all Cisco platforms – Easily access all your Cisco Security products, with one set of credentials, from any device.

Cisco ThousandEyes

With the increased reliance on the internet and cloud services, more networks are outside your ownership or direct control. Organizations need to ensure the performance and integrity of the underlying transport, even when you don’t own the infrastructure or control how service providers route traffic.

A picture containing diagramDescription automatically generated

Figure 21.         

Cisco ThousandEyes

Cisco ThousandEyes is a network intelligence SaaS platform that allows users to run a variety of tests using global vantage points to monitor DNS resolution, browser response characteristics, detailed aspects of network pathing and connectivity, the status of network routing, and VoIP streaming connection quality. Highlights include:

      Reduce Mean Time to Identify and resolve by immediately pinpointing the source of issues across internal network, ISPs, and cloud and application providers

      Gain successful escalations with service providers based on data that can be easily shared across internal and external stakeholders

      Eliminate wasteful finger pointing and effectively manage OLAs/SLAs across internal teams and external providers

Cisco ThousandEyes Enterprise agents can be deployed natively as a container application on supported Cisco IOS XE SD-WAN devices to integrate Cisco SD-WAN with Cisco ThousandEyes. The enterprise agent can be installed and activated through vManage.

SASE Deployment

Connect – Branch Networks

Viptela SD-WAN Introduction

This design guide consists of an ISR4461 pair in the branch site and an ASR1002-X in the data center. The hardware installation for these appliances can be found in the following guides:

      Hardware Installation Guide for Cisco 4000 Series Integrated Services Routers

      Cisco ASR 1000 Series Router Hardware Installation Guide

For a full list of devices that are compatible with Cisco SD-WAN, see Cisco SD-WAN Device Compatibility.

There are multiple, flexible controller deployment options available for customers. Controllers can be deployed in a:

      Cisco-hosted cloud (recommended): Most customers opt for Cisco cloud-hosted controllers due to ease of deployment and flexibility in scaling. Cisco takes care of provisioning the controllers with certificates and meeting requirements for scale and redundancy. Cisco is responsible for backups/snapshots and disaster recovery. The customer is given access to vManage to create configuration templates and policies for their devices.

      Managed Service Provider (MSP) or partner-hosted cloud: The MSP or partner is typically responsible for provisioning the controllers and responsible for backups and disaster recovery.

      On-prem data center: The customer is responsible for provisioning the controllers and responsible for backups and disaster recovery.

For this design guide, controllers were installed in an on-prem data center that is connected to both the data center and branch over a WAN interface to mimic the scenario for cloud hosted controllers. For more information on Cisco’s cloud-hosting subscription for Cisco SD-WAN controllers, see Cisco SD-WAN CloudOps.

Note:      If you plan on using Cisco CloudOps, skip to the section titled ‘Onboard Router into SD-WAN Fabric’ as the immediate next steps will detail the deployment of the SD-WAN controllers.

SD-WAN Controller Setup (On-Prem)

This configuration example covers the process of installing the SD-WAN controller software images on a VMWare ESXI instance, establishing the transport and management networks for the three controllers to communicate, and ensuring that each controller has a valid certificate installed. This guide should be used in conjunction with the Cisco SD-WAN Design Guide, which provides an overview of the Cisco SD-WAN solution, including control plane, data plane, routing, authentication, and discusses many WAN edge deployment considerations and common scenarios.

Step 1.             Download the OVA image for vManage, vBond and vSmart.

Step 2.             In the ESXI management dashboard, navigate to Virtual Machines and click Create/Register VM.

Step 3.             Click Deploy a virtual machine from an OVF or an OVA file.

Graphical user interface, applicationDescription automatically generated

Step 4.             Starting with vManage, enter a name for the virtual instance and select the downloaded file for vManage.

Step 5.             Select the datastore where the VM is going to be stored.

Step 6.             Select the VM Network for the controller network and select Thick Provisioning for Data provisioning. Uncheck Power on automatically.

Step 7.             Click Finish.

Step 8.             In ESXI, navigate to Networking and click Add port group.

Graphical user interface, applicationDescription automatically generated

Step 9.             In the pop-up window, give a meaningful Name and click Add.

Step 10.          Navigate to Virtual Machines, right-click vManage and click Edit Settings.

Graphical user interface, applicationDescription automatically generated

Step 11.          Click Add Network Adapter and select the defined SD-WAN network for Network Adapter 2.

Step 12.          Click Add Hard Disk and select New Standard Hard Disk.

Step 13.          Update Hard disk 2 to 100GB so vManage has sufficient space to store all controller logs.

Graphical user interfaceDescription automatically generated

Step 14.          Click Save.

Step 15.          Repeat steps 2-7 for vSmart and vBond, ensuring that the first network adapter is the VM management network, and the second network adapter is the SD-WAN network.

Note:      For this design guide, the controllers were managed over the WAN interface, resulting in Network Adapter 1 being the WAN interface.

Configure Controller IP Addresses

Step 1.             Start all three VM instances for vManage, vBond, and vSmart.

Step 2.             Log in to each VM instance using the default username/password (admin/admin).

Step 3.             Using the configure terminal command, configure the system with the following:

vManage

system

host-name vManage

system-ip 1.1.1.1

organization-name sasecvd

sp-organization-name sasecvd

site-id 1

vbond <VBOND_PUBLIC_IP>

commit

end

vSmart

system

host-name vSmart

system-ip 1.1.1.2

organization-name sasecvd

sp-organization-name sasecvd

site-id 1

vbond <VBOND_PUBLIC_IP>

commit

end

vBond

system

host-name vBond

system-ip 1.1.1.3

organization-name sasecvd

sp-organization-name sasecvd

site-id 1

vbond <VBOND_PUBLIC_IP> local vbond

commit

end

 

Step 4.             Once the controllers are setup, configure the transport VPN using the following commands:

vManage & vSmart

vpn 0

interface eth0

  ip address <PUBLIC_IP>

  no shut

  tunnel-interface

    allow-service all

    commit

    exit

  exit

ip route 0.0.0.0/0 <PUBLIC_IP_GATEWAY>

commit

end

vBond

vpn 0

interface ge0/0

  ip address <PUBLIC_IP>

  no shut

  tunnel-interface

    encapsulation ipsec

    allow-service all

    commit

    exit

  exit

ip route 0.0.0.0/0 <PUBLIC_IP_GATEWAY>

commit

end

Configure Controller Certificates

Controller identity is provided by a Symantec/Digicert or Cisco-signed certificate, or alternatively, an Enterprise CA certificate. Each controller in the network must have a certificate signed and installed. In addition, the root certificate chain for the corresponding CA must also be installed on each controller before the controller certificates can be installed.

For this design guide, an Enterprise CA is used to provide controller certificate authorization. For more technical guidance on the steps needed to successfully install controller certificates, see Cisco SD-WAN Controller Certificates and Authorized Serial Number File Prescriptive Deployment Guide.

Step 1.             Login to the vManage dashboard by navigating to https://<VMANAGE_PUBLIC_IP>:8443 in a web browser.

Step 2.             Navigate to Administration > Settings.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Configure the Organization Name to match the one configured on each controller during setup.

Graphical user interface, text, application, TeamsDescription automatically generated

Step 4.             Enter the vBond IP address with the default port 12346 unless an alternate was configured.

Step 5.             Edit the Controller Certificate Authorization and click Enterprise to use a custom Root CA for signing controller certificates.

Graphical user interface, text, application, emailDescription automatically generated

Note:      There are many options for creating and signing certificates, and each will work with the SD-WAN controllers, however, this guide will cover how to do so using the XCA certificate-signing software as it is available for free.

Step 6.             In XCA, select File > New Database and specify a name to create a new .xdb database. Click Save.

Graphical user interface, applicationDescription automatically generated

Step 7.             In the Certificates tab, click New Certificate.

Graphical user interface, applicationDescription automatically generated

Step 8.             In the Source tab, in the Template for the new certificate field, select [default] CA. Click Apply extensions, Apply subject, and Apply all.

Graphical user interface, applicationDescription automatically generated

Step 9.             In the Subject tab, enter the name RootCA in the field for Internal Name. Fill out the remaining details in correspondence with your organization.

Graphical user interfaceDescription automatically generated

Note:      The organizationName and organizationalUnitName fields must be identical and should match the organization name configured previously in each of the controllers, as well as the vManage dashboard.

Step 10.          Click Generate a new key. Click Create and OK.

Step 11.          After the certificate has been created, select it, and click Export to save the certificate in PEM (.crt) format.

Graphical user interface, application, emailDescription automatically generated

Step 12.          Using a text editor, or terminal window, open the file and copy all the certificate text, including the Begin Certificate and End Certificate line.

Step 13.          In the vManage console, paste the contents of the root certificate into the setting for Controller Certificate Authorization. Click Import & Save.

Graphical user interface, text, applicationDescription automatically generated

Step 14.          SSH into vManage using the same IP address and credentials used to login to the vManage dashboard.

Step 15.          Enter the command vshell to enter the virtual shell on vManage.

Related image, diagram or screenshot

Step 16.          Enter the command cd /home/admin to navigate to the admin directory.

Related image, diagram or screenshot

Step 17.          Enter the command vim root.crt to enter the VIM text editor and create a new blank file titled root.crt.

Step 18.          Enter the command i to enter insert mode in VIM and paste the contents of the RootCA certificate (right clicking the console will copy the contents from the clipboard).

TextDescription automatically generated

Step 19.          Press esc to exit insert mode in VIM and enter the command to :wq to save the file and close the VIM editor.

Step 20.          Enter the command exit to exit the virtual shell.

Step 21.          Enter the command request root-cert-chain install /home/admin/root.crt to install the root certificate chain.

Related image, diagram or screenshot

Step 22.          Repeat steps 14-21 for establishing an SSH session with vSmart and vBond to install the root certificate on each controller.

Step 23.          In the vManage dashboard, navigate to Configuration > Certificates and select Controllers.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 24.          Click the three dots at the right of the vManage line to open the options menu for the vManage certificate. Click Generate CSR to generate a certificate signing request for vManage.

Related image, diagram or screenshot

Step 25.          Click Download. Rename the CSR file to match the name of the controller (i.e., vManage.csr)

Step 26.          In XCA, navigate to the Certificate Signing Requests tab and click Import to import the CSR that was downloaded from the vManage dashboard.

Step 27.          Once imported, right click the name of the CSR and click Sign.

Graphical user interface, text, applicationDescription automatically generated

Step 28.          In the Source tab, under the field Signing, ensure that the RootCA certificate that was created earlier is selected as the certificate used for signing.

Step 29.          Under Template for the new certificate, select [default] HTTPS_client then click Apply extensions, Apply subject, and Apply all.

Graphical user interface, applicationDescription automatically generated

Step 30.          In the Extensions tab, to ensure that the certificate becomes valid immediately once installed on the controller, the time displayed in the Not before window should be updated to be the current time on the respective controller (the time on the controller can be checked by typing the command show clock on the command line).

Step 31.          Click OK to sign the certificate.

Step 32.          In the Certificates tab, click the drop-down arrow to the left of the RootCA certificate generated in a previous step.

Step 33.          Right click the certificate whose name corresponds to the controller for which the certificate is being signed for and select Export > Clipboard.

Graphical user interface, applicationDescription automatically generated

Step 34.          In the vManage dashboard, return to the Configuration > Certificates page, click Controllers and click Install Certificate.

Text, chat or text messageDescription automatically generated

Step 35.          Paste the contents of the signed certificate and click Install.

Step 36.          After the certificate installation has finished, there will be a message indicating it was successful.

Step 37.          Navigate to Configuration > Devices and select the Controllers tab.

Step 38.          Click Add Controller and select vBond.

Graphical user interface, textDescription automatically generated

Step 39.          Enter the vBond public IP address and credentials for logging on to the console.

Step 40.          Ensure that the Generate CSR is NOT checked and click Add.

Step 41.          Repeat steps 37-40 to add the vSmart controller.

Step 42.          Repeat steps 23-36 to generate the CSRs, as well as sign and install the certificates for both vBond and vSmart.

Step 43.          Upon completing the controller setup and certificate installation, the vManage dashboard should indicate that each of the three controllers are up and reachable.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Onboard Router into SD-WAN Fabric

In this design guide, all routers that have been added to the fabric are running IOS-XE v17.06.01. The router’s software image version can be checked by issuing the show version command on the router’s CLI.

Related image, diagram or screenshot

This design guide makes use of an ASR1002-X at the data center and the ISR4461 platform in the branch. For image upgrade instructions see:

      Cisco 4000 Series ISRs Software Configuration Guide

      Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide

Note:      If the devices are running an older version of SD-WAN compatible software, the device can be upgraded through the vManage dashboard. For more information see Manage Software Upgrade and Repository.

There are several options available to securely onboard SD-WAN edge devices.

      Plug-and-Play (PnP): A Day-zero process that provides a simple, secure procedure to discover, install and provision Cisco IOS-XE SD-WAN edge devices.

      Zero-Touch Provisioning (ZTP): A Day-zero process that provides a simple, secure procedure to discover, install and provision vEdge devices.

      Bootstrap deployment: An alternate option to deploy IOS-XE WAN edge devices. The configuration needed to securely onboard the device is loaded into the bootflash memory (or via USB) which is then used during initial bootup.

      Manual deployment: WAN edge device is given the bare minimum configuration needed to reach the vBond SD-WAN controller using the CLI.

For this design guide, a manual deployment was chosen (steps shown below). For more deployment options see WAN Edge Onboarding.

Step 1.         Connect to the router’s console using an admin account.

Step 2.         Enter configuration mode by entering config-t and enter the following commands to establish basic connectivity to vBond

ip route 0.0.0.0 0.0.0.0 <GATEWAY IP>

interface GigabitEthernet0/0/0

ip address <WAN IP> <SUBNET MASK>

no shut

commit

end

Step 3.         Ping the vBond IP address to test connectivity can be achieved.

Step 4.         Once the route is verified, enter the configuration mode again (config-t) and enter the following command to establish control connections with the SD-WAN controllers.

hostname sasebranch_isr1

system

system-ip 3.1.1.1

site-id 3

organization-name sasecvd

vbond <VBOND PUBLIC IP>

exit

interface Tunnel 0

ip unnumbered GigabitEthernet0/0/0

tunnel source GigabitEthernet0/0/0

tunnel mode sdwan

  interface GigabitEthernet0/0/0

    tunnel-interface

    color default

    encapsulation ipsec

    commit

    end

Step 5.         Copy the Root Certificate file that was added to vManage for Controller authentication into the routers bootflash. For an example see Appendix C.

Step 6.         Once the file has transferred, issue the following command

request platform software sdwan root-cert-chain install bootflash:<ROOT CERT FILENAME>

Note:      For the edge router to appear in the devices list on vManage, a valid WAN edge device list will need to be signed and uploaded to vManage. On vManage 17.x and newer, the WAN edge serial file is a signed, binary file that can only be obtained through Cisco. These WAN edge serial files can be downloaded from the Network Plug and Play Connect portal, using a valid Cisco Smart Account. For information on connecting both the WAN edge devices and the vBond SD-WAN controller to the PnP Connect portal, see Appendix C in the Cisco SD-WAN Deployment Guide.

Step 7.         In vManage, navigate to Configuration > Devices.

Step 8.         Click Sync Smart Account.

TextDescription automatically generated

Step 9.         Enter the Username and Password for the smart account in which the WAN edge devices and appropriate vBond controller profile exist and click Sync to load the device list into vManage.

Note:      For most platforms, such as vEdge or the ISR 4000 series IOS-XE devices, no further configuration is needed to authenticate to the network. However, this design guide consists of the ASR1002-X platform which does not contain a SUDI certificate for automatic authentication by the controller network. To authenticate the ASR device, the user has the option of generating a bootstrap configuration which contains a one-time password to use at bootup, or, as this design guide will show, make use of an Enterprise CA.

Note:      The following steps are only required if using Enterprise CA for Hardware WAN Edge Certificate Authorization.

Step 1.         In vManage, navigate to Administration > Settings.

Step 2.         Next to Hardware WAN Edge Certificate Authorization click Edit.

Step 3.         Click Enterprise Certificate and paste the RootCA used to sign the Controller Certificates in the previous section.

Graphical user interface, text, applicationDescription automatically generated

Step 4.         Navigate to Configuration > Certificates.

Step 5.         Click the three dots at the right of the WAN edge device and click Generate Device CSR.

Step 6.         Download the CSR. Make sure the name matched the edge device.

Step 7.         In XCA, navigate to the Certificate Signing Requests tab and click Import to import the CSR that was downloaded from the vManage dashboard.

Step 8.         Once imported, right click the name of the CSR and click Sign.

Step 9.         In the Source tab, under the field Signing, ensure that the RootCA certificate that was created earlier is selected as the certificate used for signing.

Step 10.      Under Template for the new certificate, select [default] HTTPS_client then click Apply extensions, Apply subject, and Apply all.

Step 11.      In the Extensions tab, to ensure that the certificate becomes valid immediately once installed on the controller, the time displayed in the Not before window should be updated to be the current time on the respective controller (the time on the controller can be checked by typing the command show clock on the command line).

Step 12.      Click OK to sign the certificate.

Step 13.      In the Certificates tab, click the drop-down arrow to the left of the RootCA certificate generated in a previous step.

Step 14.      Right click the certificate whose name corresponds to the controller for which the certificate is being signed for and select Export > Clipboard.

Step 15.      In the vManage dashboard, return to the Configuration > Certificates page and click Install Certificate.

Step 16.      Paste the contents of the signed certificate and click Install.

Step 17.      After the certificate installation has finished, there will be a message indicating it was successful.

Step 18.      Repeat for all WAN edge devices.

Related image, diagram or screenshot

Verify Control Connections

Step 1.         In the vManage dashboard, navigate to Dashboard > Main Dashboard.

Step 2.         Check for information on overall fabric health such as Control Status and Site Health indicators.

Graphical user interface, applicationDescription automatically generated

Configuring Devices using vManage Templates

Device templates define a device’s complete operational configuration. A device template consists of several feature templates. Each feature template defines the configuration for a particular Viptela software feature. Some feature templates are mandatory, indicated with an asterisk (*), and some are optional. Each mandatory feature template, and some of the optional ones too, have a factory-default template. For software features that have a factory-default template, you can use either the factory-default template or you can create a custom feature template.

For this design guide, two device templates are created. One device template is used to configure the ISR 4461 pair at the branch and will be configured to connect to both the default color tunnel for controller connectivity and Data Center network access, and a SIG breakout tunnel for internet connectivity. The second device template will be configured to only connect to the default tunnel, where its connected subnets are advertised to connected sites.

DiagramDescription automatically generated

Figure 22.         

Cisco SD-WAN deployment

Configuration Template for vSmart Controller

After the Cisco vBond Orchestrator authenticates WAN edge devices, vBond provides the WAN edge devices information to connect to vSmart. A Cisco vSmart Controller controls the flow of data traffic throughout the network via data and application-route policies. For the vSmart controller to function, it must be configured by a vManage device template.

The following configuration steps is a represents the same configuration that has already been applied to the vSmart during initialization. Replace the below with the configuration applied to your vSmart.

Step 1.         In the vManage dashboard, navigate to Configuration > Templates and click Feature to navigate to feature templates.

Step 2.         Click Add Template.

TextDescription automatically generated

Step 3.         Click vSmart > VPN.

Graphical user interface, applicationDescription automatically generated

Step 4.         Give a meaningful Template Name and Description.

Step 5.         Under Basic Configuration, choose VPN 0.

Graphical user interface, applicationDescription automatically generated

Step 6.         Under IPv4 Route, click New IPv4 Route.

Step 7.         Add 0.0.0.0/0 to the Prefix and Add Next Hop gateway.

Graphical user interface, textDescription automatically generated

Step 8.         Click Save.

Step 9.         Back in the Feature templates section, click Add Template.

Step 10.      Click vSmart > VPN Interface Ethernet.

Step 11.      Give a meaningful Template Name and Description.

Step 12.      Under Basic Configuration, click No Shutdown and the Interface Name for VPN 0 is eth0.

Graphical user interface, applicationDescription automatically generated

Step 13.      Under IP Configuration click Static and enter the IPv4 Address of the vSmart Controller.

Step 14.      Under Tunnel, click On next to Tunnel Interface and leave Color as default.

Graphical user interfaceDescription automatically generated

Step 15.      Click Save.

Step 16.      Navigate to Configuration > Templates and stay on the Device tab.

Step 17.      Click Create Template > From Feature Template.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 18.      Under Device Model choose vSmart.

Step 19.      Give a meaningful Template Name and Description.

Step 20.      Under Transport & Management VPN, choose the newly created template for VPN 0.

Step 21.      Under Additional VPN 0 Templates, click + VPN Interface.

Step 22.      Add the newly created template for the VPN 0 Interface.

RectangleDescription automatically generated with medium confidence

Step 23.      Click Create.

Step 24.      Once created, click the three dots at the right of the vSmart device template and click Attach Devices.

ApplicationDescription automatically generated with low confidence

Step 25.      Choose the vSmart Controller and click Attach.

Step 26.      Enter the necessary variables and click Next.

Step 27.      Click Configure Devices.

Step 28.      After the configuration has finished, there will be a message indicating it was successful.

Basic Configuration Templates

Devices in the overlay network that are managed by Cisco vManage must be configured from Cisco vManage. Since the basic configuration procedure mimics what has already been shown for vSmart (Create feature templates > Create Device templates > Attach Device templates to individual devices), the step-by-step instructions will not be shown. Instead, the feature templates will be shown in the following tables.

Note:      Variables marked with [] are device specific variables and must be specified when being attached to the device. All other variables have been defined as global variables in the template.

ASR1002-X > Cisco VPN

Template Name

asr_vpn0

Description

VPN 0 template for ASR1002-X

Basic Configuration

 

VPN

0

DNS

 

Primary DNS Address (IPv4)

192.168.128.3

 

Secondary DNS Address (IPv4)

208.67.222.222

IPv4 Route

 

Prefix

0.0.0.0/0

 

Gateway

Next Hop

 

Next Hop

<WAN GATEWAY>

ASR1002-X > Cisco VPN Interface Ethernet

Template Name

asr_wan_interface

Description

Ethernet interface template for ASR1002-X WAN port

Basic Configuration

 

Shutdown

No

 

Interface Name

GigabitEthernet0/0/0

 

IPv4

Static

 

IPv4 Address/ prefix-length

[vpn_wan_if_ipv4_address]

Tunnel

 

Tunnel Interface

On

 

Color

default

NAT

 

NAT

On

 

NAT Type

Interface

ASR1002-X > Cisco VPN

Template Name

asr_vpn1

Description

VPN 1 template for ASR1002-X

Basic Configuration

 

 

VPN

1

Advertise OMP

 

Protocol

Connected

 

Protocol

Static

IPv4 Route

 

Prefix

0.0.0.0/0

 

Gateway

VPN

 

Enable VPN

On

ASR1002-X > Cisco VPN Interface Ethernet

Template Name

asr_lan_interface

Description

Ethernet interface template for ASR1002-X LAN port

Basic Configuration

 

Shutdown

No

 

Interface Name

GigabitEthernet0/0/1

 

IPv4

Static

 

IPv4 Address/ prefix-length

[vpn_lan_if_ipv4_address]

VRRP

 

Group ID

1

 

Priority

[vpn1_if_vrrp_priority]

 

Track OMP

On

 

IP Address

[vpn1_lan_gateway_ip]

Note:      The basic feature templates for the ISR4461 are identical to those found above. Repeat the above templates, but choose ISR4461 instead of ASR1002-X. The only change made in this design guide is the Data Center was configured to advertise static routes. Only the connected subnets are advertised in the branch network.

Verify connectivity between Branch and Data Center by pinging the private subnet of the Data Center from a device in the Branch network.

Configuration Templates for SASE

Cisco Umbrella auto tunnel support on SD-WAN-enabled WAN edge routers enables redirection of SIG traffic to the nearest Umbrella Data Center. Auto tunnel is supported on IOS-XE 17.2.1 / Viptela 20.1 or later (IOS-XE 17.4.1 / Viptela 20.4.1 or later for active/active tunnel pairs).

Step 1.         In vManage, navigate to Configuration > Templates > Feature > Add Template.

Step 2.         Select ISR4461 > Cisco Secure Internet Gateway.

Step 3.         Give a meaningful Template Name and Description.

Step 4.         If running a version with the Tracker (BETA) section, enter a Source IP Address. This will be disabled in a future step but is required for now.

Graphical user interface, text, applicationDescription automatically generated

Step 5.         Under Configuration click Add Tunnel (ensure SIG Provider set to Umbrella).

Step 6.         Next to Interface Name, type ipsec1 and choose the WAN interface as the Tunnel Source Interface. Click the Primary radio button next to Data Center.

Graphical user interface, applicationDescription automatically generated

Note:      If running a version of code that has the tracker enabled, click the Advanced Options dropdown menu and change Track this interface for SIG to Off. The tracker feature is out of scope for this design guide while undergoing beta tests.

Graphical user interfaceDescription automatically generated with medium confidence

Step 7.         Click Add.

Step 8.         Repeat steps 5-7, specifying ipsec2 and connection to the Secondary Data Center.

Step 9.         Under High Availability, enter ipsec1 as the Active tunnel and ipsec2 as the Backup tunnel.

Graphical user interface, applicationDescription automatically generated

Step 10.      Click Save.

Step 11.      In the Umbrella Dashboard, navigate to Admin > API Keys.

Graphical user interface, applicationDescription automatically generated

Step 12.      If there is no existing key for Umbrella Management, click Create.

Step 13.      Select Umbrella Management and click Create.

Step 14.      Copy both the Key and Secret. Note: make sure to store the secret somewhere secure as it will only ever be shown once.

Step 15.      In the vManage dashboard, navigate to Configuration > Templates > Feature > Add Template.

Step 16.      Select ISR4461 > Cisco SIG Credentials.

Step 17.      Enter the Organization ID along with the Registration Key and Secret for the Umbrella Management API.

Graphical user interface, applicationDescription automatically generated

Note:      To find your Organization ID from Umbrella, navigate to your Umbrella dashboard. The organization ID is part of the URL: https://dashboard.umbrella.com/o/<ORG ID>/#/

Step 18.      Click Save.

Step 19.      Navigate to Configuration > Templates > Device and edit the ISR4461 device template.

Step 20.      Under Transport & Management VPN > Additional Cisco VPN 0 Templates click + Cisco Secure Internet Gateway.

Step 21.      Add the newly attached Cisco SIG feature template.

Graphical user interface, text, applicationDescription automatically generated

Step 22.      Scroll down to Additional Templates and add the Cisco SIG Credentials feature template.

Graphical user interface, application, chat or text messageDescription automatically generated

Step 23.      Click Update and push changes to the devices.

Step 24.      In the Umbrella dashboard, navigate to Deployments > Core Identities > Network Tunnels.

Step 25.      Check the Tunnel Status is Active between the devices.

Graphical user interface, applicationDescription automatically generated

After the tunnels are established, service routes need to be configured to forward traffic through the tunnel.

Step 1.         In the vManage Dashboard, navigate to Configuration > Templates > Feature and edit the feature template for VPN 1.

Step 2.         Under IPv4 Route, delete the existing VPN route for prefix 0.0.0.0/0.

Graphical user interfaceDescription automatically generated

Step 3.         Under Service Route, click New Service Route.

Step 4.         Enter the prefix 0.0.0.0/0 and click Add.

A picture containing rectangleDescription automatically generated

Step 5.         Update the feature template and push changes to the device.

Step 6.         Validate connectivity by connecting to an Internet service from a branch side computer and checking the activity log in the Umbrella Dashboard.

Note:      If the tunnel to Umbrella is up, but the traffic is not being redirected through the Umbrella tunnel, try toggle the NAT configuration. During this lab setup, it was found that the NAT configuration got deleted unintentionally although the feature template was still configured for it. Deleting NAT and reconfiguring on VPN 0 re-created the NAT router required for Umbrella connectivity.

Connect – Roaming Workforce

This design guide makes use of Cisco Firepower Threat Defense (FTD) devices to terminate VPN connections. Other deployment options include the use of the Cisco Adaptive Security Appliance (ASA). For configuration guidance on the ASA, see Remote VPN Client Load Balancing on ASA 5500 Configuration Example.

AnyConnect

The Cisco AnyConnect Secure Mobility Client software package contains a profile editor for all operating systems. The only profile editor that will be configured for this guide is the AMP Enabler. For details on the other editors, including creating Always On VPN profiles for users in untrusted networks, see the Cisco AnyConnect Secure Mobility Client Administrator Guide.

Step 1.             Download and install the stand-alone AnyConnect Profile Editor for Windows. Note: When using a Cisco ASA as the VPN headend, the Cisco Adaptive Security Device Manager (ASDM) activates the profile editor when you load the AnyConnect client image on the ASA. This design guide is using an FTD, which has no native support for the profile editor.

Step 2.             In Secure Endpoint cloud, navigate to Management > Download Connector.

Graphical user interface, applicationDescription automatically generated

Step 3.             Select the group that this policy applies. Note: If no group exists, navigate to Management > Groups and click Create Group.

Graphical user interface, applicationDescription automatically generated

Step 4.             For both Windows and Mac, click on Show URL and copy them for use in further steps.

Graphical user interface, text, applicationDescription automatically generated

Step 5.             On the windows machine that the AnyConnect profile editors have been installed, open the AnyConnect AMP Enable Standalone profile editor.

Step 6.             Click Install AMP Enabler.

Graphical user interface, text, applicationDescription automatically generated

Step 7.             Paste the URL for both Windows and Mac from step 4. Note: Make sure to remove the Https:// from the copied URLs.

Graphical user interface, text, application, emailDescription automatically generated

Step 8.             Click Save. Note: If you press Check beside each URL and Invalid entry is returned, copy and paste the link into any browser and check if the file successfully downloads. There is an error with the tool.

Duo Authentication Proxy

The Duo Authentication Proxy is an on-premises software service that receives authentication requests from local devices and applications via RADIUS or LDAP, optionally performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. The Duo Authentication Proxy is used in this guide to facilitate MFA for VPN connectivity.

The configuration of the proxy may differ depending on the application you wish to protect and the environment that it is being run in. This design guide used Cisco FTD VPN with AnyConnect – Install the Duo Authentication Proxy when installing and configuring the proxy. The proxy is installed on an Ubuntu virtual machine and primary credentials are checked against Active Directory. The configuration can be seen below.

[ad_client]

host=ad.sasecampus.com

service_account_username=administrator

service_account_password=XXXXXXXXXXXXXX

search_dn=DC=sasecampus,DC=com

 

[radius_server_auto]

ikey=DIXXXXXXXXXXXXXXXXXXX

skey=zSO1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

api_host=api-aXXXXXXX.duosecurity.com

radius_ip_1=192.168.128.6

radius_secret_1=XXXXXXXXXXXXXXX

failmode=safe

client=ad_client

port=1812

Cisco Secure Firewall – Firepower Threat Defense (FTD) VPN

Cisco Firepower Management Center (FMC) provides a remote access VPN policy wizard to guide you through the required minimal steps to configure the policy. Before you start, complete the following pre-requisites to ensure the configuration elements are in place for use in the policy wizard.

AnyConnect Client Package

Step 1.             In Cisco Software Central, download the AnyConnect Headend package for Windows and Mac.

Step 2.             In FMC, navigate to Objects > Object Management > VPN > AnyConnect File.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.             Click Add AnyConnect File.

Related image, diagram or screenshot

Step 4.             Give a meaningful name to the AnyConnect File, add the headend package using the Browse button, and on the File Type dropdown menu click AnyConnect Client Image.

Graphical user interface, text, applicationDescription automatically generated

Step 5.             Repeat for all headend packages that have been downloaded.

Umbrella Roaming Security Module

Step 1.             In Umbrella, navigate to Deployments > Roaming Computers and click Roaming Client.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             Under AnyConnect Umbrella Roaming Security Module, click Download Module Profile.

Graphical user interface, text, application, emailDescription automatically generated

Duo Authentication Proxy

Step 1.             In FMC, navigate to Objects > Object Management > AAA Server > RADIUS Server Group.

Graphical user interfaceDescription automatically generated with medium confidence

Step 2.             Click Add RADIUS Server Group.

Graphical user interfaceDescription automatically generated with medium confidence

Step 3.             Give a meaningful name to the server group and add the IP Address/Hostname where the Duo Authentication Proxy resides.

Graphical user interface, text, applicationDescription automatically generated

Step 4.             Click Save.

VPN Address Pool

Step 1.             In FMC, navigate to Objects > Object Management > Address Pools > IPv4 Pools.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             Click Add IPv4 Pools.

Graphical user interfaceDescription automatically generated

Step 3.             Give a meaningful name to the address pool and add the IPv4 Address Range you wish to assign to VPN users.

Graphical user interface, text, application, emailDescription automatically generated

Step 4.             Click Save.

VPN Split Tunnel List

Step 1.             In FMC, navigate to Objects > Object Management > Network.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             In the Add Network drop down, click Add Object.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Add the Network subnet that you would like roaming users to reach through the tunnel. In this design guide, roaming users will only use the VPN tunnel to access private applications, all other traffic will be sent through Umbrella.

Graphical user interfaceDescription automatically generated

Step 4.             Repeat for each subnet or host that you would like to be reachable by roaming users.

Step 5.             Navigate to Objects > Object Management > Access List > Standard.

Graphical user interface, text, application, emailDescription automatically generated

Step 6.             Click Add Standard Access List.

Related image, diagram or screenshot

Step 7.             Give a meaningful name to the split tunnel and add the network object(s) from the previous steps.

Graphical user interface, text, applicationDescription automatically generated

Step 8.             Click Save.

Remote Access VPN Policy Wizard

The Remote Access VPN Policy wizard in the Firepower Management Center can be used to quickly and easily set up SSL and IPsec-IKEv2 remote access VPNs with basic capabilities. Then, enhance the policy configuration if desired and deploy it to your Firepower Threat Defense secure gateway devices. For this deployment guide, it is assumed that all the above pre-requisites have been completed before getting to this point.

Step 1.             In FMC, navigate to Devices > VPN > Remote Access.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click Add.

Related image, diagram or screenshot

Step 3.             Add a meaningful name and click the FTD(s) that this policy will apply. Click Next.

Graphical user interface, text, applicationDescription automatically generated

Step 4.             Under Authentication Server, choose the Duo Authentication Proxy that was configured in a previous step.

Graphical user interface, text, application, emailDescription automatically generated

Step 5.             Add the IPv4 Address Pool that was created for VPN users.

Graphical user interface, text, application, emailDescription automatically generated

Step 6.             Under Group Policy, click +.

Graphical user interface, applicationDescription automatically generated

Step 7.             Give a meaningful name to the policy.

Step 8.             In the General > DNS/WINS tab, add the DNS server for the internal network. Note: If this network object does not already exist in FMC, it can be added using the + button.

Graphical user interface, text, applicationDescription automatically generated

Step 9.             In the General > Split Tunneling tab, click IPv4 Split Tunneling dropdown and choose Tunnel networks specified below. Repeat for IPv6 if applicable.

Graphical user interface, text, applicationDescription automatically generated

Step 10.          Under Standard Access List, choose the Split Tunneling list that was created in a previous step. This will ensure that only the traffic that has been specified will use the tunnel.

Graphical user interface, text, applicationDescription automatically generated

Step 11.          Under DNS Request Split Tunneling, click DNS Requests dropdown and choose Send only specified domains over tunnel.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 12.          Enter the domain list for the internal network. All other DNS requests will be sent to Umbrella (when configured).

Graphical user interface, text, applicationDescription automatically generated

Step 13.          Navigate to the AnyConnect tab.

Graphical user interface, text, applicationDescription automatically generated

Step 14.          In the Client Modules tab, click the + button.

Graphical user interface, text, applicationDescription automatically generated

Step 15.          Under Client Module, choose AMP Enabler and upload the AMP Enabler profile created in a previous step.

Graphical user interface, applicationDescription automatically generated

Step 16.          Click Enable module download and click Add.

Step 17.          In the Client Modules tab, click the + button.

Step 18.          Under Client Module, choose Umbrella Roaming Security and upload the OrgInfo.json file downloaded from Umbrella in a previous step.

Graphical user interface, applicationDescription automatically generated

Step 19.          Click Enable module download and click Add.

Step 20.          Click Save on the Group Policy.

Step 21.          Click Next on the Remote Access VPN wizard.

Graphical user interface, text, applicationDescription automatically generated

Step 22.          Select the AnyConnect Client images that were uploaded in a previous step. Click Next.

Graphical user interface, text, application, emailDescription automatically generated

Step 23.          On the Interface group/Security Zone dropdown, choose the FTD interface that users will access for VPN connections.

TextDescription automatically generated

Step 24.          In the Certificate Enrollment dropdown, choose the device certificate that will be used to authenticate the VPN gateway. Note: This design guide used a self-signed certificate that was created using the + button.

Graphical user interface, textDescription automatically generated

Step 25.          Click Next.

Step 26.          Validate the policy information and click Finish.

Step 27.          Click Deploy to send remote access policy to the FTD.

Note: While out of scope for this design guide, it is recommended to create access control rules on the firewall to limit access to VPN users. This can be achieved by using the IPv4 address pool reserved for VPN users and creating an allow list of services they should be able to reach on the network.

Duo Network Gateway

The Duo Network Gateway allows users to access internal web applications without having to join a VPN. Users will be able to access the internal web applications after verifying their identity with a first factor and Duo MFA. For installation and configuration of the DNG see Install Duo Network Gateway.

For this design guide, DNG was installed on an Ubuntu virtual machine and the primary authenticator used was Duo SSO.

Control - Deployment

Cisco Viptela SD-WAN Security Policy

Cisco SD-WAN offers integrated security, including full-stack multilayer security capabilities on IOS XE routers. This integrated security provides real-times threat protection where and when it is needed; for branches connecting to multiple SaaS or IaaS clouds, data centers, or the Internet, further accelerating the transition to a SASE-enabled architecture.

However, this design guide has made the architectural decision to route all internet bound traffic through Umbrella, and all internal traffic will be sent back to the data center. To simplify the creation and management of security policies, all internet bound security will be performed by Umbrella, and it is assumed in this guide that the data center has the necessary security to protect its network and applications.

Note: This design guide assumes the use of Umbrella as the centralized enforcement point for the branch. Cisco IOS-XE appliances also have the capability to enforce security at the branch but its usage is out of scope for this design guide, For more information see Security Policy Design Guide for Cisco IOS-XE SD-WAN Devices.

Cisco Umbrella Security Policy

DNS Policies

Domain name system (DNS) resolution is typically the first step when connecting to a service on the Internet. Thus, enforcing security at the DNS and IP layers is the first line of defense against threats and is a great way to stop attacks before users connect to bad destinations.

Step 1.             In the Umbrella Dashboard, navigate to Policies > Management > DNS Policies.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click Add. Note: Your default policy in Umbrella (bottom of the list) is the catch-all for identities you haven’t defined a specific policy for. While a new policy will be created that covers all branch and roaming users, ensure that this policy is defined and enforced for all connections that have not yet been defined.

Related image, diagram or screenshot

Step 3.             Choose which type of access control or threats to block. For this design guide, since we have access to the full SIG suite of capabilities, we will only Block Threats in the DNS policy. Click Next.

Graphical user interfaceDescription automatically generated with medium confidence

Step 4.             Select the identity for Roaming Computers. This covers all identities that will be enabled through the AnyConnect Roaming Module. Branch identities will be added later after building our integration with Viptela. Click Next.

Graphical user interface, applicationDescription automatically generated

Step 5.             On the Security Settings tab, leave as default and click Next.

Graphical user interface, text, application, emailDescription automatically generated

Step 6.             Disable File Analysis (File inspection will occur in the web policies). Click Next.

Graphical user interface, text, application, emailDescription automatically generated

Step 7.             This design guide will leave the Block Page as default. To modify, see Customize Block and Warn Pages. Click Next.

Step 8.             Give a meaningful name to the policy and review the configuration. Note: Ensure the Intelligent Proxy is disabled under Advanced Settings. If there is no option to disable, edit the policy after it has been saved and the button will appear. Click Save.

Graphical user interface, text, application, emailDescription automatically generated

Integrate Cisco Umbrella & Cisco Viptela SD-WAN using API keys

The Cisco 4000 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic, and forwards the DNS queries to the Cisco Umbrella cloud.

Step 1.         In the Umbrella Dashboard, navigate to Admin > API Keys.

Step 2.         Copy the Legacy Network Devices token (If none exists, click Create).

Graphical user interface, text, applicationDescription automatically generated

Step 3.         In the vManage Dashboard, navigate to Configuration > Security.

Step 4.         Click Add Security Policy > Custom.

Graphical user interface, text, applicationDescription automatically generated

Step 5.         Click Next until you get to DNS Security.

Step 6.         Click Add DNS Security Policy > Create New.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 7.         Give a meaningful Policy Name.

Step 8.         Click Manage Umbrella Registration to Legacy Network Devices API next to Registration Token.

Step 9.         Next to Local Domain Bypass List, add the domain(s) to be excluded from the Umbrella tunnel.

Graphical user interface, text, applicationDescription automatically generated

Step 10.      Click Save DNS Security Policy.

Step 11.      Click Next until you get to Policy Summary.

Step 12.      Add a meaningful Security Policy Name and Description.

Step 13.      Click Save Policy.

Step 14.      Navigate to Configuration > Templates > Device and edit the device template for the ISR4461.

Step 15.      Under Additional Templates > Security Policy add the newly created DNS policy.

Graphical user interface, applicationDescription automatically generated

Step 16.      Click Update and push changes to the devices.

Step 17.      To verify connectivity, navigate to Deployments > Core Identities > Network Devices in the Umbrella dashboard. The ISR4461 will show up as a network device and can be used as an identity in DNS policies.

Graphical user interface, applicationDescription automatically generated

Add Cisco Umbrella DNS policy to Cisco SD-WAN network

At this point, DNS policies configured in Cisco Umbrella can now be applied to the WAN Edge devices.

Step 1.             In the vManage Dashboard, navigate to Policies > Management > DNS Policies.

Step 2.             Select the policy that was created in a previous section and click Edit Identity.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Scroll down to Network Devices and select the ISR4461 devices that have been added through the API.

Graphical user interface, applicationDescription automatically generated

Step 4.             Click Set & Return on the identity page and Save the policy.

Web Policies

A cloud-based web proxy or SWG provides security functions such as malware detection, file sandboxing and dynamic threat intelligence, SSL decryption, app and content filtering, and DLP.

There are two parts to configuring the web policy:

      Configuring a ruleset: enable a ruleset by selecting identities and then configuring ruleset settings to determine protection options for that ruleset.

      Add rules to a ruleset: add rules to set actions (allow, block, and warn) against individual identities and the destination those identities attempt to access.

 

Step 1.             In the Umbrella Dashboard, navigate to Policies > Management > Web Policy.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click Add.

Related image, diagram or screenshot

Step 3.             Expand the newly created rule set.

Step 4.             Give a meaningful name to the ruleset by clicking the Edit button in the Ruleset Name row. Click Save.

Graphical user interface, applicationDescription automatically generated

Step 5.             Click the Edit button next to Ruleset Identities.

Step 6.             Choose the Identity that this ruleset applies to. For this design guide, the identities chosen were the Network Tunnels associated with our branch and all Roaming Computers. Click Save.

Graphical user interface, tableDescription automatically generated

Step 7.             Next to File Analysis, click Edit.

Step 8.             Enable both File Inspection and Threat Grid Malware Analysis.

Graphical user interface, text, applicationDescription automatically generated

Step 9.             Next to File Type Control, click Edit.

Step 10.          Choose the file types to block for this ruleset. For validation purposes, Batch files will be blocked. For more information, see Manage File Type Control. Click Save.

Graphical user interfaceDescription automatically generated

Step 11.          Next to HTTPS Inspection, click Edit.

Step 12.          Click Enable HTTPS Inspection. Note: A root certificate is required in any circumstances where Umbrella must proxy, and decrypt HTTPS traffic intended for a website. For certificate installation see Appendix A.

Graphical user interface, text, application, emailDescription automatically generated

Step 13.          Select the Web Selective Decryption List. Note: Umbrella’s Selective Decryption List component excludes selected content categories, applications, and domains from inspection when HTTPS Inspection is enabled for a ruleset. For more information on the excluded list for this design guide, see Appendix B.

Graphical user interface, applicationDescription automatically generated

Step 14.          Click Save.

Step 15.          Scroll back to the top of the policy and click Add Rule.

Graphical user interface, applicationDescription automatically generated

Step 16.          Give a meaningful Rule Name. For this rule we will block specified content categories.

Step 17.          Under Rule Action, select Block.

Graphical user interface, text, applicationDescription automatically generated

Step 18.          Under Identities, click Add Identity and choose the option to Inherit Ruleset Identities. Click Apply.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 19.          Under Destinations, click Add Destination and choose an Application Setting to block. For validation testing, all Social Networking will be selected. Click Apply.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 20.          Rule Configurations will not be used in this design guide. For more policy options, such as enforcing during a specified time of day, see Add Rules to a Ruleset.

Step 21.          Click Save on the rule.

Step 22.          Web policies will be enforced on the first match. To allow specific social media sites, such as LinkedIn, create an Allow rule and place it above the Block rule. Note: An alternate approach is to modify the Application Settings for a web policy. This would allow a user to remove LinkedIn from the Social Media category for a given policy. For more information, see Manage Application Settings.

Graphical user interface, text, application, emailDescription automatically generated

Step 23.          At the bottom of the policy, click Close to save the policy.

Graphical user interface, application, TeamsDescription automatically generated

Cloud Firewall Policies

With Cisco Umbrella’s cloud-delivered firewall, all activity is logged, and unwanted traffic blocked using IP, port, and protocol rules. Rules are automatically applied to any tunnel connected to Umbrella. For this design guide, the firewall will be used to block any peer-to-peer (P2P) traffic such as BitTorrent. BitTorrent is a P2P protocol design to transfer files. Since these networks do not use HTTP(s), they would not fall under web traffic and therefore bypass web inspection.

Step 1.             In the Umbrella Dashboard, navigate to Policies > Management > Firewall Policy.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click Add.

Related image, diagram or screenshot

Step 3.             Give a meaningful Rule Name and apply priority to the firewall rule. Note: Rules are applied sequentially, with the Default Rule always in the last position.

A picture containing textDescription automatically generated

Step 4.             Under Applications, click Specify Applications from the drop-down menu.

Step 5.             Click the + icon in the search bar and navigate down to P2P. Click to Enable.

Graphical user interface, applicationDescription automatically generated

Step 6.             Under Rule Action, click Block Traffic and ensure Logging is Enabled.

A screenshot of a computerDescription automatically generated with medium confidence

Step 7.             Click Save.

Intrusion Prevention System

IPS, based on SNORT3technology, uses signature-based detection to examine network traffic flows and take automated actions to catchand dropdangerous packets before they reach their target. AnIPScapability isonly as effective as the cyberattack dictionaries. Umbrella IPS uses extensive signatures (40,000+and growing) from Cisco Talos, the largest private securitythreat intelligenceorganization in the world.

Step 1.             In the Umbrella Dashboard, navigate to Policies > Management > Firewall Policy.

Step 2.             Next to Umbrella’s Intrusion Protection System, click Configure.

Related image, diagram or screenshot

Step 3.             Click the Intrusion System Mode dropdown menu and choose either Detection or Protection. Detection mode will not block traffic, only alert on rules. Protection, if a rule is configured to do so, will block based on IPS detection. This design guide is configured with Detection.

Graphical user interface, text, application, emailDescription automatically generated

Step 4.             Click the Apply to IPS Signature List dropdown menu and choose the level of protection required:

      Connectivity Over Security places emphasis on network connectivity and throughput at the possible expense of security

      Balanced Security and Connectivity attempts to balance network connectivity and security to keep users secure while being less obtrusive toward normal traffic. Note: This design guide is configured using Balanced Security and Connectivity

      Security Over Connectivity results in traffic to be inspected more deeply and more rules are evaluated

      Maximum Detection places all emphasis on security, such that network connectivity and throughput are compromised. Only select this setting when total protection is required

Step 5.             Click Save.

Graphical user interface, text, applicationDescription automatically generated

Data Loss Prevention

The DLP policy monitors content classified as personally identifiable or sensitive information. When necessary, content is blocked from an upload or a post. Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications that require monitoring, and whether content should be blocked or only monitored. For example, an office may want to monitor its network for file uploads that include credit card numbers, because the uploads are a breach of company privacy and security policies. A rule designed to monitor the network and uploads to domains can block these files.

Note: HTTPS Inspection must be enabled (see Appendix A for details on the Umbrella root certificate) on the web policy ruleset where this DLP policy applies. DLP cannot be applied to encrypted traffic. For destinations that have been excluded from the decryption list, such as Office 365, it is recommended to use an API based solution such as Cisco Cloudlock or use the DLP policies included in Office 365.

Step 1.             In the Umbrella Dashboard, navigate to Policies > Policy Components > Data Classification.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click Add.

Related image, diagram or screenshot

Step 3.             Give a meaningful Data Classification Name.

Step 4.             Select Built-in-Data Identifiers and choose the identifiers. For this design guide, Credit Card Number – Strict is selected. For a full list of identifiers, along with their description, see Built-In Data Identifiers. Additionally, to create custom identifiers such as classified project code names, see Create a Custom Dictionary.

Graphical user interface, text, application, emailDescription automatically generated

Step 5.             Click Save.

Step 6.             Navigate to Policies > Management > Data Loss Prevention Policy.

Graphical user interface, applicationDescription automatically generated

Step 7.             Click Add Rule.

Graphical user interface, text, applicationDescription automatically generated

Step 8.             Give a meaningful Rule Name.

Step 9.             Choose an Action. This guide will Monitor traffic that matches the DLP policy.

Graphical user interface, text, application, emailDescription automatically generated

Step 10.          Under Identities, select identities that will be monitored. This design guide will monitor all Roaming Computers and the network tunnel from our Branch.

Graphical user interface, tableDescription automatically generated

Step 11.          Under Data Classifications, select the data classification that was created in the previous steps.

Graphical user interface, applicationDescription automatically generated

Step 12.          Under Destinations, select All Destinations. Note: If blocking traffic, not all destinations are supported. The level of support for each application can be found at Supported Applications.

Graphical user interface, text, application, emailDescription automatically generated

Step 13.          Click Save.

Remote Browser Isolation (RBI)

RBI protects identities from potential malware and other threats by redirecting browsing to a cloud-based host. Destinations supported by an RBI add-on can be isolated when added to a rule in a Web policy’s ruleset. When you add a rule and choose Action > Isolate, the selected destination in the rule will create a remote browser when users attempt to access those destinations. Instead of blocking identities from the destination endpoints, a cloud-based browser hosts the browsing session for that destination.

Step 1.             In the Umbrella Dashboard, navigate to Policies > Management > Web Policy. We will modify the policy created in a previous section.

Step 2.             Click the policy in which RBI will apply.

Related image, diagram or screenshot

Step 3.             Click Add Rule.

Step 4.             Give a meaningful Rule Name.

Step 5.             Under Rule Action, select Isolate.

Graphical user interface, text, application, emailDescription automatically generated

Step 6.             Under Identities, click Add Identity and choose the option to Inherit Ruleset Identities.

Graphical user interface, applicationDescription automatically generated

Step 7.             Under Destinations, click Add Destination. For this validation, RBI will be used to access Dropbox so that if any malware is accidentally downloaded when browsing a cloud storage website, it does not get downloaded onto the client’s machine. Click Apply.

Graphical user interface, text, application, emailDescription automatically generated

Step 8.             Click Save on the rule.

Related image, diagram or screenshot

Step 9.             Click Close on the policy.

Cisco Duo Network Gateway (DNG) Application protection

Since many large organizations already rely on an on-premises Active Directory (AD) server, OpenLDAP Directory, or a cloud-hosted Azure AD directory to manage their users, Duo offers tools to import users and groups from those identity stores into Duo, with the option of automatically sending an enrollment email to every user imported without an attached phone who has a valid email address.

To automatically enroll users from AD into Duo, see Synchronizing Users from Active Directory. For this design guide, a group called SASECampus was created, and an option was chosen to only synchronize users who belong within that group.

Graphical user interface, applicationDescription automatically generated

Now that a group of users has been classified, applications in Duo can be restricted to only allow members of the group to access.

Step 1.             In the Duo Dashboard, navigate to Applications.

Graphical user interface, applicationDescription automatically generated

Step 2.             Select the application used to enforce 2FA on the VPN.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Scroll down to the bottom of the page and beside Permitted Groups, click the checkbox for Only allow authentication from users in certain groups.

Step 4.             In the search bar, choose the group(s) that should have access to the VPN. All other users will be denied.

Graphical user interface, applicationDescription automatically generated

Step 5.             Click Save.

Step 6.             Repeat the process for the application protections for DNG.

Graphical user interface, text, applicationDescription automatically generated

The Global Policy in Duo applies to all applications. If certain applications require policy and controls that differ from the Global policy, you can create a Custom Policy and assign it to those applications (for example, VPN policy may allow access from non-trusted devices, but DNG may require Cisco Secure Endpoint). For this design guide, since we are already restricting policy access at a user level, the Global Policy will be configured and applied to all applications protected by Duo (i.e., remote access VPN and the Duo Network Gateway).

Step 1.             In the Duo Dashboard, navigate to Policies.

Step 2.             Click Edit Global Policy.

Graphical user interface, text, application, TeamsDescription automatically generated

Step 3.             Under New User policy, click Require enrollment (default).

Graphical user interface, text, application, emailDescription automatically generated

Step 4.             Under Authentication policy, click Enforce 2FA (default).

Graphical user interface, text, application, emailDescription automatically generated

Step 5.             Under User location, enter all countries that you expect to receive authentication from and choose No action from the dropdown list. For all other countries choose Deny access. Note: Access attempts from Internal Ips and unknown countries will default to “No action”.

Graphical user interface, text, email, websiteDescription automatically generated

Step 6.             Under Trusted Endpoints, click Require endpoints to be trusted and Allow AMP for Endpoints to block compromised endpoints. This allows Duo to block devices that have been deemed to be compromised by Cisco Secure Endpoint.

Note:      To create the integration between Duo and Cisco Secure Endpoint, see Trusted Endpoints – Cisco AMP for Endpoints.

Graphical user interface, text, application, emailDescription automatically generated

Step 7.             Under Device Health application, choose if you want your application to require the Duo Device Health application. This allows us to restrict user access for device metrics such as if the device firewall is off or if a password has not been set on the device. For this design guide, we will click Don’t require users to have the app. For more information, see Enabling the Device Health Application Policy.

Graphical user interface, text, application, emailDescription automatically generated

Step 8.             Under Remembered devices, click Do not remember devices (default). Remembered devices allow users to skip subsequent 2FA requests.

Graphical user interface, text, application, emailDescription automatically generated

Step 9.             Under Operating systems, leave all settings as default. This section allows us to do version control, such as forcing users to update their operating system to a specified version or by completely blocking an operating system from the network.

Step 10.          Scroll down to Authentication methods and choose which methods to use for authentication. For this design guide, only Duo Push and SMS passcodes will be enabled.

Graphical user interface, applicationDescription automatically generated

Step 11.          The remaining policies refer to enforcement of specific smartphone features. Smartphone access is out of scope for this design guide. For more information on configuring these policies, see Policy & Control.

Step 12.          Click Save Policy.

Cisco Secure Endpoint

Cisco Secure Endpoint contains a comprehensive database of every file that has ever been seen and maintains a corresponding good or bad disposition. As a result, known malware is quickly and easily quarantined at the point of entry without any processor-intensive scanning. For this design guide, custom policies will not be created, and Secure Endpoint alerts will be triggered using the EICAR file.

NOTE: EICAR is safe to pass around because it is not a virus and does not include any fragments of viral code. It is a file that has been created for Anti-virus products to react to for test purposes. Cisco Umbrella also blocks access to this file.

For a more comprehensive analysis of both Secure Endpoint and Secure Malware Analytics, see Cisco Breach Defense Design Guide.

SaaS App protection

Cisco Duo Single Sign-On is a cloud hosted SAML identity provider that adds two-factor authentication to popular clous services like Salesforce and Microsoft 365 using SAML 2.0 federation. This design guide will use Microsoft 365 for testing and validation.

Cisco Duo authenticates your users using existing on-premises AD credentials and prompting for two-factor authentication before permitting access to Microsoft 365. The solution requires deployment of the Duo Authentication Proxy on your internal network to verify primary logon credentials against AD. End users will sign in and perform 2FA at Duo’s cloud-hosted SSO service, and do not contact the on-premises authentication proxy servers directly.

For step-by-step deployment, see Duo SSO for Microsoft 365.

Converge - Deployment

Cisco ThousandEyes

Cisco ThousandEyes’ global vantage points are Linux-based software agents that allow users to run a variety of layered monitoring tests, to gain insight into network and application performance and user experience.

Cloud and Enterprise Agents are hosts containing Cisco ThousandEyes software capable of running instant or scheduled tests and device discoveries. The main (and almost only) difference between Cloud and Enterprise Agents is who deploys and manages them. Cloud Agents are deployed by Cisco ThousandEyes, on many locations across the globe, instantly available for your new tests. Enterprise Agents, on the other hand, are deployed by you, our customer, in locations of interest (branch offices for example). For this design guide, an Enterprise Agent will be installed in the branch network.

For step-by-step installation of the ThousandEyes enterprise agent, see installing the enterprise agent. For this design guide, an enterprise agent was installed as a container on the ISR4461 in the branch network. For further details see Extended Visibility with Cisco SD-WAN and Cisco ThousandEyes.

Note: Communication between the enterprise agent and the cloud will flow through Umbrella which has been configured to proxy all web traffic. As a result, the domain for ThousandEyes should be added to the selective decryption list so communication between agents and dashboard are not proxied.

Add Cisco ThousandEyes to the Selective Decryption List in Cisco Umbrella

Step 1.         In the Umbrella Dashboard, navigate to Policies > Policy Components > Selective Decryption Lists.

Step 2.         Click the dropdown button next to the list that is attached to the web policy.

Step 3.         In the Domains tab, click Add.

Step 4.         Type thousandeyes.com and click Add.

Graphical user interface, text, applicationDescription automatically generated

Step 5.         Save the policy.

Endpoint Agents are your Windows or macOS workstations that have ThousandEyes Endpoint Agent software installed. These agents, whenever they are present in one of the defined networks, collect network and application layer performance data as your users are accessing websites or applications on configured domains. In addition to that, Endpoint Agents provide basic support for running scheduled tests. Pulse version of Endpoint Agents are also available dedicated to running scheduled tests, these can be installed on customer hosts.

For a step-by-step installation of the ThousandEyes endpoint agent, see installing the endpoint agent. For this design guide, an endpoint agent was manually installed by directly downloading the agent on to the device. To install on multiple devices, a group policy can be created in Active Directory.

Cisco ThousandEyes Tests

ThousandEyes tests are classified into categories based on layers of operation:

      Routing Layer tests provide methods for collecting internet routing-related information.

      Network Layer tests measures network performance and path between agent and a target device.

      DNS Layer tests provide record validation and service performance metrics.

      Web Layer tests touch on various web technologies starting from the most basic measurement of availability of web server all the way up to performing precision transactions on a target.

      Voice Layer tests look at whether a connection can be established, as well as testing the exchange of packets after the connection is made.

This design guide will focus attention on  DNS and Web layer testing.

Step 1.             In the ThousandEyes Dashboard, navigate to Cloud & Enterprise Agents > Test Settings.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             Click Add New Test.

Step 3.             Using the default Web > HTTP Server test, add the URL for Salesforce.

Graphical user interface, text, application, emailDescription automatically generated

Step 4.             In the Agents drop-down menu, click the Enterprise label and select the ISR4461 installed in the branch network.

Graphical user interface, text, application, emailDescription automatically generated

Step 5.             Additionally, add some Cloud Agent connections for latency comparisons with the branch.

Graphical user interfaceDescription automatically generated

Step 6.             In the Advanced Settings tab, click the checkbox next to Verify Content.

Graphical user interface, text, application, emailDescription automatically generated

Step 7.             In the textbox, enter the value www.salesforce.com. Note: This extra validation is added when sending tests through the Umbrella web proxy. When content is blocked, Umbrella returns a blocked content page which results in a 200-status code which would normally indicate to the client that the connectivity has succeeded. We want the ThousandEyes test to fail on policy block, therefore we must check that the content is valid.

Step 8.             Click Create New Test.

Step 9.             Repeat for each test. For this design guide, the following additional tests were created

      https://office.com

      https://facebook.com

      https://linkedin.com

      http://app.cvdtest.net:3000 (private application in the data center)

Step 10.          To create a DNS test, navigate to Cloud & Enterprise Agents > Test Settings and click Add New Test.

Step 11.          Click the DNS Layer and choose DNS Server as the Test Type.

 

Graphical user interface, text, application, emailDescription automatically generated

Step 12.          Under Basic Configuration, choose a Domain that is commonly accessed by the organization.

Graphical user interface, applicationDescription automatically generated

Step 13.          In the Agents drop-down menu, choose the ISR4461 located in the branch network.

Step 14.          Enter the DNS Server IP address for the private network.

Graphical user interfaceDescription automatically generated

Step 15.          Click Create New Test.

Step 16.          Click Add New Test, but this time choose the Cloud Agent(s) for your region and enter the DNS Server addresses for Umbrella. This allows us to check the availability of Umbrella outside the local network in the case that the DNS is failing internally.

Graphical user interface, applicationDescription automatically generated

Note: All tests can be repeated for the endpoint agents located in the network.

Cisco SecureX

This deployment guide will primarily focus on the unified visibility and SSO capabilities of Cisco SecureX, by demonstrating the integrations it has with other products in the Cisco security portfolio. Other capabilities of SecureX, such as threat response and the dashboard ribbon can be explored further in the Cisco Breach Defense Design guide.

Cisco Umbrella

Step 1.             In the Umbrella Dashboard, navigate to Investigate > API Keys.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click Create New Token.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Enter a meaningful Title and click Create.

Graphical user interface, applicationDescription automatically generated

Step 4.             Take note of the Investigate API Token.

A picture containing graphical user interfaceDescription automatically generated

Step 5.             In the Umbrella Dashboard, navigate to Admin > API Keys.

Graphical user interface, applicationDescription automatically generated

Step 6.             If an Umbrella Reporting API Key does not already exist, click Create. Note: Only one instance of the API Key can exist for each function.

Related image, diagram or screenshot

Step 7.              Under What should this API do? click the Umbrella Reporting audio button and click Create.

Graphical user interface, text, application, emailDescription automatically generated

Step 8.             Take note of both the Reporting API Key and API Secret. Note: The secret will only be shown once. Make sure to store it in a secure location for future use.

Graphical user interface, text, application, emailDescription automatically generated

Step 9.             In the Umbrella Dashboard, navigate to Policies > Policy Components > Integrations.

Graphical user interface, applicationDescription automatically generated

Step 10.          Click Add.

Related image, diagram or screenshot

Step 11.          Give a meaningful Integration Name and click Create.

Related image, diagram or screenshot

Step 12.          Click the newly created integration, check the Enable box and click Save.

Graphical user interface, text, applicationDescription automatically generated

Step 13.          Click the integration to display the Custom Umbrella Integration URL.

Step 14.          In the SecureX Dashboard, navigate to Integration Modules > Available Integration Modules.

TimelineDescription automatically generated with low confidence

Step 15.          Under Cisco Products, search for Umbrella and click + New Module.

Graphical user interface, text, applicationDescription automatically generated

Step 16.          Enter a meaningful Integration Module Name.

Step 17.          Using the values generated in the previous steps, enter the required fields in the Investigate, Enforcement and Reporting forms.

Graphical user interface, text, application, emailDescription automatically generated

Step 18.          Click Save.

To enable SSO with SecureX in Umbrella, make sure the SecureX account is the same across all environments. If the user is not in the Umbrella organization, please add it under Admin > Accounts. Once completed, follow these deployment steps to enable SSO:

Step 1.             In the Umbrella Dashboard, navigate to Admin > Authentication.

Graphical user interface, applicationDescription automatically generated

Step 2.             Under SAML Dashboard User Configuration, click Configure.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.             Select Cisco SecureX sign-on and click Next.

Graphical user interface, text, applicationDescription automatically generated

Step 4.             Click Test Configuration to verify the setup and click Next.

Graphical user interface, text, application, emailDescription automatically generated

Step 5.             Agree to the conditions and click Save and Notify Users.

Graphical user interface, text, application, emailDescription automatically generated

Cisco Secure Endpoint

Step 1.             In the Cisco Secure Endpoint Dashboard, navigate to Accounts > API Credentials.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click New API Credential.

Graphical user interface, application, websiteDescription automatically generated

Step 3.             Enter a meaningful Application name and choose the desired Scope. Note: This design guide will only require the Read-only scope, however, the Read & Write scope has been chosen for readers who will also be using the Breach Defense guide and would like to take response actions with Secure Endpoint. Click Create.

Graphical user interface, textDescription automatically generated

Step 4.             From the API Key Details page, copy both the 3rd Party API Client ID and the API Key. Note: Do not close the tab without retrieving these values. The API key is not retrievable once the tab is closed.

Graphical user interface, textDescription automatically generated

Step 5.             In the SecureX Dashboard, navigate to Integration Modules > Available Integration Modules.

TimelineDescription automatically generated with low confidence

Step 6.             Under Cisco Products, search for AMP for Endpoints (former name to Secure Endpoint) and click + New Module.

Graphical user interface, application, TeamsDescription automatically generated

Step 7.             Add the 3rd Party API Client ID and the API Key from the previous steps.

Graphical user interface, text, application, emailDescription automatically generated

Step 8.             Click Save.

Note: SecureX SSO was enabled by default for the organization used in validating this design. If SSO is not enabled under Accounts > Organization Settings in the Secure Endpoint Dashboard, see Enabling Cisco SecureX Sign-On for Secure Endpoint.

SecureX Dashboard

Step 1.             In the SecureX Dashboard, click Customize.

Related image, diagram or screenshot

Step 2.             Give a meaningful Dashboard Name.

Graphical user interface, text, application, emailDescription automatically generated

Step 3.             Under Available Tiles, expand both AMP for Endpoints and Umbrella.

Step 4.             Choose the tiles that you would like to add to the SecureX Dashboard and click Save.

Graphical user interface, applicationDescription automatically generated

Validation Tests

Remote Worker to Public Application (SaaS)

A picture containing timelineDescription automatically generated

Figure 23.         

Roaming User to SaaS application through Umbrella

Validation Test #1 – Umbrella Roaming Client successfully installed with AnyConnect

Step 1.             On a roaming device from the AnyConnect installation steps, open AnyConnect Secure Mobility Client.

Graphical user interface, text, application, websiteDescription automatically generated

Step 2.             When on a network other than the office network, verify that Umbrella Roaming is active.

Graphical user interface, applicationDescription automatically generated

Step 3.             Also verify that Cisco Secure Endpoint (AMP Enabler) has been installed as part of AnyConnect.

Step 4.             In any browser, navigate to https://welcome.umbrella.com to verify that you are using Umbrella DNS.

Graphical user interface, application, websiteDescription automatically generated

Validation Test #2 – Umbrella Content Filtering is being applied

Step 1.             In any browser, navigate to https://facebook.com. The Umbrella block page should be returned.

Graphical user interface, applicationDescription automatically generated

Step 2.             In any browser, navigate to https://linkedin.com. Access to the site should be granted.

Graphical user interfaceDescription automatically generated with low confidence

Step 3.             In the Umbrella Dashboard, navigate to Reporting > Core Reports > Activity Search.

Graphical user interface, applicationDescription automatically generated

Step 4.             In the Filters tab, check the Blocked box under Response and click Apply.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 5.             Verify the entry for Facebook has been logged.

Related image, diagram or screenshot

Validation Test #3 – Umbrella DLP Policies have been triggered

Step 1.             In any browser, navigate to any cloud storage site. This design guide will use Box.

Graphical user interface, applicationDescription automatically generated

Step 2.             Upload a file containing random US credit card numbers. Example below.

6011 1834 5527 3209

Discover

6011 2150 2716 5024

Discover

4328 1373 5449 1554

Visa

5430 3563 9033 0772

MasterCard

6011 0430 8746 4644

Discover

6011 6766 2381 3665

Discover

Graphical user interface, application, TeamsDescription automatically generated

Step 3.             In the Umbrella Dashboard, navigate to Reporting > Additional Reports > Data Loss Prevention.

Graphical user interface, applicationDescription automatically generated

Step 4.             An event will be created for the file that was uploaded.

Graphical user interface, text, applicationDescription automatically generated

Validation Test #4 – Umbrella Remote Browser Isolation

Step 1.             In any browser, navigate to https://dropbox.com (the site chosen for our DLP policy).

Graphical user interface, text, application, TeamsDescription automatically generated

Step 2.             Download any file.

Step 3.             The file will download and open in a remote browser, which can be confirmed by looking at the URL of the opened file.

Graphical user interface, applicationDescription automatically generated

Step 4.             In the Umbrella Dashboard, navigate to Reporting > Core Reports > Activity Search.

Step 5.             In the Filters tab, check the Isolated box under Isolate and click Apply.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 6.             Verify that the session to Dropbox has been logged.

Graphical user interface, application, TeamsDescription automatically generated

Validation Test #5 – Intrusion Prevention System

Step 1.             Open a command prompt and type the following:

curl http://3.25.228.160/test.emf

Step 2.             In the Cisco Umbrella dashboard, navigate to Reporting > Core Reports > Activity Search.

Step 3.             Under IPS Signature filters, click Select All and then Apply.

Graphical user interface, applicationDescription automatically generated

Step 4.             The activity log should show an IPS log that triggered based on a Microsoft emf file download request.

Related image, diagram or screenshot

Validation Test #6 – Duo SSO for SaaS Applications

Step 1.             In any browser, navigate to https://login.microsoftonline.com and sign into your Microsoft 365 domain.

Graphical user interface, application, TeamsDescription automatically generated

Step 2.             Verify that the sign-on process is routed to Cisco Duo SSO.

Graphical user interface, applicationDescription automatically generated

Step 3.             Verify your identity with Cisco Duo MFA.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 4.             In the Duo Dashboard, navigate to Reports > Authentication Log and verify an SSO event was logged.

Related image, diagram or screenshot

Remote Worker to Private Application (VPNless)

A picture containing diagramDescription automatically generated

Figure 24.         

Roaming User to Private Application through Duo Network Gateway

Validation Test #1 – Verify Private Application can be reached from Public Internet

Step 1.             Using any browser on a client off network, navigate to the URL that was assigned to your application in the DNG installation.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             Sign into Cisco Duo SSO.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Verify your identity with Cisco Duo MFA.

Graphical user interface, applicationDescription automatically generated

Step 4.             The HTTPS should be proxied to the private application.

Graphical user interface, text, applicationDescription automatically generated

Step 5.             In the Duo Dashboard, navigate to Reports > Authentication Log.

Step 6.             Verify that the user connection has been logged.

Related image, diagram or screenshot

Validation Test #2 – Verify Application is restricted by User

Step 1.             Using any browser on a client off network, navigate to the URL that was assigned to your application in the DNG installation.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             Sign into Cisco Duo SSO using an account that was not added to the Duo Group Policy.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Duo will return a page to show that access has been denied.

Graphical user interface, text, applicationDescription automatically generated

Validation Test #3 – Verify Application is restricted by User location

Step 1.             On the client machine, use a VPN to connect to a location outside of the allowed locations. For this design guide, only devices in the United States are allowed access.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             Using any browser, navigate to the URL that was assigned to your application in the DNG installation.

Step 3.             Sign into Duo SSO.

Step 4.             Duo will return Login request denied.

Graphical user interface, text, applicationDescription automatically generated

Step 5.             In the Duo Dashboard, navigate to Reports > Denied Authentications.

Step 6.             Scroll down to Result Reasons and a Location restricted reason will be present.

Graphical user interface, applicationDescription automatically generated

Validation Test #4 – Verify Application is restricted by Device Health

Step 1.             On a trusted device, trigger a Cisco Secure Endpoint alarm. Example below.

Netsh interface portproxy add v4tov4 listenport-8001 connectport=80 connectaddress=127.0.0.1

TextDescription automatically generated

Step 2.             In Cisco Secure Endpoint Dashboard, navigate to Events.

Graphical user interface, applicationDescription automatically generated

Step 3.             Verify that an Indicator of Compromise (IoC) has occurred on the machine.

A screenshot of a computerDescription automatically generated with medium confidence

Step 4.             Using any browser on the trusted endpoint, navigate to the URL that was assigned to your application in the DNG installation. Duo prompt should return “We’re sorry. Access is not allowed.”.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Remote Worker to Private Application (VPN)

A picture containing graphical user interfaceDescription automatically generated

Figure 25.         

Roaming User to Private Application through VPN

Validation Test #1 – Verify User can connect to VPN

Step 1.             Using AnyConnect, connect to the IP/FQDN of the VPN firewall in the data center.

Graphical user interface, applicationDescription automatically generated

Step 2.             Verify your identity with Cisco Duo MFA.

TextDescription automatically generated

Step 3.             Once connected to VPN, navigate to an application on the internal network.

Graphical user interface, text, applicationDescription automatically generated

Validation Test #2 – Verify VPN access is restricted by Duo Policy

Step 1.             Using AnyConnect, connect to the IP/FQDN of the VPN firewall in the data center.

Step 2.             Use log-on credentials for a user who is not part of the VPN user group, as per policies created in the deployment steps.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             AnyConnect should return a failed login attempt.

Graphical user interface, text, applicationDescription automatically generated

Step 4.             In the Duo Dashboard, navigate to Reports > Authentication Log.

Step 5.             The Denied attempt should be logged for the user.

Related image, diagram or screenshot

Note: All other Duo policy tests work for the private application as they have in the public application validation tests.


 

Branch DIA

DiagramDescription automatically generated with medium confidence

Figure 26.         

Branch User to SaaS Application through Umbrella

Validation Test #1 – Verify Internet traffic flows through Umbrella

Step 1.             On a device in the branch network, navigate to any website.

A screenshot of a computerDescription automatically generated with medium confidence

Step 2.             In Umbrella, navigate to Reporting > Core Reports > Activity Search.

Step 3.             Verify there is an activity record to the chosen site with the identity of the network tunnel present.

Graphical user interface, applicationDescription automatically generated

Step 4.             Since the WAN edge devices are in a HA pair, disconnect the WAN connection of the primary device in the branch.

Step 5.             On the same branch device, generate more internet traffic.

Step 6.             In the Umbrella Dashboard, in the Reporting > Core Reports > Activity Search section, there should be activity records from the backup network device.

Related image, diagram or screenshot

Validation Test #2 – Umbrella Content Filtering is being applied

Step 1.             In any browser, navigate to https://facebook.com. The Umbrella block page should be returned.

Graphical user interface, applicationDescription automatically generated

Step 2.             In any browser, navigate to https://linkedin.com. Access to the site should be granted.

Graphical user interfaceDescription automatically generated with low confidence

Step 3.             In the Umbrella Dashboard, navigate to Reporting > Core Reports > Activity Search.

Graphical user interface, applicationDescription automatically generated

Step 4.             In the Filters tab, check the Blocked box under Response and click Apply.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 5.             Verify the entry for Facebook has been logged.

Related image, diagram or screenshot

Validation Test #3 – Umbrella Firewall policies are being triggered

Step 1.             Download and install the BitTorrent application onto the client machine.

Graphical user interface, text, applicationDescription automatically generated

Step 1.             In any browser, navigate to https://now.bt.co.

A screenshot of a computerDescription automatically generated with medium confidence

Step 2.             Download any file from the site.

Graphical user interface, applicationDescription automatically generated

Step 3.             Open the file on the client machine. This will attempt to download the file from a P2P network.

Graphical user interface, application, TeamsDescription automatically generated

A screenshot of a computerDescription automatically generated with medium confidence

Note: There is a chance that some files will make it into the network. In this case, Cisco Secure Endpoint will analyze any malicious files and block accordingly. Nevertheless, it was validated that no data was seeded to other clients, meaning 100% of outbound activity was blocked by Umbrella policy.

Step 4.             In the Umbrella Dashboard, navigate to Reporting > Core Reports > Activity Search.

Step 5.             In the Filters tab, check the Blocked box under Response and click Apply.

Step 6.             Verify the P2P activity has been logged.

TableDescription automatically generated

Validation Test #4 – Umbrella DLP Policies have been triggered

Step 1.             In any browser, navigate to any cloud storage site. This design guide will use Box.

Graphical user interface, applicationDescription automatically generated

Step 2.             Upload a file containing random US credit card numbers. Example below.

6011 1834 5527 3209

Discover

6011 2150 2716 5024

Discover

4328 1373 5449 1554

Visa

5430 3563 9033 0772

MasterCard

6011 0430 8746 4644

Discover

6011 6766 2381 3665

Discover

Graphical user interface, application, TeamsDescription automatically generated

Step 3.             In the Umbrella Dashboard, navigate to Reporting > Additional Reports > Data Loss Prevention.

Graphical user interface, applicationDescription automatically generated

Step 4.             An event will be created for the file that was uploaded.

Graphical user interface, text, applicationDescription automatically generated

Validation Test #5 – Umbrella Remote Browser Isolation

Step 1.             In any browser, navigate to https://dropbox.com (the site chosen for our DLP policy).

Graphical user interface, text, application, TeamsDescription automatically generated

Step 2.             Download any file.

Step 3.             The file will download and open in a remote browser, which can be confirmed by looking at the URL of the opened file.

Graphical user interface, applicationDescription automatically generated

Step 4.             In the Umbrella Dashboard, navigate to Reporting > Core Reports > Activity Search.

Step 5.             In the Filters tab, check the Isolated box under Isolate and click Apply.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 6.             Verify that the session to Dropbox has been logged.

Graphical user interface, application, TeamsDescription automatically generated

Validation Test #6 – Intrusion Prevention System

Step 1.             Open a command prompt and type the following:

curl http://3.25.228.160/test.emf

Step 2.             In the Cisco Umbrella dashboard, navigate to Reporting > Core Reports > Activity Search.

Step 3.             Under IPS Signature filters, click Select All and then Apply.

Graphical user interface, applicationDescription automatically generated

Step 4.             The activity log should show an IPS log that triggered based on a Microsoft emf file download request.

Related image, diagram or screenshot

Validation Test #7 – Duo SSO for SaaS Applications

Step 1.             In any browser, navigate to https://login.microsoftonline.com and sign into your Microsoft 365 domain.

Graphical user interface, application, TeamsDescription automatically generated

Step 2.             Verify that the sign-on process is routed to Cisco Duo SSO.

Graphical user interface, applicationDescription automatically generated

Step 3.             Verify your identity with Cisco Duo MFA.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 4.             In the Duo Dashboard, navigate to Reports > Authentication Log and verify an SSO event was logged.

Related image, diagram or screenshot

Validation Test #8 – ThousandEyes Observability matches desired outcomes

Step 1.             In the ThousandEyes dashboard, navigate to Dashboards.

Graphical user interface, applicationDescription automatically generated

Step 2.             Under Tests, verify that the blocked websites (Facebook and TikTok) are running at 0% availability.

Graphical user interface, textDescription automatically generated

Step 3.             Under Tests, verify that LinkedIn is running closer to 100% availability.

Graphical user interface, text, applicationDescription automatically generated

Step 4.             Under Tests, click Salesforce.

Graphical user interface, text, applicationDescription automatically generated

Step 5.             Under Views > Network click on Path Visualization.

Graphical user interface, applicationDescription automatically generated

Step 6.             To check the latency through Umbrella, highlight the branch node. In this case, latency is 7ms.

Graphical user interfaceDescription automatically generated with medium confidence

Step 7.             Hover over a cloud agent node and check the latency. A Cloud agent in the AT&T network has a  180ms latency to Salesforce.

Graphical user interfaceDescription automatically generated with low confidence

Branch to Data Center

DiagramDescription automatically generated with medium confidence

Figure 27.         

Branch User to Private Application in Data Center

Validation Test #1 – Private domain access does not flow through Umbrella

Step 1.         Using any browser while on a client in the branch network, navigate to a private application located in the Data Center. Internal traffic should be routed in the SD-WAN network, and not through Umbrella, where the internal domain would not be resolvable.

Graphical user interface, text, applicationDescription automatically generated

Note: This Design Guide is limited in scope, and therefore does not include security that would exist within the Data Center. An assumption has been made that the appropriate protections will be in place within the Data Center to protect private application access from users in the branch network.

Validation Test #2 – ThousandEyes Observability matches desired outcomes

Step 1.         In the ThousandEyes dashboard, navigate to Dashboards.

Graphical user interface, applicationDescription automatically generated

Step 2.         Under Tests, verify that the private application(s) is running near 100% availability.

Related image, diagram or screenshot

Appendix

Appendix A – Install the Cisco Umbrella Root Certificate

Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed. Typical errors include “The security certificate presented by this website was not issued by a trusted certificate authority” (Internet Explorer), “The site’s security certificate is not trusted!” (Google Chrome) or “This Connection is Untrusted” (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing. The example below shows how to install the root certificate to an Active Directory Network. For more examples see Install Cisco Umbrella Root Certificate.

Step 1.         In the Umbrella Dashboard, navigate to Deployments > Configuration > Root Certificate and download the Cisco Root Certificate Authority.

Graphical user interface, text, applicationDescription automatically generated

Step 2.             In the Active Directory server for your network, open Group Policy Management.

Graphical user interface, text, applicationDescription automatically generated

Step 3.             Right-click your domain root Organizational Unit (OU), which is displayed as your domain name, and select Create a GPO in this domain, and Link it here from the context menu.

Graphical user interface, text, application, emailDescription automatically generated

Step 4.             In the Name field of the New GPO dialog box, enter a meaningful name for the policy object.

Graphical user interface, text, application, emailDescription automatically generated

Step 5.             Right-click on the new Group Policy Object that was created in the previous step and click Edit.

Graphical user interface, applicationDescription automatically generated

Step 6.             Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and right-click Trusted Root Certification Authorities. Click Import.

Graphical user interface, textDescription automatically generated

Step 7.             In the Certificate Import Wizard click Browse and add the certificate downloaded from Umbrella in step 1. Click Next.

Graphical user interface, text, application, emailDescription automatically generated

Step 8.             Accept all default options until the final windows and click Finish.

Graphical user interfaceDescription automatically generated

Appendix B – Umbrella Web Selective Decryption List

For this design guide, Office 365 will be excluded from decryption through Umbrella. There are several known compatibility issues with Office 365 and web proxies and exempting Office 365 traffic authentication. Decryption can help with some of these issues.

Step 1.             In the Umbrella Dashboard, navigate to Policies > Policy Components > Selective Decryption Lists.

Graphical user interface, applicationDescription automatically generated

Step 2.             Click Add.

Related image, diagram or screenshot

Step 3.             Give a meaningful List Name to the decryption list.

Step 4.             Beside Applications Selected, click Add.

Graphical user interface, applicationDescription automatically generated

Step 5.             Search for Office 365 and click the checkbox to enable. Click Close.

Graphical user interface, text, applicationDescription automatically generated

Step 6.             Click Save.

To add more content that should bypass decryption, continue to add to this list using either a content category, application, or domain.

Appendix C – Using FTP to transfer files to IOS-XE

Step 1.         Connect to the IOS-XE router via console.

Step 2.         Enter configuration mode by typing the command config-t.

Step 3.         Enter the following commands to assign a private IP to an interface on the router and choose that interface as the source for FTP traffic:

interface GigabitEthernet0/0/1

  ip address 192.168.1.1 255.255.255.0

  no shut

  exit

ip ftp source-interface GigabitEthernet0/0/1

Step 4.         Connect a PC running an FTP server to port GigabitEthernet0/0/1 and assign it an IP in the 192.168.1.0/24 range.

Step 5.         Load the necessary file on the FTP server.

Step 6.         On the IOS-XE device, type the following command to copy the file to bootflash

copy ftp://user:pass@192.168.1.2/<filename> bootflash:

Appendix D - Acronyms Defined

Acronym

Definition

AMP

Advanced Malware Protection

ASA

Adaptive Security Appliance

ASDM

Adaptive Security Device Manager

CA

Certificate Authority

CASB

Cloud Access Security Broker

CDFW

Cloud Delivered Firewall

DIA

Direct Internet Access

DLP

Data Loss Prevention

DNG

Duo Network Gateway

DNS

Domain Name System

FMC

Firewall Management Center

FTD

Firepower Threat Defense

IoC

Indicator of Compromise

IPS

Intrusion Prevention System

MFA

Multi-Factor Authentication

MPLS

Multiprotocol Label Switching

MSP

Managed Service Provider

OU

Organizational Unit

P2P

Peer-to-Peer

PHI

Personal Health Information

PII

Personally Identifiable Information

RBI

Remote Browser Isolation

SaaS

Software as a Service

SASE

Secure Access Service Edge

SD-WAN

Software Defined Wide Area Network

SSL

Secure Sockets Layer

SSO

Single Sign-On

SWG

Secure Web Gateway

VPN

Virtual Private Network

Appendix E - References

      Cisco Breach Defense Design Guide

      Cisco SAFE

      Cisco SASE

      Cisco SD-WAN powered by Viptela

      Cisco SD-WAN Deployment Guide

      Cisco SD-WAN Design Guide

      Cisco SD-WAN Controller Setup Guide (On-Prem, Non-Cloud-Managed)

      Cisco SD-WAN How to Onboard a Remote Router into an Existing SD-WAN Fabric

      Cisco Secure Access by Duo

      Cisco ThousandEyes User Documentation

      Cisco Umbrella

      Cisco Umbrella User Documentation

      SASE for Dummies

Appendix F - Feedback

If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to ask-security-cvd@cisco.com.


 

Learn more