Security is a critical element of today's networking infrastructure. Network administrators and security officers are hard pressed to defend their network against attacks and breaches. As a result of hybrid clouds and remote employee connectivity, the security perimeter around networks is disappearing.

FedRAMP, the Federal Risk and Authorization Management Program, is a U.S.-government program that establishes a standardized approach for assessing, authorizing, and monitoring cloud service providers.

Cisco Catalyst SD-WAN for government incorporates encryption and security at its core:

• Creates a restricted space called the federal boundary within the AWS GovCloud (U.S.).

• Restricts access to federally cleared personnel.

• Runs in Federal Information Processing Standard (FIPS) mode for all controllers.

• Ensures that all data and control connections are Secure Hash Algorithm 2 (SHA-2) compliant.

• Provides enhanced user session management.

• Performs a real-time audit at the controller level.

• Provides an automated Plan of Actions and Milestones (POA&M) report.

• Enables customers to have their own dedicated Amazon Virtual Private Cloud (Amazon VPC) that automatically denies all HTTP requests unless specifically authorized.

• Ensures protection by AWS services such as AWS Application Load Balancer (ALB), AWS Web Application Firewall (WAF), and AWS Shield. All the web services are behind the ALB and WAF for protection. They are also protected from distributed denial of service (DDoS) attacks by the AWS Shield.

• Uses a role-based access without local users for Cisco Federal Operations, a Cisco team that maintains and monitors the environment.

Cisco Catalyst SD-WAN for government conducts annual penetration testing through Third-Party Assessment Organizations (3PAOs). In addition to testing, Tenable Security Center performs daily penetration scanning. Tenable Security Center is a component of the management Amazon VPC. For more information, see Cisco Catalyst SD-WAN components.

For more information on the general Cisco Catalyst SD-WAN security configuration, see the Security Configuration Guide, Cisco IOS XE Release 17.x.

For a complete list of the supported platforms for Cisco Catalyst SD-WAN for government, see the Supported Devices section of the Release Notes document for Cisco IOS XE Catalyst SD-WAN devices.

To be FedRAMP-compliant, ensure that you run Cisco vManage Release 20.9.1.1 and Cisco IOS XE Catalyst SD-WAN Release 17.9.1a or later releases. Upgrade to major releases as they become available.

Note	If you are using a hardware router, your device must be TAA-compliant. When ordering a device, ensure that the device's SKU is appended with ++. This indicates that the device is TAA-compliant. For more information, contact your Cisco sales representative.

There are two types of users for Cisco Catalyst SD-WAN for government:

• Customers, such as service providers, partners, and other end users.

• Cisco Federal Operations (FedOps): A Cisco team that maintains and monitors Cisco Catalyst SD-WAN for government.

  Note	Cisco FedOps cannot access the customers' Amazon VPCs.

The Cisco Catalyst SD-WAN for government cloud boundary has a customer Amazon VPC and a management Amazon VPC. Individual customers have their own exclusive Amazon customer VPCs.

In addition to the components listed in the table, to assist with the flow of data, the Cisco Catalyst SD-WAN for government solution uses Amazon Web Services' (AWS) Simple Queue Service (SQS), AWS Application Load Balancer (ALB), AWS Web Application Firewall (WAF), and the Amazon Aurora MySQL database. The network access control list (ACL) of the management Amazon VPC is managed using a Cisco Catalyst SD-WAN for government-approved instance of Okta.

In the Cisco Catalyst SD-WAN for government solution, Cisco vMonitor collects data and logs from a variety of systems to check the health of the system and identify issues. Cisco vMonitor uses the following sources:

• Cisco Data Collection Agents (DCA): These agents are used to collect health data from Cisco Catalyst SD-WAN for government. Data from all these Cisco DCAs is then sent to the Cisco Data Collection Service (DCS).

• Wazuh server: Monitors data from the Wazuh File Integrity Monitoring (FIM) server client. The controllers for the Cisco Catalyst SD-WAN for government solution have a built-in FIM server that collects audit logs and syslog changes. These changes are monitored by the Wazuh server for vulnerability vectors. All the data that is collected by the Cisco vMonitor server, and the vulnerabilities, are tagged and provided as POA&M reports.

• Okta: Cisco vMonitor polls the external Okta server that is used for MFA for Okta's logs on authentication and access attempts.

• Tenable Security Center: Performs vulnerability and compliance scans. This scanning is done on all the data in the customer Amazon VPC, and on every component in the management Amazon VPC, on a daily basis. The results of the scans are recorded in the Cisco vMonitor database.

Every connection, the location where data is stored, and file incident management events are pushed to the Cisco vMonitor database. If a critical issue is detected, the Cisco vMonitor database files a JIRA ticket and a POA&M alert. For more information on the JIRA tickets and POA&M alerts, see Plan of Action and Milestones.

To ensure that data is secure, it is stored in AWS GovCloud. All the data (at rest and in transit) and control connections are SHA-2 compliant. The following types of data are stored:

• Domains accessed

• Private IP addresses

• Customers that have accessed the solution

• Any sniffing that occurs on the network

The Cisco DCA is an agent that runs inside Cisco SD-WAN Manager, which can be hosted either on-premises or in the cloud. This Cisco DCA agent is used to report statistics, monitor, and provide telemetry data to Cisco Catalyst SD-WAN as long as the appropriate configurations are enabled.

To achieve this, the Cisco DCA contacts a service known as the Cisco DMS, which has relevant information regarding a customer’s overlay network, for example, which region the network is located in, what are the data storage preferences, and so on. The Cisco DCA authenticates itself with the Cisco DMS using the custom oAuth credentials that are generated per customer overlay network (and communicated out of band to the customer). If the Cisco DMS is able to authenticate the Cisco DCA, the former gives the latter an authentication token and redirects the Cisco DCA to the appropriate Cisco DCS.

The Cisco DCS is the entry point for all telemetry data to get into Cisco Catalyst SD-WAN. There may be many instances of the Cisco DCS service depending on the public cloud, region, and so on. The Cisco DCA uses the token obtained in the prior flow to authenticate itself with the Cisco DCS and exchanges it for a regional Cisco DCS token. Thereafter, this token is used by the Cisco DCA when pushing all kinds of data to the Cisco DCS.

The Cisco DCA periodically collects data from its Cisco Catalyst SD-WAN localhost and pushes that data to the Cisco DCS. The Cisco DCS in turn, saves the data as JSON files in the S3 bucket. For every new JSON file that the S3 bucket receives, a new-object-created event is sent to an AWS Simple Notification Service (SNS) topic. Since Cisco vMonitor has already subscribed the topic with an HTTPS endpoint, Cisco vMonitor servers receive HTTPS requests from an AWS SNS for all the S3 new-object-created events. Cisco vMonitor servers validate the HTTPS request and use the metadata inside to fetch the actual files on S3 and update the database.

Incident response provides a consistently effective means of responding to and reporting on security incidents of the system. It encompasses all the actions taken to quickly restore normal information technology (IT) services and to minimize adverse impacts on business operations. Cisco Catalyst SD-WAN follows the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Rev 2 definitions of an incident in determining when to activate the incident response team. The incident response plan coordinates with Cisco resources on an ongoing basis to remain prepared to identify, contain, eradicate, and recover from any incidents, if any, to the offering.

Responding to a security incident is not a single action, but an entire approach. This approach ensures that issues are detected and mitigated. The approach also has a step to recover from issues, if any, that were detected. It encompasses the following phases:

To use Cisco Catalyst SD-WAN for government, you must do the following:

1. Log in to the Cisco Catalyst SD-WAN Portal.

2. Create a Cisco Catalyst SD-WAN Cloud Hosted Fabric

3. Configure Cisco SD-WAN Manager.

4. Set up additional security features.

5. Monitor and manage your environment.