1. @arafkarsh arafkarsh
ARAF KARSH HAMID
Co-Founder / CTO
MetaMagic Global Inc., NJ, USA
8 Years Network & Security | 6+ Years Cloud Native Apps | 8 Years Cloud Computing | 8 Years Distributed Computing
Architecting & Building Apps
Microservice Architecture Series: Building Cloud Native Apps
Part 12 of 12: Zero Trust / SASE | Network / Security | Cisco SD-WAN / SD-Access | Cisco Secure Cloud Insights / Jupiter One | GRC / DevSecOps
2. @arafkarsh arafkarsh 2
Slides are color coded based on the topic colors.
1 Zero Trust: Perimeter Security | Zero Trust / NIST 800-207 | Beyond Corp / SDP | ZTX / CARTA / SASE
2 Network / Security: VXLAN / GRE / DMVPN / LISP / MPLS | SDN / SD-WAN | Service Mesh
3 Cisco Solutions: SD-WAN / SWG | DNA / ISE / SD-Access | Secure Cloud Insights | JupiterOne
4 Operations: DevOps | DevSecOps | Playbook
3. @arafkarsh arafkarsh
0
Setting up the Context
o Developer Journey
o US DoD: Maturation of SDLC Best Practices
o SANS: Cloud Security Architecture
DoD = Department of Defense
This is the final Part (12) of the Cloud Native App Architecture Series focused on Software Developers.
The objective of this Chapter is to give a good overview of the Networking and Security Landscape to developers, and of how they can contribute (Code / Service Mesh) towards the Security Measures handled by the Security Team.
This Section sets up the context for Networking / Security and Operations (DevSecOps).
4. @arafkarsh arafkarsh
Developer Journey
                    Monolithic                                     Microservices
Process             Waterfall / Agile Scrum (4-6 Weeks)            Scrum / Kanban (1-5 Days)
Design Patterns     Domain Driven Design, Event Sourcing and       Domain Driven Design, Event Sourcing and
                    CQRS (Optional)                                CQRS (Mandatory); Infrastructure Design Patterns
Delivery            Continuous Integration (CI); 6/12 Months       CI / CD / DevOps
Integration         Enterprise Service Bus                         Event Streaming / Replicated Logs
Data                Relational Database [SQL] / NoSQL              SQL / NoSQL
Teams / Runtime     Development | QA / QC | Ops                    Container Orchestrator | Service Mesh
6. @arafkarsh arafkarsh
SecOps / DevOps
6
Source: SCI – Your Eyes in the Sky By Al Huger, Nov 15, 2021
While SecOps starts on the left with security posture and attack surface management as its entry point, DevOps starts at the far right with the continuous integration and continuous delivery (CI/CD) pipeline and application/API security as its main concern.
As SecOps moves right and begins to influence the other stakeholders within a mature organization, DevOps shifts left to include pre-deploy checks that use runtime security inputs.
7. @arafkarsh arafkarsh
SANS Cloud Security Architecture Principles
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
• Think Components
• Design for Failure
• Always Think of Feedback Loops
• Use Different Storage Options
• Built-In Security at every Layer
• Focus on Centralization, Standards & Automation
• Design for Elasticity
8. @arafkarsh arafkarsh
1
Zero Trust
o Perimeter Security Vs. Zero Trust
o Google Beyond Corp
o NIST 800-207
o Forrester Zero Trust Extended
o Software Defined Perimeter
o Secure Access Service Edge
8
o Understand the Origin of
Zero Trust
o Issues with Perimeter
Security
o Zero Trust Concept based
on NIST Standards
o Implementing Zero Trust
using Software Defined
Perimeter
o Understanding SASE
Objectives
9. @arafkarsh arafkarsh
History: Evolution of Security & Threat
9
#   Time          Technology / Threats
1   Early 1990s   Anti Viruses / Viruses
2   Mid 1990s     Wardialing: testing an organization's list of phone numbers for the presence of modems. After the Telecommunications Consumer Protection Act of 2003 made it illegal to "dial for tone", war dialling died off.
3   Late 1990s    Firewalls / Deep Packet Inspection
4   Early 2000s   PKI: a public key infrastructure is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
5   Mid 2000s     Deperimeterization (Jericho Forum)
6   Late 2000s    Next Gen Firewalls
7   Early 2010s   Defense in Depth & APTs: an advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.
8   Mid 2010s     AI & Big Data
9   Late 2010s    Zero Trust
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
10. @arafkarsh arafkarsh
What Zero Trust is
10
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
• NOT A Next Generation Firewall / Security Device
• NOT A Next Generation Perimeter
• NOT A Next Gen VPN Solution
• NOT a Security Product
• NOT an IT Project
• NOT Eliminating your Intranet
• AND NOT About “Trusting No One”
11. @arafkarsh arafkarsh
How ZERO TRUST should Help Organization
11
• Business Focused (Enables Business)
• A (Architectural) State of Mind
• Same Security Principles for Internet & Intranet
• A Combination of Process and Technologies
• Reduced Complexity
• Better User Experience for SecOps and Partners
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
12. @arafkarsh arafkarsh
Perimeter Security Vs. Zero Trust
12
Classic Security Model: Perimeter Security
• Location based (External / Internal)
• Anyone inside the network is always trusted
• Based on Layered Security
• Goal: restrict everything to a secure Network
Zero Trust
1. Never Trust, Always Verify
2. Implement Least Privilege
3. (Always) Assume Breach
• Goal: protect Assets anywhere with a Central Policy
Forrester's John Kindervag 2010: No More Chewy Centers: Introducing The Zero Trust Model Of Information Security
Inspired from Jericho Forum Commandments v1.2 May 2007
Source: Microsoft: Jericho & Modern Security
13. @arafkarsh arafkarsh
Zero Trust: Access Management
13
• Least Privilege
• Every Access is limited to a
specific user, device, and
app or resource only
• Centralized
• Policies are centralized
across common IT Systems
• Policies are defined by
Business Team (Support
from IT)
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
• Dynamic
• Access Decisions are made
in real-time
• Context of the Access
influence the Decision
• Adaptive
• Open to Support new Auth
Protocols
• Constantly Evolving System
(Machine Learning, AI)
14. @arafkarsh arafkarsh
Zero Trust: Data
14
• Adopt the Principle of Least Privilege
• Access to the Data MUST be limited to a Specific user, device
and App or Resource Only
• Identify the User Persona and limit the access based on that
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
• Contextual Access Control
• Data Access Policies must be defined by the Business with the support of IT
• Access decisions must be made in real-time, as and when access is required.
• Operate Outside your Control
• Business needs to interact with the outside world
15. @arafkarsh arafkarsh
Zero Trust: Network
15
• It’s Application and User Centric and not Infra or Technology Centric
• No DMZ or VPN anymore: No Security Perimeter
• All Network Sessions MUST have Authentication and Authorization
• Only Secure (Encrypted) Protocols allowed on Network
• More than One way to Implement Zero Trust Network
• Network Micro Segmentation (Lots of Tiny Firewalls)
• Software Defined Perimeter (Lots of Tiny VPN)
• Identity Aware Proxy (Next Gen Web Access Management)
• All of the Above
Source: RSA Conference. Mar 17, 2019: Fallacy of Zero Trust Network By Paul Simmonds
16. @arafkarsh arafkarsh
Jericho: Zero Trust Fundamentals
16
JFC #4: Devices and applications must communicate using open, secure protocols.
JFC #5: All devices must be capable of maintaining their security policy on an un-trusted network. (Designed for the Internet)
JFC #6: All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place. (Multiple trust attributes: user, device, location, app etc.)
JFC #11: By default, data must be appropriately secured when stored, in transit, and in use.
Source: Jericho Forum Commandments v1.2 May 2007: https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
18. @arafkarsh arafkarsh
Google Beyond Corp: A New Approach to Enterprise Security
18
Source: 2014: Google BeyondCorp: A New Approach to Enterprise Security https://research.google/pubs/pub43231/
19. @arafkarsh arafkarsh
Google Beyond Corp: Design to Deploy
19
Source: 2016: Google BeyondCorp 2: Design to Deployment at Google https://research.google/pubs/pub44860/
BeyondCorp components (diagram, left to right):
1. Data Sources: Management Agents, Certificate Authorities, Asset Inventories, Exceptions, Others
2. Access Intelligence: Trust Inferer, Device Inventory Service, Access Control Engine, Access Policy
3. Gateways: Interactive Login, Network Switch, Web Proxy
4. Resources: Code Repository, Network VLAN, Bug Tracker
20. @arafkarsh arafkarsh
Google Beyond Corp: Design to Deploy
20
Source: 2016: Google BeyondCorp 2: Design to Deployment at Google https://research.google/pubs/pub44860/
Access requirements are organized into Trust Tiers representing levels of increasing sensitivity.
• Resources are an enumeration of all the applications, services, and infrastructure that are subject to access
control. Resources might include anything from online knowledge bases, to financial databases, to link-layer
connectivity, to lab networks. Each resource is associated with a minimum trust tier required for access.
• The Trust Inferer is a system that continuously analyses and annotates device state. The system sets the
maximum trust tier accessible by the device and assigns the VLAN to be used by the device on the corporate
network. These data are recorded in the Device Inventory Service. Re-evaluations are triggered either by state
changes or by a failure to receive updates from a device.
• The Access Policy is a programmatic representation of the Resources, Trust Tiers, and other predicates that
must be satisfied for successful authorization.
• The Access Control Engine is a centralized policy enforcement service referenced by each gateway that
provides a binary authorization decision based on the access policy, output of the Trust Inferer, the resources
requested, and real-time credentials.
At the heart of this system, the Device Inventory Service continuously collects, processes, and publishes changes
about the state of known devices.
Resources are accessed via Gateways, such as SSH servers, Web proxies, or 802.1x-enabled networks. Gateways
perform authorization actions, such as enforcing a minimum trust tier or assigning a VLAN.
21. @arafkarsh arafkarsh
NIST 800-207: Zero Trust Architecture
21
Source: NIST SP 800-207:Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Subject: a User, an Application, or a Device operating on (or with) a computer system which has access to an Enterprise Resource.
Resource: an Application, Document, Data, Database or Workload that is under the Enterprise's control and protected by the Zero Trust system.
Core logical components (diagram):
Control Plane: Policy Decision Point = Policy Engine + Policy Administrator. Inputs feeding the Policy Engine: CDM System, GRC System, Threat Intelligence, Activity Logs, Data Access Policy, PKI, IAM, SIEM.
Data Plane: Subject (User / App / Device) on the untrusted side → Policy Enforcement Point → Resource on the trusted side. The PEP exchanges control messages with the Policy Decision Point; data flows only through the PEP.
22. @arafkarsh arafkarsh
NIST 800-207: Zero Trust Architecture
22
Policy Decision Point = Policy Engine (PE) + Policy Administrator (PA); the Policy Enforcement Point (PEP) sits in the data path.
PE – Policy Engine: responsible for the decision to grant access to a resource for a given subject. The PE uses enterprise policy as well as input from external sources (e.g., CDM systems, threat intelligence, etc.) as input to a trust algorithm to grant, deny, or revoke access to the resource.
PA – Policy Administrator: responsible for establishing and/or shutting down the communication path between a subject and a resource. It generates any session-specific authentication / authorization token or credential used by a client to access an enterprise resource. The PA configures the PEP to allow the session to start; if the session is denied, the PA signals the PEP to shut down the connection.
PEP – Policy Enforcement Point: responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource. The PEP communicates with the PA to forward requests and/or receive policy updates from the PA.
Source: NIST 800-207 https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
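The PE / PA / PEP split above is easier to see as control flow than as three definitions. The block below is an added example, not code from NIST SP 800-207 or from the slides: the class names, the CDM posture feed, the role-based policy and the sample subjects are this example's own constructions, and the trust algorithm is kept deliberately simple so that the hand-offs between the three components (PE decides, PA mints the session credential and configures the PEP, PEP forwards or drops, PA revokes when an input changes) are the point.

```python
"""Added example (not from NIST SP 800-207 or the slides): a minimal model of
the PE / PA / PEP split in NIST SP 800-207.  Class names, the CDM feed, the
role-based policy and the sample subjects are this example's own assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Subject:
    user: str
    device_id: str
    role: str


@dataclass
class CdmFeed:
    """Stand-in for a Continuous Diagnostics and Mitigation feed: the device
    posture the PE consults on every decision (constructed data)."""
    compliant: Dict[str, bool] = field(default_factory=dict)


class PolicyEngine:
    """PE: grant / deny / revoke for (subject, resource) from enterprise policy
    plus external inputs, here only the CDM posture feed."""
    def __init__(self, cdm: CdmFeed, policy: Dict[str, Set[str]]):
        self.cdm, self.policy = cdm, policy        # policy: resource -> allowed roles

    def decide(self, subject: Subject, resource: str) -> bool:
        role_ok = subject.role in self.policy.get(resource, set())
        posture_ok = self.cdm.compliant.get(subject.device_id, False)
        return role_ok and posture_ok


class PolicyEnforcementPoint:
    """PEP: in the data path.  It never decides; it forwards only sessions the
    PA has enabled and tears them down when the PA says so."""
    def __init__(self):
        self.enabled: Dict[str, str] = {}          # session token -> resource
        self.audit: List[Tuple[str, str]] = []

    def enable(self, token: str, resource: str) -> None:
        self.enabled[token] = resource

    def terminate(self, token: str) -> None:
        self.enabled.pop(token, None)
        self.audit.append(("terminated", token))

    def forward(self, token: str, resource: str) -> bool:
        ok = self.enabled.get(token) == resource   # token is bound to one resource
        self.audit.append(("forward" if ok else "drop", resource))
        return ok


class PolicyAdministrator:
    """PA: asks the PE, mints the session credential, configures the PEP, and
    re-evaluates live sessions when inputs change."""
    def __init__(self, pe: PolicyEngine, pep: PolicyEnforcementPoint):
        self.pe, self.pep = pe, pep
        self.sessions: Dict[str, Tuple[Subject, str]] = {}

    def request_access(self, subject: Subject, resource: str) -> Optional[str]:
        if not self.pe.decide(subject, resource):
            return None                            # denied: PEP is never configured
        token = secrets.token_hex(16)              # session-specific credential
        self.sessions[token] = (subject, resource)
        self.pep.enable(token, resource)
        return token

    def reevaluate(self) -> List[str]:
        """Called on a CDM / threat-intel change: any live session the PE no
        longer approves is shut down at the PEP (the 'revoke' outcome)."""
        revoked = []
        for token, (subject, resource) in list(self.sessions.items()):
            if not self.pe.decide(subject, resource):
                self.pep.terminate(token)
                del self.sessions[token]
                revoked.append(token)
        return revoked


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: one compliant laptop, one finance user, one engineer."""
    cdm = CdmFeed(compliant={"laptop-1": True})
    pe = PolicyEngine(cdm, policy={"payroll-db": {"finance"}})
    pep = PolicyEnforcementPoint()
    pa = PolicyAdministrator(pe, pep)
    alice = Subject("alice", "laptop-1", "finance")
    bob = Subject("bob", "laptop-1", "engineering")

    tok = pa.request_access(alice, "payroll-db")
    granted = tok is not None and pep.forward(tok, "payroll-db")
    wrong_role_denied = pa.request_access(bob, "payroll-db") is None
    scoped = not pep.forward(tok, "hr-db")          # same token, other resource: drop
    cdm.compliant["laptop-1"] = False                # posture degrades mid-session
    revoked_mid_session = pa.reevaluate() == [tok] and not pep.forward(tok, "payroll-db")
    return granted, wrong_role_denied, scoped, revoked_mid_session
```

The last step is the one that distinguishes a Zero Trust PDP from a login gate: the decision is not made once at connect time, the PA re-runs the PE over live sessions when a posture or threat input changes and the PEP drops the session without any action by the subject.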
23. @arafkarsh arafkarsh
Google Beyond Corp: with NIST 800-207
23
Source: 2016: Google BeyondCorp 2: Design to Deployment at Google https://research.google/pubs/pub44860/
BeyondCorp components mapped onto the NIST 800-207 roles (diagram):
1. Data Sources: Management Agents, Certificate Authorities, Asset Inventories, Exceptions, Others
2. Access Intelligence = Policy Decision Point: Trust Inferer, Device Inventory Service, Access Control Engine, Access Policy
3. Gateways = Policy Enforcement Points: Network PEP (Access Proxy: Interactive Login, Network Switch, Web Proxy) and Application PEP
4. Resources: Code Repository, Network VLAN, Bug Tracker
24. @arafkarsh arafkarsh
3 Types of PEP: Policy Enforcement Points
24
User Agent PEP: runs on the user device (laptops, smart devices, desktops etc.), provides the secure connection to the resource, and introspects the device to feed policy inputs such as device configuration, security posture and geo-location. It can also interact with the user when additional authentication is required.
Application PEP: there are two types, external and internal. An internal Application PEP runs alongside the workload (sidecar pattern) and focuses on application access based on user / service authentication and authorization. External Application PEPs are linked to systems like PAM or DLP.
Network PEP: the simplest of the three categories. Network PEPs already exist to some extent in any classic setup, for example enterprise firewalls (Next Gen Firewalls). They operate at the network layer enforcing traffic policies, and can also inspect data or metadata to enforce policy.
NIST 800-207 Zero Trust Architecture
25. @arafkarsh arafkarsh
NIST 800-207: Deployment Models
25
Source: NIST SP 800-207:Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
1. Resource Based Deployment Model
2. Enclave Based Deployment Model
3. Cloud Routed Deployment Model
4. Micro Segmented Deployment Model
26. @arafkarsh arafkarsh
NIST 800-207: Resource Based
26
Resource Based Deployment Model
Source: NIST SP 800-207:Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: Subject (User / App on a Device running a Device Agent PEP) → data path → Policy Enforcement Point Gateway → Resource. Both PEPs exchange control messages with the Policy Decision Point (Policy Engine + Policy Administrator) in the Control Plane; the Implicit Trust Zone is only the hop between the gateway and the resource.
Pros
• End to end control of app and network traffic
• Trust zone sits behind the gateway
Cons
• A PEP has to be deployed for the device and for the resource
• Push back from app / resource owners
• Requires a 1:1 relationship between subject and resource
• Must still be deployable in front of legacy apps / resources
Resource = Data, Documents, Apps, Services, Files etc.
27. @arafkarsh arafkarsh
NIST 800-207: Enclave Based
27
Enclave Based Deployment Model
Source: NIST SP 800-207:Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: Subject (User / App on a Device running a Device Agent PEP) → data path → Policy Enforcement Point Gateway → Resource Enclave (several resources behind one gateway). Control messages flow between the PEPs and the Policy Decision Point (Policy Engine + Policy Administrator); the whole enclave behind the gateway is the Implicit Trust Zone.
Pros
• Easy to deploy for resources
• Fewer PEPs deployed
• PEPs can run at the edge of the network
Cons
• Large and opaque resource zones
• PEPs represent a new type of ingress point into the enterprise network
Resource = Data, Documents, Apps, Services, Files etc.
28. @arafkarsh arafkarsh
NIST 800-207: Cloud Routed
28
Cloud Routed Deployment Model
Source: NIST SP 800-207:Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: Subject (User / App on a Device running a Device Agent PEP) → data path → cloud-hosted PEP (co-located with the Policy Decision Point in the Control Plane) → Policy Enforcement Point Gateway → Resource Enclave. All subject traffic is routed through the cloud PEP before it reaches the gateway in front of the enclave; the enclave is the Implicit Trust Zone.
Pros
• Easy to set up for enterprises
• Reduces the operational overhead
• A Secure Web Gateway enables multi-cloud or hybrid cloud environments
Cons
• Adds latency to user traffic
• Limited network protocol support
• Large and opaque trust zones
Resource = Data, Documents, Apps, Services, Files etc.
29. @arafkarsh arafkarsh
NIST 800-207: Micro Segmentation
29
Micro Segmentation Deployment Model
Source: NIST SP 800-207:Zero Trust Architecture https://csrc.nist.gov/publications/detail/sp/800-207/final
Diagram: every Subject / Resource pair has its own PEP (including a Device Agent PEP on the user's device); all PEPs exchange control messages with the single Policy Decision Point in the Control Plane, and data flows PEP to PEP in both directions. Each Implicit Trust Zone is a single resource.
Pros
• Small implicit trust zone
• Bi-directional, good for microservices implementations
Cons
• Large PEP deployment
• Potential conflicts
• Direct access to PEPs by subjects
• Potential for push back from app owners
Resource = Data, Documents, Apps, Services, Files etc.
30. @arafkarsh arafkarsh
NIST 800-162: Attribute Based Access Control
30
Source: Page 17 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
An access control method where
• a subject's requests to perform operations on objects are granted or denied
• based on assigned attributes of the subject,
• assigned attributes of the object,
• environment conditions,
• and a set of policies that are specified in terms of those attributes and conditions.
31. @arafkarsh arafkarsh
NIST 800-162: Attribute Based Access Control
31
Source: Page 18 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
1. Subject requests access to object
2. Access Control Mechanism evaluates
   a) Rules,
   b) Subject Attributes,
   c) Object Attributes,
   d) Environment Conditions
   to compute a decision
3. Subject is given access to object if authorized
32. @arafkarsh arafkarsh
NIST 800-162: Attribute Based Access Control
32
A subject is a human user or NPE (non-person entity), such as a device, that issues access requests to perform operations on objects. Subjects are assigned one or more attributes.
An object is a system resource for which access is managed by
the ABAC system, such as devices, files, records, tables,
processes, programs, networks, or domains containing or
receiving information. It can be the resource or requested
entity, as well as anything upon which an operation may be
performed by a subject including data, applications, services,
devices, and networks.
Source: Page 17 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
33. @arafkarsh arafkarsh
NIST 800-162: Attribute Based Access Control
33
• An operation is the execution of a function at the request of a subject
upon an object. Operations include read, write, edit, delete, copy,
execute, and modify.
• Policy is the representation of rules or relationships that makes it
possible to determine if a requested access should be allowed, given the
values of the attributes of the subject, object, and possibly environment
conditions.
• Environment conditions: operational or situational context in which
access requests occur. Environment conditions are detectable
environmental characteristics. Environment characteristics are
independent of subject or object, and may include the current time, day
of the week, location of a user, or the current threat level.
Source: Page 17 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
34. @arafkarsh arafkarsh
NIST 800-162: ABAC in Action
34
Source: Page 19 NIST 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
• Each object within the system must be assigned specific object attributes that characterize the object.
• Some attributes pertain to the entire instance of an object, such as the owner.
• Other attributes may only apply to parts of the object. For example, a document object could be owned by organization A, have a section with intellectual property from organization B, and be part of a program run by organization C.
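The document-owned-by-A / section-from-B / program-run-by-C case above is exactly where ABAC differs from a role check, so it is worth seeing the mechanism in code. The block below is an added example, not code from NIST SP 800-162 or from the slides: the attribute names, the four rules, the sample document and the sample subjects are this example's own constructions. It evaluates a whole-object decision first and then a per-part decision, so one reader can be allowed the document but denied the restricted section inside it.

```python
"""Added example (not from NIST SP 800-162 or the slides): an access control
mechanism in the shape SP 800-162 describes: subject attributes, object
attributes (some for the whole object, some only for one part of it),
environment conditions, and policy rules written over those attributes.
Attribute names, rules and sample data are this example's own assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Set


@dataclass
class Subject:
    user_id: str
    org: str
    clearance: int
    programs: Set[str] = field(default_factory=set)


@dataclass
class Part:
    """One section of a document with its own attributes (SP 800-162: attributes
    that apply only to parts of the object)."""
    name: str
    owner: str              # organisation whose intellectual property this is
    classification: int
    restricted: bool        # True: only the owning organisation may read it


@dataclass
class Document:
    doc_id: str
    owner: str              # attribute that applies to the whole object
    program: str
    classification: int
    parts: List[Part] = field(default_factory=list)


@dataclass
class Environment:
    now: datetime
    threat_level: str       # "low" | "elevated" | "high"
    network: str            # "corp" | "internet"


Rule = Callable[[Subject, object, str, Environment], bool]


def rule_clearance(s, o, op, env) -> bool:
    return s.clearance >= o.classification


def rule_need_to_know(s, o, op, env) -> bool:
    # Whole-object rule: the owner's staff, or members of the program it belongs to.
    if isinstance(o, Document):
        return s.org == o.owner or o.program in s.programs
    return True


def rule_part_owner(s, o, op, env) -> bool:
    # Part-level rule: a restricted section is visible only to the org that owns it.
    if isinstance(o, Part) and o.restricted:
        return s.org == o.owner
    return True


def rule_write_window(s, o, op, env) -> bool:
    # Environment conditions: writes only from the corporate network, during
    # working hours, and never while the threat level is high.
    if op != "write":
        return True
    return env.network == "corp" and 8 <= env.now.hour < 18 and env.threat_level != "high"


POLICY: List[Rule] = [rule_clearance, rule_need_to_know, rule_part_owner, rule_write_window]


def authorize(s: Subject, o, op: str, env: Environment, policy: List[Rule] = POLICY) -> bool:
    """Access Control Mechanism: deny unless every rule in the policy passes."""
    return all(rule(s, o, op, env) for rule in policy)


def readable_parts(s: Subject, doc: Document, env: Environment) -> List[str]:
    """Decide on the whole object first, then on each part, so the reader only
    sees the sections whose attributes they satisfy."""
    if not authorize(s, doc, "read", env):
        return []
    return [p.name for p in doc.parts if authorize(s, p, "read", env)]


# Constructed sample: the document from the slide, owned by A, with a section of
# B's intellectual property, belonging to a program run by C.
SPEC = Document("spec-42", owner="OrgA", program="ProgC", classification=2, parts=[
    Part("Overview", owner="OrgA", classification=1, restricted=False),
    Part("Design", owner="OrgB", classification=2, restricted=True),
])
ALICE = Subject("alice", org="OrgA", clearance=2)                       # owner's staff
BOB = Subject("bob", org="OrgB", clearance=2, programs={"ProgC"})       # contributed the IP
CAROL = Subject("carol", org="OrgC", clearance=2, programs={"ProgC"})   # runs the program
DAVE = Subject("dave", org="OrgA", clearance=1)                         # owner's staff, low clearance
OFFICE_HOURS = Environment(datetime(2024, 3, 5, 10, 0), "low", "corp")
```

With these inputs Alice (OrgA) and Carol (OrgC, program member) can read the document but only its "Overview" section, Bob (OrgB) can additionally read the "Design" section that carries his organisation's IP, and Dave is refused at the document level because his clearance is too low. The same policy refuses Alice a write at 20:00, from the internet, or while the threat level is high, without any change to her role.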
38. @arafkarsh arafkarsh
Forrester: Zero Trust eXtended (ZTX)
38
Forrester Zero Trust eXtended Ecosystem: Aug 11, 2020
Four levels: Zero Trust Strategy → Zero Trust Capability → Zero Trust Technology → Zero Trust Feature
• Strategy: the goal is to evolve towards a Zero Trust Architecture or to encrypt all sensitive data
• Capability, for example Data Security: security teams need the ability to inventory, classify, obfuscate, archive, or delete data according to policy
• Technology / Feature: ask "What capabilities does this technology support and where does it specifically plug into my team's Zero Trust strategy?"
39. @arafkarsh arafkarsh
Gartner: CARTA: 7 Core Areas
39
Continuous Adaptive Risk and Trust Assessment approach
Source: Gartner 2018
1. Replace one-time security gates with context aware, adaptive & programmable security platforms
2. Continuously discover, monitor, assess and prioritize risk, proactively and reactively
3. Perform risk and trust assessment early in digital business initiatives
4. Instrument infrastructure for comprehensive, full-stack risk visibility, including sensitive data handling
5. Use analytics, AI, automation and orchestration to speed the time to detect and respond, and to scale
6. Architect security as an integrated, adaptable, programmable system, not silos
7. Put continuous data-driven risk decision making and risk ownership into BUs and product owners
40. @arafkarsh arafkarsh
Software Defined Perimeter – Context
40
o Classic network design creates a fixed perimeter dividing the external network from the internal network, using routers, firewalls, and other access control devices.
o The classic network concept is based on visibility and accessibility.
1. Today's network is fluid, with hybrid clouds, IaaS, PaaS, SaaS, IoT, etc., all with multiple entry points.
2. This is further complicated by contractors, remote / mobile users, BYOD etc.
These conditions give rise to the Software Defined Perimeter in place of a traditional fixed perimeter.
Cloud Security Alliance: May 27, 2020: SDP and Zero Trust
41. @arafkarsh arafkarsh
Software Defined Perimeter
41
• SDP abstracts and hides internet-connected infrastructure (routers, servers etc.), irrespective of whether that infrastructure is on-premise or in the cloud.
• SDP secures the user, the application and the connectivity.
• Instead of a traditional hardware-based perimeter, SDP is completely software driven.
• A VPN connects users to the network after a simple authentication.
• SDP connects users only to the required resource, using real-time contextual risk assessment to determine user access.
Gartner predicted that by 2023, 60% of enterprises would phase out most of their remote-access VPNs in favor of ZTNA.
Cloud Security Alliance: May 27, 2020: SDP and Zero Trust
42. @arafkarsh arafkarsh
Software Defined Perimeter – Principles
42
1. Separation of Control Plane and Data Plane. Access by users, devices etc. is controlled through the control plane, which the SDP Controller handles.
2. Separation of logical and physical components. The connections between hosts are virtualized using overlay tunnels.
3. Authenticating the hosts. Only authorized systems / services are allowed to communicate.
4. Validating the hosts against a set of policies: checking for the absence of malware, allowed applications, business policies such as time of day, and external threat intelligence databases.
Source: IEEE Software-Defined Perimeters: An Architectural View of SDP
SDP is not a replacement for existing solutions; it augments existing solutions such as SDN.
43. @arafkarsh arafkarsh
Software Defined Perimeter: Architecture
43
Cloud Security Alliance: May 27, 2020: SDP and Zero Trust
Cloud Security Alliance: May 27, 2020: SDP and Zero Trust
Source: https://cloudsecurityalliance.org/artifacts/sdp-architecture-guide-v2/
Diagram: Control Plane: SDP Controller = Policy Decision Point. Data Plane: Subject (User / App / Device) with SDP Client (IH: Initiating Host) → SDP Gateway = Policy Enforcement Point (AH: Accepting Host) → Resource. Control messages flow between the SDP Client / SDP Gateway and the SDP Controller; data flows only through the gateway.
SDP requires 2 security modules:
1. mTLS
2. SPA
The model depicted is similar to the Enclave based model in the NIST 800-207 architecture; the NIST team defined that model based on the Cloud Security Alliance SDP architecture.
44. @arafkarsh arafkarsh
SDP – Secure Communications
44
mTLS – Mutual Transport Layer Security
• Both client and server validate the other side's certificate
• Each side must hold the root (CA) certificate that issued the other side's certificate
• Mitigates man-in-the-middle attacks
SPA – Single Packet Authorization: Authenticate before Connect
• Default policy in the SDP Gateway is Drop All Packets
• Based on RFC 4226: HOTP (An HMAC-Based One-Time Password Algorithm)
• SPA happens before the TLS connection
• For a valid SPA packet, a firewall rule is created that allows the mTLS connection from that client
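The "drop all, authenticate before connect" sequence is short enough to show end to end. The block below is an added example, not code from the Cloud Security Alliance SDP specification or from the slides: the HOTP function follows RFC 4226 (it can be checked against the test vectors in the RFC's appendix), while the `client:counter:code` packet format, the counter look-ahead window, the 30-second rule lifetime, the iptables rule text and the client / secret data are this example's own assumptions. The gateway never answers a knock, valid or not, so a scanner sees a dark host; a counter value is burnt once accepted, so a captured knock cannot be replayed.

```python
"""Added example (not from the CSA SDP spec or the slides): HOTP (RFC 4226)
plus a toy Single Packet Authorization gateway built on it.  The packet
format, look-ahead window, rule lifetime and client data are assumptions."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit value, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SpaGateway:
    """Accepting Host side of SPA: everything is dropped by default; one valid
    UDP packet opens a short-lived, source-specific rule for the mTLS port.
    Nothing is ever sent back, so port scans see a dark host."""
    LOOK_AHEAD = 20           # max counter drift tolerated (assumption)
    RULE_TTL = 30             # seconds the firewall hole stays open (assumption)
    MTLS_PORT = 443

    def __init__(self, clients: Dict[str, bytes]):
        self.secrets = clients                                  # client_id -> shared secret
        self.last_counter: Dict[str, int] = {c: -1 for c in clients}
        self.open_rules: Dict[Tuple[str, int], float] = {}     # (src_ip, port) -> expiry

    def handle_packet(self, src_ip: str, payload: bytes, now: float = None) -> Optional[str]:
        """Returns the firewall rule that was added, or None if the packet was dropped."""
        now = time.time() if now is None else now
        try:
            client_id, counter_s, code = payload.decode("ascii").split(":")
            counter = int(counter_s)
        except (ValueError, UnicodeDecodeError):
            return None                              # malformed: drop silently
        secret = self.secrets.get(client_id)
        if secret is None:
            return None                              # unknown client: drop silently
        last = self.last_counter[client_id]
        if not (last < counter <= last + self.LOOK_AHEAD):
            return None                              # replayed or out-of-window counter
        if not hmac.compare_digest(code, hotp(secret, counter)):
            return None                              # wrong code: counter is NOT burnt
        self.last_counter[client_id] = counter       # burn this counter value
        self.open_rules[(src_ip, self.MTLS_PORT)] = now + self.RULE_TTL
        # Rule text only; this example records the opening, it does not run iptables.
        return (f"iptables -I INPUT -s {src_ip} -p tcp --dport {self.MTLS_PORT} "
                f"-m conntrack --ctstate NEW -j ACCEPT")

    def is_open(self, src_ip: str, port: int, now: float = None) -> bool:
        now = time.time() if now is None else now
        expiry = self.open_rules.get((src_ip, port))
        return expiry is not None and now < expiry


class SpaClient:
    """Initiating Host side: keeps its own counter and emits the knock packet."""
    def __init__(self, client_id: str, secret: bytes):
        self.client_id, self.secret, self.counter = client_id, secret, 0

    def knock(self) -> bytes:
        self.counter += 1
        return f"{self.client_id}:{self.counter}:{hotp(self.secret, self.counter)}".encode()
```

Two practitioner caveats that the slide's bullet list does not cover: the NEW-state accept rule has to be paired with the usual ESTABLISHED,RELATED rule and removed when it expires, otherwise the hole stays open for the life of the host; and a six-digit HOTP code inside a look-ahead window is brute-forceable by an attacker who can spoof the source address, which is why production SPA implementations authenticate the entire packet (including the source IP and a timestamp) with a full-length HMAC rather than a truncated OTP.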
45. @arafkarsh arafkarsh
Deployment modes of Software Defined Perimeter
45
As defined by the Cloud Security Alliance:
• Client-Gateway: SDP uses a proxy that arbitrates connections between clients and a set of protected servers. A client connects to a gateway which in turn provides access to the hosts that provide services.
• Client-Server: there is no gateway proxy sitting between the client and server. The clients connect directly to the hosts.
• Server to Server: used for servers offering services (via REST APIs) to applications.
• Client to Server to Client: peer to peer connections between clients.
Source: IEEE Software-Defined Perimeters: An Architectural View of SDP
47. @arafkarsh arafkarsh
SASE: Secure Access Service Edge
47
Created by Gartner: Six Core Technologies of SASE
Network: SD-WAN
Security: ZTNA (Zero Trust Network Access), SWG (Secure Web Gateway), CASB (Cloud Access Security Broker), FWaaS (Firewall as a Service), DNS Security
48. @arafkarsh arafkarsh
SASE: Overview
48
Entities Anywhere (Users, Devices, Locations) → Identity Context → SASE Cloud Infrastructure → Zero Trust Access → Resources Everywhere (Public Cloud, Data Center, Edge)
SASE Cloud Infrastructure: Consistent Network & Security Policy | WAN Edge Infrastructure / Services | Security Services Edge | Threat Awareness | Sensitive Data Awareness | Consistent User Experience
Source: Gartner 2021 Strategic Roadmap for SASE Convergence, March 25, 2021, by Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa
49. @arafkarsh arafkarsh
SASE: Detailed View
49
Entities Anywhere: Employees, Contractors, Partners, Devices, Distributed Apps, Remote, Mobile, Offices, Edge
→ User / Device Identity Context → SASE Cloud Infrastructure → Zero Trust Access →
Resources Everywhere: Applications, APIs, Data, Devices, SaaS, IaaS, Data Center, Branch, Edge
SASE Cloud Infrastructure: Consistent Network & Security Policy | Threat Awareness | Sensitive Data Awareness | Consistent User Experience
• WAN Edge Services: SD-WAN, WAN Optimization, QoS, Routing, SaaS Acceleration, Content Delivery / Caching, ...
• Security Services Edge: Secure Web GW, CASB, ZTNA / VPN, FWaaS, Remote Browser Isolation, Encryption / Decryption, ...
Source: Gartner 2021 Strategic Roadmap for SASE Convergence, March 25, 2021, by Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa
52. @arafkarsh arafkarsh
SASE: Reference Architecture
52
SASE Reference Architecture
based on Network as a
Service Model
Source: Cisco: SASE with Savvy The Keys to an Effective Secure Access Service Edge Solution
As workloads become cloud native in hybrid, multi-cloud environments, Cisco Umbrella together with Cisco SD-WAN is one implementation of the SASE framework.
53. @arafkarsh arafkarsh
SASE Framework: Summary
53
Source: July 21, 2021: Steve Murphy SASE and Secure Web Gateway
Secure Access Framework to Manage
• Cloud Environment (Hybrid, Multi Cloud)
• Distributed Workforce (Remote, WFH)
Focuses on delivering adaptive access & security to users
• Direct Access to Cloud (SD-WAN)
• Eliminate backhaul to Security Stack
Users can access Apps/Data from Any Device from Any Location
• Security is Applied based on Context
54. @arafkarsh arafkarsh
2
Network / Security
o VXLAN / GRE / DMVPN / MPLS / LISP
o SDN / SD-WAN
o Zero Trust / VPN
o Service Mesh
54
o Understanding of Overlay
Networking
o Understanding of GRE /
DM VPN / LISP / MPLS
o Understanding of Software
Defined Networking
o Understanding of SD-WAN
o Understanding of Service
Mesh
Objectives
55. @arafkarsh arafkarsh
Networking
o Overlay Network VXLAN
o GRE / mGRE / DM VPN / IPSec /
o LISP : Location ID Separation Protocol
o MPLS : Multi Protocol Label Switching
o SDN : Software Defined Networking
o SD-WAN : Software Defined – WAN
o SD-WAN : Zero Touch Provisioning
o SD-WAN : Public / Private WAN
55
57. @arafkarsh arafkarsh
Networking Glossary
Netfilter – Packet Filtering in Linux: the kernel framework that does packet filtering, NAT and other packet mangling.
iptables: lets an admin configure netfilter to manage IP traffic.
Conntrack: built on top of netfilter to handle connection tracking.
IPVS – IP Virtual Server: implements transport-layer load balancing as part of the Linux kernel. Like iptables it is based on netfilter hook functions, and it uses a hash table for lookups.
Border Gateway Protocol: BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. The protocol is often classified as a path vector protocol but is sometimes also classed as a distance-vector routing protocol. Some of the well known & mandatory attributes are AS Path, Next Hop and Origin.
L2 Bridge (Software Switch): network devices called switches (or bridges) are responsible for connecting several network links to each other, creating a LAN. Major components of a network switch are a set of network ports, a control plane, a forwarding plane, and a MAC learning database. The set of ports is used to forward traffic between other switches and end-hosts in the network. The control plane of a switch is typically used to run the Spanning Tree Protocol, which calculates a minimum spanning tree for the LAN, preventing physical loops from crashing the network. The forwarding plane is responsible for processing input frames from the network ports and making a forwarding decision on which network port or ports the input frame is forwarded to.
58. @arafkarsh arafkarsh
Networking Glossary
Layer 2 Networking: Layer 2 is the Data Link Layer (OSI Model), providing node-to-node data transfer. Layer 2 deals with delivery of frames between two adjacent nodes on a network. Ethernet is an example of Layer 2 networking, with MAC represented as a sub-layer. Flannel uses L3 with VXLAN (L2) networking.
Layer 3 Networking: Layer 3's primary concern is routing packets between hosts on top of the Layer 2 connections. IPv4, IPv6 and ICMP are examples of Layer 3 networking protocols. Calico uses L3 networking.
Layer 4 Networking: the Transport layer controls the reliability of a given link through flow control.
Layer 7 Networking: Application layer networking (HTTP, FTP etc.). This is the closest layer to the end user. A Kubernetes Ingress Controller is an L7 load balancer.
VXLAN Networking: Virtual Extensible LAN helps large cloud deployments by encapsulating L2 frames within UDP datagrams. VXLAN is similar to VLAN (which is limited to a 12-bit ID, 4K networks). VXLAN is an encapsulation and overlay protocol that runs on top of the existing underlay network; its 24-bit identifier allows about 16 million network IDs.
Overlay Networking: an overlay network is a virtual, logical network built on top of an existing network. Overlay networks are often used to provide useful abstractions on top of existing networks and to separate and secure different logical networks.
Source Network Address Translation: SNAT refers to a NAT procedure that modifies the source address of an IP packet.
Destination Network Address Translation: DNAT refers to a NAT procedure that modifies the destination address of an IP packet.
62. @arafkarsh arafkarsh
VXLAN Encapsulation: Customer 1, Node / Server 1 → Node / Server 2 (VNI 100)
Topology (the same on slides 62 to 65):
• Node / Server 1: eth0 10.130.1.102 (underlay); VSWITCH + VTEP; Customer 1 VM 172.17.4.1 / B1 MAC; Customer 2 VM 172.17.4.1 / Y1 MAC
• Node / Server 2: eth0 10.130.2.187 (underlay); VSWITCH + VTEP; Customer 1 VM 172.17.5.1 / B2 MAC; Customer 2 VM 172.17.5.1 / Y2 MAC
Both customers use the same overlay IP addresses; only the VNI keeps them apart.
1. Customer 1 VM on Node 1 sends an overlay frame: Src 172.17.4.1 / B1 MAC → Dst 172.17.5.1 / B2 MAC
2. The VTEP on Node 1 encapsulates it: Outer Src IP 10.130.1.102 → Dst IP 10.130.2.187, Src UDP port dynamic, Dst UDP port 4789, VXLAN header with VNI 100, inner frame unchanged
3. The VTEP on Node 2 strips the outer headers, uses VNI 100 to select Customer 1's virtual switch, and delivers the original frame (Src 172.17.4.1 / B1 MAC → Dst 172.17.5.1 / B2 MAC) to the Customer 1 VM
VSWITCH: Virtual Switch | VTEP: VXLAN Tunnel End Point | VNI: VXLAN Network Identifier
63. @arafkarsh arafkarsh
eth0 10.130.1.102
Node / Server 1
172.17.4.1
B1 – MAC
VSWITCH
VTEP
172.17.4.1
Y1 – MAC
Customer 1
Customer 2
eth0 10.130.2.187
Node / Server 2
172.17.5.1
B2 – MAC
VSWITCH
VTEP
172.17.5.1
Y2 – MAC
Customer 1
Customer 2
VXLAN Encapsulation
Overlay Network
Src: 10.130.2.187
Dst: 10.130.1.102
Src UDP Port: Dynamic
Dst UDP Port: 4789
VNI: 100
VSWITCH: Virtual Switch. | VTEP : Virtual Tunnel End Point | VNI : Virtual Network Identifier
Src: 172.17.5.1
Src: B2 - MAC
Dst: 172.17.4.1
Dst: B1 – MAC
Src: 172.17.5.1
Src: B2 - MAC
Dst: 172.17.4.1
Dst: B1 – MAC
Src: 172.17.5.1
Src: B2 - MAC
Dst: 172.17.4.1
Dst: B1 – MAC
63
64. @arafkarsh arafkarsh
eth0 10.130.1.102
Node / Server 1
172.17.4.1
B1 – MAC
VSWITCH
VTEP
172.17.4.1
Y1 – MAC
Customer 1
Customer 2
eth0 10.130.2.187
Node / Server 2
172.17.5.1
B2 – MAC
VSWITCH
VTEP
172.17.5.1
Y2 – MAC
Customer 1
Customer 2
VXLAN Encapsulation
Overlay Network
Src: 172.17.4.1
Src: Y1 – MAC
Dst: 172.17.5.1
Dst: Y2 - MAC
Src: 10.130.1.102
Dst: 10.130.2.187
Src UDP Port: Dynamic
Dst UDP Port: 4789
VNI: 200
Src: 172.17.4.1
Src: Y1 – MAC
Dst: 172.17.5.1
Dst: Y2 - MAC
Src: 172.17.4.1
Src: Y1 – MAC
Dst: 172.17.5.1
Dst: Y2 - MAC
VSWITCH: Virtual Switch. | VTEP : Virtual Tunnel End Point | VNI : Virtual Network Identifier
64
65. @arafkarsh arafkarsh
eth0 10.130.1.102
Node / Server 1
172.17.4.1
B1 – MAC
VSWITCH
VTEP
172.17.4.1
Y1 – MAC
Customer 1
Customer 2
eth0 10.130.2.187
Node / Server 2
172.17.5.1
B2 – MAC
VSWITCH
VTEP
172.17.5.1
Y2 – MAC
Customer 1
Customer 2
VXLAN Encapsulation
Overlay Network
VNI: 100
VNI: 200
VSWITCH: Virtual Switch. | VTEP : Virtual Tunnel End Point | VNI : Virtual Network Identifier
65
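The encapsulation the four figures walk through, as an added Python example (not code from the original slides): a minimal VTEP that builds and parses the 8-byte VXLAN header, wraps a tenant's Ethernet frame for UDP/4789, and on receipt demultiplexes by VNI. The node addresses, VNIs and tenant names are taken from the figures; the `Vtep` class, the peer list and the constructed frames and MAC addresses are assumptions made for this example. It also makes explicit the check the figures leave implicit: a VTEP must drop VXLAN from an underlay host that is not a known peer, because nothing in the header authenticates the sender.

```python
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BxxxI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(data: bytes) -> tuple:
    """Return (vni, inner_frame); RFC 7348 says drop packets with bad flags/reserved bits."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!BxxxI", data[:8])
    if flags != VXLAN_FLAG_I or vni_field & 0xFF:
        raise ValueError("invalid flags or non-zero reserved bits")
    return vni_field >> 8, data[8:]


def build_frame(dst_mac: str, src_mac: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Minimal Ethernet II frame for the tenant's traffic (FCS omitted)."""
    def mac(text: str) -> bytes:
        return bytes.fromhex(text.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


class Vtep:
    """One VXLAN tunnel endpoint (the VTEP in a node's vswitch) with a per-VNI MAC table."""

    def __init__(self, underlay_ip: str, vni_to_tenant: dict, peers: set):
        self.underlay_ip = underlay_ip
        self.vni_to_tenant = vni_to_tenant   # e.g. {100: "Customer 1", 200: "Customer 2"}
        self.peers = peers                   # underlay IPs of VTEPs we accept VXLAN from
        self.fdb = {}                        # (vni, inner src MAC) -> remote VTEP underlay IP

    def encap(self, remote_vtep: str, vni: int, frame: bytes) -> dict:
        """Sending side: outer IP/UDP fields plus VXLAN header + the unchanged L2 frame."""
        if vni not in self.vni_to_tenant:
            raise ValueError(f"VNI {vni} is not configured on this VTEP")
        return {"src": self.underlay_ip, "dst": remote_vtep,
                "sport": 49152, "dport": VXLAN_UDP_PORT,   # source port is dynamic
                "payload": build_vxlan_header(vni) + frame}

    def decap(self, pkt: dict):
        """Receiving side: (tenant, frame) for a valid packet, None if it must be dropped."""
        if pkt["dport"] != VXLAN_UDP_PORT or pkt["dst"] != self.underlay_ip:
            return None
        if pkt["src"] not in self.peers:     # not a known VTEP: drop before parsing anything
            return None
        try:
            vni, frame = parse_vxlan_header(pkt["payload"])
        except ValueError:
            return None
        tenant = self.vni_to_tenant.get(vni)
        if tenant is None:                   # unknown segment: drop, never guess a tenant
            return None
        self.fdb[(vni, frame[6:12])] = pkt["src"]   # learn inner src MAC behind the remote VTEP
        return tenant, frame


# Constructed demo data mirroring the figures: two nodes, two customers with overlapping IPs.
NODE1, NODE2 = "10.130.1.102", "10.130.2.187"
TENANTS = {100: "Customer 1", 200: "Customer 2"}


def demo() -> list:
    vtep1 = Vtep(NODE1, TENANTS, peers={NODE2})
    vtep2 = Vtep(NODE2, TENANTS, peers={NODE1})
    # Customer 1 (VNI 100): B1-MAC at 172.17.4.1 on Node 1 -> B2-MAC at 172.17.5.1 on Node 2
    f1 = build_frame("00:00:00:00:00:b2", "00:00:00:00:00:b1", b"172.17.4.1 -> 172.17.5.1 (cust 1)")
    # Customer 2 (VNI 200) reuses the same inner IPs; only the VNI (and MACs) differ
    f2 = build_frame("00:00:00:00:00:e2", "00:00:00:00:00:e1", b"172.17.4.1 -> 172.17.5.1 (cust 2)")
    # An underlay host that is not a peer VTEP sends UDP/4789 with a guessed VNI
    rogue = {"src": "10.130.9.9", "dst": NODE2, "sport": 40000, "dport": VXLAN_UDP_PORT,
             "payload": build_vxlan_header(100) + f1}
    return [vtep2.decap(vtep1.encap(NODE2, 100, f1)),
            vtep2.decap(vtep1.encap(NODE2, 200, f2)),
            vtep2.decap(rogue)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first two results land on "Customer 1" and "Customer 2" respectively even though the inner addresses are identical; the third is dropped by the peer check, which is the control a real VTEP (or the underlay ACL in front of it) has to provide because the header carries no authenticator.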
66. @arafkarsh arafkarsh
GRE: Generic Routing Encapsulation
66
Standardized in RFC 2784 (descended from Cisco's RFC 1701) and extended by RFC 2890, which adds the Key and Sequence Number fields.
GRE creates a tunnel between two networks across a public network. It can carry any OSI Layer 3 protocol inside IP (protocol number 47) and behaves like a point-to-point link, much like a VPN: the original packet becomes the payload of a new IP packet.
GRE tunnels are not secure: the payload is unencrypted and the optional key is a cleartext tunnel identifier, not an authenticator. For a secure tunnel, run GRE over IPsec.
[Figure: Branch 1 (Public IP 202.1.2.1) and Branch 2 (Public IP 204.1.2.1) connected across the Internet underlay; tunnel0 on each router is a Virtual Tunnel Interface (VTI) with overlay addresses 192.168.1.1/24 and 192.168.1.2/24.]
Branch 1:
$ interface tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 202.1.2.1
 tunnel destination 204.1.2.1
Branch 2:
$ interface tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 204.1.2.1
 tunnel destination 202.1.2.1
Packet on the underlay: New IP Header (20 bytes) | GRE Header (4 – 16 bytes) | Original IP Header | Data (payload), i.e. 24 – 36 bytes of overhead. That is why the tunnel MTU is set to 1476 (1500 − 20 − 4) and the TCP MSS to 1436 (1476 minus 40 bytes of IP and TCP headers); with the key or sequence options enabled the GRE header grows by 4 bytes each and the MTU must be lowered accordingly.
Source: RedHat Introduction to Linux IP Tunnels
Source: RedHat Introduction to Linux IP Tunnels
67. @arafkarsh arafkarsh
GRE: Packet Headers & Data Transfer
67
Standardized in RFC 2784 (descended from Cisco's RFC 1701) and extended by RFC 2890
[Figure: Branch 1 Router (Public IP 202.1.2.1, LAN hosts 172.17.4.1 and 172.17.4.2) and Branch 2 Router (Public IP 204.1.2.1, LAN hosts 172.17.5.1 and 172.17.5.2) connected across the Internet underlay by tunnel0 (VTI) with overlay addresses 192.168.1.1/24 and 192.168.1.2/24.]
Packet on the underlay: New IP Header (Src = 202.1.2.1, Dst = 204.1.2.1) | GRE Header | Original IP Header (Src = 172.17.4.1, Dst = 172.17.5.2) | Data
1. A packet from the Branch 1 LAN (172.17.4.1 → 172.17.5.2) reaches the Branch 1 Router
2. A new IP header (202.1.2.1 → 204.1.2.1) and a GRE header are added
3. The packet reaches the Branch 2 Router
4. The new IP header and GRE header are removed and the original packet is delivered to 172.17.5.2
Routes
Branch 1: all traffic to 172.17.5.0/24 is forwarded into Tunnel0, i.e. to the next hop 192.168.1.2 at the far end of the tunnel.
Branch 2: all traffic to 172.17.4.0/24 is forwarded into Tunnel0, i.e. to the next hop 192.168.1.1.
Because the GRE payload is cleartext, anyone on the path between 202.1.2.1 and 204.1.2.1 can read or alter the branch traffic, and a router that accepts GRE from any source will decapsulate spoofed IP protocol 47 packets straight into the remote LAN; IPsec (or at least an ACL on the tunnel source) closes both gaps.
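The header walk-through above, as an added Python example (not code from the original slides or the Red Hat source): it builds the outer IPv4 header and the GRE header of RFC 2784/2890, encapsulates the packet from 172.17.4.1 to 172.17.5.2 between the public addresses 202.1.2.1 and 204.1.2.1, strips it again on the far side, and derives the `ip mtu 1476` / `ip tcp adjust-mss 1436` values from the header sizes. The optional GRE key (the `tunnel key` used in the DMVPN configurations later in this deck) is parsed and compared, which shows both what it does and what it does not do: a mismatching key is dropped, but the key travels in cleartext, so anyone who sees one packet can copy it. The helper names are assumptions made for this example.

```python
import struct
from ipaddress import IPv4Address

PROTO_GRE = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload
GRE_FLAG_C = 0x8000       # checksum present (RFC 2784)
GRE_FLAG_K = 0x2000       # key present (RFC 2890)
GRE_FLAG_S = 0x1000       # sequence number present (RFC 2890)
IPV4_HDR, TCP_HDR = 20, 20


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_gre_header(proto: int = ETHERTYPE_IPV4, key: int = None, seq: int = None) -> bytes:
    """GRE header: flags/version(16) | protocol(16) [| key(32)] [| sequence(32)]."""
    flags, extra = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        extra += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        extra += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + extra


def parse_gre_header(data: bytes, expected_key: int = None) -> tuple:
    """Return (proto, key, seq, payload). Raises ValueError if the key is not the tunnel's key."""
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & 0x7:
        raise ValueError("only GRE version 0 is supported")
    off, key, seq = 4, None, None
    if flags & GRE_FLAG_C:
        off += 4                                     # checksum(16) + reserved1(16)
    if flags & GRE_FLAG_K:
        key, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    if flags & GRE_FLAG_S:
        seq, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet does not belong to this tunnel")
    return proto, key, seq, data[off:]


def gre_encap(inner: bytes, tunnel_src: str, tunnel_dst: str, key: int = None) -> bytes:
    """Branch router: wrap the original IP packet in GRE plus a new outer IP header."""
    gre = build_gre_header(key=key)
    return ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decap(pkt: bytes, expected_key: int = None) -> tuple:
    """Remote router: strip outer IP + GRE, returning (outer_src, outer_dst, original packet)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_GRE:
        raise ValueError("not a GRE packet")
    outer_src, outer_dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    proto, _key, _seq, inner = parse_gre_header(pkt[ihl:], expected_key)
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type")
    return outer_src, outer_dst, inner


def tunnel_mtu(link_mtu: int = 1500, key: bool = False, seq: bool = False, csum: bool = False) -> int:
    """'ip mtu' for the tunnel: link MTU minus the outer IP header minus the GRE header in use."""
    gre_len = 4 + 4 * key + 4 * seq + 4 * csum
    return link_mtu - IPV4_HDR - gre_len


def tcp_mss(mtu: int) -> int:
    """'ip tcp adjust-mss': the 40 bytes subtracted are the IP and TCP headers, not GRE."""
    return mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    original = ipv4_header("172.17.4.1", "172.17.5.2", 6, 4) + b"data"   # constructed LAN packet
    on_the_wire = gre_encap(original, "202.1.2.1", "204.1.2.1", key=11)
    print(gre_decap(on_the_wire, expected_key=11)[:2], tunnel_mtu(), tcp_mss(tunnel_mtu()))
```

`tunnel_mtu()` reproduces the slide's 1476 and `tcp_mss(1476)` its 1436; with a key configured the honest MTU is 1472, which is worth remembering when the DMVPN configurations below keep `ip mtu 1476` alongside `tunnel key 11`.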
68. @arafkarsh arafkarsh
DM VPN: Dynamic Multipoint VPN
68
o GRE is a point-to-point VPN tunnel.
o DMVPN helps create a VPN spanning multiple sites.
o It is a hub-and-spoke design, yet spokes are able to talk to each other directly.
o Encryption is supported using IPsec.
o It is a great alternative to MPLS VPN.
4 Critical Elements of DMVPN
1. Multipoint GRE (mGRE)
2. NHRP (Next Hop Resolution Protocol)
3. A routing protocol (RIP, EIGRP, OSPF, BGP etc.)
4. IPsec (optional, but without it every tunnel is cleartext GRE; the NHRP string and GRE key are identifiers, not protection)
[Figure: an organization with 1 HQ (Head Quarter) and 4 branches (Branch 1, B2, B3, B4) connected over the Internet. Left: a mesh of point-to-point GRE tunnels is complex and doesn't scale well (a full mesh of n sites needs n(n−1)/2 tunnels). Right: a DMVPN hub-and-spoke design with dynamic spoke-to-spoke tunnels.]
Requirements
1. All branches linked to HQ
2. Branch B1 & B3 linked
3. Branch B2 & B4 linked
Source: Cisco DM VPN
69. @arafkarsh arafkarsh
NHRP: Next Hop Resolution Protocol
69
o It is a protocol for discovering the next hop (the underlay address to send to) across a wide area network with many subnets.
o A WAN typically does not deliver broadcasts; such a network is called a Non-Broadcast Multiple Access (NBMA) network, so ARP cannot be used to find neighbours on it.
o NHRP is the NBMA counterpart of ARP (Address Resolution Protocol): it resolves a tunnel (overlay) address to the physical (NBMA, public) address behind it.
o NHRP defines Next Hop Servers (NHSes), with which Next Hop Clients (NHCs) register and from which they obtain routing information. The NHS is the hub and the NHCs are the spokes.
o Each NHC registers its physical (NBMA) IP and its logical tunnel IP with the NHS.
o When an NHC wants to reach another NHC it sends a resolution request to the NHS, and the NHS returns the target NHC's NBMA address.
o NHRP messages can carry an authentication string, but it is sent in cleartext; NHRP is a discovery protocol, not a security control, which is why DMVPN relies on IPsec for protection.
NHRP was developed by the Internet Engineering Task Force: RFC 2332
70. @arafkarsh arafkarsh
Multipoint GRE
70
Requirements
1. All branches linked to HQ
2. Branch B1 & B3 linked
3. Branch B2 & B4 linked
[Figure, left: point-to-point GRE tunnels between HQ and B1, B2, B3, B4 and between the paired branches.] This is not an ideal solution, as we need to set up multiple tunnel interfaces on each router; it is messy and not scalable.
In multipoint GRE there is ONLY 1 tunnel interface on each router, and the hub's interface has no tunnel destination.
[Figure, middle: Hub & Spoke Topology, Head Quarter as NHS, B1, B2, B3, B4 as NHCs.]
[Figure, right: the overlay 192.168.1.0/24. Each NHC registers with the NHS; B1 and B3 (likewise B2 and B4) send an NHRP request to the NHS to get the route details; based on the route details, dynamic on-demand spoke-to-spoke tunnels are built.]
71. @arafkarsh arafkarsh
DM VPN: Phases
71
Phase 1
All the spokes register with the hub and all traffic goes through the hub. The hub uses an mGRE interface; each spoke uses a regular point-to-point GRE tunnel.
Phase 2
Allows spoke-to-spoke communication using mGRE tunnels on the spokes as well. Spoke-to-spoke tunnels are built on demand, based on traffic, and data need not go through the hub. The price is that every spoke must hold specific routes for every other spoke's networks with the remote spoke as next hop, so the hub cannot summarize routes.
Phase 3
Improves on Phase 2: when the hub relays spoke-to-spoke traffic it sends an NHRP redirect, and the spoke (with "ip nhrp shortcut") resolves the remote spoke and installs a shortcut route. Spokes only need a summary (or default) route pointing at the hub, which is what makes Phase 3 scale beyond Phase 2.
Source: Tech Target: DM VPN
Phase 1 / Phase 2 / Phase 3 at a glance
Key feature: Phase 1 – spokes dynamically register with the hub; Phase 2 – spokes communicate directly with other spokes; Phase 3 – additionally allows route summarization.
Tunnel type: Phase 1 – Hub: mGRE, Spoke: GRE; Phase 2 – all use mGRE; Phase 3 – all use mGRE.
72. @arafkarsh arafkarsh 72
DM VPN: Multipoint GRE – Phase 1
[Figure: Head Quarter hub (NHS, NBMA address 9.9.9.9, tunnel address 192.168.1.99, LAN 172.99.1.1) and spokes B1, B2, B3, B4 (NHCs, NBMA addresses 1.1.1.1 / 2.2.2.2 / 3.3.3.3 / 4.4.4.4, LANs 172.1.1.1 / 172.2.1.1 / 172.3.1.1 / 172.4.1.1) on the mGRE overlay 192.168.1.0/24, with dynamic on-demand spoke-to-spoke tunnels.]
Specs
1. All branches are connected to HQ
2. Branch B1 & B3 are connected
3. Branch B2 & B4 are connected
Traffic flows (Src → Dst): (1) hub ↔ spoke: 172.99.1.1 → 172.4.1.1, 172.99.1.1 → 172.2.1.1, 172.3.1.1 → 172.99.1.1; (2) spoke → spoke: 172.1.1.1 → 172.3.1.1; (3) spoke → spoke: 172.2.1.1 → 172.4.1.1. In Phase 1 the spoke-to-spoke flows still transit the hub.
Hub Configuration P-2-M
$ interface Tunnel0
 ip address 192.168.1.99 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 9.9.9.9
 tunnel mode gre multipoint
 tunnel key 11
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
B1 Spoke Configuration P-2-P
$ interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 9.9.9.9
 tunnel key 11
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
Notes on the commands
ip mtu 1476: 1500 minus the 20-byte outer IP header and the 4-byte GRE header (the tunnel key adds another 4 bytes, so 1472 is the exact value; IPsec lowers it further).
ip tcp adjust-mss 1436: tunnel MTU minus the 40 bytes of IP and TCP headers, so TCP payloads never need fragmentation.
tunnel source: the public (NBMA) IP address of the router.
tunnel mode gre multipoint: no tunnel destination is assigned for mGRE.
tunnel key 11: optional 32-bit identifier carried in the GRE header; it must match on both ends for the tunnel to form, but it is cleartext and is not authentication.
ip nhrp network-id 1: the NHRP network ID (domain); the hub is the Next Hop Server.
ip nhrp authentication NHRPKEY: the NHRP domain string, also sent in cleartext; it catches misconfiguration, not attackers.
ip nhrp map multicast dynamic (hub): lets the hub replicate routing-protocol multicast to every spoke that has registered.
tunnel destination 9.9.9.9 (spoke): in Phase 1 the spoke works in plain GRE mode, so the destination is the hub router's NBMA address.
ip nhrp nhs 192.168.1.99: the Next Hop Server is the hub router's tunnel address; it is statically configured.
ip nhrp map 192.168.1.99 9.9.9.9: maps the hub's tunnel address to its NBMA IP address.
Newer IOS releases combine the last two commands into one:
$ ip nhrp nhs 192.168.1.99 nbma 9.9.9.9 multicast
Repeat the B1 spoke configuration for the other branches, changing the tunnel address and tunnel source.
73. @arafkarsh arafkarsh 73
DM VPN: Multipoint GRE – Phase 2 and Phase 3
[Figure: the same topology as the previous slide: Head Quarter hub (NHS, 9.9.9.9 / 192.168.1.99, LAN 172.99.1.1) and spokes B1, B2, B3, B4 (NHCs, 1.1.1.1 / 2.2.2.2 / 3.3.3.3 / 4.4.4.4, LANs 172.1.1.1 / 172.2.1.1 / 172.3.1.1 / 172.4.1.1) on the overlay 192.168.1.0/24 with dynamic on-demand spoke-to-spoke tunnels.]
Specs
1. All branches are connected to HQ
2. Branch B1 & B3 are connected
3. Branch B2 & B4 are connected
Traffic flows (Src → Dst): (1) hub ↔ spoke: 172.99.1.1 → 172.4.1.1, 172.99.1.1 → 172.2.1.1, 172.3.1.1 → 172.99.1.1; (2) spoke → spoke: 172.1.1.1 → 172.3.1.1; (3) spoke → spoke: 172.2.1.1 → 172.4.1.1. From Phase 2 on, flows (2) and (3) use direct spoke-to-spoke tunnels.
DM VPN Phase 2
Hub Configuration P-2-M: use the hub configuration from Phase 1.
B1 Spoke Configuration P-2-M
$ interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel key 11
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
 ip nhrp map multicast 9.9.9.9
What changed from Phase 1
The statically configured tunnel destination on the spoke is gone; mGRE is introduced on the spoke as well. Because there is no destination, the spoke must map the hub's tunnel address, and the multicast traffic of the routing protocol, to the hub's NBMA address 9.9.9.9 by hand. The MTU, MSS, tunnel key, NHRP network ID and authentication string keep the meanings described on the previous slide.
DM VPN Phase 3
Hub Configuration P-2-M (add to the Phase 1 hub configuration)
$ interface Tunnel0
 ip nhrp redirect
B1 Spoke Configuration – Routes (add to the Phase 2 spoke configuration)
$ interface Tunnel0
 ip nhrp shortcut
ip nhrp redirect: the hub informs a spoke that there is a better (direct) path when it sees traffic enter and leave the same mGRE interface.
ip nhrp shortcut: allows the spoke to accept the redirect message, resolve the remote spoke through NHRP and install a shortcut route, so the hub may advertise a summary route only.
74. @arafkarsh arafkarsh
DM VPN: Multipoint GRE – Summary
74
[Figure: Head Quarter hub (NHS, NBMA 9.9.9.9, tunnel 192.168.1.99, LAN 172.99.1.1) and spokes B1, B2, B3, B4 (NHCs, NBMA 1.1.1.1 / 2.2.2.2 / 3.3.3.3 / 4.4.4.4, LANs 172.1.1.1 / 172.2.1.1 / 172.3.1.1 / 172.4.1.1) on the mGRE overlay 192.168.1.0/24 with dynamic on-demand spoke-to-spoke tunnels.]
Specs
1. All branches are connected to HQ
2. Branch B1 & B3 are connected
3. Branch B2 & B4 are connected
Traffic flows (Src → Dst): (1) hub ↔ spoke: 172.99.1.1 → 172.4.1.1, 172.99.1.1 → 172.2.1.1, 172.3.1.1 → 172.99.1.1; (2) spoke → spoke: 172.1.1.1 → 172.3.1.1; (3) spoke → spoke: 172.2.1.1 → 172.4.1.1.
Hub Configuration P-2-M (all phases)
$ interface Tunnel0
 ip address 192.168.1.99 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 9.9.9.9
 tunnel mode gre multipoint
 tunnel key 11
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
DM VPN Phase 1 – B1 Spoke Configuration P-2-P
$ interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel destination 9.9.9.9
 tunnel key 11
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
DM VPN Phase 2 – B1 Spoke Configuration P-2-M
$ interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel key 11
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.99
 ip nhrp map 192.168.1.99 9.9.9.9
 ip nhrp map multicast 9.9.9.9
DM VPN Phase 3 – additions to the Phase 2 configuration
Hub Configuration P-2-M
$ interface Tunnel0
 ip nhrp redirect
B1 Spoke Configuration – Routes
$ interface Tunnel0
 ip nhrp shortcut
Repeat the spoke configuration for B2, B3 and B4 with their own tunnel address and tunnel source. In every phase the tunnels above are cleartext GRE; add "tunnel protection ipsec profile <profile-name>" on every Tunnel0 to encrypt and authenticate them.
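The NHRP control flow behind the three phases, as an added Python simulation (not code from the original slides or from Cisco): a hub acting as Next Hop Server keeps the tunnel-to-NBMA registry, a spoke holds only a summary route via the hub, and the first spoke-to-spoke packet is relayed by the hub, which answers with a redirect; the spoke then resolves the far end and installs a shortcut, so the second packet goes direct. Addresses are those of the figures; the `Hub`/`Spoke` classes, the summary prefix 172.0.0.0/8 and the /24 shortcut are assumptions made for this example. Registration with a wrong NHRP string or network ID is refused, which also illustrates that this check happens in cleartext and is a consistency check rather than authentication.

```python
from ipaddress import ip_address, ip_network


class Hub:
    """NHS: keeps the tunnel-to-NBMA registry and, with 'ip nhrp redirect', tells spokes to shortcut."""

    def __init__(self, tunnel_ip: str, nbma_ip: str, lan: str, network_id: int, auth: str):
        self.tunnel_ip, self.nbma_ip, self.lan = tunnel_ip, nbma_ip, ip_network(lan)
        self.network_id, self.auth = network_id, auth
        self.registry = {}   # spoke tunnel IP -> spoke NBMA (public) IP
        self.lans = {}       # spoke LAN prefix -> spoke tunnel IP (what the routing protocol learns)

    def register(self, spoke) -> bool:
        # 'ip nhrp network-id' and 'ip nhrp authentication' must match, but both cross the
        # network in cleartext: this gate stops misconfiguration, not an attacker (IPsec does that)
        if spoke.network_id != self.network_id or spoke.auth != self.auth:
            return False
        self.registry[spoke.tunnel_ip] = spoke.nbma_ip
        self.lans[ip_network(spoke.lan)] = spoke.tunnel_ip
        return True

    def resolve(self, tunnel_ip: str):
        """NHRP resolution: which NBMA address sits behind this tunnel address?"""
        return self.registry.get(tunnel_ip)

    def forward(self, dst: str, sender) -> tuple:
        """Relay a spoke's packet. Returns (egress tunnel IP, redirect?); redirect is True when
        the packet enters and leaves the same mGRE interface, i.e. spoke-to-spoke via the hub."""
        if ip_address(dst) in self.lan:
            return self.tunnel_ip, False
        for lan, nh in self.lans.items():
            if ip_address(dst) in lan:
                return nh, nh != sender.tunnel_ip
        return None, False


class Spoke:
    """NHC: registers with the hub; with 'ip nhrp shortcut' it installs routes learned via redirect."""

    def __init__(self, name, tunnel_ip, nbma_ip, lan, hub, network_id, auth, shortcut=True):
        self.name, self.tunnel_ip, self.nbma_ip, self.lan = name, tunnel_ip, nbma_ip, lan
        self.network_id, self.auth, self.hub, self.shortcut = network_id, auth, hub, shortcut
        self.nhrp_cache = {hub.tunnel_ip: hub.nbma_ip}            # 'ip nhrp map 192.168.1.99 9.9.9.9'
        self.routes = {ip_network("172.0.0.0/8"): hub.tunnel_ip}  # Phase 3: only a summary via hub
        self.registered = hub.register(self)

    def next_hop(self, dst: str):
        """Longest-prefix match in the spoke's routing table."""
        matches = [(net, nh) for net, nh in self.routes.items() if ip_address(dst) in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def send(self, dst: str) -> list:
        """Return the NBMA (underlay) hops a packet to dst takes."""
        nh = self.next_hop(dst)
        path = [self.nbma_ip, self.nhrp_cache[nh]]
        if nh != self.hub.tunnel_ip:
            return path                                   # spoke-to-spoke tunnel already exists
        egress, redirect = self.hub.forward(dst, self)
        if egress is None or egress == self.hub.tunnel_ip:
            return path                                   # dropped at the hub, or HQ LAN traffic
        path.append(self.hub.registry[egress])
        if redirect and self.shortcut:
            # NHRP resolution of the far spoke, then a /24 shortcut route pointing at it
            self.nhrp_cache[egress] = self.hub.resolve(egress)
            self.routes[ip_network(dst + "/24", strict=False)] = egress
        return path


if __name__ == "__main__":
    hq = Hub("192.168.1.99", "9.9.9.9", "172.99.1.0/24", network_id=1, auth="NHRPKEY")
    b1 = Spoke("B1", "192.168.1.1", "1.1.1.1", "172.1.1.0/24", hq, 1, "NHRPKEY")
    b3 = Spoke("B3", "192.168.1.3", "3.3.3.3", "172.3.1.0/24", hq, 1, "NHRPKEY")
    print(b1.send("172.3.1.1"))   # first packet: via the hub, which redirects B1
    print(b1.send("172.3.1.1"))   # second packet: direct B1 -> B3 tunnel
```

A spoke created with `shortcut=False` ignores the redirect and keeps relaying through the hub, which is the Phase 1 behaviour; the difference between the two runs is exactly what "ip nhrp shortcut" buys.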
75. @arafkarsh arafkarsh
IPSec
75
RFC 6071 (the IPsec and IKE document roadmap)
o Creates an encrypted tunnel over an IP network
o Authentication (integrity protection) and encryption prevent eavesdropping and data modification
o GRE can be combined with IPsec to carry multiple protocols, and multicast such as routing-protocol traffic, over the IP network, since IPsec on its own carries unicast IP only
Packet layout (ESP tunnel mode): New IP Header | IPsec (ESP) Header | Original IP Header | Data | IPsec (ESP) Trailer | IPsec Auth Trailer (ICV); 50 – 57 bytes of overhead depending on the cipher, so the tunnel MTU must be lowered further than for plain GRE.
76. @arafkarsh arafkarsh
VRF: Virtual Routing & Forwarding
76
[Figure: Before VRF, Customer A (172.17.4.1) and Customer B (172.17.5.1) share one ISP Router and one routing table on the way to the Internet. After VRF, the same ISP Router holds VRF-A and VRF-B, each with its own routing table, so the two customers' routes never mix even when their address ranges overlap.]
o It allows multiple instances of the routing table to coexist in one (virtual) router.
o VRF increases security because the traffic of different customers or tenants is separated.
o The network path is segmented without using multiple pieces of hardware.
o A VRF instance uses a single routing table.
o Each VRF needs its own forwarding table for the next hop of the packet.
o Traditional VRF is done on the ISP's MPLS-VPN; VRF-Lite is VRF without MPLS-VPN.
o VRF uses the same virtualization idea as VLANs: a VRF is the Layer 3 equivalent of a VLAN. A VLAN makes a single switch appear as multiple switches, while a VRF makes a single router appear as multiple routers.
o VRF separation is a control-plane construct: any route leaked between VRFs, or a shared service (DNS, NTP, management) reachable from both, reopens a path between the tenants.
77. @arafkarsh arafkarsh
MPLS: Multi Protocol Label Switching
77
Jointly developed by Cisco, Ipsilon & IBM in 1996. First working group formed in 1997 and first deployment in 1999.
• MPLS supports transport over IP, Ethernet, asynchronous transfer mode (ATM) and frame relay.
• MPLS forwards most packets on a fixed-length label that sits between the Layer 2 (Data Link) header and the Layer 3 (Network) header, often called "Layer 2.5", so the core does label switching instead of IP routing.
• It is an alternative to traditional routing based on the destination IP address, where every router must parse the destination address and consult its own routing table at every hop. That per-hop lookup adds latency that matters especially for voice and video calls.
• The first router in the MPLS network determines the entire route up front; its identity is conveyed to the subsequent routers as a label in the packet header.
An MPLS label (shim header) is 32 bits long and consists of 4 fields:
1. Label value: 20 bits
2. Experimental (now Traffic Class, used for QoS): 3 bits
3. Bottom of stack: 1 bit
4. Time to live: 8 bits
Source: Tech Target – Multi Protocol Label Switching
Label Edge Router (LER) and Label Switch Routers (LSRs)
1. Each packet gets labelled on entry by the ISP's LER (ingress), based on its forwarding equivalence class, typically the destination prefix.
2. This router (LER) decides the Label Switched Path (LSP), the path the packet will take until it reaches the destination.
3. All subsequent LSRs forward the packet based on the label only, swapping it at each hop; the last LSR before the exit pops the label (penultimate hop popping) so the egress LER routes a plain IP packet.
A label is not a security boundary: MPLS VPN separation depends on the provider's core being trusted, and the payload is not encrypted unless IPsec is added on top.
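The label operations described in the three steps, as an added Python example (not code from the original slides or the TechTarget source): it encodes and decodes the 32-bit label stack entry with the four fields listed above and walks a packet along a constructed LSP, where the ingress LER pushes a label for the destination prefix, a core LSR swaps it, and the penultimate LSR pops it so the egress LER receives plain IP. The topology, labels and router names are assumptions made for this example; the TTL handling shows why a label loop still terminates.

```python
import struct
from ipaddress import ip_address, ip_network

IMPLICIT_NULL = 3   # reserved label: "pop before forwarding" (penultimate hop popping)


def encode_label(label: int, tc: int = 0, bos: bool = False, ttl: int = 64) -> bytes:
    """One 32-bit label stack entry: label(20) | TC/EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((tc & 0x7) << 9) | (int(bos) << 8) | (ttl & 0xFF))


def decode_stack(data: bytes) -> tuple:
    """Parse label entries up to the bottom-of-stack bit; return (entries, payload)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack runs past end of packet")
        word = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "bos": bool((word >> 8) & 1), "ttl": word & 0xFF})
        if entries[-1]["bos"]:
            return entries, data[off:]


def encode_stack(entries: list) -> bytes:
    return b"".join(encode_label(e["label"], e["tc"], e["bos"], e["ttl"]) for e in entries)


class Router:
    """fib: ingress LER mapping FEC (destination prefix) -> (label, next hop).
    lfib: LSR mapping incoming label -> (action, outgoing label, next hop)."""

    def __init__(self, name: str, fib: dict = None, lfib: dict = None):
        self.name, self.fib, self.lfib = name, fib or {}, lfib or {}

    def ingress(self, dst_ip: str, ip_packet: bytes) -> tuple:
        """Push: classify the IP packet into a FEC and impose the LSP's first label."""
        for prefix, (label, nh) in self.fib.items():
            if ip_address(dst_ip) in ip_network(prefix):
                return encode_label(label, bos=True, ttl=64) + ip_packet, nh
        raise ValueError(f"{self.name}: no FEC for {dst_ip}")

    def switch(self, mpls_packet: bytes) -> tuple:
        """Swap or pop the top label; returns (packet out, next hop, outgoing label or None)."""
        entries, payload = decode_stack(mpls_packet)
        top = entries[0]
        if top["ttl"] <= 1:
            raise ValueError(f"{self.name}: TTL expired on label {top['label']}")
        action, out_label, nh = self.lfib[top["label"]]   # unknown label -> KeyError -> drop
        top["ttl"] -= 1
        if action == "pop" or out_label == IMPLICIT_NULL:
            return encode_stack(entries[1:]) + payload, nh, None
        top["label"] = out_label
        return encode_stack(entries) + payload, nh, out_label


def traverse(routers: dict, ingress: str, dst_ip: str, ip_packet: bytes) -> tuple:
    """Walk a packet along the LSP; return ([(router, label put on the wire)], payload delivered)."""
    pkt, hop = routers[ingress].ingress(dst_ip, ip_packet)
    trace = [(ingress, decode_stack(pkt)[0][0]["label"])]
    while routers[hop].lfib:                 # still inside the label-switched core
        pkt, nh, out_label = routers[hop].switch(pkt)
        trace.append((hop, out_label))
        hop = nh
    trace.append((hop, None))                # egress LER routes the plain IP packet
    return trace, pkt


# Constructed topology: LER1 -> P1 -> P2 -> LER2, one LSP toward 172.17.5.0/24
NETWORK = {
    "LER1": Router("LER1", fib={"172.17.5.0/24": (1001, "P1")}),
    "P1": Router("P1", lfib={1001: ("swap", 2002, "P2")}),
    "P2": Router("P2", lfib={2002: ("pop", IMPLICIT_NULL, "LER2")}),   # penultimate hop popping
    "LER2": Router("LER2"),
}

if __name__ == "__main__":
    print(traverse(NETWORK, "LER1", "172.17.5.2", b"ip packet to 172.17.5.2"))
```

Only LER1 ever looks at the IP destination; P1 and P2 key purely on the incoming label, which is the performance argument above and also the reason a mislabelled packet is forwarded wherever the label says, regardless of what the IP header claims.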
78. @arafkarsh arafkarsh
LISP: Locator/ID Separation Protocol
78
LISP splits the single IP address into two addresses for each network node:
1. One for its identity: the Endpoint Identifier (EID), assigned to hosts such as computers, laptops, printers, etc.
2. One for its routing location: the Routing Locator (RLOC), assigned to routers; RLOCs are used to reach EIDs.
LISP is a tunnelling protocol that uses a DNS-like mapping system to figure out which router packets should be sent to.
Created by Cisco and transferred to the IETF – RFC 6830: https://datatracker.ietf.org/doc/html/rfc6830
Source: Cisco LISP – IP Routing Guide
WHY
The Internet routing table has grown enormously, to close to 900K prefixes, putting a huge burden on BGP routers:
• Multihoming: customers connect to 2 different ISPs and advertise their PI (Provider Independent) address space to both.
• Traffic engineering: advertising more specific routes increases the size of the Internet routing table.
3 Environments in a LISP Network
1. LISP Site: the EID namespace
2. Non-LISP Site: the RLOC namespace (the core, where RLOCs are found)
3. LISP Mapping Service: the EID-to-RLOC mapping service
79. @arafkarsh arafkarsh
LISP: Control / Data Plane
79
[Figure: host 172.17.4.2 sends a DNS Request "google.com ?" to the DNS Server and receives the DNS Response 142.250.77.110; LISP router R1 sends a Map Request "EID: 172.17.5.2 ?" to the mapping system and receives the Map Response "EID: 172.17.5.0/24, RLOC: 204.1.2.1".]
• DNS resolves a hostname to an IP address
• LISP resolves an EID to an RLOC (the LISP Control Plane); the LISP Data Plane then encapsulates the packet toward that RLOC
Source: https://networklessons.com/cisco/ccnp-encor-350-401/cisco-locator-id-separation-protocol-lisp
80. @arafkarsh arafkarsh
LISP: Locator/ID Separation Protocol
80
LISP is a Map-and-Encapsulate Protocol
[Figure: Host 1 (EID 172.17.4.2) in LISP Site 1 behind router R1 (RLOC 202.1.2.1, the Ingress Tunnel Router, ITR); Host 2 (EID 172.17.5.2) in LISP Site 2 behind router R2 (RLOC 204.1.2.1, the Egress Tunnel Router, ETR); the RLOC Space (the Internet) between them; and a mapping server at RLOC 202.3.2.1 holding the Map Database: EID 172.17.4.0/24 → RLOC 202.1.2.1 and EID 172.17.5.0/24 → RLOC 204.1.2.1. After step 3, R1's Map Cache holds 172.17.5.0/24 → 204.1.2.1 and R2's Map Cache holds 172.17.4.0/24 → 202.1.2.1.]
Packet in the RLOC space: New IP Header (Src: 202.1.2.1, Dst: 204.1.2.1) | LISP Header | Original IP Header (Src: 172.17.4.2, Dst: 172.17.5.2) | Data
Router R1 = Ingress Tunneling Router (ITR); Router R2 = Egress Tunneling Router (ETR); the LISP mapping service stores all the EID-RLOC maps.
1. Host 1 sends data (Src 172.17.4.2, Dst 172.17.5.2) to Host 2 through R1
2. R1 sends a Map Request with the EID to the LISP mapping server: "Where is EID: 172.17.5.2 ?"
3. The mapping server responds with EID: 172.17.5.0/24, RLOC: 204.1.2.1, which R1 stores in its Map Cache
4. R1 encapsulates the packet with R1 (its RLOC) as source and R2 (the resolved RLOC) as destination
5. R2 receives the LISP-encapsulated packet and de-encapsulates it
6. R2 sends the original packet to Host 2
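The six steps above, as an added Python example (not code from the original slides or the networklessons source): a mapping server holding the EID-to-RLOC database, and an xTR that acts as ITR on the way out (map request, map cache, encapsulation toward the RLOC over UDP/4341) and as ETR on the way in (decapsulation, delivery only for EIDs the site owns). The EIDs and RLOCs are those of the figure; the `MapServer`/`XTR` classes, the minimal IPv4 header and the LISP header layout used here (nonce only) are assumptions made for this example.

```python
import struct
from ipaddress import IPv4Address, ip_address, ip_network

LISP_DATA_PORT = 4341   # UDP port for LISP-encapsulated data (RFC 6830)
LISP_FLAG_N = 0x80      # nonce present


def ipv4_packet(src: str, dst: str, data: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left at zero) followed by data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + data


class MapServer:
    """The LISP mapping service: authoritative EID-prefix -> RLOC database."""

    def __init__(self):
        self.db = {}

    def register(self, eid_prefix: str, rlocs: list):
        self.db[ip_network(eid_prefix)] = list(rlocs)   # Map-Register from the site's ETR

    def map_request(self, eid: str):
        """Map-Reply: longest-matching EID prefix and its RLOCs, or None (negative reply)."""
        matches = [(p, r) for p, r in self.db.items() if ip_address(eid) in p]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None


class XTR:
    """A site's border router: ITR for outbound packets, ETR for inbound ones."""

    def __init__(self, rloc: str, local_eids: list, mapserver: MapServer):
        self.rloc, self.ms = rloc, mapserver
        self.local = [ip_network(p) for p in local_eids]
        self.map_cache = {}          # EID prefix -> RLOCs, filled on demand
        self.map_requests = 0        # how often we had to ask the mapping server

    def lookup(self, eid: str):
        for prefix, rlocs in self.map_cache.items():
            if ip_address(eid) in prefix:
                return prefix, rlocs
        self.map_requests += 1
        entry = self.ms.map_request(eid)
        if entry is not None:
            self.map_cache[entry[0]] = entry[1]
        return entry

    def itr_encap(self, ip_packet: bytes, nonce: int = 0x1234):
        """Steps 1-4: resolve the destination EID, then wrap the packet for the RLOC space."""
        dst = IPv4Address(ip_packet[16:20])
        if any(dst in n for n in self.local):
            return None                                     # same site: route natively
        entry = self.lookup(str(dst))
        if entry is None:
            return None                                     # non-LISP destination, no mapping
        outer = {"src": self.rloc, "dst": entry[1][0], "dport": LISP_DATA_PORT}
        lisp_hdr = struct.pack("!II", (LISP_FLAG_N << 24) | (nonce & 0xFFFFFF), 0)
        return outer, lisp_hdr + ip_packet

    def etr_decap(self, outer: dict, payload: bytes):
        """Steps 5-6: strip the LISP header and deliver only packets addressed to our own EIDs."""
        if outer["dport"] != LISP_DATA_PORT or outer["dst"] != self.rloc or len(payload) < 28:
            return None
        inner = payload[8:]
        dst = IPv4Address(inner[16:20])
        if not any(dst in n for n in self.local):
            return None   # do not become a relay for EIDs this site does not own
        return inner


if __name__ == "__main__":
    ms = MapServer()
    ms.register("172.17.4.0/24", ["202.1.2.1"])
    ms.register("172.17.5.0/24", ["204.1.2.1"])
    r1 = XTR("202.1.2.1", ["172.17.4.0/24"], ms)
    r2 = XTR("204.1.2.1", ["172.17.5.0/24"], ms)
    outer, wire = r1.itr_encap(ipv4_packet("172.17.4.2", "172.17.5.2", b"hello"))
    print(outer, r2.etr_decap(outer, wire)[-5:])
```

The second packet to the same /24 is answered from the map cache without another map request, which is the DNS-like caching the previous slide alludes to; the ETR's ownership check matters because, like VXLAN and GRE, the LISP data header itself carries no authentication.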
81. @arafkarsh arafkarsh
Software Defined Network
81
Challenges
1. Explosion of Devices
2. Cost of Human Error
3. Lack of Visibility
4. Security Challenges
2 Fundamental Tenets of SDN
1. Central Intelligence
2. Intent Based Networking
A traditional router has both a Control Plane and a Data Plane.
Data Plane: responsible for packet forwarding.
Control Plane: responsible for device-to-device network communication (routing protocols) and for deciding how to forward packets.
In SDN the Control Plane is moved out into a central controller (Central Intelligence) that pushes Forwarding Rules down; the router keeps only the Data Plane and does the Packet Forwarding.
SDN Architecture: Application Plane (Security, QoS, MPLS…, Routing applications) – Northbound APIs – Control Plane (Network OS / controller) – Southbound APIs – Data Plane (network elements).
82. @arafkarsh arafkarsh
SDN Architecture
Software Defined Network
82
Application Layer (Application Plane): Business Applications such as Security, QoS, MPLS…, Routing
Northbound APIs: RESTful or Java APIs between the applications and the Controller
Control Layer (Control Plane): the SDN Controller; East – West APIs connect multiple controllers to avoid a single point of failure
Southbound APIs: OpenFlow, SNMP, NETCONF between the Controller and the Network Elements
Infrastructure Layer (Data Plane): Network Elements such as vRouter, vSwitch, vFirewall
Management Plane: configuration and monitoring of the whole fabric
In Cisco SD-WAN terms the SDN appliance is the vEdge, the controller is the vController (vSmart) and the management plane is vManage.
83. @arafkarsh arafkarsh
Benefits of the SDN Controller
83
1. Virtualization
1. Virtualizes the network
2. Separates the network function from the hardware – Network Function Virtualization (NFV)
3. VNF = Virtual Network Function, e.g. vRouter, vSwitch, vFirewall
Cisco SD-WAN vEdge 1000 Router
2. Automation
1. ZTP = Zero Touch Provisioning
2. Use templates to automatically deploy the hardware into your network
3. Visibility
1. A single controller sees the entire network
2. Configure and monitor from a single pane of glass
84. @arafkarsh arafkarsh
SDN – Use Cases
84
• SD-DC Software Defined Data
Center
• SD-WAN Software Defined WAN
• SD-LAN Software Defined LAN
• SDX Software Defined X
85. @arafkarsh arafkarsh
Software Defined – WAN
85
Uses a combination of technologies
to create the next generation WAN
• Encrypted Tunnels: IPSec /
GRE
• Routing Protocols: OSPF and
BGP, MPLS
• Supports various Network
Topologies
Features
1. Transport
Independent
2. Cloud Friendly
3. Simple and
Secure
86. @arafkarsh arafkarsh
Software Defined – WAN: Architecture
86
New York
SD-WAN Edge
Appliance
San Jose
SD-WAN Edge
Appliance
Internet
MPLS
SD-WAN
Fabric
1 Gb DIA
100 M MPLS
SD-WAN Controller
Cloud Hosted / On-Premise
100 M MPLS
1 Gb DIA
Circuits
Underlay
IP, MPLS, 4G/5G…
Overlay
Tunnels
Benefits of SD-WAN
1. Active-Active design: some vendors support up to 8 active connections
2. Intelligent traffic routing
3. Better user experience
87. @arafkarsh arafkarsh
Software Defined – WAN: Zero Touch Provisioning
87
New York
SD-WAN Edge
Appliance
Internet
MPLS
SD-WAN
Fabric
1 Gb DIA
SD-WAN Controller
Cloud Hosted / On-Premise
100 M MPLS
Circuits
Underlay
IP, MPLS, 4G/5G…
1 Unbox & Connect
to the network
2
SD-WAN Appliance
Calls Home to talk
the controller
3
SD-WAN Controller
pushes the configuration
to the SD-WAN
Appliance
4
SD-WAN Appliance
joins the SD-WAN
Fabric
88. @arafkarsh arafkarsh
Software Defined – WAN: Security
88
New York
SD-WAN Edge
Appliance SD-WAN
Fabric
SD-WAN Controller
Cloud Hosted / On-Premise
1
Localized Security Policy
to handle a specific
Branch Specs
2
Centralized Security Deployed
Through Service Chaining By
Redirecting Internet Traffic To
a Cloud Firewall or Secure
Web Gateway
3
Consistent Security Policy
regardless of Local or a
Central Security Policy
89. @arafkarsh arafkarsh
Public
WAN
Private
WAN Software Defined – WAN: Private / Public
89
New York
SD-WAN Edge
Appliance
San Jose
SD-WAN Edge
Appliance
Layer 1 – Dark Fiber Circuit
Layer 2 – Virtual Private LAN Service - Circuit
Layer 3 – Multi Protocol Label Switching- Circuit
MPLS
VPLS
Layer 3 – Dedicated Internet Access Circuit
Layer 3 – Broadband (DSL/Cable/4G/5G) Circuit Shared
Source: Juniper: Understand the VPLS
Source: Juniper: Understanding MPLS VPN Circuits
90. @arafkarsh arafkarsh
Modern WAN Architecture: SD-WAN
Software Defined – WAN: Cloud Friendly
90
Traditional / Legacy WAN Architecture
MPLS
Branches
Users Data Center
Users
DIA /
Broadband
MPLS
Branches
Data Center
SaaS
Multi
Cloud
Internet
Internet
Choke Point
91. @arafkarsh arafkarsh
Software Defined – WAN: Benefits
91
1. Creates a secure yet open network, rather than a closed one.
2. Utilizes all your bandwidth (across multiple providers / transports) instead of an active/standby pair.
3. Supports a smooth transition to cloud native apps (cloud workloads).
4. Simplified management using a single pane of glass.
5. Consolidates edge appliances, rather than dedicated appliances from different vendors.
92. @arafkarsh arafkarsh
Software Defined – WAN: Summary
92
A Cloud
Delivered,
Centralized,
Single Solution
for Management
of Configurations
for WAN, Cloud &
Security with low
Cost.
Single Pane of Glass – SPoG: Cisco SD-WAN Dashboard
95. @arafkarsh arafkarsh
SANS Cloud Security Architecture Principles
95
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
Think
Components
Design for
Failure
Always
Think of
Feedback Loops
Use Different
Storages
Options
Built-In
Security
at every Layer
CENTRALIZATION
Focus on
Centralization
Standards & Automation
Design for
Elasticity
96. @arafkarsh arafkarsh
Built-In Security At Every Layer
96
Built-In
Security
at every Layer
• Cloud architecture is composed of multiple layers. From a cloud native app perspective, each microservice is a specific layer in the application stack.
• Each layer must be self-defending.
• Each layer must have its own security controls as part of defense in depth.
• Depending on the security guidelines / policies, some of the security measures will be internal to the layer and some external (provided by the platform or the security team).
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
97. @arafkarsh arafkarsh
Built-In Security At Every Layer
97
Stack Layer | Controls
1. Data | Backup, Data Leak Prevention, Encryption in Transit and at Rest
2. Application Logic + Presentation | Web App Firewall, Secure Web Gateway, Identity & Access Management, Scans / Pen Tests, Service Mesh Policies
3. Network | Access Controls, Firewalls, Service Mesh, Routing, DDoS Defense
4. Operating Systems | Backups, Configuration, Vulnerability Scanning, User / Privilege Management
5. Hypervisor | Configuration, Access Controls, User / Privilege Management
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
Built-In
Security
at every Layer
98. @arafkarsh arafkarsh
Built-In Security At Every Layer
98
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
Built-In
Security
at every Layer
o Cloud introduced very frequent changes to the environment
(Infrastructure / Software)
o Security Measures must be embedded for these Rapid changes.
1. Defining Security in the Code (Functional Code, Security
Policies)
2. Include Security Configuration Params for the Container /
Virtual Machines
3. Automating Security Processes & Activities
4. Building Continuously Monitored Environments
o Many of these are realized through Sound DevSecOps Practices.
99. @arafkarsh arafkarsh
Think ”Components”
99
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
Think
Components
o Moving from systems thinking to component-based thinking is a major shift for security professionals.
o The cloud is oriented towards a component-based model, with components linked together based on business requirements.
o The key property of a component is reusability, including reuse of its
o Network Policies
o Security Policies
The above can be applied across multiple clouds.
Ex. Terraform, Kubernetes, Service Mesh
100. @arafkarsh arafkarsh
Design for Failure
100
Design for
Failure
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
o In the cloud, failure is common:
o Elasticity issues
o Configuration issues
o Cloud provider issues
o Chaos Engineering plays a big role in preparing for this:
o Production – Network Testing
o Production – Security Testing
o Production – Performance Testing
Chaos Engineering Principle: Minimize the Blast Radius
101. @arafkarsh arafkarsh
Design for Elasticity
101
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
o Microservices, Containers and Kubernetes brought automated dynamic
scaling up and down of the systems (containers)
o This is a new environment from Security Perspective compared with old
Static environment (Changes are periodic and planned).
o Designing Elasticity from Security Perspective
o Vertical or Horizontal Scaling
o What thresholds are appropriate for scaling up & down
o How will inventory management adjust to system volume changes
o Images new systems are spawned from
o Where are new systems located in the network
o Host Based Security + Licensing
Design for
Elasticity
102. @arafkarsh arafkarsh
Make use of Different Storage Options
102
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
Use Different
Storages
Options
o There are many types of Storage options available in Cloud and
each has its own security features.
o Design the Data Security based on the storage options.
o Things to consider and evaluate
o Storage have appropriate SLA
o Storage options for Dev and Ops
o Storage have adequate Redundancy & Archival
o Storage have native encryption capabilities
o Storage have adequate logging and event generation
103. @arafkarsh arafkarsh
Always think of Feedback Loops
103
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
o One of the most critical principles is Feedback Loops.
o One of the critical aspects of feedback loops is logging.
o Enable logging everywhere you can:
o Within the entire cloud environment (CloudTrail and CloudWatch on AWS, Azure Monitor / Activity Log on Azure, Cloud Logging (formerly Stackdriver) on Google Cloud)
o OS types, network platforms
o For all Identity & Access Management activity
o For all interconnected services and their activity
o Feedback Loops = Logging
o Secure log access: logs are evidence, so write-once storage, restricted read access and alerting on log deletion belong in the design.
Always
Think of
Feedback Loops
104. @arafkarsh arafkarsh
Focus on Centralization, Standards, Automation
104
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
o Centralization – having a single pane of glass to see everything that is happening in the cloud.
o Using the same vendor products across all environments (cloud, on-premise) – if possible.
o Standardization – go with well-known standards:
o SAML and OpenID Connect for IAM
o YAML for configs / Infrastructure as Code
o AES-256 (or stronger) for encryption
o Automation – is the key for DevOps and DevSecOps. Manual efforts are doomed to fail because of the rate of change.
CENTRALIZATION
Focus on
Centralization
Standards & Automation
105. @arafkarsh arafkarsh
Blast Radius
105
Source: RSA Conference 2019 – A Cloud Security Architecture workshop. Dave Shackleford Sr. Instructor SANS Institute
o One of the Core Security Concepts in the world of DevOps & Cloud
Computing is the Blast Radius
o It’s the amount of damage that could be caused if something goes
wrong
o An Account or Server gets hacked
o A Component Fails
o Design the Security Model in such a way that the damage is limited
to that area or Service.
o In Microservices architecture link this concept with Circuit Breakers,
Bulkhead Design Patterns.
106. @arafkarsh arafkarsh
Security
o 802.1x EAP Security
o Port Knocking & SPA – Single Packet Authorization
o Micro Segmentation / Software Defined Firewall
o Zero Trust and VPNs
o Service Mesh
106
107. @arafkarsh arafkarsh
IEEE 802.1x Wired / Wireless
107
Source: What is 802.1X? How Does it Work? https://www.securew2.com/solutions/802-1x
https://standards.ieee.org/ieee/802.1X/7345/
• IEEE 802.1X is a port-based network access control standard: a client (supplicant) must authenticate, through the switch or access point (authenticator), against a RADIUS authentication server before the port passes any other traffic.
• 802.1X with RADIUS is widely regarded as the strongest generally available control for securing access to wireless and wired networks.
An 802.1X network differs from a home network in one major way:
1. it has an authentication server, the RADIUS server;
2. the server checks a user's credentials (or certificate) to see if they are an active member of the organization, and
3. depending on the network policies, grants users varying levels of access to the network (for example by assigning a VLAN or an ACL).
This allows unique credentials or certificates to be used per user, eliminating the reliance on a single shared network password that can be easily stolen.
108. @arafkarsh arafkarsh
802.1x EAP Security
108
• The standard authentication framework used on these networks is the Extensible Authentication Protocol (EAP, RFC 3748).
• 802.1X is the standard for carrying EAP over wired and wireless Local Area Networks (EAP over LAN, EAPOL); the authenticator relays the EAP exchange to the RADIUS server.
• Tunnelled EAP methods set up a TLS tunnel first, so credentials are never exposed to anyone intercepting the link.
EAP can be configured for:
1. Credential-based authentication (EAP-TTLS/PAP and PEAP-MSCHAPv2), which is only as strong as the client's validation of the server certificate: a client that skips that check will hand its password (or MSCHAPv2 hash) to a rogue access point; and
2. Digital certificate authentication (EAP-TLS), a highly secure method for protecting the authentication process because both sides authenticate with certificates and no password is ever sent.
Source: What is 802.1X? How Does it Work? https://www.securew2.com/solutions/802-1x
802.1X involves only 4 major components:
1. Client (the supplicant)
2. Access point / switch (the authenticator)
3. RADIUS server (the authentication server)
4. Identity provider (the user / device directory the RADIUS server checks against)
109. @arafkarsh arafkarsh
Port Knocking
109
• Port knocking is a simple method of granting remote access without leaving a port constantly open: the firewall drops everything until a client connects to a secret sequence of closed ports, at which point a daemon (knockd) inserts a temporary firewall rule for that client.
• In the knockd configuration shown on the original slide, the port (8888) is opened for 10 seconds to the client that hits ports 7000, 8000 and 9000, in that order.
Source: Ubuntu Port Knocking Manual: https://help.ubuntu.com/community/PortKnocking
Security by Obscurity: the knock sequence is sent in the clear, so anyone who can sniff the path (or brute-force a short sequence) can replay it from their own address; it adds a hurdle, not authentication. Single Packet Authorization (next slide) replaces the sequence with one cryptographically authenticated, non-replayable packet.
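The knockd behaviour described above, as an added Python example (not code from the original slide or from knockd): a state machine that tracks each source's progress through the 7000, 8000, 9000 sequence, times out slow attempts, and grants a 10-second window on port 8888 when the sequence completes. The sequence, port and timeout are the slide's; the class, the timing parameters and the constructed event log (a legitimate client, a port scanner, and a sniffer replaying the captured sequence) are assumptions made for this example. The last case is the point of the "security by obscurity" caveat: the replay succeeds.

```python
class KnockDaemon:
    """Tracks knock sequences per source and hands out short-lived 'open' rules, like knockd."""

    def __init__(self, sequence=(7000, 8000, 9000), open_port=8888,
                 seq_timeout=5.0, open_for=10.0):
        self.sequence, self.open_port = tuple(sequence), open_port
        self.seq_timeout, self.open_for = seq_timeout, open_for   # knockd: seq_timeout / cmd_timeout
        self.progress = {}   # src -> (index of next expected knock, time of last knock)
        self.allowed = {}    # src -> time at which the temporary firewall rule expires

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record a SYN to a closed port; True when src completed the sequence (rule inserted)."""
        idx, last = self.progress.get(src, (0, now))
        if now - last > self.seq_timeout:
            idx = 0                                   # too slow: start the sequence over
        if port == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == self.sequence[0] else 0   # wrong knock resets; a fresh first knock counts
        if idx == len(self.sequence):
            self.allowed[src] = now + self.open_for
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, now)
        return False

    def accepts(self, src: str, port: int, now: float) -> bool:
        """Would the firewall accept a new connection from src to port at time now?"""
        return port == self.open_port and self.allowed.get(src, 0.0) > now


def replay_demo() -> dict:
    """Constructed event log: a legitimate client, a port scanner, and a sniffer replaying the sequence."""
    kd = KnockDaemon()
    client, scanner, sniffer = "203.0.113.5", "198.51.100.7", "198.51.100.9"
    for t, port in ((0.0, 7000), (0.5, 8000), (1.0, 9000)):
        kd.knock(client, port, t)
    for t, port in ((2.0, 8000), (2.1, 7000), (2.2, 9000)):    # right ports, wrong order
        kd.knock(scanner, port, t)
    for t, port in ((20.0, 7000), (20.5, 8000), (21.0, 9000)):  # captured sequence, new source
        kd.knock(sniffer, port, t)
    return {
        "client_right_after": kd.accepts(client, 8888, 1.5),
        "client_after_10s": kd.accepts(client, 8888, 12.0),    # rule expired
        "client_other_port": kd.accepts(client, 22, 1.5),
        "scanner": kd.accepts(scanner, 8888, 2.5),
        "sniffer_replay": kd.accepts(sniffer, 8888, 21.5),     # replay works: obscurity, not auth
    }


if __name__ == "__main__":
    for case, opened in replay_demo().items():
        print(f"{case}: {'accept' if opened else 'drop'}")
```

Nothing in the daemon can tell the sniffer from the client, because the only thing it checks is knowledge of the sequence, and the sequence is visible to anyone on the path; SPA fixes exactly this by binding the request to a shared secret, a counter and a MAC.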
110. @arafkarsh arafkarsh
Single Packet Authorization
110
SPA packet layout (256 bits): UID (32 bit) | CTR (64 bit) | OTP (32 bit) | GMAC (128 bit)
SPA = UID, CTR, OTP, GMAC
UID: Universal ID of the SDP client
CTR: counter, hashed with the seed to create the OTP; incremented on every packet to mitigate replay attacks
OTP: One Time Password, HOTP (HMAC-based OTP, RFC 4226) = HMAC[Seed + CTR]
GMAC: signature over UID, CTR and OTP = E-Key[UID + OTP + CTR]
Seed: shared secret for the OTP
Encryption Key: shared key for the GMAC (AES-256)
SPA addresses all the limitations of port knocking.
By default, the SPA gateway drops all packets.
1. The client sends an SPA packet
2. The gateway receives the packet, decrypts it if it is encrypted, and verifies the GMAC, then the counter and the OTP
3. It validates the credentials for the requested protocol / port
4. If valid, it adds a firewall rule allowing the client to open an mTLS connection
5. Once the connection is established the gateway removes the firewall rule, making the service go dark again.
o The established mTLS session is not affected by removing the firewall rule: the rule only gates new connections, the existing connection state is kept.
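The packet format and the gateway's checks above, as an added Python example (not code from the original slide or from any SDP product): a client emits UID | CTR | OTP | tag packets with an incrementing counter and an RFC 4226 HOTP, and a default-drop gateway verifies the tag in constant time, rejects counters it has already seen, and checks the OTP before it would insert a firewall rule. The field sizes are the slide's; the class names and constructed secrets are assumptions, and because the standard library has no AES-GMAC, HMAC-SHA256 truncated to 128 bits stands in for the GMAC (same check flow, different MAC), which is stated again in the code.

```python
import hmac
import hashlib
import struct

SPA_FORMAT = "!IQI16s"                    # UID(32) | CTR(64) | OTP(32) | tag(128) = 256 bits
SPA_SIZE = struct.calcsize(SPA_FORMAT)    # 32 bytes


def hotp31(seed: bytes, counter: int) -> int:
    """RFC 4226 HOTP before the decimal reduction: HMAC-SHA1 + dynamic truncation -> 31-bit value."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return ((mac[off] & 0x7F) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3]


def spa_tag(ekey: bytes, uid: int, ctr: int, otp: int) -> bytes:
    """Authentication tag over UID, CTR and OTP.
    Assumption: HMAC-SHA256 truncated to 128 bits stands in for AES-256-GMAC, which the
    standard library does not provide; the verification flow is identical for either MAC."""
    return hmac.new(ekey, struct.pack("!IQI", uid, ctr, otp), hashlib.sha256).digest()[:16]


class SpaClient:
    def __init__(self, uid: int, seed: bytes, ekey: bytes):
        self.uid, self.seed, self.ekey, self.counter = uid, seed, ekey, 0

    def packet(self) -> bytes:
        self.counter += 1                     # never reuse a counter: this is the replay defence
        otp = hotp31(self.seed, self.counter)
        return struct.pack(SPA_FORMAT, self.uid, self.counter, otp,
                           spa_tag(self.ekey, self.uid, self.counter, otp))


class SpaGateway:
    """Default-drop gateway: only a valid SPA packet earns a firewall rule for the sender."""

    def __init__(self):
        self.clients = {}   # uid -> [seed, ekey, highest counter accepted]

    def enroll(self, uid: int, seed: bytes, ekey: bytes):
        self.clients[uid] = [seed, ekey, 0]

    def validate(self, pkt: bytes) -> str:
        """Return 'ok' (open the firewall for this client) or the reason the packet is dropped."""
        if len(pkt) != SPA_SIZE:
            return "drop: wrong size"
        uid, ctr, otp, tag = struct.unpack(SPA_FORMAT, pkt)
        rec = self.clients.get(uid)
        if rec is None:
            return "drop: unknown uid"
        seed, ekey, last_ctr = rec
        # Check the tag first, in constant time, before touching any per-client state
        if not hmac.compare_digest(tag, spa_tag(ekey, uid, ctr, otp)):
            return "drop: bad signature"
        if ctr <= last_ctr:
            return "drop: replay"             # an old (sniffed) packet, even though its tag is valid
        if otp != hotp31(seed, ctr):
            return "drop: bad otp"
        rec[2] = ctr                          # accept, and move the replay window forward
        return "ok"


if __name__ == "__main__":
    seed, ekey = b"12345678901234567890", b"\x42" * 32   # constructed shared secrets
    gw = SpaGateway()
    gw.enroll(0x1001, seed, ekey)
    client = SpaClient(0x1001, seed, ekey)
    pkt = client.packet()
    print(gw.validate(pkt), "/", gw.validate(pkt))   # ok / drop: replay
```

Compared with the knock daemon, the sniffer now gains nothing: a captured packet fails the counter check, a modified one fails the tag check, and a forged one needs both shared secrets. Every packet is also answered with silence, so the gateway still looks dark to a scanner.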
111. @arafkarsh arafkarsh
Single Packet Authorization: Benefits
111
SPA darkens the gateway: all the services behind the gateway are invisible to the world, because no port answers until a valid SPA packet has been seen.
SPA also mitigates DoS attacks on TLS: the SDP gateway discards the traffic before it ever reaches the TLS handshake, since no TCP connection is accepted from a client that has not authorized itself first.
The first packet to the gateway must be an SPA packet. Any other packet is treated as an attack, which makes attack detection straightforward: every unexpected packet is a signal.
Source: https://network-insight.net/2019/06/zero-trust-single-packet-authorization-passive-authorization/
112. @arafkarsh arafkarsh
Zero Trust: Micro Segmentation
112
Source: Cisco: What is Micro Segmentation?
How does it work?
• Secures an application by allowing only the specific traffic the application needs and denying all other traffic (an allow-list, default-deny model enforced per workload)
• Micro segmentation is the foundation of the Zero Trust security model
Challenges in implementing micro segmentation
• Implementing granular firewall policy using the host / workload firewall
• Policy life-cycle management: policies must follow workloads as they are created, moved and retired
• Begin at the macro level (environment, application tier) and refine using policy automation
Why can't classic firewalls do the job?
• Granular east-west policy controls give each workload its own perimeter; a perimeter firewall only sees north-south traffic
• Implemented at the workload level
• Scalable across workloads
• Enhances visibility and control from the workload perspective
113. Zero Trust: Micro Segmentation: Benefits
Source: Cisco: What is Micro Segmentation?
Reduce Attack Surface
Uses an allow-list model to significantly reduce the attack surface across different workload types and environments.
Protect Critical Applications
Gain better threat visibility and enforcement for critical workloads and applications across different platforms and environments, limiting lateral movement of a security incident from one compromised VM, service, or container to another.
Achieve Regulatory Compliance
Granular visibility and control over sensitive workloads demonstrate proper security and data separation to simplify audits and document compliance.
114. Software Defined Firewall: Network / Micro Segmentation
Diagram (two panels): Network Segmentation using a Software Defined Firewall | Micro Segmentation using a Software Defined Firewall
Source: https://www.vmware.com/topics/glossary/content/network-segmentation.html
115. Traditional VPN Vs. Zero Trust
Enterprise VPN (diagram): User System [VPN Client, User App] -> WAN -> VPN Server + IAM -> Enterprise Resources; Split Tunnel optional
• Relies on a shared secret and/or a shared root of trust
• If split tunneling is enabled, only traffic to the Enterprise is tunneled.
Zero Trust (diagram): User System [Agent, PEP, User App] -> Encrypted Tunnel over the WAN (or Normal Traffic on the LAN) -> a PEP in front of each Resource; PDP and IAM in the control plane
• Dynamically adjusts the context
• Multiple entry points
• Supports remote and on-premise users
Resource = Data, Documents, Apps, Services, Files etc.
116. Zero Trust – Security: Resource Based Deployment Model
Zero Trust Deployment Models. Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
Diagram: Device [Agent + PEP, Host IDS/IPS] -> Encrypted Tunnel (Data Plane) -> PEP Gateway [Host IDS/IPS] -> Resource inside its Implicit Trust Zone. The Policy Decision Point sits in the Control Plane; a ZT-aware Network IDS/IPS watches the path.
Zero Trust will bring changes to network segmentation and network traffic encryption patterns.
Resource = Data, Documents, Apps, Services, Files etc.
117. Zero Trust – Security: Enclave Based Deployment Model
Zero Trust Deployment Models. Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
Diagram: Device [Agent + PEP, Host IDS/IPS] -> Encrypted Tunnel (Data Plane) -> PEP Gateway -> Resource Enclave (Implicit Trust Zone) holding several Resources, each with a Host IDS/IPS and an NIDPS inside the enclave. The Policy Decision Point sits in the Control Plane; a ZT-aware Network IDS/IPS watches the path.
Zero Trust will bring changes to network segmentation and network traffic encryption patterns.
Resource = Data, Documents, Apps, Services, Files etc.
118. Zero Trust – Security: Cloud Routed Deployment Model
Zero Trust Deployment Models. Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
Diagram: the Subject (Device [Agent + PEP, Host IDS/IPS], User App) sends its traffic through an Encrypted Tunnel to a cloud-hosted PEP, which forwards it to the PEP Gateway of the Resource Enclave (Implicit Trust Zone, Resources with Host IDS/IPS and an NIDPS). The Policy Decision Point sits in the Control Plane, the tunnels in the Data Plane; a ZT-aware Network IDS/IPS watches the path.
Resource = Data, Documents, Apps, Services, Files etc.
119. Zero Trust – Security: Micro Segmentation Deployment Model
Zero Trust Deployment Models. Source: Page 183: Zero Trust Security: An Enterprise Guide by Jason Garbis, Jerry W Chapman
Diagram: each Subject and each Resource host runs its own PEP and Host IDS/IPS, so enforcement happens on every host rather than at a gateway; a ZT-aware Network IDS/IPS watches the network between them.
Resource = Data, Documents, Apps, Services, Files etc.
120. Secure Web Gateway
Content Filtering   Filter content by specific URL or category to ensure internet access is based on corporate policies.
Scan Docs           Scan all uploaded and downloaded files for malware and other threats.
File Types          Block files based on file type, for example .exe files.
App Controls        User access to web apps is controlled: for example, uploading a file to Dropbox or Google Drive, attaching a file to Gmail, or posting to social media sites.
Metrics             Detailed reporting on user, device, URLs accessed, network identity and allow / block actions.
121. Cloud Access Security Broker (CASB)
o A CASB is the bridge between Cloud Service Consumers and Cloud Service Providers, used to combine and interject enterprise security policies as the cloud-based resources are consumed.
o CASBs combine multiple types of security policy enforcement, such as Authentication, Single Sign-On, Authorization, Credential Mapping, Device Profiling, Encryption, Tokenization, Malware detection / prevention etc.
Four pillars: Visibility, Compliance, Threat Prevention, Data Security
Source: Gartner CASB Definition
122. Service Mesh: Istio Security
Source: https://istio.io/docs/concepts/security/
Istio provides strong identity, powerful policy, transparent TLS encryption, and authentication, authorization and audit (AAA) tools to protect your services and data. The goals of Istio security are:
• Security by default: no changes needed for application code and infrastructure
• Defense in Depth: integrate with existing security systems to provide multiple layers of defense
• Zero-trust network: build security solutions on untrusted networks
124. Service Mesh: Micro Segmentation
Source: Istio: Micro-Segmentation with Istio Authorization https://istio.io/latest/blog/2018/istio-authorization/
• Authorization at different levels of granularity, including namespace level, service level, and method level.
• Service-to-service and end-user-to-service authorization.
• High performance, as it is enforced natively on Envoy.
• Role-based semantics, which makes it easy to use.
• High flexibility as it allows users to define conditions using combinations of attributes.
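As an added configuration example (not from the Istio blog post or from the slides) of the three granularities listed above: a deny-by-default policy for a namespace, a service-level rule restricted to two methods and paths for one caller identity, and an end-user rule that requires a JWT. The namespace shop, the workloads checkout / payments / storefront and the issuer URL are assumptions. The 2018 post used ServiceRole and ServiceRoleBinding; Istio has since replaced them with the AuthorizationPolicy resource used here, and the matching RequestAuthentication that validates the JWT is not shown.

```yaml
# Namespace level: a policy with an empty spec matches nothing, so every request to a
# workload in "shop" is denied unless some other ALLOW policy matches it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# Service level + method level: only the checkout workload, identified by the SPIFFE
# principal carried in the mTLS client certificate of the Envoy-to-Envoy connection,
# may call payments, and only POST /charge and GET /status. Everything else on the
# payments pod stays denied by the policy above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
    - operation:
        methods: ["GET"]
        paths: ["/status"]
---
# End-user to service: requests to the storefront must carry a JWT whose issuer is
# the assumed identity provider (validated by a RequestAuthentication, not shown);
# requestPrincipals is "<iss>/<sub>", so the wildcard accepts any subject from that issuer.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: storefront-require-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: storefront
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]
```

Apply the deny-all policy first and watch the 403s in the Envoy access logs before adding ALLOW rules; a missing deny-all is the most common reason a mesh that looks segmented is still fully open.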
125. Section 3: Cisco SASE / Zero Trust
o Cisco Software Defined – WAN
o Cisco Software Defined – Access
o Cisco Secure Cloud Insights
Objectives
o Understand Cisco Umbrella
o Understand Cisco DNA
o Understand Cisco SD-WAN
o Understand Cisco SD-Access
o Understand JupiterOne
127. Cisco Viptela SD-WAN
o Architecture
o Controllers
o Overlay Management Protocol
o Zero Touch Provisioning
o Transport Tunnels & Topologies
o Traffic Routing
o Bootup Sequence
The Cisco SD-WAN Solution represents an evolution of networking from an older, hardware-based model to a secure, software-based, virtual IP fabric. The Cisco SD-WAN fabric, also called an overlay network, forms a software overlay that runs over standard network transport services, including the public Internet, MPLS, and broadband.
Source: Cisco SD-WAN Getting Started Guide, Page 5
128. Cisco SD-WAN (Viptela) Architecture
Source: Cisco SD-WAN Getting Started Guide
Data Plane: vEdge routers (SD-WAN edge appliances) at the Branch, Remote Data Center and Cloud Branch; transports: MPLS, DIA, DSL, 4G/5G
• Zero Touch Provisioning
• On-Premise or Cloud
• Physical or Virtual
Control Plane: vSmart Controllers
• Routing and Security Policies
• Horizontal Scaling
Management Plane: vManage
• Single Pane of Glass
• RBAC and APIs
• Monitoring / Troubleshooting
Analytics Plane: vAnalytics
• Carrier Performance
• Bandwidth Forecasting
• Machine Learning
Orchestration: vBond (Cloud / On-Premise); vEdge Cloud routers in the SD-WAN Fabric (Overlay Network)
130. OMP – Overlay Management Protocol
o OMP provides centralized control
  1. Orchestration of
     a. Routing & secure connectivity between sites
     b. Service chaining (firewalls, routers)
     c. VPN topologies
  2. Distribution of
     a. Traffic routing rules
     b. Security policies
  3. Security
     a. Establishes secure connections vSmart to vSmart and vSmart to vEdge
     b. Uses DTLS (over UDP) with AES-256 encryption
o Three types of OMP routes
  1. OMP routes (vRoutes)
  2. TLOC: Transport Location (ties a route to a physical location)
  3. Service routes (firewalls, IDS, etc.)
Diagram: vEdge routers peer with the vSmart controllers over OMP.
Patent: Overlay Management Protocol for Secure Routing based on an Overlay Network
Source: SD-WAN OMP
131. Cisco SD-WAN Controllers
vManage  Cisco vManage is a centralized network management system that lets you configure and manage the entire overlay network from a simple graphical dashboard. vSmart & vBond talk to vManage.
vSmart   The Cisco vSmart Controller is the centralized brain of the Cisco SD-WAN solution, controlling the flow of data traffic throughout the network. The vSmart works with the vBond Orchestrator to authenticate vEdge devices as they join the network and to orchestrate connectivity among the edge routers.
vBond    The Cisco vBond Orchestrator automatically orchestrates connectivity between edge routers and vSmart Controllers. If any edge router or Cisco vSmart Controller is behind a NAT, the Cisco vBond Orchestrator also serves as an initial NAT-traversal orchestrator.
Read this article to set up Cisco SD-WAN: Basic Configuration Lab by Jedadiah Casey
Source: Cisco SD-WAN Getting Started, Page 13
132. Cisco SD-WAN Components
vAnalytics     The Cisco vAnalytics platform is a SaaS service hosted by Cisco SD-WAN as part of the solution. The vAnalytics platform provides graphical representations of the performance of your entire overlay network over time and lets you drill down to the characteristics of a single carrier, tunnel, or application at a particular time.
vEdge Routers  The edge routers sit at the perimeter of a site (such as remote offices, branches, campuses, data centres) and provide connectivity among the sites. They are either hardware devices or software (Cloud router) that runs as a virtual machine. The edge routers handle the transmission of data traffic.
Read this article to set up Cisco SD-WAN: Basic Configuration Lab by Jedadiah Casey
Source: Cisco SD-WAN Getting Started, Pages 13, 18
133. Cisco SD-WAN Controllers Deployment Models
Source: Cisco SD-WAN Getting Started
The controllers (vSmart, vManage, vBond) can be deployed On-Premise, in a Private Cloud, or in the Cisco Cloud.
Preferred Deployment Model: Cloud Delivered
134. Cisco SD-WAN Zero Touch Provisioning
Source: Cisco SD-WAN Getting Started, Page 28
1. vManage sends the new router (vEdge) details to vBond. The vEdge authenticates to vBond over DTLS; vBond checks the digital certificate and serial number and rejects the router if they don’t match. vBond then sends the IP addresses of vManage & vSmart to the vEdge.
2. The vEdge authenticates to vManage over DTLS / TLS; vManage sends the full configuration file for the vEdge.
3. The vEdge authenticates to vSmart; an OMP session is established between vEdge & vSmart to exchange routes.
4. BFD (Bidirectional Forwarding Detection) sessions are established between the vEdges, which helps to quickly switch over when a path fails.
135. SD-WAN Transport Tunnels & Topologies
Source: Intro to Cisco SD-WAN | Viptela
Topologies (diagram): Full Mesh, Partial Mesh, Hub & Spoke, Point 2 Point
Transports: MPLS, DIA, DSL, 4G/5G; a single tunnel per transport between the vEdge at Site 1 and the vEdge at Site 2, with the OMP route tables distributed by vSmart
Overlay VPNs
o No reliance on the underlay transport
o Each VPN can have a separate topology
o vEdge routers maintain per-VPN routing info.
136. Edge Router: Traffic Routing
Source: Intro to Cisco SD-WAN | Viptela
A vEdge with two transports (MPLS and DIA) can forward traffic in four ways:
1. Active / Active: Load Sharing Per Session (Default)
2. Active / Active: Weighted Per Session
3. Active / Standby: Application Pinning (Ex. Voice App)
4. Active / Standby: Application Aware Routing (Policy Enforced, based on the SLA measured on each transport)
137. SD-WAN: Key Attributes
Source: Cisco SD-WAN Getting Started, Pages 24 - 25
Diagram: vSmart (Domain ID 1, Site ID 1, System IP 10.0.0.1); vEdge-1 (Domain ID 1, Site ID 100, System IP 1.0.0.100) and vEdge-2 (Domain ID 1, Site ID 200, System IP 2.0.0.200) joined by an IPsec tunnel; Router 1.
Domain ID
• Logical grouping of Edge Routers and vSmart Controllers
• Each Domain is identified by a unique integer
• Currently only 1 Domain is allowed in an Overlay network
• The vBond Orchestrator is not part of a Domain
Site ID
• Physical location of an Edge Router within an Overlay Network
• Each Site ID is a unique integer
• If a Site contains 2 Edge Routers (for backup), the 2nd one has the same Site ID
System IP Address
• Each Edge Router and vSmart is assigned an IP address which identifies the physical system independent of interfaces
• Similar to the Router ID on a regular router
• Permanent network overlay address
TLOC
• Identifies the physical interface where an edge router connects to the WAN transport network or to a NAT gateway
138. Cisco SD-WAN: Boot Sequence
Source: Cisco SD-WAN Getting Started, Page 95
Diagram: the four components are started one after another (OFF -> ON) in the order vManage (1), vBond (2), vSmart (3), vEdge (4). Each component, once started, authenticates (with vBond, then vManage) and receives its configuration from vManage (steps 4.1 - 4.3, 5.1 - 5.2, 6, 7.1 - 7.3: Authenticate, Sends Config).
139. Cisco SD-WAN Summary
o Utilization of multiple underlay transport protocols at the same time.
o Single window into the entire network fabric for management and monitoring.
o Low-cost solution with bandwidth forecasting and carrier performance.
o Zero Touch Provisioning.
o Separation of data plane and control plane, and virtualizing the routing instead of dedicated hardware.
143. Cisco DNA Center Platform
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 112
Automation:
o Transforms the network admin’s business intent into device-specific network configs.
o Consists of the Network Info Database, Policy Engines & Network Programmer.
o The controller has the ability to discover the network infrastructure and periodically scan the network to create a single source of truth.
o The Policy Engine provisions various policies across the enterprise network.
o It also provides topology info that maps network devices to the physical topology, with detailed device data.
Policy:
o Define and deploy network-wide policies end-to-end.
o Policies like QoS, security policies, policies on metrics etc.
Analytics & Assurance:
o Built-in Data Collector Framework. Network infrastructure data is obtained via streaming telemetry mechanisms. It also collects data from contextual systems like Cisco ISE, IPAM, ITSM etc.
o Data is processed in real time using time-series analysis, complex event processing and machine learning algorithms.
o Output is stored and visualized using the DNA Center UI.
144. Cisco DNA Center Overview
Digital Network Architecture
Design
• Using intuitive workflows
• Import existing designs
• User access
Policy
• User & device profiles
• Virtual networks
• ISE, AAA, RADIUS
• Group policies
Provision
• Zero Touch Provisioning
• Policy-based automation
• Provisions network elements to send NetFlow data
Assurance
• Network health
• Fabric health
• 360° view
• Path trace, sensor
Source: Cisco DNA 2.2.3.0 Cisco DNA – Plan, Design & Implement Services
148. Cisco ISE: How ISE enforces Zero Trust
Connecting trusted users and endpoints with trusted resources
1. Endpoint requests access
   • Endpoint is identified and trust is established
   • Posture of the endpoint is verified to meet compliance
2. Endpoint classified and profiled into groups
   • Endpoints are tagged with SGTs
   • Policy applied to profiled groups based on least privilege
3. Endpoint authorized access based on least privilege
   • Access granted
   • Network segmentation achieved
4. Trust continually verified
   • Continually monitors and verifies the endpoint trust level
   • Vulnerability assessments to identify indicators of compromise
   • Automatically updates the access policy
Source: Cisco – Implement Zero Trust and regain Control with Cisco Identity Services Engine
151. Cisco: Software Defined Access
Why Cisco SD-Access for the Zero-Trust Workplace?
• Identify and verify all endpoints and users, including IoT endpoints, that connect to your network
• Establish policy and segmentation to help ensure least privilege access based on endpoint and user type
• Continually monitor endpoint behaviour, including encrypted traffic, to help ensure compliance
• Stop threat propagation, including ransomware, by quarantining any endpoint that exhibits malicious or out-of-compliance behaviour
Source: Cisco Software-Defined Access for Zero-Trust Workplace At-a-Glance
152. Cisco SD-Access
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 20
o Software-Defined Access is the industry’s first intent-based networking.
o An intent-based network treats the network as a single system that provides the translation and validation of the business intent (or goals) into the network and returns actionable insights.
154. Cisco SD-Access Layers
Layers (diagram): Digital Network Architecture -> DNA Center (Automation, Policy, Assurance and Integration) -> SDA Fabric (physical and logical network forwarding infrastructure)
o Cisco’s SD-Access solution is a programmable network architecture that provides software-based policy and segmentation from the edge of the network to the applications.
o SD-Access is implemented via Cisco Digital Network Architecture Center (Cisco DNA Center), which provides design settings, policy definition and automated provisioning of the network elements, as well as assurance analytics for an intelligent wired and wireless network.
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 32
155. Cisco SD-Access Fabric
An SD-Access network underlay is comprised of the physical network devices, such as routers, switches, and wireless LAN controllers (WLCs), plus a traditional Layer 3 routing protocol.
The SD-Access Fabric Overlay has 3 components:
Fabric Data Plane: the logical overlay is created using VXLAN.
Fabric Control Plane: logical mapping & resolution of users and devices (associated with VXLAN) is performed by the Locator/ID Separation Protocol (LISP).
Fabric Policy Plane: where the business intent is translated into a network policy using address-agnostic Scalable Group Tags (SGTs) and group-based policies.
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Page 36
156. Cisco SD-Access Architecture Overview
Source: Cisco SDA Enabling Intent based Networking, 2nd Edition – Pages 36, 50
DNA – Digital Network Architecture
• Automation: Intent-based automation for wired and wireless fabric devices / users
• Assurance: Collectors analyze endpoint-to-application flows and monitor fabric device status.
• Policy: Based on Cisco ISE for dynamic endpoint-to-group mapping & policy definition
Fabric roles
• Control Plane: Central DB to track all users & devices attached to the fabric.
• Border: Connects the traditional L2 / L3 networks to the SD-Access fabric.
• Fabric Edge: Responsible for connecting endpoints to the fabric; operates at the perimeter as the first point of attachment of users and the point where policy is implemented.
• WLC: Connects the APs and wireless endpoints to the SD-Access fabric.
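As an added example (not Cisco’s code and not from the slides) that serves both the Zero Trust: Micro Segmentation slide earlier and the SGT-based, group-based policy of the ISE and SD-Access slides: a small allow-list policy engine in Python. Endpoints are profiled into tags, a matrix keyed by (source tag, destination tag) lists the only permitted ports, every pair not in the matrix is denied, and an endpoint that shows indicators of compromise is re-tagged into quarantine so its previously allowed flows stop. The attribute names, tag names, groups, ports and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# ASSUMPTION: attribute names, tag names, groups and the port matrix below are made up;
# a real deployment takes them from the profiler, the ISE policy sets and the TrustSec matrix.


@dataclass
class Endpoint:
    mac: str
    dev_type: str                 # what profiling saw: "laptop", "camera", "server", ...
    user_group: Optional[str]     # identity-store group; None for headless devices
    compliant: bool               # posture result at admission
    ioc: bool = False             # indicators of compromise observed after admission


def classify(ep: Endpoint) -> str:
    """Step 2 of the ISE slide: map an endpoint to a Scalable Group Tag.

    The first matching rule wins. The quarantine check comes first so that a change in
    trust (step 4) overrides whatever group the endpoint was admitted into.
    """
    if ep.ioc or not ep.compliant:
        return "QUARANTINE"
    if ep.dev_type == "remediation_portal":
        return "REMEDIATION"
    if ep.dev_type == "camera":
        return "IOT_CAMERA"
    if ep.dev_type == "server":
        return "APP_SERVER"
    if ep.user_group == "finance":
        return "FINANCE_USER"
    return "EMPLOYEE"


# Group-based allow-list: (source SGT, destination SGT) -> permitted destination ports.
# Any pair that is absent is denied, which is the "deny all other traffic" of micro-segmentation;
# note there is no (EMPLOYEE, EMPLOYEE) entry, so user-to-user lateral movement is blocked.
POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("EMPLOYEE",     "APP_SERVER"):  frozenset({443}),
    ("FINANCE_USER", "APP_SERVER"):  frozenset({443, 5432}),
    ("IOT_CAMERA",   "APP_SERVER"):  frozenset({554}),
    ("QUARANTINE",   "REMEDIATION"): frozenset({443}),   # quarantined hosts reach only the portal
}


def permit(src: Endpoint, dst: Endpoint, port: int) -> bool:
    """Step 3: enforce least privilege on a flow using the tags of both ends, not their IPs."""
    return port in POLICY.get((classify(src), classify(dst)), frozenset())


def evaluate(flows: List[Tuple[Endpoint, Endpoint, int]]) -> List[str]:
    """Render decisions as log lines, e.g. to review a policy change before deploying it."""
    lines = []
    for src, dst, port in flows:
        verdict = "ALLOW" if permit(src, dst, port) else "DENY"
        lines.append(f"{verdict} {classify(src)}({src.mac}) -> {classify(dst)}({dst.mac}):{port}")
    return lines


if __name__ == "__main__":
    # Constructed sample endpoints.
    lap = Endpoint("00:11:22:33:44:01", "laptop", "engineering", True)
    fin = Endpoint("00:11:22:33:44:02", "laptop", "finance", True)
    cam = Endpoint("00:11:22:33:44:03", "camera", None, True)
    srv = Endpoint("00:11:22:33:44:04", "server", None, True)
    for line in evaluate([(lap, srv, 443), (lap, srv, 5432), (fin, srv, 5432),
                          (lap, fin, 445), (cam, srv, 554), (cam, srv, 22)]):
        print(line)
    cam.ioc = True                           # step 4: compromise detected, the tag changes
    print(evaluate([(cam, srv, 554)])[0])    # the camera's RTSP flow is now denied
```

Because the matrix is keyed by tag rather than by address, a host that moves between subnets keeps the same policy, and adding a host to a group never requires editing a firewall rule; the two things that must be trusted are the profiling that assigns tags and the integrity of the tag as it is carried through the fabric.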
168. Cisco: Secure Cloud Insights
o Apps / Policies / Alerts / Compliance
o Graph Viewer / Insights / Query Library
o JupiterOne Query Language
o JupiterOne Platform
169. Cisco Secure Cloud Insights – Eye in the Sky
Source: SCI – Your Eyes in the Sky, by Al Huger, Nov 15, 2021
While SecOps starts on the left with security posture and attack surface management as its entry point, DevOps starts at the far right with the continuous integration and continuous delivery (CI/CD) pipeline and application/API security as its main concern.
As SecOps moves right and begins to influence the other stakeholders within a mature organization, DevOps shifts left to include pre-deploy checks by using runtime security inputs.
170. Cisco SecureX & Secure Cloud Insights
Source: SCI – Your Eyes in the Sky, by Al Huger, Nov 15, 2021
o Cisco has integrated Secure Cloud Insights with its security platform SecureX and intends to have it play a bigger role as a context wrapper for numerous other Cisco security services.
o While Secure Cloud Insights connects the dots, Secure Cloud Analytics baselines behaviour by analysing the traffic flowing between those dots.
171. Cisco Secure Cloud Insights
Source: Cisco Secure Cloud Insights
Benefits
o Gain complete visibility and understanding of your cloud security posture across multiple clouds
o Continuously monitor cloud environments to detect policy violations or misconfigurations
o Understand your entire attack surface by mapping relationships between assets
o Quickly investigate and remediate impacted assets by pinpointing your blast radius
172. Secure Cloud Insights: Apps
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 5
Assets
o Gives the complete inventory of your assets.
o You can analyze and visualize your assets.
o It also gives you the type and class of the assets and their relationships.
173. Secure Cloud Insights: Policies
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 6
Policies
o Helps you articulate your organization’s policies and associate them with your compliance requirements.
o Each policy and procedure is written down in its own Markdown file, and the policies can be linked together.
o Policy templates are open source; 120+ policy and procedure templates are available.
174. Secure Cloud Insights: Alerts
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 6
Alerts
o Alerts can be created using any query, for continuous auditing and threat monitoring.
o You must have at least one active rule to create an alert.
o You can import rules from a Rule Pack.
o You can create custom rules.
175. Secure Cloud Insights: Compliance
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 6
Manage any compliance standard or framework as a set of controls or requirements:
o Import a compliance standard or security questionnaire
o Map policy procedures to each control or requirement
o Map data-driven compliance evidence by query questions
o Perform automated gap analysis based on query results
o Export compliance artifacts (summary or full evidence package)
176. Secure Cloud Insights: Graph Viewer
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 6
Graph Viewer
It’s a data-driven graph platform.
o JupiterOne Query Language (J1QL) is used to traverse the graph data: entities and edges (relationships).
o You can view and interact with the query result.
177. Secure Cloud Insights: Insights
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 7
Insights
o Helps you build reporting dashboards using J1QL queries.
o You can create a Team Board shared across accounts, and individual dashboards.
o Layouts are saved for each user.
o Admins can create default layouts.
o You can create your own custom dashboards.
178. Secure Cloud Insights: Query Library
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 7
Query Library
o Has 100s of built-in, categorized queries for assessing the current state of your assets.
o You can clone existing queries.
o You can create custom queries.
Ask Anything Search Bar
o You can type any query in the search bar.
o Autocomplete is available.
179. Getting Started with Search
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 10
1. Ask questions by typing in any keywords to search across all packaged/saved questions
2. Full text search across all entities based on their property values
3. JupiterOne Query Language (J1QL) for precise querying of entities and
Results can be toggled in four different display modes: Table, Graph, Raw JSON, or Pretty JSON. Results are limited to 250 items.
Ask Questions
Just start typing any keyword (or combination of keywords) such as these (without quotes):
o compliance
o access
o traffic
o ssh
o data encrypted
o production
Or ask a question like:
o Who are my vendors?
o What lambda functions do I have in AWS?
o What is connected to the Internet?
o Who has access to ...?
181. JupiterOne Query Language
Source: JupiterOne Documentation – Page 81
FIND {class or type of Entity1} AS {alias1}
  WITH {property}={value} AND|OR {property}={value}
  THAT {relationship_verb} {class or type of Entity2} AS {alias2}
  WHERE {alias1}.{property} = {alias2}.{property}
o Seamlessly blends full-text search and graph queries
o Language keywords are case-insensitive
o Inspired by SQL and Cypher; aspires to be as close to natural language as possible
o Support for variable placeholders
o Returns entities, relationships, and/or the traversal tree
o Support for sorting via the ORDER BY clause (currently only applies to the starting entities of the traversal)
o Support for pagination via the SKIP and LIMIT clauses (currently only applies to the starting entities of the traversal)
o Multi-step graph traversals through relationships via the THAT clause
o Aliasing of selectors via the AS keyword
o Pre-traversal filtering using property values via the WITH clause
o Post-traversal filtering using property values or union comparison via the WHERE clause
o Supports aggregates including COUNT, MIN, MAX, AVG and SUM.
182. JupiterOne Query Language
Source: Cisco Secure Cloud Insights Getting Started Guide, Page 11
FIND {class or type of an Entity}                                      Start with an Entity
  WITH {property}={value} AND|OR {property}={value}                    Optionally add some property filters
  THAT {relationship_verb}|RELATES TO {class/type of another Entity}   Get its relationships
  WHERE {alias1.property}={value} AND|OR {alias2.property}={value}     Optionally add some post-traversal property filters
Examples
FIND * WITH tag.Production='true'
FIND User THAT IS Person
FIND User THAT RELATES TO Person
FIND Firewall AS fw
  THAT ALLOWS AS rule (Network|Host) AS n
  WHERE rule.ingress=true AND rule.fromPort=22
  RETURN fw._type, fw.displayName, fw.tag.AccountName,
         n._type, n.displayName, n.tag.AccountName
Editor's Notes
Built-In Security at Every Layer
Think ”Components”
Design for Failure
Design for Elasticity
Make use of different Storage options
Always think of Feedback Loops
Focus on CSA: Centralization, Standardization, Automation
Unique IP Address of the Pod: https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/
MPLS supports transport over IP, Ethernet, asynchronous transfer mode (ATM) and frame relay.
MPLS allows most data packets to be forwarded at Layer 2 (the switching / Data Link layer of OSI) instead of Layer 3 (the routing / Network layer).
MPLS is an alternative to traditional routing based on the destination IP address of the packet, which requires each router to inspect the packet’s destination IP address at every hop before consulting its own routing table. This is a time-consuming process, especially for voice and video calls.
The first router in the MPLS network determines the entire route upfront; the identity of that route is conveyed to subsequent routers using a label in the packet header.
https://www.youtube.com/watch?v=wuM5AyJZK2M
Fabric intermediate nodes are the simplest devices in the SD-Access fabric architecture. Intermediate nodes act as pure Layer 3 forwarders that connect the fabric edge, border, and control plane nodes and provide the Layer 3 underlay for fabric overlay traffic.