#CiscoLive
BRKSEC-2086: Implement Direct Internet Access with Secure Firewall Threat Defense
Alejandra Pez Castro, Security Technical Leader, CX Americas
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

With Secure Firewall, traffic can be steered through multiple active WAN links based on application, giving users a better application experience while keeping the network secure.

Agenda
Direct Internet Access (DIA)
Components
Configuration Walkthrough
PBR with Path Monitoring
Configuration Walkthrough
Demo
Conclusion

Questions?
Use the Cisco Webex App to chat with the speaker after the session: find this session in the Cisco Live Mobile App and click "Join the Discussion".
Install the Webex App or go directly to the Webex space, then enter messages or questions in the space. Webex spaces are moderated by the speaker until June 9, 2023.

Know your Presenter
Alejandra Pez Castro
Venezuela/Mexico
Telecommunications Engineer
6 years as Technical Consulting Engineer in Firewall TAC
2+ years as Security Technical Leader in CX
Passionate about NGFW security appliances

Direct Internet Access Introduction

Traditional WAN Architecture
A traditional WAN topology backhauls all internet traffic from the branch firewall over the VTI tunnel to the corporate firewall in the enterprise data center. The corporate firewall becomes the bottleneck, and users get a poor application experience: packet latency, drops and jitter.
(Diagram: Branch Firewall, VTI tunnel, Corporate Firewall, Internet; bottleneck at the corporate firewall)

Simplified Branch Requirements (Secure Firewall feature timeline)
7.0: VTI enhancement: active/standby backup VTI tunnel configuration with SLA monitoring; ECMP support from the FMC UI; ECMP support for VTI
7.1: PBR using application as matching criteria (DIA)
7.2: Adaptive traffic steering based on Path Monitoring

Direct Internet Access (DIA)
DIA gives branches the capability to send internet-bound traffic directly out the local internet link instead of carrying it all the way back to the centralized data center for internet access.
(Diagram: Branch Firewall with Internal-LAN and WAN1; corporate traffic over the VTI tunnel to the Corporate Firewall, cloud applications reached directly over WAN1)

DIA Components

Vulnerability Database (VDB)
The VDB supplies the list of domains used for application detection, and DIA matches applications using those definitions. Keep the VDB version updated: an application whose domains changed since your VDB was built will not be matched, and the traffic silently falls back to the normal routing table.

firepower# show object network-service
object network-service Cisco dynamic
 description Official website for Cisco.
 app-id 2655
 domain (bid=1851027941) ip (hitcnt=0)
object network-service Duo Security dynamic
 description A user-centric access security platform that provides two-factor authentication, endpoint security, remote access solutions and a subsidiary of Cisco.
 app-id 4648
 domain (bid=-2050678515) ip (hitcnt=0)
 domain (bid=-2050510683) ip (hitcnt=0)

Trusted DNS Server
Application-based Policy Based Routing (PBR) uses DNS snooping to map the application domains to IP addresses: the firewall learns an application's addresses only from DNS responses it can read. Ensure client DNS traffic passes through the firewall in clear text and is answered by a configured trusted DNS server; queries the firewall does not see (a resolver reached over another path, or encrypted DNS such as DoH/DoT) populate nothing, and that client's traffic will never match an application-based PBR rule.

firepower# show run dns
dns domain-lookup any
DNS server-group DNS-Group
 name-server 10.10.10.10
 domain-name
DNS server-group DefaultDNS
dns-group DNS-Group
dns trusted-source 10.10.10.10
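The following Python model of the DNS-snooping step is an added example written for this page, not Cisco code and not a verbatim description of FTD internals. It parses a DNS response the way a snooping firewall would (including compression pointers, so it works on real packets), attributes the resolved addresses of a queried NSO domain to that application, ignores responses that do not come from the trusted DNS server (10.10.10.10 from the configuration above), and then classifies a destination IP the way the PBR match step does. The NSO domain lists (code.s4d.io is from the Webex Teams slide; facebook.com and fbcdn.net are assumed) and every packet are constructed inline.

```python
"""DNS-snooping model for application-based PBR (added example, not Cisco code)."""
import ipaddress
import struct

TRUSTED_DNS = {"10.10.10.10"}  # 'dns trusted-source' from the configuration above

# Application -> NSO domain suffixes. In FTD these come from the VDB; code.s4d.io is
# on the Webex Teams slide, the facebook.com/fbcdn.net entries are an assumption.
NSO = {"Webex Teams": ["code.s4d.io"], "Facebook": ["facebook.com", "fbcdn.net"]}


def _read_name(pkt, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bounded walk: a pointer loop in a hostile packet cannot hang us
        ln = pkt[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii").lower())
        off += 1 + ln
    else:
        raise ValueError("malformed name or compression loop")
    return ".".join(labels), (end if jumped else off)


def parse_dns_response(pkt):
    """Return (queried name, [(type, owner, rdata)]) for the A, AAAA and CNAME answers."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, qname, answers = 12, None, []
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
        qname = qname or name
    for _ in range(an):
        owner, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == 1:
            answers.append(("A", owner, str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28:
            answers.append(("AAAA", owner, str(ipaddress.IPv6Address(rdata))))
        elif rtype == 5:
            answers.append(("CNAME", owner, _read_name(pkt, off)[0]))
        off += rdlen
    return qname, answers


def match_nso(qname):
    """Application whose NSO lists the queried domain (suffix match), or None."""
    for app, domains in NSO.items():
        if any(qname == d or qname.endswith("." + d) for d in domains):
            return app
    return None


def snoop(pkt, resolver_ip, table):
    """Update table {ip: app} from one response, as the firewall's DNS snooping does.
    Every address in the answer section is attributed to the *queried* domain's
    application, so a CNAME chain to a CDN hostname still lands on the right app.
    Responses from a resolver that is not a trusted source are ignored, as is any DNS
    the firewall cannot read (DoH/DoT), so such clients never get application steering."""
    if resolver_ip not in TRUSTED_DNS:
        return table
    qname, answers = parse_dns_response(pkt)
    app = match_nso(qname)
    if app:
        table.update({rd: app for rtype, _o, rd in answers if rtype in ("A", "AAAA")})
    return table


def classify(dst_ip, table):
    """PBR match step: the application for a destination address, or None."""
    return table.get(dst_ip)


def _enc_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Construct a minimal, uncompressed DNS response (sample data for the demo)."""
    pkt = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)
    pkt += _enc_name(qname) + struct.pack("!HH", 1, 1)
    for rtype, owner, rdata in answers:
        if rtype == "A":
            t, rd = 1, ipaddress.IPv4Address(rdata).packed
        elif rtype == "AAAA":
            t, rd = 28, ipaddress.IPv6Address(rdata).packed
        else:
            t, rd = 5, _enc_name(rdata)
        pkt += _enc_name(owner) + struct.pack("!HHIH", t, 1, 60, len(rd)) + rd
    return pkt


if __name__ == "__main__":
    table = {}
    snoop(build_response("code.s4d.io", [("CNAME", "code.s4d.io", "edge.example.net"),
                                         ("A", "edge.example.net", "203.0.113.10")]),
          "10.10.10.10", table)  # trusted resolver: CDN edge address is learned
    snoop(build_response("facebook.com", [("A", "facebook.com", "198.51.100.7")]),
          "8.8.8.8", table)  # untrusted resolver: ignored
    print(classify("203.0.113.10", table), classify("198.51.100.7", table))
```

The practical check this models: a client that resolves via a resolver other than the trusted source (or over DoH) ends up with an empty table for its destinations, so its flows take the default route instead of the DIA path. When "it works for some users but not others", compare the hitcnt values in show object network-service with the resolver those users actually use.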
Network Service Object (NSO)
An NSO is the object associated with a particular application. NSOs are predefined and deployed to FTD from the FMC; the IP addresses under each domain are learned dynamically from snooped DNS responses, and hitcnt shows how often each has matched traffic.

firepower# show object id Webex Teams
object network-service Webex Teams dynamic
 app-id 4080
 domain code.s4d.io (bid=839581615) ip (hitcnt=0)
 domain huron-(bid=839671741) ip (hitcnt=0)
 domain (bid=839793477) ip (hitcnt=0)
 domain (bid=839938715) ip (hitcnt=0)
 domain (bid=840165323) ip (hitcnt=0)
 domain (bid=840285097) ip (hitcnt=0)
 domain (bid=840320705) ip (hitcnt=0)

Network Service Group (NSG)
The FMC auto-generates an NSG from the applications selected in the Extended Access List entries configured for PBR. Multiple NSOs can be part of a single NSG.

firepower# show run access-list SocialMediaTraffic
access-list SocialMediaTraffic extended permit ip any object-group-network-service FMC_NSG_30064774581
firepower# show run object-group network-service
object-group network-service FMC_NSG_30064774581
 network-service-member Facebook
 network-service-member Instagram
 network-service-member TikTok

DIA Configuration Walkthrough

Configure interfaces
Define and configure the interfaces to be used as ingress (Internal-LAN) and egress (WAN1, WAN2). If the PBR policy is also going to allow access to resources behind a secure tunnel, set up static VTIs; these are then used as egress interfaces alongside the WAN links.
(Diagram: Branch Firewall with Internal-LAN, WAN1 and WAN2, VTI tunnels to the Corporate Firewall, Cloud Applications reached directly)

Configure the Extended Access List
Configure an Extended Access List whose entries match on applications. The applications (NSOs) selected in each access control entry form an NSG, and DIA uses that NSG to classify traffic against the match criteria.

Configure Policy-Based Routing
PBR classifies network traffic based on application, and the PBR policy lets you securely break out traffic for specific applications to the local internet links. First define the ingress interface, then the match traffic criteria (the extended ACL) and the egress interfaces.

Traffic is forwarded through an egress interface chosen according to the Interface Ordering:
Static attributes: Order, Interface Priority
Dynamic attributes: Round Trip Time (RTT), Jitter, Mean Opinion Score (MOS) or Packet Loss

Interface Priority
Traffic is routed to the interface with the lowest priority value first. If the priority value is the same for a group of interfaces, traffic is load balanced among them. Interface priority can be configured in two ways (shown in the two screenshots on the slide).

Configure Policy-Based Routing: multiple rules
Multiple PBR rules can be configured, each on a different set of ingress interfaces, each with its own match traffic criteria and egress interfaces ordered either by priority or by order.

DIA Configuration Flow
Interfaces: interface configuration, define egress interface priorities
Application Detection: VDB updated, trusted DNS, extended ACLs with application definitions
Forwarding Actions: egress interface selection by static attributes or by dynamic attributes

PBR with Path Monitoring
PBR with Path Monitoring steers traffic based on dynamically monitored interface statistics such as RTT, jitter, MOS and packet loss. These metrics are collected dynamically using ICMP probe messages sent out of each monitored interface.
(Diagram: WAN1 RTT = 1.6 msec, WAN2 RTT = 1.5 msec, WAN3 RTT = 2.0 msec towards the ISP)

Components
Path Monitoring Module (PMM): responsible for collecting the link metric statistics using ICMP probes.
Policy-Based Routing (PBR): responsible for routing the traffic via the egress interface with the best metric reported by the PMM.
PBR Path Monitoring: Data Flow
1. PMM sends ICMP probes to the monitored destinations out of each monitored interface.
2. PMM computes the interface metrics and stores them in a metric DB per monitored interface.
3. PMM pushes to PBR the list of interfaces whose metrics have been updated.
4. PBR fetches the latest available metrics from the PMM internal DB.
5. PBR pushes the routing updates to the data path.

Per-interface metrics as reported by PMM:
Interface: WAN1
 RTT average: 1474 microsecond(s)
 Jitter: 261 microsecond(s)
 Packet loss: 0%
 MOS: 4.40
 Last updated: 10 second(s) ago
Interface: WAN2
 RTT average: 883 microsecond(s)
 Jitter: 158 microsecond(s)
 Packet loss: 0%
 MOS: 4.40
 Last updated: 10 second(s) ago

PBR Path Monitoring: Packet Flow
PBR is part of L3 routing: it is evaluated at the L3 route step of the data plane (Lina) and takes precedence over the routing table lookup. The "Last updated" age matters here: PBR only steers on what PMM has pushed, so a stale entry means the decision is being made on old metrics.
(Diagram of the Lina data-plane packet flow: Ingress interface; Existing Conn? YES: fast path; NO: Prefilter Fastpath or top L3/L4 Trust/Allow rule; UN-NAT / Egress Interface Lookup; Global ACL, rule action Deny: DROP; Ingress QoS; PDTS/DAQ to the Detection Engine (Snort); Application Layer Gateway; NAT IP Header; L3 Route (PBR); L2 Address; Egress QoS; Egress interface)

PBR with Path Monitoring Configuration Walkthrough

Interface Path Monitoring Configuration
Enable Path Monitoring at the interface level. Link metrics are determined using ICMP probes sent either to the next hop (auto, auto4 or auto6, which use the interface's default-route gateway) or to an explicitly configured IP address. Probing the next hop only measures the first hop; if the ISP degrades beyond its gateway, an explicit destination further along the path gives a more honest metric.

PBR Policy Configuration
PBR Interface Ordering is enhanced to adaptively steer traffic based on the dynamically monitored metrics of the interfaces (minimal jitter, maximum MOS, minimal RTT or minimal packet loss).

Demo
Demo 1: DIA configuration
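As an added example that is not part of the deck, the Python below models both egress-selection modes described on the earlier Interface Ordering and Interface Priority slides and on the path-monitoring slides above: static selection by order or by priority (interfaces sharing the lowest priority value form an ECMP set, from which a flow hash pins each connection to one member), and dynamic selection from ICMP probe results by minimal RTT, jitter or packet loss. The probe samples are constructed (loosely following the WAN1/WAN2 figures shown earlier), the jitter estimator is an assumption, and MOS is left out because its formula is not on the page.

```python
"""Egress-interface selection model for PBR with Path Monitoring (added example, not Cisco code)."""
from dataclasses import dataclass, field
import hashlib
import statistics


@dataclass
class Interface:
    """One candidate egress interface with its static attributes and probe results."""
    name: str
    priority: int = 0        # static: lower value is preferred, equal values share load
    order: int = 0           # static: position in the rule's egress list
    rtt_samples_us: list = field(default_factory=list)  # RTT of answered ICMP probes
    probes_sent: int = 0
    probes_answered: int = 0

    @property
    def is_up(self):
        # Without monitoring (no probes) the link is trusted as-is; with monitoring
        # it must have answered at least one probe in the window.
        return self.probes_sent == 0 or self.probes_answered > 0

    def metrics(self):
        """Metrics as PMM would store them for this interface, or None if nothing answered."""
        if not self.rtt_samples_us:
            return None
        rtt = statistics.fmean(self.rtt_samples_us)
        # Jitter estimator is an assumption: mean absolute change between consecutive RTTs.
        diffs = [abs(a - b) for a, b in zip(self.rtt_samples_us, self.rtt_samples_us[1:])]
        jitter = statistics.fmean(diffs) if diffs else 0.0
        loss = 100.0 * (1 - self.probes_answered / self.probes_sent)
        return {"rtt_us": rtt, "jitter_us": jitter, "loss_pct": loss}


def select_by_order(ifaces):
    """Static 'Order': the first interface in configured order that is up."""
    return next((i for i in sorted(ifaces, key=lambda i: i.order) if i.is_up), None)


def select_by_priority(ifaces):
    """Static 'Interface Priority': all up interfaces sharing the lowest value (ECMP set)."""
    live = [i for i in ifaces if i.is_up]
    if not live:
        return []
    best = min(i.priority for i in live)
    return [i for i in live if i.priority == best]


def select_by_metric(ifaces, metric):
    """Dynamic ordering: the up interface with minimal RTT, jitter or loss;
    ties fall back to the configured order."""
    live = [i for i in ifaces if i.is_up and i.metrics() is not None]
    return min(live, key=lambda i: (i.metrics()[metric], i.order), default=None)


def pick_ecmp(members, flow):
    """Hash the flow tuple so one connection always uses the same ECMP member."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return members[int.from_bytes(digest[:8], "big") % len(members)]


def sample_wans():
    """Constructed probe results, loosely following the WAN1/WAN2 figures on the slide."""
    return [
        Interface("WAN1", priority=1, order=1, rtt_samples_us=[1200, 1700, 1400, 1600],
                  probes_sent=4, probes_answered=4),
        Interface("WAN2", priority=1, order=2, rtt_samples_us=[800, 950, 850, 930],
                  probes_sent=4, probes_answered=4),
        Interface("WAN3", priority=2, order=3, rtt_samples_us=[2000, 2300],
                  probes_sent=10, probes_answered=2),   # up, but 80% probe loss
        Interface("WAN4", priority=3, order=4, probes_sent=5, probes_answered=0),  # down
    ]


if __name__ == "__main__":
    wans = sample_wans()
    for i in wans:
        print(i.name, "up" if i.is_up else "down", i.metrics())
    print("by order:", select_by_order(wans).name)
    print("ECMP set:", [i.name for i in select_by_priority(wans)])
    print("min jitter:", select_by_metric(wans, "jitter_us").name)
    flow = ("10.1.1.5", "203.0.113.10", 443, "tcp")  # constructed flow tuple
    print("flow pinned to:", pick_ecmp(select_by_priority(wans), flow).name)
```

Two behaviours worth noticing when choosing the metric: a lossy link that still answers some probes stays eligible and can win on RTT or jitter, so packet loss is usually the safer metric for interactive traffic; and a link whose probes all go unanswered drops out of every selection, which is the failover the static modes get from monitoring.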
In this demo we will:
Configure the trusted DNS server
Configure ECMP for both the VTI and WAN interfaces
Configure an Extended Access List with applications
Configure PBR with applications
Initiate traffic from an end-user machine and watch it steered to both WAN links and the VTI tunnels based on application

DIA Demo Topology
(Diagram: Remote Network behind the Remote Branch Firewall; ISP1 and ISP2 links, VTI1 and VTI2 to the Corporate Firewall in front of the Corporate Network; Cloud Applications reached via the ISPs)

Demo 2: PBR with Path Monitoring
In this demo we will:
Configure interface Path Monitoring
Configure PBR with the flexible metric Jitter to steer video streaming traffic over the link with minimum jitter

DIA Demo Topology
(Same topology as Demo 1)

Conclusion
With Secure Firewall, traffic can be steered through multiple active WAN links based on application, ensuring a better user application experience while keeping the network secure.

Fill out your session surveys! Attendees who complete at least four session surveys and the overall event survey get Cisco Live-branded socks (while supplies last) and earn 100 points in the Cisco Live Game per survey.

Thank you
#CiscoLive