🙃 In my last post I demonstrated how to configure BGP peering with other WAN Edge devices in the Service Side VPN.
http://jaychou.co.uk/?page_id=591
🐶 That was using the traditional method with Templates. In this example, I will configure the same thing, but using Configuration Groups. Configuration Groups are fairly new, and with SD-WAN there are different methods you can use to achieve the same outcome. I have attached screenshots to hopefully help you with configuring this.
🤹♀️ Configuration Groups allow you to deploy devices in a faster, simpler and more streamlined way compared to using Templates!
Hope this helps! 😁
Monthly Archives: December 2024
🙉 Configuring basic BGP in Service VPN – Cisco Catalyst SD-WAN 💬
Templates
In this example, I will demonstrate how to configure BGP in the Service VPN so the routes it learns are carried across the Overlay. Some organisations have their own router running OSPF, EIGRP or BGP (sorry, RIP is not available) and want it to peer with the SD-WAN Edge device.
I have created 3 Loopbacks on that router and will peer it with my SD-WAN Edge device so they are advertised across the Service VPN (Overlay). I have included screenshots so hopefully this will help! 😁
🎆 Remember to redistribute BGP into OMP so the other WAN Edge devices are able to see those specific routes (and, on the far side, OMP into BGP if the remote router needs to learn them back)!
🙃 Disclaimer – In this example I am using Templates; in my next post I will use Configuration Groups, to give you an idea of the difference between the two.
🍚DLP (Data Loss Prevention) – SASE🔥
What is it⁉️
It is designed to stop organisations from losing or leaking sensitive or business-critical data, and in turn to avoid security/data breaches.
Acknowledging Data🛡️
Before lighting up DLP, you must know what data you have and which of it is important to the point where you cannot afford to lose it. It's a case of identifying what data the organisation holds and where it lives, whether that be:
Servers
DB
Endpoints
SANs
DLP then scans those locations and identifies the data by building an inventory of it.
Types of Data🪟
Not all data carries the same importance. A user's local Downloads folder that isn't backed up is one example of low-value data, whereas financial records or company insider information are of extreme importance. Based on the type of data, DLP assigns tags/labels that determine the level of importance.
Inspection 👽
DLP can inspect data in different states, such as data in transit (leaving the network) or data in use (being opened, copied or edited on an endpoint), as well as data at rest found during the inventory scan. To decide whether data is sensitive, DLP uses keyword analysis (e.g. "internal only") or pattern matching (e.g. a 16-digit number that validates as a payment card).
Policies 🚔
Predefined policies set by the organisation decide how sensitive data is treated: an example could be preventing data A from being deleted, downloaded or forwarded. When an action breaches a rule or policy, the network administrator receives an alert.
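To make the inspection and policy steps concrete, here is an added example (not code from the original post, and not any vendor's DLP engine). It classifies a few constructed documents using a card-number pattern (validated with the Luhn checksum so order numbers don't trigger it) and a keyword list, then applies a hypothetical policy table that blocks forward/download/delete on restricted data and raises an alert. The label names, keywords, sample documents and policy are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sensitivity labels the classifier can assign (hypothetical names).
const (
	LabelPublic       = "public"
	LabelConfidential = "confidential"
	LabelRestricted   = "restricted"
)

// cardPattern is a loose 13-19 digit pattern allowing spaces or dashes;
// luhnValid weeds out order numbers and similar look-alikes.
var cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// Keywords that mark company-internal material (constructed list).
var confidentialKeywords = []string{"internal only", "board minutes", "salary"}

// luhnValid reports whether a digit string passes the Luhn checksum used by
// payment card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// Classify inspects a document's text and returns its sensitivity label:
// pattern match first (card numbers), then keyword analysis.
func Classify(text string) string {
	for _, m := range cardPattern.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			return LabelRestricted
		}
	}
	lower := strings.ToLower(text)
	for _, kw := range confidentialKeywords {
		if strings.Contains(lower, kw) {
			return LabelConfidential
		}
	}
	return LabelPublic
}

// Decision is what DLP does with a requested action on labelled data.
type Decision struct {
	Allow bool
	Alert bool // raised to the administrator when an action is blocked
}

// policy lists, per label, the actions that are blocked; anything not listed
// is allowed. Restricted data may not be forwarded, downloaded or deleted;
// confidential data may not be forwarded. (Hypothetical policy.)
var policy = map[string]map[string]bool{
	LabelRestricted:   {"forward": true, "download": true, "delete": true},
	LabelConfidential: {"forward": true},
}

// Evaluate applies the policy to one (label, action) pair.
func Evaluate(label, action string) Decision {
	if policy[label][action] {
		return Decision{Allow: false, Alert: true}
	}
	return Decision{Allow: true}
}

func main() {
	// Constructed sample documents, not real data.
	docs := []struct{ name, body string }{
		{"invoice.txt", "Card on file: 4111 1111 1111 1111, exp 12/26"},
		{"notes.txt", "Order ref 1234 5678 9012 3456 (looks like a card, fails Luhn)"},
		{"minutes.txt", "INTERNAL ONLY - board minutes, Q3 salary review"},
		{"lunch.txt", "Pizza on Friday?"},
	}
	for _, d := range docs {
		label := Classify(d.body)
		dec := Evaluate(label, "forward")
		fmt.Printf("%-12s %-13s forward allowed=%-5v alert=%v\n", d.name, label, dec.Allow, dec.Alert)
	}
}
```

Run it with `go run`. The interesting case is notes.txt: the regex alone would flag it as a card number, but the Luhn check rejects it, which is the kind of pattern refinement that keeps DLP false positives (and admin alert fatigue) down.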
Encryption 🤖
DLP can also apply encryption, so that should sensitive data get leaked it is already encrypted and cannot be read even in the wrong hands (it is only useful to someone who also holds the key).
Monitoring 🚨
DLP continuously monitors the types of data, how they are being used and where they are traversing to. Should there be an attempted policy violation, alerts are sent to the network admin/engineer.
Hope this helps! 😁
🛡️CASB (Cloud Access Security Broker) – SASE🛡️
Another post about SASE!🔥
This time it’s about CASB, so what is CASB exactly⁉️
In a nutshell, it helps organisations that rely on, or connect to, third-party cloud applications to keep visibility and make sure their use is secure, even though you don't control the application itself.
Traditionally, organisations hosted their applications on premises or in a DC, where they could control what was allowed to access them.
🪟 With applications being SaaS based, managing visibility, compliance and security all together becomes a challenge.
👻 CASB acts as the middleman (broker), extending your policies to the cloud. A good example could be users who have access to Dropbox: with CASB you can allow a user to upload files but not download them. CASB combined with Data Loss Prevention (I will include more details in another post) can also stop users from deleting any files.
Hope this helps! 😁
🐭AMP – Anti Malware Protection – SASE🐹
Traditionally, AMP detects malicious activity using signature-based detection. This means AMP downloads a signature database and compares files against it to spot well-known malicious files, which protects organisations against malware infection. This works against common threats, but it cannot detect new threats that haven't been flagged as malicious yet (and a known sample can be repacked so its hash no longer matches).
The advantage of Next Generation AMP tied to SASE is that the network/user is protected regardless of where they are. This is because in the SASE model the security services run in the cloud without the limitations of physical hardware, so you gain flexibility and scalability.
Another advantage is that should there be an incident, SASE allows the other services to mitigate or protect the network without delay. An example could be using IPS in conjunction with AMP or SWG.
Alerts and logging are also centralised, without the need to go through different appliances for logs.
Behavioural Detection/NG-AMP
Instead of relying on traditional signature-based detection, behavioural detection looks at what files or applications actually do for any suspicious activity. An example could be a file attempting to change the OS registry; another could be the use of tools to hide malware. AI and ML help with this analysis.
Compared to signature-based detection, it is able to detect zero-day threats, because it does not need a signature to exist first.
One thing to be aware of with this technique is that it is resource intensive, and false positives can occur (a legitimate installer also writes files and registers itself to start at boot).
Ideally, if possible, using both techniques would give organisations the best of both worlds!
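Added example (not from the original post, and not any vendor's engine) contrasting the two techniques: a SHA-256 hash lookup as the signature check, and a small weighted rule set over constructed process events as the behavioural check. The "malware" bytes, the event format, the rules, their weights and the threshold of 5 are all made up for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed stand-ins for a known dropper and a repacked variant that differs
// by a single byte. Neither is real malware.
var knownSample = []byte("MZ constructed dropper build 1")
var repackedSample = []byte("MZ constructed dropper build 2")

func hashOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signatureDB stands in for the downloaded signature database: SHA-256 hashes
// of files already known to be malicious.
var signatureDB = map[string]bool{hashOf(knownSample): true}

// SignatureMatch is the traditional check: an exact hash lookup.
func SignatureMatch(file []byte) bool {
	return signatureDB[hashOf(file)]
}

// Event is one action observed from a running process (constructed telemetry).
type Event struct {
	Action string // "registry_set", "process_spawn" or "file_write"
	Target string
}

// scoreEvent assigns a weight to suspicious actions. The rules and weights are
// illustrative, not any product's detection logic.
func scoreEvent(e Event) (int, string) {
	target := strings.ToLower(e.Target)
	switch {
	case e.Action == "registry_set" && strings.Contains(target, `\currentversion\run`):
		return 3, "persistence via Run key"
	case e.Action == "process_spawn" && strings.Contains(target, "-encodedcommand"):
		return 3, "encoded PowerShell command line"
	case e.Action == "process_spawn" && strings.Contains(target, "vssadmin") && strings.Contains(target, "delete shadows"):
		return 4, "shadow copy deletion"
	case e.Action == "file_write" && strings.HasSuffix(target, ".exe") && strings.Contains(target, `\temp\`):
		return 1, "executable dropped in a Temp folder"
	}
	return 0, ""
}

// BehaviourVerdict sums the rule weights over a process's events and flags the
// process once the total reaches threshold. It also returns the score and the
// reasons so an analyst can see why it fired.
func BehaviourVerdict(events []Event, threshold int) (bool, int, []string) {
	total := 0
	var reasons []string
	for _, e := range events {
		if s, why := scoreEvent(e); s > 0 {
			total += s
			reasons = append(reasons, why)
		}
	}
	return total >= threshold, total, reasons
}

func main() {
	fmt.Println("signature hit on known sample:   ", SignatureMatch(knownSample))
	fmt.Println("signature hit on repacked sample:", SignatureMatch(repackedSample))

	traces := []struct {
		name   string
		events []Event
	}{
		// Trace of the repacked sample running (constructed).
		{"repacked sample", []Event{
			{"file_write", `C:\Users\jay\AppData\Local\Temp\upd.exe`},
			{"registry_set", `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd`},
			{"process_spawn", `powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA`},
		}},
		// Trace of a legitimate installer that also registers a Run key (constructed).
		{"installer", []Event{
			{"file_write", `C:\Program Files\Vendor\app.exe`},
			{"registry_set", `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp`},
		}},
	}
	for _, tr := range traces {
		flagged, score, reasons := BehaviourVerdict(tr.events, 5)
		fmt.Printf("%-16s flagged=%-5v score=%d reasons=%v\n", tr.name, flagged, score, reasons)
	}
}
```

Changing one byte defeats the hash lookup, but the repacked sample's Run-key persistence plus an encoded PowerShell launch still pushes it past the threshold. The legitimate installer also writes a Run key and scores 3; lower the threshold to 3 and it becomes exactly the false positive the text warns about, which is why the two techniques are normally combined.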
I will lab up Cisco’s built in Security for Catalyst SD-WAN with demonstration for my next post!
I hope this helps! 😁
I have included a link on how to configure AMP in Cisco SD-WAN.
🍞Secure Web Gateway SWG – SASE🥐
Continuing with my SASE journey, I wanted to talk a little bit about SWG.
A SWG is essentially a 'Man in the Middle' security perimeter hosted in the cloud, or you could call it the 'Gatekeeper'. Its primary goal is to make sure traffic leaving your corporate network for the Internet is safe and allowed, and vice versa that external traffic from the Internet is permitted (based on your policies).
The reason we need a SWG is that most applications are now hosted in the cloud, so most traffic is destined for the Internet rather than the corporate DC.
Features of a SWG:
URL/DNS Filtering
Malware Detection
L7 Application Control
Sandboxing
One of the most common functions of a SWG is decrypting SSL/TLS traffic. As most web traffic is now HTTPS, the SWG needs to be able to inspect inside it, and it does this as follows:
The SWG intercepts the TLS handshake between the client and the server, then builds two separate TLS sessions: one with the client and another with the server. It decrypts what arrives on one side, inspects it, and re-encrypts it towards the other. For the client to accept this, the SWG presents its own certificate for the requested site, signed by an enterprise CA that must already be installed in the endpoint's trust store; a device without that CA, or an application that pins its server certificate, will see a certificate error instead of a working connection.
As mentioned before, this is extremely resource intensive, so latency can be introduced, and decryption is usually bypassed for categories such as banking or healthcare for privacy reasons.
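Added example (not from the original post) of the certificate side of that interception, written in Go using only the standard library. It creates a throwaway "Example Corp SWG Root CA", mints a certificate for www.example.com signed by it (what the SWG does on the client-facing TLS session), and then verifies that leaf twice: against a trust store containing the SWG CA, and against one without it. The CA name, hostname and validity periods are arbitrary choices for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates the self-signed "enterprise SWG" root: the certificate an
// organisation has to push into every managed endpoint's trust store.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp SWG Root CA"}, // hypothetical
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// forgeLeaf is the per-connection step: the SWG mints a certificate for the
// server name the client asked for (from SNI) and signs it with its own CA, so
// the client's TLS session terminates on the proxy instead of the real server.
func forgeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts does what a browser does in the client<->SWG handshake: build a
// chain from the presented leaf to a trusted root and check the hostname.
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo intercepts host and reports whether a managed endpoint (SWG CA installed)
// and an unmanaged one (SWG CA absent) accept the forged certificate. An empty
// pool stands in for a trust store that lacks the enterprise CA.
func Demo(host string) (bool, bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, false, err
	}
	leaf, err := forgeLeaf(ca, caKey, host)
	if err != nil {
		return false, false, err
	}
	managedRoots := x509.NewCertPool()
	managedRoots.AddCert(ca)
	unmanagedRoots := x509.NewCertPool() // no enterprise CA: a BYOD or unmanaged device
	return ClientAccepts(leaf, managedRoots, host), ClientAccepts(leaf, unmanagedRoots, host), nil
}

func main() {
	managed, unmanaged, err := Demo("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("endpoint with SWG CA installed accepts forged cert:", managed)
	fmt.Println("endpoint without SWG CA accepts forged cert:      ", unmanaged)
}
```

The managed endpoint accepts the forged certificate; the unmanaged one fails with an unknown-authority error, which is exactly what a BYOD user or a certificate-pinning mobile app experiences when an SWG decrypts in their path. Treat the SWG's CA private key as a crown jewel: anyone who obtains it can impersonate any site to every device that trusts that CA.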
AI/ML with SWG
With AI and ML being used more often with SWG, this provides a good combination for detecting unusual activity or traffic that differs from the normal day-to-day baseline, or any behaviour that could be a threat to the organisation.
Cisco – Cisco Secure Access/Cisco+ Secure Connect
Fortinet – FortiProxy
Palo Alto Networks – Cloud SWG
Cato Networks – Cato SWG
Hope this helps! 😁
🚀 IPS – Intrusion Prevention System – SASE 🤙
What is IPS?
IPS, in a nutshell, is designed to monitor your network for malicious activity or traffic and block it inline (an IDS, by contrast, only detects and alerts).
Utilising IPS as part of the SASE framework/architecture allows enterprises to secure the network using cloud infrastructure.
IPS as part of SASE provides security no matter where you are working from, such as branch office locations, home or HQ.
Signature based IPS 😎
Signature-based IPS relies on a database of well-known malicious patterns; the signatures are constantly updated, and should traffic match a specific signature, the IPS attempts to block that activity. Signature-based IPS has its limitations when dealing with sophisticated or previously unseen attacks, since a signature only exists once the attack has already been seen and analysed.
Network Anomaly IPS 👨💻
Anomaly-based IPS helps cover that gap by measuring the network and analysing what a day-to-day 'normal' network looks like. Creating a baseline of what is expected then allows the anomaly IPS to detect activity that deviates from it. The trade-off is that unusual but legitimate traffic (a new backup job, for example) can be flagged too, so the baseline needs tuning.
Behaviour Based IPS
Behaviour-based IPS looks at what the network traffic is doing to spot potential security threats, for example a file or application attempting to communicate with IP addresses known to be associated with threats.
The advantage of using IPS with SASE is that it allows enterprises to view and detect threats in the cloud without relying on physical boxes terminated at the network perimeter.
I have a post on how to configure IPS/IDS, link below:
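Added example (not from the original post) running the three detection techniques described above over constructed flow records: a regex signature check on the payload, a behaviour check against a known-bad destination list, and an anomaly check comparing each source's connection count with a baseline (mean and standard deviation) learned from a 'normal' training window. The signatures, the IP addresses (all from documentation ranges), the training counts and the 3-sigma threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Flow is one constructed connection record (Payload is empty when only flow data is available).
type Flow struct {
	Src, Dst, Payload string
}

// Alert records which engine fired ("signature", "behaviour" or "anomaly"), for which source, and why.
type Alert struct {
	Engine, Src, Reason string
}

// signatures are content patterns for known attacks (constructed, illustrative).
var signatures = map[string]*regexp.Regexp{
	"sqli-union":    regexp.MustCompile(`(?i)union\s+(all\s+)?select`),
	"dir-traversal": regexp.MustCompile(`\.\./\.\./`),
}

// knownBad is a threat-intel list of destinations; 203.0.113.7 is in
// documentation address space, i.e. a placeholder, not a real indicator.
var knownBad = map[string]bool{"203.0.113.7": true}

// SignatureEngine matches the payload against every known signature.
func SignatureEngine(f Flow) []Alert {
	var out []Alert
	for name, re := range signatures {
		if re.MatchString(f.Payload) {
			out = append(out, Alert{"signature", f.Src, "matched " + name})
		}
	}
	return out
}

// BehaviourEngine flags traffic towards destinations known to host threats.
func BehaviourEngine(f Flow) []Alert {
	if knownBad[f.Dst] {
		return []Alert{{"behaviour", f.Src, "connection to known-bad " + f.Dst}}
	}
	return nil
}

// Baseline is what the anomaly engine learns from a "normal" training window:
// mean and (population) standard deviation of connections per source per interval.
type Baseline struct{ Mean, Std float64 }

func LearnBaseline(counts []float64) Baseline {
	var sum, sq float64
	for _, c := range counts {
		sum += c
	}
	mean := sum / float64(len(counts))
	for _, c := range counts {
		sq += (c - mean) * (c - mean)
	}
	return Baseline{Mean: mean, Std: math.Sqrt(sq / float64(len(counts)))}
}

// Anomalous is true when a count sits more than k standard deviations above the mean.
func (b Baseline) Anomalous(count, k float64) bool {
	return count > b.Mean+k*b.Std
}

// Inspect runs all three engines over one interval's worth of flows.
func Inspect(flows []Flow, base Baseline) []Alert {
	var alerts []Alert
	perSrc := map[string]float64{}
	for _, f := range flows {
		perSrc[f.Src]++
		alerts = append(alerts, SignatureEngine(f)...)
		alerts = append(alerts, BehaviourEngine(f)...)
	}
	for src, n := range perSrc {
		if base.Anomalous(n, 3) {
			alerts = append(alerts, Alert{"anomaly", src,
				fmt.Sprintf("%.0f connections vs baseline %.1f +/- %.1f", n, base.Mean, base.Std)})
		}
	}
	return alerts
}

func main() {
	base := LearnBaseline([]float64{10, 12, 11, 9, 13, 10, 11, 12}) // constructed training window
	flows := []Flow{
		{"10.0.0.5", "198.51.100.20", "GET /?id=1 UNION SELECT password FROM users"},
		{"10.0.0.5", "203.0.113.7", ""},
		{"10.0.0.6", "198.51.100.20", "GET /index.html"},
	}
	for i := 0; i < 40; i++ { // 10.0.0.7 starts scanning: 40 connections in one interval
		flows = append(flows, Flow{"10.0.0.7", fmt.Sprintf("10.0.1.%d", i), ""})
	}
	for _, a := range Inspect(flows, base) {
		fmt.Printf("%-9s %-9s %s\n", a.Engine, a.Src, a.Reason)
	}
}
```

The scanning host 10.0.0.7 trips the anomaly engine with 40 connections against a baseline of 11 +/- 1.2, while the SQL injection and the connection to the known-bad IP are caught by the signature and behaviour engines respectively. Note that the anomaly engine would flag a host making 40 perfectly legitimate connections just the same, which is the tuning trade-off mentioned above.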
🧇ZTNA – Zero Trust Network Access – SASE🥙
🦊 Securing a network or SD-WAN isn't just about placing a firewall or firewalls within your network. Traditionally, enterprises would do this at the perimeter edge before breaking out to the Internet.
With Cloud and Mobility thrown into the mix, traditional network security isn’t going to quite cut it.
What is ZTNA and why do you care?
Zero Trust essentially operates on the principle of 'never trust, always verify'. Once you have verified who you are, there are continuous checks to make sure nothing has changed and everything is still secure, such as catching a local firewall that has been disabled.
How does ZTNA work?
Authentication – Making sure you are who you say you are! Usually you would implement MFA.
Authorisation – You are allowed to access ONLY what you need and nothing more.
Micro-Segmentation – The application you access sits within its own contained perimeter, so should there be a breach it only affects that small segment of the network instead of the whole network.
Privilege – Provide you with the least privileged access, so only utilising and accessing information relevant to do your job and nothing more. Essentially this stops granting you information or applications you don’t need.
Posture – Continuously checking the device to determine whether it meets the requirements; examples could be a user disabling their firewall or the device missing security updates. The device must meet the ZTNA requirements, otherwise access is denied. The posture profile is defined by the organisation. Examples of posture checks can be:
Type of OS
Firewall enabled
Endpoint installed
System Password
Encryption of the storage
This is not to suggest that ZTNA will replace your traditional security solutions, such as firewalls or endpoint protection. They all complement each other, and adding ZTNA will only help!
I have included Cisco’s SSE/ZTNA Secure Access as an example.
I’d love to hear how other vendors approach ZTNA so please let me know!
Hope this helps! 😁
🤩SASE😎
🍋SASE (Secure Access Service Edge)
I know folks who read my posts are probably sick of me talking about SD-WAN, so I’ll move onto SASE (even though SD-WAN is an element of SASE 😃 ).
🍉SASE is a framework that includes Network as well as Security pieced together, as well as other components.
🍙 Network and Security – Traditionally we would have two separate teams: a network team managing the network element and a security team managing the security of an enterprise. SASE, in a nutshell, combines the two to simplify network security!
🥙 Cloud Architecture – The traditional WAN, where you would have a private network centralised on a DC with a firewall as the security perimeter edge, isn't sufficient any more. In today's network, most enterprises host applications in the cloud. SASE is designed to utilise the scalability and flexibility of the cloud.
🍯Zero Trust Network Access (ZTNA) – Knowing who is accessing the network and applications, identifying the correct person/user before providing access to only what they need.
I am sure there are other components I haven’t mentioned.
I’ll attach a couple of Cisco slides as I don’t have other vendor information in how they approach SASE. Welcome to send me some!
I hope this helps! 😁