Cisco Viptela SDWAN with Zero Trust Security Model

Having covered Zero Touch Provisioning in my earlier article, today we will look at the Zero Trust security model in the Cisco Viptela SD-WAN solution.

A new way of building networks requires a new type of security. Solutions are moving from on-prem deployments to the cloud and the Internet, and networks have become highly distributed, creating additional attack surface.

Applications, users, data, and devices have moved outside the traditional zone of control, dissolving what was once the trusted enterprise perimeter. A security model that relies on a corporate perimeter is therefore no longer viable. A modern defense strategy must account for today's distributed workloads and workforce.

What is the Zero Trust model all about?
A Zero Trust security model assumes that nothing in the network environment is trusted by default: every access request must be authenticated and authorized. Applications and data are delivered only after the identity of the requesting user and device has been verified, and even then only for a limited time and with limited scope. This framework treats every application as if it were Internet-facing and assumes the network is already compromised and hostile.

So Zero Trust security means:

  • Security is focused on permitting or limiting access to data
  • Every user, device, and application must be authenticated, and authorization is granted only after trust/risk has been assessed per flow and per transaction
  • Policies adapt to the user, device, and application context of the current transaction, taking past transactions into account

Cisco Viptela SDWAN and Zero Trust Security Model
The Cisco Viptela SD-WAN fabric integrates a zero trust model in its control plane, ensuring that every element of the fabric is authenticated and authorized before it is allowed onto the network. This model is built on digital certificates that establish the identity of each fabric element.

Fig 1.1- Exchange Keys for Zero Trust Security Model- Cisco SDWAN

The certificates are used to establish secure Transport Layer Security or Datagram Transport Layer Security (TLS/DTLS) control channels between the WAN Edge routers and the controllers. Once the secure control channels are built, they carry the OMP (Overlay Management Protocol) and NETCONF sessions, so the controllers propagate configuration and routing information only inside an encrypted, mutually authenticated channel.
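What "authenticated and authorized prior to access" looks like in code, as an added example that is not part of the original article and not Cisco's implementation: a fabric admission check that accepts a peer certificate only if it chains to the fabric root, names the expected organization, and carries a serial number on an authorised device list. The policy struct, the organization/serial checks and the "ACME-SDWAN" names are assumptions made for this illustration; the certificates are generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// FabricPolicy is the admission rule modelled here (an assumption for this example):
// chain to the fabric root, expected organization name, serial on the authorised list.
type FabricPolicy struct {
	Roots      *x509.CertPool
	OrgName    string
	AllowedSNs map[string]bool // certificate serial numbers as decimal strings
}

// VerifyPeer returns nil when a DER-encoded peer certificate satisfies the policy.
func (p FabricPolicy) VerifyPeer(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	// Chain validation: trusted signer, validity period, CA constraints.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	// A valid chain alone is not enough: the identity must be one the fabric authorised.
	if len(cert.Subject.Organization) == 0 || cert.Subject.Organization[0] != p.OrgName {
		return errors.New("organization name mismatch")
	}
	if !p.AllowedSNs[cert.SerialNumber.String()] {
		return errors.New("serial number not on authorised list")
	}
	return nil
}

// newCA creates a self-signed root for the demo and returns it parsed.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issue signs a device certificate under ca with the given organization and serial.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, org string, serial int64) ([]byte, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{org}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
}

// RunScenarios checks four peers against the policy and reports which were admitted.
func RunScenarios() (map[string]bool, error) {
	ca, caKey, err := newCA("fabric-root")
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := newCA("rogue-root") // a valid CA the fabric never trusted
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policy := FabricPolicy{Roots: roots, OrgName: "ACME-SDWAN", AllowedSNs: map[string]bool{"1001": true, "1002": true}}
	cases := map[string]func() ([]byte, error){
		"authorised":      func() ([]byte, error) { return issue(ca, caKey, "ACME-SDWAN", 1001) },
		"wrong_org":       func() ([]byte, error) { return issue(ca, caKey, "OTHER-ORG", 1002) },
		"unlisted_serial": func() ([]byte, error) { return issue(ca, caKey, "ACME-SDWAN", 1003) },
		"foreign_ca":      func() ([]byte, error) { return issue(rogueCA, rogueKey, "ACME-SDWAN", 1001) },
	}
	admitted := map[string]bool{}
	for name, mk := range cases {
		der, err := mk()
		if err != nil {
			return nil, err
		}
		admitted[name] = policy.VerifyPeer(der) == nil
	}
	return admitted, nil
}

func main() {
	admitted, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range admitted {
		fmt.Printf("%-16s admitted=%v\n", name, ok)
	}
}
```

Only the "authorised" peer is admitted; the other three fail for different reasons (untrusted issuer, wrong organization, unknown serial), which is the point: the TLS/DTLS handshake proves possession of a certificate, and the policy on top of it decides whether that identity belongs in this fabric.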

OMP is also the protocol that distributes the encryption keys used by the data plane.

Each WAN Edge router generates symmetric encryption and hash keys per WAN link (transport) for its data plane. The WAN Edge routers exchange these keys over the secure off-path OMP channel and bring up IPsec Security Associations (SAs) between each other, so no in-band IKE negotiation is needed.

The vSmart controller does not store or cache these keys; it simply reflects each router's encryption and hash keys to the remote routers, which then build IPsec SAs between themselves. WAN Edge to WAN Edge traffic is encrypted with IPsec using AES-256-GCM, so a single key provides both confidentiality and integrity.
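The data-plane key exchange described in the two paragraphs above, as an added example that is not from the article and is not Cisco's code: each edge generates a 256-bit key per transport, the reflector forwards advertisements without keeping a copy, and a sender encrypts to a peer with the key that peer advertised. The direction of key use (receiver's key protects traffic sent to it), the "edge/tloc" naming, the use of the sender name as GCM additional data, and the omission of SPI and anti-replay fields are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TLOCKey is one OMP key advertisement: the AES-256 key remote peers must use
// when sending to this edge on this transport (TLOC).
type TLOCKey struct {
	Edge, TLOC string
	Key        []byte
}

// WANEdge holds its own per-TLOC keys (inbound) and the peer keys it learned
// through the reflector (outbound).
type WANEdge struct {
	Name  string
	local map[string][]byte // TLOC -> own key
	peers map[string][]byte // "edge/tloc" -> peer key
}

func NewWANEdge(name string, tlocs ...string) (*WANEdge, error) {
	e := &WANEdge{Name: name, local: map[string][]byte{}, peers: map[string][]byte{}}
	for _, t := range tlocs {
		if err := e.Rekey(t); err != nil {
			return nil, err
		}
	}
	return e, nil
}

// Rekey generates a fresh key for one TLOC; peers pick it up at the next Reflect.
func (e *WANEdge) Rekey(tloc string) error {
	k := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(k); err != nil {
		return err
	}
	e.local[tloc] = k
	return nil
}

// Advertise is what the edge pushes to vSmart over the OMP control channel.
func (e *WANEdge) Advertise() []TLOCKey {
	var advs []TLOCKey
	for t, k := range e.local {
		advs = append(advs, TLOCKey{Edge: e.Name, TLOC: t, Key: k})
	}
	return advs
}

// Learn installs a peer's advertised key, replacing any older one for that TLOC.
func (e *WANEdge) Learn(k TLOCKey) { e.peers[k.Edge+"/"+k.TLOC] = k.Key }

// Reflect models the vSmart role as the article describes it: forward every
// advertisement to every other edge and retain nothing.
func Reflect(edges ...*WANEdge) {
	for _, src := range edges {
		for _, adv := range src.Advertise() {
			for _, dst := range edges {
				if dst != src {
					dst.Learn(adv)
				}
			}
		}
	}
}

// Send seals payload for peer/tloc with AES-256-GCM under the peer's key; the
// sender name is bound as additional authenticated data (an assumption here).
func (e *WANEdge) Send(peer, tloc string, payload []byte) ([]byte, error) {
	key, ok := e.peers[peer+"/"+tloc]
	if !ok {
		return nil, errors.New("no key learned for " + peer + "/" + tloc)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, []byte(e.Name)), nil
}

// Receive opens a packet that arrived on one of this edge's TLOCs. A wrong or
// rotated key, a wrong sender name, or any tampering fails the GCM tag check.
func (e *WANEdge) Receive(tloc, from string, pkt []byte) ([]byte, error) {
	gcm, err := newGCM(e.local[tloc]) // nil key (unknown TLOC) fails in aes.NewCipher
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(pkt) < ns {
		return nil, errors.New("short packet")
	}
	return gcm.Open(nil, pkt[:ns], pkt[ns:], []byte(from))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	a, _ := NewWANEdge("A", "mpls")
	b, _ := NewWANEdge("B", "internet")
	Reflect(a, b)
	pkt, _ := a.Send("B", "internet", []byte("hello"))
	pt, err := b.Receive("internet", "A", pkt)
	fmt.Printf("B received %q, err=%v\n", pt, err)
}
```

Two properties worth noticing: the reflector never needs the keys to do its job, so compromising it does not directly expose data-plane traffic, and after an edge rekeys a transport and re-advertises, packets sealed under the old key no longer open, which is the transient, limited-scope access the zero trust model calls for.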