Cisco Viptela SDWAN with Zero Trust Security Model
Having covered Zero Touch Provisioning in my earlier
article, today we will talk about the Zero Trust security model in the Cisco
Viptela SD-WAN solution.
The new way of building network architecture requires a
new type of security. Solutions are moving from on-prem deployments to the
cloud and the Internet, and networks have become highly distributed, creating
additional attack surfaces.
Applications, users, data, and devices have moved outside of
the traditional zone of control, dissolving what was once the trusted
enterprise perimeter. As such, building and enforcing a security model that
relies on a corporate perimeter is no longer viable. A modern defense strategy
must solve for today’s distributed workloads and workforce.
What is the Zero Trust model all about?
A Zero Trust security model assumes that no one in the network
environment is trusted by default and that every access request requires
authentication and authorization. Applications and data are delivered only
after the device's authenticity has been verified, and even then only on a
transient basis and with limited scope. This security framework treats all
applications as if they were Internet-facing and considers the network to be
compromised and hostile.
- Security focuses on permitting or limiting access to data
- Every user, device, and app must be authenticated and authorized, with trust/risk assessed per flow and transaction
- Policies adapt to user, device, and app context for the current transaction relative to past transactions
The Cisco Viptela SD-WAN fabric integrates a zero trust
security model in its control plane, ensuring that all elements of the
fabric are authenticated and authorized before they are given access to the
network. This model is built on digital certificates that establish the
identity of each fabric element.
Fig 1.1 - Key exchange for the Zero Trust security model, Cisco SD-WAN
The certificates are used to establish secure Transport
Layer Security or Datagram Transport Layer Security (TLS/DTLS) control channels
between the WAN Edge routers and the controllers. Once the secure control
channels are built, these channels are used to run the protocols OMP (Overlay Management
Protocol) and NETCONF that allow the controllers to propagate configuration and
networking information inside a secure encrypted channel.
The OMP protocol ensures the propagation of the encryption
keys used by the data plane.
Each WAN Edge router creates symmetric encryption and
hash keys per WAN link for its data plane. The WAN Edge routers use the secure
off-path channel (the OMP channel) to exchange their encryption and hash keys
and bring up IPsec Security Associations (SAs) between them.
These encryption and hash keys are not stored or cached in the
vSmart controller, which acts only as a reflector, relaying the encryption
and hash keys to the remote devices so that they can build IPsec SAs between
them. WAN Edge device-to-device communication is uniquely encrypted using IPsec
SAs with AES-256-GCM.
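As an added example (my own Go sketch, not Cisco's code and not the real OMP message encoding), here is the key-distribution pattern just described: each edge generates its own AES-256-GCM key per WAN link, the reflector hands every other edge those keys without retaining any, and a receiver decrypts with the key the sender advertised. The names Keys, NewKey, Reflect, Seal and Open are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Keys map[string][]byte // WAN link name -> 32-byte AES-256-GCM key (assumed model)

// NewKey generates a fresh AES-256 key; an edge makes one locally per WAN link.
func NewKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}
// Reflect models the vSmart role: edge "me" learns every other edge's keys
// (peer -> link -> key) while the reflector itself keeps no key material.
func Reflect(me string, adverts map[string]Keys) map[string]Keys {
	learned := map[string]Keys{}
	for peer, k := range adverts {
		if peer != me {
			learned[peer] = k
		}
	}
	return learned
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a bug, not bad input
	}
	g, _ := cipher.NewGCM(block) // AES has the 16-byte block size GCM requires
	return g
}
// Seal encrypts a packet with the sender's own per-link key, nonce prepended.
func Seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
// Open decrypts with the key the sender advertised; a wrong key or tampering fails.
func Open(key, msg []byte) ([]byte, error) {
	g := gcm(key)
	if len(msg) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}
```

A packet sealed by one edge on its MPLS link opens only with that edge's MPLS key as reflected to the peer; the other link's key or a single flipped ciphertext byte fails GCM authentication.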