Optimizing Enterprise Networks through SD-AVC (Software Defined Application Visibility and Control)


Transcription:

BRKCRS-2502: Optimizing Enterprise Networks through SD-AVC (Software Defined Application Visibility and Control). Guy Keinan


Guy Keinan, SW Development Manager, NBAR2 & SD-AVC. BRKCRS-2502, 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public


Agenda
- Introduction
- Why?
- NBAR2
- SD-AVC
- Q&A
- Homework
- Wrap up

Unprecedented Demands on the Network
- Digital Disruption: 63 million new devices online every second by 2020 [1]. Lack of business and IT insights.
- Complexity: 3X spend on network operations vs. network [2]. Slow and error-prone operations.
- Security: 6 months to detect a breach [3]. Unconstrained attack surface.
Sources: 1. Gartner Report, Gartner's 2017 Strategic Roadmap for Networking. 2. McKinsey Study of Network Operations for Cisco, 2016. 3. Ponemon Research Institute Study on Malware Detection, Mar 2016.

Main Operational Challenges
- 95% of network changes performed manually
- 70% of policy violations due to human error
- 75% of OpEx spent on network visibility and troubleshooting
Source: 2016 Cisco Study. Traditional networking CANNOT keep pace with the demands of digital business.

Cisco Application Recognition: SD-AVC/NBAR2 application recognition fuels several core solutions: Cisco SD-WAN, Cisco EasyQoS, Assurance, Security. The Network. Intuitive.

NBAR2

Cisco Application Recognition
- NBAR2 is a powerful Network Based Application Recognition engine, a complete remake
- Variety of features: protocol pack hitless upgrade, attributes, sub-classification and more
- Wide cross-platform support (same code everywhere):
  - Routers: ISR4K, ASR1K, CSR1K, ISRv, ISR1100, ISRG2
  - Switches: Cat3K, Cat9K
  - Wireless: AireOS WLC, IOS APs 5520/8540, NG APs 3800/1850
  - NAM

NBAR2 Classification, main things to keep in mind
- Stateful classification per session (5-tuple flow)
- Not only Deep Packet Inspection (DPI) but a combination of different techniques: DNS snooping, statistical classification (machine learning), behavioral classification, learning of main services and servers, customization
- Slow-Path and Fast-Path model

Application Recognition: Rising Challenges

The Cisco Live US 2017 Challenge

NBAR2/SD-AVC @ CLUS17 (figure): with NBAR2 this is what we DID see, including the share of encrypted apps.

Cisco Application Recognition, CLUS 17
- Less than 1% unknown
- Less than 1% unclassified encrypted traffic
- 10G of traffic in less than 14% CPU utilization (ASR1002-HX)
Very good classification for encrypted traffic, with pretty good performance.

Ready to Dive?

NBAR2 Classification, a bit of terminology
- Flow: a session, identified by 5-tuple (src IP, src port, dst IP, dst port, vrf)
- Socket: identified by 3-tuple (dst IP, dst port, vrf); usually a server
- FIF: First packet In the Flow
- Bypass: no processing, just quick forwarding

NBAR2 Classification, high-level overview
- Slow Path (NBAR2, ~5%): classifies the flow based on packet processing, potentially on the first packet (First In Flow, FIF classification), and programs the Fast Path with the classification result
- Fast Path (Flow Table, ~95%): completely bypasses NBAR2 processing and uses the programmed classification

NBAR2 Classification, simplified slow path (figure): FIF stage (provisioned L3/L4 entries and SD-AVC; more than 80% of the flows), Payload stage (pattern matching, multi-packet), Advanced stage (machine learning, behavioral, cross flow), then the result is cached.

NBAR2 Classification, detailed (figure): FIF-only stage (1): L3/L4, custom IP cache, socket cache, DNS-AS / L3 LUT, pre-flow cross-flow look-up table, flow table, NBAR bypass management, app tracker listener. First-payload-only stage (2): custom payload, Well Known Packet (WKP) entry, heuristic logic, Single-Packet Engine (SPE). Multi-packet stage (3): Multiprotocol Text Parser (MTP), Multi-Packet Engine (MPE), statistical engine, IANA or VM engine helper. Results are stored for the current flow (flow table), set for the next packets, and stored for future flows (cross-flow LUT, socket cache, bundle).


NBAR2 Socket Cache Classification, example
- A client connects to the MySQL server at 10.10.10.1:3306. The first flow gets full classification, plus learning the socket.
- The result is cached in the socket cache:
  Dst IP       Dst Port   Application
  10.10.10.1   3306       MySQL
- Later flows to the same socket: no processing, using the cache!
- The socket is re-validated every time interval.

Classification and Encryption

NBAR2/SD-AVC encrypted traffic techniques
- Outside the organization (usually non-collaborative): SSL handshake analysis (certificate, Server Name Indication (SNI)); DNS traffic analysis; machine learning/statistical classification
- Inside the organization (usually collaborative): customization of SSL certificates and DNS domains; server and client discovery based on NBAR2 SD-AVC; external sources (more on this later)

NBAR2 Encryption Classification
- Automatic (signature), for example the host pattern "(.*[.])?((youtube(-nocookie)?|ytimg|googlevideo)[.]com)|youtu[.]be"
- Custom: cisco(config)#ip nbar custom CCSOC composite server-name "*ccsocdev.net"

NBAR2 DNS Classification, example
- DNS request for cisco.webex.com: regex pattern matching on the queried name identifies Webex.
- DNS response 10.10.10.1: the IP cache learns the mapping
  IP           Application
  10.10.10.1   webex
- First packet of the (encrypted) flow to 10.10.10.1: classified as Webex from the IP cache, before any payload is seen.
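The socket cache example above and this DNS example as one runnable model, an added Python example that is not the session's or Cisco's code: it keeps a socket cache keyed by (dst IP, dst port, vrf) with periodic re-validation, a DNS-snooped IP cache, and a payload/handshake stage that runs only when no cache answers. The host patterns (the slide's YouTube one plus an assumed Webex one), the MySQL greeting signature, the sample bytes and every IP other than 10.10.10.1 are constructed, and re-validation is counted in cache hits rather than time.

```python
import re
from dataclasses import dataclass

# Constructed signatures (not the NBAR2 protocol pack): YouTube pattern from the slide, Webex assumed.
HOST_SIGNATURES = {
    "youtube": re.compile(r"^((.*[.])?(youtube(-nocookie)?|ytimg|googlevideo)[.]com|youtu[.]be)$"),
    "webex": re.compile(r"^(.*[.])?webex[.]com$"),
}
# Simplified payload signature: MySQL v10 server greeting (4-byte header, 0x0a, dotted version, NUL).
PAYLOAD_SIGNATURES = {"mysql": re.compile(rb"^.{4}\x0a\d+\.\d+\.\d+\x00", re.S)}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vrf: str = "global"
    tls_host: str = None   # SNI / certificate name from the handshake, if seen
    payload: bytes = b""   # first payload bytes of the flow, if seen


class Nbar2Classifier:
    """Slow-path model from the slides: caches first (socket cache, then DNS IP cache), payload last."""

    def __init__(self, revalidate_every: int = 3):
        # Re-validation is modelled as "every N cache hits" instead of a timer (assumption).
        self.socket_cache = {}  # (dst_ip, dst_port, vrf) -> [app, hits since validation]
        self.ip_cache = {}      # (ip, vrf) -> app, learned by DNS snooping
        self.revalidate_every = revalidate_every
        self.stats = {"socket_cache": 0, "ip_cache": 0, "payload": 0, "unknown": 0}

    @staticmethod
    def match_host(host: str):
        for app, rx in HOST_SIGNATURES.items():
            if rx.match(host.lower()):
                return app
        return None

    def snoop_dns(self, qname: str, answers, vrf: str = "global"):
        """DNS snooping: regex-match the queried name, then map each answer IP to the app."""
        app = self.match_host(qname)
        if app:
            for ip in answers:
                self.ip_cache[(ip, vrf)] = app
        return app

    def _full_classification(self, flow: Flow):
        app = self.ip_cache.get((flow.dst_ip, flow.vrf))  # FIF: answer before any payload
        if app:
            return app, "ip_cache"
        if flow.tls_host:                                  # handshake analysis (SNI / cert)
            app = self.match_host(flow.tls_host)
            if app:
                return app, "payload"
        for app, rx in PAYLOAD_SIGNATURES.items():         # pattern matching on payload
            if rx.match(flow.payload):
                return app, "payload"
        return None, "unknown"

    def classify(self, flow: Flow):
        key = (flow.dst_ip, flow.dst_port, flow.vrf)
        entry = self.socket_cache.get(key)
        if entry is not None and entry[1] < self.revalidate_every:
            entry[1] += 1                      # "No processing. Using cache!"
            self.stats["socket_cache"] += 1
            return entry[0]
        app, source = self._full_classification(flow)
        if app is None and entry is not None:
            entry[1] = 0                       # re-validation saw nothing; keep cached app (assumption)
            self.stats["socket_cache"] += 1
            return entry[0]
        self.stats[source] += 1
        if app:
            self.socket_cache[key] = [app, 0]  # learn (or re-validate) the server socket
        return app


# Constructed first payload of a MySQL flow: server greeting, protocol 10, version 5.7.29.
MYSQL_GREETING = b"\x4a\x00\x00\x00\x0a5.7.29\x00" + b"\x00" * 8


def run_example():
    nbar = Nbar2Classifier(revalidate_every=3)
    results = []
    # Socket-cache example: first MySQL flow to 10.10.10.1:3306 is fully classified, then three cache hits.
    results.append(nbar.classify(Flow("10.1.1.10", 40001, "10.10.10.1", 3306, payload=MYSQL_GREETING)))
    for port in (40002, 40003, 40004):
        results.append(nbar.classify(Flow("10.1.1.10", port, "10.10.10.1", 3306)))
    # Fourth later flow triggers re-validation without a payload; cached answer is kept.
    results.append(nbar.classify(Flow("10.1.1.11", 40005, "10.10.10.1", 3306)))
    # DNS example: request for cisco.webex.com (slide); the answer IP is constructed.
    nbar.snoop_dns("cisco.webex.com", ["198.51.100.7"])
    results.append(nbar.classify(Flow("10.1.1.12", 50000, "198.51.100.7", 443)))
    # Encrypted flow with no DNS seen: classified from the SNI in the handshake.
    results.append(nbar.classify(Flow("10.1.1.13", 50001, "203.0.113.9", 443, tls_host="www.youtube.com")))
    results.append(nbar.classify(Flow("10.1.1.14", 50002, "203.0.113.10", 8443)))  # nothing to go on
    return results, nbar.stats


if __name__ == "__main__":
    print(run_example())
```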

NBAR2 Encrypted Traffic Classification, summary
- Most of the traffic is encrypted and is SSL/TLS
- Testing shows more than 80% of SSL traffic is classified by NBAR2
- All major internet/cloud applications are supported, hundreds of applications
- NBAR2 classifies both cloud and local encrypted traffic
- NBAR2/SD-AVC use a variety of techniques to classify encrypted traffic

Performance

NBAR2 Performance Optimization Techniques
- Optimized C code engines
- Optimized processing skips most of the traffic
- Wise caching techniques; we've added many of these
- NBAR2 Default (Performance-Optimized) Mode: application classification, supported on all platforms
- NBAR2 Fine-Grain Mode: analytics (deep DPI), supported on routers only

NBAR2 Performance Testing Results (figure): fast path; validated in real live networks and tested on the Enterprise Traffic Mix (EMIX) benchmark.

NBAR2 Performance Ongoing Improvements (figure): 40% improvement in just 2 releases, based on a generic Enterprise Traffic Mix (EMIX).

NBAR2 Protocol Discovery Performance
- Most XE routers: line rate at a working point of 70% CPU utilization
- 9300: 2000 CPS, 10,000 bi-directional flows for each 24 ports, CPU at ~50% (HTTP profile)

Application Recognition: NBAR Evolution (figure; axis: number of apps/domains recognized)
- Pre-NBAR: standard port based
- NBAR Version 1: 100s of apps; DPI, signatures, custom apps
- NBAR Version 2: ~1500 apps, ~150 encrypted apps; DPI, signatures, custom apps, heuristic, statistical + behavioral
- SD-AVC: network level analytics, external sources

Application Recognition at Network Level SD-AVC

Why SD-AVC?
- Useful and easy application bandwidth monitoring at a network level
- Better application recognition in asymmetric environments
- Better application recognition for encrypted applications
- Better first packet classification for path selection and marking policies
- Improved performance
- Automatic protocol pack deployment at a network level
- Serviceability and troubleshooting tools for application recognition issues
- Key for Cisco solutions such as SD-WAN, EasyQoS, Assurance

Why SD-AVC? Reduce operational complexity; improve application visibility and policy efficiency.

SD-AVC high-level concept (figure): the SD-AVC service provides service automation and analytics & telemetry across network devices (Catalyst 3850, ASR1001-X), with external inputs such as MS Office365 and DNS.

What is SD-AVC? A network service which ensures application recognition for visibility, analytics and application based policy solutions.
- Analytics processing at a network level
- Synchronizing application state between network nodes
- Serves as a gateway for external sources, provisioning into the Cisco network
- Auto-learning and auto-signature algorithms
- Provides pack update capability at a network level for thousands of devices

What is SD-AVC? Current form factor
- Hosted on IOS-XE devices using a Linux container (LXC) as a virtual-service (future: DNA-C)
- 3G RAM and 4 CPUs
- Serves more than 6K devices

How does SD-AVC work? (Basics)
- SD-AVC defines Sensors and Consumers in the network data plane
- Sensors are network devices (with NBAR2) that produce classification information and export it to the SD-AVC network service (up to 2 Kbps for a small branch router)
- Consumers are network devices that consume classification information from the SD-AVC network service
- A network device can be a sensor, a consumer or both

How does SD-AVC work? (Basics)
- Sensors with NBAR2 classify traffic and cache the results in the form of Application Rules
- An Application Rule is defined as an L3/L4 to App-ID mapping
Application Rule example:
  id  IP              port  L4   vrf-id  vrf name  app-id  eng-id  sel-id  app-name  #hits  black  weight  rating
  0   64.103.117.145  5902  TCP  0       global    100     13      100     vnc       1      no     69      1

How does SD-AVC work? (Basics, cont.)
- The SD-AVC service compiles application rules received from the different network sensors (as well as external authoritative sources)
- The service generates an Application Rules Pack
- Consumers pull the application rules pack from the SD-AVC service and install the application rules in their data plane
- On-device classification is enhanced with the newly installed SD-AVC application rules
- This process is periodic

SD-AVC Asymmetric Webex example (figure)
Topology: branch routers br0, br1 and br2 connect over MPLS and the Internet to the hub site (hub rtr, mc, SD-AVC), which fronts the corporate servers. Webex DNS resolves Webex to 176.70.168.183. Path policy: Webex => MPLS.
- NBAR2 on the branch classifies the first flow as Webex (based on the certificate); NBAR2 on the hub classifies the first flow upstream as Webex (based on the certificate).
- The problem: NBAR2 can't classify the flow in the downstream direction (no certificate), so Webex downstream is routed via the Internet due to bad classification.
Exported sockets (from the sensor):
  id  IP              port  L4   vrf-id  vrf name  app-id  eng-id  sel-id  app-name       black
  1   179.36.9.210    5901  TCP  2       Mgt       100     13      100     vnc            no
  2   179.36.9.205    5901  TCP  2       Mgt       100     13      100     vnc            no
  3   179.36.9.208    5901  TCP  2       Mgt       100     13      100     vnc            no
  4   176.70.168.183  443   TCP  2       Mgt       1306    13      414     webex-meeting  no
Imported sockets (on the consumer): the same four rules, including 176.70.168.183:443 TCP => webex-meeting, are installed from the SD-AVC service.
Asymmetric fixed, Webex example with SD-AVC: NBAR2 classifies Webex downstream based on SD-AVC, and Webex downstream is routed via MPLS.
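The sensor-to-consumer cycle from the basics above and this asymmetric example, as an added Python example that is not SD-AVC's own code: it parses the exported socket table, compiles a rules pack from two sensors, and lets a consumer classify the downstream Webex flow from the installed rule. The second sensor's export, the majority/tie handling, the meaning of the black column and the either-end socket match are assumptions.

```python
import json
from collections import namedtuple

# Column order of the exported socket table shown on the slides ("vrf name" is one column).
COLUMNS = ["id", "ip", "port", "l4", "vrf_id", "vrf_name", "app_id", "eng_id", "sel_id", "app_name", "black"]
AppRule = namedtuple("AppRule", "ip port l4 vrf app_id app_name")

# Exported sockets from the slide (copied values), taken as one sensor's export.
HUB_EXPORT = """\
id  IP              port  L4   vrf-id  vrf name  app-id  eng-id  sel-id  app-name       black
===========================================================================================
1   179.36.9.210    5901  TCP  2       Mgt       100     13      100     vnc            no
2   179.36.9.205    5901  TCP  2       Mgt       100     13      100     vnc            no
3   179.36.9.208    5901  TCP  2       Mgt       100     13      100     vnc            no
4   176.70.168.183  443   TCP  2       Mgt       1306    13      414     webex-meeting  no
"""
# Constructed export of a second sensor: agrees on Webex, adds a socket, disagrees on
# 179.36.9.210 (app-id 1234 is made up) and carries one blacklisted rule.
BRANCH_EXPORT = """\
id  IP              port  L4   vrf-id  vrf name  app-id  eng-id  sel-id  app-name       black
===========================================================================================
4   176.70.168.183  443   TCP  2       Mgt       1306    13      414     webex-meeting  no
5   179.36.9.220    5901  TCP  2       Mgt       100     13      100     vnc            no
6   179.36.9.210    5901  TCP  2       Mgt       1234    13      100     rdp            no
7   10.20.0.9       8080  TCP  2       Mgt       80      13      80      http           yes
"""


def parse_export(text):
    """Parse the export text into AppRules; skip header, separator and blacklisted rows."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != len(COLUMNS) or not tok[0].isdigit():
            continue
        row = dict(zip(COLUMNS, tok))
        if row["black"] == "yes":  # "black" treated here as "do not propagate" (assumption)
            continue
        rules.append(AppRule(row["ip"], int(row["port"]), row["l4"], row["vrf_name"],
                             int(row["app_id"]), row["app_name"]))
    return rules


def compile_pack(exports):
    """Merge rules from several sensors into an Application Rules Pack (JSON string).
    Conflicting sockets are settled by majority; an exact tie drops the socket (assumption)."""
    votes = {}
    for rules in exports:
        for r in rules:
            key = (r.ip, r.port, r.l4, r.vrf)
            votes.setdefault(key, {})
            votes[key][r.app_name] = votes[key].get(r.app_name, 0) + 1
    pack = []
    for (ip, port, l4, vrf), apps in sorted(votes.items()):
        app, n = max(apps.items(), key=lambda kv: kv[1])
        if list(apps.values()).count(n) > 1:
            continue
        pack.append({"ip": ip, "port": port, "l4": l4, "vrf": vrf, "app": app, "sensors": n})
    return json.dumps(pack)


class Consumer:
    """A consumer installs the pack and uses it for first-packet classification."""

    def __init__(self, pack_json):
        self.rules = {(r["ip"], r["port"], r["l4"], r["vrf"]): r["app"] for r in json.loads(pack_json)}

    def classify_first_packet(self, src_ip, src_port, dst_ip, dst_port, l4, vrf):
        # Upstream the server socket is the destination; downstream (the asymmetric case
        # above) it is the source. Matching either end is what lets the downstream flow be
        # classified without ever seeing a certificate (matching rule: assumption).
        for ip, port in ((dst_ip, dst_port), (src_ip, src_port)):
            app = self.rules.get((ip, port, l4, vrf))
            if app:
                return app
        return "unknown"


def run_example():
    pack = compile_pack([parse_export(HUB_EXPORT), parse_export(BRANCH_EXPORT)])
    consumer = Consumer(pack)
    return {
        "pack_size": len(json.loads(pack)),
        "webex_sensors": next(r["sensors"] for r in json.loads(pack) if r["app"] == "webex-meeting"),
        "downstream": consumer.classify_first_packet("176.70.168.183", 443, "10.20.0.5", 51000, "TCP", "Mgt"),
        "upstream": consumer.classify_first_packet("10.20.0.5", 51000, "176.70.168.183", 443, "TCP", "Mgt"),
        "other_vrf": consumer.classify_first_packet("10.20.0.5", 51001, "176.70.168.183", 443, "TCP", "global"),
        "conflict": consumer.classify_first_packet("10.20.0.5", 51002, "179.36.9.210", 5901, "TCP", "Mgt"),
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```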

SD-AVC External Sources

SD-AVC and External Sources
- The SD-AVC service connects with external authoritative sources to enrich application classification dynamically and seamlessly
- Enables us to: connect Cisco Security databases; provide real-time Cloud/SaaS information; provision home-grown applications
- Example use cases: automatic enrichment of Cloud/SaaS applications (MS RSS, CASI); automatic learning of enterprise local or private apps (Infoblox/ACI/CUCM)

SD-AVC Operation, data flow (figure): the SD-AVC network service collects cached application rules (JSON) from sensors, takes input from external sources (CloudLock, MS RSS, Infoblox) and from a controller, generates the Application Rules Pack, and delivers it to the network layer (consumers, and devices that are sensor & consumer).

SD-AVC Connectors
- Microsoft Office 365: contains geolocation and worldwide FQDN and URL information (PoC)
- CASI: contains 10,000 applications with domain and certificate information
- Provides DNS information for home-grown applications (PoC)

SD-AVC and Microsoft Office365

Using Microsoft RSS, how does it work?
- Office 365 URLs and IP address ranges
- Requires connectivity to the internet (from the SD-AVC service)
- XML format
- Huge list of IP addresses and ranges
- Much more robust list of domains

Using Microsoft RSS, how does it work? (figure): the imported data from Microsoft is compared with the Cisco Protocol Pack application data to find new domain information from Microsoft, example: jpn.delve.office.com

Using Microsoft RSS, how does it work? (Second step)
1. Find the correct application for the new domains
2. Use machine learning based on the previous learning set of Office 365 and the existing host mappings supplied by the Cisco NBAR2 Protocol Pack
Algorithm: given the previous learning set (hosts host1, host2, host3 mapped to applications app1, app2, app3) and a new domain that we want to map to an application, e.g. jpn.delve.office.com => ms-office365???

Using Microsoft RSS, how does it work? (Third step)
- Compile a new pack with the new signature and make it available for the devices
- The secondary pack is installed alongside the Cisco NBAR2 protocol pack
- New domains are now supported automatically (SD-AVC)

Demo

What we'll show in the demo
- How completely asymmetric devices can teach each other classification information, using SD-AVC
- How external sources can enhance application recognition
- How these new automatic signatures help application recognition in an asymmetric scenario with SD-AVC

Demo topology (figure): SD-AVC pulls Office365 data from the Microsoft RSS feed; two CSR1Kv routers (CSR-Demoupstream and csr-demodownstream) exchange application rules and data analytics (JSON) with SD-AVC; a TRex traffic generator drives upstream and downstream traffic through them.

Demo script (note: we expedited some of the timers, which may lead to skew in status indications)
1. Downstream setup, not connected to SD-AVC
2. Connect downstream to the SD-AVC network service: first level of asymmetry fix
3. Enrich the devices with a secondary pack based on MS Office365 cloud info
4. Downstream setup classifies based on the MS info using SD-AVC: second level of asymmetry fix

SD-AVC and Cloudlock CASI

SD-AVC and Cloudlock CASI, why?
- Database synchronization between the Cloudlock SaaS Security Index and SD-AVC/NBAR
- Better SaaS application recognition, leveraging the Cloudlock Security Cloud infrastructure
- Better response time to application and domain changes
- Cloudlock Shadow IT visibility leveraging SD-AVC on the Cisco enterprise network

SD-AVC and Cloudlock, self-learning network (figure): the network device learns and feeds SD-AVC; SD-AVC exchanges analysis & feedback with the Cloudlock application database & Shadow-IT.

How it works? (diagram, Cloudlock CASI and SD-AVC in the enterprise network): step 1, learning process of unfamiliar domains; step 2 is shown as an arrow without a caption on the slide.

How it works #2? (diagram, Cloudlock CASI and SD-AVC in the enterprise network): step 1, update CASI with offline application information from NBAR/CASI R&D; step 2 is again shown without a caption.
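The first diagram describes a loop: sensors report domains NBAR cannot classify, SD-AVC resolves them against the Cloudlock index, and the resulting classification is pushed back to every sensor, which also closes the asymmetry gap because a device that saw only one direction of a flow still receives the rule. The following added example (not Cisco's or Cloudlock's code) runs that loop offline over constructed flow summaries and a constructed stand-in for the SaaS index; the record shape, the risk scale, the "sanctioned" flag and the parent-domain lookup are assumptions, and the real Cloudlock API is not shown on the slides.

```python
"""Learn unfamiliar domains from sensor flow summaries and resolve them against a SaaS index (illustrative)."""
from collections import defaultdict

# Constructed flow summaries, as two sensors might export them (shape is an assumption).
# Both sensors see app.dropbox.com, but only one direction each, hence the uneven byte counts.
FLOWS = [
    {"device": "csr-down", "client": "10.1.1.10", "host": "app.dropbox.com", "app": "unknown", "bytes": 820_000},
    {"device": "csr-down", "client": "10.1.1.11", "host": "dl.dropboxusercontent.com", "app": "unknown", "bytes": 4_100_000},
    {"device": "csr-up", "client": "10.1.1.10", "host": "app.dropbox.com", "app": "unknown", "bytes": 33_000},
    {"device": "csr-up", "client": "10.1.1.12", "host": "api.wetransfer.com", "app": "unknown", "bytes": 9_900_000},
    {"device": "csr-up", "client": "10.1.1.13", "host": "intranet.corp.example", "app": "unknown", "bytes": 1_000},
    {"device": "csr-down", "client": "10.1.1.14", "host": "outlook.office.com", "app": "ms-office-365", "bytes": 500_000},
]

# Constructed stand-in for the Cloudlock SaaS index; risk 1-10 and the sanctioned flag are assumptions.
SAAS_INDEX = {
    "dropbox.com": {"app": "dropbox", "risk": 3, "sanctioned": False},
    "dropboxusercontent.com": {"app": "dropbox", "risk": 3, "sanctioned": False},
    "wetransfer.com": {"app": "wetransfer", "risk": 7, "sanctioned": False},
    "office.com": {"app": "ms-office-365", "risk": 1, "sanctioned": True},
}


def lookup(host):
    """Try the full host, then each parent domain, but never the bare TLD; first hit wins."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = SAAS_INDEX.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def learn(flows, index_lookup=lookup):
    """Step 1: collect unknown domains from all sensors. Step 2: resolve them against the index."""
    unknown = defaultdict(lambda: {"bytes": 0, "clients": set(), "devices": set()})
    for f in flows:
        if f["app"] != "unknown":
            continue  # already classified by NBAR2 on the device
        u = unknown[f["host"].lower()]
        u["bytes"] += f["bytes"]
        u["clients"].add(f["client"])
        u["devices"].add(f["device"])

    learned, still_unknown = {}, []
    for host, stats in unknown.items():
        entry = index_lookup(host)
        if entry:
            learned[host] = {**entry, "bytes": stats["bytes"],
                             "clients": len(stats["clients"]), "devices": sorted(stats["devices"])}
        else:
            still_unknown.append(host)  # candidate for offline R&D review, per the second diagram
    return learned, sorted(still_unknown)


def feedback_rules(learned):
    """Host-to-application rules pushed to every sensor, including ones that saw only one direction."""
    return sorted({(host, info["app"]) for host, info in learned.items()})


def shadow_it(learned, min_risk=5):
    """Unsanctioned apps ranked by bytes; the last field flags anything at or above min_risk."""
    rows = [(host, i["app"], i["risk"], i["bytes"]) for host, i in learned.items() if not i["sanctioned"]]
    rows.sort(key=lambda r: -r[3])
    return [(h, a, r, b, r >= min_risk) for h, a, r, b in rows]


if __name__ == "__main__":
    learned, unresolved = learn(FLOWS)
    print("rules to push:", feedback_rules(learned))
    print("still unknown:", unresolved)
    for row in shadow_it(learned):
        print("shadow IT:", row)
```

Domains that the index cannot resolve stay unknown rather than being guessed, which keeps the feedback loop from teaching the network a wrong classification; they are the input to the offline update path shown in the second diagram.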

SD-AVC Delivery Plan

SD-AVC delivery plan
Phase 1 (FCS Oct 2017), IWAN 2.2.1:
- SD-AVC hosted in an XE container
- Improved application recognition in hub asymmetric-routing environments
- Improved first-packet classification decision
- Application recognition function serviceability
- Automatic protocol pack update
Phase 2 (FCS Jan 2018):
- Cloud/SaaS automatic signature push (MS RSS)
- High scale of SD-AVC sensors (6K)
- Support for asymmetrical routing in branch routers
- Support for IWAN 2.3 DCA (Direct Cloud Access), FCS March 2018
Future:
- Unknown and generic traffic discovery
- High-scale custom application support (1000+)
- Viptela vManage integration
- DNA-C App-Policy/EasyQoS use cases
- Wireless and switching

Q&A

Homework

What you can do:
- Use Application Visibility on the WebUI (device-level visibility): XE routers supported from 3.16 and up, Cat3K/9K supported from 16.6.1 and up
- Download and install SD-AVC on a router (network-level visibility)
- Subscribe to NBAR2/SD-AVC announcements: send an email with SUBSCRIBE to cisco-nbar2-pp-announcement@cisco.com

Wrap up
- NBAR2 has evolved and matured to tackle today's network challenges
- SD-AVC brings new innovation and advances to the network level using analytics and external sources
- The evolution of Cisco application recognition technology unlocks capabilities on both the device side and the controller side, to provide application-based solutions such as SD-WAN, EasyQoS, Assurance and Security

Wrap up: SD-AVC makes the network more intuitive.

Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brkcrs-2502

Complete your online session evaluation: please complete your online session evaluations after each session. Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue your education: come and meet us in the DevNet zone, at the SD-AVC demo pod, in the Whisper Suite, or at Meet the Engineer 1:1 meetings.

Thank you
