All communication between Cisco Defense Orchestrator (CDO) and the devices it manages passes through Secure Device Connector (SDC). CDO and the devices it manages do not communicate directly.
An SDC can be deployed “in the cloud” by the CDO team or you can deploy the SDC “on-premise.” To identify the deployment model your tenant uses, navigate to the Secure Device Connector page from the User menu.
- Cloud Secure Device Connector. All cloud SDCs are provisioned and managed by the CDO team. See Connect to Cisco Defense Orchestrator using Secure Device Connector for establishing communication with the remote device or service.
- On-Premise Secure Device Connector. The on-premise SDC is a virtual appliance installed on a hypervisor in your network. You can create your on-premise SDC by using an image provided by Cisco or you can create your own VM and install the SDC on it. The on-premise SDC virtual appliance includes a CentOS operating system and runs on a Docker container. We recommended that you have 8GB memory and 10GB disk space assigned for the SDC virtual appliance.
Both SDC deployment models use secure communication messages signed and encrypted using AES-128-GCM over HTTPS (TLS 1.2) to communicate with CDO. All credentials for onboarded devices and services are encrypted directly from the browser to the device connector as well as encrypted at rest using AES-128-GCM. Only the SDC, whether cloud or on-premise, has access to the device credentials. No other CDO service has access to the credentials.
At any time, customers can choose to leverage either the Cisco-managed cloud deployed SDC or the customer-managed, on-premise, SDC. All requests can be completed by contacting your Cisco account manager, filing a support ticket within the CDO application, or emailing email@example.com.
For desired CDO-managed devices that are non-perimeter based, do not have a public IP address, or an open port to the outside interface, we recommended you use the on-premise SDC which enables onboarding, accessing, reading, and writing to those devices using internal IP addresses.