Skip to main content

An overview of Software Defined Wide Area Networking (SDWAN) Security

This article is about software defined wide area network (SD-WAN) and specifically related to the context of information security.

Encrypting communications

Much has been said lately about end to end encryption in the context of online communications such as those associated with zoom. The expectation with SD-WAN is that it fulfill these requirements and it holds true for Fusion.

It is possible to configure Wireshark to capture traffic from Linux nodes and this includes SD-WAN nodes. This is a great means of troubleshooting problems and it also highlights some of the cases where missing encryption can be exploited. Often the last mile is established across fibre or wireless operator networks. When troubleshooting why a last mile wasn't provisioned I captured traffic on the last mile using Wireshark. It turned out the operator has made a mistake and allocated the last mile on the wrong port. I was able to access the unencrypted traffic of a state operated enterprise (SOE). Clearly, there is a problem!

One of the primary features of X86 platforms and especially those white boxes based on the technology is Intel's Advanced Encryption Standard instruction set (AES). This feature allows a SD-WAN node to encrypt communications with negligible impact to the performance of forwarded traffic. Applying this feature, the SD-WAN solution as implemented by Fusion is able to provide not only private networks but also secure it from eavesdropping as described above. 

Road warriors

Software Defined Wide Area Networking (SD-WAN) provides an excellent platform for reliable communications for a small business. Once such service is remote access, also known as the road warrior. This is either a person who is on the road or tele-commuting while accessing office resources. An example is an office accounting server such as a Windows Pastel server. There are many solutions using commercial products such as firewalls and routers (an example using Mikrotik) but a solution that is easy to deploy and reliable will be described in this article. This issue is of importance it today's world where more people require the option to work from home or alternative locations.

Many business in the example above of the Windows Pastel server, enable RDP on the server then create a port forward rule on a broadband firewall/router to access the application. This is vulnerable to being hacked, so a more secure solution is necessary.

Although there are two generic solutions using 3rd party VPN concentrators provided by either Softether and Strongswan, we have concentrated on using Softether. The main differential of Softether is its ability to integrate into a legacy on-prem solution. This is achieved by installing a SBC such as a Raspberry Pi on-prem. This remote hub acts exactly the same as an on-prem PC. Additionally, this remote hub can be attached and cascaded to a VPS that serves as the central access point. The solution supports all operating systems and protocols and can be configured for secure communications. The solution can be rolled out in a relatively short time period.

Softether virtual hub

Many VPN concentrator solutions are based on Linux but Softether also supports Windows and other operating systems making it a more versatile product.

The solution can be optionally integrated into a SD-WAN service chain which will improve the reliability and up time of the last mile. The solution can initially be installed without the SD-WAN connection and integrated later as more last mile links are aggregated.

The benefit of the SD-WAN service chaining is that because a private network is possible due to the deployment architecture, it negates the requirement for an on-prem VPN hub as described previously.

Fusion Broadband architecture

This use case showcases one of the benefits of SD-WAN which always multiple service chains, that previously operated independently to converge under a single umbrella.

VPN concentrators also have a separate function in providing secure management planes.

Visibility and transparency

Dealing with infosec by burying your head in the sand

The worst possible way to deal with information security is like an ostrich by putting your head in the sand. It is important to have visibility and transparency in the environment, all via a suitable heads up display.

It is important to know what is happening within the SD-WAN. This includes basic network visibility using the built-in network performance management function of the SD-WAN as well as including some traffic analysis tools such as ntopng. Additionally, you can use a tool like NMIS to track and monitor hosts via a virtual private server (VPS). A tool such as NeDi will create a network inventory and high problems associated with SNMP-capable devices. These tools highlight what traffic should or crucially shouldn't be on a network!

Finally, enter the veritable Swiss Army knife of Information Security, nmap. This tool can be side loaded onto a SD-WAN solution such as Fusion. It supports a number of scripts where some will report on the vulnerability of network attached systems. Two of these are vulners and vulscan. These can be used to proactively address and fix vulnerable systems before an exploit is attempted and thus forms an important part in a multi-layered information security strategy! 

Creating a separate management plane

The next important aspect tho discuss is the management of network devices especially servers and important network infrastructure such as SD-WAN nodes. At one of the GP NOGs I gave a presentation on the topic. It is crucial to create a management plane that is separate from the data being transmitted across the network.

An example of the management plane and data plane not being partitioned is the wide spread use of the remote desktop protocol (RDP) exposed to the Internet. This is typically done by doing a port forward to the Windows server from a Internet gateway. Even if an alternative port is used, this is rapidly discovered by a port scan using such basic tools as nmap. In Linux environment the ssh port is often protected using a tool known as fail2ban. Although there are Windows equivalence for RDP, as an example EvlWatcher, they are not always implemented. This mitigation is one step better than doing nothing but the better method is to implement a management plane.

A management plane is achieved using a overlay virtual private network (VPN) that is dedicated exclusively to network management. To access this management plane an administrator needs to authenticate via a VPN concentrator. Additionally all the network kit that has management requirements has access rules configured to only allow the network address of the VPN concentrator rights to log on. The VPN used for the management plane also needs to be setup to use certificates as well as usernames and passwords.

When selecting a platform it is important to consider that it is sandboxed/partitioned. A solution that is integrated together with other information security results in contamination. Examples are the recent exploits with both Cisco and Fortinet gear!

Some reasonable solutions exist. These include softether and StrongSwan. There are also numerous other 3rd party solutions that can be used to fulfill the requirement.

The architecture described here needs to be a fundamental to how the SDWAN is secured, else the overall solution will be vulnerable.

Configuring network device security

Information security is a multi-layered approach and requires different functions to be secured. Previously I wrote about using threat intelligence, and in this article I'll focus on using name resolution and how to use it for information security strategies.

There have been many newsworthy hacks that have impacted businesses and governments. The above mentioned hack could have been stopped by some as simple as implementing Quad9. Quad9 blocks against known malicious domains, preventing devices from connecting to malware or phishing sites. The below shows how it works:

No alt text provided for this image

The probability of compromise is constantly increasing. Recently there has been an increase as a result of COVID-19 associated attacks. The CTI League has created a threat intelligence list that can be used as mitigation. This can be assimilated into some of the methods described in this article.

The CTI League mentions a tool namely pi-hole. Pi-hole is a tool primarily used by home users to protect home networks and ironically provides better protection than a significant number of tools implemented in business networks. As mentioned, the pi-hole can protect against COVID-19 related threats.

Within a software defined wide area network, the above methods can be implemented using standard Linux based utilities and functions. A tool that does the same on Linux network nodes as pi-hole, is hblock. The script can be modified to include COVID-19 threat intelligence and remove some lists to improve performance. With hblock installed additionally filtering can also be achieved using block lists from Steven Black. The lists from Steven Black provide content management in the categories of malware, adware, social, porn, gambling and fake news. These are implemented on a Linux node using DNSMASQ with the hosts file downloaded to the node and the following line added to the DNSMASQ custom configuration:

addn-hosts=/etc/ipset-blacklist/sbhostsf

The Quad9 protection (with a failover to Cloudflare) is implemented as follows:

server=9.9.9.9

server=149.112.112.112

server=1.1.1.2

It is also recommended to implement DNSSEC as follows:

dnssec

dnssec-check-unsigned

trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

A good method to test DNS and its performance is to use the tool DNSbench.

The practical methods described here are implemented by Fusion Broadband on their nodes. A network device that is attached using one of the nodes that has been configured as described above will never be able to resolved the name of a domain or host that has been listed as a risk. As an example, it operates as a kill switch for ransomware.

Threat intelligence

Software defined wide area networking (SD-WAN) has some default security strategies. It integrates well into network security functions and as such it becomes a prerequisite. Here are some of security abilities of SD-WAN:

  • Encrypt the data from the customer premise (CPE) to the aggregator located in the data centre;
  • White list SDWAN management IPs *;
  • Implement firewalls either at the edge or centrally in the cloud;
  • Content filtering mechanisms;
  • Integrate secure VPNs for road warriors to connect;
  • Implement a secure management overlay with management servers protecting the configuration for zero touch; and
  • Perform vulnerability scans and regular software patching.

All these strategies can be discussed in detail separately, which we will do in follow up articles. But one of the strategies that provides significant mitigation is oft overlooked, and that is threat intelligence. Threat intelligence is a mechanism to use 3rd party information about threat vectors and prevent traffic from transversing your network and more specifically, the SD-WAN. It is used together with the other security measures listed above and in itself is not a silver bullet! This is a multi-layer methodology to secure an environment, which places less reliance on singular systems to prevent a breach. As an example, many of the latest breaches are those that have been experienced again Citrix servers. These breaches have occurred even though the servers have been protected by a range of expensive enterprise firewalls from a variety of vendors. The reasons vary from a lack of process management to implement and identify the correct mitigation strategies to many of these firewalls actually lacking suitable 3rd party threat intelligence features.

One of the big security mistakes perpetrated by companies is to install a firewall and assume that the rules will protect their assets. These rules are effectively an unguarded perimeter and if this is the security the company will eventually be klapped. Similar weaknesses exist in VPNs. A VPN created using SSL with only a user name and password as authentication is an open barn door. Even with certificates you need to also monitor and review the logs for attempted breaches. However, companies poorly implement VPNs and as a result have a false sense of comfort.

Technically, threat intelligence is implemented by curating threats from known IPs that have participated in abuse, then dropping packets from these IPs within the SDWAN operating system kernel. This mechanism has a negligible impact on network performance. In the Linux kernel the mechanism used is IP sets.

IP sets are a framework inside the Linux kernel, which can be administered by the IPSET utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set.

This allows you to store multiple IP addresses or port numbers and match against the collection by iptables at one swoop; dynamically update iptables rules against IP addresses or ports without performance penalty; express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets.

IP sets was written by Jozsef Kadlecsik and it is based on ippool by Joakim Axelsson, Patrick Schaaf and Martin Josefsson *.

The mechanism to implement 3rd party threat intelligence can thus be programmed into the SDWAN software. The next step is to identify sources of 3rd party threat intelligence information. By default, these are the ones integrated by ourselves:

  • FireHOL level 1. This blocklist immediately takes out of the equation 6 million abuse IPs. This is a large number and these are IPs would previously have been attacking you with limited mitigation in place. The key attribute of this list is to have no false positives. These IPs listed are bad and should be blocked, without exceptions. This list includes bogons (which are unroutable IPs), spamhaus drop and edrop (Don't Route Or Peer IPs), dshield (the top 20 attacking class-Cs) and malware lists (the Command and Control IPs);
  • The top 200 abuse IPs as identified by Talos;
  • The Project Honeypot list of attacking IPs;
  • The Tor network which is a favourite of hackers;
  • Maxmind list of anonymous proxies;
  • All so-called "research" insitutes, e.g. Shodan, scanning IP ranges for vulnerabilities; and
  • Additional lists from FireHOL, blocklist.de and Greensnow.

Bonus: The exact some mechanism can be used to provide a mitigation against voice hacking using a VoIP blocklist.*

The aggregated impact of these blocklists can't be underestimated. Practically as an example, it mitigates threats by dropping a couple of hundred million packets per day over a dozen co-location working locations.

Many legacy network installations implement a firewall at each location in a mesh topology which has a fatal flaw that they are thrown to the wolves to survive individually. These locations are typically installed using entry level hardware that is pap innie broek. The hub and spoke method deployed by Fusion Broadband is able to implement threat intelligence in a dramatic and viable manner than has immediately information security benefits!

Ronald Bartels provides solutions to networking and last mile reliability problems. The solution from Fusion Broadband allows a business to stay 100% connected, avoid downtime and keep working.


Labels:
Location: Johannesburg, South Africa

Comments

Post a Comment

Popular posts from this blog

easywall - Web interface for easy use of the IPTables firewall on Linux systems written in Python3.

Firewalls are becoming increasingly important in today’s world. Hackers and automated scripts are constantly trying to invade your system and use it for Bitcoin mining, botnets or other things. To prevent these attacks, you can use a firewall on your system. IPTables is the strongest firewall in Linux because it can filter packets in the kernel before they reach the application. Using IPTables is not very easy for Linux beginners. We have created easywall - the simple IPTables web interface . The focus of the software is on easy installation and use. Access this neat software over on github: easywall
Post a Comment
Read more

Why Madge Networks, the token-ring company, went titsup

There I was shooting the breeze with an old mate. The conversation turned to why Madge Networks which I wrote about here went titsup. My analysis is that Madge Networks had a solution and decided to go out and find a problem. They deferred to more incorrect strategic technology choices. The truth of the matter is that when something goes titsup, its not because of one reason only, but a myriad of them all contributing to the negative consequence. There are the immediate or visual ones, which are underpinned by intermediate ones and finally after digging right down, there are the root causes. There is never a singular root cause for anything but I'll present my opinion and encourage everyone else to chip in. All of them together are more likely the reason the company went titsup. As far as technology brainfarts go there is no better example than Kodak . They invented the digital camera that killed them. However, they were so focused on milking people in their leg
Post a Comment
Read more

Flawed "ITIL aligned"​ Incident Management

Many "ITIL aligned" service desk tools have flawed incident management. The reason is that incidents are logged with a time association and some related fields to type in some gobbledygook. The expanded incident life cycle is not enforced and as a result trending and problem management is not possible. Here is a fictitious log of an incident at PFS, a financial services company, which uses CGTSD, an “ITIL-aligned” service desk tool. Here is the log of an incident record from this system: Monday, 12 August: 09:03am (Bob, the service desk guy): Alice (customer in retail banking) phoned in. Logged an issue. Unable to assist over the phone (there goes our FCR), will escalate to second line. 09:04am (Bob, the service desk guy): Escalate the incident to Charles in second line support. 09:05am (Charles, technical support): Open incident. 09:05am (Charles, technical support): Delayed incident by 1 day. Tuesday, 13 August: 10:11am (Charles, technical support): Phoned Alice.
Post a Comment
Read more