How To Hack SD-WAN And Keep Your Sanity?

Presented at ekoparty 14 (2018), Sept. 26, 2018, noon (50 minutes)

Nowadays software defined networks, especially SD-WAN (software defined wide-area network), are becoming the "solution of choice" in new deployments for traditional and cloud branch office and data-center connectivity infrastructure. SD-WAN can replace firewalls and other perimeter security tools, which makes it an attractive target for attackers. Vendors promise "on-the-fly agility, security" and many other benefits. But what does "security" really mean from a hands-on perspective? Traditional network appliances are well researched, while SD-WAN is a "black box" from a security perspective. The complexity of SDN creates additional security issues, and cybersecurity professionals should address them before an attack occurs. This presentation will introduce SD-WAN design internals, major components, data and control flow. We will discuss typical vulnerabilities and possible attacks on SD-WAN-based enterprise networks.

SD-WAN overview
  A. SD-WAN in a nutshell.
  B. Typical SD-WAN design overview.
  C. Cloud, on-premise, hybrid architecture.
  D. Common technology stack (netconf, strongswan, DPDK, etc.).
  E. Customization, vCPE and VNF.
  F. Security features.
Basic terminology, the essentials of SD-WAN architecture: declared advantages and implementation options. Customization approaches via tailored and 3rd party VNF and uCPE/vCPE. Overview of built-in and additional security features.

SD-WAN attack surface
  A. Management interfaces.
  B. Local shells and OS.
  C. Control plane and data plane separation.
  D. Analytics-Controller-vCPE/uCPE-VNF communications.
  E. Hypervisor and virtualization (VNF) separation.
  F. Routing, IPsec overlay.
  G. Updates and cloud features.
Technical analysis of data and control flow between major components in a typical SD-WAN architecture (Orchestration - Controller - vCPE - VNF [and back]). Attack vectors, vertical and horizontal (for multi-tenant/managed service) privilege escalation scenarios.

Security assessment
  A. SD-WAN as a (virtual) appliance.
  B. Rooting the "box".
  C. Old school *nix tricks.
  D. How I Learned to Stop Worrying and Love the Node.js.
  E. Built-in security features.
  F. Post-implementation "forensics".
  G. SD-WAN Managed Services.
  H. Top down, bottom up and lateral movement.
Practical SD-WAN security assessment cases, vulnerabilities (summarized next in the "SD-WAN vulnerabilities" section), tips and tricks.

SD-WAN offensive and defensive toolkit
  A. Internet census.
  B. SD-WAN vulnerabilities.
  C. Attack cases.
  D. SD-WAN threat model.
  E. Pentester and hardening checklists.
  F. Buyer guide.
SD-WAN Internet census, Google/Shodan SD-WAN cheat sheet. Issues with cloud deployment and support (AWS, Azure). Publicly known attack cases. Vulnerabilities in the top 5 SD-WAN products (depending on fixes; responsible disclosure in progress).

Conclusion / Takeaways

Presenters:

  • Sergei Gordeichik
    Sergey Gordeychik has been doing security research, products and services for the last 15 years. As Deputy CTO at Kaspersky Lab he was responsible for establishing the vision and leading the technological development for threat intelligence, cyber threat hunting, security assessment, incident response and vulnerability research. As CTO at Positive Technologies he led the development of Gartner-recognized enterprise security products such as MaxPatrol, PT Application Inspector and PT Application Firewall. Sergey is the architect, director and script writer of Positive Hack Days Forum, the largest and most influential cybersecurity event in Eastern Europe. Since 2012 he has led the SCADA StrangeLove industrial cybersecurity research team. Sergey is supervisor of the Cybersecurity MS programme and visiting professor at Harbour.Space University in Barcelona, has developed a number of training courses, including "Critical Information Infrastructure Cyber Resilience", "Wireless Networks Security" and "Security Assessment of Web Applications", and has published several dozen articles in various titles and a book called "Wireless Networks Security". He is a popular speaker at international security conferences such as CCC, S4, PacSec, CodeBlue, Area41, POC, Zeronights. MCSE since NT 4.0, MCT, MVP: Enterprise Security R&D, CWNA, CISSP.
