Software Defined Wide Area Networking (SD-WAN) is quickly becoming an enterprise staple to help control costs, reduce application latency, and reduce network downtime.
However, with all of those benefits come with new cybersecurity threats and risks that should be considered and evaluated prior to deployment.
SD-WAN has no inherent defenses and security controls against advanced threats. Depending on the vendor you select, this can vary significantly. Enter into your new SD-WAN solution with your eyes wide open and don’t assume any inherent security controls and benefits.
Based on the sales pitches of SD-WAN service providers, it is easy for non-technical people to assume SD-WAN has significant security controls by default. The way that encryption works in an SD-WAN environment is not a magic security silver bullet. For example, encrypting data conceals viruses that can bypass your AV check.
Get My Free Cloud Security Journal
SD-WAN THREAT LANDSCAPE
Within the last couple of months, VMware (VeloCloud) released security patches for six major vulnerabilities in their SD-WAN Orchestrator product that included flaws that can be chained by an attacker to steer traffic and even shut down an enterprise network. More information is available on the VMware Security Advisory Portal.
Three of these vulnerabilities were reported by a security research firm and these were linked to high-severity SQL injection bugs that allowed for unauthorized access to data. Other bugs discovered allowed for arbitrary code execution and default password compromise. Security researchers were able to change the password for the default super-admin accounts.
The same security researchers also found serious remote code execution vulnerabilities with other manufacturer’s, illustrating the evolving and ever-changing threat landscape targeting SD-WAN.
VMware created security updates for the above mentioned vulnerabilities and according to their security patch documentation, they also provided a patch for a high-severity vulnerability that allowed privilege escalation via a call to a vulnerable API that was previously undetected or reported in the wild.
SD-WAN THREAT CHECKLIST
Some of the items in this checklist seem obvious to cybersecurity professionals, but yet they continue to be a source of attacks and unauthorized breaches. Don’t overlook the fundamentals when it comes to assessing your SD-WAN deployment and ultimately improving your security posture.
THREAT # 1: OUTDATED/UNPATCHED SOFTWARE
The majority of SD-WAN systems use Linux-based operating systems and are frequently deployed with open source tools. Depending on your SLA (Service Level Agreement) and roles and responsibilities agreement with your SD-WAN provider, it is very important to understand the full technology stack and each party’s responsibility for keeping the full suite of software and utilities up to date.
Common Threats Include:
- Insecure Web Management Interfaces
- Insecure Crypto (MD5, SHA1, etc.)
- Using Outdated Software
- Insecure Software Update Methods
The web management interface threats are particularly worrisome based on the avalanche of confirmed web application attacks that have resulted in serious and damaging breaches.
The cyber risk community has identified several vulnerabilities across SD-WAN providers that are widespread and more common than you might think. Previously identified vulnerabilities include: Password brute-force attacks, HTTP Slow DoS attacks, XSS, RCE and command injection, CSRF, IDOR, and others.
Threat modeling and misuse case development on the front side of the system definition and design will go a long way to closing these types of gaps that can lead to highly undesirable outcomes.
THREAT # 2: MULTI-TENANCY
Many SD-WAN systems are multi-tenant systems because they are based on logical isolation of shared resources hosted by the provider. In the provider environment, they provide web management interfaces based on a common Web UI. There has been several reports of security vulnerabilities specific to multi-tenant web interfaces relating to access controls. Because access controls are part of the attack surface from a provider and client perspective, mis-use cases need to be developed during the design phase to account for these scenarios. One area to focus on are weaknesses in the password recovery system which is problematic because it can lead to horizontal privilege escalation.
Common Multi-Tenancy Threats:
- Unauthorized access to provider data
- Unauthorized access to tenant data
- Unauthorized access to tenant VNF (Virtual Network Functions)
- Unauthorized access to the tenant stored flow data
- Denial of Service
THREAT # 3: CRYPTOGRAPHY
SD-WAN management planes as well as data, control, and orchestration are all based on cryptographic mechanisms.
Cryptography protocols for SD-WAN are rapidly evolving and being actively developed because of this new technology. Most providers adopt IPSec and so this should be a focus in your mis-use case development.
Common Cryptographic Provisioning Threats:
- Use of hardcoded public-key cryptography key pairs and corresponding certificates that are the same for all customers and can not be replaced
- Use of self-signed certificates for generated public-key cryptography key pairs issued by the SD-WAN product
- Manual installation of self-signed certificates on SD-WAN nodes without certification revocation features
THREAT # 4: ZERO-TOUCH PROVISIONING
Zero Touch Provisioning (ZTP) is an SD-WAN mechanism that allows nodes to be provisioned and configured automatically. At this time, all of the major SD-WAN products support ZTP which means the ZTP server by design has to accept requests from unidentified and unauthorized devices coming from the Internet. This significantly increases the attack surface and attacker capabilities.
Common ZTP Threats:
- ZTP server or/and client spoofing
- Unauthorized access to ZTP service and data in the cloud
- Exhaustive Denial of Service on ZTP service
- Privilege escalation on ZTP server
- Insufficient access control on multi-tenant ZTP service
Get My Free Cloud Security Journal
COMMON SENSE SD-WAN SECURITY GUIDE
Before deploying your SD-WAN solution, review the basic SD-WAN Security Guide below to ensure these items have been considered and implemented based on your own risk assessment and risk appetite. This is not an exhaustive list, so be sure to do your own research and due diligence.
- Review ZTP design, architecture, and deployment because ZTP is at the root of trust in SD-WAN. a.) verify the edge router gets its initial configuration using a secure protocol b.) confirm the edge router discovers a controller, orchestrator and other entities using a secure protocol c.) confirmall SD-WAN entities (i.e,, edge routers, controllers, orchestrators) authenticate using secure cryptographic protocols d.) review and verify the trust bootstrapping mechanism e.) confirm identities are stored in secure storage systems (e.g., TPM, HSM) or short-lived and can be revoked easily.
- Verify all relevant SD-WAN software libraries and components are fully functional and up to date.
- Verify the operating systems and kernels are hardened to industry guidelines at a minimum.
- Research industry vulnerability databases for the relevant technology components and ensure all patches have been deployed and tested.
- Verify known host-based vulnerability scanners, web vulnerability scanners, and specialized scanners do not detect high risk vulnerabilities on the corresponding components and interfaces. If vulnerabilities are discovered, fully resolve them before deployment.
- Verify if a vendor-controlled cloud management interface is used within the architecture.
- Cryptographic mechanisms are key in SD-WAN technologies and based on the provider selected and their implementation of cryptography, a comprehensive review and assessment should be performed. SD-WAN providers are known to create self-invented distributed protocols for control planes and numerous vulnerabilities for secure provisioning have been identified by several manufacturers.
Tim Layton specializes in demystifying the complexities and technical jargon associated with cloud computing security and risk management for business stakeholders across the enterprise. Tim is a cloud security thought leader defining actionable and defensible strategies to help enterprise stakeholders make risk-based decisions and prioritize investments in the new digital frontier.
Stay Connected With Tim Layton
Get My Free Cloud Security Journal
COMMON CYBERSECURITY RISK TERMS DEFINED
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. (NIST 800–30)
Threat: potential cause of an unwanted incident, which can result in harm to a system or organization. (ISO 27001)
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. (NIST 800–30)
Vulnerability: weakness of an asset or control that can be exploited by one or more threats. (ISO 27001)
Likelihood: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. (NIST 800–30)
Likelihood: chance of something happening. (ISO 27001)
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (NIST 800–30)
Risk: effect of uncertainty on objectives. (ISO 27001)
Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. (NIST 800–30)
Compensating Security Control: A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. (NIST 800–30)
Impact Level: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. (NIST 800–30)
Residual Risk: Portion of risk remaining after security measures have been applied. (NIST 800–30)
Security Posture: The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST 800–30)
Get My Free Cloud Security Journal