How To Hack SD-WAN And Keep Your Sanity? presented at ekopartySecurityConference 2018

by Sergei Gordeichik,

Summary: Nowadays software-defined networks, especially SD-WAN (software-defined wide-area network), are becoming the "solution of choice" in new deployments for traditional and cloud branch-office and data-center connectivity infrastructure. An SD-WAN can replace firewalls and other perimeter security tools, which makes it an attractive target for attackers. Vendors promise "on-the-fly agility, security" and many other benefits. But what does "security" really mean from a hands-on perspective? Traditional network appliances are well researched, while SD-WAN is a "black box" from a security perspective. The complexity of SDN creates additional security issues, and cybersecurity professionals should address them before an attack occurs. This presentation will introduce SD-WAN design internals, major components, and data and control flow. We will discuss typical vulnerabilities and possible attacks on SD-WAN-based enterprise networks.

SD-WAN overview

A. SD-WAN in a nutshell.
B. Typical SD-WAN design overview.
C. Cloud, on-premise, hybrid architecture.
D. Common technology stack (netconf, strongswan, DPDK, etc.).
E. Customization, vCPE and VNF.
F. Security features.

Basic terminology and the essentials of SD-WAN architecture: declared advantages and implementation options. Customization approaches via tailored and 3rd-party VNF and uCPE/vCPE. Overview of built-in and additional security features.

SD-WAN attack surface

A. Management interfaces.
B. Local shells and OS.
C. Control plane and data plane separation.
D. Analytics-Controller-vCPE/uCPE-VNF communications.
E. Hypervisor and virtualization (VNF) separation.
F. Routing, IPSec overlay.
G. Updates and cloud features.

Technical analysis of data and control flow between the major components in a typical SD-WAN architecture (Orchestration - Controller - vCPE - VNF [and back]). Attack vectors, vertical and horizontal (for multi-tenant/managed service) privilege escalation scenarios.

Security assessment

A. SD-WAN as a (virtual) appliance.
B. Rooting the "box".
C. Old school *nix tricks.
D. How I Learned to Stop Worrying and Love the Node.js.
E. Built-in security features.
F. Post-implementation "forensics".
G. SD-WAN managed services.
H. Top down, bottom up and lateral movement.

Practical SD-WAN security assessment cases, vulnerabilities (summarized next in the "SD-WAN vulnerabilities" section), tips and tricks.

SD-WAN offensive and defensive toolkit

A. Internet census.
B. SD-WAN vulnerabilities.
C. Attack cases.
D. SD-WAN threat model.
E. Pentester and hardening checklists.
F. Buyer guide.

SD-WAN Internet census, Google/Shodan SD-WAN cheat sheet. Issues with cloud deployment and support (AWS, Azure). Publicly known attack cases. Vulnerabilities in the top 5 SD-WAN products (depends on fixes; responsible disclosure in progress).