GradeZero Music Band

Saturday, September 29, 2018

How To Hack SD-WAN And Keep Your Sanity?

Talk by Sergey Gordeychik as presented at Ekoparty Security Conference, Buenos Aries, Argentina, September 2018.

Nowadays software designed networks, especially SD-WAN (software defined wide-area network) becomes “solution of choice” in new deployments for traditional and cloud branch office and data-center connectivity infrastructure. The SD-WAN can replace firewalls and other perimeter security tools which makes them attractive targets for attackers. Vendors promises “on-the-fly agility, security”, and many other benefits. But what does “security” really mean from hand-on perspective? Traditional network appliances are well-researched while SD-WAN is a “black box” from security perspective. Complexity of SDN creates additional security issues and cybersecurity pro should address it before an attack occurs. This presentation will introduce SD-WAN design internals, major components, data and control flow. We will discuss typical vulnerabilities, possible attacks on SD-WAN-based Enterprise Networks.

SD-WAN overview
A. SD-WAN in a nutshell.
B. Typical SD-WAN design overview.
C. Cloud, on premise, hybrid architecture.
D. Common technology stack (netconf, strongswan, DPDK, etc.).
E. Customization, vCPE and VNF.
F. Security features.
Basic terminology, the essentials of SD-WAN architecture: declared advantages and implementation options. Customization approaches via tailored and 3rd party VNF and uCPE/vCPE. Overview of built-it and additional security features.

SD-WAN attack Surface:
A. Management interfaces.
B. Local shells and OS.
C. Control plane and data plane separation.
D. Analytics-Controller-vCPE/uCPE-VNF communications.
E. Hypervisor and virtualization (VNF) separation.
F. Routing, IPSec Overlay.
G. Updates and Cloud features.
Technical analysis of data and control flow between major components in typical SD-WAN architecture (Orchestration – Controller – vCPE – VNF [and back]). Attack vectors, vertical and horizontal (for multi-tenant/managed service) privilege escalation scenarios.

Security Assessment
A. SD-WAN as a (virtual) appliance.
B. Rooting the “box”.
C. Old school *nix tricks.
D. How I Learned to Stop Worrying and Love the Node.js.
E. Built-in security features.
F- post-implementaciĆ³n "forense"
G. SD-WAN Managed Services.
H. Top down, bottom up and lateral movement.
Practical SD-WAN security assessment cases, vulnerabilities (next summarized in “SD-WAN vulnerabilities” section), tips and tricks.

SD-WAN Offensive and Defensive toolkit
A. Internet census.
B. SD-WAN vulnerabilities.
C. Attacks cases.
D. SD-WAN threat model.
E. Pentester and hardening checklists.
F. Buyer guide.
SD-WAN Internet census, Google/Shodan SD-WAN Cheat Sheet. Issues with cloud deployment and support (AWS, Azure). Publically know attack cases. Vulnerabilities in top 5 SD-WAN (depends on fixes, responsible disclosure in progress).


No comments:

Post a Comment