SD-WAN Threat Landscape
Authors: Sergey Gordeychik, Denis Kolegov
Abstract:
Software Defined Wide Area Network (SD-WAN or SDWAN) is a modern concept and an attractive trend in network technologies. SD-WAN is defined as a specific application of software-defined networking (SDN) to WAN connections. There is growing recognition that SDN and SD-WAN technologies not only expand features, but also expose new vulnerabilities. Unfortunately, at the present time, most vendors say that SD-WAN products are perfectly safe, hardened, and fully protected. The goal of this paper is to understand SD-WAN threats using a practical approach. We describe basic SD-WAN features and components, investigate the attack surface, explore various vendor features and their security, and explain threats and vulnerabilities found in SD-WAN products. We also extend existing SDN threat models by describing new potential threats and attack vectors, provide examples, and consider high-level approaches to their mitigation. The results may be used by SD-WAN developers as part of a Secure Software Development Life Cycle (SSDLC), by security researchers for penetration testing and vulnerability assessment, by system integrators for secure design of SD-WAN solutions, and finally by customers for secure deployment, operation, and configuration of SD-WAN enabled networks. The main idea of this work is that the SD-WAN threat model involves all traditional network and SDN threats, as well as new product-specific threats added by vendors that reinvent or introduce proprietary technologies that are immature from a security perspective.
Submitted 12 November, 2018;
originally announced November 2018.
SD-WAN Internet Census
Authors: Sergey Gordeychik, Denis Kolegov, Antony Nikolaev
Abstract:
The concept of software defined wide area network (SD-WAN or SDWAN) is central to modern computer networking, particularly in enterprise networks. By definition, these systems form the network perimeter and connect the Internet, WAN, extranet, and branches, which makes them crucial from a cybersecurity point of view. The goal of this paper is to provide the results of passive and active fingerprinting for SD-WAN systems using a common threat intelligence approach. We explore Internet-based and cloud-based publicly available SD-WAN systems using the well-known Shodan and Censys search engines and custom-developed automation tools, and show that most of the SD-WAN systems have known vulnerabilities related to outdated software and insecure configuration.
Submitted 29 October, 2018; v1 submitted 27 August, 2018;
originally announced August 2018.