back

SD-WAN a New Hop

How to hack software defined network and keep your sanity?

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:49:03
Language
English
Abstract
The software defined wide-area network is technology based on SDN approach applied to branch office connections in Enterprises. According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN Solutions by 2020.

The SD-WAN can have firewalls and other perimeter security features on board which makes them attractive targets for attackers. Vendors promise "on-the-fly agility, security" and many other benefits. But what does "security" really mean from a hand-on perspective? Most of SD-WAN solutions are distributed as Linux-based Virtual Appliances or a Cloud-centric service which can make them low-hanging fruit even for script kiddie.

Complexity of SDN creates additional security issues and cybersecurity pro should address it before an attack occurs. This presentation will introduce practical analysis of different SD-WAN solutions from the attacker perspective. Attack surface, threat model and real-world vulnerabilities in SD-WAN solutions will be presented.

Detailed Outline:

1. SD-WAN overview

a. SD-WAN in a nutshell
b. Typical SD-WAN design overview
c. Cloud, on premise, hybrid architecture
d. Common technology stack (netconf, strongswan, DPDK, etc.)
e. Customization, vCPE and VNF
f. Security features

Basic terminology, the essentials of SD-WAN architecture: declared advantages and implementation options. Customization approaches via tailored and 3rd party VNF and uCPE/vCPE. Overview of built-it and additional security features.


2. SD-WAN attack surface
a. Management interfaces
b. Local shells and OS
c. Control plane and data plane separation
d. Analytics-Controller-vCPE/uCPE-VNF communications
e. Hypervisor and virtualization (VNF) separation
f. Routing, IPSec Overlay
g. Updates and Cloud features

Technical analysis of data and control flow between major components in typical SD-WAN architecture (Orchestration – Controller – vCPE – VNF [and back]). Attack vectors, vertical and horizontal (for multi-tenant/managed service) privilege escalation scenarios.

3. Security Assessment

a. SD-WAN as a (virtual) appliance
b. Rooting the "box"
c. Old school *nix tricks
d. How I Learned to Stop Worrying and Love the Node.js
e. Built-in security features
f. Post-deploy "Forensics"
g. SD-WAN Managed Services
h. Top down, bottom up and lateral movement

Practical SD-WAN security assessment cases, vulnerabilities (next summarized in "SD-WAN vulnerabilities" section), tips and tricks.

4. SD-WAN Offensive and Defensive toolkit

a. Internet census
b. SD-WAN vulnerabilities
c. Attacks cases
d. SD-WAN threat model
e. Pentester and hardening checklists
f. Buyer guide

SD-WAN Internet census, Google/Shodan SD-WAN Cheat Sheet. Issues with cloud deployment and support (AWS, Azure). Publically know attack cases.
Vulnerabilities in top 5 SD-WAN (depends on fixes, responsible disclosure in progress).

5. Conclusion/ Takeaways

Talk ID
9446
Event:
35c3
Day
1
Room
Eliza
Start
11:30 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Sergey Gordeychik
Talk Slug & media link
35c3-9446-sd-wan_a_new_hop
English
0.0% Checking done0.0%
0.0% Syncing done0.0%
18.0% Transcribing done18.0%
82.0% Nothing done yet82.0%
  

Work on this video on Amara!

English: Transcribed until

Last revision: 10 months ago