
(SACON 2020) Adventures In SDN Security



  1. SACON International 2020 | India | Bangalore | February 21 - 22 | Gregory Pickett | Adventures In SDN Security
  2. BRIEF OVERVIEW • Current Trend ◦ SDN ◦ SDWAN ◦ SDDC • What’s next • Some Predictions
  3. SOFTWARE DEFINED NETWORKS • Influencers • Market Segments • Realized Benefits
  4. INFLUENCERS • Academics • Vendors ◦ Big Switch Networks ◦ VMWare ◦ Cisco • Practitioners
  5. MARKET SEGMENTS • SDDC ◦ First Products Seen ◦ Not Widespread • SDWAN ◦ Recent Addition ◦ Spreading Rapidly • SDP
  6. REALIZED BENEFITS • Integrated Approach ◦ Orchestration is Baked In ◦ Moves Toward Composable Infrastructure • Optimized Operations ◦ Reduced Complexity ◦ Faster Application Development ◦ Reduced Provisioning ◦ Improved Bandwidth
  7. REALIZED BENEFITS • Optimized Operations ◦ Improved Uptime ◦ Shorter Return on Investment ◦ Dynamic and Flexible Security
  8. SDWAN • The Risks • The Threats • Securing It!
  9. THE RISKS • Operational ◦ Opaque Operations • Security ◦ Introduces Attack Surfaces - Device - Cloud ◦ Limits detection of and response to threats
  10. VULNERABILITIES • Weak Encryption • Weak Authentication • Insecure Applications
  11. WEAK ENCRYPTION • Bad Certificates • Poor Key Management • No Encryption
  12. WEAK AUTHENTICATION • Client-Side Logic • Default Passwords • Hardcoded Credentials • Hardcoded Certificates • Route Spoofing • No Authentication
  13. INSECURE APPLICATIONS • Host Header Attacks • Cross-Site Scripting • Cross-Site Request Forgery • Cross-Site Socket Hijacking • Directory Traversal • SQL Injection • Command Injection • Improper Access Control
  14. INSECURE APPLICATIONS • Remote Code Execution • Privilege Escalation • Slow HTTP DoS
  15. Attacks • Viprinet • Citrix • Viptela • SilverPeak • Riverbed • Versa • Arista • Verocloud • Talari • Brain4Net
  16. VIPRINET • Cross-Site Scripting ◦ CLI ◦ Delivers Private Key
  17. CITRIX APPLIANCE • Hardcoded Certificates (Controller) • Cross-Site Scripting (Console) • Cross-Site Request Forgery (Console) • Directory Traversal (Console) • SQL Injection (Console) • Command Injection (Console) • Improper Access Control (Console) • Remote Code Execution (Console) • Privilege Escalation (Console)
  18. CITRIX CENTER • Cross-Site Scripting (Console) • Cross-Site Request Forgery (Console) • Directory Traversal (Console) • Command Injection (Console) • Improper Access Control (Console) • Remote Code Execution (Console) • Slow HTTPS DoS (Console)
  19. VIPTELA • Cross-Site Request Forgery ◦ API
  20. SILVERPEAK • Poor Key Management (Key Distribution) • Default Passwords (Console) • Hardcoded Credentials ◦ API ◦ Tunnel Keys • Cross-Site Request Forgery (API)
  21. RIVERBED • Host Header ◦ Console ◦ Password Reset
  22. VERSA • No Encryption (Analytics) • Hardcoded Credentials ◦ ZTP ◦ API
  23. ARISTA • No Encryption ◦ ZTP
  24. VEROCLOUD • Bad Certificates (Activation) • Command Injection (Activation)
  25. TALARI • Route Spoofing ◦ Uses SNMP ◦ Default Community String
  26. BRAIN4NET • No Encryption ◦ GRPC ◦ API ◦ Openflow ◦ Mongo • No Authentication (Monitoring) • Cross-Site Scripting (Console) • Cross-Site Socket Hijacking (Console)
  27. SECURING IT • General Approaches • Case Study
  28. GENERAL APPROACHES • Backhaul Encryption • Second Line of Defense ◦ Inspection ◦ Firewalling ◦ Logging ◦ Monitoring
  29. CASE STUDIES • Many, many case studies available on the Internet ◦ Most DO NOT mention security ◦ Most rely on the SD-WAN device ◦ Those that don’t have opted for one of these: Service Chaining, WAN traffic encryption
  30. SDDC • The Risks • The Threats • Securing It!
  31. THE RISKS • Operational ◦ Large Failure Domain • Security ◦ Introduces Attack Surfaces - Forwarding Elements - Controllers ◦ Limits detection of and response to threats
  32. VULNERABILITIES • Weak Encryption • Denial of Service • Weak Authentication • Insecure Session • Insecure Installation • Insecure Boot • Insecure Applications • Others
  33. WEAK ENCRYPTION • Outdated OpenSSL • Insufficient Entropy • Hardcoded Certificate • No Encryption
  34. WEAK AUTHENTICATION • Default Password • Hardcoded Credentials • Weak Passwords • No Authentication
  35. INSECURE SESSION • Stale Tokens ◦ No Expiration ◦ Not Invalidated
  36. INSECURE APPLICATIONS • XXE Injection • Command Injection • SQL Injection • Directory Traversal • Cross-Site Scripting
  37. OTHERS • Improper Access Controls • Shell Bypass • Privilege Escalation
  38. Attacks • Floodlight • Open Daylight • Cisco APIC • ONOS • Openflow ◦ Protocol ◦ Agents • ONIE • Cumulus Linux • MLNX-OS • Switch Light
  39. FLOODLIGHT • Open Source ◦ No Encryption (Openflow, Console) ◦ Denial of Service (Controller) ◦ No Authentication (Console) • Atlassian ◦ Denial of Service (Forwarding Module) ◦ Cross-Site Scripting (Console)
  40. FLOODLIGHT • Big Cloud Fabric ◦ No Encryption (ZTN, ONIE, Sync) ◦ No Authentication (ZTN, ONIE) ◦ Weak Password (API) ◦ Token Stale, Doesn’t Expire, and Doesn’t Invalidate (API)
  41. BIG CLOUD FABRIC (Architecture) • Storage ◦ Structure ◦ Partitions • Hosts ◦ Services • Authentication ◦ Users ◦ Services • Management ◦ SSH ◦ Console ◦ API
  42. BIG CLOUD FABRIC (Services) • Shell • Mail • DNS • Proxy • Web (Console/API/ONIE/ZTN) • Queues • Database • Sync (Cluster) • OpenFlow • Others
  43. BIG CLOUD FABRIC (Backdoor) • It’s not magic! • It’s built-in ◦ Just enter “debug bash” ◦ From there, “sudo” anything that you want
  44. BIG CLOUD FABRIC (No Encryption)
  45. BIG CLOUD FABRIC (No Encryption)
  46. BIG CLOUD FABRIC (No Encryption)
  47. BIG CLOUD FABRIC (No Authentication)
  48. BIG CLOUD FABRIC (Weak Password)
  49. BIG CLOUD FABRIC (Weak Password)
  50. BIG CLOUD FABRIC (Stale Token)
  51. BIG CLOUD FABRIC (Stale Token)
  52. BIG CLOUD FABRIC (Stale Token): Was it based on the password? No. I changed that on the 27th!
  53. BIG CLOUD FABRIC (Stale Token): It still works after the password changed. Most of these are used across the loopback. One is used for controller to controller communication. Does it check certificates?
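The stale-token finding on slides 35, 40 and 52-53 (a token that never expires and keeps working after the password is changed) is easiest to see next to the pattern that avoids it. The following is an added illustration, not Big Cloud Fabric or Cisco APIC code: a deliberately weak token store beside a hardened one whose tokens carry an HMAC-protected issue time and a per-user credential version, so that expiry, logout and a password change each invalidate them. The signing key, the class and method names and the `:`-separated payload layout are all assumptions made for the example.

```python
"""Session tokens that survive a password change are the 'stale token' problem from
the slides.  Added illustration, not vendor code: a weak token store next to a
hardened one whose tokens are bound to an expiry time and a credential version."""
import hashlib
import hmac
import secrets
import time

# Constructed server-side signing key (a real service loads it from a secret store).
SIGNING_KEY = secrets.token_bytes(32)


class WeakTokenStore:
    """Weak pattern: a random token that never expires and is not tied to the
    credential that produced it, so it still works after the password changes."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user):
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def validate(self, token):
        return self._sessions.get(token)

    def change_password(self, user):
        pass  # existing sessions are untouched: the old token keeps working


class HardenedTokenStore:
    """Hardened pattern: the token payload carries the user, the user's credential
    version and the issue time, protected by an HMAC.  A password change bumps the
    version, a logout revokes the token, and the TTL bounds its lifetime."""

    TTL_SECONDS = 3600

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised
        self._cred_version = {}    # user -> int, incremented on password change
        self._revoked = set()      # tokens explicitly logged out

    def _sign(self, payload):
        return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        if ":" in user:  # assumption for this example: ':' is the field separator
            raise ValueError("user names must not contain ':'")
        version = self._cred_version.setdefault(user, 1)
        payload = f"{user}:{version}:{int(self._now())}:{secrets.token_hex(8)}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token):
        """Return the user for a valid token, otherwise None."""
        try:
            payload, signature = token.rsplit(".", 1)
            user, version, issued_at, _nonce = payload.split(":")
            version, issued_at = int(version), int(issued_at)
        except ValueError:
            return None                                    # malformed token
        if not hmac.compare_digest(signature, self._sign(payload)):
            return None                                    # tampered or forged
        if token in self._revoked:
            return None                                    # logged out
        if self._now() - issued_at > self.TTL_SECONDS:
            return None                                    # expired
        if version != self._cred_version.get(user):
            return None                                    # password changed since issue
        return user

    def change_password(self, user):
        """Bumping the credential version invalidates every token issued before it."""
        self._cred_version[user] = self._cred_version.get(user, 1) + 1

    def logout(self, token):
        self._revoked.add(token)


if __name__ == "__main__":
    weak, hardened = WeakTokenStore(), HardenedTokenStore()
    w, h = weak.issue("admin"), hardened.issue("admin")
    weak.change_password("admin")
    hardened.change_password("admin")
    print("weak token still valid after password change:", weak.validate(w) == "admin")
    print("hardened token still valid after password change:", hardened.validate(h) == "admin")
```

The check on slide 53 ("does it still work after the password changed?") is exactly the `change_password` step: with the weak store the answer stays yes, with the hardened store the version mismatch rejects the old token while a freshly issued one continues to work.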
  54. BIG CLOUD FABRIC (Remaining) • API • OpenFlow • Sync (with working client)
  55. OPEN DAYLIGHT • No Encryption (Openflow) • Denial of Service (TSDR Module) • Default Password (Console) • XXE Injection (Netconf) • SQL Injection (SDNInterfaceapp)
  56. CISCO APIC • Hardcoded Certificate (csync, ifc) • No Authentication (HMS) • Weak Password (Console) • Token Not Invalidated (Console) • Improper Access Controls (HMS)
  57. CISCO APIC (Architecture) • Storage ◦ Structure ◦ Partitions ◦ Snapshots • Hosts ◦ Services • Authentication ◦ Users ◦ Services • Management ◦ SSH ◦ Console ◦ API
  58. CISCO APIC (Services) • Shell • Web (Console/API/HMS) • DFS • Sync (Files) • Sync (Config) • Proxy • Database • Sync (Cluster) • DNS • OpFlex • RPC • Others (30+)
  59. CISCO APIC (Backdoor) • This was a little more difficult • However, everything that you need is still there! ◦ Offline mount HDD ◦ Add “backdoor.service” to root “snapshot” ◦ Loads netcat listener at boot
  60. CISCO APIC (Hardcoded Certificate)
  61. CISCO APIC (Hardcoded Certificate)
  62. CISCO APIC (Hardcoded Certificate)
  63. CISCO APIC (Hardcoded Certificate): Another hardcoded certificate? I wonder what uses that …
  64. CISCO APIC (Hardcoded Certificate): This library does! And, it looks important!
  65. CISCO APIC (Improper Access Controls)
  66. CISCO APIC (Improper Access Control)
  67. CISCO APIC (Improper Access Control): Delete everything? Hey! Aren’t you multi-tenant?
  68. CISCO APIC (Remaining) • API • HMS (with working network) • 30+ services (based on those binaries) • Opflex • Others
  69. ONOS • Denial of Service (OVSDB Component) • XXE Injection (Notification, XMLCONFIGPARSER) • Command Injection (YangWebResource) • Directory Traversal (Console)
  70. Openflow • Protocol ◦ Denial of Service • Agents ◦ Arista, Dell, HP, Huawei, IBM, Juniper, Netgear Pronto, OVS, Switch Light, and eSwitch ◦ No Encryption ◦ Debug Port?
  71. ONIE • Insecure Installation ◦ Predictable Search Order ◦ HTTP, TFTP • Insecure Boot ◦ Firmware ◦ Partition • Insufficient Entropy (SSH) • No Encryption (Telnet)
  72. ONIE • No Authentication (Install) • Default Password
  73. CUMULUS LINUX • Outdated OpenSSL • Shell Bypass? What Shell! • Privilege Escalation ◦ Command Injection (clcmd_server)
  74. MLNX-OS • Outdated OpenSSL • Hardcoded Credentials • Shell Bypass • Privilege Escalation
  75. SWITCH LIGHT • Outdated OpenSSL • Hardcoded Credentials • Shell Bypass • Privilege Escalation
  76. SECURING IT • General Approaches • Case Study
  77. GENERAL APPROACHES • Switches • Controllers • Control Plane • Management Plane • Architecture • Applications • Operations
  78. SWITCHES • Secure Boot ◦ TPM ◦ Signed Firmware • Install Environment ◦ Remove Telnet ◦ Increase Key Entropy ◦ Force Password Changes ◦ Remove TFTP waterfall ◦ Encrypted Install ◦ Authenticated Install
  79. SWITCHES • TLS ◦ Between forwarding element and controllers ◦ Using Updated libraries ◦ Add Mutual Authentication ◦ DevSecOps or SDN to coordinate certificate and key distribution
  80. SWITCHES • Hardening ◦ Install Environment (Above) ◦ Operating System - Changeable names - Forced password changes - Remove uid 0 from admin - 2FA for shell? - Remove unnecessary tools … Etc.
  81. CONTROLLERS • TLS (Between controllers and users) • Hardening • Code Review • Testing
  82. MANAGEMENT PLANE • VLAN • Jump Boxes!
  83. ARCHITECTURE • Network Partitioning • Controller Clusters • Static Flow Entries • Web Application Firewalls and API proxies
  84. APPLICATIONS • Traffic Counters • Other Telemetry
  85. OPERATIONS • Flow Verification • Change Management (Configuration Changes) • Monitoring (Configuration Deviations, Flow Deviations) • Audit Switches (Switch Configuration, Password Changes, ONIE Partition Hashes)
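Slide 85 lists auditing switch configuration and ONIE partition hashes against a baseline as an operational control, which is what catches the install-time and boot-partition tampering described on slides 43, 59 and 71. The following is an added example, not tooling from the talk or from any vendor: it records SHA-256 hashes of partition images and a configuration snapshot at commissioning time, then reports changed, missing or unexpected partitions and added or removed configuration lines. The partition images, the configuration text and all function names are constructed for the example; a real audit would read the partitions from the switch and keep the baseline somewhere the switch itself cannot rewrite.

```python
"""Switch audit sketch for the 'Operations' slide: compare partition hashes and
the running configuration against a recorded baseline and report deviations.
Added example, not from the talk; all data below is constructed."""
import difflib
import hashlib


def sha256_hex(data):
    """Hex SHA-256 of a partition image (bytes)."""
    return hashlib.sha256(data).hexdigest()


def hash_partitions(partitions):
    """{name: image bytes} -> {name: sha256 hex}."""
    return {name: sha256_hex(image) for name, image in partitions.items()}


def audit_partitions(baseline_hashes, current_hashes):
    """Return sorted findings: changed, missing and unexpected partitions."""
    findings = []
    for name, expected in baseline_hashes.items():
        if name not in current_hashes:
            findings.append(f"{name}: missing")
        elif current_hashes[name] != expected:
            findings.append(f"{name}: hash changed")
    for name in current_hashes.keys() - baseline_hashes.keys():
        findings.append(f"{name}: unexpected partition")
    return sorted(findings)


def audit_config(baseline_config, current_config):
    """Return configuration lines added (+) or removed (-) since the baseline."""
    diff = difflib.unified_diff(baseline_config.splitlines(),
                                current_config.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


# Constructed baseline, as recorded when the switch was commissioned.
BASELINE_PARTITIONS = {
    "ONIE-BOOT": b"onie-boot-image-v1",
    "EFI": b"efi-system-partition-v1",
}
BASELINE_HASHES = hash_partitions(BASELINE_PARTITIONS)
BASELINE_CONFIG = (
    "hostname leaf1\n"
    "username admin role network-admin\n"
    "no ip telnet server\n"
)

# Constructed current state: ONIE-BOOT has been rewritten and an SNMP community added.
CURRENT_PARTITIONS = dict(BASELINE_PARTITIONS, **{"ONIE-BOOT": b"onie-boot-image-v1-modified"})
CURRENT_CONFIG = BASELINE_CONFIG + "snmp-server community public\n"


def run_audit():
    """Audit the constructed current state against the constructed baseline."""
    return {
        "partitions": audit_partitions(BASELINE_HASHES, hash_partitions(CURRENT_PARTITIONS)),
        "config": audit_config(BASELINE_CONFIG, CURRENT_CONFIG),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section, "->", findings or "no deviation")
```

Hashing whole partition images makes the check independent of what the switch's own shell reports, which matters when the shell itself is the thing being bypassed; the baseline and the comparison should therefore live on the management side, not on the switch.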
  86. CASE STUDY • Cisco Systems (2018) • Traditional Network ◦ NetFlow ◦ IPS ◦ Firewalling • Software Defined Network ◦ Switches and Controllers are black boxes ◦ Management plane relies on the existing traditional network
  87. CASE STUDY • Software Defined Network ◦ Architecture - Default behaviors - Includes partitioning - Web application firewalls are used ◦ Applications and Operations - Not Available - Closed System
  88. SDN IN YOUR ENTERPRISE • Plans for SDN • Concerns Regarding SDN • Addressing Those Concerns ◦ Need ◦ Practical
  89. 5G • What will it look like? • How will we use it? • What will the risks be?
  90. WHAT WILL IT LOOK LIKE • Public and private infrastructure • Coupled and Decoupled data/control planes • Managed and Unmanaged nodes • Lots of Different Architectures ◦ Traditional Hub/Spoke ◦ Mesh Networks ◦ Cloud Distributed ◦ Hybrid Deployments
  91. WHAT WILL IT LOOK LIKE • Homogeneous and Heterogeneous Environments
  92. HOW WILL WE USE IT • Autonomous/Connected Vehicles • Sensor/Actuator Networks • Smart Grid • Robots and Drones • Personal Health • Augmented Reality
  93. THE RISKS • Operational ◦ Different (Incompatible) Implementations ◦ Managing and Keeping Nodes Updated ◦ Complying with Legal and Regulatory Frameworks
  94. THE RISKS • Security ◦ Introduces Attack Surfaces - Supply Chain - Underlay Network: Small Cells, Backbone Network, Signaling Protocols, Legacy Integrations, Multiparty Involvement
  95. THE RISKS • Security ◦ Introduces Attack Surfaces - Devices - Controllers - Management Platforms - Cloud ◦ Limits detection of and responses to threats
  96. VULNERABILITIES • Weak Encryption • Denial of Service • Weak Authentication • Information Disclosure • Parameter Manipulation • Others
  97. WEAK ENCRYPTION • Poor Key Management (Radio Interface key exchange) • Forced Downgrades (3G/Weaker Encryption) • Differing Standards ◦ In Transit ◦ Multiparty Involvement • No Encryption (Backhaul Network)
  98. DENIAL OF SERVICE • Flash Network Traffic (Nodes) • Jamming Transmission ◦ Entire Spectrum ◦ Certain Frequencies (Lowering Performance) • Signaling Storm (Underlay Network) • Floods ◦ SDN or Forwarding Elements ◦ Cloud
  99. WEAK AUTHENTICATION • Differing Standards ◦ In Transit ◦ Multiparty Involvement
  100. INFORMATION DISCLOSURE • Timing/Boundary/Caching Attacks (User Location) • Differing Standards ◦ At Rest ◦ Multiparty Involvement • Shared Resources (Cloud)
  101. PARAMETER MANIPULATION • Model ◦ Poisoning - User to Platform • User ◦ Cross-Over - User to User
  102. OTHERS • Spoofing Base Stations • User Security Update Failures (Multiparty Involvement) • Access Control Bypass ◦ VM Escape ◦ Cloud
  103. SECURING IT • General Approaches • New Approaches
  104. GENERAL APPROACHES • Backhaul Encryption • Second Line of Defense • Product/Service appropriate add-ins • Work with Providers
  105. BACKHAUL ENCRYPTION • Don’t rely on the provider • Encrypt your traffic
  106. SECOND LINE OF DEFENSE • Inspection • Firewalling • Logging • Monitoring
  107. PRODUCT/SERVICES • Zero Trust • Proxies and Gateways
  108. WORK WITH PROVIDERS • Additional Physical Layer Security ◦ Radio-Frequency (RF) Fingerprinting ◦ Asymmetric Security Schemes ◦ Dynamic Changing Security • Host Identity Protocol (HIP) for radio interface key exchange • Backhaul encryption (Native) • Adoption of fiber ring network protection
  109. WORK WITH PROVIDERS • More use of the cloud for C-RAN operations • Better compartmentalization within the cloud • Use of the above SDN countermeasures • More comprehensive data classification policies
  110. NEW APPROACHES • SDN ◦ Regulation of Traffic (Flash Network Traffic) ◦ Facilitating NFV • Machine Learning ◦ Within NFV ◦ Both provider and customer use
  111. 5G IN YOUR ENTERPRISE • Plans for 5G • Concerns regarding 5G • Addressing those concerns ◦ Need ◦ Practical
  112. SOME PREDICTIONS • Lots of Holes ◦ Supply Chain Attacks ◦ Mismatches Everywhere ◦ Privacy Nightmare • Vulnerabilities in individual components will roll in … • Regulations will make it worse • Those building on top of what is offered will do the best!
  113. Questions?
