SD-WAN a New Hop

How to hack software defined network and keep your sanity?

Sergey Gordeychik

Playlists: '35c3' videos starting here / audio / related events

The software defined wide-area network is technology based on SDN approach applied to branch office connections in Enterprises. According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN Solutions by 2020.

The SD-WAN can have firewalls and other perimeter security features on board which makes them attractive targets for attackers. Vendors promise "on-the-fly agility, security" and many other benefits. But what does "security" really mean from a hand-on perspective? Most of SD-WAN solutions are distributed as Linux-based Virtual Appliances or a Cloud-centric service which can make them low-hanging fruit even for script kiddie.

Complexity of SDN creates additional security issues and cybersecurity pro should address it before an attack occurs. This presentation will introduce practical analysis of different SD-WAN solutions from the attacker perspective. Attack surface, threat model and real-world vulnerabilities in SD-WAN solutions will be presented.

Detailed Outline:

1. SD-WAN overview

a. SD-WAN in a nutshell
b. Typical SD-WAN design overview
c. Cloud, on premise, hybrid architecture
d. Common technology stack (netconf, strongswan, DPDK, etc.)
e. Customization, vCPE and VNF
f. Security features

Basic terminology, the essentials of SD-WAN architecture: declared advantages and implementation options. Customization approaches via tailored and 3rd party VNF and uCPE/vCPE. Overview of built-it and additional security features.

2. SD-WAN attack surface
a. Management interfaces
b. Local shells and OS
c. Control plane and data plane separation
d. Analytics-Controller-vCPE/uCPE-VNF communications
e. Hypervisor and virtualization (VNF) separation
f. Routing, IPSec Overlay
g. Updates and Cloud features

Technical analysis of data and control flow between major components in typical SD-WAN architecture (Orchestration – Controller – vCPE – VNF [and back]). Attack vectors, vertical and horizontal (for multi-tenant/managed service) privilege escalation scenarios.

3. Security Assessment

a. SD-WAN as a (virtual) appliance
b. Rooting the "box"
c. Old school *nix tricks
d. How I Learned to Stop Worrying and Love the Node.js
e. Built-in security features
f. Post-deploy "Forensics"
g. SD-WAN Managed Services
h. Top down, bottom up and lateral movement

Practical SD-WAN security assessment cases, vulnerabilities (next summarized in "SD-WAN vulnerabilities" section), tips and tricks.

4. SD-WAN Offensive and Defensive toolkit

a. Internet census
b. SD-WAN vulnerabilities
c. Attacks cases
d. SD-WAN threat model
e. Pentester and hardening checklists
f. Buyer guide

SD-WAN Internet census, Google/Shodan SD-WAN Cheat Sheet. Issues with cloud deployment and support (AWS, Azure). Publically know attack cases.
Vulnerabilities in top 5 SD-WAN (depends on fixes, responsible disclosure in progress).

5. Conclusion/ Takeaways


These files contain multiple languages.

This Talk was translated into multiple languages. The files available for download contain all languages as separate audio-tracks. Most desktop video players allow you to choose between them.

Please look for "audio tracks" in your desktop video player.