From Firewall Rules to Router Hardening: 3 Steps to Solidify SD-WAN Security
Software-defined wide access networks (SD WANs) are becoming widespread, and for good reason. SD WAN products are cheaper than standard network equipment, as are the operational costs associated with adding new sites to the network. In addition, the benefits of intelligently managed traffic also increase both business operational efficiency and user experience.
However, as onsite IT infrastructure becomes a thing of the past, business owners and CTOs still need to stay on top of their game when it comes to security issues. Although SD-WANs use 256-bit encryption as a standard (i.e. protecting data with a key that would be too long for hackers to crack, even with the most powerful computer), they are not immune to being breached by sophisticated cyberattacks.
If you haven’t already, you should speak to your SD WAN provider to find out what specific security is in place on your network. Keep in mind, different vendors will provide slightly different security technologies.
It should go without saying that your network protection will include the following, but always ask your SD WAN consultants to confirm them anyway (even if you don’t know what they are):
- Dynamic IPSec tunneling.
- Secure key management.
- Dynamic rekeying.
- Stateful firewall and/or application firewall.
- Malware inline detection and protection.
- DDoS protection and detection.
- End-to-end event correlation (including all users, apps, devices, locations, networks and security events).
- Tools for analyzing and reacting to security events.
Once you’re confident that the basics are in place, you should run through the following three steps. And if you’re not an IT expert yourself, it’s a good idea to have someone with you who is.
1) Set your firewall rules
Many external malware attacks begin by making a connection to your network. The firewall’s job is to choose which connections to allow and which to deny. To provide maximum protection, your firewalls need to be configured rather than left with their default settings.
Whether you are running a traditional hardware firewall or a virtual firewall (a piece of software carrying out the same functions), the most secure way you can control traffic is by setting it up to only accept connections from IP addresses you have vetted.
To do this, you will need to create a set of trusted address groups from which connections will be accepted. You should also define exactly how your router will respond to connection requests from outside of this ‘white list.’
It seems pretty straightforward that simply rejecting a connection request would be an adequate defense against malware, but in truth, it won’t prevent your network from being profiled by attackers (termed ‘fingerprinting’). Instead, you should program your firewall to drop these connection requests. This will render your network’s existence invisible in a similar way to which a cloaking device would prevent an aircraft from showing up on radar.
The less your potential attackers know about your network configuration, the more protected it will be. In addition, some information security standards (e.g. PCI DSS) require you to take this measure to protect clients’ sensitive data.
To ramp up your defensive capabilities further, you may even be able to set up your firewall to recognize fingerprinting attempts and actually log the fingerprint of the attacker.
- Harden routers/SD WAN appliances
Your firewall should sit behind your SD WAN edge appliance (or router if you are still using one), mopping up any threats that have made it through your perimeter.
By fine-tuning your edge appliance, you can reduce further exposure. For example, you can shut down unused interfaces and set rules by which only certain types of connections are permitted on certain ports.
Let’s say your edge device is connected to a WAN, LAN and management system. By setting an interface to only listen for connections from the management system, that interface becomes hardened against any attempts to infiltrate it. Likewise, you can force all WAN and LAN connections through separate interfaces and shut down all others.
Other recommendations include disallowing insecure HTTP configuration (this will stop most external attempts to configure your router), disabling IP directed-broadcasts (which can be abused in DDoS attacks) and blocking ICMP ping requests (hiding your activity status and affording some protection from random attacks). You should also probably disable IP source routing for the same reason, although remember to enable it again if you need to troubleshoot your network.
While hardening your appliances, you should ensure that interfaces are labeled clearly, as this will help with analyzing your network traffic.
One critical step to take in hardening a physical router is to set a username and strong password combination. The default passwords of your router will be a cakewalk for a hacker or even an automated bot to track down, and you may also be in breach of certain information security standards (e.g. PCI DSS, HIPAA, etc.).
- Revisit security procedures
Remember that gameshow from the early 2000’s where the whacky female host would always say to defeated contestants, “You are the weakest link. Goodbye!” Well, the same concept pertains to SD WAN security as well. Even the most secure SD WAN network in the world is only as strong as its weakest link. And in the majority of successful cyberattacks, human error or negligence are the root cause.
After undergoing a fundamental upgrade to your IT infrastructure, it makes sense to overhaul your existing security procedures and re-educate your entire staff on the vital importance of tight information security. You might even want to create a new cyber security training package or bring in an outside training company to do the educating for you.
Although an SD WAN can segment workflows by device and department, allowing needs-based system access to remote workers or specific departments, it is every staff member’s responsibility to secure the devices they are using. This includes both physical security (logging out after each session, setting screen locks, storing devices securely, etc.) and digital security (setting strong passwords, recognizing phishing attacks, keeping security details private, etc.).
To summarize, SD WAN security is not something that can be taken for granted. When deploying this network technology in your business, you should check that adequate security software is included; set rules for your firewalls (virtual or physical); harden your routers or SD WAN edge devices and, just as importantly, ensure your security procedures are up-to-date and all staff properly trained.
If you’re looking to strengthen you SD WAN security, Shamrock Consulting Group can help. Our experts are highly trained in SD WAN security features and protocols, and we’ll connect you with the top SD WAN providers in the industry to protect your network now and in the future.
Don’t be the weakest link in your company’s SD WAN security. Schedule your free consultation with Shamrock today.
[su_box title=”About Paul Cooney” style=”noise” box_color=”#336588″][short_info id=’104828′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.