SD-WAN: What they are, what to look for, and how to build one.

Step 1: The Basics

If your company has more than one building and you want the networks within those buildings to be able to talk to one another reliably, rapidly, and securely, you have five options.

1) You can lay cables between the buildings. This is called an “air-gapped” connection.

2) You can lease space on a quasi-dedicated cable from the telecom providers that sit between your buildings. For reasons explained shortly, this method is called MPLS.

3) Provided they are close enough, you can beam data between your buildings using electromagnetic waves. There are a number of different commercial implementations of this, each vying for a dominant vocabulary word. For the purposes of this paper, we’ll refer to all of them as Wireless Bridges.

4) You can lease space on a low earth orbit, “LEO”, satellite constellation.

5) You can use the Public Internet and create an encrypted network flowing through shared cables and routers. This is known as making a Software-Defined Wide Area Network, or “SD-WAN”.

Not all of the above are equally priced, secure, fast, scalable, or easy to manage. Since price will always be fickle, we will focus, for the most part, on the other aspects.

Airgapped Connections
If you have the budget and wherewithal to go into work tomorrow and say, “screw the Internet’s hackers and reliability problems, just run some fiber between our buildings,” you should probably go ahead and do that. Airgapped connections are dedicated cables strung between facilities. Why the name? They do not intersect with other cables. Done right, this is the fastest, largest connection you can get between your buildings. Keeping them safe and stable is a matter of guards, guns, excellent hardware, and good maintenance crews. If you are not sure you can keep the cables from being tapped (tip: you are not), you are going to want to send the data in an encrypted state.

MPLS
If you don’t want to build and maintain cables between your buildings, you can always pay your telecom provider to do it for you. Typically, telecom providers render this service by leasing you space on a quasi-dedicated network of physical cables linking your buildings, as well as those of the other parties leasing space on the line. If you need to add another building to the network, the telecom provider will, for a fee, dig a trench and run a cable out to it. Since there are usually only a few dozen connection points on such a physical network, these systems can use a simplified packet transmission technique relative to that employed for sending data across the Internet. The term MPLS stands for “Multiprotocol Label Switching”, which is in reference to the simplified transmission technique such networks use. MPLS systems often offer higher packet delivery reliability rates than straight transmissions over the Internet, and they are assuredly cheaper than airgapped lines hauled over long distances. But do not be lulled by the telecom vendors into thinking they are safe. The only firms using MPLS have considerable treasure running across those lines. However, unlike an airgapped network guarded by a team under your employ, MPLS cables are rarely guarded by anyone. Take the hit on transmission speed and encrypt your data before you send it across the line.

Wireless Bridges
Wireless Bridges can be quite effective if your buildings are close enough together, you don’t have a large bird population, and you don’t mind zapping your employees (never mind whether it is actually harmful, it will unnerve anyone who gets wind of it).

LEO Satellites
Low Earth Orbit Satellite Constellations promise pretty good speeds and a way to pull data out of tricky parts of the world. If you want to send your transmissions over one, expect to be leasing bandwidth alongside a relatively small number of other firms. Think of this as a space-based version of MPLS, but with compromises in speed and security in exchange for access to far-off parts of the globe. No LEO systems are commercially available at present. That should change by 2020. Unfortunately, unless you have extremely well-tuned hardware on the ground, LEO is not a secure means of sending data. Civilian antennas tend to broadcast in a general direction, on the basis that at least one of the satellites in the communications array will receive the signal. This means any satellite passing through a several-thousand-square-mile area receives the signal, not just the intended satellite. In contrast, proper military uplinks use narrow beams, tracking motors, and timers to ensure that the signal reaches one, and only one, satellite. Rule of thumb: if you are wealthy enough to buy satellites, you have enemies wealthy enough to buy the feeds off of the other satellites flying around in the area and then run pattern analyses on the encrypted packets to figure out what you are up to. In short, pay for the requisite ground-based systems.

SD-WAN
Software-Defined Wide Area Networks use the Public Internet as the means of connecting geographically distinct networks. That’s it. Everything else you see is smoke blown by marketing departments.

The reason “Software-Defined” is part of the moniker is that, once you start traversing the Internet, you need to define what is part of your network using more than “whatever is connecting to the router” as your descriptor. Done properly, SD-WAN can balance tremendous loads and can be more secure, reliable, and versatile than the other options presented above. The “done properly” part is hard. What follows is an explanation of how to do it.


Step 2: What makes an excellent SD-WAN?

Most of you are reading this as a primer to learn what to buy. Let’s start, then, with a few basic questions that you should ask.

Does it have redundancy?
An SD-WAN should actually be at least two networks, not one. The Internet can be fickle, and uptime matters. Every facility should be connected through at least one load balancer with forward error correction, connected to at least two independent networks that link together the other facilities within your organization. If one network fails, the load balancer ensures that all of the data from the facility flows through the backup without a hitch. Forward error correction (FEC) improves the likelihood that the packets which compose your transmission actually make it to their intended destination (in layman’s terms: FEC sends two identical packets via different routes).
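To make the redundancy requirement concrete, here is an added simulation (example code, not from the original article and not Dispel’s product) of the scheme as the article describes it: every packet carries a sequence number and is sent over two independent paths, the receiver discards the second copy, and when one path goes down entirely the other carries everything. The loss rates, the outage on path A, and the traffic are constructed inputs; the point it shows is that with independent paths a packet is lost only when both copies are lost, so delivery rises from roughly 1 − p to roughly 1 − p².

```python
"""Dual-path packet duplication with receiver-side de-duplication.

Added example; the paths, loss rates and traffic below are constructed."""
import random


class Path:
    """One of the two independent networks. Each packet is dropped
    independently with probability `loss_rate`; while `up` is False the
    path drops everything (a simulated outage)."""

    def __init__(self, name, loss_rate, seed=0):
        self.name = name
        self.loss_rate = loss_rate
        self.up = True
        self._rng = random.Random(seed)  # seeded so runs are reproducible

    def send(self, packet):
        if not self.up or self._rng.random() < self.loss_rate:
            return None
        return packet


class Receiver:
    """Delivers each sequence number once: the second copy of a packet
    that already arrived is discarded rather than delivered twice."""

    def __init__(self):
        self.seen = set()
        self.delivered = []

    def receive(self, packet):
        if packet is None:
            return False
        seq, payload = packet
        if seq in self.seen:
            return False
        self.seen.add(seq)
        self.delivered.append(payload)
        return True


def transmit(paths, packets):
    """Send every packet over every path in `paths`; return the fraction
    of distinct packets that reached the receiver at least once."""
    rx = Receiver()
    for pkt in packets:
        for path in paths:
            rx.receive(path.send(pkt))
    return len(rx.delivered) / len(packets)


def make_packets(n):
    # Constructed traffic: (sequence number, payload)
    return [(seq, f"payload-{seq}") for seq in range(n)]


def compare(n=20000, loss_a=0.1, loss_b=0.1):
    """Return (single-path delivery, dual-path delivery) for the same
    traffic. Path A is seeded identically in both runs, so every packet
    that survives on A alone also survives in the dual-path run."""
    packets = make_packets(n)
    single = transmit([Path("A", loss_a, seed=1)], packets)
    dual = transmit([Path("A", loss_a, seed=1), Path("B", loss_b, seed=2)], packets)
    return single, dual


def failover(n=1000):
    """Path A goes down entirely; the copies sent over B keep delivery at 100%."""
    a, b = Path("A", 0.0, seed=3), Path("B", 0.0, seed=4)
    a.up = False
    return transmit([a, b], make_packets(n))


if __name__ == "__main__":
    single, dual = compare()
    print(f"single path delivered {single:.3%}, dual path delivered {dual:.3%}")
    print(f"with path A down, dual path delivered {failover():.0%}")
```

With 10% loss on each path the single-path run delivers about 90% of packets and the dual-path run about 99%; the de-duplication step is what keeps the second copy from turning into duplicate application data.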

Does it self-heal?
If an SD-WAN breaks, is there an automated system in place that repairs it?

Is it encrypted?
You would think everyone would know how to do this these days. They do not. If crypto isn’t your thing, make sure the SD-WAN uses two layers of high-end crypto (AES-256 with independent 4096-bit keys is fine). An equally acceptable alternative is if they are using two different forms of crypto at least in the ballpark of AES-256.

Can it be traced?
The greatest weakness of most SD-WANs is that they are easy to detect. The thing to watch out for is vendors selling boxes that connect into SD-WANs through IP addresses that rarely, if ever, change. If an opponent can inexpensively develop a map of your network, they are likely to start poking around for weaknesses. The basic question to ask is, “are the entry points into the SD-WAN you are trying to sell me static?”

Does it segment both cryptographically and topologically?
Big words, simple problem. Let’s say you have a bunch of air conditioning units in your buildings that need to communicate with one another but you, reasonably, suspect they can easily be hacked. If a vendor tells you “oh, don’t worry, the communications amongst the A/C units are cryptographically segmented from the rest of the network”, what that vendor is saying is that the data being sent amongst the air conditioning units is encrypted using a different key than the rest of the data being sent between the buildings. That means that any baddie who breaks into your A/C unit will be able to see the rest of the network, but won’t immediately be able to read the data passing through it. Depending upon what the baddie’s objectives are, you may have just thwarted them. It would be far safer, however, if the A/C units sent their data through an entirely different network. By this, we mean different wires and different servers. To be sure, this isn’t always practical within your buildings, but it certainly is when transiting the Internet. The implication of segmenting a network at both the cryptographic and topological levels is that your SD-WAN shouldn’t really be one network; it should be several.

Can it be easily managed?
This is where most vendors make their money, so pay attention. If a company charges a fee for network management, they are inherently disincentivized to make the system easy for the end-user to run on their own. The demo gimmick we have seen a lot of recently is a slick user interface with two to four local area networks connected together and a salesperson connecting another one via drag-and-drop. Part of the demonstration should be giving you ten minutes with the mouse and keyboard and letting you create and connect several dozen local area networks, each with their own unique set of devices/users. Think that’s crazy? Look at how big your company is now. Imagine how many changes will be taking place on a daily basis in practice.

Can it be set up in under an hour?
This question falls into the same bucket as management. If the SD-WAN is well built, hardware installations aside, the setup of the actual networks should take under an hour. If this requirement causes a salesperson to start stammering, just walk away.


Step 3: How to do it.

You need five things to build a proper SD-WAN.

1: You will want load balancers: at least one per building. Your call on how much redundancy you need.

2: You will need hardware or software that provides forward error correction.

3: You are going to need some computers: processors running Linux that can spin up virtual machines which can broker connections to multiple different networks. These processors will need to be sitting on boards with ports capable of handling the throughput you desire.

4: You will need software which can launch, monitor, maintain, and amend the cryptographically and topologically distinct networks to which the boxes will be brokering connections.

5: You will need a user interface which can manage the connections being made into said networks.


Step 4: Putting this into practice.

This is engineering—if you dedicate time and money to it, you can get one up and running. If you are sitting in a lab reading this, we’d place high odds on you being able to jerry-rig a decent SD-WAN in a matter of weeks. Alternatively, you can buy an SD-WAN.

What tends to surprise people who purchase SD-WANs is the human element: manually maintained, high-quality SD-WANs require three to four people per SD-WAN to keep them afloat and, because they will have access to the pipes that channel your most valuable data, you cannot offshore these jobs safely. Note also that even an SD-WAN that automatically maintains itself will need a person to manage what things are allowed to access the SD-WAN.


Step 5: Guessing how much this will cost.

Start off by eliminating the jackasses from the field. No self-respecting person will charge you a fee for providing technical support. Moreover, that technical support had better be based in the United States.

You should expect to be charged based upon the number of buildings you have connected to the SD-WAN, both because of the need for multiple pieces of physical hardware at each facility, and because there are some networking charges that cannot be avoided once you get into physical space.

Minus the hardware and, if it isn’t automated, the people, a secure, cloaked, redundant SD-WAN should not cost you more than $12k/year, plus about $3k/year per facility you bring into the network. Remember when coming up with your estimates, however, that your security department will probably require the things you care about most to travel on different networks from the things you care about least, so multiplication may come into play.


Step 6: Go for it.

Good luck!

Disclaimer: Why we bothered to write this article

SD-WANs are a large part of our business and, given we hold the patents on making cryptographically and topologically segmented SD-WANs that operate automatically, we think we offer the best product on the market today. You can check out our SD-WAN page at https://dispel.io/use-cases/sd-wan, or contact us directly at enterprise@dispel.io.

Is Cyber Resiliency Going Mainstream?

The Gartner Risk conference was the first commercial conference of the more than a dozen I have attended this year where resiliency was a core focus, from the opening keynote onwards. Perhaps the event’s proximity to DC was a factor, since in the Defense Community cyber resiliency has almost replaced cyber security as the core mission focus.

The agenda at Gartner included multiple sessions on resiliency[1] and came on the heels of a series of notes[2] published on the topic. NIST also released a draft of their new guidelines for cyber resiliency (800-160 Vol. 2) earlier this spring. It is one of the most forward-thinking documents on both the strategy and implementation of cyber resiliency. At over 150 pages, the NIST guide can be a bit much to take down in one sitting, but I would highlight in particular the 14 specific tactics for adding resiliency to computer systems.


Can we make cyber systems as resilient as cockroaches?

"Cockroaches" by  Rick_C licensed under CC BY-SA 2.0

So why resiliency now?

Resiliency can, at its most basic, be defined as “hard to kill.” Whereas security tries to stop anything bad from happening, resiliency focuses on how quickly a system can respond to bad things happening and assure survival and success even in the toughest circumstances.

As modern cyber systems begin to rival biological systems in complexity, it is not surprising then that strategies for defending cyber environments are evolving to follow the methods nature has used to defend biological ones.

Living organisms, like their silicon counterparts, are often individually very fragile, but when viewed at an ecosystem level are incredibly resilient. That resiliency relies on a number of factors which can and should be replicated in cyber systems.

A few strategies to aid resiliency:

1. Be Dynamic.

Living things virtually never stop moving, on both a micro and macro level. Computer systems, until only recently, have been static systems using static defenses. Attackers, on the other hand, have been dynamic, changing methods and means to penetrate and compromise systems. The balance is now beginning to shift, with forward-looking system architects embracing dynamism to create more adaptive and resilient systems. There are many tools for this; virtualization in particular offers some of the most promising ways to create systems that shift and change constantly.

To give a practical example, VPNs are fairly ubiquitous in enterprise environments. And yet, they create a static profile, a known point to attack. We’ve heard from customers that using their corporate VPN on untrusted networks paints a target on their back rather than protecting their transmissions. Why not introduce dynamism into that VPN access point? Instead of connecting to a single point, connect to a new one each day.
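One way to realise the daily rotation described above, as an added example that is not part of the original post and not Dispel’s implementation: the client and the VPN service share a secret and both derive “today’s” entry point from a pool of candidate addresses with an HMAC keyed by that secret. The address in use then changes every day with no published schedule, and someone who observes one day’s address cannot predict tomorrow’s without the secret. The HMAC-based selection is a technique chosen for this illustration; the pool, the hostnames and the shared secret are constructed placeholders, and a real deployment would provision the pool and secret out of band.

```python
"""Daily-rotating VPN entry point selected by keyed HMAC.

Added example; ENTRY_POOL and SHARED_SECRET are constructed placeholders."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed candidate pool: placeholder hostnames, not real endpoints.
ENTRY_POOL = [f"gw{i:02d}.example.invalid" for i in range(8)]
# Placeholder secret; in practice provisioned out of band to client and service.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def entry_point_for(day: date, pool=ENTRY_POOL, secret=SHARED_SECRET) -> str:
    """Pick the pool member to use on `day`. Both sides compute the same
    answer because both hold `secret`; the day is the only public input."""
    tag = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    index = int.from_bytes(tag[:8], "big") % len(pool)
    return pool[index]


def accepted_entry_points(today: date, grace_days: int = 1) -> set:
    """Service side: accept today's endpoint plus `grace_days` on either
    side, so clients whose clocks are skewed across midnight are not
    locked out during the rotation window."""
    offsets = range(-grace_days, grace_days + 1)
    return {entry_point_for(today + timedelta(days=d)) for d in offsets}


def client_accepted(today: date, client_day: date, grace_days: int = 1) -> bool:
    """Would a client that believes it is `client_day` be accepted today?"""
    return entry_point_for(client_day) in accepted_entry_points(today, grace_days)


def schedule(start: date, days: int):
    """Convenience view of the rotation over `days` consecutive days."""
    return [(start + timedelta(days=i), entry_point_for(start + timedelta(days=i)))
            for i in range(days)]


if __name__ == "__main__":
    for day, endpoint in schedule(date(2019, 1, 1), 7):
        print(day, endpoint)
```

The service still has to run (or be able to reach) every address in the pool, so the pool is a fixed cost; what rotation buys is that any single address an observer records is only useful for a day, and the mapping from day to address is not computable without the secret.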

2. Plan for regeneration.

A single organism in an ecosystem may be vulnerable and fragile, but a species does not depend on a single organism to survive. Species rely on constant death and rebirth to protect themselves, with death used as a means to isolate diseases that might threaten the overall health of a population. In cyber systems, automation coupled with virtualization is unlocking the ability to have computer systems that are constantly refreshing, rebuilding themselves on a regular schedule or when triggered by an event.

One area where we’ve seen this theory put into practice is virtual desktops. Security-conscious companies are purposefully destroying virtual desktops every evening and providing fresh, updated instances for their employees in the morning.


3. Create diversity.

Biological systems are remarkably diverse both within and across species. These differences allow for life to survive a wide range of circumstances from the freezing depths of the oceans to the arid heat of the desert. In engineering systems, there is a strong desire to standardize processes and elements to produce economies of scale and process improvement. Yet now we need to construct more complex systems which need to survive in uncertain and hostile conditions. Incorporating diversity creates systems that are both more resilient to attack, and more easily able to adapt to changing circumstances. Some of the best designed systems provide for multiple means to accomplish a task.

One simple way to implement diversity is to wrap unpatched or legacy systems. For example, if you are concerned with how best to protect that Windows 2003 server in your environment, start by inserting an access layer between it and the rest of the world. Even better, make that layer use a Unix operating system. Now to penetrate that 2003 server your attacker needs to first break through an entirely different operating system, which has the latest patches and security updates.

Are your systems designed to survive in tough conditions?

Does resiliency improve security?

Yes. The hardest things to kill are those that are proactive in their defensive posture. They exist where you do not expect them to, and shift without hindering their ability to function at an optimal level. Moreover, a resilient system is often micro-segmented such that when issues arise, they only concern a small part of the whole, and do not have the ability to spread laterally.

Making Cyber Resiliency a Reality

Theory is great, but how can organizations implement these strategies in practice? It’s easier than you think, and the team at Dispel has been helping organizations around the world become more resilient to survive and thrive in these challenging times. If you’re ready to start, give us a call or shoot us an email.

[1] Ramon Krikken, Craig Lawson and Katell Thielmann, “Scaling Trust and Resilience: Cut the Noise and Enable Action”; Mark Thomas Jaggers and Roberta Witty, “State of Organizational Resilience 2018”.

[2] Roberta Witty and Mark Thomas Jaggers, “Organizational Resilience Is More Than Just the Latest Trends”; Andy Kyte, Rick Greenwald, Stefan Van Der Zijden and Deacon D.K. Wan, “Delivering Resilience and Recoverability for Distributed Transactions Poses a Whole New Challenge”.


NIST 800-160 Vol 2: Moving Target Defense for the world.

Moving target defense (MTD) has gained more and more prominence in the cyber defense realm in the last few years, and for good reason: it works. In very simple terms, MTD is the act of constantly moving your system so it becomes harder to target. The converse is also true: the longer your system stays in one place, the easier it is to target. Picture an old-school shooting gallery: the ducks and rabbits are constantly in motion, making them harder to hit. It's that simple.

But moving target defense goes beyond just being harder to target by moving - it actually turns the tables on traditional network defense strategy. In the past, the CISO and her/his team anticipated threats and put a system of detection and defenses in place. This involved constant monitoring and reacting. MTD, however, flips this. While not ignoring threats, MTD uses defense almost as a weapon by making everything harder to attack. Returning to the shooting gallery analogy: the gallery is now painted black in a completely dark room the size of planet Earth and constantly in motion - and all your potential attacker is wearing a blindfold and earplugs. Now, you're fully seeing the beauty of moving target defense!

Looking at the NIST 800-160 report Systems Security Engineering, you'll realize how much MTD aligns with NIST's recommendations for system resiliency. Important techniques to build a resilient system framework include: adaptive response, deception, diversity, dynamic repositioning, dynamic representation, non-persistence, privilege restriction, redundancy, redundancy (that was a joke), segmentation, and unpredictability. A good MTD system will have all these aspects. It will be dynamic, ever-changing, unpredictable, adaptive, and all those other words.

Imagine working in an environment where you know you aren't just waiting for an adversary to strike but are instead always nimbly moving out of the adversary's crosshairs. Imagine not having to pour as much time and resources into threat detection, as the balance shifts as threats struggle to find you. Imagine never having to use the term "sitting duck" to describe your system ever again. 

Transitioning from a regular network security plan to an MTD plan is a big undertaking, if you go it alone. It might even seem hopeless, but it's not - and this is where Dispel can help. Dispel allows your network to switch to MTD protection without altering your internal network setup. That's because Dispel creates an Enclave of safety around your current network and resources. A Dispel-created Enclave is ever-shifting, spread out across multiple major cloud providers (in pieces which work as a whole), and is fully capable of avoiding malicious attacks.

Enclaves cycle their cloud components randomly, self-heal when a server within them goes down, and are indistinguishable from other virtual machines in the cloud. This dissociates your metadata (i.e., the data that shows who you are, where you are, and what you are doing), allowing your Enclave (and, by extension, your network) to disappear amongst the noise of the internet. Your network is now protected with a shifting shield of moving target defense.

Our analogous shooting gallery is now pitch dark, split into many pieces spread out over a world-sized room, and in motion. And the potential attacker? Well, they're beyond blindfolded and earplugged. Now, that person doesn't know the shooting gallery even exists.