Hackers Say SD-WAN Isn't Secure. Now What?!?

Captions
I heard a terrible thing: SD-WAN solutions are not secure. So I heard this thing about SD-WAN solutions, all of a sudden they're not secure. Why? Because there's this report: these hacker people have done things, and they've scanned the internet, and they found that there are SD-WAN boxes out there, and my gosh, you can identify what version of code they might be running, in some cases dame, in some cases OSS. And then, well, if we know the code they're running, then we know what vulnerabilities they are vulnerable to, and then we can hack them. SD-WAN: a brave new world for the hacker kingdom. Is that the case? Well, there's a risk here, so let's talk about this.

First up, you've got to think about where your SD-WAN is placed, where your SD-WAN forwarders are placed. If you are using the model where you are using internet circuits and using the internet as WAN, that means the internet circuits, which are public-facing circuits connected to the big bad public internet, are plugged right into your SD-WAN appliances, making your SD-WAN device an attack surface, right? Think about it this way. So here's your SD-WAN device, and then you've got probably at least two circuits, and what do they plug into? Again, we're going right to the Internet. So where's your attack surface? Your attack surface is here, right at the point where those circuits enter your SD-WAN box. That's the concern. That is what we are dealing with, because those ports are secured. What's the necessary posture for your SD-WAN device, then? It must be hardened. It should be hardened against internet attack, as after all, there it is, plugged right in. Well, you don't want a bunch of vulnerabilities on that SD-WAN box where, as hackers are scanning that box, they can figure out what you're vulnerable to and then begin to exploit those vulnerabilities, using your SD-WAN device as a jumping-off point to get into the rest of the network.

So let's say that bad traffic comes in there, and now you've got some bad actor sitting on your SD-WAN device. We'll give them some arms, because now they can use your SD-WAN device as that jumping-off point to what? Well, they can go this way, that way, any way that your SD-WAN box is connected to. It's probably connected to a lot of different things. Your SD-WAN box is part of your SD-WAN, software-defined wide area network, fabric that should be connected to a whole lot of different offices in your environment. And if it is, and you get the bad guy sitting there on top of your SD-WAN box because he's compromised it fully and owns the box, he could in theory jump off to any of these other points that your software-defined WAN fabric is connected to within your environment. Ooh, that's a bad deal. Nothing new here.

So the question maybe in your mind is, well, how real is this threat? Fair enough, let's take a look. Here is a presentation that one of my friends on Twitter sent to me. You can always tweet at me at ICI banks anything interesting like this, and I'm happy to take a look. And as I went through this very Star Wars-y kind of presentation, the opening part of the presentation that I'm flying through here really talks about, hey, SD-WAN people said that this was safe, and gosh, we did some looking around and found out that it's not safe. Well, how did we find that out? And they're talking about how they were able to do some basic injection, and then make the point, and this is kind of a brutal slide here: this talk is not about sophisticated hacking techniques, because you don't need them to hack SD-WAN; this is a talk about how to find the low-hanging fruit on the internet. They are saying that SD-WAN as a whole is, quote unquote, low-hanging fruit. Ouch, pretty rough.

Let's move ahead to the end of this here. Well, what did they find? They found a whole bunch of SD-WAN devices. When they did their scanning, they did a mask, found all these SD-WAN devices littered across the globe. Here, based on their fingerprinting of what's going on, they found a whole bunch of different SD-WAN nodes in here. They scatter around the different types in this pie right here, and then the products and so on. And then here's one of the big slides: vulnerabilities. These are everything they scanned on the public Internet, were able to find, and based on their fingerprinting and other information they were able to get those boxes, who were sitting on the edge of the network, to give up, they were able to find these vulnerabilities. These CVE numbers are catalogs; it's a known, defined vulnerability, here's what the problem is. And if you know that the device is vulnerable to this, then that means, oh, here's my avenue to exploit the device.

Conclusion. So we get to the conclusion in this thing. Many different vendors and related products have been found; in other words, we discovered these by doing a scan across the internet, and they did those pie charts earlier. It showed that most products are susceptible to version leakage. Yes, version leakage being the key there, because if you can tell what version of software it's running, what version of code it's running, then you can map that to the CVE, the vulnerability there, and from there you know how to exploit that device.

One concluding point, then. Sure, yes, SD-WAN devices have some vulnerabilities. I'm not surprised. That doesn't mean SD-WAN is junk. It does mean that a lot of the SD-WAN products that are out there are built on Linux and some other sets of open source software that do have vulnerabilities, and therefore the question you need to be putting to your SD-WAN vendor is: how are you hardening this device? How is this device secure? Beyond that, you should also be asking: when this box needs to be upgraded to fix a vulnerability, how is my forwarding handled? Am I staying online, or do I have to shut down and reboot this thing in order to fix the vulnerability? A good SD-WAN vendor can answer those questions in a very straightforward way for you.
Info
Channel: Packet Pushers
Views: 2,518
Rating: 4.9230771 out of 5
Keywords: sd-wan, security
Id: D93tk7H5zZE
Length: 6min 36sec (396 seconds)
Published: Wed Nov 21 2018