Why you need to be able to trust your SD-WAN platform

Human-Machine Interaction

Imagine a scenario when an IT network manager settles into the task of remotely provisioning and configuring an SD-WAN edge router that’s located in a distant branch office. The router appliance was shipped from a supplier’s warehouse to the branch, unboxed, and plugged into power and Ethernet by a local non-technical employee.

Before this new connection to the corporate WAN can be brought online, the distant IT manager must be able to confirm that the hardware is indeed the specific unit ordered and has not been altered in any way since manufacturing, including the basic boot code and operating system. How can the unit be trusted to be secure and uncompromised by malware or back doors? This edge router will be, after all, a vital link routing sensitive information from branch to data centre and cloud applications.

If the new router appliance is white box or bare metal hardware that is shipped from a third-party manufacturer to a remote office for installation and provisioning, IT security teams should be asking:

  • Where did the networking gear actually originate?
  • Is the device genuine?
  • Has it been altered at low levels in the BIOS?
  • Is malware lurking in the startup code?

What’s the risk in relying on off-the-shelf appliances for critical networking infrastructure? Third parties can tamper with BIOS, bootloader, or ROM monitor boot code to load modified software images; bypass hardware authenticity and licensing checks; or perform additional functions with malicious intent. Tampered code can result in data manipulation, data theft, and provide a platform to launch attacks, including denial of service (DoS).

There’s no way to tell if corruption has occurred in a remotely installed appliance unless security-focused processes and technologies are built into the hardware and software across the full lifecycle of the solution. That level of engineering is difficult to accomplish on low-margin, bare metal hardware.

Build trustworthiness from design to end of life

Embedding security and resilience is essential throughout the hardware and software lifecycle from design, test, manufacturing, distribution, support, to end-of-life. A secure development lifecycle makes security a primary design consideration—never an afterthought. Edge routing solutions built with trustworthy technologies enhance security and provide verification of the authenticity and integrity of both hardware and software.

Security must be anchored in hardware

The ability to verify that a device is genuine and running uncompromised code is possible with Secure Boot and Trust Anchor module (TAm). Using digitally-signed software images, a Secure Unique Device Identifier (SUDI) to prove hardware origin, and a hardware-anchored secure boot process that prevents inauthentic or compromised code from booting on an SD-WAN router is the foundation of a secure network.

Secure Boot helps ensure that the code that executes on router platforms is genuine and untampered. Hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software at every step. The root of trust, which is protected by tamper-resistant hardware, first performs a self-check and then validates the next element in the chain before it is allowed to start, and so on.

Through the use of image signing and trusted elements, the hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software.

The SUDI is an X.509v3 certificate with an associated private key protected in hardware. The public-private key pair and the SUDI certificate are inserted into the TAm during manufacturing so that the private key can never be exported. The SUDI provides a secure, unique identity for the router that is used to verify that the device is a genuine product from the manufacturer.

TAm-embedded SUDI and Secure boot are particularly important for configuring remote appliances with Zero Touch capabilities, providing assurance that both the hardware is manufacturer certified and software being loaded is uncompromised. Before a router, switch, or contoller can load the BIOS and network operating system, the unit must first prove to the network controllers that it is a verifiable hardware component by submitting the nonce signed with SUDI private key along with SUDI certificate to the network orchestrator.

After the chain of trust is ensured, then a hardware authenticity check can be performed by the trusted software. Finally, the network OS and SD-WAN software loads and the router can receive a configuration file to join the orchestration fabric. Every step of this process is protected with encrypted certificates and secure tunnels for end-to-end trusted provisioning.

Virtual network functions (VNF) for SD-WAN can be trusted as long as the appliance hardware has the proper built in security features. Whether the routing appliance is located in a secure data center, installed with zero-touch ops at a remote site, or running in a cloud colocation facility, the hardware needs to support virtual network functions with end-to-end security and trustworthiness.

With a hardware-anchored root of trust; embedded SUDI device identity; key management for code signing; plug and play zero touch installation, and custom silicon optimized for IP routing, SD-WAN is a secure and trusted platform for uniting a distributed workforce with multiple cloud platforms, SaaS applications, and enterprise data center resources. As threats evolve, Cisco continues to enhance the security and resilience of our solutions. While no vendor can guarantee complete security, we are committed to transparency and accountability and to acting as a trusted partner to our customers by addressing today’s, and tomorrow’s, security challenges.