Putting the “Trust” in Trustworthy SD-WAN
Organizations are implementing SD-WAN to bring secure, cost-effective, and efficient connectivity to distributed branches, retail outlets, and an increasingly distributed workforce. Top of mind for IT when expanding remote connectivity is ensuring the security and integrity of remote network appliances that are no longer under lock and key in the data center. Therefore, one of the advantages of adopting a software-defined network architecture is the plug-and-play, zero touch installation and configuration of remote SD-WAN branch routers and compute platforms. These Cisco-engineered appliances can be shipped directly to a remote site, powered on by a non-technical employee, and remotely configured by an IT expert from anywhere in the World Wide Web. For budget-constrained IT departments, remote provisioning, configuration, and management of network components, both hardware and software, provides significant time and cost savings.
But there’s also continuous pressure to decrease IT CapEx spending, as reflected in a recent trend to run Virtualized Network Functions (VNF) on white-label or bare-metal hardware. Budget-minded IT purchasers hope to save money by opting for less-expensive, generic versions of x86 hardware to run routing and security VNFs. However, security-minded IT professionals have a different perspective of using off-the-shelf compute hardware to process business-sensitive and personal data—the increase in risk.
Let’s look at an example of white box hardware that is shipped from a third-party manufacturer to a remote office for installation and provisioning. In today’s security environment, IT professionals should be asking:
- Where did my networking gear actually originate?
- Is the device genuine?
- Has it been altered at low levels in the BIOS?
- Is malware lurking in the bootstrap code?
- Can corrupted software with backdoors be installed without warning?
For scenarios like these, there’s no way to tell if corruption has occurred unless security-focused processes and technologies are built into the hardware and software across the full lifecycle of the solution. That level of engineering is difficult to accomplish on low-margin, bare metal hardware. Even when running VNFs on a public cloud, the same bare metal risk is mitigated only by the guarantees of the colocation or IaaS provider. If the choice comes down to savings from slightly less costly hardware versus increase in risk, its worthwhile remembering the average cost of stolen data from security breaches is $148 per record, while the cost of the loss of customer trust and theft of intellectual property is incalculable.
The Risky Business of Trusting Generic Hardware
With the daily onslaught of ever-more sophisticated threats, we all recognize that security for networks and applications has to be built into the foundation of every networking device. Network operators must be able to verify whether the hardware and software that comprise their infrastructure are genuine, uncompromised, and operating as intended. No matter how many functions are added to the security stack, the weakest link can cause all the other layers to fail. From hardware, to OS, to VNFs, every layer needs to be secure and work interdependently with the other layers for a complete defensive posture of the attack surface.
Building in Trust from Design through Deployment
Cisco embeds security and resilience throughout the lifecycle of our solutions including design, test, manufacturing, distribution, support, and end of life. We use a secure development lifecycle to make security a primary design consideration—never an afterthought. We design our solutions with trustworthy technologies to enhance security and provide verification of the authenticity and integrity of Cisco hardware and software. And we work with our partner ecosystem to implement a comprehensive Value Chain Security program to mitigate supply chain risks such as counterfeit and taint.
Security and Resilience Anchored in Hardware
The ability to verify that a Cisco device is genuine and running uncompromised code is possible with Cisco Secure Boot and Trust Anchor module (TAm). Cisco uses digitally-signed software images, a Secure Unique Device Identifier (SUDI) to prove hardware origin, and a hardware-anchored secure boot process to prevent inauthentic or compromised code from booting on a Cisco platform.
Cisco Secure Boot helps ensure that the code that executes on Cisco hardware platforms is genuine and untampered. Using a hardware-anchored root of trust and digitally-signed software images, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software at every step. The root of trust, which is protected by tamper-resistant hardware, first performs a self-check and then validates the next element in the chain before it is allowed to start, and so on. Through the use of image signing and trusted elements, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software.
Trust Anchor Module
The TAm is a proprietary, tamper-resistant chip that features non-volatile secure storage for the Secure Unique Device Identifier (SUDI), as well as secure generation and storage of key pairs with cryptographic services including random number generation (RNG).
Secure Unique Device Identifier (SUDI)
The SUDI is an X.509v3 certificate with an associated key-pair that is protected in hardware. The SUDI certificate contains the product identifier and serial number and is rooted to the Cisco’s Public Key Infrastructure. This identity can be either RSA- or ECDSA-based. The key pair and the SUDI certificate are inserted into the TAm during manufacturing so that the private key can never be exported. The SUDI provides an immutable identity for the router that is used to verify that the device is a genuine Cisco product.
TAm-embedded SUDI and Secure boot are particularly important for configuring remote appliances with Zero Touch capabilities, providing assurance that both the hardware is Cisco certified and software being loaded is uncompromised. Before a router, switch, or AP can load the BIOS and network operating system, the unit must first prove to the network controllers that it is a verifiable Cisco hardware component by submitting the encrypted SUDI to the orchestrator in Cisco DNA Center or Cisco vManage. Once the hardware’s certificate is validated, the BIOS and network OS load, each verified by additional encrypted certificates to ensure the code is untampered before running. Finally, the IOS-XE and SD-WAN software loads and the router can receive a configuration file to join the orchestration fabric. Every step of this process is protected with encrypted certificates and secure tunnels for end-to-end trusted provisioning.
Cisco Secure Development Lifecycle is a Holistic Approach to Trustworthiness
The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness. The combination of tools, processes, and awareness training introduced throughout the development lifecycle enhances security, provides a holistic approach to product resiliency, and establishes a culture of security awareness. Cisco SDL development process includes:
- Product security requirements
- Management of third-party code
- Secure design processes
- Secure coding practices and common libraries
- Static analysis
- Vulnerability testing
In addition, Cisco IT is “Customer Zero” for many of our own products, so that ordering, implementation, and production are robustly tested even before Customer Early Field Trials.
Enforcing Trust in Virtualized Network Functions
Virtual Network Functions for SD-WAN can be trusted as long as the appliance hardware has the proper built-in security features, such as a TAm, to enforce hardware-anchored secure boot. Whether the routing appliance is located in a secure data center, installed with zero-touch ops at a remote site, or running in a cloud colocation facility, Cisco hardware supports VNF routing with end-to-end security and trustworthiness.
When selecting the appropriate hardware to run critical virtualized functions such as routing and security, it’s also important that the entire hardware ecosystem is optimized to achieve the levels of performance required to support SLAs and the expected application Quality of Experience (QoE). When it comes to high-speed gigabit routing and real-time analysis of encrypted traffic, performance is more than processing horsepower. By designing custom ASICs for complex routing functions and including Field Programmable Devices (FPD) to support in-field updates, Cisco hardware is fine-tuned for network workloads, security analytics, and remote orchestration.
Trust and Security Built-in from Design to Deployment
With a hardware-anchored root of trust; embedded SUDI device identity; encryption key management for code signing; plug and play zero touch installation, and custom silicon optimized for IP routing, Cisco provides a secure and trusted platform for enterprises of all sizes.