ngena's platform security - ngena – the shared network · 2019-05-29 · 2 ngena's...

ngena's Platform Security
A whitepaper about ngena's secure network architecture


ngena – the Next Generation Enterprise Network Alliance – offers a completely new business model by connecting global businesses with hybrid VPN services. ngena uses innovative NFV/SDN technology to provide a global SD-WAN platform delivering VPN overlay networks on top of an underlay network infrastructure which leverages network assets of trusted service providers.

Introduction

The ngena digital solution is designed to protect its customers' data. It is built around core security principles: authentication, encryption and data integrity. The security guidelines are implemented globally for all components of the SD-WAN platform (data plane, control plane and management plane) using encryption, security policies, automation and orchestration.

[Figure: End-to-End Managed Services with SLA – ngena CPE connected over Internet Public Line and Ethernet Private Line]


ngena's Secure Network Architecture

The hybrid VPN service uses a transport-agnostic overlay architecture providing a true any-to-any global VPN. It addresses challenges like high cost and provisioning complexity when connecting globally distributed branch offices of enterprises. Moreover, it enables several cloud-based connectivity options to services like SaaS ERP, Office or storage applications. In addition, the hybrid VPN service offers features such as multiple VPNs per site, Quality of Service (QoS) and inter-region connectivity over ngena's international private transport network. All sites are connected with end-to-end encryption via secure IPsec tunnels.

ngena has built a global network with control and data plane managed via a central platform. The physical and virtual network assets are managed through data center hubs in Europe, America, Africa and Asia. ngena offers several access designs with automated service provisioning, supported over ordinary IP transport. Central orchestration facilitates quicker global service delivery and agile network service.

ngena's Secure Regional Internet Access

[Figure: Regional Internet Access – no Internet access service is deployed at the ngena hub, as no VPN is allowed to have Internet access; for a sub-VPN that is not allowed Internet access, Internet access is blocked]

A secure regional Internet access can be added to the enterprise VPN service, allowing users to access the Internet through a fully managed, enterprise-class firewall with optional web security. The secure regional Internet access service is provided via a fully orchestrated service chain of Virtualized Network Functions (VNFs), e.g. firewall or web security services, provisioned in a regional ngena hub. These service chains are fully integrated into the customer's VPN and provide resiliency and traffic load sharing across multiple availability zones.

As an enhancement to the secure regional Internet access service, ngena offers the capability to advertise publicly routable IPv4 and IPv6 addresses from an enterprise VPN. This leverages the same VNF service chain, with enhancements to routing policies to ensure symmetric traffic flows through the perimeter firewall (a stateful firewall that sees only one direction of a flow cannot match the return packets to a session and drops them). Individual firewall rules can be defined in order to secure access to the enterprise network from the public Internet.

Multiple types of access are supported, including both Internet Public Line (IPL) and Ethernet Private Line (EPL) using Metro Ethernet or Layer-2 VPN technologies. Several different customer access designs are available to connect a customer site via single or redundant Internet or Ethernet links, or a combination of both. The access designs can be chosen based on bandwidth and SLA requirements as well as cost considerations. The VPN overlay and encryption are common to all access designs.

[Figure: Highly Secure Regional Internet Accesses – the Secure Regional Internet Access service chain in the ngena hub (access gateway, vRouter, security appliances: firewall, web security) between the VPN-encrypted traffic of the customer sites and the unencrypted traffic towards the Internet]


In order to join the control plane, every device in the network must have its own digital certificate, issued by a Root or Intermediate Certificate Authority (CA) that is trusted by all other devices in the overlay. Each network controller generates its own private/public key pair and a Certificate Signing Request (CSR), which must be signed by an external CA. All control plane communication is transported over DTLS/TLS tunnels with the following characteristics:

• Version: TLS v1.2
• Authentication: mutual, based on digital certificates
• Encryption: AES-256
• Message integrity: SHA-1 or SHA-2 algorithms
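The enrolment and the mutually authenticated handshake described above, as an added example (Go, not ngena's or its vendor's code): a stand-in root CA, a device that generates its own key pair and CSR, the CA signing the CSR after checking proof of possession, and a TLS 1.2 session between a controller and an edge router in which both sides must present a certificate chaining to that CA. A second edge enrolled under a different CA is refused. The names (controller.example, edge-1.example), P-256 keys, loopback TCP as transport and the one-day validity are assumptions for the demonstration; DTLS is not in Go's standard library, so the TLS variant is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check aborts the demonstration on a setup error (key generation, signing, listening).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root that stands in for the external CA which signs every CSR.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// enroll covers both ends of enrolment: the device generates its own key pair and CSR (the
// private key never leaves it); the CA verifies the CSR signature and issues the certificate.
func enroll(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, devKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER) // what the CA receives
	check(err)
	check(csr.CheckSignature()) // proof that the requester holds the matching private key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: devKey}
}

// handshake runs one TLS 1.2 exchange between a controller (server) and an edge router (client)
// over loopback TCP. Each side must present a certificate chaining to the trusted pool; the
// two results are the error seen by the controller and by the edge (both nil on success).
func handshake(trusted *x509.CertPool, controller, edge tls.Certificate) (ctrlErr, edgeErr error) {
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{controller}, ClientCAs: trusted,
		ClientAuth: tls.RequireAndVerifyClientCert} // mutual authentication, not just server auth
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{edge}, RootCAs: trusted,
		ServerName: "controller.example"} // must match the controller certificate's SAN
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srvCfg).Handshake()
		}
		done <- err
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer conn.Close()
	edgeErr = tls.Client(conn, cliCfg).Handshake()
	return <-done, edgeErr
}

func main() {
	ca, caKey := newCA("Overlay Root CA")
	rogueCA, rogueKey := newCA("Rogue CA") // a CA the overlay does not trust
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	controller := enroll("controller.example", 2, ca, caKey)
	c, e := handshake(pool, controller, enroll("edge-1.example", 3, ca, caKey))
	fmt.Println("trusted edge: controller says", c, "/ edge says", e)
	c, e = handshake(pool, controller, enroll("edge-2.example", 4, rogueCA, rogueKey))
	fmt.Println("rogue edge: controller says", c, "/ edge says", e)
}
```

The point to notice is `RequireAndVerifyClientCert`: with the default `ClientAuth` the controller would accept any edge that can reach it, and only the edge would be checking a certificate. The rogue edge is rejected even though its certificate is perfectly well formed, because trust is decided by the pool of CA certificates, not by the shape of the leaf.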

DDoS Protection for Edge Routers

[Figure: implicit inbound policy on an edge router's transport interface, by source class]
• Authenticated sources (management controller): TLS/DTLS
• Implicitly trusted sources: SD-WAN IPsec
• Explicitly defined sources (e.g. cloud security): IPsec/GRE
• Unknown sources (other): any protocol – deny, except (1) return packets matching a flow entry (DIA enabled) and (2) DHCP, DNS, ICMP; SSH, NETCONF, NTP, OSPF, BGP and STUN can be enabled manually
• Control plane policing for packets handed from packet forwarding to the CPU: 300 pps per flow, 5,000 pps in total

The edge routers are authenticated by the controllers during the connection request through the certificate exchange. An Overlay Management Protocol (OMP), similar to the Border Gateway Protocol (BGP), runs inside the DTLS (Datagram Transport Layer Security) control plane connections and carries the routes, next hops, keys and policy information needed to establish and maintain the overlay network.

Specific network policies and rules are implemented for the different device identities, from trusted devices to unknown sources, in order to provide protection against DDoS attacks. With robust traffic policies defined for each class of source, network flooding is easier to avoid and a security threat can be neutralized quickly.
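The source-class policy and the control-plane policing from the figure above, as an added example (Go, not ngena's or its vendor's code): packets from an authenticated controller are accepted as DTLS/TLS control traffic and punted to the CPU under the policer; IPsec from an implicitly trusted peer or IPsec/GRE from an explicitly defined source is forwarded; anything from an unknown source is dropped unless it is the return half of a flow the site opened itself (DIA), DHCP, DNS, ICMP, or a service the operator enabled by hand, and those exceptions are policed at 300 packets per second per flow and 5,000 in total. The service-to-port mapping, the per-second counting, the sample port 12346 and all addresses are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Packet is the subset of an inbound transport-interface packet that the policy looks at.
type Packet struct {
	Src, Dst         netip.Addr
	Proto            string // "tcp", "udp", "esp", "gre", "icmp", "ospf"
	SrcPort, DstPort uint16
}

type Verdict string

const (
	Forward Verdict = "forward" // data plane: stays in the packet-forwarding path
	Punt    Verdict = "punt"    // control plane: delivered to the CPU, subject to policing
	Drop    Verdict = "drop"
)

// Policy models the implicit inbound policy of an edge router's transport interface: the more a
// source has proven about itself, the more it may send, and whatever reaches the CPU is policed.
type Policy struct {
	Controllers map[netip.Addr]bool // authenticated sources: completed the certificate exchange
	Peers       map[netip.Addr]bool // implicitly trusted: overlay peers learned via the control plane
	Defined     map[netip.Addr]bool // explicitly defined: configured IPsec/GRE endpoints
	Enabled     map[string]bool     // services switched on by hand: ssh, netconf, ntp, ospf, bgp, stun
	Flows       map[string]bool     // outbound DIA flows whose return packets may enter
	PerFlowPPS  int                 // control-plane policing budgets (300 and 5,000 in the figure)
	TotalPPS    int
	second      int64
	flowCount   map[string]int
	totalCount  int
}

func NewPolicy(perFlow, total int) *Policy {
	return &Policy{PerFlowPPS: perFlow, TotalPPS: total, Enabled: map[string]bool{}, Flows: map[string]bool{},
		Controllers: map[netip.Addr]bool{}, Peers: map[netip.Addr]bool{}, Defined: map[netip.Addr]bool{},
		flowCount: map[string]int{}}
}

// services maps "proto/dst-port" to the names used in the exception lists.
var services = map[string]string{
	"icmp/0": "icmp", "ospf/0": "ospf", "udp/67": "dhcp", "udp/68": "dhcp", "udp/53": "dns", "tcp/53": "dns",
	"tcp/22": "ssh", "tcp/830": "netconf", "udp/123": "ntp", "tcp/179": "bgp", "udp/3478": "stun",
}

// FlowKey names a 5-tuple in one direction; Admit looks up the reverse of an inbound packet.
func FlowKey(proto string, a netip.Addr, ap uint16, b netip.Addr, bp uint16) string {
	return fmt.Sprintf("%s %s>%s", proto, netip.AddrPortFrom(a, ap), netip.AddrPortFrom(b, bp))
}

// police enforces the per-flow and aggregate packets-per-second budgets for CPU-bound traffic,
// counting per second of the supplied clock so a replayed trace gives reproducible results.
func (p *Policy) police(flow string, now time.Time) Verdict {
	if s := now.Unix(); s != p.second {
		p.second, p.totalCount, p.flowCount = s, 0, map[string]int{}
	}
	if p.flowCount[flow] >= p.PerFlowPPS || p.totalCount >= p.TotalPPS {
		return Drop
	}
	p.flowCount[flow]++
	p.totalCount++
	return Punt
}

// Admit decides the fate of one inbound packet.
func (p *Policy) Admit(pkt Packet, now time.Time) Verdict {
	svc := services[fmt.Sprintf("%s/%d", pkt.Proto, pkt.DstPort)]
	switch {
	case p.Controllers[pkt.Src] && (pkt.Proto == "udp" || pkt.Proto == "tcp"):
		return p.police("control:"+pkt.Src.String(), now) // DTLS/TLS control connection
	case p.Peers[pkt.Src] && pkt.Proto == "esp":
		return Forward // SD-WAN IPsec from an overlay peer
	case p.Defined[pkt.Src] && (pkt.Proto == "esp" || pkt.Proto == "gre"):
		return Forward // IPsec/GRE from a configured source
	case p.Flows[FlowKey(pkt.Proto, pkt.Dst, pkt.DstPort, pkt.Src, pkt.SrcPort)]:
		return Forward // return packet of a flow the site opened itself (DIA)
	case svc == "dhcp" || svc == "dns" || svc == "icmp" || p.Enabled[svc]:
		return p.police(svc+":"+pkt.Src.String(), now) // default exception or manually enabled service
	}
	return Drop // unknown source, nothing matched
}

// Demo replays a constructed packet mix (documentation addresses) and returns each verdict.
func Demo() map[string]Verdict {
	p := NewPolicy(300, 5000)
	ctrl, peer := netip.MustParseAddr("198.51.100.10"), netip.MustParseAddr("203.0.113.20")
	edge, other := netip.MustParseAddr("192.0.2.1"), netip.MustParseAddr("203.0.113.99")
	p.Controllers[ctrl], p.Peers[peer] = true, true
	p.Flows[FlowKey("tcp", edge, 40000, other, 443)] = true // a DIA session the site opened
	t0, out := time.Unix(1_700_000_000, 0), map[string]Verdict{}
	out["dtls from controller"] = p.Admit(Packet{Src: ctrl, Dst: edge, Proto: "udp", DstPort: 12346}, t0)
	out["ipsec from peer"] = p.Admit(Packet{Src: peer, Dst: edge, Proto: "esp"}, t0)
	out["ipsec from stranger"] = p.Admit(Packet{Src: other, Dst: edge, Proto: "esp"}, t0)
	out["dia return"] = p.Admit(Packet{Src: other, Dst: edge, Proto: "tcp", SrcPort: 443, DstPort: 40000}, t0)
	out["ssh from stranger"] = p.Admit(Packet{Src: other, Dst: edge, Proto: "tcp", DstPort: 22}, t0)
	for i := 0; i < 300; i++ { // ICMP is allowed by default, but policed at 300 pps per source
		p.Admit(Packet{Src: other, Dst: edge, Proto: "icmp"}, t0)
	}
	out["icmp 301st in same second"] = p.Admit(Packet{Src: other, Dst: edge, Proto: "icmp"}, t0)
	out["icmp next second"] = p.Admit(Packet{Src: other, Dst: edge, Proto: "icmp"}, t0.Add(time.Second))
	return out
}

func main() { fmt.Println(Demo()) }
```

The ordering in `Admit` matters: identity is checked before protocol, so an ESP packet from an address that never completed the certificate exchange is dropped even though ESP is exactly what trusted peers send, and the per-source policer caps what an ICMP or DNS flood from one address can do to the CPU without touching the forwarding path.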

The data plane is based on point-to-point IPsec tunnels established between the vEdge routers and has the following security characteristics:

• IPsec mode: tunnel, with support for NAT traversal
• Authentication: certificate-based device authentication, performed via the control plane tunnel
• ESP encryption: AES-GCM-256 for unicast traffic
• ESP authentication and integrity algorithm: AH-SHA1 HMAC and ESP HMAC-SHA1
• Key exchange encryption: AES-256 cipher
• Anti-replay window: max. 4096 packets

Data plane encryption uses AES-256, a symmetric-key algorithm: the same key that encrypts a router's outgoing packets decrypts them at the receiving router. Each router periodically generates an AES key for its data path and transmits this key to the controller, which distributes it to the recipient routers in the network. In this way the AES keys of all routers are distributed across the network and no pairwise key negotiation between routers is needed. To further strengthen data plane authentication and encryption, routers regenerate their AES keys every 24 hours locally, without dropping any data traffic. The key exchange happens over the secure control plane.
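The data-plane key handling described above, as an added example (Go, not ngena's or its vendor's code): each router generates a 32-byte AES key for its own data path, AES-256-GCM protects every packet with the key generation and sequence number as nonce and associated data, a receiver keeps the current and the previous generation of a sender's key so the 24-hour rekey drops nothing still in flight, and a 4096-packet sliding window rejects replays and stale packets. The controller's relay is reduced to the Install call; the ESP-like header layout, the sequence-number nonce and the two-generation rule are assumptions of this model, not the product's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const windowSize = 4096 // anti-replay window, in packets

// Packet is the ESP-like datagram: key generation and sequence number travel in clear but are
// authenticated (they form the GCM nonce and associated data); Body is ciphertext plus tag.
type Packet struct {
	KeyID uint32
	Seq   uint64
	Body  []byte
}

// nonce is unique per key: the generation changes at every rekey and the sequence never repeats.
func nonce(keyID uint32, seq uint64) []byte {
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, keyID), seq)
}

func newAEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 32-byte key selects AES-256; cannot fail for that length
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Sender is one router's transmit side: one key generation at a time and a sequence counter
// that keeps climbing across rekeys.
type Sender struct {
	keyID uint32
	seq   uint64
	aead  cipher.AEAD
}

// Rotate generates a fresh AES-256 key locally and returns what the router hands to the
// controller for distribution to its peers: the generation number and the key itself.
func (s *Sender) Rotate() (uint32, []byte) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s.keyID++
	s.aead = newAEAD(key)
	return s.keyID, key
}

func (s *Sender) Send(payload []byte) Packet {
	s.seq++
	n := nonce(s.keyID, s.seq)
	return Packet{KeyID: s.keyID, Seq: s.seq, Body: s.aead.Seal(nil, n, payload, n)}
}

// Receiver is what a peer holds for one sender: the current and the previous key generation
// (both valid during rollover, so in-flight packets survive a rekey) and the replay window.
type Receiver struct {
	keys    map[uint32]cipher.AEAD
	highest uint64             // newest sequence number accepted
	seen    [windowSize]uint64 // slot seq%windowSize holds the sequence number last accepted there
}

// Install takes a key generation relayed by the controller and retires the one before last.
func (r *Receiver) Install(keyID uint32, key []byte) {
	if r.keys == nil {
		r.keys = map[uint32]cipher.AEAD{}
	}
	r.keys[keyID] = newAEAD(key)
	delete(r.keys, keyID-2)
}

// Receive authenticates and decrypts first and consults the sliding replay window only for
// genuine packets, so a forged packet can neither advance the window nor burn a sequence number.
func (r *Receiver) Receive(p Packet) ([]byte, error) {
	aead := r.keys[p.KeyID]
	if aead == nil {
		return nil, errors.New("unknown or expired key generation")
	}
	n := nonce(p.KeyID, p.Seq)
	plain, err := aead.Open(nil, n, p.Body, n)
	if err != nil {
		return nil, err // tampered, forged, or wrong key
	}
	switch {
	case p.Seq > r.highest:
		r.highest = p.Seq
	case p.Seq == 0 || r.highest-p.Seq >= windowSize:
		return nil, errors.New("sequence number older than the replay window")
	case r.seen[p.Seq%windowSize] == p.Seq:
		return nil, errors.New("replayed packet")
	}
	r.seen[p.Seq%windowSize] = p.Seq
	return plain, nil
}

// Demo plays edge-a sending to edge-b (each Install stands for the controller relaying a key)
// and reports which of the checks held.
func Demo() map[string]bool {
	a, b, ok := &Sender{}, &Receiver{}, map[string]bool{}
	accepted := func(p Packet) bool { _, err := b.Receive(p); return err == nil }
	b.Install(a.Rotate()) // first key generation
	p := a.Send([]byte("hello"))
	plain, err := b.Receive(p)
	ok["decrypts"] = err == nil && string(plain) == "hello"
	ok["replay rejected"] = !accepted(p)
	inFlight, late := a.Send([]byte("in flight")), a.Send([]byte("late"))
	b.Install(a.Rotate()) // the 24-hour rekey
	ok["new generation accepted"] = accepted(a.Send([]byte("after rekey")))
	ok["in-flight packet under old key accepted"] = accepted(inFlight)
	for i := 0; i < windowSize; i++ { // push the window windowSize packets past "late"
		accepted(a.Send([]byte("bulk")))
	}
	ok["packet older than the window rejected"] = !accepted(late)
	return ok
}

func main() { fmt.Println(Demo()) }
```

Two details carry the security argument. The nonce is built from the key generation and the sequence number rather than drawn at random, which is what makes GCM safe here: a nonce is never reused under one key as long as the sequence counter never wraps and every rekey bumps the generation. And because the integrity check runs before the window is touched, an attacker replaying or forging packets cannot push the window forward to make genuine, slightly delayed packets look stale.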

For the management plane, only encrypted protocols are used, so that management traffic is never sent in the clear. This includes the use of SSHv2 instead of Telnet, so that both the authentication data and the management information are encrypted. Encrypting the management traffic also allows secure remote access to the device. If the traffic of a management session were sent over the network with an insecure protocol, an attacker could obtain sensitive information about the device and the network, including administrator credentials.


ngena's Secure Platform Architecture

ngena's global platform has three major components:
a) a redundant CSFA (Central System Function Area), which provides end-to-end service awareness and control;
b) a number of regional hubs ("ngena hubs"), which host the virtualized service platform and several Virtual Network Functions (VNFs) to deliver the ordered services; and
c) a private backbone, which connects the ngena hubs.

Regional hubs contain two SPAN (Service Provider Application Nodes) for redundancy. They consist of a Service End-to-End Control Function, a SPAN Plane Function and a Network Plane Function, deployed globally for domain-specific service management and delivery, connecting customer sites through local service provider access networks.

[Figure: Central Systems Function Area (central) – all components which are deployed only once (or twice for redundancy): Central System BSS (Business Support Systems), Central System Security, Central System Data Collection, Aggregation and Storage, License Management, OOB Management]

In addition, the ngena platform provides an aggregation and backbone transport network that connects all services globally, from the central hub to the regional hubs and also between regional hubs. The breakout to the public Internet is always "per region": the data traffic of one region is transmitted to the Internet via a regional hub.

ngena's platform implements an Authentication, Authorization and Accounting (AAA) framework to secure network devices. The AAA framework authenticates management sessions, limits users to specific administrator-defined commands, and logs all commands entered by all users. Edge routers in the ngena network communicate with the remote AAA server using the TACACS+ protocol, which supports per-command authorization and obfuscates the whole packet body (RADIUS protects only the password attribute), providing higher security than RADIUS. TACACS+ derives that obfuscation pad from the shared secret with MD5 (RFC 8907 describes it as obfuscation rather than encryption), so its confidentiality rests on the secrecy of the shared key and on carrying the protocol over a protected management network.
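What the TACACS+ body protection actually is, as an added example (Go, not ngena's code or any vendor's implementation): the RFC 8907 section 4.5 pseudo-pad, MD5 over the 4-byte session ID, the shared secret, the version byte and the sequence number, chained by feeding each digest back in, XORed over the body. The session ID, the secret and the sample body are constructed for the demonstration. The round trip shows that anyone holding the shared secret recovers the body and anyone without it does not, which is why the secret and the management network carrying TACACS+ are what need protecting.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"fmt"
)

// pseudoPad builds the TACACS+ obfuscation key stream (RFC 8907, section 4.5):
// MD5_1 = MD5(session_id, key, version, seq_no), MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1),
// concatenated until the stream covers n bytes of body.
func pseudoPad(sessionID uint32, secret []byte, version, seqNo byte, n int) []byte {
	var sid [4]byte
	binary.BigEndian.PutUint32(sid[:], sessionID) // header field, network byte order
	pad, prev := make([]byte, 0, n+md5.Size), []byte(nil)
	for len(pad) < n {
		h := md5.New()
		h.Write(sid[:])
		h.Write(secret)
		h.Write([]byte{version, seqNo})
		h.Write(prev) // empty for the first block, the previous digest afterwards
		prev = h.Sum(nil)
		pad = append(pad, prev...)
	}
	return pad[:n]
}

// obfuscate XORs a packet body with the pseudo-pad; the same call reverses it, which is exactly
// what every party holding the shared secret can do to captured traffic.
func obfuscate(body []byte, sessionID uint32, secret []byte, version, seqNo byte) []byte {
	pad := pseudoPad(sessionID, secret, version, seqNo, len(body))
	out := make([]byte, len(body))
	for i := range body {
		out[i] = body[i] ^ pad[i]
	}
	return out
}

// Demo encodes a constructed authentication body as an edge router would send it to the AAA
// server, then plays two eavesdroppers: one who knows the shared secret and one who guesses.
func Demo() (recoveredWithSecret, recoveredWithGuess bool) {
	const version, seqNo = 0xc0, 1 // TAC_PLUS_MAJOR_VER 0xc, minor 0; first packet of the session
	sessionID := uint32(0x1A2B3C4D)                     // constructed
	body := []byte("user=ops-admin;pass=Tr0ub4dor&3")   // constructed sample body, not a real exchange
	wire := obfuscate(body, sessionID, []byte("shared-secret"), version, seqNo)
	withSecret := obfuscate(wire, sessionID, []byte("shared-secret"), version, seqNo)
	withGuess := obfuscate(wire, sessionID, []byte("wrong-guess"), version, seqNo)
	return bytes.Equal(withSecret, body), bytes.Equal(withGuess, body)
}

func main() {
	ok, guessed := Demo()
	fmt.Println("recovered with shared secret:", ok, "| recovered with wrong secret:", guessed)
}
```

There is no integrity protection in this construction: flipping a bit of the wire body flips the same bit of the recovered body. The session ID and sequence number are visible in the clear header, so the only unknown to an eavesdropper is the shared secret, which is why a weak or widely shared TACACS+ key, or a TACACS+ path that crosses untrusted networks, undoes the advantage the paragraph above describes.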

A stateless Access Control List (ACL) is applied in both the inbound and the outbound direction on the Internet interface of the access gateway to filter out any private or internal addresses before they leak to the Internet and to prevent IP spoofing. The ACL protects the internal infrastructure subnets, such as the backbone range and other administrative networks, from being accessed, and makes them difficult to discover from outside the network.
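The stateless gateway ACL in both directions, as an added example (Go, not ngena's configuration): the filter rejects inbound packets whose source is an internal range or the gateway's own public range (the usual anti-spoofing rule) and inbound packets addressed to infrastructure, and rejects outbound packets whose source or destination is internal. The RFC 1918 ranges are standard; 192.0.2.0/24 as the gateway's public range and 100.64.0.0/10 as the backbone range are assumptions, as are the sample packets.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Direction of a packet relative to the access gateway's Internet interface.
type Direction int

const (
	Inbound  Direction = iota // arriving from the Internet
	Outbound                  // leaving towards the Internet
)

// Packet carries only what a stateless ACL looks at: the two addresses and the direction.
type Packet struct {
	Src, Dst netip.Addr
	Dir      Direction
}

// GatewayACL is the stateless filter on the Internet interface. It keeps no flow state; every
// packet is judged on its own addresses, and the rules are applied in both directions.
type GatewayACL struct {
	Own      netip.Prefix   // the gateway's own public range (assumed 192.0.2.0/24)
	Internal []netip.Prefix // backbone, administrative and RFC 1918 ranges that must never cross
}

func (a GatewayACL) internal(ip netip.Addr) bool {
	for _, p := range a.Internal {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Permit implements the rules: inbound packets may not claim an internal or the gateway's own
// address as source (spoofing) nor target infrastructure; outbound packets may not carry an
// internal source (leak) or an internal destination (infrastructure traffic sent the wrong way).
func (a GatewayACL) Permit(p Packet) (ok bool, reason string) {
	switch {
	case p.Dir == Inbound && (a.internal(p.Src) || a.Own.Contains(p.Src)):
		return false, "inbound: spoofed source"
	case p.Dir == Inbound && a.internal(p.Dst):
		return false, "inbound: infrastructure destination"
	case p.Dir == Outbound && a.internal(p.Src):
		return false, "outbound: internal source address leaking"
	case p.Dir == Outbound && a.internal(p.Dst):
		return false, "outbound: internal destination sent towards the Internet"
	}
	return true, ""
}

// Demo runs constructed packets through an ACL with assumed ranges and returns each verdict.
func Demo() map[string]bool {
	acl := GatewayACL{
		Own: netip.MustParsePrefix("192.0.2.0/24"),
		Internal: []netip.Prefix{
			netip.MustParsePrefix("10.0.0.0/8"),     // RFC 1918
			netip.MustParsePrefix("172.16.0.0/12"),  // RFC 1918
			netip.MustParsePrefix("192.168.0.0/16"), // RFC 1918
			netip.MustParsePrefix("100.64.0.0/10"),  // assumed backbone range
		},
	}
	pkt := func(src, dst string, d Direction) Packet {
		return Packet{Src: netip.MustParseAddr(src), Dst: netip.MustParseAddr(dst), Dir: d}
	}
	out := map[string]bool{}
	out["web reply in"], _ = acl.Permit(pkt("203.0.113.7", "192.0.2.10", Inbound))
	out["spoofed rfc1918 in"], _ = acl.Permit(pkt("10.1.2.3", "192.0.2.10", Inbound))
	out["spoofed own range in"], _ = acl.Permit(pkt("192.0.2.99", "192.0.2.10", Inbound))
	out["probe to backbone in"], _ = acl.Permit(pkt("203.0.113.7", "100.64.5.5", Inbound))
	out["nat'd user out"], _ = acl.Permit(pkt("192.0.2.10", "203.0.113.7", Outbound))
	out["backbone leak out"], _ = acl.Permit(pkt("100.64.5.5", "203.0.113.7", Outbound))
	return out
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-22s permit=%v\n", k, v)
	}
}
```

Because the list is stateless, it cannot tell a legitimate reply from a probe; that is the job of the firewall in the service chain. What the ACL guarantees is cheaper and stronger: no packet carrying an infrastructure address, in either direction, crosses the Internet interface at all, so the backbone and administrative ranges cannot be enumerated from outside even if a device behind the gateway is misconfigured.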

[Figure: Functional View of ngena's Platform for Hybrid VPN Services – ngena Node (decentral; all components which are deployed on each hub): Service E2E Control Function (Decentral Service Provisioning, Decentral Node Management, Decentral Assurance Collection, Software Functions Control); Network Plane Function (Platform Security (IDS/IPS), Gateway, Access, Backbone, ngena Admin LAN incl. OOB); SPAN Plane Function (Software Functions, Data Plane, Compute & Storage, SPAN Switches, Infra). Central: Central System Assurance, Central System Provisioning]


Data Privacy, Security Governance & Compliance

Security and data privacy activities are managed based on Information Security Management System (ISMS) guidelines, which provide a holistic view of running an enterprise with best practices and are compliant with global standards. This helps to make all security operations as transparent as needed.

ngena regularly conducts penetration testing and vulnerability assessments referencing the OWASP methodology, as well as governance and IT risk management based on ISO/IEC 27001, ISO 31000 (Risk Management) and ISO 22301 (Business Continuity), to ensure proactive system hardening and to act on any threat or vulnerability detected. The technology partners are periodically reviewed against security and data privacy compliance requirements. An internal security organization plans for information security, business continuity and risk management.

ngena follows the European General Data Protection Regulation (EU-GDPR) along with worldwide recognised standards such as ISO 2700x (Information Security Management System – ISMS) and the security framework from NIST (National Institute of Standards and Technology), while being compliant with security frameworks from OWASP (Open Web Application Security Project) and ISECOM (Institute for Security and Open Methodologies).

Altogether, ngena has implemented an extensive set of security and data privacy measures to fulfill global security standards for its network and platform, creating a global network secured with best practices which can cater to evolving business needs, network requirements and technological trends, to promote global business with local care.


Abbreviations used in this Security Whitepaper

AAA Authentication, Authorization, and Accounting
ACL Access Control List
AES Advanced Encryption Standard
BGP Border Gateway Protocol
BSS Business Support System
CA Certificate Authority
CPU Central Processing Unit
CSR Certificate Signing Request
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DIA Direct Internet Access
DNS Domain Name System
DTLS Datagram Transport Layer Security
E2E End-to-End
EPL Ethernet Private Line
ERP Enterprise Resource Planning
ESP Encapsulating Security Payload
GRE Generic Routing Encapsulation
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IEC International Electrotechnical Commission
ISMS Information Security Management System
IPL Internet Public Line
IPS Intrusion Prevention System
IPsec Internet Protocol Security
ISECOM Institute for Security and Open Methodologies
ISO International Organization for Standardization
NAT Network Address Translation
NETCONF Network Configuration Protocol
NIST National Institute of Standards and Technology
NFV Network Function Virtualization
NTP Network Time Protocol
OMP Overlay Management Protocol
OOB Out-of-band
OSPF Open Shortest Path First protocol
OWASP Open Web Application Security Project
PPS Packets Per Second
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service protocol
SaaS Software as a Service
SDN Software-Defined Networking
SD-WAN Software-Defined Wide Area Network
SHA Secure Hash Algorithm
SLA Service Level Agreement
SPAN Service Provider Application Node
SSH Secure Shell
STUN Session Traversal Utilities for NAT
TACACS+ Terminal Access Controller Access-Control System Plus
TLS Transport Layer Security
VNF Virtual Network Function
VPN Virtual Private Network


Follow us

linkedin.com/company/ngena

bit.ly/ngena_on_youtube

twitter.com/ngenagmbh

xing.com/companies/ngenagmbh

ngena.net

ngena.net/infokit

Contact us

ngena GmbH

Hahnstrasse 40

60528 Frankfurt

Germany

[email protected]

www.ngena.net

Managing Directors

Dr. Marcus Hacke, Alessandro Adriani

Head of Supervisory Board

Patrick Molck-Ude

Commercial register

Amtsgericht Bonn HRB 20074 May 2018