Extending Public Cloud Security beyond SD-WAN

The rise of software-defined WAN (SD-WAN) has enabled public cloud adoption by extending connectivity from on-premises networks to cloud applications. A recent CSO article discusses how security is a key inhibitor of rapid migration to the public cloud, especially when workloads need to access cloud services on demand. Although SD-WAN secures your connectivity to the cloud, ensuring you are secure within your public cloud infrastructure is still the customer's responsibility.

In this blog we will discuss how a Cloud Security Posture Management (CSPM) solution like Dome9, used in conjunction with an SD-WAN technology, extends network-level security and provides end-to-end protection from the data center into the public cloud.

What is SD-WAN?

SD-WAN has allowed customers to access cloud applications seamlessly and securely from their branch offices, campuses or data centers, all connecting over the enterprise WAN. By utilizing a multitude of viable transport options (MPLS, Internet, metro-ethernet, LTE), enterprises can now burst into the cloud with high availability and secure transit links. SD-WAN solutions offer on-demand IPsec-encrypted tunnels that protect data in transit from the branch/DC to the cloud. You can also use transit VPC architectures to centralize entry points and reduce the number of peerings.


Image from Viptela’s SD-WAN framework


SD-WAN and Public Cloud: Security Architecture Challenges

Gartner predicts that, through 2020, 95% of cloud security failures will be the customer's fault. Hence a clean security posture for your cloud infrastructure, one that extends beyond SD-WAN connectivity, is essential.

Challenge 1: Network disaggregation breaks visibility into misconfigurations

Security Group Level: In a typical SD-WAN solution, Gateway VPCs provide the connection between the overlay network and apps running on instances inside host VPCs. Via an overlay protocol, the edge routers in the Gateway VPC learn the routes from the SD-WAN controller. The Gateway VPC also has a BGP peering with the Host VPC router to advertise summary routes into each host VPC’s route table. The traffic can then flow between DC/branch and web apps running on EC2 instances. Yet, this design breaks down when cloud misconfigurations occur in the Security Groups that protect the instances.



If an overly permissive SG is applied, not only can traffic drops occur, but the instance is now wide open. Once your tunnel is decrypted at the edge, SD-WAN virtual appliances have no visibility into the existing SG configuration or the traffic flow behind the edge. Only when a ping test is run to troubleshoot, after an application has started to suffer or time out, will this issue be revealed.

Routing Level: In AWS, a summary or default route is advertised by the SD-WAN router to the host VPC routing table with the next hop as the VGW.



If an admin adds a more specific route that points at the IGW instead of the VGW, your enterprise traffic is now going over the public internet. This is a security risk, as sensitive information is traversing an unencrypted link.



Solution: Dome9 can help detect network misconfigurations

Security Group Level: Dome9 lets you create custom rules to check whether a SG allows the appropriate DC/branch prefixes to access the web applications in your host VPC. If an admin accidentally changes the subnet or associates the wrong SG with an app that is receiving traffic over the SD-WAN tunnel, Dome9 can detect this and alert the IT team immediately.

GSL code:

SecurityGroup should have inboundRules contain [ port=80 and scope='']

Routing Level: Dome9 can also help you create rules that check for routing misconfigurations that bypass the VPN tunnel and publicly expose your cloud environment. After you set up your routing policy in AWS, you can create a simple rule in Dome9 to ensure that all RFC 1918 traffic from the host VPC goes over the encrypted SD-WAN tunnel.

GSL code:

VPC should not have routeTables with [ routes contain [ destinationCidrBlock isPrivate() and gatewayId='igw-c2ba8ba7'] ]

With a single, simple rule you can detect when an admin changes the route so that traffic destined for your datacenter/branch goes over the IGW instead of the VGW, and Dome9 will alert you.
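The two GSL rules above express the same checks that the following added Python applies to constructed, describe-style route table and security group records. This is example code, not Dome9's implementation or part of the original post; the route table, gateway and group ids and the DC/branch prefixes are made-up sample values.

```python
import ipaddress

# Constructed sample data shaped like AWS describe_route_tables /
# describe_security_groups output (placeholder ids, not a real account).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-EXAMPLE", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
        {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-EXAMPLE"},
        # Misconfiguration: a more specific private prefix pointed at the IGW.
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "igw-EXAMPLE"},
    ]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-EXAMPLE-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]},
    ]},
]
# Assumed DC/branch prefixes reachable over the SD-WAN tunnel.
DC_BRANCH_PREFIXES = ["10.20.0.0/16", "192.168.100.0/24"]

RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr):
    """True when the whole prefix lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def private_routes_via_igw(route_tables):
    """Routing-level check: private destinations whose next hop is an IGW."""
    findings = []
    for rt in route_tables:
        for r in rt["Routes"]:
            dest, gw = r.get("DestinationCidrBlock"), r.get("GatewayId", "")
            if dest and is_rfc1918(dest) and gw.startswith("igw-"):
                findings.append((rt["RouteTableId"], dest, gw))
    return findings

def http_sources_outside_sd_wan(security_groups, allowed_prefixes):
    """SG-level check: port 80 sources not contained in approved DC/branch prefixes."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    findings = []
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            if perm.get("IpProtocol") != "tcp" or not perm["FromPort"] <= 80 <= perm["ToPort"]:
                continue
            for rng in perm["IpRanges"]:
                src = ipaddress.ip_network(rng["CidrIp"])
                if not any(src.subnet_of(a) for a in allowed):
                    findings.append((sg["GroupId"], rng["CidrIp"]))
    return findings
```

Each function returns the offending (id, prefix) tuples, so the same logic can be run against live describe output or fed into an alerting pipeline.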

Challenge 2: IT maintenance windows can open up security holes

Typically, if IT operations want to access cloud services for maintenance or to investigate a data source, they need to turn off encryption services over the tunnel. This leaves the organization wide open to attacks by hackers. The situation is worsened if these ports and services are not turned off after the maintenance window.

Solution: Dome9 enables on-demand access to cloud servers

Dome9 provides just-in-time access that lets you lock down servers and ports by default. You can set a lease for a specific IP (e.g. the web app IP) and for a specific time period covering the investigation or maintenance, after which the ports are automatically closed.



With Dome9 you can gain visibility into your cloud-native services, including Lambda functions and S3 buckets, assess the security controls of your infrastructure, catch configuration drift, and spot firewall misconfigurations quickly. This is especially important when you're scaling your cloud deployment across multiple cloud accounts and a large number of assets.



Beyond network visibility, Dome9 provides continuous compliance assessment, active protection and cloud intrusion detection for your public cloud infrastructure. Sign up for a free trial @dome9.com