Security

Multapplied SD-WAN: Simplifying Network Security

Architecture for Security

Multapplied SD-WAN secures customer data through both encryption and architecture. Aggregating multiple circuits into a single tunnel means that data is spread across multiple circuits of different types and across multiple carrier networks, so traffic would have to be intercepted on several carrier circuits at once to be reassembled. Packet sniffing techniques are therefore less successful in this environment.

Encryption

Multapplied SD-WAN offers perfect forward secrecy with all three ciphers. Perfect forward secrecy is the property that previously captured encrypted traffic cannot be decrypted at a later time, even if the long-term private key is later compromised. Encryption is performed using private keys generated when the Aggregator and CPE were provisioned, and hosts are authenticated with X.509 certificates signed by a certificate authority on the management server.

Encryption Ciphers

HMAC (Hash-Based Message Authentication Codes)

Three ciphers are available:

  • AES 128, the default because it is hardware-accelerated on many CPUs (requires a 64-bit operating system)
  • AES 256
  • Salsa20 256
Multi-tenant SD-WAN Spaces

Customers and users (customer employees) are assigned to a specific space and are managed through delegated administration. Attributes can be global or defined on a per-space basis.

Spaces allow aggregated links, Aggregators, users, and other SD-WAN resources to be placed into distinct groups. Multi-tenant Spaces have their own public IP subnet assignments, user interface branding options, and private WAN settings. Multi-tenant Spaces are arranged in a hierarchy, similar to a directory structure: one root space can have multiple child spaces, each child space can have its own child spaces, and so on.

Multi-site Private WAN Space configurations will typically use private IP blocks routed to each site. Because these private addresses are translated to the public IP(s) dedicated to the Space, every Space can reuse the same private IP ranges.

Aggregators and Private WAN Routers can route traffic for any number of spaces.

Multi-tenant Spaces are hierarchical for organization and access control in the management application, but they are not hierarchical for routing purposes. Instead, each Private WAN space is completely isolated from every other space, even one with which it has a parent-child relationship in the management application.

Customizing Firewall Management and Behaviour

Bonders and aggregators use the Linux iptables firewall to protect against unauthorized access. This firewall can be customized to add the additional entries, rules, routes, or other features required by a particular bonder or aggregator.

To customize firewall behaviour, create a new executable script in /etc/firewall.d/.

When the script /etc/init.d/firewall is run, your script is called with the same argument that was passed to /etc/init.d/firewall:

  • start, to add the required behaviour
  • stop, to remove the installed behaviour
  • restart, to remove and then re-add the required behaviour
  • force-reload, to reload the behaviour without restarting services, if possible
  • status, to display a short message describing the current status of the behaviour

These arguments match the arguments to standard Debian init scripts. Hooks are called with the argument “start” at system boot and “stop” at shutdown.

Running the Firewall Script

The firewall script is executed with the service command. For example:

  service firewall restart

The firewall is controlled with the script /etc/init.d/firewall. This script runs each executable file in the directory /etc/firewall.d. The following arguments are supported:

  • start: enables the firewall
  • stop: disables the firewall
  • restart: disables, then enables the firewall
  • force-reload: disables, then enables the firewall
  • status: shows status information about the firewall

The firewall is automatically started when the system boots and stopped when the system shuts down.
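The following hook is an added example, not part of Multapplied's documentation or product: a constructed /etc/firewall.d/ script that restricts SSH on the device to a management subnet and honours the start/stop/restart/force-reload/status convention described above. The hook filename, the subnet 203.0.113.0/24, the iptables comment match and the IPT override variable are assumptions.

```shell
#!/bin/sh
# Constructed example hook: /etc/firewall.d/50-mgmt-ssh (name is an assumption).
# /etc/init.d/firewall runs every executable file here with its own argument.
set -e

MGMT_NET="203.0.113.0/24"      # assumed management subnet; substitute your own
IPT="${IPT:-iptables}"         # overridable so the script can be dry-run

# Rule specs, listed bottom-up: every -I inserts at the top of INPUT, so the
# last line listed (the management ACCEPT) ends up above the catch-all DROP.
rules() {
    echo "INPUT -p tcp --dport 22 -m comment --comment mgmt-ssh-deny -j DROP"
    echo "INPUT -s $MGMT_NET -p tcp --dport 22 -m comment --comment mgmt-ssh-allow -j ACCEPT"
}

# Insert each rule only if it is not already present (safe on repeated restart).
do_start() {
    rules | while read -r spec; do
        $IPT -C $spec 2>/dev/null || $IPT -I $spec
    done
}

# Delete every copy of each rule so stop leaves no residue.
do_stop() {
    rules | while read -r spec; do
        while $IPT -C $spec 2>/dev/null; do $IPT -D $spec; done
    done
}

# Exit 0 if all rules are installed, 3 (the LSB "not running" code) otherwise.
do_status() {
    rules | while read -r spec; do
        $IPT -C $spec 2>/dev/null || { echo "mgmt-ssh: not installed"; exit 3; }
    done && echo "mgmt-ssh: installed"
}

dispatch() {
    case "$1" in
        start)                do_start ;;
        stop)                 do_stop ;;
        restart|force-reload) do_stop; do_start ;;
        status)               do_status ;;
        *) echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2; return 2 ;;
    esac
}

# The init script always passes an argument; dispatch only when one is present.
if [ $# -gt 0 ]; then dispatch "$1"; fi
```

Mark the file executable, since /etc/init.d/firewall only runs executable files in /etc/firewall.d.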

