1 HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by Hughes to meet the needs of the enterprise customer. FEB 2009
2 White Paper HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R Introduction Hughes provides HughesNet managed broadband network services to enterprise customers. As part of the managed services umbrella, Hughes maintains a high level of end-to-end security. From a Hughes perspective, end-to-end is defined as the remote CPE demarcation point through the Hughes NOC to the backhaul terminating at the customer data center. Hughes is very aware of the importance of both data and network security and has designed a robust architecture that addresses the needs of its customers. This paper describes the various security functions, features, and safeguards throughout each point in the customer s network. In addition, this paper provides detailed information on the CPE, Network Operations Center (NOC) and backhaul. Figure 1 illustrates the end-to-end architecture for an enterprise private network. Figure 1. Enterprise Network FEB 2009
3 White Paper Customer Premise Equipment (CPE) The HN7700S-R CPE is a custom-designed platform, using Hughes-developed proprietary hardware and software to deliver private WAN networking using a wide range of connectivity options. The router may be deployed behind any IP WAN access, including private or public (Internet) connections to a Hughes Network Operations Center (NOC), where it communicates with an IP Gateway another Hughes-developed proprietary platform which connects to the customer s data center network. Hughes uses the HN7700S-R to manage the HughesNet broadband VPN service. The HN7700S-R router connects to a modem (not shown in any diagram) in order to transmit/receive traffic over the broadband access network (for example, DSL, cable, wireless, etc.). The modem serves as a Layer 2 bridge and has no routing functionality. The HN7700S-R provides all the Layer 3 routing, security, and management functions. Refer to Figure 2 to see the HN7700S-R. Figure 2. Hughes Enterprise Access Network It is important to understand that the HN7700S-R is not an Internet access router. Rather, it is a secure tunneling router that uses the Internet as a transport. The router s ACL enforces the rule that all traffic is sent over the AES IPSec tunnel. The HN7700S-R must always interoperate with and connect to a Hughes IP Gateway hosted at the Hughes NOC. Between both devices, Hughes establishes, maintains, and monitors an AES IPSec tunnel. Within the AES IPSec tunnel, Hughes establishes, maintains, and monitors a Performance Enhancement Proxy (PEP) tunnel. The PEP tunnel is used to accelerate the traffic from the CPE to the Hughes NOC and is part of the Hughes WAN Optimization feature. Also, all management traffic is transmitted within the AES IPSec tunnel (inclusive of ICMP pings which are used to determine up/down status of the remote site). This ensures that there is no out-of-band attack vector through which an attacker could compromise the network via the CPE s WAN connection. Only packets which are successfully decrypted and authenticated may be consumed by the management software. In addition, a Hughes-proprietary SDL protocol is used to communicate configuration information.
4 The AES IPSec tunnel provides security and encryption functionality protecting all data traffic from the remote site to the Hughes NOC and return. Hughes has both Layer 2 and Layer 3 broadband access architectures. For either option, the network only provides connectivity between the remote site and the Hughes NOC. There is no other connectivity allowed since these are private connections. With Layer 3, the Internet is used as a transport network and the AES IPSec VPN tunnel is administered to maintain security. With the HN7700S-R, however, the same AES IPSec VPN tunnel used in the Layer 3 case is used in the Layer 2 case. The HN7700S-R has many built-in security safeguards. First, the HN7700S-R is designed to transmit/receive traffic with the AES IPSec tunnel established. If the tunnel is not functioning correctly, then the data will not be sent. Also, if there is a security misconfiguration, the router will not transmit. The Hughes router cannot send traffic to the open Internet and over the AES IPSec tunnel simultaneously as it does not have split tunnel functionality. The IPSec tunnel uses the Internet Key Exchange (IKE) protocol between the HN7700S-R and the IP Gateway to dynamically negotiate random encryption keys which are periodically refreshed. The initial pre-shared key is a strong key generated and stored in an encrypted format in a central database, and downloaded to the remote sites via a secure management communications channel. IPSec packets are encapsulated over UDP on a Hughes-assigned port for transport over the WAN network. Only packets, which are addressed to the HN7700S-R on the appropriate port from the configured IP Gateway s IP address, are consumed by the IPSec stack. Therefore, only packets which can be properly decrypted and authenticated are processed by the software. In addition, the IPSec tunnel is only initiated from the HN7700S-R. Again, the software has no provisions for accepting an incoming IPSec request, which precludes an attack by an imposter IP Gateway. Second, the HN7700S-R does not respond with its public IP address to any third-party destination on the Internet (even if a third party would try to hack the site). The public IP address is known only by the Hughes NOC. Even if a third party were to perform a port scan on the HN7700S-R (not even possible in the Layer 2 scenario since it is a private connection), no address would be sent back to the third party as the router only responds to ICMP echo. Third, the HN7700S-R can establish a connection only with the Hughes IP Gateway hosted in the Hughes NOC. Even if a third party were to attempt to access the HN7700S-R (notwithstanding the previous paragraph), it would not be able to communicate unless there was a properly configured Hughes IP Gateway on the opposite side. Since the connection between the HN7700S-R and the Hughes IP Gateway is proprietary, it is not feasible to replicate this function with a phony Hughes IP Gateway. Although there is no current logging functionality available with the HN7700S-R, any such logging is of limited value from a security standpoint, since the only destination where the data traffic can be sent is to the Hughes IP Gateway at the NOC. Fourth, there is no local (LAN) access to the HN7700S-R to view or modify the configuration. Hence, there is no unauthorized way to alter the configuration for access to the network.
5 Figure 3 shows at a high level, the protocol stack and packet flow for user traffic coming into the HN7700S-R from the WAN. No Other Services ICMP WAN Network Layer IP PPPoE (optional) WAN Link Layer Ethernet WAN PHY 10/100BaseT/TX IPSec HTTP Acceleration (TurboPage) Transport Layer UDP TCP Spoofer (PEP) Services Web Server, DNS Proxy, DCHP Server, etc. NAT (optional) LAN Network Layer IP LAN Link Layer Ethernet LAN PHY 10/100BaseT/TX WAN LAN Figure 3. HN7700S-R Stack Architecture, Data Plane The most important element of this diagram regarding security is the red box on top. As a purpose-built router, the HN7700S-R has no services which are accessible from the WAN interface, other than the encapsulated IPSec tunnel which is initiated by the router itself. This is different from an off-the-shelf router with an ACL. With a commercial router, there are a number of services running on the router, which must be explicitly blocked via configuration to close off possible attack vectors. This is because, as routers they are designed to accept and transmit packets on all interfaces, and their IP stack is common for both the WAN and LAN side. That is, all packets are received and routed according to a common set of instructions. This allows a WAN interface and a LAN interface to operate in the same way, with the same functionality. While this provides flexibility, it also necessitates a complex set of ACLs which must be managed to allow only the desired access from the WAN interface. Figure 4 shows a simplified example of an off-theshelf router. Services Web Server, Telnet, DNS Proxy, DHCP Server, etc. TCP Stack ACL List IP Stack WAN Link Layer Ethernet WAN PHY 10/100BaseT/TX WAN LAN Services TFTP, SNTP, etc. UDP Stack LAN Link Layer Ethernet LAN PHY 10/100BaseT/TX Figure 4. Off-the-shelf Router Stack Architecture, Data Plane
6 With the HN7700S-R, the protocol stacks are separate all the way through not just to the jacks themselves. This provides the unique advantage of seamlessly protecting all access to the device from the WAN interface. With the exception of encrypted IPSec packets, no traffic is accepted from the WAN interface. Hence, the HN7700S-R does not require specific configuration to block access to services which might have exploitable security vulnerabilities. For example, there is no risk of an attacker exploiting a buffer overrun in an on-board web server, since there is no innate capability of processing Internet-sourced packets by any software in the device. The following output of an exhaustive nmap probe shows that there are no services listening on the WAN interface of the HN7700S-R. That is, the device cannot process or respond to any ports or protocols. Starting Nmap 4.62 ( ) at :42 EST Initiating ARP Ping Scan at 09:42 Scanning [1 port] Completed ARP Ping Scan at 09:42, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:42 Completed Parallel DNS resolution of 1 host. at 09:42, 0.70s elapsed Initiating SYN Stealth Scan at 09:42 Scanning [65536 ports] SYN Stealth Scan Timing: About 2.14% done; ETC: 10:05 (0:22:53 remaining) Completed SYN Stealth Scan at 10:05, s elapsed (65536 total ports) Host appears to be up... good. All scanned ports on are filtered MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems) Read data files from: /usr/share/nmap Nmap done: 1 IP address (1 host up) scanned in seconds Raw packets sent: (5.767MB) Rcvd: 1 (42B) Starting Nmap 4.62 ( ) at :43 EST Initiating ARP Ping Scan at 09:43 Scanning [1 port] Completed ARP Ping Scan at 09:43, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:43 Completed Parallel DNS resolution of 1 host. at 09:43, 0.78s elapsed Initiating UDP Scan at 09:43 Scanning [65536 ports] UDP Scan Timing: About 2.14% done; ETC: 10:07 (0:22:53 remaining) Completed UDP Scan at 10:06, s elapsed (65536 total ports) Host appears to be up... good. All scanned ports on are open filtered MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems) Read data files from: /usr/share/nmap Nmap done: 1 IP address (1 host up) scanned in seconds Raw packets sent: (3.670MB) Rcvd: 1 (42B) The only response received was to the initial ping. Even the ability to respond to ICMP Echo Requests (Pings) could be disabled, if it were not needed. To date, there has never been a successful penetration of a HughesNet customer network from the outside world.
7 White Paper Network Operations Center (NOC) In the Hughes NOC, many devices are deployed to provide a high level of service functionality, as well as to maintain and enforce robust security. The Hughes NOC has several functions. First, the Hughes NOC aggregates traffic from the remote sites regardless of the access transport used. Second, it provides connectivity to third-party entities such as credit processors. Third, it hosts the functionality to perform the HughesNet proactive monitoring service. Fourth, it provides connectivity to the data center(s) via a backhaul. All these functions are supported and maintained in a highly secure environment. Figure 5 shows the Hughes NOC architecture. All NOC equipment requires SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server. This is a standard Hughes security practice to ensure only authorized personnel have access to the network. Remote Site Aggregation There are three NOC devices that assist in aggregating remote site traffic; the DSL Provider Edge (PE) router, the Hughes Internet (Inet) router, and the Hughes IP Gateway. The DSL PE router and the Hughes Inet router have similar functions. Both directly aggregate traffic, but the DSL PE router supports the Layer 2 network and the Hughes Inet router supports the Layer 3 network. Both routers forward data through the Hughes IP Gateway and the enterprise LAN for transmission to the data center(s) or the credit card processor network. Figure 5. Hughes NOC
8 The DSL PE router has no connection to the Internet. This router only aggregates sites served via a private Layer 2 connection. So inherently, there is no threat from third-party attacks on the Internet. The only type of attack could be from within the network via the remote site, but since there is no ability to access the HN7700S-R configuration from the remote site, there is no way to alter the configuration to allow for a rogue user to enter the network. The Hughes Inet router has access to the Internet to aggregate traffic from sites using the Layer 3 architecture. The router s ACL is set up to access only HNR UDP traffic and ICMP echo. Both traffic types only would be coming from the HN7700S- R. If neither one of these traffic patterns is sent, it is dropped or is not allowed. So, any third-party entity attempting to gain access to the network would have to emulate a remote site s IP address and the proprietary transport protocols used by the HN devices. Also, penetration tests and port scans are conducted every three months (per the PCI standard) on the Hughes Inet router. The Hughes IP Gateway ultimately is the traffic aggregation device. As mentioned earlier, the Hughes IP Gateway gateway establishes the AES IPSec tunnel and the PEP tunnel to the remote HN7700S-R. To accommodate this tunnel, the Hughes IP Gateway only allows traffic destined for the UDP port. This is enforced by a software packet filter. So, even if a third party initiated a malicious attack from the Internet, the traffic would be dropped, because it would not be in the proper packet format, port, or protocol. Moreover, the Hughes IP Gateway only allows remote HN7700S-Rs with the correct keys to access the network. Lastly, as an additional safeguard, the Hughes IP Gateway does not allow site-to-site connectivity. Hence, if there were ever an issue with a remote site in spite of all the aforementioned precautions since the Hughes IP Gateway does not allow site-to-site connectivity that issue could be localized so as not to cause any impact to the rest of the network. Third Party Network Connectivity The credit processor routers have direct communication with the credit processor network. This architecture is either supported with private line access or public secure VPN access. Regardless of the architecture, Hughes, along with the credit card processor, ensures security. Hughes demarcation is the WAN side of the NAT router. The credit processor routers, collocated at the Hughes NOC, are managed by the third party, not by Hughes. Hughes Proactive Monitoring Service The Hughes Proactive Monitoring router serves to ping the remote sites and does not represent any live enterprise-specific traffic. The proactive monitoring traffic is in the form of Hughes initiated pings. This management traffic is transmitted over the same AES IPSec tunnel as the enterprise data traffic. Optional Firewalls Hughes provides optional firewalls in the NOC. One firewall is used to protect the enterprise LAN from viruses or anomolous traffic. This way, if a remote site is affected, the impact can be quarantined to that site and not impact the corporate network. The second optional firewall is to provide secure Internet access via the NOC. Either open or fenced (white list) Internet access can be provided. The firewall protects the enterprise LAN and remote sites against security threats from the Internet. Backhaul Connectivity The Hughes NOC also supports backhaul connectivity to the data center(s) as described in the next section.
9 Backhaul The backhaul network connects the Hughes NOC to the customer data center(s). The NOC backhaul routers connect to the enterprise network routers at the data center(s). There are two different architectures to support the backhauls. First, there is the private line backhaul which is supported with the enterprise backhaul router from the NOC. This router is connected to an enterprise router on the enterprise network at the data center. As with all the equipment in the NOC, both routers require SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server. Second, there is also an option for an IPSec VPN tunnel from the NOC to the data center(s). This is supported with the enterprise backhaul VPN router connected to the enterprise router at the data center. Both routers have restricted ACLs which permit only IPSec on the Internet interface for a VPN peer. The IPSec VPN is 3DES strength, using a pre-shared secret key with a 15-minute lifetime. There is no NAT supported for end-user client Internet access. Also, as explained above, SSL security is required for management access with two-factor authentication. The authentication request is logged through an RSA server. Figure 6 shows the backhaul architecture. Figure 6. Backhaul Architecture 9
10 Security Management Hughes has been evaluated on various business practices based on the Payment Card Industry (PCI) standards. In addition to the configuration of the network, Hughes takes pride in the processes and procedures in order to maintain the high level of security. This includes a structured and consistent installation procedure ensuring that only the correct configurations are deployed in the network by authorized personnel. Any changes in the network configuration are first reviewed and verified in a test environment before being launched in the production environment by authorized personnel. All critical NOC component configurations are reviewed, and anti-virus programs run on a consistent basis. Additionally, Hughes has a process in place to identify new security risks and and to test the network for vulnerabilities. Logging occurs in case of unauthorized access to a critical NOC component. Lastly, Hughes strictly adheres to both physical and logical security. Only authorized personnel are allowed in controlled areas. Two-factor authentication is consistently used for logical access to sensitive equipment. Summary Hughes has an extremely comprehensive network security system. From the CPE to the NOC to the backhaul, all components have robust security. This is supported by the successful PCI review of the HughesNet Managed Network Services solution. By adhering to PCI standards, not only does Hughes provide strong protection and security for customer traffic, but the processes and procedures used for implementation, monitoring, and change management provide for continuous improvement. The end result is a highly secure and reliable managed broadband VPN service for the enterprise customer. Proprietary Statement All rights reserved. This publication and its contents are proprietary to Hughes Network Systems, LLC. No part of this publication may be reproduced in any form or by any means without the written permission of Hughes Network Systems, LLC, Exploration Lane, Germantown, Maryland HUGHES, HughesNet, IPoS, TurboPage, SPACEWAY, AIReach, Broadband Unbound, and Connect to the future are trademarks of Hughes Network Systems, LLC. All other trademarks are the property of their respective owners Hughes Network Systems. LLC. All information is subject to change. All rights reserved. HUGHES PROPRIETARY H39058 ID FEB Exploration Lane Germantown, MD USA