HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R


White Paper, FEB 2009

HughesNet Managed Broadband Network Services include a high level of end-to-end security, utilizing a robust architecture designed by Hughes to meet the needs of the enterprise customer.

Introduction

Hughes provides HughesNet managed broadband network services to enterprise customers. As part of the managed services umbrella, Hughes maintains a high level of end-to-end security. From a Hughes perspective, end-to-end is defined as the remote CPE demarcation point through the Hughes NOC to the backhaul terminating at the customer data center. Hughes is very aware of the importance of both data and network security and has designed a robust architecture that addresses the needs of its customers.

This paper describes the various security functions, features, and safeguards throughout each point in the customer's network. In addition, this paper provides detailed information on the CPE, Network Operations Center (NOC) and backhaul. Figure 1 illustrates the end-to-end architecture for an enterprise private network.

Figure 1. Enterprise Network

Customer Premise Equipment (CPE)

The HN7700S-R CPE is a custom-designed platform, using Hughes-developed proprietary hardware and software to deliver private WAN networking using a wide range of connectivity options. The router may be deployed behind any IP WAN access, including private or public (Internet) connections, to a Hughes Network Operations Center (NOC), where it communicates with an IP Gateway, another Hughes-developed proprietary platform, which connects to the customer's data center network. Hughes uses the HN7700S-R to manage the HughesNet broadband VPN service.

The HN7700S-R router connects to a modem (not shown in any diagram) in order to transmit/receive traffic over the broadband access network (for example, DSL, cable, wireless, etc.). The modem serves as a Layer 2 bridge and has no routing functionality. The HN7700S-R provides all the Layer 3 routing, security, and management functions. Refer to Figure 2 to see the HN7700S-R.

Figure 2. Hughes Enterprise Access Network

It is important to understand that the HN7700S-R is not an Internet access router. Rather, it is a secure tunneling router that uses the Internet as a transport. The router's ACL enforces the rule that all traffic is sent over the AES IPSec tunnel. The HN7700S-R must always interoperate with and connect to a Hughes IP Gateway hosted at the Hughes NOC. Between both devices, Hughes establishes, maintains, and monitors an AES IPSec tunnel. Within the AES IPSec tunnel, Hughes establishes, maintains, and monitors a Performance Enhancement Proxy (PEP) tunnel. The PEP tunnel is used to accelerate the traffic from the CPE to the Hughes NOC and is part of the Hughes WAN Optimization feature. Also, all management traffic is transmitted within the AES IPSec tunnel (inclusive of ICMP pings, which are used to determine up/down status of the remote site). This ensures that there is no out-of-band attack vector through which an attacker could compromise the network via the CPE's WAN connection. Only packets which are successfully decrypted and authenticated may be consumed by the management software. In addition, a Hughes-proprietary SDL protocol is used to communicate configuration information.

The AES IPSec tunnel provides security and encryption functionality, protecting all data traffic from the remote site to the Hughes NOC and back. Hughes has both Layer 2 and Layer 3 broadband access architectures. For either option, the network only provides connectivity between the remote site and the Hughes NOC. No other connectivity is allowed, since these are private connections. With Layer 3, the Internet is used as a transport network and the AES IPSec VPN tunnel is administered to maintain security. With the HN7700S-R, however, the same AES IPSec VPN tunnel used in the Layer 3 case is also used in the Layer 2 case.

The HN7700S-R has many built-in security safeguards.

First, the HN7700S-R is designed to transmit/receive traffic only with the AES IPSec tunnel established. If the tunnel is not functioning correctly, then the data will not be sent. Also, if there is a security misconfiguration, the router will not transmit. The Hughes router cannot send traffic to the open Internet and over the AES IPSec tunnel simultaneously, as it does not have split-tunnel functionality. The IPSec tunnel uses the Internet Key Exchange (IKE) protocol between the HN7700S-R and the IP Gateway to dynamically negotiate random encryption keys, which are periodically refreshed. The initial pre-shared key is a strong key generated and stored in an encrypted format in a central database, and downloaded to the remote sites via a secure management communications channel. IPSec packets are encapsulated over UDP on a Hughes-assigned port for transport over the WAN network. Only packets that are addressed to the HN7700S-R on the appropriate port from the configured IP Gateway's IP address are consumed by the IPSec stack. Therefore, only packets which can be properly decrypted and authenticated are processed by the software. In addition, the IPSec tunnel is only initiated from the HN7700S-R. Again, the software has no provisions for accepting an incoming IPSec request, which precludes an attack by an impostor IP Gateway.

Second, the HN7700S-R does not respond with its public IP address to any third-party destination on the Internet (even if a third party were to attempt to attack the site). The public IP address is known only by the Hughes NOC. Even if a third party were to perform a port scan on the HN7700S-R (not even possible in the Layer 2 scenario, since it is a private connection), no address would be sent back to the third party, as the router only responds to ICMP echo.

Third, the HN7700S-R can establish a connection only with the Hughes IP Gateway hosted in the Hughes NOC. Even if a third party were to attempt to access the HN7700S-R (notwithstanding the previous paragraph), it would not be able to communicate unless there was a properly configured Hughes IP Gateway on the opposite side. Since the connection between the HN7700S-R and the Hughes IP Gateway is proprietary, it is not feasible to replicate this function with a phony Hughes IP Gateway. Although there is no current logging functionality available with the HN7700S-R, any such logging is of limited value from a security standpoint, since the only destination where the data traffic can be sent is the Hughes IP Gateway at the NOC.

Fourth, there is no local (LAN) access to the HN7700S-R to view or modify the configuration. Hence, there is no unauthorized way to alter the configuration for access to the network.

Figure 3 shows, at a high level, the protocol stack and packet flow for user traffic coming into the HN7700S-R from the WAN.

Figure 3. HN7700S-R Stack Architecture, Data Plane (WAN side: 10/100BaseT/TX PHY, Ethernet link layer, IP network layer with optional PPPoE, UDP transport carrying IPSec, ICMP, and no other services. LAN side: 10/100BaseT/TX PHY, Ethernet link layer, IP network layer with optional NAT, TCP transport with TCP Spoofer (PEP) and HTTP Acceleration (TurboPage), and services such as web server, DNS proxy, and DHCP server.)

The most important element of this diagram regarding security is the red box on top. As a purpose-built router, the HN7700S-R has no services which are accessible from the WAN interface, other than the encapsulated IPSec tunnel, which is initiated by the router itself. This is different from an off-the-shelf router with an ACL. With a commercial router, there are a number of services running on the router which must be explicitly blocked via configuration to close off possible attack vectors. This is because, as routers, they are designed to accept and transmit packets on all interfaces, and their IP stack is common for both the WAN and LAN side. That is, all packets are received and routed according to a common set of instructions. This allows a WAN interface and a LAN interface to operate in the same way, with the same functionality. While this provides flexibility, it also necessitates a complex set of ACLs which must be managed to allow only the desired access from the WAN interface. Figure 4 shows a simplified example of an off-the-shelf router.

Figure 4. Off-the-shelf Router Stack Architecture, Data Plane (a single IP stack with an ACL list shared by the WAN and LAN link layers; TCP services such as web server, Telnet, DNS proxy, and DHCP server; UDP services such as TFTP and SNTP.)

With the HN7700S-R, the protocol stacks are separate all the way through, not just to the jacks themselves. This provides the unique advantage of seamlessly protecting all access to the device from the WAN interface. With the exception of encrypted IPSec packets, no traffic is accepted from the WAN interface. Hence, the HN7700S-R does not require specific configuration to block access to services which might have exploitable security vulnerabilities. For example, there is no risk of an attacker exploiting a buffer overrun in an on-board web server, since there is no innate capability of processing Internet-sourced packets by any software in the device.

The following output of an exhaustive nmap probe shows that there are no services listening on the WAN interface of the HN7700S-R. That is, the device cannot process or respond to any ports or protocols.

    Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-07 09:42 EST
    Initiating ARP Ping Scan at 09:42
    Scanning 192.168.1.101 [1 port]
    Completed ARP Ping Scan at 09:42, 0.00s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 09:42
    Completed Parallel DNS resolution of 1 host. at 09:42, 0.70s elapsed
    Initiating SYN Stealth Scan at 09:42
    Scanning 192.168.1.101 [65536 ports]
    SYN Stealth Scan Timing: About 2.14% done; ETC: 10:05 (0:22:53 remaining)
    Completed SYN Stealth Scan at 10:05, 1359.35s elapsed (65536 total ports)
    Host 192.168.1.101 appears to be up ... good.
    All 65536 scanned ports on 192.168.1.101 are filtered
    MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)

    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 1360.284 seconds
               Raw packets sent: 131073 (5.767MB) | Rcvd: 1 (42B)

    Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-07 09:43 EST
    Initiating ARP Ping Scan at 09:43
    Scanning 192.168.1.101 [1 port]
    Completed ARP Ping Scan at 09:43, 0.00s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 09:43
    Completed Parallel DNS resolution of 1 host. at 09:43, 0.78s elapsed
    Initiating UDP Scan at 09:43
    Scanning 192.168.1.101 [65536 ports]
    UDP Scan Timing: About 2.14% done; ETC: 10:07 (0:22:53 remaining)
    Completed UDP Scan at 10:06, 1359.47s elapsed (65536 total ports)
    Host 192.168.1.101 appears to be up ... good.
    All 65536 scanned ports on 192.168.1.101 are open|filtered
    MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)

    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 1360.494 seconds
               Raw packets sent: 131073 (3.670MB) | Rcvd: 1 (42B)

The only response received was to the initial ping. Even the ability to respond to ICMP Echo Requests (pings) could be disabled, if it were not needed. To date, there has never been a successful penetration of a HughesNet customer network from the outside world.
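A reviewer of scan evidence like the transcript above wants to confirm two things mechanically: every port is in a state nmap assigns when a probe draws no reply at all ("filtered" for a SYN scan, "open|filtered" for a UDP scan), and the single received packet is the ARP reply to the initial ping, not an answer from any port. The Python below is an added check, not part of the Hughes paper; it parses the two summary blocks quoted from the paper (embedded here as sample input).

```python
import re
from dataclasses import dataclass

# The two scan summaries quoted in the white paper (SYN scan, then UDP scan),
# embedded as sample input so the check runs offline.
NMAP_SUMMARIES = [
    """Completed SYN Stealth Scan at 10:05, 1359.35s elapsed (65536 total ports)
Host 192.168.1.101 appears to be up ... good.
All 65536 scanned ports on 192.168.1.101 are filtered
MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)
Nmap done: 1 IP address (1 host up) scanned in 1360.284 seconds
Raw packets sent: 131073 (5.767MB) | Rcvd: 1 (42B)""",
    """Completed UDP Scan at 10:06, 1359.47s elapsed (65536 total ports)
Host 192.168.1.101 appears to be up ... good.
All 65536 scanned ports on 192.168.1.101 are open|filtered
MAC Address: 00:80:AE:A9:EF:9B (Hughes Network Systems)
Nmap done: 1 IP address (1 host up) scanned in 1360.494 seconds
Raw packets sent: 131073 (3.670MB) | Rcvd: 1 (42B)""",
]

# Port states nmap reports when a probe gets no reply of any kind: a SYN scan
# reports "filtered" (no SYN/ACK, no RST), a UDP scan reports "open|filtered"
# (no UDP reply and no ICMP port-unreachable).
NO_REPLY_STATES = {"filtered", "open|filtered"}

# An Ethernet ARP reply is 14 (Ethernet header) + 28 (ARP) = 42 bytes on the
# wire, which is the one packet an ARP ping scan of a LAN neighbour receives.
ARP_REPLY_FRAME_BYTES = 42


@dataclass
class ScanEvidence:
    scan_type: str
    target: str
    ports: int
    state: str
    sent: int
    rcvd: int
    rcvd_bytes: int


def parse_summary(text: str) -> ScanEvidence:
    """Extract the fields that bear on the 'no listening services' claim."""
    scans = re.findall(r"Completed (.+?) Scan at", text)
    m_all = re.search(r"All (\d+) scanned ports on (\S+) are (\S+)", text)
    m_raw = re.search(
        r"Raw packets sent: (\d+) \([^)]*\)\s*\|?\s*Rcvd: (\d+) \((\d+)B\)", text)
    if not (scans and m_all and m_raw):
        raise ValueError("expected nmap summary lines not found")
    return ScanEvidence(
        scan_type=scans[-1],            # last scan phase, after any ARP ping
        target=m_all.group(2),
        ports=int(m_all.group(1)),
        state=m_all.group(3),
        sent=int(m_raw.group(1)),
        rcvd=int(m_raw.group(2)),
        rcvd_bytes=int(m_raw.group(3)),
    )


def probes_per_port(ev: ScanEvidence) -> float:
    """Probes nmap sent per port, excluding the single ARP ping packet.
    Retransmissions only happen when nothing answers, so 2.0 here means
    every port was probed twice and never replied."""
    return (ev.sent - 1) / ev.ports


def shows_no_wan_services(ev: ScanEvidence) -> bool:
    """True when all ports are in a no-reply state and the only packet
    received during the whole run is the one ARP reply to the ping."""
    return (ev.state in NO_REPLY_STATES
            and ev.rcvd == 1
            and ev.rcvd_bytes == ARP_REPLY_FRAME_BYTES)


def evaluate(summaries=NMAP_SUMMARIES) -> dict:
    """Verdict over every summary block supplied."""
    evidence = [parse_summary(s) for s in summaries]
    return {
        "targets": sorted({e.target for e in evidence}),
        "states": [e.state for e in evidence],
        "probes_per_port": [probes_per_port(e) for e in evidence],
        "no_wan_services": all(shows_no_wan_services(e) for e in evidence),
    }


if __name__ == "__main__":
    print(evaluate())
```

The check holds only for a LAN-adjacent scan such as the paper's (ARP ping); across a routed path the expected receive count would be zero rather than one.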

Network Operations Center (NOC)

In the Hughes NOC, many devices are deployed to provide a high level of service functionality, as well as to maintain and enforce robust security. The Hughes NOC has several functions. First, the Hughes NOC aggregates traffic from the remote sites regardless of the access transport used. Second, it provides connectivity to third-party entities such as credit processors. Third, it hosts the functionality to perform the HughesNet proactive monitoring service. Fourth, it provides connectivity to the data center(s) via a backhaul. All these functions are supported and maintained in a highly secure environment. Figure 5 shows the Hughes NOC architecture.

All NOC equipment requires SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server. This is a standard Hughes security practice to ensure only authorized personnel have access to the network.

Remote Site Aggregation

There are three NOC devices that assist in aggregating remote site traffic: the DSL Provider Edge (PE) router, the Hughes Internet (Inet) router, and the Hughes IP Gateway. The DSL PE router and the Hughes Inet router have similar functions. Both directly aggregate traffic, but the DSL PE router supports the Layer 2 network and the Hughes Inet router supports the Layer 3 network. Both routers forward data through the Hughes IP Gateway and the enterprise LAN for transmission to the data center(s) or the credit card processor network.

Figure 5. Hughes NOC

The DSL PE router has no connection to the Internet. This router only aggregates sites served via a private Layer 2 connection, so inherently there is no threat from third-party attacks on the Internet. The only type of attack could be from within the network via the remote site, but since there is no ability to access the HN7700S-R configuration from the remote site, there is no way to alter the configuration to allow a rogue user to enter the network.

The Hughes Inet router has access to the Internet to aggregate traffic from sites using the Layer 3 architecture. The router's ACL is set up to accept only HNR UDP traffic and ICMP echo. Both traffic types would only be coming from the HN7700S-R. Traffic matching neither of these patterns is dropped. So, any third-party entity attempting to gain access to the network would have to emulate a remote site's IP address and the proprietary transport protocols used by the HN devices. Also, penetration tests and port scans are conducted every three months (per the PCI standard) on the Hughes Inet router.

The Hughes IP Gateway ultimately is the traffic aggregation device. As mentioned earlier, the Hughes IP Gateway establishes the AES IPSec tunnel and the PEP tunnel to the remote HN7700S-R. To accommodate this tunnel, the Hughes IP Gateway only allows traffic destined for the UDP port. This is enforced by a software packet filter. So, even if a third party initiated a malicious attack from the Internet, the traffic would be dropped, because it would not be in the proper packet format, port, or protocol. Moreover, the Hughes IP Gateway only allows remote HN7700S-Rs with the correct keys to access the network. Lastly, as an additional safeguard, the Hughes IP Gateway does not allow site-to-site connectivity. Hence, if there were ever an issue with a remote site in spite of all the aforementioned precautions, that issue could be localized so as not to cause any impact to the rest of the network.

Third Party Network Connectivity

The credit processor routers have direct communication with the credit processor network. This architecture is supported with either private line access or public secure VPN access. Regardless of the architecture, Hughes, along with the credit card processor, ensures security. The Hughes demarcation is the WAN side of the NAT router. The credit processor routers, collocated at the Hughes NOC, are managed by the third party, not by Hughes.

Hughes Proactive Monitoring Service

The Hughes Proactive Monitoring router serves to ping the remote sites and does not carry any live enterprise-specific traffic. The proactive monitoring traffic is in the form of Hughes-initiated pings. This management traffic is transmitted over the same AES IPSec tunnel as the enterprise data traffic.

Optional Firewalls

Hughes provides optional firewalls in the NOC. One firewall is used to protect the enterprise LAN from viruses or anomalous traffic. This way, if a remote site is affected, the impact can be quarantined to that site and not impact the corporate network. The second optional firewall provides secure Internet access via the NOC. Either open or fenced (white list) Internet access can be provided. The firewall protects the enterprise LAN and remote sites against security threats from the Internet.

Backhaul Connectivity

The Hughes NOC also supports backhaul connectivity to the data center(s), as described in the next section.
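The WAN-side filtering described for the HN7700S-R in the CPE section (accept only the IPSec-in-UDP port from the configured IP Gateway, answer ICMP echo, drop everything else without a reply) and the Inet router ACL described in this section (HNR UDP and ICMP echo from remote sites only) have the same deny-by-default shape. The Python below is an added model of that policy, not Hughes code; the addresses and the UDP port number are placeholders, since the paper does not disclose the Hughes-assigned port.

```python
from dataclasses import dataclass
from enum import Enum

# Placeholder addresses (documentation ranges) and a placeholder port; the
# paper does not disclose the real Hughes-assigned UDP port.
CPE_WAN_ADDR = "203.0.113.10"
IP_GATEWAY_ADDR = "198.51.100.1"
INET_ROUTER_ADDR = "198.51.100.2"
HN_UDP_PORT = 40000
ICMP_ECHO_REQUEST = 8


class Verdict(Enum):
    TO_IPSEC_STACK = "hand to IPSec stack; must still decrypt and authenticate"
    ICMP_ECHO_REPLY = "answer the echo request"
    DROP = "drop silently, no reply"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp" or "icmp"
    dport: int = 0        # transport destination port (0 for ICMP)
    icmp_type: int = -1   # ICMP type when proto == "icmp"


@dataclass(frozen=True)
class WanIngressPolicy:
    """Deny-by-default WAN filter: the only packets that reach software are
    UDP datagrams on one assigned port from an allow-listed peer, plus
    (optionally) ICMP echo requests. Everything else is dropped unanswered."""
    own_addr: str
    allowed_peers: frozenset
    udp_port: int
    answer_icmp_echo: bool = True

    def decide(self, pkt: Packet) -> Verdict:
        if pkt.dst != self.own_addr:
            return Verdict.DROP
        if pkt.proto == "icmp":
            if self.answer_icmp_echo and pkt.icmp_type == ICMP_ECHO_REQUEST:
                return Verdict.ICMP_ECHO_REPLY
            return Verdict.DROP
        if (pkt.proto == "udp" and pkt.dport == self.udp_port
                and pkt.src in self.allowed_peers):
            # Passing the filter is not acceptance: the IPSec stack still has
            # to decrypt and authenticate, so a source-spoofed datagram on the
            # right port from the right address fails there instead.
            return Verdict.TO_IPSEC_STACK
        # TCP of any kind, UDP to other ports, and an unsolicited IKE attempt
        # (UDP/500) from a non-peer all end here. Nothing is sent back, which
        # is why a scanner reports "filtered" / "open|filtered".
        return Verdict.DROP


# CPE side: the single permitted peer is the configured IP Gateway.
CPE_POLICY = WanIngressPolicy(CPE_WAN_ADDR, frozenset({IP_GATEWAY_ADDR}), HN_UDP_PORT)
# NOC Inet router side: permitted peers are the provisioned remote sites.
INET_POLICY = WanIngressPolicy(INET_ROUTER_ADDR, frozenset({CPE_WAN_ADDR}), HN_UDP_PORT)

# Constructed sample traffic; 192.0.2.99 stands for an unrelated Internet host.
SAMPLES = {
    "gateway ipsec-in-udp": (CPE_POLICY, Packet(IP_GATEWAY_ADDR, CPE_WAN_ADDR, "udp", HN_UDP_PORT)),
    "stranger right port":  (CPE_POLICY, Packet("192.0.2.99", CPE_WAN_ADDR, "udp", HN_UDP_PORT)),
    "stranger tcp syn 80":  (CPE_POLICY, Packet("192.0.2.99", CPE_WAN_ADDR, "tcp", 80)),
    "stranger ike udp 500": (CPE_POLICY, Packet("192.0.2.99", CPE_WAN_ADDR, "udp", 500)),
    "stranger icmp echo":   (CPE_POLICY, Packet("192.0.2.99", CPE_WAN_ADDR, "icmp", icmp_type=8)),
    "site to inet router":  (INET_POLICY, Packet(CPE_WAN_ADDR, INET_ROUTER_ADDR, "udp", HN_UDP_PORT)),
    "stranger to inet":     (INET_POLICY, Packet("192.0.2.99", INET_ROUTER_ADDR, "udp", HN_UDP_PORT)),
}


def evaluate_samples(samples=SAMPLES) -> dict:
    """Return {label: verdict name} for each constructed packet."""
    return {label: policy.decide(pkt).name for label, (policy, pkt) in samples.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:22s} -> {verdict}")
```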

Backhaul

The backhaul network connects the Hughes NOC to the customer data center(s). The NOC backhaul routers connect to the enterprise network routers at the data center(s). There are two different architectures to support the backhauls.

First, there is the private line backhaul, which is supported with the enterprise backhaul router from the NOC. This router is connected to an enterprise router on the enterprise network at the data center. As with all the equipment in the NOC, both routers require SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server.

Second, there is also an option for an IPSec VPN tunnel from the NOC to the data center(s). This is supported with the enterprise backhaul VPN router connected to the enterprise router at the data center. Both routers have restricted ACLs which permit only IPSec on the Internet interface for a VPN peer. The IPSec VPN is 3DES strength, using a pre-shared secret key with a 15-minute lifetime. There is no NAT supported for end-user client Internet access. Also, as explained above, SSL security is required for management access with two-factor authentication. The authentication request is logged through an RSA server. Figure 6 shows the backhaul architecture.

Figure 6. Backhaul Architecture

Security Management

Hughes has been evaluated on various business practices based on the Payment Card Industry (PCI) standards. In addition to the configuration of the network, Hughes takes pride in the processes and procedures used to maintain the high level of security. This includes a structured and consistent installation procedure, ensuring that only the correct configurations are deployed in the network by authorized personnel. Any changes in the network configuration are first reviewed and verified in a test environment before being launched in the production environment by authorized personnel. All critical NOC component configurations are reviewed, and anti-virus programs run on a consistent basis. Additionally, Hughes has a process in place to identify new security risks and to test the network for vulnerabilities. Logging occurs in case of unauthorized access to a critical NOC component. Lastly, Hughes strictly adheres to both physical and logical security. Only authorized personnel are allowed in controlled areas. Two-factor authentication is consistently used for logical access to sensitive equipment.

Summary

Hughes has an extremely comprehensive network security system. From the CPE to the NOC to the backhaul, all components have robust security. This is supported by the successful PCI review of the HughesNet Managed Network Services solution. By adhering to PCI standards, not only does Hughes provide strong protection and security for customer traffic, but the processes and procedures used for implementation, monitoring, and change management provide for continuous improvement. The end result is a highly secure and reliable managed broadband VPN service for the enterprise customer.

Proprietary Statement

All rights reserved. This publication and its contents are proprietary to Hughes Network Systems, LLC. No part of this publication may be reproduced in any form or by any means without the written permission of Hughes Network Systems, LLC, 11717 Exploration Lane, Germantown, Maryland 20876. HUGHES, HughesNet, IPoS, TurboPage, SPACEWAY, AIReach, Broadband Unbound, and Connect to the future are trademarks of Hughes Network Systems, LLC. All other trademarks are the property of their respective owners. © 2009 Hughes Network Systems, LLC. All information is subject to change. All rights reserved. HUGHES PROPRIETARY H39058 ID FEB 09