HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

HughesNet Managed Broadband Services includes a high level of end-to-end security features based on a robust architecture designed to meet the needs of the enterprise customer.

APR 2009
White Paper

Introduction

Hughes is one of the world's largest providers of managed broadband services to a wide range of enterprise and government customers for whom a high level of end-to-end security is an absolute requirement. This white paper describes the comprehensive security functions, features, and safeguards that Hughes has designed into its HughesNet managed service capabilities.

As illustrated in Figure 1, a typical enterprise end-to-end network architecture covers all information paths from the customer premises equipment (CPE) to the Network Operations Center (NOC), and through to the backhaul terminating at the customer datacenter.

Figure 1. Enterprise Network
Customer Premises Equipment (CPE)

As illustrated in Figure 2, HughesNet Managed Services employs the Cisco 87x family of routers at customer sites to enable virtual private networks (VPNs). In particular, the Cisco 877 is used for DSL circuits; it incorporates an integrated modem and connects directly to the twisted-pair copper wire jack. The Cisco 871 is used for any non-DSL site and connects to a cable or wireless modem via Ethernet (not shown in the diagram) in order to transmit and receive traffic over the non-DSL broadband access network. In both cases, the modem serves as a Layer 2 bridge and has no routing functionality. Both models, the 871 and the 877, provide all the Layer 3 routing, security, and management functions. The following discussion applies to both the 871 and the 877, as the same implementation, configuration, and management rules apply.

The HughesNet standard configuration of the Cisco 87x router is a PCI-compliant architecture that does not allow open Internet connectivity. The configuration management system ensures that the router configuration allows only one route, which is to the 3DES IPSec tunnel terminating at the Hughes NOC. The router's ACL has rules to ensure that all traffic is sent over the tunnel. Within the 3DES IPSec tunnel, HughesNet establishes, maintains, and monitors an L2TP tunnel. All management traffic is transmitted within the 3DES IPSec tunnel, including the ICMP pings that are used to determine the up/down status of the remote site.

In addition, HughesNet can support a PCI-compliant split-tunneling architecture, which provides simultaneous open Internet access and secure tunneling. This requires an Intrusion Detection System (IDS) and/or Intrusion Prevention System (IPS) to keep the secured tunnel traffic properly protected from the open Internet traffic. This document does not focus on the split-tunneling configuration and only discusses the standard secured tunneling approach.
The 3DES IPSec tunnel provides security and encryption functionality protecting all data traffic from the remote site to the Hughes NOC and back. HughesNet supports both Layer 2 and Layer 3 broadband access architectures. With either option, the network only provides connectivity between the remote site and the Hughes NOC; no other connectivity is allowed, since these are private connections. With Layer 3, the Internet is used as a transport network, and the 3DES IPSec VPN tunnel is administered to maintain security. The same 3DES IPSec VPN tunnel used in the Layer 3 case is also used in the Layer 2 case.

Figure 2. Hughes Enterprise Access Network

There is no local (LAN) access to the Cisco 87x to view or modify the configuration. Hence, there is no unauthorized way to alter the configuration for access to the network. Hughes implements two-factor authentication, and each user has his/her own username/password combination. All configurations are managed at the NOC and are pushed out to the remote sites.

Hughes goes to great lengths to ensure proper configuration management. When a specific configuration is sent to the customer site, there are various quality assurance steps. Any potential misconfiguration that could impact security at the remote site is automatically cross-checked against the router's configuration capabilities. For example, if the configuration mistakenly allows open Internet connectivity and there is no IDS or IPS on the CPE, then the configuration management system will not allow the configuration to be sent. It will be reviewed and changed to the correct configuration. Very careful attention is paid to the remote site configuration to ensure that proper safety guidelines are followed.

Network Operations Center (NOC)

In the Hughes NOC, many devices are deployed to provide a high level of service functionality, as well as to maintain and enforce robust security. The Hughes NOC has several functions. First, it aggregates traffic from the remote sites regardless of the access transport used. Second, it provides connectivity to third-party entities such as credit processors. Third, it hosts the functionality to perform the Hughes Proactive Monitoring Service. Fourth, it provides connectivity to the datacenter(s) via a backhaul. All these functions are supported and maintained in a highly secure environment. Figure 3 shows the Hughes NOC architecture.

Figure 3. Hughes NOC
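The CPE section above states three rules that the configuration management system enforces before a configuration is pushed to a site: a single route into the IPSec tunnel to the NOC, an ACL that sends all traffic over that tunnel, and no open Internet connectivity unless the CPE has an IDS/IPS (the cross-check against the router's capabilities). The following is an added example of a policy gate that encodes those rules; it is not Hughes' configuration management system, and the data model, the site names, the NOC endpoint address (203.0.113.10, a documentation-range address) and the LAN prefixes are constructed for the example. The expected cipher is left at 3DES because that is what the paper states; current guidance (NIST SP 800-131A Rev. 2) disallows 3DES, so a present-day deployment would set that constant to an AES transform.

```python
from dataclasses import dataclass, field

# Constructed placeholders: the NOC tunnel endpoint and the transform policy expects.
NOC_TUNNEL_PEER = "203.0.113.10"   # stands in for the NOC IPsec gateway (documentation range)
EXPECTED_CIPHER = "3des"           # as the 2009 paper states; NIST SP 800-131A Rev. 2 disallows 3DES today


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # source prefix or "any"
    dst: str           # destination prefix or "any"
    via_tunnel: bool   # True if matching traffic is steered into the IPsec tunnel to the NOC


@dataclass
class ConfigCandidate:
    site: str
    routes: list = field(default_factory=list)   # (prefix, next_hop) pairs
    acl: list = field(default_factory=list)      # AclEntry objects in evaluation order
    ipsec_cipher: str = EXPECTED_CIPHER
    has_ids_ips: bool = False                    # CPE capability, taken from the device inventory


def open_internet_allowed(cfg: ConfigCandidate) -> bool:
    """True if any ACL entry permits traffic that bypasses the tunnel (open Internet)."""
    return any(e.action == "permit" and not e.via_tunnel for e in cfg.acl)


def validate(cfg: ConfigCandidate) -> list:
    """Return the policy violations for a candidate config; an empty list means it may be pushed."""
    problems = []

    # Rule 1: exactly one route, and it is the default route into the NOC tunnel.
    if len(cfg.routes) != 1:
        problems.append(f"{cfg.site}: expected exactly one route, found {len(cfg.routes)}")
    elif cfg.routes[0] != ("0.0.0.0/0", NOC_TUNNEL_PEER):
        problems.append(f"{cfg.site}: the single route must be 0.0.0.0/0 via {NOC_TUNNEL_PEER}")

    # Rule 2a: the ACL must actually steer traffic into the tunnel.
    if not any(e.action == "permit" and e.via_tunnel for e in cfg.acl):
        problems.append(f"{cfg.site}: ACL has no permit entry that steers traffic into the tunnel")

    # Rule 2b: tunnel bypass (split tunneling) is only acceptable when the CPE has an IDS/IPS.
    # This is the cross-check against the router's capabilities that the paper describes.
    if open_internet_allowed(cfg) and not cfg.has_ids_ips:
        problems.append(f"{cfg.site}: open Internet permitted but CPE has no IDS/IPS")

    # Rule 3: the tunnel transform is the one policy expects.
    if cfg.ipsec_cipher != EXPECTED_CIPHER:
        problems.append(f"{cfg.site}: IPsec cipher {cfg.ipsec_cipher!r} is not the policy cipher")

    return problems


def may_push(cfg: ConfigCandidate) -> bool:
    """The gate applied before a configuration is sent to a remote site."""
    return not validate(cfg)


# Constructed sample candidates (site names and LAN prefixes are invented).
GOOD = ConfigCandidate(
    site="site-0417",
    routes=[("0.0.0.0/0", NOC_TUNNEL_PEER)],
    acl=[AclEntry("permit", "10.41.7.0/24", "any", via_tunnel=True)],
)

# Two routes and a permit that bypasses the tunnel, on a CPE without IDS/IPS: blocked.
BAD = ConfigCandidate(
    site="site-0418",
    routes=[("0.0.0.0/0", NOC_TUNNEL_PEER), ("0.0.0.0/0", "192.0.2.1")],
    acl=[
        AclEntry("permit", "10.41.8.0/24", "any", via_tunnel=False),
        AclEntry("permit", "10.41.8.0/24", "any", via_tunnel=True),
    ],
)

# Same bypass entry, but the inventory says an IDS/IPS is present: the split-tunnel case passes.
SPLIT = ConfigCandidate(
    site="site-0419",
    routes=[("0.0.0.0/0", NOC_TUNNEL_PEER)],
    acl=[
        AclEntry("permit", "10.41.9.0/24", "any", via_tunnel=False),
        AclEntry("permit", "10.41.9.0/24", "any", via_tunnel=True),
    ],
    has_ids_ips=True,
)

if __name__ == "__main__":
    for cfg in (GOOD, BAD, SPLIT):
        print(cfg.site, "push" if may_push(cfg) else "blocked", validate(cfg))
```

The value of a gate like this is that it is a property of the candidate configuration and the device inventory, not of the operator's attention: `BAD` is blocked for two independent reasons and the operator sees both, while `SPLIT` is allowed only because the inventory, not the configuration itself, says the IDS/IPS is there.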
All NOC equipment requires SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server. It is a standard Hughes security practice to ensure that only authorized personnel have access to the network.

Remote Site Aggregation

There are four NOC devices that assist in aggregating remote site traffic: the DSL Provider Edge (PE) router, the Hughes Internet (Inet) router, the L2TP router, and the IPSec firewall. The DSL PE router and the Hughes Inet router have similar functions. Both directly aggregate traffic, but the DSL PE router supports the Layer 2 network and the Hughes Inet router supports the Layer 3 network. Both routers forward data to the IPSec firewall, then to the L2TP router, and then to the enterprise LAN for transmission to the datacenter(s) or the credit card processor network.

The DSL PE router has no connection to the Internet. This router only aggregates sites served via a private Layer 2 connection; therefore, there are no inherent threats from third-party attacks on the Internet. The only type of attack could be from within the network via the remote site, but since there is no ability to access the Cisco 87x configuration from the remote site, there is no way to alter the configuration to allow a rogue user to enter the network.

The Inet router has access to the Internet to aggregate traffic from sites using the Layer 3 architecture. The router's ACL is set up to accept traffic only from a remote site, sent over the proper port with the proper protocol. Any third-party entity attempting to gain access to the network would have to emulate a remote site's IP address, emulate the Inet router's IP address, emulate the transport protocol, and send over the correct port. Also, penetration tests and port scans are conducted every three months (per the PCI standard) on the Inet router.
After the traffic flows through either the DSL PE router (for Layer 2 traffic) or the Inet router (for Layer 3 traffic), it flows to the IPSec firewall. The IPSec firewall terminates the IPSec tunnel from the 87x located at the remote site. Once the IPSec tunnel is terminated at the firewall, the traffic is sent to the L2TP router, which terminates the L2TP tunnel. After this tunnel is terminated, the traffic is forwarded to the enterprise LAN for delivery to the corporate headquarters (via the backhaul) or to the credit processor network.

Third-Party Network Connectivity

The credit processor routers have direct communication with the credit processor network. This architecture is supported either with private line access or with public secure VPN access. Regardless of the architecture, Hughes, together with the credit card processor, ensures security. The Hughes demarcation point is the WAN side of the NAT router. The credit processor routers, co-located at the Hughes NOC, are managed by the third party, not by Hughes.

Hughes Proactive Monitoring Service

The Hughes proactive monitoring router serves to ping the remote sites and does not carry any live enterprise-specific traffic. The proactive monitoring traffic consists of Hughes-initiated pings. This management traffic is transmitted over the same 3DES IPSec tunnel as the enterprise data traffic.

Optional Firewalls

Hughes provides optional firewalls in the NOC. One firewall is used to protect the enterprise LAN from viruses or anomalous traffic. This way, if a remote site is affected, the impact can be quarantined to that site and does not reach the corporate network. The second optional firewall provides secure Internet access via the NOC. Either open or fenced (white list) Internet access can be provided. The firewall protects the enterprise LAN and remote sites against security threats from the Internet.
Backhaul Connectivity

The Hughes NOC also supports backhaul connectivity to the datacenter(s), as described in the next section.
Backhaul

The backhaul network connects the Hughes NOC to the customer datacenter(s). The NOC backhaul routers connect to the enterprise network routers at the datacenter(s). There are two different architectures to support the backhauls.

First, there is the private line backhaul, which is supported by the enterprise backhaul router from the NOC. This router is connected to an enterprise router on the enterprise network at the datacenter. As with all the equipment in the NOC, both routers require SSL security for management access with two-factor authentication. The authentication request is logged through an RSA server.

There is also an option for an IPSec VPN tunnel from the NOC to the datacenter(s). This is supported by the enterprise backhaul VPN router connected to the enterprise router at the datacenter. Both routers have restricted ACLs that permit only IPSec on the Internet interface for a VPN peer. The IPSec VPN is 3DES strength, using a pre-shared secret key with a 15-minute lifetime. No NAT is supported for end-user client Internet access. Also, as explained above, SSL security is required for management access with two-factor authentication, and the authentication request is logged through an RSA server.

Figure 4. Backhaul Architecture
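Both the Inet router in the Remote Site Aggregation section and the backhaul VPN routers just described apply the same kind of Internet-facing ACL: accept only IPSec from a configured VPN peer addressed to the router's own tunnel endpoint, and drop everything else. The following is an added example of that filter with the denials collected for monitoring; it is not Hughes' router configuration. The router address, peer addresses and sample packets are constructed from documentation ranges (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24), and the concrete definition of "IPSec" as ESP (IP protocol 50) plus IKE on UDP/500 and NAT-T on UDP/4500 is an assumption, since the paper does not enumerate the protocol and port.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from documentation ranges.
ROUTER_WAN_IP = "203.0.113.10"                       # the router's own Internet-facing address
KNOWN_PEERS = {"198.51.100.21", "198.51.100.22"}     # configured VPN peers (remote sites / datacenter)

# Assumption: "IPsec" on the Internet interface means ESP plus IKE and NAT-T.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
IKE_PORTS = {500, 4500}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def is_ipsec(pkt: Packet) -> bool:
    """ESP, or IKE/NAT-T over UDP, is all a VPN peer should be sending to this interface."""
    return pkt.proto == IPPROTO_ESP or (pkt.proto == IPPROTO_UDP and pkt.dport in IKE_PORTS)


def acl_decision(pkt: Packet) -> tuple:
    """Evaluate one packet arriving on the Internet interface; returns (verdict, reason)."""
    if pkt.dst != ROUTER_WAN_IP:
        return "deny", "not addressed to the tunnel endpoint"
    if pkt.src not in KNOWN_PEERS:
        return "deny", "source is not a configured VPN peer"
    if not is_ipsec(pkt):
        return "deny", "protocol/port is not IPsec"
    return "permit", "IPsec from a known peer"


def filter_packets(packets) -> tuple:
    """Apply the ACL to a batch; return the permitted packets and a Counter of denials by (src, reason).

    The Counter is the part a NOC would feed into monitoring: repeated denials from one
    address are the visible trace of a probe, and an address outside the peer set that
    keeps hitting UDP/500 is worth an alert even though the ACL already drops it.
    """
    permitted = []
    denied = Counter()
    for p in packets:
        verdict, reason = acl_decision(p)
        if verdict == "permit":
            permitted.append(p)
        else:
            denied[(p.src, reason)] += 1
    return permitted, denied


# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.21", ROUTER_WAN_IP, IPPROTO_UDP, 500),    # IKE from a known peer: permit
    Packet("198.51.100.21", ROUTER_WAN_IP, IPPROTO_ESP),         # ESP from a known peer: permit
    Packet("198.51.100.22", ROUTER_WAN_IP, IPPROTO_UDP, 4500),   # NAT-T from a known peer: permit
    Packet("192.0.2.77", ROUTER_WAN_IP, IPPROTO_UDP, 500),       # right protocol, unknown source: deny
    Packet("198.51.100.21", ROUTER_WAN_IP, IPPROTO_TCP, 22),     # known peer, but SSH is not IPsec: deny
    Packet("192.0.2.77", "203.0.113.11", IPPROTO_ESP),           # not addressed to this router: deny
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE)
    print(f"permitted {len(ok)} packets")
    for (src, reason), n in dropped.items():
        print(f"denied {n} from {src}: {reason}")
```

One caveat a practitioner should keep in mind: matching on source address is filtering, not authentication. A packet with a forged source address still reaches the IKE responder, so what actually prevents an impostor from bringing up a security association is IKE authentication (the pre-shared key in the backhaul case above); the ACL's job is to keep every other protocol and every other source off the router entirely, and to produce the deny record that monitoring can act on.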
Security Management

Hughes has been evaluated on various business practices based on Payment Card Industry (PCI) standards. In addition to the configuration of the network, Hughes takes pride in the processes and procedures that are in place in order to maintain its high level of security. This includes a structured and consistent installation procedure ensuring that only the correct configurations are deployed in the network by authorized personnel. Any changes in the network configuration are first reviewed and verified in a test environment before being launched in the production environment by authorized personnel. All critical NOC component configurations are reviewed, and anti-virus programs are run, on a consistent basis. Additionally, Hughes has a process in place to identify new security risks and test the network for vulnerabilities. Logging occurs in case of unauthorized access to a critical NOC component.

Lastly, Hughes strictly adheres to both physical and logical security. Only authorized personnel are allowed in controlled areas. Two-factor authentication is consistently used for logical access to sensitive equipment.

Summary

From the CPE to the NOC to the backhaul, all components in the HughesNet managed broadband service architecture have robust security. This has been validated by the successful PCI review of the HughesNet Managed Services conducted by the Cardholder Information Security Program (CISP) in 2006. By adhering to PCI standards, Hughes not only provides strong protection and security for customer traffic; the processes and procedures used for implementation, monitoring, and change management also call for continuous improvement. The end result is a highly secure and reliable HughesNet managed broadband VPN service for even the most demanding enterprise customer.

Proprietary Statement

All rights reserved. This publication and its contents are proprietary to Hughes Network Systems, LLC. No part of this publication may be reproduced in any form or by any means without the written permission of Hughes Network Systems, LLC, 11717 Exploration Lane, Germantown, Maryland 20876. HUGHES, HughesNet, IPoS, TurboPage, SPACEWAY, AIReach, Broadband Unbound, and Connect to the future are trademarks of Hughes Network Systems, LLC. All other trademarks are the property of their respective owners. © 2009 Hughes Network Systems, LLC. All information is subject to change. All rights reserved.

HUGHES PROPRIETARY H39083 ID APR 09