🧘SD-WAN & The Art of Network Maintenance🥷


The original book remains a classic and in this article we borrow from it liberally:
This article describes the steps taken within SD-WAN to provide overall better operations and security for a network. SD-WAN is Zen. This article deals with how many firewall administrators are missing Zen, as many security requirements are not the exclusive ambit of firewalls.
But there is some help in network maintenance. Here is the network equivalent of motorcycle manuals:
DNS Server
This simple configuration is where the security of most firewalls breaks! 8.8.8.8 is not a secure DNS server. It is the spawn of Satan that monitors your activities and uses the mined information to blast you with ads.
Only having the Google DNS server configured with no secondary is a real brainfart. And then using 8.8.4.4 as the secondary is bordering on being certifiably insane. The security nomenclature of C.I.A. also includes "Availability", which is broken by the Google-only DNS strategy: when you lose connection to Google you lose everything...
As a matter of best practice it is preferable to use 3 x DNS servers. As a minimum use the secure ones:
9.9.9.9 # Quad9
1.1.1.2 # Cloudflare
208.67.222.222 # OpenDNS
This blocks access to insecure and dodgy sites. (BTW: That is a good thing.)
If you are a business you can go one step further and filter NSFW content as well!
1.1.1.3 # Cloudflare
208.67.222.123 # OpenDNS
94.140.14.15 # AdGuard
The Centre for Internet Security actually uses configuring Google as a DNS server as an example. Sies, that is like a Meerkat inviting a Rinkhals into his burrow and expecting not to be attacked.
Using DNS filters prevents access to, for example, malware-related C&C or botnet sites.
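An added audit script (not from the original article) that checks a resolv.conf-style resolver list against the advice above: it flags Google resolvers, a single-provider set with no availability fallback, fewer than three resolvers, and the absence of any of the filtering resolvers listed. The provider mapping is constructed from the addresses named in this article.

```python
"""Audit a resolv.conf-style resolver list against the DNS advice in the article."""
from __future__ import annotations

# Provider classification, constructed from the addresses named in the article.
PROVIDERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "9.9.9.9": "Quad9",
    "1.1.1.2": "Cloudflare", "1.1.1.3": "Cloudflare",
    "208.67.222.222": "OpenDNS", "208.67.222.123": "OpenDNS",
    "94.140.14.15": "AdGuard",
}
# Everything except Google in the table above is a filtering resolver.
FILTERING = {ip for ip, provider in PROVIDERS.items() if provider != "Google"}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses in order, ignoring comments and other options."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(resolv_conf: str) -> list[str]:
    """Return findings; an empty list means the resolver set follows the advice."""
    servers = parse_nameservers(resolv_conf)
    if not servers:
        return ["no nameserver configured"]
    findings = []
    providers = {PROVIDERS.get(ip, "unknown") for ip in servers}
    for ip in servers:
        if PROVIDERS.get(ip) == "Google":
            findings.append(f"{ip} is a Google resolver: no malware/C&C filtering")
    if len(providers) == 1:
        # Availability: one provider means one point of failure for all resolution.
        findings.append(f"all resolvers belong to {providers.pop()}: no fallback")
    if len(servers) < 3:
        findings.append(f"only {len(servers)} resolver(s) configured; use 3")
    if not any(ip in FILTERING for ip in servers):
        findings.append("no filtering resolver (Quad9/Cloudflare/OpenDNS/AdGuard)")
    return findings


# Constructed sample inputs: the Google-only default and the recommended set.
GOOGLE_ONLY = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"
RECOMMENDED = "options timeout:2\nnameserver 9.9.9.9 # Quad9\nnameserver 1.1.1.2\nnameserver 208.67.222.222\n"
```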
Network isolation
Behind the perimeter of the firewall it is usually a party. Most firewalls by default allow zones to communicate with each other. That means all it takes is one end point to be compromised and it's a breeze to implement lateral movement throughout the whole organization. As a minimum, zones need to be segmented. As an example, partition IoT devices from office computers.
Direct WAN Management
This is one many ISPs implement: management directly over the WAN interface. There is no separate management plane and access is directly via the WAN port of the firewall. Crikey, they love living dangerously!
Login Awareness
Leaving banners on defaults is clumsy. Customize the banners so that there is awareness of what is being accessed and then trigger notifications of successful logins.
Use keys and implement hacking mitigation using tools such as sshguard and fail2ban. Even if you have a separate management plane, it's better to have multiple mitigation strategies.
Logs & Time
Make certain that suitable logging exists and that these logs are aggregated to a management server. And set the time and its zone correctly, otherwise those logs will be of no value! And set your hostname to something tangible or else you will also be in the dark.
Use a pool of NTP servers as follows and add a stable regional time source:
debian.pool.ntp.org
ntp.nap.africa
In the above example, we are using the time server located at the NAPAfrica peering exchange.
Firmware
There are 2 IT memes that highlight the problems in technology mindsets.
If it was working correctly it shouldn't break! Ja well no fine.
If you don't fix it and it's a firewall then you will be compromised. As an example, Fortigate is the most compromised network infrastructure as reported by CIS. If you don't update the firmware, then you will be screwed. If you cannot afford the Fortinet subscriptions then change to alternatives. Fix it.
Monitor the Device Metrics
It's crucial to have access to device metrics, especially something like the CPU and processors. These also need to be historically trended.
You will be bumping around in the dark if there is no decent management application that provides device metrics. As an example, you won't even be able to diagnose something as simple as a reboot or power outage.
Also, it's not a BGP flap when the firewall or router is attached to a switch which reboots due to a code violation error. (Bug!🐛) You need visibility for causation.
Inventory
If you have a large real estate of technology then it is imperative that you have an inventory that is up to date and correct. You cannot blindly trust whoever or whatever is on your network. This is a gap that many network and firewall administrators skip. Mostly, because the firewall does not do it and in most cases there is only a superficial attempt at capacity management. Ja well no fine. That oversight will cost you badly. It's not too difficult and there are even some open source derivatives available.
At a push try something like 👉 Pi.Alert! You'll be more secure than someone with boggerol.
No Noobs
Enough said! Security is not about acting like an ostrich which seems par for the course for many...
Trust
You have to whitelist management servers and access. Unless you are accessing from a known address, jammer!
A well known ISP didn't whitelist their management servers on a client's firewall as they didn't want the IP address known. WTO!!! What The Ostrich...
Ports
Change the access ports because it makes the task for an intruder more difficult. Of course this strategy isn't bulletproof, but it will disrupt a significant number of script kiddies.
Rule Reviews
It is important to track rules and be able to audit them in a reasonable fashion. First the rule must have a name that is suitably descriptive and have a comment associated with it that is relevant to a change or service request. Leaving rule names and comments blank is a major oversight.
Next, at a high level, you want to know which rules, identified by rule number, have been added, changed or deleted during the review period. This will allow an audit validation of those rules.
It is not feasible to do a once-off rule validation on a complete rule set as it is time consuming and tedious. Doing it on regular review periods is more pragmatic.
Often what is required is to pick up when a rule is created that uses "all" as a service, which is not secure.
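An added example (not code from the article) of the rule review described above: it diffs two constructed rule-set snapshots keyed by rule number, reports what was added, changed or deleted in the review period, and audits only those touched rules for blank names, missing change/service request references and a service of "all". The field names are assumptions; map them to whatever your firewall exports.

```python
"""Rule review: diff two rule-set snapshots and audit the rules touched in the period."""
from __future__ import annotations

# Constructed snapshots keyed by rule number. Field names are assumptions.
PREVIOUS = {
    10: {"name": "lan-to-dmz-web", "service": "HTTPS", "comment": "CR-1042"},
    20: {"name": "iot-to-internet", "service": "DNS", "comment": "CR-1050"},
    30: {"name": "", "service": "SMTP", "comment": ""},
}
CURRENT = {
    10: {"name": "lan-to-dmz-web", "service": "HTTPS", "comment": "CR-1042"},
    20: {"name": "iot-to-internet", "service": "ALL", "comment": "CR-1050"},
    40: {"name": "vendor-access", "service": "ALL", "comment": ""},
}


def diff_rules(previous: dict, current: dict) -> dict[str, list[int]]:
    """Rule numbers added, changed or deleted between the two snapshots."""
    common = set(previous) & set(current)
    return {
        "added": sorted(set(current) - set(previous)),
        "changed": sorted(r for r in common if previous[r] != current[r]),
        "deleted": sorted(set(previous) - set(current)),
    }


def audit_rule(number: int, rule: dict) -> list[str]:
    """Findings for one rule: blank name, blank comment, or an 'all' service."""
    findings = []
    if not rule.get("name", "").strip():
        findings.append(f"rule {number}: name is blank")
    if not rule.get("comment", "").strip():
        findings.append(f"rule {number}: no change/service request in comment")
    # "any" is treated like "all" (assumption: some vendors spell it that way).
    if rule.get("service", "").strip().lower() in {"all", "any"}:
        findings.append(f"rule {number}: service is 'all'")
    return findings


def review(previous: dict, current: dict) -> tuple[dict, list[str]]:
    """Audit only rules added or changed in the review period, not the whole set."""
    delta = diff_rules(previous, current)
    findings = []
    for number in delta["added"] + delta["changed"]:
        findings.extend(audit_rule(number, current[number]))
    return delta, findings
```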
Blocking
Blocking needs to be implemented for the devices which include Tor Exit Nodes, Tor Relay Nodes, Censys/Shodan/Expanse Scanners, Botnet C&C, Phishing, Proxies, Spam, VPNs, and Malicious/Abuse IPs.
Dodgy applications
Stop torrenting. Eish!
Review and find unencrypted traffic.
The Firewall is not a Castle
Don't run your VPNs on the network firewall. Create a DMZ for the purpose.
Size matters
Many performance problems are MTU related and a decent SD-WAN automatically adjusts to the right value. The 800 pound gorillas? No way, they are slow, clumsy and not optimal!
Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa, the leading specialized SD-WAN provider in South Africa. Learn more: 👉 Contact Fusion
Written by Ronald Bartels, Driving SD-WAN Adoption in South Africa