Security Features

Separation of Management and Network Traffic

The Oracle SD-WAN explicitly segregates all management and network traffic. This affords the appliance the ability to use known hardened applications to protect the appliance's management and configuration features without concern for collisions with Talari technologies.

This division also means that the Oracle SD-WAN data path cannot be compromised through management applications with known or unknown exploits or through standard probing techniques as the data path is not required to monitor, respond to, or forward management application traffic.

Separation of Management and Network Traffic in the APNA

Security Zones

Oracle SD-WAN configuration allows for the explicit designation of network interfaces as Trusted or Untrusted.

A Trusted interface is a port that connects to a network where security is provided or is unnecessary. An example of this would be a link to an MPLS network or to a router that manages network-to-network security via a VPN infrastructure. Generally speaking, it is expected that a Trusted network segment is firewalled. Paths on a trusted interface can be configured as encrypted or non-encrypted.

An Untrusted interface is a port that connects to a network where no security/firewall is provided. An example of this would be a link to the public Internet, such as a DSL or Cable Internet connection. Paths on an untrusted interface can only be configured as encrypted. The Oracle SD-WAN does not allow non-encapsulated traffic to be forwarded from an Untrusted to a Trusted interface but does allow for PING and ARP requests.

Conduit Encryption Protocol

All data between sites is encrypted. The Oracle SD-WAN supports two types of Conduit Encryption Protocol:

TRP Encryption Protocol - This is based on Symmetric Key Encryption and implements Oracle propriety encryption protocol.
DTLS Encryption Protocol - This is an Open standard protocol and based on SSL/TLS.

One of the conduit encryption protocols is selected and configured globally for the entire SD-WAN.

Path Encryption

All Paths within a Conduit can be independently configured to encrypt or not encrypt their data between Sites. The method of encryption is configured globally for the entire Oracle SD-WAN. Path encryption is performed as follows:

AES Encryption with 128bit or 256bit key (key length configured globally)
Cipher Block Chaining (CBC) Mode
Per-protocol sequence numbers included in every encrypted packet to help ensure message indistinguishability
Per-session symmetric encryption keys negotiated using Elliptic Curve Diffie-Hellman exchange
Optional: Periodic encryption key rotation using Elliptic Curve Diffie-Hellman exchange
Optional: Use of an Initialization Vector, known as the Extended Packet Encryption Header
Optional: Use of additional message authentication information, known as the Extended Packet Authentication Trailer

Per-Session Encryption Keys and Encryption Key Rotation

Per-session encryption keys are generated and automatically rotated (when Encryption Key Rotation is enabled) using an Elliptic Curve Diffie-Hellman algorithm. This provides the following benefits:

Forward Secrecy
Frequency Analysis from one session to another becomes a cryptographically hard problem since the session start and sequence number wrapping events are not immediately known
A compromised encryption key does not automatically compromise the entire system and an Oracle SD-WAN reboot or encryption rekey re-secures the entire Oracle SD-WAN

Use of the Encryption Key Rotation feature is configured globally for the entire Oracle SD-WAN. It is enabled by default and Oracle strongly recommends that it remain enabled during normal operation. Disabling this feature may be relevant for certain troubleshooting scenarios. When enabled, Conduit encryption keys will be renegotiated on a random interval between 10 and 15 minutes.

Peer Message Authentication

The Oracle SD-WAN encrypts a checksum of the Talari Reliable Protocol (TRP) header as part of each outgoing message. After decryption is complete on the receiving end, the checksum is validated. Since the checksum was encrypted with the message, the Oracle SD-WAN assumes that a trusted party sent the message, provided that the encryption key is secure.

Size	Field
16 bits	Header Checksum
6 bits	Version, Flags (control, more to come, aggregated)
10 bits	Header Length
4 bits	Padding Length
14 bits	Remote WAN Link ID
14 bits	Local WAN Link ID
16 bits	Path Sequence Number

Users can also enable the Extended Packet Authentication Trailer, which greatly strengthens message authentication. This feature is described below.

Replay Attack Protection

In the Oracle SD-WAN, the NCN maintains a network time to which all Clients must sync. This gives the Oracle SD-WAN a uniquely accurate method to protect against replay attacks without the need for sequence number synchronization. The Oracle SD-WAN obfuscates a sent timestamp in the TRP trailer of each outgoing message. If the sent timestamp of an arriving packet isn't within a certain range of the current network time, the packet is unlikely to be needed by users in the network and is also unlikely to be valid for processing. The Oracle SD-WAN will discard the packet.

TRP Trailer

The timestamp is sent with microsecond resolution and is 32 bits in length, which yields a ~4300 second (72 minute) range of protection. Encryption key rotation (which is configurable, but enabled by default) causes encryption keys to be renegotiated at intervals not to exceed 15 minutes, which means that there is never a long term window in which a replayed packet could be successful. Additionally, packet and flow sequence numbers ensure that short term replayed packets are treated as duplicates and dropped accordingly.

Secure Key Regeneration

In the same sense that it is not possible to eliminate the security ramifications of leaked VPN passwords, it is not possible to eliminate the ramifications of leaked Secure Keys. To that end, the Secure Key for a Site or for all Sites in the Oracle SD-WAN can be quickly regenerated via the Oracle SD-WAN web console. Regenerating Secure Keys is a non-resetting configuration change and will not affect Oracle SD-WAN operations.

Secure Key Protection

In both Oracle SD-WAN Software and Oracle SD-WAN Aware, Secure Keys are removed from all diagnostic information and no information is provided in diagnostic information that would allow Secure Keys to be reverse engineered.

Message Indistinguishability

Sequence Number Size—The encryption key rotation window has been defined to guarantee that sequence numbers don’t wrap before the next key rotation. In order to balance the need for indistinguishability against the potential performance impact of key rotation, the rotation window and the size of various sequence numbers have been tuned against one another to extend the roll over time.
Initial Sequence Number—All sequence numbers, except for the internal TRP Flow sequence number, are seeded with a cryptographically random initial value to reduce the risk of Frequency Analysis. This eliminates the predictable nature of first packets having identical content.

Extended Packet Encryption Header (Optional)

An Initialization Vector (IV) is often used to provide very high unpredictability of the first encrypted block in a cipher block chain. However, using Initialization Vectors has some drawbacks:

A static IV is no more protective than a NULL IV.
While an IV need not be secured in the encrypted message, it must be known to both sides of the encryption. Typically, this means the IV is sent along side the encrypted message.
If an IV becomes predictable, much of the security it provides is compromised. There are known attacks to exploit this problem.

An alternative to rotating an IV in a cryptographically secure way is to seed the first cipher block of data with a large counter that is seeded with a cryptographically random initial value. After encryption, the counter is essentially a random block of data deterministic only with the encryption key. This method is proven to provide the same security as an IV, without incurring the process overhead of randomly generating an IV for each packet and guaranteeing that each IV is unique. See Appendix C of the NIST doc, which directly references this methodology: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.

To provide users with the ability to have the highest level of packet uniqueness and protection against Frequency Analysis, an optional 16-byte counter can be prefixed inside the encrypted payload to act as a rotating, cryptographically random Initialization Vector.

This counter is known as the Extended Packet Encryption Header. Use of the Extended Packet Encryption Header is configured globally for the entire Oracle SD-WAN. It is disabled by default.

Encrypted Packet with Extended Packet Encryption Header

Extended Packet Authentication Trailer (Optional)

To provide users with the ability to have strong message authentication, an optional trailer inside the encrypted payload can be enabled. By default, this optional trailer is composed of a 4-byte checksum of the unencrypted packet data, which acts like a standard Hashed Message Authentication Code (HMAC). While a standard HMAC would impact performance significantly, this checksum trailer provides a similar benefit while minimizing processing overhead. Because the checksum is over unencrypted data and is itself encrypted, there is a very high statistical likelihood that any change made to the packet will lead to either an incomprehensible packet or a mismatching checksum.

If use of a standard HMAC is required, the optional trailer can be configured to use a 16-byte SHA-256 HMAC in place of the 4-byte packet checksum. (Note: When used as an authenticating HMAC, the result of the SHA-256 function is truncated to 16 bytes.) Use of a standard HMAC, though cryptographically more secure, significantly decreases forwarding performance.

This trailer is known as the Extended Packet Authentication Trailer. Use of the Extended Packet Authentication Trailer is configured globally for the entire Oracle SD-WAN. It is disabled by default.

Encrypted Packet with Extended Packet Authentication Trailer

GCM Encryption

GCM encryption, by design, combines the counter mode (Extended Packet Encryption Header) and the authentication (Extended Packet Authentication Trailer). Since these features are built into GCM encryption there is no need to specify the Extended Packet Encryption Header or the Extended Packet Authentication Trailer. GCM encryption offers a higher throughput performance over CBC encryption.

DTLS Encryption Protocol

DTLS (Datagram Transport Layer Security) is designed to secure UDP based application traffic over the network. It provides equivalent security protection guarantees as SSL/TLS. DTLS protocol is an extension of TLS protocol. It is a client / server session oriented protocol and uses all of the same handshake messages and flows of TLS protocol.

DTLS runs on UDP, which is unreliable, but DTLS guarantees reliable session establishment. DTLS uses an explicit sequence number in the TLS header to detect message loss and packet reordering. It also includes two additional fields in the handshake header to handle message fragmentation (to avoid IP packet fragmentation). It uses a retransmission timer to handle message loss.

Every TRP packet is encrypted and sent over the WAN and is decrypted on receiving from WAN when using DTLS.

IP

UDP

DTLS

TRP

For each Conduit, a new DTLS session is established. In order to form a DTLS session, each SD-WAN device needs a root CA certificate, Private Key and device Public certificate. For the entire network, the certificates and keys are generated, signed and distributed from NCN.

DTLS Certificate Management

NCN (Network Controller Node) acts as a Root Certificate Authority (CA). A Self-signed CA certificate is generated in NCN. For each SD-WAN device, a Private key and Public Certificate are generated and the certificate is signed by the NCN CA. Private keys are always password protected.

Each SD-WAN device specific certificate bundle (ca certificate, private key and public certificate) is distributed from the NCN. The certificate bundle can be manually downloaded from the NCN and uploaded into the respective SD-WAN device. There is a provision to regenerate the certificates for the entire SD-WAN network or a subset of SD-WAN devices.

Database Security

It is recommended, for security reasons, to limit access to the Aware database in order to protect the configuration and metric data. To accomplish list, remove external access to the database so that only the Aware application can access the database.

Management Interface Security

It is highly recommended for customers to not expose management interface to untrusted networks.

Changing a Password

To change the local user password:

Click Manage SD-WAN Edge and then Users/Authentication.
Enter the current password.
Enter a new password.
Confirm the new password.
Click Change Password.