ngena's Platform Security
A whitepaper about ngena's secure network architecture

Introduction

ngena – the Next Generation Enterprise Network Alliance – offers a completely new business model by connecting global businesses with hybrid VPN services. ngena uses innovative NFV/SDN technology to provide a global SD-WAN platform delivering VPN overlay networks on top of an underlay network infrastructure which leverages network assets of trusted service providers.

The ngena digital solution is highly secure and protects its customers' data. The solution is designed by keeping in mind core principles of security like authentication, encryption and data integrity. The security guidelines are implemented globally for all components of the SD-WAN platform: data plane, control plane and management plane, using encryption, security policies, automation and orchestration.

[Figure: End-to-End Managed Services with SLA. Access types shown: Internet Public Line and Ethernet Private Line; customer-side device: ngena CPE.]

ngena's Secure Network Architecture

ngena has built a global network with control and data plane managed via a central platform. The physical and virtual network assets are managed through data center hubs in Europe, America, Africa and Asia. ngena offers several access designs with automated service provisioning, supported over ordinary IP transport. Central orchestration facilitates quicker global service delivery and agile network service.

The hybrid VPN service uses a transport-agnostic overlay architecture providing a true any-to-any global VPN. It addresses challenges like high cost and provisioning complexity when connecting globally distributed branch offices of enterprises. Moreover, it enables several cloud-based connectivity options to services like SaaS ERP, Office or storage applications. In addition, the hybrid VPN service offers features such as multiple VPNs per site, Quality of Service (QoS) and inter-region connectivity over ngena's international private transport network. All sites are connected with end-to-end encryption via secure IPSec tunnels.

Highly Secure Regional Internet Accesses

A secure regional Internet access can be added to the enterprise VPN service, allowing users to access the Internet through a fully managed, enterprise-class firewall with optional web security. The secure regional Internet access service is provided via a fully orchestrated service chain of Virtualized Network Functions (VNF), e.g. firewall or web security services, provisioned in a regional ngena hub. These service chains are fully integrated into the customer's VPN and provide resiliency and traffic load sharing across multiple availability zones.

Multiple types of accesses are supported, including both Internet Public Line (IPL) and Ethernet Private Line (EPL) using Metro Ethernet or Layer-2 VPN technologies. Several different customer access designs are available to connect a customer site via single or redundant Internet or Ethernet links, or a combination of both. The access designs can be chosen based on bandwidth and SLA requirements as well as consideration of costs. The VPN overlay and encryption are common to all access designs.

As an enhancement to the secure regional Internet access service, ngena offers the capability to advertise publicly routable IPv4 and IPv6 addresses from an enterprise VPN. This leverages the same VNF service chain with enhancements to routing policies to ensure symmetric traffic flows through the perimeter firewall (a stateful firewall can only track a session if it sees both directions of the flow). Individual firewall rules can be defined in order to secure access to the enterprise network from the public Internet.

[Figure: ngena's Secure Regional Internet Access. Two regional Internet access points are shown; for a sub-VPN that is not allowed to have Internet access, Internet access is blocked.]

[Figure: Secure Regional Internet Access – Service Chain. Inside the ngena hub, the access vRouter gateway steers traffic through the security appliances (firewall, web security) before it reaches the Internet; VPN traffic is shown encrypted, traffic beyond the appliances unencrypted. No Internet access service is deployed at a hub where no VPNs are allowed to have Internet access.]

All the control plane communication is transported over DTLS/TLS tunnels. These tunnels have the following characteristics:
• Version: TLS v1.2
• Authentication: Mutual, based on digital certificates
• Encryption: AES256
• Message Integrity: SHA1 or SHA2 algorithms

In order to join the control plane, every device in the network must have its own digital certificate issued by a Root or Intermediate Certificate Authority (CA) that is trusted by all other devices in the overlay. Each network controller generates its private/public keys and a Certificate Signing Request (CSR), which are required to be signed by an external CA. The edge routers are authenticated by the controllers during a connection request with the certificate exchange. An OMP (Overlay Management Protocol) similar to BGP (Border Gateway Protocol) runs inside the DTLS (Datagram Transport Layer Security) control plane connections and carries the routes, next hops, keys, and policy information needed to establish and maintain the overlay network.

Data plane encryption uses AES-256, a symmetric-key algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path and transmits this key to the controller, which sends it to the recipient routers in the network. In this way, the AES keys for all the routers are distributed across the network. To further strengthen data plane authentication and encryption, routers regenerate their AES keys every 24 hours locally without dropping any data traffic. The key exchange happens over the secure control plane.

The data plane is based on point-to-point IPSec tunnels established between the vEdge routers and has the following security characteristics:
• IPSec Mode: Tunnel, with support for NAT traversal
• Authentication: Certificate-based device authentication performed via the control plane tunnel
• ESP Encryption: AES-GCM-256 encryption algorithm for unicast traffic (AES-GCM is an authenticated cipher, so it also provides integrity protection for the packets it encrypts)
• ESP Authentication & Integrity algorithm: AH-SHA1 HMAC and ESP HMAC-SHA1
• Key Exchange Encryption: AES-256 cipher
• Anti-replay window: max 4096 packets

For the management plane, only encrypted protocols are used to ensure that management traffic is encrypted. A secure protocol includes the use of SSHv2 instead of Telnet so that both the authentication data and the management information are encrypted. Moreover, encrypting the management traffic allows a secure remote access connection to the device. If the traffic for a management session were sent over the network with an insecure protocol, an attacker could obtain sensitive information about the device and the network.

DDoS Protection for Edge Routers

Specific network policies and rules are implemented for several device identities, i.e. from trusted devices to unknown sources, in order to provide protection against DDoS attacks. With robust traffic policies defined for each source device, it is easier to avoid network flooding and to quickly neutralize any security threat.

[Figure: Control plane policing on an edge router. Traffic to the router CPU is classified by source. Authenticated sources (TLS/DTLS sessions with the management controller) are policed at 300 pps per flow and 5,000 pps. Implicitly trusted sources (SD-WAN IPSec peers) and explicitly defined sources (IPSec/GRE tunnels, cloud security) are packet-forwarded. Unknown sources (any) are denied, except (1) return packets matching a flow entry when DIA is enabled and (2) DHCP, DNS and ICMP; SSH, NETCONF, NTP, OSPF, BGP, STUN and other services can be manually enabled.]
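The anti-replay window and the 24-hour rekey from the data plane list above, as an added Python example (not ngena's code and not the vEdge implementation): the receiver side of one tunnel keeps a 4096-packet sliding window per security association and, during a rekey, keeps the previous association until it is explicitly retired, so packets still in flight under the old key are not dropped. The SPI-based lookup, the `InboundTunnel` interface and the packet trace are constructed for illustration; the keys are only held to show the lifecycle and are never used to decrypt anything.

```python
"""Anti-replay window and overlapping rekey for the inbound side of a
point-to-point IPsec tunnel.  Added illustration; not ngena's code."""
import secrets
from dataclasses import dataclass, field

WINDOW_SIZE = 4096          # largest anti-replay window named in the whitepaper
KEY_BYTES = 32              # AES-256 key length


class ReplayWindow:
    """Sliding window over ESP sequence numbers (RFC 4303, Appendix A style).

    Bit i of ``bitmap`` records whether sequence number ``top - i`` has been
    accepted.  Numbers left of the window or already seen are rejected.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq <= 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # new right edge: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1           # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # older than the window: replay or very late
            return False
        if (self.bitmap >> offset) & 1:   # already accepted once: replay
            return False
        self.bitmap |= 1 << offset
        return True


@dataclass
class InboundSA:
    """One inbound security association: the key the peer encrypts with,
    identified by its SPI, with its own replay window."""
    spi: int
    key: bytes
    window: ReplayWindow = field(default_factory=ReplayWindow)


class InboundTunnel:
    """Inbound side of one tunnel (hypothetical interface).  During a rekey
    the previous SA is kept until explicitly retired, so packets already in
    flight under the old key are still accepted.  A real ESP receiver would
    also decrypt and verify the packet with sa.key; this demo only tracks
    sequence numbers."""

    def __init__(self, spi, key):
        self.current = InboundSA(spi, key)
        self.previous = None

    def rekey(self, spi, key):
        self.previous = self.current
        self.current = InboundSA(spi, key)   # fresh replay window for the new SA

    def retire_previous(self):
        self.previous = None

    def accept(self, spi, seq):
        for sa in (self.current, self.previous):
            if sa is not None and sa.spi == spi:
                return sa.window.check_and_update(seq)
        return False                           # unknown SPI: drop


def demo():
    """Constructed packet trace of (spi, seq) pairs as they reach the receiver."""
    tunnel = InboundTunnel(spi=0x1001, key=secrets.token_bytes(KEY_BYTES))
    trace = [(0x1001, 1), (0x1001, 2), (0x1001, 2),          # third is a duplicate of 2
             (0x1001, 5000), (0x1001, 1),                     # 1 is now left of the window
             (0x1001, 4999)]                                  # late but inside the window
    results = [tunnel.accept(*pkt) for pkt in trace]
    tunnel.rekey(spi=0x1002, key=secrets.token_bytes(KEY_BYTES))
    results += [tunnel.accept(0x1001, 5001),                  # old key still honoured
                tunnel.accept(0x1002, 1)]                     # new SA starts fresh
    tunnel.retire_previous()
    results.append(tunnel.accept(0x1001, 5002))               # old key now rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The window is a bitmap rather than a list so that a check costs one shift and one mask regardless of window size; keeping the previous SA only until an explicit retirement call is what lets the 24-hour rekey happen without dropping in-flight packets, while still bounding how long an old key stays acceptable.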

ngena's Secure Platform Architecture

ngena's global platform has three major components:
a) a redundant CSFA (Central System Function Area) provides end-to-end service awareness and control
b) a number of regional hubs ("ngena hubs") host the virtualized service platform and several Virtual Network Functions (VNFs) to deliver the ordered services and
c) a private backbone connects the ngena hubs.

Regional hubs contain two SPAN (Service Provider Application Nodes) for redundancy. They consist of a Service End-To-End Control Function, a SPAN Plane Function and a Network Plane Function deployed globally for domain-specific service management and delivery, connecting customer sites through local service provider access networks. In addition, the ngena platform provides an aggregation and backbone transport network that connects all services globally from the central hub to regional hubs and also between regional hubs. The breakout to the public Internet will always be "per region". This means that the data traffic from one region is transmitted to the Internet via a regional hub.

ngena's platform implements an Authentication, Authorization, and Accounting (AAA) framework to secure network devices. The AAA framework provides authentication of management sessions, limits users to specific administrator-defined commands, and logs all commands entered by all users. Edge routers in the ngena network communicate with the remote AAA server using the TACACS+ protocol, which allows per-command authorization and obfuscates the whole packet body (RADIUS only hides the password field), providing higher security than RADIUS.

A stateless Access Control List (ACL) is applied in both inbound and outbound direction to the Internet interface of the access gateway to filter out any private or internal addresses from leaking out to the Internet and to prevent IP spoofing. The ACL protects the internal infrastructure subnets, such as the backbone range and other administrative networks, from being accessed and makes them difficult to discover from outside the network.
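The stateless anti-spoofing ACL just described and the control plane policing from the DDoS protection figure on the previous page, as one added Python example (not ngena's configuration): `internet_acl` applies the inbound and outbound rules on the gateway's Internet interface, and `ControlPlanePolicer` classifies packets to the router CPU by source class, denies unknown sources except for the listed exceptions, and polices at 300 pps per flow. The address ranges, the reading of 5,000 pps as an aggregate CPU budget, the per-second counters in place of a token bucket, and the sample packets are assumptions made for the demo.

```python
"""Stateless anti-spoofing ACL for the access gateway's Internet interface and
control-plane policing for an edge router.  Added illustration; not ngena's
configuration.  Address ranges, limits and packets are constructed for the demo."""
import ipaddress
from collections import defaultdict

# Addresses that must never appear as a source on the Internet side
# (RFC 1918, loopback, link-local, "this" network) ...
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
# ... plus the operator's internal infrastructure ranges.  These two are
# stand-ins (shared address space and a documentation prefix), not ngena's.
INFRA_NETS = [ipaddress.ip_network("100.64.0.0/10"),
              ipaddress.ip_network("203.0.113.0/24")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def internet_acl(direction, src, dst):
    """Stateless ACL on the Internet interface.  direction is 'in' (packet
    arriving from the Internet) or 'out' (packet leaving towards it).
    Returns 'permit' or 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in(s, BOGON_NETS) or _in(s, INFRA_NETS):
            return "deny"        # spoofed source claiming to be inside
        if _in(d, BOGON_NETS) or _in(d, INFRA_NETS):
            return "deny"        # private/infrastructure targets unreachable from outside
        return "permit"
    if direction == "out":
        if _in(s, BOGON_NETS) or _in(s, INFRA_NETS):
            return "deny"        # internal addressing must not leak to the Internet
        return "permit"
    raise ValueError("direction must be 'in' or 'out'")


# Control-plane policing, following the source classes in the whitepaper figure.
PER_FLOW_PPS = 300
AGGREGATE_PPS = 5000             # assumed here to be the total budget for the CPU
ALWAYS_ALLOWED = {"dhcp", "dns", "icmp"}
MANUALLY_ENABLEABLE = {"ssh", "netconf", "ntp", "ospf", "bgp", "stun"}
TRUSTED_CLASSES = {"authenticated", "implicitly_trusted", "explicitly_defined"}


class ControlPlanePolicer:
    """Per-second packet counters (a simplification of a token bucket)."""

    def __init__(self, enabled_services=()):
        self.enabled = set(enabled_services) & MANUALLY_ENABLEABLE
        self.new_second()

    def new_second(self):
        self.per_flow = defaultdict(int)   # (src, service) -> packets this second
        self.total = 0

    def admit(self, source_class, src, service, matches_flow_entry=False):
        """Returns 'permit', 'deny' (policy) or 'drop' (rate limit exceeded)."""
        if source_class == "unknown":
            allowed = (matches_flow_entry or service in ALWAYS_ALLOWED
                       or service in self.enabled)
            if not allowed:
                return "deny"
        elif source_class not in TRUSTED_CLASSES:
            return "deny"
        flow = (src, service)
        if self.per_flow[flow] >= PER_FLOW_PPS or self.total >= AGGREGATE_PPS:
            return "drop"
        self.per_flow[flow] += 1
        self.total += 1
        return "permit"


def demo():
    """Constructed packets; returns the ACL verdicts and the CoPP verdicts."""
    acl = [internet_acl("in", "192.168.1.5", "198.51.100.9"),    # spoofed RFC 1918 source
           internet_acl("in", "198.51.100.77", "203.0.113.4"),   # probe of an infra subnet
           internet_acl("out", "100.64.3.2", "8.8.8.8"),         # backbone address leaking
           internet_acl("in", "198.51.100.77", "198.51.100.9")]  # ordinary Internet traffic
    copp = ControlPlanePolicer(enabled_services={"bgp"})
    verdicts = [copp.admit("unknown", "198.51.100.77", "ssh"),   # not enabled: deny
                copp.admit("unknown", "198.51.100.77", "bgp"),   # manually enabled
                copp.admit("unknown", "198.51.100.77", "dns")]   # always allowed
    # One authenticated flow sending 301 packets in a second: the 301st is policed.
    flood = [copp.admit("authenticated", "10.1.1.1", "dtls") for _ in range(301)]
    verdicts.append(flood[-1])
    return acl, verdicts


if __name__ == "__main__":
    print(demo())
```

The ACL is deliberately stateless: it does not need a flow table, so it cannot be exhausted by a flood, which is the property you want on an Internet-facing interface; the per-flow limit in the policer is what keeps one compromised or misbehaving peer from starving the controller sessions of the others.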

[Figure: Functional View of ngena's Platform for Hybrid VPN Services. Left, the Central Systems Function Area (central), holding all components deployed only once (or twice for redundancy): BSS (Business Support Systems) and the Central System Software Functions, including the Service E2E Control Function, Decentral Service Provisioning, Decentral Node Management, Decentral Assurance Collection, OOB Management, License Management, Data Collection and the Central System Security System. Right, the ngena Node (decentral), holding all components deployed on each hub: the SPAN Plane Function (Provisioning, Assurance and Storage, Data Plane, Compute & Storage, SPAN Switches, Software Functions, Infra Collection and Aggregation) and the Network Plane Function (Platform Security with IDS/IPS, ngena Admin LAN, Gateway, Access, Backbone incl. OOB).]

Data Privacy

ngena follows the European General Data Protection Regulation (EU-GDPR) along with worldwide recognised standards such as ISO 2700x (Information Security Management System – ISMS) and the security framework from NIST (National Institute of Standards and Technology), while being compliant with security frameworks from OWASP (Open Web Application Security Project) and ISECOM (Institute for Security and Open Methodologies).

Security Governance & Compliance

Security and Data Privacy activities are managed based on Information Security Management System guidelines, which provide a holistic view of running an enterprise with best practices and are compliant with global standards. This helps to make all the security operations as transparent as needed.

ngena regularly conducts penetration testing and vulnerability assessment, referencing the OWASP methodology, as well as Governance and IT Risk Management based on ISO/IEC 27001, ISO 31000 (Risk Management) and ISO 22301 (Business Continuity) to ensure proactive system hardening and to act on any threat or vulnerability detected. The technology partners are periodically reviewed against security and data privacy compliance requirements. There is an internal security organization which plans for information security, business continuity and risk management.

Altogether, ngena has implemented an extensive set of security and data privacy measures to fulfil global security standards for its network and platform, creating a truly global network secured with best practices that can cater to evolving business needs, network requirements and technological trends, promoting global business with local care.

Abbreviations used in this Security Whitepaper

AAA Authentication, Authorization, and Accounting
ACL Access Control List
AES Advanced Encryption Standard
BGP Border Gateway Protocol
BSS Business Support System
CA Certificate Authority
CPU Central Processing Unit
CSR Certificate Signing Request
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DIA Direct Internet Access
DNS Domain Name System
DTLS Datagram Transport Layer Security
E2E End-2-End
EPL Ethernet Private Line
ERP Enterprise Resource Planning
ESP Encapsulating Security Payload
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IEC International Electrotechnical Commission
IPL Internet Public Line
IPS Intrusion Prevention System
IPSec Internet Protocol Security
ISECOM Institute for Security and Open Methodologies
ISMS Information Security Management System
ISO International Organization for Standardization
NETCONF Network Configuration Protocol
NFV Network Function Virtualization
NIST National Institute of Standards and Technology
NTP Network Time Protocol
OMP Overlay Management Protocol
OOB Out-of-band
OSPF Open Shortest Path First protocol
OWASP Open Web Application Security Project
PPS Packets Per Second
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service protocol
SaaS Software as a Service
SDN Software-Defined Networking
SD-WAN Software-Defined Wide Area Network
SHA Secure Hash Algorithm
SLA Service Level Agreement
SPAN Service Provider Application Node
SSH Secure Shell
STUN Session Traversal Utilities for NAT
TACACS+ Terminal Access Controller Access-Control System Plus
TLS Transport Layer Security
VNF Virtual Network Function
VPN Virtual Private Network

Follow us
linkedin.com/company/ngena
bit.ly/ngena_on_youtube
twitter.com/ngenagmbh
xing.com/companies/ngenagmbh
ngena.net
ngena.net/infokit

Contact us
ngena GmbH
Hahnstrasse 40
60528 Frankfurt
[email protected]
www.ngena.net

Managing Directors: Dr. Marcus Hacke, Alessandro Adriani
Head of Supervisory Board: Patrick Molck-Ude
Commercial register: Amtsgericht Bonn HRB 20074
May 2018