SteelConnect and Network Security

Providing secure internet access, while preventing malicious content from entering an organization, is critical to maintaining employee productivity and defending the network against threats.

•Perimeter firewall - Easy-to-configure inbound/outbound firewall rules build a secure wall to control access into and out of the different segments of the internet edge. This functionality (along with a suite of other services, such as network address translation and policy-based network zoning) provides effective controls to mitigate the next step of a network intrusion and limits further movement across the network or propagation of a threat. SteelConnect logging capabilities support troubleshooting and policy-compliance auditing.

•VPN concentrator - SteelConnect automatically forms secure IPsec VPN tunnels with AES-256 encryption between your sites. IPsec VPN is configurable in full-mesh or hub-and-spoke modes from the centralized SteelConnect Manager.

This topic describes how SteelConnect can act as a robust perimeter firewall for your organization and addresses some common security use cases in the enterprise, including how to enforce firewall policies at branches for access control to zones and the internet.

Defending the network edge is an essential component for detecting and protecting the network from unwanted traffic, potentially malicious content, and intrusion attempts, and a perimeter firewall is the primary defense in a private network. The perimeter firewall identifies and logs these threats for the network administrator.

The perimeter firewall also blocks incoming network traffic from accessing internal networks and hosts and blocks outgoing traffic from accessing undesirable external networks and hosts. For example, organizations might block access to gaming sites or other social media sites. As such, a perimeter firewall can be considered as having an internal and external interface.

With SteelConnect networking and security integration, organizations can use internet connections while mitigating security risks. Also, with a centralized cloud-based console, business-intent policies are easy to configure and enforce for your entire organization.

Most enterprises backhaul data from their branch locations to their data centers for thorough inspection of the data going to and from the internet. Alternatively, steering Software as a Service (SaaS) traffic directly to the internet enables enterprises to offload their WAN network at a lower cost and reduced latency than backhauling traffic to the remote data center. Both backhaul and direct-to-net architectures require a network security stack to protect against malware, phishing, and other security threats. They also provide the ability to apply consistent security policies for all users, no matter where they connect.

Riverbed works with companies that develop specialized security functions to provide a holistic defense. Riverbed has partnered with Palo Alto Networks, Zscaler, and others to provide additional advanced security functions to organizations ensuring a stringent security posture at the branch offices as well as the data centers.

The following table summarizes SteelConnect firewall capabilities in addition to the advanced features provided by partnering with other security vendors.

	Feature	SteelConnect only	SteelConnect + security partner
Perimeter firewall	Application-based stateful firewall		
	Granular allow/deny filtering rules		
	Robust/hardened gateway		
	VPN capabilities		
	NAT capabilities		
	Logging		
Advanced security functions	Intrusion detection/prevention		
	Content scrubbing/malware detection		
	Acceptable use policy enforcement		
	Other InfoSec compliance requirements		

Application definitions are a way to attach a business relevancy to all traffic that goes through your network. The Riverbed Deep Packet Inspection (DPI) engine can identify and classify business-critical and nonessential network traffic beginning with the first packet of the traffic flow.

With SteelConnect, you can build a secure firewall policy that regulates who has access and to what resources. Security policies can apply to the entire network, such as a single security policy to turn zone access on and off. You can also make the policy more granular to accommodate specific security needs. For example, you can create firewalled zones that require specific user permission to use specific applications. You can also enable access control and data protection for registered and unregistered mobile phones, tablets, and laptops.

The outbound and internal rules specify a source, a target, and an action. The source can be either a special catch-all selection (such as all registered users) or a custom selection of user groups, device groups, individual users, individual devices, or policy tags. We recommend that you base the outbound and internal rules on user groups and device groups, and then make exceptions using policy tags.

•Allow/deny firewall rules - Define the policy for internal users and devices accessing internal or external applications.

•Inbound access control rules - Define the policy for external (internet) access to internal applications. Inbound rules offer optional support for NAT, port translations, and an external host whitelist.

You can easily create, review, enable, and disable these policy controls for the whole organization using SCM as opposed to creating tedious access-control lists and mapping them to interfaces on individual routers at each site.

Network hardening is a process to address network security vulnerabilities by implementing software patches, introducing new security systems, and adopting better configuration and operation policies.

You can deploy SteelConnect gateways at the internet edge to harden the enterprise network at branches. No unauthorized outside traffic is allowed to enter the branch unless the administrator permits it by configuring granular inbound and outbound firewall rules.

You can create inbound rules to allow only specific traffic on specific TCP/ UDP ports to or from specific servers both inside and outside the local branch network. Secure IPsec VPN tunnels allow for data to be encrypted and only secure data can transfer between branches over the internet. If the packet is not in the SteelConnect secure IPsec encrypted tunnel, it is not permitted.

SteelConnect zones help segment the network, and they help maintain control and organization of traffic. The use of zones within NAT rules gives an organization more flexibility and simplicity with its firewall management. In a world where Internet of Things (IoT) devices such as HVAC systems are used as a platform of attack to steal critical customer data, many organizations are taking steps toward network segmentation, such as building multiple subnetworks (overlays) within a shared network (underlay).

SteelConnect makes WAN segmentation radically simpler. You simply need to define a policy describing the underlying network. The policy is then distributed across the nodes in the SD-WAN network, which creates the multipoint (IPsec) tunnels linking these nodes defined in the policy. SteelConnect’s built-in software-defined intelligence also allows for automatic firmware updates to gateways that keep security patches and hotfixes current.

AutoVPN is a SteelConnect feature that automatically connects multiple sites with secure, full-mesh IPsec VPNs, without tedious manual configuration. AutoVPN provides a fast way to create a secure and resilient VPN backbone between all your sites.

•RouteVPN - A Layer 3 IPsec VPN between internal networks across physical sites.

•SwitchVPN - A bridged Layer 2 IPsec VPN that extends zones across multiple sites.

Some deployments require a SteelConnect gateway connection to an IPsec VPN built by a third-party vendor. You can connect to a third-party VPN using Classic VPN. Classic VPN creates a manual VPN tunnel using the standard IPsec IKEv1 or IKEv2 protocol.

Classic VPN configurations can classify traffic based on TCP/UDP port numbers, providing a more granular approach to traffic steering. Classic VPN is an easy and flexible method to use when:

•connecting to a third-party IPsec VPN gateway, such as a firewall or a Unified Threat Management (UTM) appliance.

•migrating from an existing VPN solution to SteelConnect RouteVPN. You can even use the IP subnets of the remote networks and rules.

•integrating sites with overlapping IPv4 addresses, using one-to-one NAT configuration. When connecting networks through VPN that use the same IP addresses on both sides, it’s impossible to create a simple IPsec tunnel, as routing through the tunnel doesn’t work. Classic VPN uses an integrated NAT layer, in which you can map an overlapping network one-to-one into a virtual network. This means that you can communicate with the remote location using the virtual NAT network and prior to entering the tunnel, the system transparently replaces IPv4 addresses with the matching address from the remote side, allowing both networks to remain unchanged.

•connecting to cloud security devices, such as Zscaler.

Note: SteelHead SD appliances, the SDI-2030 gateway, and the SDI-5030 gateway don’t support ClassicVPN in version 2.11 or later, however, they can connect to Zscaler.

For more details about building IPsec tunnels with a third-party vendor, see “Connecting to a third-party VPN” in the SteelConnect Manager User Guide.

By default, the outbound rules for a firewall let users and guests access the internet only. A default rule does not exist to allow communication between sites.

Network address translation (NAT) is the mapping network address to alternate and secure addressing. NAT helps improve security and decrease the number of IP addresses an organization needs.

•Dynamic NAT (DNAT) - Translates the source address for all outbound connections from the private address of the source host to a public address (typically the gateway public IP). This mode replaces the target address. It requires the target system to use the SteelConnect gateway as its default gateway.

•Full NAT - Replaces the source address of the incoming connection with the internal gateway address. This mode makes sure the return traffic is sent back to the SteelConnect gateway, even if the system uses a different default gateway.

You can create inbound rules to allow only specific connections to reach your internal NATed servers. While doing so, you are given the option of configuring No NAT, DNAT, or Full NAT as shown in the Mode field.

With SteelConnect Manager, you have a centrally managed system of products designed from the ground up to work together and you have total visibility into your network. You can use the Visibility page to read logs, view a history of the DHCP server IP address assignments, see if and where traffic was blocked, and generate user reports. You can export logs to syslog servers.

•Restrict physical access to all devices - Install all devices behind secured environments accessed only by authorized personnel.

•Implement multifactor authentication on SCM - SteelConnect supports two-factor authentication. At the realm level, choose Settings and ensure Two-factor Authentication is set to On.

When two-factor authentication is enabled for the realm, all access to the realm interface must be authenticated with a second authentication mechanism, such as mobile messaging. The value of this setting at the realm level is also the default setting for two-factor authentication when accessing individual organizations and the realm setting overrides the default settings at the organization level.

•Replace the default passwords with passwords that comply with the Information Security password standard of your organization - The realm administrator can set a password policy for all administrators, including both realm and organization administrators. The first time you enable a password policy, passwords for all users expire immediately and all users need to create new passwords to log in to SCM. By default, the password policy is disabled.

To enable a password policy, at the realm level, select the Settings tab. Under Password Policy, click On. A dialog warns that all user passwords will expire immediately. Click Expire All Passwords and you can customize password settings.

•Create unique usernames - When adding new users to SCM, we recommend creating unique usernames and passwords. You can identify users by name, roles, or job functions.

•Limit the number of users that have administrative access and follow the Principle of Least Privileges (PoLP) - Limit the number of administrators and assign a user account only those privileges that are essential to perform their intended function to reduce security risk, make it harder for successful exploitation, and for bad actors to do bad things if they are successful.

•Limit the number of realm administrators - Keep the number of realm administrators to a necessary minimum and create organization administrators to manage organizations. An administrator can be assigned to any number of organizations. An administrator can only be assigned one role per organization.

•Restrict sharing of user accounts - A unique username is the first part of the identification and authentication process. If usernames are not unique, there can be no accountability on the system for auditing purposes. Multiple accounts sharing the same name could result in the denial of service to one or both of the accounts or unauthorized access to files or privileges.

SteelConnect Manager provides an easy and intuitive way to define network access by user identity. The Users page associates those accessing the networks with the devices they are using, providing granular and automated user-to-device assignments, with an interface in each zone. Adding users is optional. Whether you propagate user identities depends on your policy strategy.

•Deploy role-based access control (RBAC) - SteelConnect provides role-based access control at the realm or organization level. An SCM realm administrator has full access permissions to all organizations contained within the SCM realm. The realm administrator creates organizations and organization administrators. By default, each organization administrator is configured to have full access to the network and policy configuration for the organization.

You can achieve further granularity by limiting the organization administrator to have permissions only for network configuration or policy configuration for the organization. Network configuration includes functions such as creating/managing sites, configuring network topology, and adding appliances. Policy configuration covers traffic path rules, application/user specific policies, and QoS.

•Routinely monitor access logs - Monitoring the system logs lets you know which administrators have accessed the SteelConnect Manager.

SteelConnect Manager event logs are accessible from any screen. These events are generally used to log access to SCM in addition critical events that occur on gateways.

With remote logging, all system logs from different gateways can be aggregated and stored in a single remote server located within the same enterprise network. After all logs are aggregated on one server, you can use third-party monitoring tools such as Splunk to perform log analysis and simpler reporting. This log aggregation is also useful for archiving logs. You can also forward real-time system messages from appliances to the remote server. You can configure up to three syslog servers per realm or per organization.

•Set the session inactivity timer in accordance to organizational policy - Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user.

As part of the SteelConnect Manager password policy, there is a session expiration setting. This setting specifies the number of minutes the session remains active after inactivity. The default setting is 30. When the expiration time elapses, the session becomes inactive. The Disable long-term session caching setting on the administrator’s Authentication tab must also be set to On. By default, long-term session caching is disabled.

•Use an appropriate login (banner) message in accordance to organizational policy - All log in methods should display an appropriate banner page per policy. In SteelConnect, the legal disclaimer is equivalent to an access banner. This feature provides a place to add a predefined legal disclaimer that appears each time a user logs in to SCM.

•Limit the use of remote SSH access - SteelConnect gateways, switches, and access points are zero touch configuration and don’t require console access; however, if you need to access the appliance console for troubleshooting, the controller can create an SSH tunnel. You enable SSH access to an appliance on the SSH tab. You must add a public SSH key.

SSH access to the gateways should only be configured for temporary use, for example during troubleshooting. Turn off SSH access when it is not needed.

•Lock down weaker ciphers on client browsers - SCM supports TLS versions and ciphers to allow maximum accessibility across a wide range of operating systems and browsers. The supported TLS versions and ciphers are periodically reviewed and weaker ciphers and protocols are aged out over time as customers move to newer client operating systems and browsers.

Weaker ciphers may be presented by the SCM in support of older browsers. Organizations can limit the available ciphers on some browsers.

•Monitor unregistered devices - SteelConnect gateways show up as unregistered devices when they first join the SCM. Any devices that are detected as unregistered appear on an unregistered list. Network access rules can be applied to allow only registered devices access to the network resources. This adds an additional layer of access control to the internal networks.

•Be aware of communications ports used by SteelConnect - Several connection ports are used by SteelConnect. Refer to the SteelConnect Manager User Guide to determine which communication ports are used by SCM and limit just those required to be accessed through your security devices.

•Specify the local Network Time Protocol (NTP) servers - We recommended that you configure your own internal NTP server instead of using the default, preconfigured servers.

•Routinely monitor event logs - SteelConnect Manager event logs are accessible from any screen. These events are generally used to log access to SCM in addition critical events that occur on gateways.

With remote logging, all system logs from different gateways can be aggregated and stored in a single remote server located within the same enterprise network. After all logs are aggregated on one server, using third-party monitoring tools such as Splunk can make log analysis and reporting simpler. This log aggregation is also useful for archiving logs. You can also forward real-time system messages from appliances to the remote server. You can configure up to three syslog servers per realm or per organization.