Network Architecture
5 automated security scanners
Zero Trust Network Implementation
Purpose: The Zero Trust Network Implementation Scanner is designed to evaluate and analyze the effectiveness of a Zero Trust network architecture by testing its core components: continuous authentication, least-privilege access enforcement, micro-segmentation, identity-based controls, and encryption. This tool aims to identify the risks of unauthorized access and lateral movement that arise when a network still relies on implicit trust.
What It Detects:
- Continuous Authentication: The scanner tests for ongoing identity verification, session re-authentication, multi-factor authentication (MFA) enforcement points, detection of implicit trust periods, and flags any static authentication methods that may be vulnerable to compromise.
- Micro-segmentation Enforcement: It evaluates the effectiveness of workload isolation, application segmentation, network policy enforcement, and detects unrestricted lateral paths or coarse-grained controls that could lead to unauthorized access.
- Least Privilege Access: The scanner tests default-deny policies, checks for role-based restrictions, verifies access scope limitations, and flags overprivileged accounts and open access policies that may expose sensitive information.
- Identity-Based Controls: It tests for identity verification through various means such as certificate-based authentication, device trust assessment, and network-based access controls. Additionally, it detects location-based trust issues where physical proximity might be assumed without proper authentication.
- Encryption Enforcement: The tool examines the implementation of Transport Layer Security (TLS) across all services, checks for east-west encryption practices, verifies encrypted tunnel usage, and flags any instances of plaintext communication that could lead to data leakage.
Inputs Required:
- domain (string): Fully qualified domain name (e.g., acme.com), used to test the network endpoints and services exposed under that name.
- ip_range (string): A CIDR block such as 10.0.0.0/24, used to scan a range of IP addresses for open ports or reachable services that might bypass micro-segmentation controls.
- port (integer): The target port number (e.g., 443), used to reach a service directly and test its encryption settings and authentication mechanisms.
Business Impact: Poor Zero Trust implementation can lead to significant security risks, including unauthorized access to sensitive information, lateral movement through untrusted networks, and potential data breaches due to weak or non-existent authentication and authorization controls. This can have severe consequences on the confidentiality, integrity, and availability of critical systems and data.
Risk Levels:
- Critical: Implicit trust enables lateral movement, missing continuous authentication allows session hijacking, weak micro-segmentation defeats isolation, open network zones bypass identity controls, and unencrypted east-west traffic exposes data.
- High: The scanner identifies vulnerabilities in continuous authentication, least privilege access enforcement, or encryption practices that could be exploited to gain unauthorized access.
- Medium: The scanner detects potential issues with micro-segmentation or identity-based controls that may not significantly impact security but are indicative of suboptimal architecture design.
- Low: Informational findings regarding static authentication methods or overprivileged accounts without significant risk exposure.
Example Findings:
- A critical vulnerability was detected in the continuous authentication mechanism, which allows unauthenticated users to access sensitive data through session hijacking.
- High-risk micro-segmentation controls were identified as coarse-grained, enabling unauthorized access between different network zones without proper authorization checks.
Network Segmentation Effectiveness
Purpose: The Network Segmentation Effectiveness Scanner is designed to evaluate the effectiveness of network segmentation in preventing lateral movement and privilege escalation attacks. It analyzes VLAN isolation, subnet boundaries, ACL enforcement, inter-segment traffic filtering, and micro-segmentation to detect flat network architectures that may facilitate these types of attacks.
What It Detects:
- Network Topology Discovery: Identifies accessible subnets from the target domain, detects VLAN configurations via DNS/routing, maps network boundaries and zones, tests cross-segment connectivity, and flags flat network indicators.
- Subnet Boundary Testing: Checks for RFC1918 address exposure, tests subnet routing restrictions, verifies gateway ACL enforcement, detects unrestricted subnet access, and identifies segmentation gaps.
- VLAN Isolation Assessment: Tests for VLAN hopping vulnerabilities, checks for VLAN trunking misconfigurations, verifies VLAN separation enforcement, detects inter-VLAN routing issues, and flags promiscuous VLAN configurations.
- Micro-segmentation Analysis: Evaluates workload-level isolation, ensures zero-trust enforcement, verifies application segmentation, detects missing micro-segments, and assesses granular access controls.
- Lateral Movement Risk: Tests cross-segment reachability, checks for unrestricted pivoting, verifies east-west traffic controls, detects lateral movement paths, and flags privilege escalation risks.
Inputs Required:
- domain (string): Fully qualified domain name (e.g., acme.com)
- ip_range (string): CIDR block to test (e.g., 10.0.0.0/24)
Business Impact: Poor network segmentation can significantly increase the risk of lateral movement and privilege escalation attacks, allowing attackers to bypass security controls and gain unauthorized access to sensitive information or systems. This poses a serious threat to the confidentiality, integrity, and availability of critical infrastructure and data.
Risk Levels:
- Critical: Conditions that directly lead to flat network architectures enabling unrestricted pivoting and lateral movement across segments without adequate defense mechanisms.
- High: Conditions where subnet boundaries are missing or ACL enforcement is weak, allowing unauthorized access and potential exposure of sensitive information.
- Medium: Conditions where VLAN isolation is compromised or micro-segmentation practices are lacking, which can still facilitate some level of unauthorized access but to a lesser extent than high-risk conditions.
- Low: Conditions with minimal impact on security, such as well-defined subnet boundaries and strong ACL enforcement that significantly reduce the risk of lateral movement.
- Info: Informational findings related to publicly disclosed security infrastructure or VLAN indicators that do not directly affect the risk level but are still important for awareness and planning.
Example Findings:
- A flat network architecture where multiple subnets can be accessed from a single entry point, facilitating easy lateral movement of attackers.
- A misconfigured VLAN allowing inter-VLAN routing without proper authentication or authorization checks, which could lead to unauthorized data access.
Network Function Virtualization Security
Purpose: The Network Function Virtualization Security Scanner is designed to assess and evaluate the security posture of Network Function Virtualization (NFV) environments. It aims to identify potential vulnerabilities, misconfigurations, and risks associated with virtualized network functions, hypervisors, orchestration APIs, and management interfaces that could lead to unauthorized access or system compromise.
What It Detects:
- NFV Detection: Identifies the presence of virtualized network functions and detects the underlying NFV platforms (MANO, OSM, OpenStack) along with their management interfaces and API endpoints.
- Orchestration Security: Tests the accessibility and security controls of NFV orchestrators including MANO/VIM, authentication mechanisms, and exposed APIs.
- Hypervisor Isolation: Evaluates hypervisor indicators such as VM isolation controls and checks for vulnerabilities that could facilitate escape or manipulation.
- VNF Access Controls: Assesses access controls to virtual network functions, identifies default credentials, and verifies role-based access control settings.
- Management Plane Security: Investigates the security of NFV management interfaces, encryption enforcement, and secure configuration practices.
Inputs Required:
- domain (string): Fully qualified domain name (e.g., acme.com)
- ip (string): IPv4 address to test (e.g., 203.0.113.5)
- port (integer): Target port for testing (e.g., 8080)
Business Impact: NFV security failures can significantly impact the integrity and availability of network services, potentially leading to unauthorized access, data breaches, service disruptions, and other severe consequences. The identification and mitigation of these risks are crucial for maintaining a secure and reliable NFV infrastructure.
Risk Levels:
- Critical: Conditions where weak hypervisor isolation directly enables VM escape or where orchestration APIs can be exploited for system takeover.
- High: Situations involving exposed management interfaces, insecure default credentials, or misconfigurations that could allow unauthorized manipulation of network functions.
- Medium: Findings related to unencrypted management interfaces, unauthenticated access points, or lack of encryption which still pose significant risks but are less severe than critical issues.
- Low: Informational findings such as banners indicating NFV presence without immediate security implications.
- Info: Non-critical details that do not directly impact the security posture but may indicate areas for improvement in documentation and operational practices.
Example Findings:
- A hypervisor isolation weakness that could permit VM escape and, with it, unauthorized access to other VMs on the same host.
- A misconfigured orchestration API that allows unauthenticated users to modify network function configurations, posing a significant risk for malicious use.
Software-Defined Networking Security
Purpose: The Software-Defined Networking Security Scanner is designed to evaluate the security posture of Software-Defined Networks (SDNs) by identifying and assessing vulnerabilities that could compromise their control plane, data plane, and API endpoints. This tool aims to detect SDN controllers, test OpenFlow protocol security, validate control-plane protection mechanisms, check for data-plane isolation, and identify misconfigurations that might enable unauthorized access to or manipulation of the network architecture.
What It Detects:
- SDN Controller Detection: Identifies the presence of SDN controller implementations such as OpenDaylight, ONOS, Floodlight, Ryu, POX, and Nox.
- Control-Plane Security: Tests for accessibility of the controller, authentication mechanisms, API access controls, detection of default credentials, and exposure of control interfaces.
- OpenFlow Security: Assesses encryption usage in OpenFlow, checks for enforced TLS/SSL, verifies certificate validation, detects unencrypted OpenFlow communications, and flags configurations that are considered weak or insecure.
- Data-Plane Isolation: Evaluates the isolation of switch management traffic from control plane interactions, checks for out-of-band control mechanisms, verifies separation of control traffic, identifies mixed network modes where SDN controllers manage both control and data planes, and flags any direct exposure of the data plane to untrusted sources.
- API Security: Investigates the endpoints provided by SDN APIs, tests for authentication bypass vulnerabilities, verifies authorization controls are in place, detects API vulnerabilities that could be exploited, and identifies insecure or exposed SDN APIs.
Inputs Required:
- domain (string): A fully qualified domain name (e.g., acme.com) which is the target of the scan to detect potential SDN indicators.
- ip (string): An IPv4 address (e.g., 203.0.113.5) that represents the IP of the device hosting the SDN controller, used for direct network interactions and port scans to test security configurations.
Business Impact: SDN security failures pose significant risks as they can lead to unauthorized access or manipulation of network infrastructure, potentially enabling cyber-attacks such as denial-of-service (DoS), man-in-the-middle attacks, data theft, and system takeover. These vulnerabilities are critical because they directly affect the integrity, availability, and confidentiality of network services and data.
Risk Levels:
- Critical: SDN controllers are detected and the specific vendor is disclosed without proper security measures in place (e.g., no encryption, weak authentication).
- High: Control plane is accessible without adequate authentication or there are indications of default credentials being used which could lead to unauthorized access.
- Medium: OpenFlow configurations do not enforce encryption or have TLS/SSL vulnerabilities that allow interception of control traffic.
- Low: Minimal exposure of SDN components and APIs, with no critical findings such as exposed control interfaces or use of insecure API endpoints.
- Info: Informational findings about potential SDN presence without immediate security implications.
Example Findings:
- The domain acme.com hosts an OpenDaylight controller but does not enforce encryption for OpenFlow communications, posing a high risk due to the exposure of control traffic.
- The IP address 203.0.113.5 is hosting multiple SDN components with default credentials configured, which could be exploited by malicious users to gain unauthorized access to the network.
SD-WAN Security
Purpose: The SD-WAN Security Scanner is designed to assess the security posture of Software-Defined Wide Area Networks (SD-WAN). It identifies and evaluates the main aspects of an SD-WAN implementation: vendor detection, controller security, overlay network encryption, segmentation controls, and configuration security. This tool aims to uncover potential vulnerabilities that could lead to unauthorized access or data interception.
What It Detects:
- SD-WAN Detection: Identifies the presence of SD-WAN vendors and detects indicators of an overlay network.
- Controller Security: Tests the accessibility, authentication mechanisms, API security, default credentials, and exposed management interfaces of SD-WAN controllers.
- Overlay Network Encryption: Checks for enforcement of IPsec/TLS encryption, the status of tunnel encryption, key exchange mechanisms, detection of plaintext overlay traffic, and weak encryption ciphers.
- Segmentation Controls: Evaluates virtual network isolation, policy enforcement, application-aware routing, segmentation bypasses, and open overlay routes.
- Configuration Security: Assesses the exposure of SD-WAN configurations, identifies vendor-specific vulnerabilities, verifies secure defaults, detects misconfigurations, and flags insecure settings.
Inputs Required:
- domain (string): Fully qualified domain name (e.g., acme.com)
- ip (string): IPv4 address to test (e.g., 203.0.113.5)
Business Impact: SD-WAN security failures can lead to significant network risks, including the exposure of unencrypted data, weak authentication mechanisms that could enable unauthorized access, lack of segmentation leading to lateral movement, and open management interfaces facilitating reconnaissance or exploitation. These vulnerabilities can be exploited by malicious actors to intercept sensitive information or gain unauthorized entry into the network.
Risk Levels:
- Critical: The scanner identifies specific SD-WAN vendors or detects a clear vulnerability in encryption, authentication, or configuration that poses an immediate threat.
- High: The presence of management portals, exposed API endpoints, or weak ciphers indicates high risk as these can be easily exploited to gain unauthorized access or data interception.
- Medium: The scanner detects potential vulnerabilities without definitive evidence of exploitation but still represents a significant security concern that should be addressed.
- Low: Informational findings indicating only theoretical risks or minimal exposure, which are less critical but still warrant monitoring and improvement.
- Info: Findings that do not directly impact security but provide useful insights for ongoing network management and optimization.
Example Findings:
- The SD-WAN implementation on acme.com was detected using a known vulnerable vendor’s product, indicating critical risk due to lack of updates or patches.
- A misconfigured SD-WAN allows plaintext traffic over the overlay network, posing a high risk as it can be intercepted and decrypted by unauthenticated users.