Most of the SD-WAN vendors promise to simplify branch management by automating the branch router configuration and delivering a zero touch deployment. There are common approaches between these vendors, but none of them are exactly alike. Once you dive into the details of what’s being done and how, even the common approaches seem to have as many differences as similarities, and some of these vendors fall short to deliver a secure flexible zero touch deployment.

Here are 6 questions that you should ask your SD-WAN vendor when you evaluate their Zero touch bootstrap capability.

  1. Is Internet access mandatory for the new device to connect to the dial-home server?

If Internet access is mandatory, then what happens to the branches that don’t have Internet access, and rely only on one or more MPLS connections? Some SD-WAN vendors host their ‘dial-home’ server only on the Internet

When you evaluate different SD-WAN solutions, make sure to check if the SD-WAN vendor offers a dial home that is reachable on both Internet and MPLS access.

  1. Who controls the ‘dial-home’ server?

Some SD-WAN vendors mandate that their customers must use their dial home server in order to bootstrap any new site. This prevents customers from auditing the bootstrap process or enforcing their security standards during the bootstrap process. Also, it allows SD-WAN vendors to gain sensitive information about their customers’ locations, size of deployment, IP addresses, and other information that can be considered as a breach to the customers’ security policy.

  1. Does the SD-WAN vendor use a Trusted Platform Module (TPM) chip on their devices to secure the initial bootstrap message?

A TPM chip is a specialized chip on an endpoint device that has a unique and secret RSA key, which is used for hardware authentication and as part of the device certificate process during bootstrapping. TPM enables binding of the storage (e.g. compact flash) to the motherboard. If the storage is moved to another appliance, and if there is a TPM mismatch, then it will not be possible to decrypt the private key thus ensuring security and integrity of the branch router software and certificate (used for authenticating the branch router). Without a TPM hardware module, the branch router doesn’t provide the security needed in most deployments, and leaves the door open for spoofing and other intrusions.

  1. Does the SD-WAN vendor support 1 or 2 factor authentication in addition to zero-factor-bootstrapping for extra security?

Most financial customers and government agencies don’t accept zero-touch bootstrapping due to the lack of security, they are looking for one or two step authentication; one step authentication means email activation, two step authentication means email and SMS message.

  1. Is the Zero Touch provisioning available on all router models and form factors (i.e., physical, virtual, cloud)?

Some SD-WAN vendors offer zero touch provisioning on a limited number of their WAN products. Customers usually have different site requirements. Some sites require a cloud router (i.e., Amazon AWS), some sites require a virtual router running on an x86 server, and some sites require a physical router with different bandwidth capability.

  1. Can the SD-WAN branch router deactivate itself and wipe its configuration?

This scenario is useful in case you want to:

  • Re-deploy the WAN router across different organizations or customers without exposing the current configuration to unauthorized personnel, and without restaging the router.
  • Prevent an intruder from getting access to configuration in case the branch router is physically stolen or compromised.
  • Perform RMA without manually deleting the configuration from the router.

Nuage Networks SD-WAN Bootstrap Support

VNS, the Nuage Networks SD-WAN solution has the most extensive and secure bootstrapping model in industry. Nuage has three different bootstrap models that customers can choose from based on their internal security policy. These models are:

  • Zero-Factor Bootstrapping – zero touch installation for semi-trusted device using a USB flash drive
  • One-factor Bootstrapping – one factor sign on for untrusted installer; authentication is done by email
  • Two-factor Bootstrapping – two step sign on for untrusted device and untrusted installer, in which is done by email and SMS code.

Customers can do Zero/One/Two factor bootstrapping on all Nuage Networks NSG routers including physical, virtual, and cloud routers (such as Amazon AWS).

NSG Examples diagram

All the physical Nuage Networks NSG routers come from the factory with TPM chips and pre-signed certificates to guarantee a secure bootstrap process.

With Nuage Networks SD-WAN solution, enterprises host their dial home server on-premise inside their organization. The dial home server can be reachable through Internet or MPLS circuits. Once the NSG router is bootstrapped, Nuage can assign the new NSG router to the right Enterprise/tenant automatically. This capability is very useful for service providers with multiple enterprise customers. Nuage Networks uses multiple identifiers (i.e., MAC address, Serial number, Hostnames, IP address, Device Type) to identify the bootstrapped NSG and auto-assign it to the right Enterprise without the Cloud Service Provider (CSP) manual intervention.

We also offer a deactivation capability on the NSGs, so SP’s can re-deploy the WAN router across different customers without exposing the current configuration to anyone, and without re-staging the router in the staging facility. In the deactivation process, the NSG wipes its entire configuration and resets itself to factory mode. Enterprises also take advantage of this deactivation capability, when they do RMAs or just to protect their NSGs against intruders who may gain physical access to the NSG router.

To learn more about Nuage solution, and how easy it is to onboard a new location in the enterprise network environment, please see the following demo: