Ensuring security

Security in Kaspersky SD-WAN is ensured in the data plane, control plane, and orchestration plane. The security level of the solution as a whole is determined by the security level of each of these planes, as well as the security of their interaction. The following processes take place in each plane:

Secure management protocols

We recommend using HTTPS when communicating with the SD-WAN network through the orchestrator web interface or API. You can upload your own certificates to the web interface or use automatically generated self-signed certificates. The solution uses several protocols to transmit control traffic to its components (see the table below).

Protocols for transmitting control traffic

| Interacting components | Protocol | Additional security measures |
| --- | --- | --- |
| Orchestrator and SD-WAN controller | gRPC | TLS is used for authentication and traffic encryption between the client and server. |
| Orchestrator and CPE device | HTTPS | Certificate verification and a token are used for authentication and traffic encryption between the orchestrator and the CPE device. |
| SD-WAN controller and CPE device | OpenFlow 1.3.4 | TLS is used for authentication and traffic encryption between the SD-WAN controller and the CPE device. |

Secure connection of CPE devices

The solution uses the following mechanisms to identify CPE devices during installation and registration:

During registration, the CPE device verifies the authenticity of the orchestrator certificate and then sends its DPID and token to the orchestrator. The orchestrator checks the DPID and token against its database and, if the check is successful, provides the device with its configuration and the information it needs to connect to the network. The device then establishes a connection with the SD-WAN controller, which in turn programs the behavior of the device for subsequent traffic processing.

If the DPID is missing from the inventory, the CPE device is displayed with the Unknown status and does not connect to the SD-WAN network.
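The orchestrator-side half of the registration check described above, modeled as an added example (not Kaspersky SD-WAN's own code): an inventory lookup keyed by DPID followed by a constant-time token comparison. The inventory layout, the status names other than Unknown, the returned configuration and the sample DPIDs and tokens are assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class CpeRecord:
    """Inventory entry for one CPE device (assumed layout, not the product's schema)."""
    dpid: str
    token: str          # registration token issued when the device was added to the inventory
    config: dict        # configuration handed out only after a successful check
    status: str = "Not registered"


@dataclass
class RegistrationResult:
    accepted: bool
    status: str
    config: Optional[dict] = None
    reason: str = ""


def register_cpe(inventory: dict, dpid: str, token: str) -> RegistrationResult:
    """Check the DPID and token presented by a CPE device against the inventory.

    Unknown DPID   -> device is shown as Unknown and receives no configuration (as the page states).
    Token mismatch -> check fails and no configuration is returned (status name assumed).
    Both match     -> device is marked Registered and receives its configuration.
    """
    record = inventory.get(dpid)
    if record is None:
        # Nothing is written to the inventory for an unknown device; only the status is reported.
        return RegistrationResult(False, "Unknown", reason="DPID not in inventory")
    # Constant-time comparison so a wrong token does not leak how many bytes matched.
    if not hmac.compare_digest(record.token.encode(), token.encode()):
        return RegistrationResult(False, "Rejected", reason="token mismatch")
    record.status = "Registered"
    return RegistrationResult(True, record.status, config=dict(record.config))


# Constructed sample inventory with two known devices (values are placeholders).
INVENTORY = {
    "00:00:00:11:22:33:44:55": CpeRecord("00:00:00:11:22:33:44:55", "tok-branch-01",
                                         {"controller": "sdwan-controller.example", "tls": True}),
    "00:00:00:aa:bb:cc:dd:ee": CpeRecord("00:00:00:aa:bb:cc:dd:ee", "tok-branch-02",
                                         {"controller": "sdwan-controller.example", "tls": True}),
}

if __name__ == "__main__":
    for dpid, token in [("00:00:00:11:22:33:44:55", "tok-branch-01"),
                        ("00:00:00:11:22:33:44:55", "wrong-token"),
                        ("00:00:00:99:99:99:99:99", "tok-branch-01")]:
        result = register_cpe(INVENTORY, dpid, token)
        print(dpid, result.status, result.reason)
```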

Using VNF

You can add a layer of security with VNFs deployed in the data center and/or on uCPE. For example, traffic can be routed from a CPE device to a VNF, which provides firewall or proxy server functionality. VNFs can perform the following SD-WAN protection functions:
