Kaspersky SD-WAN
2.2
English

Contents

Ensuring security

Security in Kaspersky SD-WAN is ensured in the

data plane
,
control plane
, and orchestration plane. The security level of the solution as a whole is determined by the security level of each of these planes, as well as the security of their interaction. The following processes take place in each plane:

  • User authentication and authorization
  • Use of secure management protocols
  • Encryption of control traffic
  • Secure connection of CPE devices

Secure management protocols

We recommend using HTTPS when communicating with the SD-WAN network through the orchestrator web interface or API. You can upload your own certificates to the web interface or use automatically generated self-signed certificates. The solution uses several protocols to transmit control traffic to components (see the table below).

Interacting components

Protocol

Additional security measures

Orchestrator and SD-WAN controller

gRPC

TLS is used for authentication and traffic encryption between the client and server.

Orchestrator and CPE device

HTTPS

Certificate verification and a token are used for authentication and traffic encryption between the orchestrator and the CPE device.

SD-WAN controller and CPE device

OpenFlow 1.3.4

TLS is used for authentication and traffic encryption between the SD-WAN controller and the CPE device.

Secure connection of CPE devices

The solution uses the following mechanisms for secure connection of CPE devices:

  • Discovery of CPE device by DPID.
  • Deferred registration. You can select the state of the CPE device after successful registration: Enabled or Disabled. A disabled CPE device must be enabled after making sure it is installed at the location.
  • Two-factor authentication.

Using virtual network functions

You can provide an additional layer of security with virtual network functions deployed in the data center and/or on

uCPEs
. For example, traffic can be relayed from a CPE device to a virtual network function that acts as a firewall or proxy server. Virtual network functions can perform the following SD-WAN protection functions:

  • Next-Generation Firewall (NGFW)
  • Protection from DDoS (Distributed Denial of Service) attacks
  • Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
  • Anti-Virus
  • Anti-Spam
  • Content Filtering and URL filtering system
  • DLP (Data Loss Prevention) system for preventing confidential information leaks
  • Secure Web Proxy
Page top
[Topic 239165]