Receiving industrial network traffic from Kaspersky SD-WAN components

Kaspersky Industrial CyberSecurity for Networks can run integrated with Kaspersky SD-WAN. When running in this mode, Kaspersky Industrial CyberSecurity for Networks receives mirrored traffic that passes through switches on remote sites if a Customer Premise Equipment (CPE) device, a Kaspersky SD-WAN component, is installed on these sites. You can use CPE devices to implement some features of Kaspersky Industrial CyberSecurity for Networks sensors by forwarding industrial network traffic from remote sites to the application. The data is sent to the application via secure channels.

CPE devices that receive mirrored traffic directly on remote sites encrypt the traffic to forward it to other (receiving) CPE devices that share a network with Kaspersky Industrial CyberSecurity for Networks nodes. Receiving CPE devices must be assigned the SD-WAN gateway role if communication between devices that send mirrored traffic is only allowed through the gateway. We recommend placing receiving CPE devices on a dedicated Kaspersky Industrial CyberSecurity network. These devices relay mirrored traffic to the network interfaces of Kaspersky Industrial CyberSecurity for Networks nodes.

Traffic received at the network interface of the Kaspersky Industrial CyberSecurity for Networks node from various CPE devices is identified by virtual local area network (VLAN) IDs added to network packets in accordance with the IEEE 802.1Q standard. When configuring an integration between Kaspersky Industrial CyberSecurity for Networks and Kaspersky SD-WAN, ensure that the VLAN IDs used by the Kaspersky SD-WAN components match those used by the computer with the Kaspersky Industrial CyberSecurity for Networks component installed. Each network interface receiving traffic with a certain VLAN ID must be a VLAN interface with the matching ID.
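The following is an added example, not part of the Kaspersky documentation or product: a Python check that reads the IEEE 802.1Q tag from captured Ethernet frames and compares the VLAN IDs seen with the IDs you expect from each sending CPE device. The VLAN IDs, site names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged or too short."""
    if len(frame) < 16:  # 12 bytes of MAC addresses + 4-byte tag
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID

def audit(frames, expected):
    """Compare VLAN IDs seen in frames with the expected {vlan_id: site} map."""
    seen = Counter(vlan_id(f) for f in frames)
    return {
        # frames per site whose VLAN ID matches the configuration
        "per_site": {expected[v]: n for v, n in seen.items() if v in expected},
        # tagged traffic with an ID no VLAN interface is configured for
        "unexpected": sorted(v for v in seen if v is not None and v not in expected),
        # frames that arrived without any 802.1Q tag
        "untagged": seen.get(None, 0),
        # configured sites from which no traffic was seen (possible ID mismatch)
        "silent": sorted(s for v, s in expected.items() if v not in seen),
    }

def make_frame(vid=None, pcp=0):
    """Build a constructed sample frame (dummy MACs, IPv4 EtherType, zero payload)."""
    macs = bytes.fromhex("020000000001020000000002")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)

# Constructed mapping of VLAN ID -> remote site, and constructed traffic
EXPECTED = {101: "site-a", 102: "site-b", 103: "site-c"}
SAMPLE = [make_frame(101), make_frame(101, pcp=5), make_frame(102),
          make_frame(200), make_frame()]

if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED))
```

A site listed under `silent` together with an ID under `unexpected` is the typical signature of a VLAN ID mismatch between the sending side and the node's VLAN interfaces.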

For efficient integration, you can relax the restrictions on the number of monitoring points in the application through additional configuration of the software components. Maximum possible restrictions on integration with Kaspersky SD-WAN:

The rest of the requirements for deployment of Kaspersky Industrial CyberSecurity for Networks components are similar to other typical deployment patterns, such as Server installation without external sensors.

For more information about configuring software components to run in integration mode, contact your technical account manager (TAM).

The figure below shows an example deployment pattern for Kaspersky Industrial CyberSecurity for Networks and Kaspersky SD-WAN in which mirrored traffic from multiple sites travels to the Kaspersky Industrial CyberSecurity for Networks Server through a single SD-WAN gateway. Computers connected to the dedicated Kaspersky Industrial CyberSecurity network and computers with central SD-WAN components installed are located in the corporate headquarters. The dotted lines designate the path that the mirrored traffic takes from the switches on the remote sites.

Diagram illustrating traffic delivery to a Server from sites via Kaspersky SD-WAN components

Example of a deployment pattern that includes Kaspersky SD-WAN
