Ensuring security

Security in Kaspersky SD-WAN is ensured in the data plane, control plane, and orchestration plane. The security level of the solution as a whole is determined by the security level of each of these planes, as well as the security of their interaction. The following processes take place in each plane:

Secure management protocols

We recommend using HTTPS when communicating with the SD-WAN network through the orchestrator web interface or API. You can upload your own certificates to the web interface or use automatically generated self-signed certificates. The solution uses several protocols to transmit control traffic to components (see the table below).

Interacting components           | Protocol        | Additional security measures
---------------------------------|-----------------|------------------------------------------------------------------------------------------------------------
Orchestrator and SD-WAN Controller | gRPC          | TLS is used for authentication and traffic encryption between the client and server.
Orchestrator and CPE device      | HTTPS           | Certificate verification and a token are used for authentication and traffic encryption between the orchestrator and the CPE device.
SD-WAN Controller and CPE device | OpenFlow 1.3.4  | TLS is used for authentication and traffic encryption between the SD-WAN Controller and the CPE device.

Secure connection of CPE devices

The solution uses the following mechanisms for secure connection of CPE devices:

Using virtual network functions

You can provide an additional layer of security with virtual network functions deployed in the data center and/or on uCPEs. For example, traffic can be relayed from a CPE device to a virtual network function that acts as a firewall or proxy server. Virtual network functions can perform the following SD-WAN protection functions: