Ensuring security

April 9, 2024

ID 239165

Security in Kaspersky SD-WAN is ensured in the data plane, control plane, and orchestration plane. The security level of the solution as a whole is determined by the security level of each of these planes, as well as the security of their interaction. The following processes take place in each plane:

  • User authentication and authorization
  • Use of secure management protocols
  • Encryption of control traffic
  • Secure connection of CPE devices

Secure management protocols

We recommend using HTTPS when communicating with the SD-WAN network through the orchestrator web interface or API. You can upload your own certificates to the web interface or use automatically generated self-signed certificates. The solution uses several protocols to transmit control traffic to its components (see the table below).

Protocols for transmitting control traffic

  Interacting components             | Protocol       | Additional security measures
  -----------------------------------|----------------|-------------------------------------------------------------------------------------
  Orchestrator and SD-WAN Controller | gRPC           | TLS is used for authentication and traffic encryption between the client and server.
  Orchestrator and CPE device        | HTTPS          | Certificate verification and a token are used for authentication and traffic encryption between the orchestrator and the CPE device.
  SD-WAN Controller and CPE device   | OpenFlow 1.3.4 | TLS is used for authentication and traffic encryption between the SD-WAN Controller and the CPE device.

Secure connection of CPE devices

The solution uses the following mechanisms to identify CPE devices during installation and registration:

  • Discovery of CPE device by DPID.
  • Deferred registration. You can select the state of the CPE device after successful registration: Activated or Deactivated. A deactivated CPE device must be manually activated after making sure it is installed at the location.
  • Two-factor authentication — the client receives a key that must be entered on the CPE device to activate it.

During registration, the CPE device verifies the authenticity of the orchestrator certificate and then sends its DPID and token to the orchestrator. The orchestrator checks the DPID and token against its database and, if the check is successful, provides the device with the information necessary for connecting to the network as well as its configuration. The device then establishes a connection with the SD-WAN Controller, which in turn programs the behavior of the device for subsequent traffic processing.

If the DPID is missing from the inventory, the CPE device is displayed with the Unknown status and does not connect to the SD-WAN network.
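The orchestrator-side part of this registration flow, modelled as an added example that is not Kaspersky's own code: the inventory, DPIDs, tokens and the function names register_cpe and activate_cpe are constructed for illustration, and treating a token mismatch as a refused registration is an assumption, since the page only describes the successful path.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory (hypothetical values): DPID -> registration token.
INVENTORY = {
    "00:00:00:11:22:33:44:55": "tok-cpe-branch-01",
    "00:00:aa:bb:cc:dd:ee:ff": "tok-cpe-branch-02",
}


@dataclass
class CpeRecord:
    dpid: str
    status: str                            # "Activated", "Deactivated" or "Unknown"
    activation_key: Optional[str] = None   # set only when two-factor activation is required


def register_cpe(dpid, token, *, deferred=False, two_factor=False):
    """Model the orchestrator's check of the DPID and token sent by a CPE device.

    Returns a CpeRecord, or None when the token does not match (assumed: registration refused).
    Only an "Activated" device would receive network and configuration data.
    """
    expected = INVENTORY.get(dpid)
    if expected is None:
        # DPID not in the inventory: device is shown as Unknown and does not join the network.
        return CpeRecord(dpid, "Unknown")
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    if deferred:
        # Deferred registration: device stays Deactivated until an operator confirms its location.
        key = secrets.token_hex(4) if two_factor else None
        return CpeRecord(dpid, "Deactivated", key)
    return CpeRecord(dpid, "Activated")


def activate_cpe(record, entered_key=None):
    """Manual activation; with two-factor enabled, the key handed to the client must match."""
    if record.status != "Deactivated":
        return False
    if record.activation_key is not None:
        if entered_key is None or not hmac.compare_digest(
            record.activation_key.encode(), entered_key.encode()
        ):
            return False
    record.status = "Activated"
    record.activation_key = None
    return True
```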

Using VNF

You can add a layer of security with VNFs deployed in the data center and/or on uCPE. For example, traffic can be routed from a CPE device to a VNF, which provides firewall or proxy server functionality. VNFs can perform the following SD-WAN protection functions:

  • Next-Generation Firewall (NGFW)
  • Protection from DDoS (Distributed Denial of Service) attacks
  • Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
  • Anti-Virus
  • Anti-Spam
  • Filtering system for URL and web content
  • DLP (Data Loss Prevention) system for preventing confidential information leaks
  • Secure Web Proxy
