Kaspersky SD-WAN

Ensuring security

April 17, 2024

ID 239165

Security in Kaspersky SD-WAN is ensured in the data plane, control plane, and orchestration plane. The security level of the solution as a whole is determined by the security level of each of these planes, as well as the security of their interaction. The following processes take place in each plane:

  • User authentication and authorization
  • Use of secure management protocols
  • Encryption of control traffic
  • Secure connection of CPE devices

Secure management protocols

We recommend using HTTPS when communicating with the SD-WAN network through the orchestrator web interface or API. You can upload your own certificates to the web interface or use automatically generated self-signed certificates. The solution uses several protocols to transmit control traffic between its components (see the table below).

| Interacting components | Protocol | Additional security measures |
| --- | --- | --- |
| Orchestrator and SD-WAN Controller | gRPC | TLS is used for authentication and traffic encryption between the client and server. |
| Orchestrator and CPE device | HTTPS | Certificate verification and a token are used for authentication and traffic encryption between the orchestrator and the CPE device. |
| SD-WAN Controller and CPE device | OpenFlow 1.3.4 | TLS is used for authentication and traffic encryption between the SD-WAN Controller and the CPE device. |

Secure connection of CPE devices

The solution uses the following mechanisms for secure connection of CPE devices:

  • Discovery of the CPE device by its DPID.
  • Deferred registration. You can select the state of the CPE device after successful registration: Activated or Deactivated. A deactivated CPE device must be manually activated after confirming that it is installed at the intended location.
  • Two-factor authentication.

Using virtual network functions

You can provide an additional layer of security with virtual network functions deployed in the data center and/or on uCPEs. For example, traffic can be relayed from a CPE device to a virtual network function that acts as a firewall or proxy server. Virtual network functions can perform the following SD-WAN protection functions:

  • Next-Generation Firewall (NGFW)
  • Protection from DDoS (Distributed Denial of Service) attacks
  • Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
  • Anti-Virus
  • Anti-Spam
  • Content filtering and URL filtering
  • DLP (Data Loss Prevention) system for preventing confidential information leaks
  • Secure Web Proxy
