Kaspersky SD-WAN

Traffic encryption

Traffic encryption is a mechanism for securing the exchange of traffic between CPE devices through tunnels. For example, you can encrypt traffic when sending data between devices over a tunnel built on top of an unsecured Internet connection.

Traffic encryption does not replace the need to use other information security measures, such as TLS, LDAPS, and other protocols that protect traffic within the overlay network.

The SD-WAN Controller automatically generates keys for encrypting and decrypting traffic and sends them to CPE devices. Traffic is encrypted on the source device with an encryption key before being sent to the tunnel. The destination device receives traffic from the tunnel and decrypts it with the decryption key.

The keys are regularly updated to deprive third parties of the opportunity to encrypt or decrypt the transmitted traffic if a key is intercepted. You can specify the length of time after which the keys are updated on CPE devices using the Dtopology.link.encryption.key.update.interval.minutes property of the SD-WAN Controller.

Traffic encryption is supported only on CPE devices running Kaspersky SD-WAN software.

If traffic encryption is enabled on a CPE device, all outbound tunnels that involve this device send encrypted traffic (including new tunnels that will be established later).

If traffic encryption is disabled on a CPE device, it sends unencrypted traffic. Note that if you disable traffic encryption on a device that previously encrypted its outgoing traffic, the keys generated by the SD-WAN Controller for encrypting and decrypting traffic are deleted from all associated devices.

Traffic encryption can also be enabled or disabled on tunnels. For example, you can enable traffic encryption on a CPE device, but disable it on a tunnel established with the participation of this device. When enabling or disabling traffic encryption on a tunnel, you must configure both the outgoing and incoming tunnels in the same way.

In this section

Traffic encryption on a CPE device

Traffic encryption on a tunnel


Traffic encryption on a CPE device

If traffic encryption is enabled on a CPE device, encrypted traffic is transmitted through all links established with its participation. The only exception is a link on which you have explicitly disabled traffic encryption while leaving it enabled on the device.

You can enable or disable traffic encryption on an individual CPE device or on all devices that use the CPE template. By default, traffic encryption is disabled.

To enable or disable traffic encryption on an individual CPE device:

  1. In the menu, go to the SD-WAN section.

    By default, the CPE subsection is displayed with a table of CPE devices.

  2. Click the CPE device.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Tunnel encryption tab.

    The traffic encryption policy is displayed.

  4. Select the Override check box to ignore the applied CPE template and make the settings in the selected tab editable. This check box is cleared by default.
  5. In the Default encryption policy drop-down list, select Enabled or Disabled.
  6. In the upper part of the settings area, click Save to save the configuration of the CPE device.

To enable or disable traffic encryption on all devices that use a CPE template:

  1. In the menu, go to the SD-WAN → CPE templates subsection.

    A table of CPE templates is displayed.

  2. Click the CPE template.

    The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

  3. Select the Tunnel encryption tab.

    The traffic encryption policy is displayed.

  4. In the Default encryption policy drop-down list, select Enabled or Disabled.
  5. In the upper part of the settings area, click Save to save the configuration of the CPE template.

Traffic encryption on a link


You can enable or disable traffic encryption on an individual link. All links built within the SD-WAN network are displayed in the overall table of links in the Tunnels section, as well as in the graphic topology in the Topology section. A table of links built using a particular CPE device is also displayed in the configuration of that CPE device, on the Tunnels tab.

When enabling or disabling traffic encryption on an individual link, you must configure the opposite-direction link in the same way.
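The two rules above (a link inherits the device's default encryption policy unless a per-link override is set, and the two directions of a tunnel must be configured identically) are easy to get wrong in a large topology, so an audit that resolves the effective setting of every link and flags direction mismatches is useful. The following is an added illustration written for this page, not Kaspersky SD-WAN code: the `Cpe` and `Link` structures, the `effective_encryption` and `direction_mismatches` functions, and the sample topology are all constructed here, and the assumption that an outbound link without an override follows its source device's default policy is taken from the statement that an encryption-enabled device encrypts all its outbound tunnels.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cpe:
    """A CPE device with its 'Default encryption policy' (Disabled by default)."""
    name: str
    default_encryption: bool = False


@dataclass(frozen=True)
class Link:
    """One outbound tunnel from src to dst with the per-link 'Set encryption' fields.
    override / enable_encryption mirror the two check boxes, both cleared by default."""
    src: str
    dst: str
    override: bool = False
    enable_encryption: bool = False


def effective_encryption(link: Link, devices: dict) -> bool:
    """Resolve whether traffic sent over this outbound link is encrypted.
    Assumption (not stated verbatim on the page): without a per-link override,
    the outbound link follows the source device's default policy."""
    if link.override:
        return link.enable_encryption
    return devices[link.src].default_encryption


def direction_mismatches(links, devices) -> list:
    """Return a description of every device pair whose two directions disagree,
    or where the opposite-direction link is missing altogether."""
    by_pair = {(l.src, l.dst): l for l in links}
    seen = set()
    problems = []
    for (a, b), fwd in by_pair.items():
        pair = frozenset((a, b))
        if pair in seen:          # each pair is checked once, from whichever side comes first
            continue
        seen.add(pair)
        rev = by_pair.get((b, a))
        if rev is None:
            problems.append(f"{a}->{b}: no opposite-direction link configured")
            continue
        f_enc = effective_encryption(fwd, devices)
        r_enc = effective_encryption(rev, devices)
        if f_enc != r_enc:
            problems.append(
                f"{a}<->{b}: {a}->{b} encrypted={f_enc}, {b}->{a} encrypted={r_enc}"
            )
    return problems


def set_link_encryption(link: Link, enabled: bool) -> Link:
    """Model the 'Set encryption' window: select Override and set Enable encryption."""
    return replace(link, override=True, enable_encryption=enabled)


# Constructed sample topology: three devices, one with encryption disabled by policy.
DEVICES = {d.name: d for d in (Cpe("cpe-a", True), Cpe("cpe-b", False), Cpe("cpe-c", True))}
LINKS = [
    Link("cpe-a", "cpe-b"),                                           # encrypted by cpe-a's policy
    Link("cpe-b", "cpe-a"),                                           # cpe-b policy is Disabled: mismatch
    Link("cpe-a", "cpe-c"), Link("cpe-c", "cpe-a"),                   # both directions encrypted
    Link("cpe-b", "cpe-c", override=True, enable_encryption=True),    # per-link override on
    Link("cpe-c", "cpe-b", override=True, enable_encryption=False),   # override off the other way: mismatch
]

# Corrected configuration: both inconsistent reverse links get an explicit override.
FIXED_LINKS = LINKS[:1] + [set_link_encryption(LINKS[1], True)] + LINKS[2:5] + [
    set_link_encryption(LINKS[5], True)
]

if __name__ == "__main__":
    for p in direction_mismatches(LINKS, DEVICES):
        print("MISMATCH:", p)
    print("after fix:", direction_mismatches(FIXED_LINKS, DEVICES) or "no mismatches")
```

Running the block reports the two inconsistent pairs in the constructed topology and an empty result once the reverse links carry a matching override; the same audit can be fed from an exported link table, since only the source, destination and the two check-box values per link are needed.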

To enable or disable traffic encryption on a link, use the following instructions:

  • Enabling or disabling traffic encryption on a link using the overall table of links.

    To enable or disable traffic encryption on a link using the overall table of links:

    1. In the menu, go to the Infrastructure section.

      The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.

    2. Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.

      This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.

    3. Go to the Tunnels section.

      A table of links is displayed.

    4. Click Management next to the link and in the drop-down list, select Set encryption.
    5. This opens a window; in that window, select or clear the Override check box to enable or disable encryption of the selected link. This check box is cleared by default.
    6. Select or clear the Enable encryption check box. This check box is cleared by default.
    7. Click Save.
  • Enabling or disabling traffic encryption on a link using the graphical topology.

    To enable or disable traffic encryption on a link using the graphical topology:

    1. In the menu, go to the Infrastructure section.

      The SD-WAN infrastructure management page is displayed. By default, the Network resources tab is selected, which displays the table of SD-WAN Controllers.

    2. Click Management next to the SD-WAN Controller and in the drop-down list, select Configuration menu.

      This opens the SD-WAN Controller configuration menu. By default, you are taken to the Controller nodes section, which displays a table of Controller nodes.

    3. Go to the Topology section.

      The SD-WAN topology is displayed.

    4. Click the link to open a window and in that window, click Set encryption.
    5. This opens a window; in that window, select or clear the Override check box to enable or disable encryption of the selected link. This check box is cleared by default.
    6. Select or clear the Enable encryption check box. This check box is cleared by default.
    7. Click Save.
  • Enabling or disabling traffic encryption on a link in the configuration of a CPE device.

    To enable or disable traffic encryption on a link in the configuration of a CPE device:

    1. In the menu, go to the SD-WAN section.

      By default, the CPE subsection is displayed with a table of CPE devices.

    2. Click the CPE device.

      The settings area is displayed in the lower part of the page. You can expand the settings area to fill the entire page by clicking the expand button.

    3. Select the Tunnels tab.

      A table of links is displayed.

    4. Click Management next to the link and in the drop-down list, select Set encryption.
    5. This opens a window; in that window, select or clear the Override check box to enable or disable encryption of the selected link. This check box is cleared by default.
    6. Select or clear the Enable encryption check box. This check box is cleared by default.
    7. In the upper part of the settings area, click Save to save the configuration of the CPE device.