Multapplied SD-WAN enables security to be extended simply and easily to networks requiring redundant connections, LTE backup and to hosts or sites requiring broadband or Internet-based connectivity to meet business requirements for cost and performance.
Multapplied’s SD-WAN delivers secure architecture through…
Data transport using a Virtual Tunnel composed of multiple, diverse physical circuits with their own paths across multiple carrier networks.
This provides physical redundancy, and a measure of resistance to interception, by splitting a host’s communications across multiple paths to another site or data center. The Tunnel protocol itself is proprietary and not publicly specified; the cryptographic protection applied to it is the HMAC and DTLS options described below.
Packet-based Load Balancing algorithms that distribute packets within every single stream of data originating from a host across multiple carrier circuits and paths.
No single circuit carries an entire stream of data, so an intercept on any one circuit captures only a fraction of each stream. This is not a substitute for encryption: anyone with access to all circuits, or to the CPE or Aggregator where the stream is reassembled, sees the whole stream unless encryption is enabled.
Security Options that encrypt all traffic on each circuit in the Tunnel independently. Encryption can be enabled on all links using the AES128, AES256, or Salsa20 ciphers. Even if encryption is disabled, HMAC packet authentication verifies the integrity and origin of every packet, so an on-path attacker cannot modify or inject packets without detection; it does not stop that attacker from reading the traffic.
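The striping behaviour described above, as an added illustration (this is not Multapplied code; the round-robin scheduler, the packet layout and the leg names are assumptions, since the real Tunnel protocol is proprietary). It shows what a tap on one circuit recovers versus what a tap on every circuit, or on the reassembling endpoint, recovers:

```python
"""Per-packet striping of one host's stream across the legs of a bond.

Added illustration, not Multapplied code: the round-robin scheduler, the
packet layout and the leg names are assumptions (the real Tunnel protocol is
proprietary).
"""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Leg:
    name: str
    carried: list = field(default_factory=list)  # packets observed on this circuit


@dataclass
class TunnelPacket:
    seq: int        # bond-wide sequence number used to re-order at the far end
    leg: str
    payload: bytes


class Bond:
    """Spreads every packet of every stream over all legs (round-robin assumed)."""

    def __init__(self, legs):
        self.legs = {leg.name: leg for leg in legs}
        self._next_leg = cycle(list(self.legs))
        self._seq = 0

    def send(self, stream: bytes, mtu: int) -> None:
        """Cut the stream into MTU-sized packets and hand each to the next leg."""
        for offset in range(0, len(stream), mtu):
            pkt = TunnelPacket(self._seq, next(self._next_leg), stream[offset:offset + mtu])
            self._seq += 1
            self.legs[pkt.leg].carried.append(pkt)


def reassemble(legs) -> bytes:
    """What the far-end Aggregator/CPE (or a tap on every leg) recovers."""
    packets = sorted((p for leg in legs for p in leg.carried), key=lambda p: p.seq)
    return b"".join(p.payload for p in packets)


def single_leg_view(leg: Leg) -> bytes:
    """What an eavesdropper on one circuit sees: in-order fragments with gaps."""
    return b"".join(p.payload for p in sorted(leg.carried, key=lambda p: p.seq))


def demo() -> dict:
    # Constructed 1200-byte stream: 12 blocks of 100 identical bytes, A..L.
    stream = b"".join(bytes([c]) * 100 for c in b"ABCDEFGHIJKL")
    legs = [Leg("carrier-1"), Leg("carrier-2"), Leg("lte-backup")]
    bond = Bond(legs)
    bond.send(stream, mtu=100)
    return {
        "reassembled_ok": reassemble(legs) == stream,
        "packets_per_leg": {leg.name: len(leg.carried) for leg in legs},
        "tap_on_carrier_1": single_leg_view(legs[0]),
        "tap_on_all_legs": reassemble(legs),
    }


if __name__ == "__main__":
    result = demo()
    print(result["packets_per_leg"])
    print("carrier-1 tap recovers", len(result["tap_on_carrier_1"]),
          "of", len(result["tap_on_all_legs"]), "bytes")
```

With three legs and per-packet round-robin, a tap on carrier-1 recovers every third packet of the stream in order (400 of 1200 bytes here), which is why the page's HMAC-only mode still leaves the data readable; only the DTLS option below makes what each leg carries opaque.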
Install natively on a WAN Edge device or Customer Premise Equipment (CPE)
- Third-party applications can be run on the CPE using containers, which have fine-grained access controls to limit access and exposure.
- The WAN Edge device uses an on-device firewall to limit remote access to network administrators.
- Management of the CPE is performed over a VPN between the CPE and the Management Server/Orchestrator. Authentication is mutual: symmetric cryptographic authentication proves to each WAN Edge device that the Orchestrator is genuine, and to the Orchestrator that the CPE is genuine.
In addition, Multapplied SD-WAN provides a selection of security options:
- Hash-Based Message Authentication Codes (HMAC) provide data integrity checks but not secrecy. A receiving host can detect whether network data has been altered in transit, but the data is not hidden: it can be read by anyone with access to the networks between the site and the Data Center, to the CPE at the Site, or to the switches, routers or servers/storage in the Data Center. The HMAC construction follows RFC 2104, using MD5 as the underlying hash and a 30-byte secret key; because the key is shorter than MD5’s 64-byte block, RFC 2104 zero-pads it to the block size. MD5 is no longer collision-resistant; the known collision attacks do not yield a practical forgery against HMAC-MD5 (RFC 6151), but MD5 should not be chosen for new designs.
- Encryption for data between a site and the Data Center using the DTLS 1.2 protocol (RFC 6347, which updates the original DTLS 1.0 specification in RFC 4347). Forward secrecy is a property of the session key exchange rather than of the cipher: the session keys cannot be derived from the nodes’ long-term private keys, so recorded traffic cannot be decrypted later if a private key is compromised. Three ciphers are available: AES128, AES256 and Salsa20/256. Salsa20 is not an IANA-registered TLS/DTLS cipher suite, so that option is specific to the Multapplied Tunnel.
- Containerized Layer 2 or Layer 3 firewall instances on a CPE. Multapplied SD-WAN supports deploying per-site firewalls in containers on the SD-WAN CPE. Firewall instances sit between the Tunnel and the LAN.
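The HMAC option above, written out as RFC 2104 defines it with the 30-byte key the page states. This is an added illustration, not Multapplied code: the 4-byte sequence header, the tag position at the end of the packet and the sample payload are assumptions about a packet format the page does not specify. It cross-checks the hand-written HMAC against the standard library, shows a flipped bit being rejected, and shows that the payload remains readable on the wire:

```python
"""HMAC-MD5 packet authentication as RFC 2104 defines it, with a 30-byte key.

Added illustration, not Multapplied code: the 4-byte sequence header, the
tag placement at the end of the packet and the sample payload are assumptions.
"""
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64   # MD5 block size, "B" in RFC 2104
KEY_LEN = 30      # key length the page states: shorter than B, so it is zero-padded
TAG_LEN = 16      # MD5 digest length
SEQ_LEN = 4       # assumed per-packet sequence header


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, text) = H((K xor opad) || H((K xor ipad) || text)), RFC 2104 section 2."""
    if len(key) > BLOCK_SIZE:                 # keys longer than B are first hashed down
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # pad K with zeros to the block size
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.md5(bytes(b ^ 0x5C for b in key) + inner).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Append a tag over header and payload. Nothing is hidden, only authenticated."""
    body = seq.to_bytes(SEQ_LEN, "big") + payload
    return body + hmac_md5(key, body)


def open_packet(key: bytes, packet: bytes):
    """Return (seq, payload) if the tag verifies, else None. Constant-time compare."""
    if len(packet) < SEQ_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac_md5(key, body)):
        return None
    return int.from_bytes(body[:SEQ_LEN], "big"), body[SEQ_LEN:]


def demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)
    payload = b"GET /payroll/export HTTP/1.1"     # constructed site traffic
    packet = seal(key, 7, payload)

    tampered = bytearray(packet)
    tampered[SEQ_LEN] ^= 0x01                     # flip one payload bit on the wire

    return {
        "matches_stdlib": hmac.new(key, packet[:-TAG_LEN], hashlib.md5).digest() == packet[-TAG_LEN:],
        "recovered": open_packet(key, packet),
        "tampered_rejected": open_packet(key, bytes(tampered)) is None,
        "payload_visible_on_wire": payload in packet,   # HMAC gives integrity, not secrecy
    }


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest rather than == so that tag verification does not leak timing information about how many leading bytes of a forged tag were correct; the receiver also needs the sequence number to reject replayed packets, which a bare HMAC does not do on its own.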
Encryption is performed using private keys generated when the Aggregator and CPE were provisioned, and the tunnel endpoints (Aggregator and CPE) are authenticated with X.509 certificates signed by a certificate authority on the Management Server.
Each circuit in the Tunnel has its own encryption session. For example, a tunnel or bond of three circuits (a circuit is sometimes referred to as a ‘leg’) uses three independent sessions. Sessions renegotiate keys at the interval defined in the Management Server Bond Options, by default every hour. Setting the value to 0 disables periodic renegotiation, after which a single session key protects all traffic on that leg for the life of the session. Keep renegotiation enabled unless there is a specific reason not to: each renegotiation bounds how much traffic a compromised session key can expose.
Encryption adds overhead to each packet sent between the CPE and Aggregator, leaving a smaller MTU for site traffic. The overhead differs per cipher. The following list shows the MTU available to site traffic on a bond whose legs have a 1500-byte MTU, with the per-packet overhead in parentheses. LAN hosts that assume a 1500-byte path will fragment or lose large packets unless path MTU discovery or TCP MSS clamping accounts for the reduction.
- No encryption, HMAC: 1452 bytes (48 bytes overhead)
- AES 128: 1403 bytes (97 bytes overhead)
- AES 256: 1375 bytes (125 bytes overhead)
- Salsa20 256: 1407 bytes (93 bytes overhead)
Some CPUs provide AES hardware acceleration when a 64-bit operating system is installed, which significantly reduces the CPU load that enabling encryption adds. The Node Details page on the Multapplied Management Server shows whether a CPE or Aggregator CPU supports AES acceleration.
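The same check performed directly on the box, as an added example (not Multapplied code). It reads the CPU flags the kernel exposes and the running kernel’s architecture; the decision rule (AES flag present and a 64-bit system) follows the page, and the two sample cpuinfo texts are constructed:

```python
"""Check whether a CPE or Aggregator can use hardware AES.

Added illustration, not Multapplied code: the decision rule (AES flag present
and a 64-bit kernel) follows the page; the sample cpuinfo texts are constructed.
"""
import platform
from pathlib import Path

SIXTY_FOUR_BIT = {"x86_64", "amd64", "aarch64", "arm64"}


def parse_cpu_flags(cpuinfo_text: str) -> set:
    """Collect flag names from every 'flags' (x86) or 'Features' (arm64) line."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("flags", "features"):
            flags.update(value.split())
    return flags


def aes_acceleration(cpuinfo_text: str, machine: str) -> dict:
    flags = parse_cpu_flags(cpuinfo_text)
    has_aes = "aes" in flags                     # AES-NI on x86, ARMv8 crypto extension on arm64
    is_64bit = machine in SIXTY_FOUR_BIT          # platform.machine() reports the running kernel's arch
    return {
        "cpu_has_aes": has_aes,
        "os_is_64bit": is_64bit,
        "hw_aes_usable": has_aes and is_64bit,
        # carry-less multiply accelerates GCM's GHASH; only matters for AES-GCM suites
        "carryless_multiply": bool(flags & {"pclmulqdq", "pmull"}),
    }


def check_this_host() -> dict:
    """Run against the local machine (Linux: /proc/cpuinfo)."""
    return aes_acceleration(Path("/proc/cpuinfo").read_text(), platform.machine())


# Constructed samples: a core with AES-NI and carry-less multiply, and an older one without.
SAMPLE_AESNI = "processor\t: 0\nflags\t\t: fpu sse2 ssse3 aes pclmulqdq avx2\n"
SAMPLE_NO_AESNI = "processor\t: 0\nflags\t\t: fpu sse2 ssse3\n"

if __name__ == "__main__":
    print(check_this_host())
```

A CPE that reports cpu_has_aes but not os_is_64bit is the case the page warns about: the silicon is capable but the installed image is 32-bit, so AES128/AES256 will run in software until the image is replaced.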