Security considerations for Secure SD-WAN Manager deployment

The information stored in the Secure SD-WAN Manager is highly valuable to anyone conducting or planning malicious activities in your network. Someone who gains administrator rights to the Management Server can change the configurations.

An attacker can gain access by exploiting operating system weaknesses or other services running on the same computer to gain administrator rights in the operating system.

Important: Secure the Management Server computer. Anyone who has administrator rights to the operating system can potentially view and change any Secure SD-WAN Manager configurations.

Consider at least the following points to secure the Management Server and Log Server:

Prevent any unauthorized access to the servers. Restrict access to the minimum required both physically and with operating system user accounts.
We recommend allowing access only to the required ports.
Never allow Management Client connections from insecure networks.
Take all necessary steps to keep the operating system secure and up to date.
We recommend that you do not run any third-party server software on the same computer with the Secure SD-WAN Manager servers.
We recommend placing the servers in a separate, secure network segment without third-party servers and limited network access.

You can optionally use 256-bit encryption for the connection between the engines and the Management Server. You must also use an Internal ECDSA Certificate Authority to sign certificates for Secure SD-WAN Manager communication.

When you create and use a new Internal ECDSA Certificate Authority to sign certificates for system communication, the Management Server and the engine re-establish their trust relationship. After the Management Server and the engine re-establish their trust relationship, 256-bit encryption is enabled for the connection between the engines and the Management Server.