With reference to Cisco SD-WAN, what are the two types of control tunnels used to enhance network security?
Two types of control tunnels are available in Cisco SD-WAN: TLS and DTLS.
TLS provides security by encrypting all communication between the SD-WAN devices and the controller, ensuring that the information exchanged is protected from eavesdropping, tampering, or forgery. The use of TLS requires both the SD-WAN devices and the controller to have a valid digital certificate, which provides mutual authentication.
DTLS, on the other hand, is designed to provide low-latency communication for real-time applications such as voice and video. DTLS runs over UDP and encrypts all communication between the SD-WAN devices, ensuring that the information exchanged is protected from eavesdropping, tampering, or forgery.
Cisco SD-WAN supports two transport layer security protocols that vEdges use for control-plane tunnels: DTLS (Datagram Transport Layer Security), defined in RFC 6347, and TLS (Transport Layer Security), defined in RFC 5246. At a high level the two protocols are very similar and serve the same goal: providing end-to-end transport security between a router and an SD-WAN controller.
The main difference is that DTLS runs over UDP while TLS runs over TCP, so the two handle packet loss differently. TLS relies on TCP for ordered, reliable delivery. DTLS, by contrast, implements its own sequence numbers, fragment offsets, and retransmissions, because UDP guarantees neither ordering nor delivery. In the end, TLS is slightly more secure and reliable but slower, while DTLS is marginally faster and more efficient but less secure; in practice the differences are so slight that the two behave almost identically.
By default, Cisco SD-WAN uses DTLS for all control-plane communication because it is faster than TLS, and low latency matters when devices are managed remotely. However, the solution makes it easy to switch the control protocol to TLS.
By using control tunnels in Cisco SD-WAN, organizations can enhance their network security by ensuring that all communication between SD-WAN devices is secure and protected. Whether you are securing control traffic or real-time communication, Cisco SD-WAN has you covered.
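As an added illustration of the point above about sequence numbers and fragment offsets (example code, not part of the original answer), the following Python parses the record and handshake headers defined in RFC 5246 (TLS) and RFC 6347 (DTLS) and reassembles a DTLS handshake message from datagrams that arrive out of order. The payload bytes, fragment sizes and sequence numbers are constructed for the demo; DTLS sends real handshake messages this way, but the content here is not a real ClientHello.

```python
import struct

# Record headers: RFC 5246 s6.2.1 (TLS) and RFC 6347 s4.1 (DTLS). DTLS adds a
# 16-bit epoch and a 48-bit sequence number because UDP gives it no ordering.
TLS_HDR = struct.Struct("!BHH")           # type, version, length
DTLS_HDR = struct.Struct("!BHH6sH")       # type, version, epoch, seq48, length
# Handshake headers: RFC 5246 s7.4 and RFC 6347 s4.2.2. DTLS adds message_seq,
# fragment_offset and fragment_length so it can reassemble across lost datagrams.
TLS_HS_HDR = struct.Struct("!B3s")        # msg_type, length24
DTLS_HS_HDR = struct.Struct("!B3sH3s3s")  # + message_seq, frag_offset24, frag_len24

HANDSHAKE, DTLS12 = 22, 0xFEFD

def u24(b):
    return int.from_bytes(b, "big")

def parse_dtls_record(buf):
    """Return the DTLS record header fields and body. 'seq' is what the
    receiver uses for ordering and replay detection; TLS has no such field."""
    ctype, ver, epoch, seq, length = DTLS_HDR.unpack_from(buf)
    body = buf[DTLS_HDR.size:DTLS_HDR.size + length]
    return {"type": ctype, "version": ver, "epoch": epoch,
            "seq": int.from_bytes(seq, "big"), "body": body}

def build_dtls_fragment(msg_type, total, mseq, off, data, seq):
    """Constructed DTLS handshake fragment, one record per datagram."""
    hs = DTLS_HS_HDR.pack(msg_type, total.to_bytes(3, "big"), mseq,
                          off.to_bytes(3, "big"), len(data).to_bytes(3, "big")) + data
    return DTLS_HDR.pack(HANDSHAKE, DTLS12, 0, seq.to_bytes(6, "big"), len(hs)) + hs

def reassemble_dtls_handshake(records):
    """Reassemble one handshake message from fragments that may arrive out of
    order or duplicated (RFC 6347 s4.2.3). Returns None while a gap remains,
    which is when DTLS's own retransmission timer would fire."""
    msg_type = total = None
    have, covered = bytearray(), set()
    for rec in records:
        body = parse_dtls_record(rec)["body"]
        mtype, length, _mseq, off, flen = DTLS_HS_HDR.unpack_from(body)
        off, flen = u24(off), u24(flen)
        if total is None:
            msg_type, total, have = mtype, u24(length), bytearray(u24(length))
        chunk = body[DTLS_HS_HDR.size:DTLS_HS_HDR.size + flen]
        if off + flen > total or len(chunk) != flen:
            continue  # malformed or truncated fragment: drop it, never overrun
        have[off:off + flen] = chunk
        covered.update(range(off, off + flen))
    return (msg_type, bytes(have)) if total is not None and len(covered) == total else None

def demo():
    """Constructed message split across three datagrams delivered out of order,
    plus the single TLS record that would carry the same message over TCP."""
    payload = b"CONSTRUCTED-CLIENT-HELLO"  # constructed, not a real ClientHello
    frags = [build_dtls_fragment(1, len(payload), 0, off, payload[off:off + 8], seq)
             for seq, off in enumerate(range(0, len(payload), 8))]
    full = reassemble_dtls_handshake([frags[2], frags[0], frags[1]])
    partial = reassemble_dtls_handshake([frags[2], frags[0]])  # one datagram lost
    tls_rec = (TLS_HDR.pack(HANDSHAKE, 0x0303, TLS_HS_HDR.size + len(payload))
               + TLS_HS_HDR.pack(1, len(payload).to_bytes(3, "big")) + payload)
    return full, partial, len(tls_rec), len(frags[0])
```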