Internet Protocol Security (IPsec) is a suite of protocols developed by the Internet Engineering Task Force (IETF) that offer confidentiality, integrity, and authentication of data. IPsec allows secure communication between two hosts or network entities over an untrusted network. You can use IPsec to direct web traffic from your network to SIA Proxy for scanning. This method requires that you integrate your software-defined wide area network (SD-WAN) solution with SIA. With this integration in place, you can create IPsec tunnels that optimally and securely transport traffic from your branches to SIA.
To use IPsec as a full proxy method, you must also enable SIA Proxy, set up the man-in-the-middle (MITM) CA certificate, and complete the steps that are required for the full web proxy. For more information, see About SIA Proxy and Enable full web proxy.
If your organization uses SIA Client, make sure you disable the client in policies that are associated with the IPsec tunnel locations.
For a list of cipher suites that SIA supports with IPsec, see Supported cipher suites for IPsec.
This graphic illustrates how your SD-WAN solution directs traffic to SIA Proxy.
In this graphic:
An SD-WAN appliance forwards traffic from the organization’s branch. Only traffic from branches that are configured as known locations in SIA is forwarded to and accepted by SIA.
The SD-WAN Orchestrator or the portal used to manage the SD-WAN solution is where an administrator configures the primary and secondary tunnels that send and receive traffic. The secondary tunnel serves as a backup tunnel in case of failure. An SIA administrator configures specific settings in SIA to establish communication with the IPsec tunnel.
The IPsec tunnels that are created direct traffic to SIA Proxy.
SIA Proxy inspects traffic and handles it based on SIA policy. If traffic is allowed, it is directed to the origin.
To configure an IPsec tunnel in an SD-WAN solution, you need this information:
Pre-Shared Key (PSK). A PSK is a random sequence of bytes that’s used for authentication between SIA and your SD-WAN solution. The key itself is never sent over the tunnel: during IKE negotiation each side proves it knows the PSK by exchanging hash values derived from it, which confirms identity and establishes the secure channel. As part of the tunnel creation process, you provide the same PSK in SIA and in the SD-WAN solution; a mismatch on either side causes authentication to fail and the tunnel does not come up.
IKE Identifier. The Internet Key Exchange (IKE) Identifier is a unique ID for your organization. You configure this identifier in SIA and provide it in your SD-WAN solution. The IKE Identifier consists of a custom prefix that you configure and a predefined suffix that includes your SIA configuration ID.
IPsec Fully Qualified Domain Names. Depending on the SD-WAN solution, you’ll need these FQDNs or the IP addresses that are associated with these FQDNs:
These FQDNs or the IP addresses that resolve to them allow you to direct traffic from the SD-WAN to SIA Proxy.
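The exchange described above, written out as an added example to make the PSK step concrete: this is illustrative code, not SIA's or any SD-WAN vendor's implementation. It follows the pre-shared-key AUTH construction from RFC 7296 section 2.15, using HMAC-SHA256 as the PRF (the PRF actually negotiated for a tunnel depends on the cipher suite). The PSK value, nonce, SK_pi key, first-message bytes and the ID_FQDN identity are all constructed placeholders; in particular the identity string is not SIA's IKE Identifier format. The helper `generate_psk` shows one way to produce a PSK strong enough to paste into both SIA and the SD-WAN portal.

```python
"""IKEv2 pre-shared-key authentication (RFC 7296 s2.15), as an illustration.

The PSK never crosses the wire: each peer sends AUTH = prf(prf(PSK, pad), octets)
over bytes both sides already hold, so a peer with the wrong PSK fails verification.
All sample keys, nonces and messages below are constructed, not captured traffic.
"""
import base64
import hashlib
import hmac
import secrets

KEY_PAD = b"Key Pad for IKEv2"  # literal string mandated by RFC 7296 section 2.15
ID_FQDN = 2                      # IKEv2 ID type for a fully qualified domain name


def prf(key: bytes, data: bytes) -> bytes:
    # PRF_HMAC_SHA2_256; a real SA uses whatever PRF the cipher suite negotiated.
    return hmac.new(key, data, hashlib.sha256).digest()


def generate_psk(nbytes: int = 32) -> str:
    # 32 bytes from the OS CSPRNG, base64-encoded so it can be pasted into both portals.
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def id_payload(fqdn: str) -> bytes:
    # Body of an Identification payload: ID Type (1 byte), RESERVED (3 bytes), data.
    # The FQDN here is a constructed placeholder, not SIA's IKE Identifier format.
    return bytes([ID_FQDN, 0, 0, 0]) + fqdn.encode("ascii")


def signed_octets(first_message: bytes, peer_nonce: bytes,
                  sk_p: bytes, ident: bytes) -> bytes:
    # InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI,
    # where MACedIDForI = prf(SK_pi, RestOfInitIDPayload). The responder's octets
    # are built the same way from its own message, the initiator nonce and SK_pr.
    return first_message + peer_nonce + prf(sk_p, ident)


def auth_payload(psk: bytes, octets: bytes) -> bytes:
    # AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
    return prf(prf(psk, KEY_PAD), octets)


def verify_auth(psk: bytes, octets: bytes, received: bytes) -> bool:
    # Constant-time comparison against the value the peer sent.
    return hmac.compare_digest(auth_payload(psk, octets), received)


def demo() -> tuple:
    """Run the exchange once with the right PSK and once with a mistyped one."""
    psk = b"constructed-example-psk-do-not-reuse"
    sk_pi = hashlib.sha256(b"constructed SK_pi").digest()   # derived from DH in a real SA
    msg1 = b"IKE_SA_INIT request bytes (constructed)"
    nonce_r = hashlib.sha256(b"constructed responder nonce").digest()
    ident = id_payload("branch-01.example.invalid")          # placeholder identity

    octets = signed_octets(msg1, nonce_r, sk_pi, ident)
    auth_i = auth_payload(psk, octets)                       # what the branch sends

    accepted = verify_auth(psk, octets, auth_i)              # responder has same PSK
    rejected = verify_auth(b"typo-in-the-psk", octets, auth_i)  # responder PSK differs
    return accepted, rejected


if __name__ == "__main__":
    print("fresh PSK:", generate_psk())
    ok, bad = demo()
    print("matching PSK accepted:", ok, "| mismatched PSK accepted:", bad)
```

The point to take from the run is that only the AUTH value and the already-shared handshake bytes are compared; if the PSK entered in SIA and the PSK entered in the SD-WAN orchestrator differ by even one character, `verify_auth` returns False and the tunnel stays down, which is the symptom to check first when a new tunnel does not come up.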
SIA includes an activity report that lets you review the traffic that’s directed from the branch to SIA Proxy. The report identifies the branch IP address, the IP address that’s associated with SIA Proxy, the IKE Identifier that’s used for the tunnel, the overall status of the tunnel as detected by SIA, and the total inbound and outbound traffic. For more information, see IPsec tunnel activity.