Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

SD-WAN Security At-a-Glance

Networking Solution At-a-Glance

Available Languages

Download Options

  • PDF
    (200.5 KB)
    View with Adobe Reader on a variety of devices
Updated:October 20, 2020

Available Languages

Download Options

  • PDF
    (200.5 KB)
    View with Adobe Reader on a variety of devices
Updated:October 20, 2020


Right security, right place

Protect enterprises and evolve to a SASE architecture

To help with the ever-increasing adoption of multicloud environments, SD-WAN offers total transport flexibility to connect directly with the cloud using the internet. The network efficiency that comes with SD-WAN creates a better user application experience and reduces cost for organizations. Unfortunately opening to the Internet creates exposure to threats and adds security complexity.

How do you enable security with SD-WAN and protect against internal and external threats? If you plan to deploy additional security devices or services on-premises, in the cloud, or both, could you scale easily for future traffic growth? How do you reduce the complexity of deploying and managing security solutions from multiple vendors? And, most importantly, how do you evolve to a SASE architecture?.

Cisco® SD-WAN offers engineering leadership in both networking and security to include full-stack multilayer security capabilities on the platform and in the cloud. The integrated security arms IT with advanced threat defense wherever it is needed – for branches connecting to multiple SaaS or IaaS clouds, to data centers, or everything on the internet. Cisco SD-WAN with Cisco Umbrella delivers a fully cloud-enabled SASE architecture.

Built-in Full Edge Security Stack

Cisco SD-WAN offers a full security stack for protection against web attacks.

Cloud Security and SASE

Secure access to the internet and SaaS is delivered as a fully automated solution by Cisco Umbrella, and lays the building blocks for SASE.

Cloud Security and SASE

On-Premises Security

Security embedded in SD-WAN routers provide onsite capability for web security, firewall, IPS etc.

Data Center

Cisco’s open, integrated secure SD-WAN and SASE architecture

Cisco SD-WAN offers a full range of integrated security functionality that can be enabled on-premises and using the cloud security solution spanning major security categories: network segmentation, enterprise firewall, secure web gateway, and DNS-layer security. Each security category itself spans a different combination of security features. These security features are:

Network Segmentation: Secure isolation of different portions of the enterprise to protect critical assets

Enterprise Firewalls: Granular policy and control of thousands of applications

Secure Web Gateway: Full protection of all kinds of web-based attacks including SSL inspection

DNS Layer Security: Significantly reduce incidences by stopping threats at the earliest point

IPsec encryption: An underlying WAN fabric for securing on-premises WAN access and direct internet access

IPS: A built-in intrusion prevention system within an on-premises enterprise firewall based on Snort® and powered by Talos®

CASB: Protects against account compromises, breaches, and other major risks in the cloud app ecosystem

Malware protection: An extended security feature across both on-premises and cloud security using Cisco AMP and Threat Grid to prevent/detect malicious files with sandboxing

SSL/TLS decryption: A security feature with unlimited scale for either cloud security or on-premises security with sufficient resources

URL filtering: An extended security feature across both on-premises and cloud platforms with 80+ web categories covering millions of domains and billions of web pages

On-Premises Security

Key SD-WAN security use cases

Secure direct internet access

Cisco SD-WAN security delivers full protection and control against all major web attacks arising from SaaS and Internet access. The integrated security solutions provide the best balance of security and user experience for Direct Internet Access (DIA).

Secure end-to-end segmentation, at scale

In addition to extending branch segmentation into the data center and the cloud, Cisco SD-WAN protects users and devices within a specific segment from any internal and external threats. With Cisco SD-WAN you are able to manage segmentation policies across the entire network from a single pane of glass and to adapt automatically to any network’s changes.

Enforce regulatory compliance

Cisco SD-WAN addresses compliance in a holistic way by offering a comprehensive set of security controls.


Security controls

Control plane

Zero trust security model

Data plane

Integrated on-premises and cloud security layers

Management plane

Role-based access control and ACLs


Trustworthy hardware, software, and solution

Security benefits of Cisco SD-WAN

      Constant protection against all internal and external threats from branches to SaaS

      Improved user experience via secure direct internet and cloud access

      Centralized visibility and control for all internal, inbound and outbound traffic

      Reduced cost and complexity using a single product for networking, security, and cloud

Learn more

To learn more, please visit cisco.com/go/sdwan-security or contact your account representative.

Learn more