CloudOps Security FAQs
- What are the standard cloud security measures implemented to protect both Cisco and its customers within the AWS cloud environment?
You are protected by AWS network-level features, such as DDoS protection shields, which are active on all SD-WAN production fabrics. These protections reduce the risk of volumetric and application-layer attacks. AWS security groups control your access to cloud resources.
- What happens if someone tries to brute force the SD-WAN Manager infrastructure?
If someone tries to brute force SD-WAN Manager from an unauthorized IP, the cloud provider’s security monitoring systems alert the SD-WAN CloudOps team so they can act immediately. This proactive monitoring prevents unauthorized access and protects your SD-WAN Manager control components.
- How does Cisco view the risk of customers accessing SD-WAN Manager without Single Sign-On (SSO), and what mitigations exist?
While many customers globally access SD-WAN Manager without SSO, we have not observed security issues to date. We encourage you to adopt SSO, which is supported in all models except SD-WAN Cloud (formerly CDCS), to enhance security. If you do not use SSO, Cisco offers a custom VPC option that places private IP interfaces of cloud-hosted control components within your on-premises network. This allows secure access using TACACS, RADIUS, or AAA servers and avoids exposing public IP addresses.
- What security measures does Cisco use beyond AWS security groups to protect Internet-facing SD-WAN control components?
Multiple layers of security protect your data, including Web Application Firewalls (WAF) and application-level DDoS protection. Your data is protected both in transit and at rest. WAF and integrated DDoS protections safeguard the publicly accessible SD-WAN models, preventing attacks and unauthorized access.
- Is there security monitoring to detect brute force or other attacks?
Cloud providers monitor for security breaches and suspicious activities at all times to help keep your SD-WAN environment secure. If a compromise or brute force attempt is detected, SD-WAN CloudOps responds immediately, according to incident management protocols. The Security and Trust Organization (STO) regularly scans production deployments for vulnerabilities, and you can review reports on the Cisco Trust Portal. Basic DDoS protection and WAF are enabled by default for both cloud deployments and publicly accessible portals. For more information, refer to the SD-WAN Security At-a-Glance guide on the Cisco website.
- How is access controlled for Cloud and Cloud-Pro environments?
You can only access the environment if you are an authorized customer or part of the SD-WAN support team. Authenticate through Day Zero Servers, SD-WAN Validator, or SD-WAN Manager. The system enforces role-based access control and Access Control Lists (ACLs) on SD-WAN Manager and in the cloud environment to keep your access secure.
- How can customers request penetration testing (pen test) for Cisco SD-WAN cloud control components?
  - For SD-WAN fabric control components hosted in AWS, conduct your own penetration tests in accordance with the AWS penetration testing policy at https://aws.amazon.com/security/penetration-testing/
  - For Azure-hosted SD-WAN fabric control components, perform penetration testing adhering to the Microsoft rules of engagement at https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
- Can the SD-WAN CloudOps team provide security certifications or audit reports?
We provide direct access to the Cisco Trust Portal, which contains security compliance documents, industry certifications (such as SOC, ISO, FedRAMP, and PCI DSS), privacy data sheets, penetration test confirmations, and whitepapers. You can register to access content protected by a Non-Disclosure Agreement (NDA). If your questions are not covered by the Trust Portal, the Customer Information Clearinghouse (CIC) team can provide vetted responses. Engage CIC through the CIC Request Tool on Salesforce.