In my last blog post, Cisco Innovations Create a More Secure and Scalable SD-WAN Fabric, we covered the newest innovations that integrate identity awareness with Cisco Identity Services Engine (ISE) into the SD-WAN fabric; extend the network security fabric to remote home offices and workspaces; and detects advanced persistent threats through integrations with Cisco Secure Network Analytics. In this post, we will delve into new capabilities and integrations into the Cisco SD-WAN fabric that provides specific capabilities that support security operations persona.

The Cisco SD-WAN fabric, with all its existing rich security capabilities, enables the convergence of a two-box approach to secure the branch into a single-box solution. From a management perspective, Cisco vManage controller enables a seamless and converged experience for both the networking and security aspects of the SD-WAN fabric. However, the requirements from security professionals to manage the threats and risks in the enterprise are evolving as applications and the workforce become more distributed. To accommodate these changes, the Cisco SD-WAN secure fabric is being enhanced in multiple dimensions to cater to the more specific operational requirements of the SecOps persona.

An SD-WAN Dashboard Tailored for SecOps

Recent innovations in Cisco SD-WAN enable the secure fabric’s WAN functions to be managed by the networking operations team while the security functions are managed by the security operations team. In addition to a NetOps persona, a new SecOps persona is available in Cisco vManage controller. Logging into the controller, the SecOps persona is presented with a security-focused dashboard and management privileges so that the security administrator can quickly gain a comprehensive understanding of the security health of the network. From a management perspective, the SecOps persona will be able to create and associate security policies to specific sites and VPNs in the SD-WAN fabric. SecOps persona will also be able to view SD-WAN operational statistics, but will not be able to create SD-WAN-specific routing policies and configurations.

Security-Focused Visibility for Troubleshooting SD-WAN Fabrics

Logging for the purpose of visibility and troubleshooting is a critical requirement for security persona to be able to defend the far-reaching WAN fabric. The Cisco SD-WAN router generates comprehensive logs for all the security and connection events detected in the SD-WAN router. These logs can be consumed, parsed, and analyzed in real-time by Security Information and Event Management (SIEM) systems to drive timely security remediations, or stored for long-term historical reference. The security event logs are stored in Cisco Secure Analytics and can be filtered and visualized on Cisco Defense Orchestrator (CDO).

Intrusion Event Logging for SD-WAN Security Persona
Figure 1. Intrusion Event Logging for SD-WAN Security Persona

In addition, Cisco is partnering with Splunk to enable visualization and analysis of the security and connection-related logs generated from SD-WAN. The Cisco SD-WAN application ingests logs from SD-WAN routers and presents actionable security analytics on a pre-populated dashboard. Example uses cases enabled by the Splunk integration for the security operations persona are:

  • A holistic view of all the security events captured by the SD-WAN security stack.
  • Ability to examine any security event at the device level along with traffic patterns occurring when the security event was triggered.

The Cisco SD-WAN Splunk Integration consists of two components:

  • Cisco SD-WAN Add-on for Splunk – Add-ons are used for data optimization and collection processes. Cisco SD-WAN Add-on for Splunk collects a range of Cisco Logs Data and NetFlow Data and stores them in Splunk indexes.
  • Cisco SD-WAN App for Splunk – Using data from the Add-On, the Cisco SD-WAN App presents dashboards for Cisco Logs and NetFlow Data with detailed visualization, analysis, and representation.
Cisco SD-WAN App for Splunk Provides SecOps with Increased Visibility into Threats
Figure 2. Cisco SD-WAN App for Splunk Provides SecOps with Increased Visibility into Threats


Cisco SD-WAN App for Splunk Provides Detailed Threat Visibility
Figure 3. Cisco SD-WAN App for Splunk Provides Detailed Threat Visibility

SecOps Can Rely on Cisco SD-WAN Secure Fabric

There is an abundance of security features in the Cisco SD-WAN fabric now that will become invaluable to SecOps, whether they are hunting for intrusions, assigning security permissions, or detecting threats. Cisco SD-WAN is always evolving to make managing networks simpler and more secure, even as the scale of networks continues to scale and threats increase in complexity.


Additional information:

Defeating Complexity with Cisco Enterprise Networking Innovations

SD-WAN and SASE: The new landscape of networking

Evolving to SASE with Integrated Cloud Security and SD-WAN (Video)

Keep up with the latest in networking, get curated content from networking experts at the Networking Experiences Content Hub


Ram Singh

Vice President of Engineering

Catalyst Engineering