1.5 Security Requirements
| Item |
Details |
| Document Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Security Team |
| Organization |
Abhavtech.com |
| Classification |
Confidential |
1.5.1 Overview
This section documents the security requirements that must be addressed by the SD-WAN solution. These requirements encompass regulatory compliance, data protection, access control, and threat mitigation capabilities.
Security Objectives
- Maintain end-to-end encryption for all WAN traffic
- Ensure compliance with regulatory frameworks
- Enable micro-segmentation aligned with SD-Access
- Implement zero-trust security principles
- Provide comprehensive threat detection and prevention
1.5.2 Compliance Requirements
Applicable Regulatory Frameworks
| Framework |
Scope |
Requirements |
Deadline |
| PCI-DSS 4.0 |
Payment processing |
Network segmentation, encryption |
Mar 2025 |
| SOC 2 Type II |
SaaS operations |
Access controls, monitoring |
Annual |
| ISO 27001 |
Information security |
ISMS, controls |
Ongoing |
| GDPR |
EU data handling |
Data protection, privacy |
Ongoing |
| RBI Guidelines |
Indian banking |
Data localization, security |
Ongoing |
| HIPAA |
Healthcare data |
PHI protection |
Where applicable |
Compliance Mapping to SD-WAN Controls
| Compliance Area |
Requirement |
SD-WAN Control |
| Network Segmentation |
PCI-DSS 1.3 |
Service VPNs, VRF isolation |
| Encryption in Transit |
PCI-DSS 4.1 |
IPsec AES-256-GCM |
| Access Control |
SOC 2 CC6.1 |
ISE integration, RBAC |
| Audit Logging |
ISO 27001 A.12.4 |
vManage audit logs |
| Intrusion Detection |
PCI-DSS 11.4 |
UTD (Snort IPS) |
| Change Management |
SOC 2 CC8.1 |
Configuration versioning |
1.5.3 Encryption Requirements
Data-in-Transit Encryption
| Requirement |
Specification |
SD-WAN Implementation |
| Encryption Algorithm |
AES-256 minimum |
AES-256-GCM |
| Key Exchange |
IKEv2 |
IKEv2 with PFS |
| Perfect Forward Secrecy |
Required |
DH Group 19/20 (ECDH) |
| Certificate Authority |
Enterprise PKI |
Cisco PKI or Enterprise CA |
| Certificate Rotation |
Annual |
Automated via vManage |
| TLS Version |
1.2 minimum |
TLS 1.3 for control plane |
Encryption Standards by Traffic Type
ENCRYPTION REQUIREMENTS BY TRAFFIC TYPE
═══════════════════════════════════════════════════════════════
┌─────────────────────────────────────────────────────────────┐
│ CONTROL PLANE │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ vManage ↔ vSmart ↔ WAN Edge ││
│ │ Protocol: DTLS 1.2 / TLS 1.3 ││
│ │ Cipher: AES-256-GCM ││
│ │ Auth: X.509 Certificates ││
│ └─────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ DATA PLANE │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ WAN Edge ↔ WAN Edge (Overlay) ││
│ │ Protocol: IPsec ESP ││
│ │ Cipher: AES-256-GCM ││
│ │ IKE: IKEv2 with PFS (DH Group 19) ││
│ │ Integrity: SHA-384 ││
│ │ Rekey: 1 hour (data), 24 hours (IKE) ││
│ └─────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ MANAGEMENT PLANE │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ Admin ↔ vManage ││
│ │ Protocol: HTTPS (TLS 1.3) ││
│ │ Auth: SAML SSO + MFA via ISE ││
│ └─────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────┘
1.5.4 Segmentation Requirements
Network Segmentation Strategy
| Segment |
Purpose |
SD-WAN VPN |
VRF |
Isolation Level |
| Corporate |
Employee access |
VPN 10 |
CORPORATE |
Standard |
| Guest |
Visitor access |
VPN 20 |
GUEST |
Full isolation |
| IoT |
Device connectivity |
VPN 30 |
IOT |
Quarantine |
| Voice |
Unified communications |
VPN 40 |
VOICE |
QoS priority |
| PCI |
Payment processing |
VPN 50 |
PCI |
Enhanced |
SD-Access VN to SD-WAN VPN Mapping
SEGMENTATION ALIGNMENT
═══════════════════════════════════════════════════════════════
SD-ACCESS (LAN) SD-WAN (WAN)
───────────────────────────────────────────────────────────────
┌─────────────────┐ ┌─────────────────┐
│ Employee_VN │ ◄════════════► │ VPN 10 │
│ VRF: CORP │ VRF-Lite │ VRF: CORPORATE │
│ VNI: 50001 │ BGP/OSPF │ │
└─────────────────┘ └─────────────────┘
┌─────────────────┐ ┌─────────────────┐
│ Guest_VN │ ◄════════════► │ VPN 20 │
│ VRF: GUEST │ VRF-Lite │ VRF: GUEST │
│ VNI: 50002 │ BGP/OSPF │ │
└─────────────────┘ └─────────────────┘
┌─────────────────┐ ┌─────────────────┐
│ IoT_VN │ ◄════════════► │ VPN 30 │
│ VRF: IOT │ VRF-Lite │ VRF: IOT │
│ VNI: 50003 │ BGP/OSPF │ │
└─────────────────┘ └─────────────────┘
┌─────────────────┐ ┌─────────────────┐
│ Voice_VN │ ◄════════════► │ VPN 40 │
│ VRF: VOICE │ VRF-Lite │ VRF: VOICE │
│ VNI: 50004 │ BGP/OSPF │ │
└─────────────────┘ └─────────────────┘
┌─────────────────┐ ┌─────────────────┐
│ PCI_VN │ ◄════════════► │ VPN 50 │
│ VRF: PCI │ VRF-Lite │ VRF: PCI │
│ VNI: 50005 │ BGP/OSPF │ │
└─────────────────┘ └─────────────────┘
═══════════════════════════════════════════════════════════════
Inter-Segment Traffic Control
| Source Segment |
Destination Segment |
Allowed |
Control |
| Corporate |
Corporate |
Yes |
Default allow |
| Corporate |
Guest |
No |
Blocked |
| Corporate |
Voice |
Yes |
SIP/RTP only |
| Corporate |
PCI |
Limited |
Firewall inspection |
| Guest |
Any Internal |
No |
Full isolation |
| IoT |
Corporate |
Limited |
Specific services only |
| Voice |
Corporate |
Yes |
Signaling only |
| PCI |
Corporate |
Limited |
Reporting only |
1.5.5 TrustSec/SGT Requirements
SGT Propagation Requirements
| Requirement |
Description |
Implementation |
| SGT Inline Tagging |
Preserve SGT across WAN |
CTS manual on WAN Edge |
| End-to-End Policy |
Consistent policy LAN to WAN |
ISE + vManage sync |
| SGT-Based Routing |
Route by security group |
Data policies with SGT match |
| Cross-Domain |
SD-Access to SD-WAN |
Inline tagging at handoff |
Security Group Tag Inventory
| SGT Value |
SGT Name |
Description |
Policy |
| 10 |
Employees |
Standard employees |
Standard access |
| 11 |
Executives |
Executive staff |
Enhanced access |
| 12 |
Finance |
Finance department |
PCI access |
| 20 |
Contractors |
External contractors |
Limited access |
| 30 |
IT_Admin |
IT administrators |
Full access |
| 100 |
Guests |
Guest users |
Internet only |
| 200 |
IoT_Cameras |
Security cameras |
Restricted |
| 201 |
IoT_HVAC |
Building automation |
Restricted |
| 300 |
Voice_Phones |
IP phones |
Voice VLAN |
| 400 |
PCI_Servers |
Payment servers |
PCI zone |
SGT Propagation Architecture
END-TO-END SGT PROPAGATION
═══════════════════════════════════════════════════════════════
┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
│ Endpoint │───►│ SD-Access │───►│ SD-WAN │───►│ Remote │
│ SGT: 10 │ │ Fabric │ │ WAN Edge │ │ Site │
└────────────┘ └────────────┘ └────────────┘ └────────────┘
│ │ │ │
│ 802.1X/MAB │ VXLAN-GPO │ CTS Inline │
│ ISE assigns │ SGT in header │ SGT in ESP │
│ SGT:10 │ SGT:10 │ SGT:10 │
│ │ │ │
▼ ▼ ▼ ▼
┌─────────────────────────────────────────────────────────────┐
│ CONSISTENT POLICY ENFORCEMENT │
│ │
│ ISE Policy: SGT:10 (Employees) can access: │
│ - Corporate applications (SGT:400) │
│ - Voice services (SGT:300) │
│ - Internet via DIA │
│ │
│ Denied: │
│ - PCI servers without explicit need │
│ - IoT management networks │
└─────────────────────────────────────────────────────────────┘
1.5.6 Threat Protection Requirements
Required Security Features
| Feature |
Requirement |
SD-WAN Capability |
| Firewall |
Zone-based + App-aware |
Enterprise Firewall |
| IPS/IDS |
Signature + anomaly detection |
UTD (Snort 3.0) |
| URL Filtering |
Category-based blocking |
Umbrella/URL Filter |
| Malware Protection |
AMP integration |
Advanced Malware Protection |
| DNS Security |
DNS-layer protection |
Umbrella DNS |
| DDoS Protection |
Volumetric attack mitigation |
Rate limiting, ACLs |
Security Service Locations
| Security Service |
Hub Sites |
Branch Sites |
Cloud |
| Enterprise Firewall |
✅ |
✅ |
N/A |
| IPS (UTD) |
✅ |
✅ (major) |
N/A |
| URL Filtering |
✅ |
✅ |
✅ (Umbrella) |
| Advanced Malware |
✅ |
Via cloud |
✅ |
| DNS Security |
✅ |
✅ |
✅ (Umbrella) |
| CASB |
Via cloud |
Via cloud |
✅ |
1.5.7 Access Control Requirements
Administrative Access
| Role |
Access Level |
Authentication |
Authorization |
| Network Admin |
Full |
SAML + MFA |
vManage Admin |
| Security Admin |
Security configs |
SAML + MFA |
Security Role |
| NOC Operator |
Read + limited ops |
SAML + MFA |
Operator Role |
| Auditor |
Read only |
SAML + MFA |
Read Only |
| API Service |
Programmatic |
Certificate + Token |
API Role |
Authentication Requirements
| Requirement |
Specification |
| Primary Auth |
SAML 2.0 via ISE/Okta |
| MFA |
Required for all admin access |
| Session Timeout |
30 minutes idle |
| Password Policy |
14+ chars, complexity, 90-day rotation |
| Service Accounts |
Certificate-based, no interactive login |
| API Authentication |
OAuth 2.0 tokens, 1-hour expiry |
1.5.8 Audit and Logging Requirements
Required Logging
| Log Type |
Retention |
Destination |
Alert Threshold |
| Authentication |
1 year |
Splunk/SIEM |
Failed: 3 in 5 min |
| Configuration Changes |
2 years |
Splunk/SIEM |
All changes |
| Security Events |
1 year |
Splunk/SIEM |
Critical: immediate |
| Traffic Logs |
90 days |
Local + SIEM |
Anomalies |
| Performance Logs |
90 days |
vAnalytics |
SLA breaches |
Audit Trail Requirements
AUDIT LOGGING ARCHITECTURE
═══════════════════════════════════════════════════════════════
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ vManage │───►│ Syslog │───►│ Splunk │
│ Audit Log │ │ Server │ │ SIEM │
└─────────────┘ └─────────────┘ └──────┬──────┘
│
┌─────────────┐ ┌─────────────┐ │
│ WAN Edge │───►│ Syslog │───────────┤
│ Security │ │ Server │ │
└─────────────┘ └─────────────┘ │
│
┌─────────────┐ │
│ ISE │──────────────────────────────┤
│ Auth Logs │ │
└─────────────┘ │
▼
┌─────────────┐
│ Security │
│ Dashboard │
└─────────────┘
1.5.9 Security Requirements Summary
Critical Security Requirements
| Priority |
Requirement |
SD-WAN Control |
Status |
| P1 |
End-to-end encryption |
IPsec AES-256-GCM |
Required |
| P1 |
Network segmentation |
Service VPNs |
Required |
| P1 |
SGT propagation |
CTS inline tagging |
Required |
| P1 |
MFA for admin access |
ISE/SAML integration |
Required |
| P2 |
IPS/IDS |
UTD Snort |
Required |
| P2 |
URL filtering |
Umbrella/Local |
Required |
| P2 |
Comprehensive logging |
Syslog to SIEM |
Required |
| P3 |
Advanced malware |
AMP integration |
Recommended |
| P3 |
CASB |
Cloud integration |
Recommended |
Compliance Readiness Checklist
| Framework |
Requirements Met |
Gap |
Remediation |
| PCI-DSS 4.0 |
85% |
IPS deployment |
Enable UTD at all sites |
| SOC 2 |
90% |
Audit retention |
Extend to 2 years |
| ISO 27001 |
92% |
None critical |
Minor documentation |
| GDPR |
88% |
Data localization |
Configure geo-routing |
References
| Document |
Description |
| Cisco SD-WAN Security Design Guide |
Security architecture |
| PCI-DSS 4.0 Requirements |
Payment card security |
| ISO 27001:2022 |
Information security standard |
| Abhavtech Security Policy |
Corporate security policy |
Document Version: 1.0
Last Updated: December 2025
Classification: Confidential
Abhavtech.com - SD-WAN Documentation