
Cisco bolsters security, AI support in latest SD-WAN release

Credit: Network World

Cisco has bolstered the security and AI control features in its latest release of SD-WAN software.

The company rolled out Cisco SD-WAN 26.1.1 with a number of new features that, for example, let enterprise customers define security policies once and apply them consistently across the network, gain end-to-end visibility, and pivot from a traditional WAN to a high-performance, AI-ready fabric—all without requiring a major architecture refresh, according to a blog about the update from Sunakshi Tickoo, Cisco product marketing manager for Enterprise Networks & Cloud.

The security enhancements stem from Cisco’s Resilient Infrastructure plan announced last November that detailed how the company would strengthen network security by increasing default protections, removing insecure legacy features, and introducing new capabilities that reduce the attack surface and enable better threat detection and response in a number of core product portfolios. In this case, the SD-WAN program can address vulnerabilities in CLI and UI configurations to help protect the control plane from unauthorized access and privilege escalation, Tickoo wrote.

“With these enhanced security advisory capabilities, you get a single, centralized view through the Insecure Configurations dashboard to identify insecure or outdated configurations across your SD-WAN fabric, assess the trust posture of devices in real time, and take guided actions to remediate vulnerabilities,” Tickoo wrote. 

In the release notes for the SD-WAN software Cisco said such insecure or outdated commands are categorized as:

  • Line transport: Updates to secure remote access methods.
  • Device server configuration: Hardening of server-side settings.
  • File transfer protocols: Transitioning to encrypted transfer methods.
  • SNMP: Enhancements to secure management traffic.
  • Passwords: Strengthening authentication and credential management.

For all detected insecure configurations during device boot or upgrade, error messages are displayed, according to Cisco. “In the corresponding Cisco IOS XE 26.1.1 release, all insecure CLI commands are blocked by default to strengthen your network infrastructure. If your environment requires the use of a legacy command, you must enable the system mode insecure command in global configuration mode,” Cisco stated.
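As an added illustration (not Cisco's code and not its advisory rule set), the script below audits a constructed IOS XE-style running-config against the five categories listed above and reports whether the "system mode insecure" override is present. The regex patterns are this example's own assumptions about representative legacy commands in each category.

```python
import re
from typing import List, Tuple

# Constructed sample running-config (not captured from any real device); it
# mixes secure and legacy settings so every category below is exercised.
SAMPLE_CONFIG = """\
hostname branch-rtr
system mode insecure
enable password cisco123
username admin privilege 15 password 0 letmein
ip ftp username backup
snmp-server community public RO
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Category -> (regex, reason). The patterns are this example's own assumptions
# about what counts as insecure in each category, not Cisco's advisory rules.
CHECKS = {
    "Line transport": [
        (r"^\s*transport input .*\btelnet\b", "telnet permitted on a line")],
    "Device server configuration": [
        (r"^ip http server$", "cleartext HTTP management server enabled")],
    "File transfer protocols": [
        (r"^ip ftp ", "FTP (cleartext) file transfer configured")],
    "SNMP": [
        (r"^snmp-server community ", "SNMPv1/v2c community string in use")],
    "Passwords": [
        (r"^enable password ", "'enable password' used instead of 'enable secret'"),
        (r"^username \S+ .*\bpassword 0 ", "type 0 (plaintext) user password")],
}

def audit_config(config_text: str) -> List[Tuple[str, int, str, str]]:
    """Return (category, line_no, line, reason) for each insecure line found."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for category, rules in CHECKS.items():
            for pattern, reason in rules:
                if re.search(pattern, line):
                    findings.append((category, line_no, line.strip(), reason))
    return findings

def legacy_override_enabled(config_text: str) -> bool:
    """True if the global 'system mode insecure' override is present."""
    return any(l.strip() == "system mode insecure" for l in config_text.splitlines())
```

Running audit_config(SAMPLE_CONFIG) flags six lines spanning all five categories, while the two "secure-server" and "transport input ssh" lines pass; a config that still needs the override is one where the findings list is non-empty.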

“Simply put, we are making it incredibly obvious when our customers are configuring insecure features that introduce new and unnecessary risks into their networks,” wrote Anthony Grieco, senior vice president and chief security and trust officer at Cisco, in a blog post when the initiative was introduced. “Initially, customers will receive increased security warnings that recommend discontinuing the use of any insecure features. In subsequent releases, features will be disabled by default or require additional steps to allow for configuration. Eventually, insecure options will be removed entirely.” 

Another new feature in the SD-WAN software portfolio is the ability for Meraki SD-WAN sites to define firewall policies once at the organization level and apply them everywhere, instead of configuring each site individually, according to Cisco.

“Managing firewall policies one network at a time does not scale for distributed organizations. With org-wide group policies, teams can define reusable policies once and enforce them consistently across the organization,” Tickoo wrote. “This enables a more centralized and flexible approach to policy management, reducing operational overhead while ensuring consistency across environments.”

The software also supports improved Transport Layer Security decryption capabilities. “With the majority of internet traffic now encrypted, TLS decryption plays a critical role in threat detection. At the same time, inspection must not come at the cost of performance and platforms such as the Catalyst 8375-G2—Cisco’s large enterprise branch SD-WAN router—deliver up to 1.6 Gbps throughput on 100% HTTPS traffic, enabling teams to achieve strong security outcomes without introducing performance bottlenecks,” Tickoo wrote.

As more enterprise customers deploy AI applications, Cisco said it was enhancing the Catalyst SD-WAN software to better help customers support and manage AI traffic. With the enhancements, customers can automatically identify and classify AI-based application traffic across cloud, edge, and hybrid environments, according to Cisco. With that visibility, organizations can apply intent, differentiating between business-critical AI workloads and non-critical usage, and then apply policies that optimize performance and enforce governance, Tickoo wrote.

“Security is built in, with Zero Trust enforcement applied directly to AI traffic and the ability to redirect traffic to Cisco Secure Access for deeper inspection when needed,” Tickoo wrote. “The outcome is a WAN that not only carries AI traffic but continuously optimizes and secures it as usage grows.”

Cisco also enhanced the natural language AI Assistant in the SD-WAN software to better handle troubleshooting issues, monitor network performance, search documentation, and manage Technical Assistance Center (TAC) trouble ticket cases from a single tool.

The idea is to better integrate the AI Assistant to handle operational troubleshooting and support case management, Cisco stated.
