SD-WAN with local internet breakout moves the security perimeter from the data centre to every branch. Each site with direct internet access needs its own threat prevention stack. BT SD-WAN addresses this through integrated NGFW capabilities on the Fortinet and Meraki appliances, with optional SASE and zero trust extensions for organisations adopting cloud-delivered security. This page maps out the full security architecture available through BT SD-WAN and shows which components are included at each licence tier.
Security Architecture: Centralised vs Distributed
| Model | Where Security Is Enforced | Suited To | Limitation |
|---|---|---|---|
| MPLS + centralised firewall | Hub site or data centre only | Legacy environments where all traffic routes through the hub | All internet traffic backhauled. No protection if the hub is bypassed. |
| SD-WAN + branch NGFW | On the SD-WAN appliance at each branch | Organisations wanting security in one box at every site | Appliance throughput limits security inspection speed. |
| SD-WAN + cloud security (SASE) | Cloud points of presence (FortiSASE, Cisco Umbrella) | Distributed workforce, BYOD, remote users | Requires internet connectivity to reach cloud security. Adds some latency. |
| SD-WAN + branch NGFW + SASE | Both: branch appliance and cloud | Full zero trust architecture | Highest cost. Requires Advanced/Plus licence tiers. |
Fortinet Security Stack
| Security Function | Standard Tier | Advanced Tier | Technology |
|---|---|---|---|
| Stateful firewall | Yes | Yes | FortiOS firewall engine |
| Intrusion Prevention (IPS) | No | Yes | FortiGuard IPS signatures (updated hourly) |
| Antivirus / antimalware | No | Yes | FortiGuard AV with AI/ML detection |
| Web filtering | No | Yes | URL and category-based filtering (77 categories) |
| DNS filtering | No | Yes | Blocks malicious domains at DNS level |
| SSL/TLS inspection | No | Yes | Decrypts and inspects encrypted traffic |
| Sandboxing | No | Yes | FortiSandbox Cloud (zero-day detection) |
| ZTNA (Zero Trust Network Access) | No | Yes | FortiSASE ZTNA agent-based and agentless |
| CASB | No | Yes | Cloud Access Security Broker for SaaS visibility |
| SWG (Secure Web Gateway) | No | Yes | Cloud-delivered web security via FortiSASE |
Meraki Security Stack
| Security Function | Enterprise | Advanced Security | SD-WAN Plus |
|---|---|---|---|
| Stateful firewall | Yes | Yes | Yes |
| Content filtering | Yes | Yes | Yes |
| L7 firewall (application control) | No | Yes | Yes |
| IPS (Snort-based) | No | Yes | Yes |
| AMP (Advanced Malware Protection) | No | Yes | Yes |
| Cisco Umbrella (DNS security) | No | No | Yes |
| Secure Connect (SASE/ZTNA) | No | No | Yes |
| CASB | No | No | Yes |
What Is SASE and How Does It Fit?
Secure Access Service Edge (SASE) combines SD-WAN with cloud-delivered security. Instead of running all security functions on the branch appliance, SASE routes traffic through cloud security points of presence that provide SWG, CASB, ZTNA and FWaaS.
- Fortinet SASE is delivered through FortiSASE cloud PoPs and is included in the Advanced licence tier. Branch FortiGate appliances tunnel traffic to the nearest FortiSASE PoP for inspection.
- Cisco SASE is delivered through Cisco Umbrella and Secure Connect and is included in the Meraki Secure SD-WAN Plus licence tier. DNS-layer security and SWG are applied in the cloud.
Zero Trust with BT SD-WAN
Zero trust assumes no user or device is trusted by default. Access is granted per-session based on identity, device posture and context. BT SD-WAN supports zero trust through:
| Zero Trust Component | Fortinet (Advanced) | Meraki (SD-WAN Plus) |
|---|---|---|
| User identity verification | FortiAuthenticator / SAML/RADIUS integration | Cisco ISE / SAML integration |
| Device posture checking | FortiClient EMS agent | Cisco Secure Client |
| Per-application access control | ZTNA access proxy on FortiGate | Cisco Secure Connect ZTNA |
| Micro-segmentation | VDOM and policy-based segmentation | Group policy and VLAN segmentation |
| Continuous monitoring | FortiAnalyzer + FortiSIEM | Meraki Dashboard + Cisco SecureX |
Choosing the Right Security Level
- Standard/Enterprise tier is sufficient if you already run a separate cloud security stack (Zscaler, Cloudflare, Palo Alto Prisma Access) and only need the SD-WAN appliance for routing and basic firewall.
- Advanced/Advanced Security tier is the right choice when the SD-WAN appliance is the primary and only security device at the branch. This covers NGFW, IPS, antivirus/AMP and web filtering in one appliance.
- Advanced + FortiSASE / SD-WAN Plus is required for organisations adopting a full SASE architecture with ZTNA, CASB and cloud-delivered SWG. Also required if you need to secure remote and mobile users through the same platform.
Threat Landscape: Why Branch Security Matters
With local internet breakout, every branch becomes an attack surface. The threats that were previously filtered at the centralised data centre firewall now need to be caught at each site.
| Threat Type | Attack Vector | SD-WAN Defence |
|---|---|---|
| Malware / ransomware | Malicious downloads via web or email | Antivirus, sandboxing (Fortinet Advanced) / AMP (Meraki Advanced Security) |
| Phishing / credential theft | Fake websites and DNS hijacking | Web filtering, DNS filtering, SSL inspection |
| Exploitation of vulnerabilities | Network-based attacks targeting unpatched services | IPS with hourly signature updates (FortiGuard / Snort) |
| Data exfiltration | Unauthorised data transfer to external services | CASB, application control, DLP integration |
| Lateral movement | Attacker moves between network segments after initial breach | Micro-segmentation, VDOM/VLAN isolation, ZTNA per-app access |
Regulatory and Compliance Considerations
- PCI DSS — Requires network segmentation, firewall at network boundaries, IPS and logging. Fortinet Advanced and Meraki Advanced Security both meet these requirements when properly configured.
- Cyber Essentials / Cyber Essentials Plus — Requires boundary firewalls, secure configuration and access control. SD-WAN with NGFW satisfies the boundary firewall requirement at each branch.
- GDPR — Requires appropriate technical measures to protect personal data. Encrypted overlay tunnels, access control and audit logging support GDPR compliance.
- ISO 27001 — Centralised policy management, consistent security controls across all sites and comprehensive audit trails align with ISO 27001 control objectives.
