Securing the New WAN Edge: SD-WAN and SD-Branch

Digital innovation is redefining networks to improve customer and worker experience, accelerate the development and delivery of critical applications, and gather and process data to more effectively meet modern customer demands. New cloud infrastructures and SaaS solutions, IoT devices, and highly mobile workers are all the result of this transformation.

Completing this picture requires extending these applications and services to branch offices, remote retail locations, and distributed classrooms and campuses. Traditionally rigid WAN connections, such as MPLS, need to be replaced with solutions that enable flexible access to applications and workflows, the rapid dissemination and processing of data, and instant collaboration with peers and partners.

The first step to addressing this for many organizations has been to adopt SD-WAN to provide remote users with critical business applications (such as unified communications), better enable interconnectivity between remote locations, and extend a fully integrated security solution right to the edge of the branch network.

The next step is to extend that security, as well as its visibility and control, deep into the branch. Today’s next-gen branch offices and digitally enhanced retail locations not only require the same functionality as the core network, but their local LANs also suffer from the same digital risks as the rest of the distributed network. Direct access to the internet and SaaS applications, along with the growing proliferation of IoT and BYOD devices being deployed at remote locations, has significantly expanded the potential attack surface of the branch environment.

The need to adequately protect these systems while maintaining critical business applications and processes is overwhelming the resources of both IT and security teams. Extending the security functionality of a Secure SD-WAN solution into the branch network begins to address this challenge.

The New SD-Branch

SD-Branch is the natural extension of the Secure SD-WAN solution. It enables organizations to combine their local switch and wireless network management with Network Access Control to manage and secure all devices, while seamlessly extending critical security functionality into the branch to provide essential data and application inspection and protection.

For an SD-Branch solution to be effective, however, it needs to combine low- to no-touch deployment with centralized policy management to address the lack of IT staff on-site. Its security must also be fully integrated into the larger security strategy – whether at the core network, in the cloud, or at other remote locations – in order to provide seamless visibility and control across the entire distributed network.

To achieve this, an SD-WAN solution must include the following elements:

  • A Branch-Optimized Next-Generation Firewall. Not just any NGFW solution will solve today’s WAN-edge challenge. It needs to be optimized for a branch environment to not only provide robust security, but also support connectivity and network management across the branch environment. By combining ultra-high security performance (for tasks such as inspecting encrypted traffic at network speed) with advanced network and application awareness to manage and secure network access, organizations can achieve device visibility and traffic anomaly detection without the need for additional hardware or management consoles.
  • Built-in Switch and Wireless AP Functionality. Networking services also need to be integrated into the NGFW in order to converge deeply inter-related functions such as security inspection and network access. This integrated approach reduces management and policy orchestration overhead, allows security policies to automatically adapt to constantly shifting network and connectivity demands, and enables network administrators to create and enforce consistent network and security policies across the enterprise, from core to cloud and branch, without needing separate controls.
  • Network Access Control. NAC provides visibility into the branch infrastructure by providing automatic discovery, classification, and security for all devices seeking access to the branch LAN, including IoT and BYOD. It then needs to interoperate with the NGFW’s networking and security functions to provide essential device security through continuous monitoring, dynamic micro-segmentation, and automated response to detected threats.
As services expand from the cloud to the branch, these additional network entry points amplify the potential attack surface, making security an even greater concern.

An effective Secure SD-WAN solution needs to combine simplicity, visibility, and security to improve WAN connectivity for branch users. That service then needs to be seamlessly extended deep into the local LAN through the addition of an SD-Branch solution. Its deep integration of networking and security services simplifies and expands enterprise branch functionality by enabling enhanced management and visibility, monitoring branch access and networking functions, securing IoT and end-user devices, and enabling the dynamic flexibility today’s branch users require.

Author's Bio

Nirav Shah

Senior Director Products and Solutions, Fortinet