Best Practices for Branch Office Edge Security

eWEEK RESOURCE PAGE: Advances in SD-WAN security are all well and good, but here’s the catch: SD-WAN solutions don’t address the changes that the branch office itself is undergoing. A new perspective is needed.


At last it is the enterprise branch’s turn to experience digital transformation in earnest. Organizations want faster cloud adoption and an expansion of their WAN edge operations. SD-WAN (software-defined wide-area networking) has helped in these endeavors, and secure SD-WAN has gone even further with enterprise-class security that is fully integrated.

These advances are all well and good, but here’s the catch: SD-WAN solutions don’t address the changes that the branch itself is undergoing. The ramped-up adoption of internet of things (IoT) devices and the growth of connected end-user devices, for example, have overwhelmed the local branch network. What’s more, this transformation has expanded the potential attack surface, bringing security to the fore. No organization wants a branch office to be the weak link in their security strategy.


However, many organizations are shooting themselves in the foot by assuming they can address branch security with the same approach used at their core network. Branch offices have quickly been overwhelmed with point security products, isolated management systems and complex integrated services routers, coupled with little to no local IT staff. Consequently, branch network security often suffers from lack of visibility, complex management challenges and too many solutions being used to secure WAN and access edges beyond the SD-WAN connection.

To address this mounting challenge, organizations are beginning to turn to SD-branch architecture: one automated and centrally managed software-centric platform. In this eWEEK Data Points article, security provider Fortinet offers a list of essential elements of SD-branch security deployments.

Data Point No. 1: Network Edge Protection

For secure SD-branch deployments, a next-generation firewall (NGFW) is a perfect fundamental component. An NGFW needs to be able to extend security from the SD-WAN connection to wired and wireless access controllers. This ensures that all inbound and outbound traffic, including direct internet and cloud links generated by individual devices, is inspected and secured at digital speeds—even when encrypted.

An NGFW designed for branch deployments should also offer consolidated security and network access controls. And like all other SD-branch components, it needs to also support zero-touch provisioning so it can be quickly installed and be fully operational in a matter of minutes.

Data Point No. 2: Access Protection

To protect the SD-branch network edge, access points must not only be secure, but be able to extend next-gen firewall capabilities to the WLAN edge so it receives the same level of protection as the WAN edge. WiFi APs need to provide adequate capacity and throughput to keep up with expanding bandwidth needs, while switches need to support higher speeds while also offering higher power (PoE) to run even the most power-hungry IoT devices.

Data Point No. 3: Device Edge Protection

Per-device security is another must-have for an SD-branch solution. The proliferation of IoT devices at the branch represents a significant threat to organizations and must be properly identified and segmented. A network access control (NAC) solution should provide automatic discovery, classification and security for IoT devices as they enter the network, including intent-based segmentation. But its work is not yet done.

Data Point No. 4: Device Monitoring

Because they often work alongside the NGFW, NAC solutions should also constantly monitor these devices for anomalous behavior via traffic scanning. This allows the security solution to identify potentially compromised devices and respond by dynamically segmenting them for quarantine and remediation.
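As an added example of the discovery, classification, segmentation and monitoring steps described in Data Points 3 and 4 (this is illustrative code, not Fortinet's or eWEEK's), the following Python module admits devices by a hypothetical OUI-to-class table, places each class in its own VLAN, and moves a device to a quarantine VLAN the first time its traffic departs from a per-class baseline. The OUI table, VLAN numbers, baselines and flow records are all constructed for the example; a real NAC product would draw on a device-fingerprint database and live switch telemetry instead.

```python
"""Added example (not Fortinet's or eWEEK's code): a toy NAC-style device
classifier with intent-based segmentation and anomaly-driven quarantine.
All device records, flow records and policy values below are constructed."""
from dataclasses import dataclass, field

# Hypothetical OUI-to-class mapping (constructed; real NAC uses fingerprint DBs)
OUI_CLASSES = {
    "00:1A:22": "ip-camera",
    "B8:27:EB": "sensor",
    "3C:5A:B4": "laptop",
}

# Intent-based segmentation: each device class lands in its own VLAN (constructed)
CLASS_VLAN = {"ip-camera": 110, "sensor": 120, "laptop": 10, "unknown": 999}
QUARANTINE_VLAN = 666

# Behavioural baseline per class: which destination ports are expected, and how
# many distinct peers a device may talk to before it counts as anomalous.
# An unknown device gets an empty baseline, so its first flow quarantines it
# (default-deny for anything the classifier cannot place).
BASELINE = {
    "ip-camera": {"ports": {554, 443}, "max_peers": 3},
    "sensor": {"ports": {8883}, "max_peers": 2},
    "laptop": {"ports": {80, 443, 22, 53}, "max_peers": 200},
    "unknown": {"ports": set(), "max_peers": 0},
}


@dataclass
class Device:
    mac: str
    device_class: str
    vlan: int
    peers: set = field(default_factory=set)
    quarantined: bool = False
    reasons: list = field(default_factory=list)


def classify(mac: str) -> str:
    """Discovery/classification step: map the MAC's OUI to a device class."""
    return OUI_CLASSES.get(mac.upper()[:8], "unknown")


def admit(mac: str) -> Device:
    """Device enters the network: classify it and place it in its intent VLAN."""
    cls = classify(mac)
    return Device(mac=mac, device_class=cls, vlan=CLASS_VLAN[cls])


def observe(dev: Device, dst_ip: str, dst_port: int) -> Device:
    """Monitoring step: check one flow against the class baseline and move the
    device to the quarantine VLAN on the first deviation."""
    base = BASELINE[dev.device_class]
    dev.peers.add(dst_ip)
    if dst_port not in base["ports"]:
        dev.reasons.append(f"unexpected port {dst_port}")
    if len(dev.peers) > base["max_peers"]:
        dev.reasons.append(f"{len(dev.peers)} peers exceeds {base['max_peers']}")
    if dev.reasons and not dev.quarantined:
        dev.quarantined = True
        dev.vlan = QUARANTINE_VLAN
    return dev


def run(flows):
    """Process flow records (mac, dst_ip, dst_port) in order and return the
    resulting device table keyed by MAC."""
    devices = {}
    for mac, dst_ip, dst_port in flows:
        if mac not in devices:
            devices[mac] = admit(mac)
        observe(devices[mac], dst_ip, dst_port)
    return devices


# Constructed sample traffic: the camera behaves, then starts probing SSH.
SAMPLE_FLOWS = [
    ("00:1a:22:aa:bb:01", "10.0.5.10", 554),      # camera -> NVR, expected
    ("3c:5a:b4:00:00:02", "93.184.216.34", 443),  # laptop, expected
    ("00:1a:22:aa:bb:01", "10.0.5.11", 22),       # camera -> SSH, unexpected
    ("00:1a:22:aa:bb:01", "10.0.5.12", 22),
    ("00:1a:22:aa:bb:01", "10.0.5.13", 22),       # fourth peer exceeds baseline
    ("de:ad:be:ef:00:01", "10.0.5.20", 80),       # unknown OUI, default-deny
]

if __name__ == "__main__":
    for mac, dev in run(SAMPLE_FLOWS).items():
        state = "QUARANTINED" if dev.quarantined else "ok"
        print(f"{mac} class={dev.device_class} vlan={dev.vlan} {state} {dev.reasons}")
```

The point of the toy is the control loop, not the thresholds: classification decides the initial segment, and the per-class baseline turns a deviation into an automatic segment change that the NGFW can then enforce. In production the quarantine VLAN should still reach a remediation portal and logging, so the device can be diagnosed rather than simply cut off.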

Data Point No. 5: Zero-Touch Provisioning

Zero-touch deployment is a foundational requirement of an SD-branch solution, allowing new branch environments to be rolled out quickly, even without IT staff on site. Likewise, integrated management via a single-pane-of-glass console simplifies enterprise branch deployments by centralizing and automating configuration updates, patching, remote management and analysis, policy updates and more.
