Extending secure SD-WAN to secure SD-Branch: The convergence of WAN and LAN at the edge

By Satish Madiraju | Apr 23, 2020 | 7:30 am CDT

Digital transformation has changed networks so rapidly that traditional security tools can no longer provide the consistent security that networks require. As the SD-WAN market matured, it became evident that a security-driven networking approach to SD-WAN is needed to achieve successful business outcomes. The rise of SD-WAN has also given birth to new terms like SD-Branch. But what is a software-defined branch, and why are enterprises with large numbers of branch locations more likely to adopt SD-WAN? Here we look at the Nemertes Research studies behind SD-Branch to help you understand its benefits and how it addresses security challenges at the network edge.

What is SD-Branch?

SD-Branch is an SD-WAN-based strategy that allows enterprises to minimize IT infrastructure and automate operations at branch offices, helping to reduce costs while also improving application performance. SD-Branch replaces the standard IT branch office hardware stack with software, using SD-WAN as a single platform to address all branch network needs. In short, it allows organizations to consolidate the entire branch by converging their security and network access.

What benefits does SD-Branch provide?

In addition to minimizing the need for on-site IT personnel, SD-Branch helps:

  • Manage branch routers, WiFi controllers and switches remotely
  • Implement/replace branch firewalls to secure public connectivity and internet breakouts
  • Operationalize WAN expenses, turning hardware into software and services
  • Reduce the cost of branch connectivity, leveraging SD-WAN for the cost advantages of public access methodologies (broadband, direct Internet access)
  • Improve network uptime and application performance, using SD-WAN’s abilities to connect directly to the Internet and better utilize bandwidth
  • Quickly connect new sites, leveraging SD-WAN for rapid implementation using wireless connectivity (4G, 5G)

Who uses SD-Branch and why?

According to Nemertes, companies of all sizes use SD-Branch either at some or at all locations for the following purposes:

  • Branch firewall (86.7%)
  • WiFi controller (73.3%)
  • Router (66.7%)
  • WAN optimization (60%)

Research also shows that enterprises with a lot of branches (more than 250) are far more likely to be deploying SD-WAN and SD-Branch strategies. In fact, 87.5% of large enterprises are already adopting it; furthermore, analysts expect enterprise adoption to rise above 90% by the end of 2020.

How does SD-Branch address security?

One of the biggest security challenges in deploying SD-Branch solutions is that direct access to the internet and SaaS applications increases the attack surface. When the firewalls sit back at the corporate data center, branch sites whose traffic breaks out locally bypass that inspection and can be left vulnerable. But there’s help. Security-driven SD-WAN solutions embed next-generation firewalls and encryption at the branch edge, so protections are enforced where the traffic actually leaves the network. These consolidated services converge end-to-end security coverage with network access services, making an ideal architecture for SD-Branch deployments.

The security-driven approach to SD-Branch: Fortinet and Masergy

Masergy and Fortinet have partnered together to provide security-driven SD-Branch solutions for global enterprises. SD-Branch solutions pair Fortinet’s edge devices and security features with fully managed SD-WAN services from Masergy.

SD-WAN with built-in security including next-gen firewalls and advanced routing

  • Fortinet Secure SD-WAN with built-in Next-Generation Firewall (NGFW) capabilities offers robust security, connectivity, and management across the branch environment. Fortinet Secure SD-WAN is powered by a purpose-built SD-WAN processor, combined with advanced network traffic management functionality such as application steering to ensure high application performance on any WAN link. Fortinet Secure SD-WAN has been recommended by NSS Labs in two consecutive SD-WAN group tests and is trusted by over 21,000 customers.
  • Shadow IT discovery: Get instant visibility into the cloud applications your employees are using but your IT department knows nothing about. Shadow IT Discovery automatically scans and identifies cloud-based SaaS applications running on your network.
  • Three tiers of security services:
    • Unified Threat Protection (UTP)
      • Logging and alerting features in the customer portal
      • Next-gen firewall with UTP security active across all remote sites
      • Antivirus / Anti-malware and Intrusion Detection/Prevention System (IDS/IPS)
      • Web filtering
      • Data Loss Prevention (DLP)
      • Application Control (e.g. IM and P2P)
    • Threat Monitoring & Response includes the bundle above along with
      • 24/7 monitoring and incident response of UTP events from certified security analysts in Masergy’s three global SOCs
      • Real-time incident response on suspicious events detected by the UTP
      • Real-time firewall integration for threat blocking at all SD-WAN sites
      • Traffic monitoring including “east/west” (site-to-site) connectivity between all sites
      • Consistent security policies enforced across all SD-WAN devices
    • Managed Security Services includes the bundle above along with all additional security features
      • Security Analytics: Patented machine learning and behavioral analytics
      • Cloud Security: Cloud Workload Protection for AWS®, Azure® and other IaaS/PaaS providers, Cloud Access Service Broker for SaaS apps, Microsoft® Office 365™ monitoring, Endpoint Detection & Response, and third-party integration for other security tools
      • Threat intelligence and threat hunting
      • Advanced IDS, anomaly detection, raw packet capture
      • Network visibility tool
      • Vulnerability scanning
      • SIEM as a Service (log alerting, management, and monitoring)

Plus, Masergy’s SD-WAN gives enterprises the agility they need in the digital age

  • Flexible access options, public, private, and wireless
  • Centralized policy management
  • Virtual network advisor to help with optimization (AIOps)
  • Limitless segmentation
  • Network function virtualization
  • WiFi services