How Secure SD-WAN Accelerates Branch Offices

Branch office digital innovation requires SD-WAN

Most multi-site organizations are in the process of implementing a distributed networking strategy that ensures that all branches and users can take full advantage of the company's digital innovation efforts. For true cross-organizational collaboration, productivity, and user experience, every employee needs access to core business applications. To do this, they need a very flexible and scalable connection to cloud applications and resources, direct access to the Internet and an on-demand connection with other users and devices.

This is simply not possible with traditional WAN routers and fixed MPLS connections. Business applications, especially those that provide rich multimedia resources or provide highly flexible interactions between users and locations, such as Unified communications (UC), Office 365 and similar tools, require a lot of bandwidth ... And in the traditional model, all this traffic must be routed through the main network. Multiply that with dozens of remote workers located in dozens of remote offices, and you can quickly overwhelm internal servers, computing resources, and even security and inspection tools.

SD-WAN requires integrated security to help scale the solution when needed

Fortunately, SD-WAN solves these connectivity issues. The biggest challenge for organizations is figuring out how to replace the traffic handling and connection security previously provided by the core network. However, simply adding an overlay security solution to an SD-WAN appliance to approximate previously provided security can significantly, and unexpectedly, increase both capital and ongoing operating costs.

This can also limit the ability to efficiently scale your SD-WAN solutions, as adding disparate layers of security across multiple sites can exponentially increase management complexity. For a recent customer looking to deploy an SD-WAN solution to more than 700 locations, such scaling is not even possible without huge support resources or significant compromises in functionality and security.

However, Secure SD-WAN addresses all of these challenges by adding connectivity, traffic shaping, network management, and application recognition to an existing next-generation firewall appliance. This not only ensures that the full suite of defenses is fully integrated into the SD-WAN functionality by default, but it also allows deployments to easily scale to hundreds or even thousands of remote locations without the added cost of implementation, management, and optimization.

The unique task of combining wholly owned subsidiaries

Scalability and interoperability are critical requirements for many organizations. For example, banks and insurance companies may have hundreds or even thousands of branches that require scalable and flexible communications. Organizations using the franchise model, where many or even all of the branches are subsidiaries, are in even greater trouble. Connections must not only provide scalable access to critical resources, but also maintain the privacy and integrity of individual owners by protecting their core and cloud resources from access from branch LANs that are not fully controlled by the main office.

For example, we recently had the opportunity to design and deploy a Secure SD-WAN solution for a company with over 700 branches. To complicate matters, many of them are wholly owned subsidiaries. The client's goal was to replace the traditional connection model with one that would provide much better access to online and cloud resources than their expensive MPLS to private cloud connections. They wanted to make the WAN more reliable and efficient to eliminate chronic network outages, improve user experience, and simplify and streamline the ability of remote offices and franchisees to efficiently and easily access critical business tools and resources using application management tools. , connection monitoring and management provided by SD-WAN.

Another part of the challenge was also ensuring optimal security for every connection, including encryption and inspection of traffic, firewall and IPS protection, and even things like web filtering and sandboxing to protect individual branches and prevent the spread of malware between carriers. The customer also intended to establish and maintain synchronized policies to provide consistent protection throughout the distributed environment, while eliminating the “weakest link” threat that puts everyone else at risk.

Solve connectivity, security and centralized management issues with Fortinet Secure SD-WAN

By carefully choosing an SD-WAN solution from four different options, the client was able to solve the entire range of his problems. Any full-featured SD-WAN solution, such as Fortinet Secure SD-WAN , should do three things - connectivity, security and management:

• For connectivity, an SD-WAN solution must provide dynamic link scalability, control and shaping for optimal performance, application detection for fast and uninterrupted connections to resources, and path monitoring and failover path repairs in less than a second to protect sensitive to application latency from things like jitter and packet loss. For more complex deployments, the solution must also provide advanced routing methods such as multicast to efficiently distribute one-to-many traffic. It should also support a variety of connectivity options, from direct broadband and Internet connections to MPLS, and LTE as a last resort to ensure and maintain maximum network uptime.

• For security purposes, this same solution should provide the same set of tools that were previously provided by the underlying network. It includes NGFW (Next Generation Firewall), IPS intrusion prevention and detection, web filtering, antivirus software, VPN encryption combined with high-speed encrypted traffic scanning, and even sandboxing for zero-day threat detection. Last but not least, security must be seamlessly integrated into network functions so that they can simultaneously respond to dynamically changing connections. Otherwise, the security system will constantly try to keep up with dynamic changes in connections, creating security gaps and delays that cybercriminals are willing to exploit. Finally, this security should work both ways, protecting both the branch and the larger network from compromise.

• Another element of this comprehensive approach is centralized management and analytics. To reduce deployment costs in situations where there is little IT staff on site, and especially when the branch LAN is controlled by an independent franchisee, any Secure SD-WAN solution considered should also include automated deployment. This provides seamless implementation along with branch office LAN integration and accelerates access to cloud applications and other resources.

It is very expensive to have separate management consoles for security and networking. Policies must be centrally enforced and affect both sides of the coin so that bandwidth can go up and down and connections can dynamically adapt to changes in availability without ever compromising security. In addition, there should be a single window in network and security functions so that you can see and manage the impact of changes made anywhere in the Secure SD-WAN process. Centralized visibility can also reduce troubleshooting cycles, especially when security is tied to the branch office to protect the local network, as well as to the central SOC / NOC to provide a single real-time view of the entire landscape.

Summing it up

The right Secure SD-WAN solution is critical to accelerate branch deployments and provide access to essential business applications and services, whether all branches are owned by the same organization or are separate entities. Despite everything, they all need connectivity, security and unified management to ensure the best user experience. Also, an added bonus is the ability to treat each branch as a separate entity when and where needed.

Alexey Andriyashin (Fortinet)
13/03.2020