How SD-WAN Addresses Complex Branch Office Security Challenges

Until recent advances made possible by SD-WAN, branch offices have had to rely on purely local protection from a security perspective. This usually meant point security appliances at the network boundary in the branch office, combining functions such as firewalls, unified threat management, and a variety of other functions for local use (content filters, data loss protection, data encryption services, etc.). Adopting SD-WAN provides new options for addressing typical multi-location network security challenges. Let’s review those challenges, and then explain how SD-WAN along with other security solutions can help to mitigate them.

Multi-location network security challenges that SD-WAN must address

Most distributed organizations manage their security infrastructure in-house or work with a managed security service provider (MSSP). Despite these efforts, enterprises face a variety of security challenges when multiple point solutions are used to provide comprehensive coverage at branch locations. These include:

  • Latency from cloud-based apps and services: With applications being delivered both in the cloud and from corporate data centers, security requirements may mean cloud traffic must be routed through the data center to take advantage of deep packet inspection, content filtering, and data loss protection. This adds to network latency and imposes a drag on branch office communications.
  • Complexity due to network connectivity: Some locations may use differing WAN links for network access (broadband Internet, MPLS, or hybrid combinations). Security requirements may differ from location to location with link type, or by applications accessed. This creates added complexity when using security appliances to implement typical branch security models.
  • Complexity adding to cost of ownership: The need to purchase, deploy and maintain appliances for multiple layers of security at branch offices where IT/security expertise is either absent or scarce adds to both Capex and Opex costs.
  • Complexity increases security risks: Integrating multiple point solutions and managing multiple configurations always carries the risk that the combination of elements leaves gaps in coverage, exposing the branch (and its parent organization) to a variety of security risks and vulnerabilities.
  • Inflexibility lengthens deployment cycles: Deployment of branch office point solutions can take considerable time (acquiring/shipping hardware, arranging/scheduling staff or vendors to handle installation, integration, testing, etc.). This applies both to initial deployment and to every subsequent upgrade or change to the branch office environment.

How SD-WAN helps boost branch security

Software defined technologies introduce the concepts of network function virtualization (NFV), which includes security functions, and service chaining, which links multiple functions together to service specific WAN connections. Software defined technologies thereby make deployment and management of security at branch locations seamless and painless, because these tasks can be handled centrally by a service provider or from the data center. Network and security functions can migrate away from hardware point solutions into their virtualized software-based counterparts, improving security integrity across all branches. Virtualized functions are easier to define, deploy, and manage at the branch, and easier to update, upgrade, or replace when the time comes to make changes. This approach also makes it easier and less costly to update branch office security to match the security models used in data centers and at the network core.

This introduces a potential cloud-based approach to security, featuring a high-function, virtualized next-generation firewall (NGFW) that runs at the network core. Once configured and tuned for the specific mix of apps used in the enterprise, this NGFW can be service-chained into SD-WAN connections to as many branch offices as desired. Such core-based solutions may reintroduce some of the latency issues noted in the challenges section above, so IT must be selective about how and when they’re used.

SD-WAN and the concept of “security classes”

Consider, for example, a location where the traffic mix includes both A) customer records and transactions, and B) guest/visitor WiFi. Here it makes sense to differentiate the traffic according to “security classes.” The more sensitive customer records and transactions would be routed through the service-chained NGFW functions to ensure the highest level of security, while the less sensitive traffic in the “guest WiFi class” could make use of local security appliances.

Such a configuration requires an enterprise to carefully consider and evaluate security classes for branch traffic and to impose policy and technical controls to ensure traffic/apps are treated appropriately by security class. Service providers can help by describing the kinds of hosted security solutions they implement for their SD-WAN services, and by describing how customers can segregate traffic to use or bypass the various security functions they provide.
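As an added illustration (not code from the original post or from EarthLink), the following Python sketches the two controls the preceding paragraphs call for: an ordered policy that assigns branch traffic to a security class and picks its service chain, and a check that every class's chain actually provides the functions that class requires, so that a combination of elements does not silently leave a coverage gap. The segment names, application tags, class names and function lists are constructed assumptions.

```python
# Added example, not part of the original post. All segment/app/function names
# below are constructed for illustration.

# Security functions each class must receive (assumed requirements).
REQUIRED = {
    "customer-records": {"ngfw", "dpi", "dlp", "content-filter"},
    "guest-wifi": {"local-firewall", "content-filter"},
}

# Ordered classification rules: first match wins. A rule matches when every
# listed attribute of the flow equals the rule's value.
RULES = [
    ({"segment": "pos", "app": "crm"}, "customer-records"),
    ({"segment": "pos"}, "customer-records"),
    ({"segment": "guest"}, "guest-wifi"),
]

# Service chain configured per class: the core NGFW chain for sensitive
# traffic, a local appliance for guest traffic. The guest chain is
# deliberately missing "content-filter" so the coverage check has something
# to report.
CHAINS = {
    "customer-records": ["ngfw", "dpi", "dlp", "content-filter"],
    "guest-wifi": ["local-firewall"],
}


def classify(flow, rules=RULES):
    """Return the security class for a flow (a dict of attributes).
    Unmatched flows fall into the most sensitive class, so traffic that was
    never classified cannot bypass the core NGFW chain by default."""
    for match, cls in rules:
        if all(flow.get(key) == value for key, value in match.items()):
            return cls
    return "customer-records"


def chain_for(flow, chains=CHAINS):
    """Return the ordered list of security functions a flow is sent through."""
    return chains[classify(flow)]


def coverage_gaps(chains=CHAINS, required=REQUIRED):
    """Return {class: [missing functions]} for every class whose configured
    chain does not provide all the functions the class requires."""
    gaps = {}
    for cls, needed in required.items():
        missing = needed - set(chains.get(cls, []))
        if missing:
            gaps[cls] = sorted(missing)
    return gaps
```

Running `coverage_gaps()` against the sample configuration reports that the guest class lacks content filtering, the kind of gap the text warns can arise when several point solutions are combined.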

By utilizing SD-WAN, customers can maintain the confidentiality of their communications through encrypted tunnels between branch locations, improve the integrity of security and business policies through centralized policy management, and improve network availability by seamlessly utilizing multiple access paths and monitoring path conditions to avoid service interruptions. Confidentiality, integrity and availability are the three main factors in developing and maintaining a secure network.

As this will be new to many people, our organization is happy to work with our customers to help them make such decisions and to make the best use of added security coverage that SD-WAN can provide. Happy to address any questions you may have on the topic, as well.

– Mike Frane


SD-WAN presents a dramatic step forward for multi-location organizations across every aspect of business. To learn how SD-WAN has impacted one such company, watch our video customer success story profiling Dunn-Edwards Paints. As Pete Garcia, manager of infrastructure services, explains, EarthLink SD-WAN Concierge helped the progressive paint manufacturer and retailer build on their differentiated customer experience, further strengthening their relationship with their discerning customer base.

Mike Frane (5 Posts)

Mike Frane is VP Product Management at EarthLink, with responsibility for the company’s broad portfolio of enterprise network, voice and security services, and solutions. Since joining the organization in 2008, he’s overseen the launch and lifecycle of products including LTE wireless, Ethernet and MPLS IPsec access elements, Secure WiFi & Analytics, Application Performance Optimization, IPsec VPN and Unified Communications services. Most recently, Mike and his team launched EarthLink SD-WAN, their most significant such product introduction in over a decade. Mike has a BS in Genetics and Cellular Biology from the University of Minnesota and was involved in gene therapy research at the Institute of Human Genetics before entering the telecommunications industry as a business analyst for an investment firm based in the Pacific Northwest.

