A key component of SD-WAN is its ability to secure unreliable Internet links and identify anomalous traffic flows.

SD-WAN technology providers are continuing to increase their native security features and to create robust ecosystems of network-security partners.

IT managers should consider their branch network security requirements and carefully evaluate the security capabilities of leading SD-WAN providers, including their native security features and their partnerships with network security providers.

Branch network security threats

Network security is a constant concern for IT professionals, and surveys indicate the problem is getting worse. Security at the branch is a challenge due to the increased number of devices, including PCs, tablets, phones, point-of-sale devices, and IoT endpoints, that are attached to the branch network. All of these endpoints provide new opportunities for malware to infect the corporate network and for hackers to access important data. Branch security concerns are exacerbated by the lack of trained IT/security staff at remote locations and the complexity of managing multiple security appliances including IP VPNs, IDS/IPS, and firewalls.

An additional challenge for branch security is the requirement to coordinate security efforts across the entire network. Security systems at the branch need to talk to endpoint security products and campus/data center network security systems. Traffic at the branch should be inspected, and any suspect traffic flagged there can then be analyzed by centralized or cloud-based security systems. Ideally, branch security systems will become fully automated and employ cloud-based intelligence.

SD-WAN security capabilities

The SD-WAN market is highly competitive with several dozen suppliers. A key selling factor for SD-WAN is its ability to enable organizations to leverage low-cost Internet circuits as secure business-class links. Network security is a key differentiating factor in SD-WAN technology, and each supplier has its own unique methods for securing traffic flows and identifying “safe” sites.

Almost all SD-WAN providers now offer basic firewall capabilities as a standard product feature. They employ packet identification to understand traffic flows. For example, is the traffic going to or coming from a trusted location or cloud-based service? Additional features include content filtering, endpoint identification and management, and policy-enforcement capabilities.

SD-WAN suppliers are actively courting leading network security suppliers – Palo Alto, Zscaler, Check Point, and Fortinet among them – to integrate their SD-WAN technology with next-generation firewall and UTM functionality. This integration between SD-WAN and best-in-breed network-security suppliers needs to be streamlined to guarantee high performance and low latency because traffic handoffs between applications can impact latency. The goal is to provide granular traffic inspection and effectively whitelist cloud sites to securely prioritize critical traffic flows and applications.

Examples of SD-WAN security features

Aruba ClearPass Policy Manager provides user, device, application and WAN context for consistent policy enforcement across its SD-WAN solution. Its role-based enforcement, device profiling and access controls enable IT organizations to centrally enforce LAN and WAN security policies across branch locations. This simplifies how policies are applied across different layers of the network and reduces the need for manual configurations.

Riverbed’s SteelConnect supports a native perimeter firewall, network address translation and policy-based network zoning that helps to mitigate network intrusion and limits further propagation of threats. It automatically forms secure IPsec VPN tunnels with AES-256 encryption between sites and offers deep-packet inspection for encrypted applications such as SSL/HTTPS. SteelConnect Manager provides centralized management and visibility that allows IT to specify application-based security and traffic path.

Talari Networks’ Failsafe SD-WAN offloads Internet traffic at the branch using its integrated firewall, and trusted-URL traffic can automatically be redirected to the Internet. Talari supports RADIUS authentication for management access to its edge appliances, and packets are encrypted by default.

Examples of SD-WAN security ecosystems

A critical aspect of SD-WAN security is whether SD-WAN platforms integrate and interoperate with leading network security products, including advanced firewalls, UTM, secure web gateways and cloud-based network security. Here are some examples of security ecosystems created by selected SD-WAN suppliers.

Cisco SD-WAN (Viptela): Cisco Security solutions (various), Blue Coat, Palo Alto, Zscaler
CloudGenix: Palo Alto, Symantec, Zscaler
Cradlepoint: Cisco, Trend Micro, Webroot, Zscaler
Silver Peak: Check Point, Fortinet, Palo Alto, Zscaler
VMware (VeloCloud): Check Point, Palo Alto, Symantec, Zscaler

(Disclosure: Aruba, Cisco, CloudGenix, Cradlepoint, Riverbed, Silver Peak, Talari, and VMware are clients of Doyle Research.)

SD-Branch is defined as having SD-WAN, routing, network security and LAN/Wi-Fi functions all in one platform with integrated, centralized management. The advantage of SD-Branch is that it consolidates multiple software/appliance modules from multiple vendors into one platform to make it easier to deploy and use. Many SD-WAN suppliers have or will soon introduce SD-Branch solutions.

Recommendations for IT managers

SD-WAN is a powerful technology for connecting distributed organizations, and security is a critical point of supplier differentiation. Each supplier has proprietary code for its native security capabilities. Customers should evaluate SD-WAN technologies based on both their native security capabilities at the branch and in the cloud and their ability to develop a broad network-security ecosystem.

Suppliers also need to further broaden and deepen their integration with a wide range of popular network-security products via their partner ecosystems.

IT managers should evaluate SD-WAN security on its ability to easily enhance and integrate with their specific security environment and incumbent suppliers.