
How Secure SD-WAN Can Replace Traditional Branch Firewalls

Sep 28, 2022 | 6 mins

Fact: Best-in-class SD-WAN solutions now incorporate firewall capabilities that enable organizations to perform quick deployments without compromising security.


By: Gabriel Gomane, Senior Product Marketing Manager, Aruba, a Hewlett Packard Enterprise company.

Originally created primarily to support WAN virtualization, SD-WAN capabilities have evolved to manage more aspects of the network—including security. Today, secure SD-WAN solutions have also enabled IT teams to eliminate branch firewalls in favor of a simplified branch WAN infrastructure.

The reasons are manifold. As network architecture continues to shift to the cloud, branch offices must tackle new security challenges: the network grows more complex as more users connect from outside the traditional security perimeter. At the same time, enterprises want additional flexibility to cope with the growing number of cloud applications, to open new branches faster, and to host new applications more quickly. The traditional network structure, built on MPLS, routers, and firewalls, simply cannot deliver the flexibility enterprises need, because of the cost, complexity, and rigidity this hardware demands, especially as it was never designed to be part of today's emerging cloud infrastructure.

In response, secure SD-WAN solutions now incorporate firewall capabilities that empower organizations to perform simple and quick deployments without compromising security. By taking advantage of the flexibility of SD-WAN virtual overlays combined with firewall capabilities, organizations can simplify the security function across the LAN, the WAN, and the cloud.

With these secure solutions, network administrators gain benefits that include the ability to:

  • Create zones and restrict access between zones to segment the network based on identity and/or role
  • Detect and prevent intrusions, including DDoS attacks
  • Perform deep packet inspection and filter packets based on the application
  • Monitor the full slate of active network connections
  • Secure connections through data encryption
  • Tightly integrate with security functions in the cloud such as SWG, CASB, and ZTNA
  • Log security events

Outlined below are four specific reasons to replace branch firewalls with a secure SD-WAN, a key tenet of fully embracing the cloud-first era with modernized network and security architectures.

  • Delivering all-encompassing security services via secure SD-WAN

Secure SD-WAN solutions incorporate next-generation capabilities such as deep packet inspection, intrusion prevention, DDoS protection, application and access control through identity-based policies, and event logging.

Furthermore, secure SD-WAN can combine heterogeneous links such as MPLS, internet, and 5G. However, unlike MPLS, internet and 5G links are not secure. To secure these links, a secure SD-WAN solution builds IPsec tunnels using AES 256-bit encryption across the entire SD-WAN fabric, protecting branch offices from potential data breaches. When SD-WAN virtual appliances are deployed in public clouds, IPsec tunnels are also created, extending corporate security policies to the cloud.

Finally, a secure SD-WAN enforces security policies across the entire fabric by automatically propagating policy changes to branch offices through central orchestration.

Unlike branch firewalls, a secure SD-WAN solution provides additional threat protection while securing untrusted links and seamlessly enforcing security policies across branch offices.

  • Streamline local operations via secure SD-WAN

In the pre-cloud era, branch environments suffered from equipment sprawl and planned obsolescence issues with traditional firewalls, routers, and MPLS. They also required specific IT expertise to install and maintain the equipment, increasing costs, time, and complexity.

Secure SD-WAN solutions integrate the latest firewall technology in addition to offering WAN capabilities such as routing and WAN optimization so that organizations can consolidate equipment into one single appliance. By reducing equipment sprawl and management, IT can more easily control the network and its security capabilities within a single console instead of supporting multiple disparate management tools.

Furthermore, secure SD-WAN offers zero-touch provisioning, meaning the branch does not need experienced IT personnel on the ground to configure the appliance, because security policies are delivered to the branch automatically. Organizations can quickly and easily set up new branch environments, or update potentially thousands of existing branches, with security policy changes distributed automatically.

Utilizing a thin branch model, secure SD-WAN solutions reduce the burden on branch environments by virtue of easy deployments without sacrificing flexibility or security.

  • Secure SD-WAN smooths the path to the cloud

With most organizations moving critical applications to the cloud, sending the traffic back to the data center no longer makes sense as it impacts application performance and ultimately the end-user experience. A secure SD-WAN helps eliminate the need to backhaul traffic to the data center.

By automatically steering traffic to the internet based on pre-determined policies, thanks to the ability to identify applications, network administrators can greatly improve performance and experience through secure SD-WAN. A trusted cloud application such as Microsoft 365, Salesforce, or RingCentral, as defined by the organization’s security policies, can be sent directly to the cloud while untrusted applications can be directed first to a cloud-delivered security service before forwarding to the SaaS provider.

Going further, advanced secure SD-WAN tightly integrates with multiple cloud-security vendors, giving the organization the freedom to select the best security service and build a best-of-breed SASE architecture. With the offerings available today, a single-vendor SASE solution cannot deliver both best-in-class network and best-in-class security technologies.

Secure SD-WAN solutions support cloud-first organizations by improving performance and security while enabling a best-of-breed SASE architecture approach.

  • Securing IoT devices via micro-segmentation through a secure SD-WAN

Organizations are witnessing an exponential rise in IoT devices connecting to the network, dramatically increasing the attack surface area while posing major cybersecurity challenges. IoT devices, based on simple architectures, cannot run security agents. Therefore, organizations require a different security approach for IoT devices to protect networks from potential vulnerabilities.

An advanced secure SD-WAN solution can extend security beyond the SASE architecture with its next-generation firewall capabilities. It can implement zero trust network segmentation based on identity and role-based access control, ensuring that users and IoT devices alike can only reach the network destinations consistent with their roles within the business.

As SD-WAN uses virtual overlays that are mapped to firewall zones, organizations can provide each zone with security policies that limit connectivity with other zones. In essence, a policy may allow only outgoing traffic, or allow incoming traffic only from approved applications and services while blocking all traffic from less secure zones.

Secure SD-WAN solutions can create micro-segmentation policies that span from the LAN, across the WAN, to data centers, and cloud platforms.
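The zone model described above, as an added illustration that is not Aruba's or EdgeConnect's code: each overlay maps to a zone, a zone accepts only connections an explicit rule allows (default deny, including intra-zone lateral traffic), established sessions admit their return traffic, and a lint flags rules that let a less trusted zone open connections into a more trusted one. Zone names, trust ordering, services and flows are constructed for the example; connection tracking is simplified to zones plus service port.

```python
# Added example, not vendor code: zone-based micro-segmentation policy
# evaluation as a secure SD-WAN firewall would apply it. Names, trust
# levels, services and flows are constructed for illustration.
from dataclasses import dataclass

# Higher number = more trusted zone (constructed ordering).
ZONE_TRUST = {"internet": 0, "guest": 1, "iot": 2, "corp-users": 3, "datacenter": 4}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int          # service (destination) port of the connection

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    services: frozenset  # allowed (proto, port) pairs; empty means any service

# IoT may only open outbound HTTPS to its cloud service; staff reach IoT only
# on one approved service; no rule lets internet or guest initiate inbound.
RULES = [
    Rule("iot", "internet", frozenset({("tcp", 443)})),
    Rule("corp-users", "iot", frozenset({("tcp", 554)})),
    Rule("corp-users", "datacenter", frozenset()),
    Rule("corp-users", "internet", frozenset({("tcp", 443), ("tcp", 80)})),
    Rule("guest", "internet", frozenset({("tcp", 443), ("tcp", 80)})),
]

def rule_permits(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and (not rule.services or (flow.proto, flow.port) in rule.services))

def evaluate(flow: Flow, sessions: set, rules=RULES) -> str:
    """Return 'allow' or 'deny'. Default deny: unknown zones, intra-zone
    traffic and any flow no rule matches are dropped. Simplified connection
    tracking: an allowed flow records its reply direction in `sessions`."""
    if flow in sessions:                      # return traffic of an open session
        return "allow"
    if flow.src_zone not in ZONE_TRUST or flow.dst_zone not in ZONE_TRUST:
        return "deny"
    if any(rule_permits(r, flow) for r in rules):
        sessions.add(Flow(flow.dst_zone, flow.src_zone, flow.proto, flow.port))
        return "allow"
    return "deny"

def risky_rules(rules=RULES) -> list:
    """Rules that let a less trusted zone initiate into a more trusted one;
    these deserve review when the policy is pushed fabric-wide."""
    return [r for r in rules if ZONE_TRUST[r.src_zone] < ZONE_TRUST[r.dst_zone]]
```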

A secure SD-WAN solution such as the Aruba EdgeConnect Enterprise SD-WAN platform provides a secure network foundation for Zero Trust and SASE frameworks. The solution includes a next-generation firewall with fine-grained segmentation and identity-based access control capabilities, as well as IDS/IPS and DDoS defense to protect branch offices from malicious activities. The solution tightly integrates with leading SSE (Security Service Edge) providers allowing organizations to build a best-of-breed SASE architecture.

Recognized by an independent, global organization, Aruba EdgeConnect Enterprise became the first solution to attain secure SD-WAN certification from ICSA Labs, thanks to its advanced security features.

To learn more, visit the Aruba EdgeConnect SD-WAN page.