Security Is the Key to a Dependable SD-Branch Solution

Executive OverviewThere has been a long history of building networks and then adding on security at the end, as an afterthought. This was no different for branch offices, especially since traditionally, all traffic came back to a central location for security inspection. Dedicated network lines (typically multiprotocol label switching [MPLS]) connected branches back to corporate, and there was little perceived need to worry about security within the branch.

With the move to software-defined wide-area networking (SD-WAN), branches are now directly connected to the internet, bringing security to the forefront. The remote nature of branches makes security inherently challenging. Often there is reduced visibility and direct knowledge, not only about what is happening on the branch network but even simply who and what devices are connecting to it.

From branch employees to Internet-of-Things (IoT) devices that are being used to digitally transform the business, cyber criminals have plenty of targets. But branches often have little to no dedicated on-site IT staff who can investigate when something suspicious occurs. As threats continue to evolve and target the lowest-hanging fruit, weakly secured branches can serve as an easy entry point into the larger corporate system. Branch security needs to be a priority as branch locations are now far more vulnerable than they were in the past.

Many SD-Branch solutions focus on consolidation and ease of management (both important characteristics), but the dependability of a branch’s network is directly related to its security. This means reliable security must be a top consideration of SD-Branch deployments.

WAN EdgeThe rise of SD-WAN has completely changed how branch traffic is routed. With SD-WAN, traffic no longer travels back to corporate for security. Instead, to give the best quality of experience (QoE), traffic will often be routed to the internet directly at the branch. Therefore, SD-Branch solutions must inspect all traffic entering and exiting the branch, most particularly those involving internet sources. To make matters worse, with the move to secure web-based Software-as-a-Service (SaaS)

POINT OF VIEW

1

POINT OF VIEW | Security Is the Key to a Dependable SD-Branch Solution

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

www.fortinet.com

March 31, 2021 1:58 AM

D:\Fortinet\2021 Rebranded templates\POV\March\SD-Branch\pov-FA-security-to-a-dependable-sdbranch-solution-3302021\pov-FA-security-to-a-dependable-sdbranch-solution-3302021

940960-0-0-EN

solutions, more and more traffic is encrypted. Not only does this traffic need to be inspected, but it also requires decryption beforehand, then reencryption. All this needs to occur without impacting the QoE that SD-WAN has been installed for. Without fast and secure analysis of all traffic (encrypted or decrypted), performance will suffer, either from the need to route packets back to HQ for inspection, or from slow decryption/inspection.

LAN EdgeWhile the internet presents one class of risk to a branch, the local-area network (LAN) layer (where users and guests connect) presents another. Bad actors try to access branch resources and launch greater attacks to the larger network via the LAN. The larger the number of branches (and fewer IT staff to cover them), the more important it becomes to have reliable, consistent, and pervasive security at the branch. LAN security needs to be tied into a larger security context to ensure that the network continues to operate at peak efficiency.

Breach locations and attack methods are not predicable, so policies and settings across deployments need to be automated and enforced as close to the point of access as possible. Branch security needs to take into account that in addition to outside threats, the organization’s users are a potential problem. They may unwittingly compromise their machine either at the branch or while away, so the LAN must also be protected. SD-Branch security solutions need a tight coupling of all equipment at the branch.

Being constantly vigilant for indications of compromise on user devices and directly quarantining threats where they enter the network are also necessary. Integrated branch security will keep the network safe from breaches entering through endpoint devices, ensuring operations continue smoothly regardless of attack attempts.

IoT Device EdgeThe rising use of IoT devices within branches to drive important business outcomes has created a new issue that SD-Branch solutions must address. These devices are often highly vulnerable, lacking the security measures that higher-end client devices are capable of. Special care needs to be taken to secure IoT devices so they are not leveraged to launch an attack. The volume of IoT devices, and the varied solution sets they look to address, adds an additional level of challenge, as IT staff rarely has direct interaction with every device that is being brought online in any given branch.

Flexible and automated branch security is needed to remove IT from the critical path of deployment for these technologies. Solutions that require manual intervention slow down business initiatives at the branch and impact overall performance. Instead, SD-Branch equipment must be able to securely onboard these devices, allowing operations to continue without unduly exposing the network.

For Optimal Performance, SD-Branch Must Converge Around SecurityAbove all else, SD-Branch solutions are deployed to improve overall performance at the branch. While manageability may account for the more obvious return-on-investment (ROI) benefits of SD-Branch, without security, branch operations can slow or even grind to a halt. A reliable SD-Branch solution needs to offer security—not as a mere add-on—but integrated into all equipment to best address all aspects of branch dependability. By leveraging security at the heart of SD-Branch, the WAN, LAN, and device/IoT edge are all kept to optimal performance. Converging SD-Branch components with security enables a common framework for all branch network components, driving the best ROI.