Considerations for a branch office firewall

Organisations looking for a branch office firewall upgrade, refresh or deploying firewalls to new sites, need to consider multiple different elements. Let's walk through all of the major factors to consider for a branch firewall and why organisations should consider SD-WAN, and more recently Secure Access Service Edge (SASE) as part of their next-generation of branch network security.

What is branch office network security?

Organisations today work at scale, across multiple locations with branch offices, mobile users and regional hubs all requiring access to cloud services and corporate data. With a distributed workforce across so many locations, the need to maintain security across remote offices, users and corporate data arises.

Branch office network security is the challenge of protecting corporate data and users from  security threats such as malicious sites, malware, and ransomware by enforcing the right security controls to protect the organisation.

Challenges of branch network security

  • Bandwidth requirements, per user and application
  • Cloud applications such as Office 365, Google G Suite, Salesforce, and Zoom
  • Constant internet availability without interruptions
  • Lack of IT staff at remote offices to monitor and maintain network security
  • Maintaining quality of service across all sites, applications, and cloud services
  • Visibility of users, activity, and threats across all locations
  • Wide area networks interconnecting branch offices, regional hubs and data centers

Importance of branch network security

Branch office networks are typically the most neglected part of the network, whilst been the most important in terms of carrying out business transactions and generating profits for the company. Let's put that in perspective, the branch is often the least secure, yet most important in terms of generating an organisations revenue.

With organisations operating at scale, often IT staff are centralised in head quarters or regional hubs, whilst the branch office is supported remotely. The organisations data is centralised in systems at head quarters, in the data center or in the cloud. Therefore most of the effort is placed on securing these locations, as that's where the data is. Meanwhile branch offices with no local IT staff lack visibility of security vulnerabilities,

A compromised branch office could leak important confidential company or customer data, as is often the case with compromised point-of-sales systems notable in many major high profile cases or be used as a pawn in an advanced persistent security threat such as island hopping, where the attack starts from a compromised remote end-point and slowly makes it's way through to important central systems.

Therefore regardless of size, branch offices need enterprise-grade network security and a firewall alone is often not enough.

How to secure branch offices

Traditionally a firewall is placed at each location, requiring on-site deployment, policy configuration, on-going maintenance and monitoring. This is usually where things start to fall apart. Smaller organisations may overlook investing in branch network security at all, trusting that the basic router and firewall provided by their ISP combined with end-point security such as anti-virus is enough to protect them. Whilst as we've learned in larger organisations, all the resources are focused on protecting centralised data, so there is often little investment made in centralised policy control, monitoring and maintenance of the remote branch office locations.

The expectation from organisations is that securing branch offices, should be as simple as just deploying a firewall. Unfortunately, this is just not the reality, or is it? Enter SD-WAN, a new approach to managing wide area networks through zero-touch provisioning, centralised management and control. Gaining popularity for it's ability to help organisations reduce the cost of expensive MPLS leased lines, by moving to low-cost broadband internet connections, often load balanced across multiple low-cost connections for increased bandwidth and availability with quality of service controls to supplement the previous service levels offered by MPLS.

However SD-WAN doesn't solve the branch office security problem completely, due to a lack of security features, such as web filtering, intrusion prevention, anti-malware and protection against zero-day attacks. For this you will need to apply secure access service edge (SASE) as an integrated approach to delivering a secure branch office SD-WAN. Delivered as a service, a SASE SD-WAN solution provides complete security and control, centralised across all branch office locations for internet traffic and east-west communications across the WAN.

A SD-WAN solution with SASE built-in like the ICG SD-WAN leverages cloud to centrally enforce security policies and eliminate the need for IT to manually manage and maintain individual firewalls across many branch office locations.

Advantages of SD-WAN vs branch office firewall

  • Minimise hardware costs with less capital expense for acquiring, upgrading and replacing on-premise equipment.
  • Reduce management complexity by unified policy management across all sites, that can be easily customized as needed, saves hours of tweaking configurations and policies for each device.
  • Offered highly adaptive protection, unlike appliances that need to go through software updates, with security services that are seamlessly upgraded in the background with new capabilities. Develops and quickly deploys threat countermeasures to keep our defenses up-to-date.
  • ICG SD-WAN eliminates dedicated branch office equipment such as UTMs, Firewalls and WAN optimization appliances. ICG protects all connected locations and seamlessly scales to secure all traffic, without the need for unplanned hardware upgrades and resource-intensive software patches. ICG delivers continuous, up-to-date protection without any customer involvement.
  • Post pandemic, organisations have put a strong focus on enabling secure remote work, meaning investments in scaling a VPN gateway or next generation firewall. ICG SD-WAN scales VPN connections through the cloud with over 50 global PoPs, providing a low-latency VPN connection that's closest to your remote users.

Learn more about the ICG SD-WAN solution and visit our SD-WAN cost calculator to help guide your purchasing decision.

Have time for a coffee?

Face to face or over Zoom, we are here to help you.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Read more
You might also be interested in...
Gartner Report 2021 Strategic Roadmap for SASE Convergence
Gartner Report 2021 Strategic Roadmap for SASE Convergence
Digitalization, work-from-anywhere, and cloud computing have accelerated SASE offerings to address the need for secure and optimized access, anytime, anywhere, and on any device.
Industry 4.0 – Talking About a Revolution
Industry 4.0 – Talking About a Revolution
Industry 4.0 represents the next phase of innovation in production processes, merging traditional systems with new digital technologies (IoT, AI, big data, AR, robotics, M2M, real-time analytics, and so on), facilitating automation, agility, and efficiency to create a world of smart manufacturing.
SASE vs. SD-WAN: Achieving Cloud-Native WAN Security
SASE vs. SD-WAN: Achieving Cloud-Native WAN Security
For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central data centers in a cost-effective manner. It is the networking equivalent of a killer application that allows companies to use a variety of transport mechanisms besides MPLS and to steer traffic according to business priorities.
Why Remote Work and Legacy Security Architectures Don’t Mix
Why Remote Work and Legacy Security Architectures Don’t Mix
Last week, Cato Networks announced the results of the 5th annual IT survey, The Future of Enterprise Networking and Security: Are You Ready for the Next Leap. It was a massive undertaking that saw 2,376 participants from across the globe provide detailed insights into how their organizations responded to the COVID-19 crisis, their plans for 2021, and what they think about secure access service edge (SASE).
SD-WAN or SASE: Choose a platform rather than a product
SD-WAN or SASE: Choose a platform rather than a product
As enterprises set out to modernize their networks, SD-WAN has become a key networking technology for connecting offices. But with COVID-19, users transitioned to work at home, not in the office.
Thought SD-WAN Was What You Needed to Transform your Network? Think Again.
Thought SD-WAN Was What You Needed to Transform your Network? Think Again.
Since its premier over a decade ago, SD-WAN was adopted by enterprises as the go-to-technology for preparing their network for the digital transformation.
Rethinking Enterprise Remote Access VPN Solutions: Designing Scalable VPN Connectivity
Rethinking Enterprise Remote Access VPN Solutions: Designing Scalable VPN Connectivity
The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly – almost overnight – giving companies little time to prepare for so many people to work remotely. To keep business functioning as best as possible, enterprises need to provide secure remote connectivity to the corporate network and cloud-based resources for their remote workers.
Secure Remote Work: Deploying Zero Trust Access
Secure Remote Work: Deploying Zero Trust Access
The global pandemic has forced knowledge workers to move out of their offices en masse to the isolated environment of their homes. Most will return to the office at some point, even if only part-time, as companies adjust to social distancing measures meant to keep employees safe.
How much does SD-WAN cost?
How much does SD-WAN cost?
Calculating the cost of SD-WAN can be complicated, especially when it comes to CAPEX vs OPEX and ambiguous ROIs. With so many vendors promising massive savings over MPLS internet connections, SD-WAN is currently been touted as one of the hottest categories in networking today. Take a closer look at the costs, considerations, potential savings and leverage the SD-WAN calculator to estimate your organisations SD-WAN cost.
What is STaaS?
What is STaaS?
Storage as a service (STaaS) is a managed service model for purchasing data storage based on consumption, where a company only pays for what they use, typically on a per-GB per-month basis.
What is SD-WAN?
What is SD-WAN?
Software-Defined WAN (SD-WAN) is a networking technology that seamlessly connects branch offices, HQs cloud and data centers over broadband internet rather than MPLS leased lines.
SD-WAN vs. VPN comparison
SD-WAN vs. VPN comparison
Internet-based VPN vs MPLS was the debate for some time, WAN technology has evolved in recent years. During that time, SD-WAN has emerged as an enterprise WAN connectivity solution that provides a combination of cost efficiency, agility, and cloud-friendliness that neither MPLS nor Internet-based VPN can match.
SD-WAN vs. MPLS vs. broadband public internet
SD-WAN vs. MPLS vs. broadband public internet
To meet the needs of a global enterprise, our network architectures need to evolve as well. Which architectural approach will best serve your needs — MPLS, public internet or cloud networks?
SD-WAN vs. MPLS: Choose the best WAN solution for you
SD-WAN vs. MPLS: Choose the best WAN solution for you
You've probably heard about SD-WAN and its promise to transform enterprise networking as we know it. And, by enterprise networking we mean the use of MPLS at the core of enterprise networks. So, to SD-WAN or to MPLS? Here is what you need to consider.
Alternatives to MPLS internet
Alternatives to MPLS internet
SD-WAN is looking to address the challenges of MPLS like cost, capacity, rigidity, and manageability.
Challenges of SD-WAN security
Challenges of SD-WAN security
A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.
WAN Optimization in the SD-WAN Era
WAN Optimization in the SD-WAN Era
WAN optimization has been with us for a long time. Born alongside expensive and capacity constrained WAN connectivity, such as MPLS, WAN optimization appliances allowed organizations to squeeze more bandwidth out of thin pipes through compression, and prioritize traffic of loss-sensitive applications such as remote desktops.
History of SD-WAN
History of SD-WAN
Let's take a look at the history of WAN and as we journey from Point-to-Point, T1/T3, Frame Relay, to MPLS, and finally arrive at SD-WAN.
How to load balance multiple internet connections?
How to load balance multiple internet connections?
Internet load balancing or fail-over for multiple internet connections can seem like a tight rope walk, but it doesn't have to be. There are multiple ways to accomplish it, from point products to routers and firewalls. Let's take a look at the options and alternatives.
How does SD-WAN work?
How does SD-WAN work?
SD-WAN has quickly become the go-to technology for enterprises seeking to leverage the cloud and embrace digital transformation. Yet, much confusion still exists about what exactly is an SD-WAN, and how the technology works.
WAN Optimization vs. SD-WAN
WAN Optimization vs. SD-WAN
With the rising popularity of SD-WAN, there is a growing debate that WAN optimization is becoming obsolete. SD-WAN is gaining acceptance and for good reason. It creates an intelligent overlay of multiple transports on your WAN to efficiently and automatically route traffic over the most optimal path.
How to connect multiple branch offices?
How to connect multiple branch offices?
How do you connect multiple offices rapidly and affordably without sacrificing performance?
Last mile constraints for SD-WAN
Last mile constraints for SD-WAN
From pairing MPLS with a backup internet connection, to link-bonding for aggregate last-mile, SD-WAN introduces new ways to handle old problems, with policy-based routing, active/active links, packet loss mitigation, and quality of service (QoS).
Affordable MPLS Alternatives
Affordable MPLS Alternatives
After decades of use, enterprises are looking for MPLS alternatives. To be considered a viable alternative, a network must match MPLS’ service levels for predictability and consistency, while avoiding its pitfalls of cost, rigidity and capacity constraints.
SD-WAN vs. MPLS redundancy
SD-WAN vs. MPLS redundancy
How can SD-WAN deliver the same reliability and redundancy as MPLS when it uses the public Internet?
How does SD-WAN benefit digital transformation?
How does SD-WAN benefit digital transformation?
Digital transformation is all about agility. SD-WAN enables organisations to be more agile in multiple different ways. Such as the ability to rapidly stand-up a new site with secure internet and inter-office connectivity, without the need for additional security appliances, make policy changes across multiple sites on-the-fly, gain real-time visibility of users and connections, on-board new VPN users for remote work without worries license or connection limits.
Evolution of SD-WAN
Evolution of SD-WAN
SD-WAN has become more than just a network for connecting locations. The rise of cloud, mobile, and business agility demands has required SD-WAN to become smarter by providing security, optimization, intelligence, and better reach. These changes in SD-WAN can be broken down into three phases, reflecting the ways that SD-WAN technologies have adapted over time to the demands of business requirements.