Organisations planning a branch office firewall upgrade or refresh, or deploying firewalls to new sites, need to consider several different elements. Let's walk through the major factors to consider for a branch firewall, and why organisations should consider SD-WAN, and more recently Secure Access Service Edge (SASE), as part of their next generation of branch network security.
Organisations today work at scale, across multiple locations with branch offices, mobile users and regional hubs all requiring access to cloud services and corporate data. With a distributed workforce across so many locations, the need to maintain security across remote offices, users and corporate data arises.
Branch office network security is the challenge of protecting corporate data and users from security threats such as malicious sites, malware, and ransomware by enforcing the right security controls to protect the organisation.
Branch office networks are typically the most neglected part of the network, whilst being the most important in terms of carrying out business transactions and generating profits for the company. Let's put that in perspective: the branch is often the least secure, yet most important in terms of generating an organisation's revenue.
With organisations operating at scale, IT staff are often centralised in headquarters or regional hubs, whilst the branch office is supported remotely. The organisation's data is centralised in systems at headquarters, in the data center or in the cloud. Therefore most of the effort is placed on securing these locations, as that's where the data is. Meanwhile branch offices with no local IT staff lack visibility of security vulnerabilities,
A compromised branch office could leak important confidential company or customer data, as is often the case with the compromised point-of-sale systems notable in many major high-profile cases, or be used as a pawn in an advanced persistent security threat such as island hopping, where the attack starts from a compromised remote end-point and slowly makes its way through to important central systems.
Therefore, regardless of size, branch offices need enterprise-grade network security, and a firewall alone is often not enough.
Traditionally a firewall is placed at each location, requiring on-site deployment, policy configuration, ongoing maintenance and monitoring. This is usually where things start to fall apart. Smaller organisations may overlook investing in branch network security at all, trusting that the basic router and firewall provided by their ISP, combined with end-point security such as anti-virus, is enough to protect them. In larger organisations, as we've learned, all the resources are focused on protecting centralised data, so there is often little investment made in centralised policy control, monitoring and maintenance of the remote branch office locations.
The expectation from organisations is that securing branch offices should be as simple as just deploying a firewall. Unfortunately, this is just not the reality. Or is it? Enter SD-WAN, a new approach to managing wide area networks through zero-touch provisioning, centralised management and control. It is gaining popularity for its ability to help organisations reduce the cost of expensive MPLS leased lines by moving to low-cost broadband internet connections, often load balanced across multiple low-cost connections for increased bandwidth and availability, with quality of service controls to supplement the previous service levels offered by MPLS.
However, SD-WAN doesn't solve the branch office security problem completely, due to a lack of security features such as web filtering, intrusion prevention, anti-malware and protection against zero-day attacks. For this you will need to apply secure access service edge (SASE) as an integrated approach to delivering a secure branch office SD-WAN. Delivered as a service, a SASE SD-WAN solution provides complete security and control, centralised across all branch office locations, for internet traffic and east-west communications across the WAN.
An SD-WAN solution with SASE built in, like the ICG SD-WAN, leverages the cloud to centrally enforce security policies and eliminate the need for IT to manually manage and maintain individual firewalls across many branch office locations.
Learn more about the ICG SD-WAN solution and visit our SD-WAN cost calculator to help guide your purchasing decision.