Virtualization Featured Article

How SD-WAN Can Support Branch Security

November 07, 2017
By Special Guest
Steve Brar, Director of Solutions Marketing for Riverbed -

Your organization’s branch offices are critical to your business. Your users need high performing applications no matter where they are or how they connect to the network. SD-WAN provides a simple, cost-effective solution to enable the rapid deployment of network connectivity to your branch offices and provides centralized control that helps ease the management burden.

Ensuring branch security is of utmost importance. The right SD-WAN solution, architected based on core security precepts, helps keep your network secure and trouble-free at the branch so you can use SD-WAN as it was intended—realizing the full potential of digital branch and cloud transformation while also supporting branch security.

Secure Design

Traditional WANs have been considered relatively secure - they are usually private connections into the corporate network. As long as the corporate network was secure, the WAN was as well. Organizations now must contend with both internal and external threats, so they are in need multiple layers of security and visibility.

SD-WAN can offer support for centralized embedded security, firewalls, access points and switches to help simplify and consolidate the overall management of equipment, especially at the branch and other distributed locations. Look for solutions that include these capabilities as well as the ability to integrate with third-party CASB or on-premises firewalls.

Automatically deploy and change any time

Security rules that are part of the network policy and easy to implement, deploy, manage and change universally throughout the system—without requiring any of the command-line interface (CLI) configuration that is often prone to human error—help keep branches secure. A centralized, secure, global management system based on a single global policy should automate services like security and be easily changed for rapid response to changing conditions or new needs.

Implement Trusted Industry Standards/Approaches

Fundamental to secure branch operations is the establishment of a secure overlay Virtual Private Network (VPN) and SD-WAN security policies for traffic flows.


AutoVPN, based on the industry standard IPsec with AES 256 encryption, is a fast way to create a resilient, secure VPN backbone between all your sites. You can deploy AutoVPN between gateways, between an access point and gateway, between access points, as well as connect to a third-party VPN (ClassicVPN). Secure, encrypted AutoVPNs should be supported over all WAN types including Internet and MPLS. 

photo courtesy of BigStock


SD-WAN Gateways should also provide distributed firewalling, simple network services to zones (segmentation), and extended reporting. VPN links should be constantly monitored, and traffic included in policy controls. The SD-WAN solution should also work in combination with existing firewalls and switches and/or partner with other security vendors to form a full-fledged firewalled and secured edge branch office.


Network segmentation offers yet another layer of branch security. Based on policy, zoning provides unified segmentation of LAN and WiFi users and devices–-dynamically and in all locations. Organization-wide virtual network zones reduce attack surfaces and contain possible breaches. When the SD-WAN Gateway is handling gateway functionality for a zone, it will provide DHCP, NTP and DNS services automatically. SD-WAN also provides security for devices and reporting functionality for connected zones.


Look for a system that has been architected to reduce exposures that would otherwise have to be secured. Tools used to harden the system include automated operations and minimized attack surfaces. For example, Role-Based Access Controls (RBAC) can prevent certain UI options from being displayed to lower RBAC categories.

Protect Perimeters with Access Control

User identity control is central to allowing direct Internet access. Direct Internet access poses security challenges that include network isolation, data confidentiality/integrity, intrusion/attack prevention, content inspection and malware detection.

User identity-based control provides an easy and intuitive way to define network access. Be sure you can identify users by name, roles or job functions. Associate those accessing the networks with the devices they are using, providing granular and automated user-to-device assignments, with an interface in each zone.

Organizations assign users to a virtual network zone only once. From then on, these virtual zones automatically follow users across all locations, no matter which device is used. Smart roaming streamlines connectivity handover between access points and sites, and user-based network access control secures bring-your own-device (BYOD) environments.

Empower and secure guests

Guest Wi-Fi access utilizes authenticated and identity-based registration and then directs all guest traffic over the Internet—with a firewall between the guest zones and the internal zones. Guest restrictions are based on the policy attached to each guest device. For maximum convenience and secure control of device proliferation guests can self-register each device in a matter of minutes. The administrator then attaches the security policy to each device registered by that user. Web content restriction and malware filtering are also based on the policy you set up.

Make visible the problems you can’t see

The ability to validate that policies, especially security policies, are working as expected, troubleshoot problems quickly, and plan for changes can help ensure branch security.

A management dashboard should be available to offer a unified at-a-glance view of your network topology, including registered and online appliances, and new events. It should also provide continuous automatic monitoring of network events, site, and tunnel status.

In addition to network visibility, integrated analytics should be available to provide analysis of shared flow data into information reports and problem–focused troubleshooting. The integration provides path quality and QoS reporting with events overlaid on report.

Secure the Cloud

Cloud technologies are essential for digital business at the branch, but they introduce unique challenges for managing and securing enterprise networks. Combining SD-WAN with cloud-based security eliminates the complexity and compromise, including the need to backhaul traffic to data centers.

You can provide identical protection for users wherever they connect by seamlessly routing Internet-bound traffic to a cloud-based security solution. The cloud-based security solution inspects all traffic inline, including SSL, and provides advanced threat prevention, data protection, and access controls, while maintaining performance and an improved user experience.

Secure Your Branch with SD-WAN

SD-WAN dramatically simplifies and streamlines the process of designing, deploying, and managing distributed networks, enabling organizations to modernize and secure their network architecture to realize the full potential of digital and cloud transformation. SD-WAN’s strong system-wide and built-in security, combined with business partners who are equally dedicated to keeping hackers and intruders away from the business and customers, can form the core of your networking, datacenter, branch and cloud defense.

About the Author: Steve Brar is the Director of Solutions Marketing for Riverbed. In this role, he leads the marketing strategy for Riverbed's Application Performance Platform and cross-portfolio solutions. Steve has been with Riverbed since 2014. Prior to joining Riverbed, Steve led product marketing for HP's campus networking product lines. At HP he held engineering, product management roles, and product marketing roles. He has more than 12 years of experience in the networking industry. Steve graduated with a BS in Computer Science & Engineering from the University of California, Davis. He is currently based in San Francisco, California.

Author Email 

Twitter Link  

LinkedIn Link

Edited by Mandi Nowitz

Click here to share your opinion – Would color of equipment influence your purchasing decision, one way or another?

Featured Blog Entries

Day 4, Cisco Live! - The Wrap

Day 4 was the final day of our first ever Cisco Live! We had a great show, with many great conversations and new connections with existing and potential end users, resellers, partners and job hunters.

Day 3, Cisco Live!

Day 3 of Cisco Live is history! For Fiber Mountain, we continued to enjoy visits from decision makers and influencers who were eager to share their data center and structured cabling challenges.

Day 2, Cisco Live!

Tuesday was Day 2 of Cisco Live for Fiber Mountain and we continued to experience high levels of traffic, with many high value decision makers and influencers visiting our booth. One very interesting difference from most conferences I attend is that there are no titles on anyone's show badges. This allows open conversations without people being pretentious. I think this is a very good idea.

Day 1, Cisco Live!

Fiber Mountain is exhibiting at Cisco Live! In Las Vegas for the first time ever! Our first day was hugely successful from just about any perspective - from quantity and quality of booth visitors to successful meetings with customers.

Industry News