
Defining the SD-Branch

By John Maddison | July 08, 2019

One of the most important aspects of digital transformation is that it is a continual process. And most people don’t realize that it has been underway for several years, probably beginning when organizations decided to let users have access to the internet. Since then there have been several huge transformational movements, including the growth of application-layer traffic; the rapid adoption of BYOD and IoT; the transition of the datacenter to a virtualized infrastructure; and all of the clouds: private, public, hybrid, and multi-cloud.

One of the most recent places in the network that organizations have begun to fold into their new digital business infrastructure is the branch office. To continue to compete effectively, retailers, insurance companies, and large enterprises with a distributed workforce need to give their remote users the same applications and functions they enjoy at corporate offices, such as unified communications and cloud-based SaaS solutions like Office 365 and Salesforce.

Start with SD-WAN

This process has begun with the recent move to adopt SD-WAN as a way to replace static and often costly fixed-line connections with a more intelligent and dynamic solution. The applications organizations now rely on are spread across a variety of locations and have different bandwidth and latency requirements. Unlike a traditional WAN router, an SD-WAN device can identify those applications and who is accessing them, and can dynamically change routing paths and transport mechanisms to keep the application usable. Likewise, the security applied to SD-WAN connections needs to not only protect the traffic but also adapt automatically as paths change.

However, as SD-WAN has been deployed, many organizations have realized that they need to extend its security into the branch itself. Most branch offices have always had their own local networks that connect users and devices to the core network over the WAN link. But today's branch networks include a growing number of IoT and end-user devices, many of them BYOD. Because backhauling today's application traffic to the data center can overwhelm both the WAN links and the networking devices, most of these devices now need a direct link to the internet and to cloud-based SaaS applications in addition to a secure connection to the corporate network. Every one of those direct links is an edge that has to be secured locally rather than at the core.

Integrate Security and Networking

This shift in the branch architecture, especially the growth of cloud applications and IoT devices, introduces a number of networking and security challenges that traditional branch networks and solutions cannot adequately address. From a networking perspective, this means managing things like QoS and bandwidth consumption. From a security perspective, it means maintaining access control; identifying, tracking, and monitoring networked devices; analyzing traffic; and detecting advanced malware from attackers who see the traditionally less protected branch office as their way in.

The challenge is that these things can be difficult, if not impossible, to implement given that there are often no IT personnel at these remote locations, and that most of this functionality can no longer be delivered or controlled by traditional remote network devices such as integrated services routers.

Because security is at the core of maintaining the viability and integrity of branch offices, organizations need to start with a security-driven strategy. That way, as the network scales and changes to meet new business and application requirements, security can adapt automatically without requiring configuration or policy intervention from the IT team.

Key Elements of the SD-Branch

Building an SD-Branch requires the following critical elements:

  • Network Edge protection: A next-generation firewall is an ideal foundational component for secure SD-Branch deployments. An NGFW needs to be able to extend security from the SD-WAN connection to the wired and wireless access layer to ensure that all inbound and outbound traffic, including the direct internet and cloud links generated by individual devices, is inspected and secured at line rate, including TLS-encrypted traffic, which means the NGFW must be sized to decrypt and inspect it rather than pass it through uninspected.

However, not all NGFW solutions can meet the requirements of today’s branch offices. For example, an NGFW designed for branch deployments should also offer consolidated security and network access controls. And like all other SD-Branch components, it needs to also support zero-touch provisioning so it can be quickly installed and be fully operational in a matter of minutes.

  • Access protection: Secure access points are the other critical element for protecting the SD-Branch network edge. Wi-Fi APs need to provide adequate capacity and throughput to keep up with expanding bandwidth needs, while switches need to support higher speeds and larger PoE budgets to run even the most power-hungry IoT devices.
  • Device Edge protection: The other critical component of an SD-Branch solution is providing per-device security. The proliferation of IoT devices at the branch represents a significant threat to organizations and must be properly identified and segmented. A network access control solution should provide automatic discovery, classification, and security for IoT devices as they enter the network, including intent-based segmentation. But its role shouldn’t end there.

NAC solutions, often in coordination with the NGFW, should also continuously monitor these devices for anomalous behavior through traffic analysis, so that the security solution can not only detect bad device behavior but also respond by dynamically moving those devices into a segment for quarantine and remediation.

  • Zero-Touch provisioning: As mentioned earlier, zero-touch deployment is a table-stakes requirement of an SD-Branch solution, allowing new branch environments to be rolled out quickly, even without IT staff on-site. Likewise, integrated management through a single-pane-of-glass console simplifies enterprise branch deployments by centralizing and automating things like configuration updates, patching, remote management and analysis, and policy updates.
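The device-edge workflow described above (discover and classify a device as it joins, place it in a segment by intent, keep watching its traffic, and quarantine it when it misbehaves) is easier to reason about in code. The following is an added illustration, not code from this post or from any Fortinet product: the OUI table, the per-class intent policy, the subnets, the quarantine VLAN number, and the flow records are all constructed, and the two detection rules (a flow outside the class policy, and scan-like fan-out to many hosts) are deliberately simple stand-ins for what a real NAC/NGFW pairing would apply.

```python
"""Toy NAC for a branch: classify devices as they join, place them in a VLAN
by intent, then watch flow records and quarantine devices that leave their
lane. Added illustration, not Fortinet's code; OUIs, subnets and the flow
records are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical intent policy: per device class, the VLAN it lands in and the
# destinations (network, allowed dst ports or None for any) it may initiate to.
POLICY = {
    "ip-camera":   {"vlan": 30,  "allowed": [("10.0.30.10/32", {554, 443}),   # NVR
                                             ("10.0.0.53/32", {53, 123})]},   # DNS/NTP
    "printer":     {"vlan": 20,  "allowed": [("10.0.0.53/32", {53, 123})]},
    "workstation": {"vlan": 10,  "allowed": [("0.0.0.0/0", None)]},           # any
    "unknown":     {"vlan": 999, "allowed": [("10.0.0.53/32", {53})]},        # DNS only
}
QUARANTINE_VLAN = 666
SCAN_THRESHOLD = 8   # distinct destination hosts before we call it a scan

# Constructed OUI -> class table (placeholder prefixes, not real vendor OUIs).
OUI_CLASS = {"00:11:22": "ip-camera", "aa:bb:cc": "printer", "de:ad:be": "workstation"}


@dataclass
class Device:
    mac: str
    ip: str
    cls: str
    vlan: int
    state: str = "active"
    reasons: list = field(default_factory=list)


def classify(mac: str) -> str:
    """Discovery/classification step: by OUI only here; a real NAC would also
    use DHCP fingerprints, LLDP, HTTP user agents and similar signals."""
    return OUI_CLASS.get(mac.lower()[:8], "unknown")


def admit(mac: str, ip: str) -> Device:
    """Device joins: classify it and assign the VLAN the intent policy dictates."""
    cls = classify(mac)
    return Device(mac=mac.lower(), ip=ip, cls=cls, vlan=POLICY[cls]["vlan"])


def flow_allowed(dev: Device, dst_ip: str, dst_port: int) -> bool:
    dst = ipaddress.ip_address(dst_ip)
    for net, ports in POLICY[dev.cls]["allowed"]:
        if dst in ipaddress.ip_network(net) and (ports is None or dst_port in ports):
            return True
    return False


def quarantine(dev: Device, reason: str) -> None:
    """Response step: move the device to the quarantine VLAN and record why."""
    if dev.state != "quarantined":
        dev.state, dev.vlan = "quarantined", QUARANTINE_VLAN
    dev.reasons.append(reason)


def monitor(devices: list, flows: list) -> dict:
    """Continuous monitoring over flow records 'src_mac src_ip dst_ip dst_port bytes'.
    Two checks: a flow outside the class policy, and scan-like fan-out."""
    by_mac = {d.mac: d for d in devices}
    fanout = {d.mac: set() for d in devices}
    for line in flows:
        src_mac, src_ip, dst_ip, dst_port, _ = line.split()
        dev = by_mac.get(src_mac.lower())
        if dev is None:
            continue  # unadmitted MAC: a real NAC would alert on this too
        fanout[dev.mac].add(dst_ip)
        if not flow_allowed(dev, dst_ip, int(dst_port)):
            quarantine(dev, f"{src_ip} -> {dst_ip}:{dst_port} outside {dev.cls} policy")
        if len(fanout[dev.mac]) == SCAN_THRESHOLD:   # fires once, at the crossing
            quarantine(dev, f"{src_ip} contacted {SCAN_THRESHOLD} hosts: scan-like")
    return {d.mac: (d.cls, d.vlan, d.state, d.reasons) for d in devices}


# Constructed join events and flow records for a small branch.
JOINS = [("00:11:22:33:44:55", "10.0.30.21"), ("AA:BB:CC:00:00:01", "10.0.20.5"),
         ("DE:AD:BE:EF:00:01", "10.0.10.15"), ("12:34:56:78:9A:BC", "10.0.99.7")]
FLOWS = [
    "00:11:22:33:44:55 10.0.30.21 10.0.30.10 554 91234",   # camera -> NVR: fine
    "aa:bb:cc:00:00:01 10.0.20.5 10.0.0.53 53 120",        # printer -> DNS: fine
    "de:ad:be:ef:00:01 10.0.10.15 93.184.216.34 443 8800", # workstation -> internet: fine
    "00:11:22:33:44:55 10.0.30.21 10.0.10.15 445 610",     # camera -> SMB on user VLAN: bad
    "12:34:56:78:9a:bc 10.0.99.7 10.0.0.53 53 98",         # unknown -> DNS: fine
] + [f"de:ad:be:ef:00:01 10.0.10.15 10.0.10.{h} 445 60"   # workstation sweeps SMB
     for h in range(2, 10)]


def run_example() -> dict:
    devices = [admit(mac, ip) for mac, ip in JOINS]
    return monitor(devices, FLOWS)


if __name__ == "__main__":
    for mac, (cls, vlan, state, reasons) in run_example().items():
        print(f"{mac} {cls:<12} vlan={vlan:<4} {state:<12} {reasons}")
```

Running it shows the two cases the post describes: the camera is quarantined on its first connection to a user workstation over SMB, because an IP camera has no business initiating that flow, and the workstation is quarantined by the fan-out rule even though its class policy allows any destination, which is the kind of behavioral check that catches a compromised host rather than a misplaced device. The unclassified device stays in its restricted VLAN because it only did DNS; in a real deployment that restricted VLAN, not quarantine, is the right place for something the NAC cannot yet identify.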


Digital transformation is driving an evolution at the enterprise branch. As services migrate to the cloud, and devices require direct links to the internet, more branch network edges are created. In addition to traditional end-user and networking devices, the branch is also seeing an explosion in connected IoT devices. All of these additional network entry points expand the potential attack surface, making security a greater concern than ever before.

Extending the integrated simplicity, visibility, and security of the best SD-WAN solutions to the branch allows remote users and networks to take advantage of digital transformation without introducing unnecessary risk. SD-Branch is the natural extension of SD-WAN: it simplifies the enterprise branch through centralized management and visibility while securing the branch network, IoT and end-user devices, and every direct-connection edge.

Read more about how to consolidate branch services while delivering security, agility, and performance with Fortinet's Security Fabric.

Find out how Fortinet’s Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface from IoT to the edge, network core and to multi-clouds.