Industry Trends

Five Essentials for Your SD-Branch Security Deployments

By Fortinet | December 09, 2019

This is a summary of an article written for eWeek. The entire article can be accessed here.

With digital transformation initiatives in full swing, many enterprises are now focusing their change efforts on their local branch networks. Among their very first steps in this direction is to enable faster cloud adoption and expand their WAN edge operations.

Software-defined wide-area networking (SD-WAN) has played a critical role in helping bring local branches into the digital fold. On paper, this is good news for business leaders. But extending core networking strategies to local branch networks is risky. For example, the growing number of connected IoT and end-user devices needing network access has immensely increased the potential attack surface of branch offices. At the same time, business-critical applications running over broadband internet connections expose critical data to interception or disruption. 

To rectify these challenges, many organizations have taken the approach of deploying a multitude of different point security products at their branch. Unfortunately, this often creates more challenges than it solves, resulting in isolated management systems and complex deployment and optimization requirements – issues compounded by limited IT staff at branch locations. Importantly, this fractured set of security solutions being applied to the WAN also limits network visibility.

5 Best Practices for Managing SD-Branch Security 

To address these challenges, expanding organizations need a comprehensive strategy that’s specifically designed to secure local branch networks. An SD-branch architecture that is automated and centrally managed through a software-centric platform is the answer. Here are five best practices for managing SD-Branch edge security deployments.

1. Protect Network Edges

Devices may encrypt data for its journey to the internet or the cloud, but that data still needs to be inspected and secured – and at digital speeds. A next-generation firewall (NGFW) is ideal for securing SD-branch deployments because it provides security between wired/wireless access controllers and the SD-WAN, thus securing all traffic including direct and indirect cloud links. However, NGFWs are notoriously slow at decrypting and inspecting traffic. So when looking at an NGFW solution for your branch, decryption and inspection performance numbers are critical.

2. Protect Device Edges

Branches tend to have an abundance of IoT devices on hand, making branch security even more complex and challenging. And within today’s connected business environment, the number of connected IoT and end-user devices continues to grow – and with each new addition, the risks are mounting. To corral this proliferation and ensure security, security teams need a network access control (NAC) solution that automates several key functions, enabling every device to be categorized, segmented, monitored, and secured. Managing these critical functions with a comprehensive NAC tool gives teams a fighting chance in their fight against IoT-based threats.

3. Secure and Protect Access

It’s just as critical to protect your SD-branch network edge as it is to protect your WAN connections. SD-Branch networks require secure access points, including wireless access points and switches, that can also leverage the power of an NGFW to secure the WLAN edge. Beyond security, these access points also need the capacity to keep up with growing bandwidth requirements.

4. Monitor Your Devices

Your network access controls need to empower you to scan device traffic for abnormal behavior. These capabilities should also tie back into your firewall, which can then perform an on-the-spot quarantine-and-fix response should anomalous behavior be detected.

5. Demand Zero-Touch Provisioning

Security teams need to be able to roll out new branch locations quickly and without having to be on-site. And once things are up and running, IT staff should be able to manage security and networking functions remotely via a single console. It should also centralize, automate, and federate these important security functions across the entire distributed enterprise.


Expanding an organization’s digital strategy to its branch offices shouldn’t include compromising security. However, local branch networks require integrated security solutions designed to meet their specific challenges, such as rapid IoT adoption. Without an integrated approach to SD-branch architecture security, organizations are under-preparing themselves against the increasingly sophisticated cyber threats they face.

This is a summary of an article written for eWeek. The entire article can be accessed here.

Find out how you can consolidate branch services while delivering security, agility, and performance with Fortinet SD-Branch.

Read these customer case studies to see how Warrior Invictus Holding Co., Inc. and the District School Board of Niagara implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.