October 5, 2020

Considerations for a branch office firewall

Organisations looking to upgrade or refresh a branch office firewall, or to deploy firewalls to new sites, need to consider several different elements. Let's walk through the major factors to consider for a branch firewall and why organisations should consider SD-WAN, and more recently Secure Access Service Edge (SASE), as part of their next generation of branch network security.

What is branch office network security?

Organisations today work at scale, across multiple locations with branch offices, mobile users and regional hubs all requiring access to cloud services and corporate data. With a distributed workforce across so many locations, the need to maintain security across remote offices, users and corporate data arises.

Branch office network security is the challenge of protecting corporate data and users from security threats such as malicious sites, malware, and ransomware by enforcing the right security controls.

Challenges of branch network security

  • Bandwidth requirements, per user and application
  • Cloud applications such as Office 365, Google G Suite, Salesforce, and Zoom
  • Constant internet availability without interruptions
  • Lack of IT staff at remote offices to monitor and maintain network security
  • Maintaining quality of service across all sites, applications, and cloud services
  • Visibility of users, activity, and threats across all locations
  • Wide area networks interconnecting branch offices, regional hubs and data centers

Importance of branch network security

Branch office networks are typically the most neglected part of the network, whilst being the most important in terms of carrying out business transactions and generating profits for the company. To put that in perspective: the branch is often the least secure part of the network, yet the most important in terms of generating an organisation's revenue.

With organisations operating at scale, IT staff are often centralised in headquarters or regional hubs, whilst the branch office is supported remotely. The organisation's data is centralised in systems at headquarters, in the data center or in the cloud. Therefore most of the effort is placed on securing these locations, as that's where the data is. Meanwhile, branch offices with no local IT staff lack visibility of security vulnerabilities.

A compromised branch office could leak important confidential company or customer data, as has often been the case with compromised point-of-sale systems in many major high-profile cases, or be used as a pawn in an advanced persistent threat such as island hopping, where the attack starts from a compromised remote endpoint and slowly makes its way through to important central systems.

Therefore, regardless of size, branch offices need enterprise-grade network security, and a firewall alone is often not enough.

How to secure branch offices

Traditionally, a firewall is placed at each location, requiring on-site deployment, policy configuration, ongoing maintenance and monitoring. This is usually where things start to fall apart. Smaller organisations may overlook investing in branch network security at all, trusting that the basic router and firewall provided by their ISP, combined with endpoint security such as anti-virus, is enough to protect them. In larger organisations, as we've seen, all the resources are focused on protecting centralised data, so there is often little investment in centralised policy control, monitoring and maintenance of the remote branch office locations.

Organisations expect that securing branch offices should be as simple as deploying a firewall. Unfortunately, this is just not the reality, or is it? Enter SD-WAN, a new approach to managing wide area networks through zero-touch provisioning, centralised management and control. It is gaining popularity for its ability to help organisations reduce the cost of expensive MPLS leased lines by moving to low-cost broadband internet connections, often load balanced across multiple low-cost connections for increased bandwidth and availability, with quality of service controls to compensate for the service levels previously offered by MPLS.

However, SD-WAN doesn't solve the branch office security problem completely, because it lacks security features such as web filtering, intrusion prevention, anti-malware and protection against zero-day attacks. For this you will need to apply Secure Access Service Edge (SASE) as an integrated approach to delivering a secure branch office SD-WAN. Delivered as a service, a SASE SD-WAN solution provides complete security and control, centralised across all branch office locations, for internet traffic and east-west communications across the WAN.

An SD-WAN solution with SASE built in, like the ICG Asia SD-WAN, leverages the cloud to centrally enforce security policies and eliminate the need for IT to manually manage and maintain individual firewalls across many branch office locations.

Advantages of SD-WAN vs branch office firewall

  • Minimise hardware costs with less capital expense for acquiring, upgrading and replacing on-premise equipment.
  • Reduce management complexity with unified policy management across all sites that can be easily customized as needed, saving hours of tweaking configurations and policies for each device.
  • Offer highly adaptive protection: unlike appliances that need to go through software updates, security services are seamlessly upgraded in the background with new capabilities, and threat countermeasures are developed and quickly deployed to keep defenses up to date.
  • ICG Asia's SD-WAN eliminates dedicated branch office equipment such as UTMs, Firewalls and WAN optimization appliances. ICG Asia protects all connected locations and seamlessly scales to secure all traffic, without the need for unplanned hardware upgrades and resource-intensive software patches. ICG Asia delivers continuous, up-to-date protection without any customer involvement.
  • Post pandemic, organisations have put a strong focus on enabling secure remote work, meaning investments in scaling a VPN gateway or next generation firewall. ICG Asia's SD-WAN scales VPN connections through the cloud with over 50 global PoPs, providing a low-latency VPN connection that's closest to your remote users.

Learn more about the ICG Asia SD-WAN solution and visit our SD-WAN cost calculator to help guide your purchasing decision.
