A number of branch network security suppliers are touting their abilities to add software-defined WAN capabilities to their firewall platforms. In the meantime, SD-WAN suppliers continue to improve their native network security capabilities.
Organizations must carefully evaluate their security and WAN requirements, as they select the appropriate architecture for their unique branch network needs. Many will continue to use SD-WAN and firewalls at their branch locations, making integration between these platforms essential.
What is a firewall?
In the context of a branch network, the firewall is responsible for identifying and blocking suspicious traffic to and from the branch. Current-generation firewalls can be deployed either as an appliance or as software. They can detect and block attacks using traffic analysis by application, protocol or port.
The current generation of firewalls generally includes the following functionality:
Using deep packet inspection, the firewall can peer into plain or encrypted traffic to understand the context of internet-based traffic and block traffic that looks to exploit security vulnerabilities. Firewall management capabilities include fine-grained application, user control and centralized reporting consoles.
Branch security a top concern
The branch network is a key security concern, with the massive increases in internet traffic, due to the range of devices attached to the network — PCs, tablets, IP phones and point-of-sale systems, for example. Many branches also support internal and customer Wi-Fi traffic.
Increased exposure to the internet and to endpoint diversity provides new avenues for malicious actors to penetrate the network to access sensitive data. Lack of trained IT and security personnel at most branch locations means security appliances must be easy to deploy and allow central management. Security appliances should route suspicious traffic to centralized or cloud-based security systems.
Firewall suppliers add SD-WAN functionality
The firewall market is highly competitive, with each supplier looking to add features to differentiate their offerings. In addition to continually introducing features to counter new security threats, many firewall suppliers have added networking functionality — including routing, unified communications, VoIP and Wi-Fi — to their products. Most firewall products already have a measure of application awareness, so basic SD-WAN functionality is a natural evolution.
In 2018, a number of firewall suppliers announced their entry into the SD-WAN space. They typically have added SD-WAN features to their existing firewall appliance or software, which is available to their installed base with a software upgrade — usually for an additional fee.
Firewall suppliers that have announced SD-WAN capabilities include Fortinet, SonicWall, WatchGuard, Forcepoint and Barracuda Networks. Cisco is working to increase the integration between its firewall and SD-WAN offerings, as a leading supplier of both network security and branch network products.
Another avenue to SD-branch
Software-defined branch (SD-branch) is defined as having network security, SD-WAN, routing, WAN optimization, LAN and Wi-Fi functions with integrated, centralized management for branch locations. SD-branch consolidates multiple software functions and appliances into an easy-to-deploy platform that can be centrally managed.
SD-branch platforms are becoming more popular, as network security and SD-WAN vendors deliver more mature options. SD-branch suppliers include Cisco, Cradlepoint, Fortinet, Riverbed, Versa Networks and WatchGuard.
SD-WAN products provide basic security for internet traffic, and most have the ability to identify suspicious traffic flows. A key competitive feature for SD-WAN suppliers is their ability to improve their native network security features. Every SD-WAN provider has its proprietary methods for network security functionality, like whitelisting and traffic inspection, for example. Most offer basic firewall and VPN capabilities as standard features. Additional security options can include application identification, policy enforcement, content filtering and endpoint security.
Network security and SD-WAN partners
Network security and SD-WAN suppliers have natural incentives to work together to deliver more integrated products to their customers. Various levels of integration are possible between security and SD-WAN suppliers, including basic management integration. They can also integrate their sales and marketing efforts. The best partnerships will deliver high performance at low latency and provide highly integrated management consoles that quickly screen and identify potential security risks.
Below are a few examples of SD-WAN suppliers and their security ecosystems:
- Cisco (Viptela): Cisco Security, Symantec’s Blue Coat Systems, Palo Alto Networks and Zscaler.
- CloudGenix: Palo Alto, Symantec and Zscaler.
- Cradlepoint: Cisco, Trend Micro, Webroot and Zscaler.
- VMware (VeloCloud): Check Point, Palo Alto, Symantec and Zscaler.
Doyle Research expects the ecosystems between network security and SD-WAN suppliers to continue to expand during 2019, with deeper and more beneficial integration.
The final rundown
SD-WAN product sales continue to grow, as distributed organizations deploy the technology to improve application performance and control WAN costs. While network security intelligence is migrating to the cloud, most organizations will continue to rely on firewall security at the edge of their network.
Organizations should carefully evaluate their WAN and network requirements. Regulated industries with high security and compliance requirements and relatively low bandwidth needs may find that some firewalls can deliver adequate SD-WAN functionality. Other enterprises will discover that SD-WAN platforms deliver suitable network security at the branch, especially when combined with cloud-based network security intelligence.
Finally, many IT teams that continue to deploy both SD-WAN and firewall appliances at the branch will benefit from the improved integration between these platforms.