HPE Aruba Networking Blogs

Four main benefits of replacing branch firewalls with secure SD-WAN

Nowadays, a secure SD-WAN integrates advanced SD-WAN features with built-in next-generation firewall capabilities such as Deep Packet Inspection (DPI), IDS/IPS and micro-segmentation, allowing organizations to replace legacy branch firewalls. Even though the security features of a secure SD-WAN are often equivalent to those of a legacy firewall, a secure SD-WAN offers additional benefits that a firewall cannot provide, accelerating the retirement of legacy firewalls in branches.

The benefits of replacing a branch firewall with a secure SD-WAN include:

1. Hardware consolidation at the branch

Branch offices often must deal with a multitude of disparate network and security equipment including firewalls, routers and WAN optimization devices. A secure SD-WAN not only includes advanced next-generation firewall features but also a router that allows organizations to steer traffic based on business intent, prioritizing the traffic of mission-critical applications, rather than relying on IP addresses and routing tables alone. Additionally, a secure SD-WAN integrates WAN optimization capabilities to reduce the effect of network latency, using TCP protocol acceleration and data compression techniques.

By removing firewalls, routers and WAN optimization devices, branch offices can move to a lean network architecture, using a single appliance that is centrally managed. This simplifies and accelerates deployment and ongoing management of the network without the need for IT staff onsite. A secure SD-WAN can even be installed as a virtual appliance, further reducing the hardware footprint. As a result, organizations are able to reduce power consumption and improve sustainability through significant energy savings, achieved across dozens or even hundreds of branch locations.

2. Consistent security policy across the LAN and WAN

Legacy firewalls are configured manually, which is inefficient and prone to errors. Consequently, security policies are not enforced consistently across branches, leading to increased cybersecurity risks. Additionally, branch offices lack trained personnel to configure firewalls locally.

A secure SD-WAN uses an end-to-end approach. Network and security policies are centrally configured and pushed to branches through zero-touch provisioning. Within minutes, secure SD-WANs are updated with the proper security policies across the entire fabric, eliminating misconfigurations. They form an end-to-end logical firewall that is centrally administered. A secure SD-WAN can even extend segmentation from the LAN to the WAN, ensuring that the traffic remains isolated anywhere on the network.

3. A solid foundation for SASE and Zero Trust

SASE (Secure Access Service Edge) combines SD-WAN with cloud-delivered security services (SSE), allowing users to connect from anywhere and access sensitive data in the cloud. By implementing a secure SD-WAN that tightly integrates with multiple SSE solutions, organizations can implement a best-of-breed SASE architecture without compromising on networking or security. A secure SD-WAN locally enforces security based on advanced next-generation firewall capabilities including IDS/IPS and deep packet inspection. It also automatically steers traffic to SSE solutions to add ZTNA (Zero Trust Network Access), SWG (Secure Web Gateway) or CASB (Cloud Access Security Broker) capabilities.

An advanced secure SD-WAN can even go beyond SASE to secure IoT devices and implement a Zero Trust network. IoT devices are indeed difficult to secure because they cannot run a security agent. An advanced secure SD-WAN can segment the traffic based on identity and context so that users and IoT devices reach destinations consistent with their role in the business.
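The two ideas above, a single centrally compiled policy that every branch enforces identically on the LAN and WAN side (section 2), and role- and context-based segmentation that confines an agentless IoT device to the destinations its role needs (this section), can be shown in a small policy model. This is an added illustration, not EdgeConnect code or any vendor's policy language; the role names, destination groups and prefixes are constructed, and the first-match, default-deny rule ordering is one reasonable way to compile such intent.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed central intent (role names and prefixes are hypothetical).
# Each role lists the destination groups it may reach; anything not listed is
# denied by default, which is what keeps an agentless IoT device away from the
# rest of the branch and the data center.
DESTINATION_GROUPS = {
    "datacenter":      [ip_network("172.16.0.0/12")],
    "branch-lan":      [ip_network("10.0.0.0/8")],
    "camera-recorder": [ip_network("10.50.5.0/24")],
    "internet":        [ip_network("0.0.0.0/0")],
}
INTENT = {
    "employee":   ["datacenter", "branch-lan", "internet"],
    "iot-camera": ["camera-recorder"],
    "guest":      ["internet"],
}
# Internal address space that an "internet" grant must never implicitly cover.
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    role: str
    dst: IPv4Network
    action: str          # "allow" or "deny"


@dataclass
class Policy:
    version: int
    rules: list = field(default_factory=list)

    def evaluate(self, role, dst):
        """First matching rule wins; no match at all means deny."""
        ip = ip_address(dst)
        for rule in self.rules:
            if rule.role == role and ip in rule.dst:
                return rule.action
        return "deny"


def compile_policy(intent, version):
    """Turn role-based intent into an ordered first-match rule list: specific
    internal grants first, then an explicit deny of all private space for any
    role that gets internet access, then the internet catch-all."""
    policy = Policy(version)
    for role, groups in intent.items():
        for group in groups:
            if group != "internet":
                for net in DESTINATION_GROUPS[group]:
                    policy.rules.append(Rule(role, net, "allow"))
        if "internet" in groups:
            for net in PRIVATE:
                policy.rules.append(Rule(role, net, "deny"))
            policy.rules.append(Rule(role, ip_network("0.0.0.0/0"), "allow"))
    return policy


def distribute(policy, branches):
    """Model zero-touch push: every branch receives the same compiled version.
    LAN-side and WAN-side enforcement at a branch consult this one object."""
    return {branch: policy for branch in branches}


def verdicts_across_fabric(fabric, role, dst):
    """Verdict per branch for one flow; identical values show consistent policy."""
    return {branch: policy.evaluate(role, dst) for branch, policy in fabric.items()}


if __name__ == "__main__":
    fabric = distribute(compile_policy(INTENT, version=1), ["branch-a", "branch-b"])
    for role, dst in (("iot-camera", "10.50.5.20"), ("iot-camera", "10.10.1.5"),
                      ("guest", "10.10.1.5"), ("employee", "172.16.40.2")):
        print(role, dst, verdicts_across_fabric(fabric, role, dst))
```

The explicit private-space deny before the internet catch-all matters: without it, a guest's "internet" grant of 0.0.0.0/0 would silently include every internal prefix, which is exactly the kind of misconfiguration that per-branch manual firewall edits tend to produce.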

4. Improved SaaS performance and support for multi-cloud architecture

A secure SD-WAN can securely steer traffic to the cloud without backhauling it to the data center, greatly improving application performance. Based on first-packet identification, traffic from trusted applications such as Microsoft 365 is sent directly to the cloud, while only untrusted traffic is sent to a data center or to an SSE (Security Service Edge) solution for security inspection. The solution also optimizes SaaS traffic by selecting the best path based on jitter and packet loss and by using the shortest path to the closest point of presence. An advanced secure SD-WAN can also be deployed in cloud providers such as Microsoft Azure, AWS and Google Cloud to accelerate the traffic from the branch to the cloud provider.
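The steering decision described above has three parts: identify the application from the first packet, map it to a business-intent class that says where the flow goes (direct breakout, SSE inspection, or data-center backhaul), and pick the underlay whose measured loss and jitter meet that class's needs, preferring the closest point of presence. The following is an added example that models those three steps; it is not EdgeConnect's algorithm. The prefix-to-application table, the intent thresholds, the link measurements and the PoP latencies are all constructed (the prefixes are documentation ranges, not any SaaS provider's addresses), and a real appliance would refresh the application table from a continuously updated feed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed first-packet classification table: destination prefix -> app.
# Documentation ranges are used here; they are not any vendor's real addresses.
APP_PREFIXES = [
    (ip_network("203.0.113.0/24"), "m365"),
    (ip_network("198.51.100.0/24"), "video-conf"),
]
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
APP_CLASS = {"m365": "trusted-saas", "video-conf": "realtime"}

# Business intent per traffic class (hypothetical thresholds):
#   direct     = local breakout straight to the cloud
#   sse        = send to the nearest SSE point of presence for inspection
#   datacenter = backhaul over the fabric to the data center
INTENT = {
    "trusted-saas": {"handling": "direct",     "max_loss": 0.010, "max_jitter_ms": 30},
    "realtime":     {"handling": "direct",     "max_loss": 0.005, "max_jitter_ms": 10},
    "internal":     {"handling": "datacenter", "max_loss": 0.010, "max_jitter_ms": 30},
    "untrusted":    {"handling": "sse",        "max_loss": 0.020, "max_jitter_ms": 50},
}

# SSE points of presence and their measured latency from this branch (constructed).
SSE_POPS_MS = {"pop-east": 12.0, "pop-west": 35.0}


@dataclass(frozen=True)
class Link:
    name: str
    loss: float          # fraction of packets lost; 0.01 == 1 %
    jitter_ms: float
    latency_ms: float


@dataclass(frozen=True)
class Decision:
    app: str
    traffic_class: str
    handling: str
    link: str
    pop: Optional[str]   # chosen SSE PoP, only for "sse" handling
    degraded: bool       # True when no link met the class thresholds


def classify_first_packet(dst):
    """Identify the application and traffic class from the first packet's
    destination address; unknown public destinations are treated as untrusted."""
    ip = ip_address(dst)
    for net, app in APP_PREFIXES:
        if ip in net:
            return app, APP_CLASS[app]
    if any(ip in net for net in PRIVATE):
        return "internal", "internal"
    return "unknown", "untrusted"


def select_link(links, max_loss, max_jitter_ms):
    """Lowest-latency link that meets the loss and jitter thresholds; if none
    does, fall back to the least lossy link and flag the decision as degraded."""
    eligible = [l for l in links if l.loss <= max_loss and l.jitter_ms <= max_jitter_ms]
    if eligible:
        return min(eligible, key=lambda l: l.latency_ms), False
    return min(links, key=lambda l: (l.loss, l.jitter_ms)), True


def steer(dst, links):
    """Full decision for one new flow: classify, apply intent, pick path and PoP."""
    app, traffic_class = classify_first_packet(dst)
    intent = INTENT[traffic_class]
    link, degraded = select_link(links, intent["max_loss"], intent["max_jitter_ms"])
    pop = min(SSE_POPS_MS, key=SSE_POPS_MS.get) if intent["handling"] == "sse" else None
    return Decision(app, traffic_class, intent["handling"], link.name, pop, degraded)


# Constructed per-link measurements for one branch (MPLS, broadband and LTE).
BRANCH_LINKS = [
    Link("mpls",      loss=0.000, jitter_ms=2.0,  latency_ms=40.0),
    Link("broadband", loss=0.002, jitter_ms=12.0, latency_ms=15.0),
    Link("lte",       loss=0.030, jitter_ms=45.0, latency_ms=60.0),
]

if __name__ == "__main__":
    for dst in ("203.0.113.10", "198.51.100.5", "172.16.3.4", "192.0.2.44"):
        print(dst, steer(dst, BRANCH_LINKS))
```

With these numbers the trusted SaaS flow breaks out over the low-latency broadband link, the real-time flow lands on MPLS because broadband's jitter exceeds the tighter 10 ms budget, and an unknown public destination is routed to the nearest SSE PoP for inspection rather than straight to the internet. The `degraded` flag is worth surfacing in monitoring: a branch whose flows keep falling back to the least-bad link is either over-committing its circuits or seeing a transport problem.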

Aruba EdgeConnect is a secure SD-WAN solution that enables organizations to safely replace branch firewalls. It includes advanced SD-WAN, routing and WAN optimization capabilities paired with a next-generation firewall that provides security features such as deep packet inspection, IDS/IPS, and DDoS protection. It also supports role-based micro-segmentation and extends it to the WAN. The solution is centrally orchestrated, enforcing consistent security policies across the LAN and WAN. It tightly integrates with multiple SSE solutions such as Zscaler or Netskope to build a best-of-breed SASE architecture. Additionally, Aruba EdgeConnect combines and optimizes any transport links including MPLS, internet and 5G and builds encrypted IPsec tunnels across the entire fabric. It supports a multi-cloud architecture by intelligently steering traffic to the cloud and can be deployed in any of the main cloud providers including AWS and MS Azure.

If you want to learn more, watch my lightboard video about replacing branch firewalls with a secure SD-WAN.

Other resources:

Aruba EdgeConnect SD-WAN Web page

What is a secure SD-WAN?

What is SASE?