Four reasons to replace your branch firewall with an advanced secure SD-WAN

There was a time when SD-WAN solutions focused only on WAN virtualization, with little consideration for security. Advanced secure SD-WAN solutions have emerged to fill this gap with comprehensive threat protection capabilities. In fact, the security functions now supported on the most advanced SD-WAN platforms enable customers to retire dedicated branch firewalls entirely and further simplify the branch WAN infrastructure.

With network architectures shifting to the cloud, branch offices must tackle new security challenges as the network grows more complex and more users connect from outside the security perimeter. At the same time, enterprises want more flexibility to cope with the growing number of cloud applications and to open new branches or introduce new applications more quickly. Traditional network infrastructure based on MPLS, routers, and firewalls cannot keep up with this trend because of its rigidity, cost, and complexity, and because it was never designed for the cloud.

That’s why advanced SD-WAN solutions have incorporated next-generation firewall capabilities, allowing organizations to perform simple and quick deployments without compromising security. These solutions combine the flexibility of SD-WAN virtual overlays with firewall capabilities, providing security across the LAN, the WAN, and into the cloud. With these advanced solutions, network administrators can:

  • Create zones and restrict access between zones to segment the network based on identity and role
  • Detect and prevent intrusions and DDoS attacks
  • Perform deep packet inspection and filter packets based on applications
  • Monitor the full state of active network connections
  • Secure connections through data encryption
  • Tightly integrate with security functions best performed in the cloud such as SWG, CASB and ZTNA
  • Log security events and much more

In this blog, we’ll cover four reasons why you should replace your branch firewalls with an advanced SD-WAN to fully embrace the cloud-first era and modernize both your network and security architectures.

Reason #1: An advanced SD-WAN can deliver comprehensive security services

Advanced SD-WAN solutions incorporate next-generation capabilities such as deep packet inspection, intrusion prevention, DDoS protection, application and access control through identity-based policies, and event logging.

Intrusion prevention typically monitors network traffic for patterns that match a known attack signature. When an intrusion is detected, the system applies an action such as inspect, drop, or allow. In the event of a DDoS attack, an advanced SD-WAN solution limits the number of malicious requests with actions such as rapid aging, drop excess, and block source. Security event logs can be filtered and viewed across the entire SD-WAN fabric to analyze events that require further investigation.
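To make the DDoS actions above concrete, here is an added example (not Aruba EdgeConnect code) of per-source rate limiting: each source gets a token bucket sized for a normal burst, packets beyond the burst are dropped ("drop excess"), a source that keeps exceeding it is blocked for a period ("block source"), and idle state is aged out so the tracking table cannot grow without bound ("rapid aging"). The rates, thresholds, and addresses are constructed for the example.

```python
"""Per-source rate limiting with 'drop excess', 'block source' and 'rapid aging'.

Added illustration, not Aruba EdgeConnect code. Rates, thresholds and
addresses below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class SourceState:
    tokens: float            # remaining burst credit for this source
    last_seen: float         # time of the last packet, used for refill and aging
    excess_drops: int = 0    # packets dropped since the last block expired
    blocked_until: float = 0.0


class SourceRateLimiter:
    def __init__(self, rate_pps, burst, block_after, block_seconds, idle_seconds):
        self.rate = rate_pps              # sustained packets per second allowed
        self.burst = burst                # bucket capacity
        self.block_after = block_after    # excess drops before the source is blocked
        self.block_seconds = block_seconds
        self.idle_seconds = idle_seconds  # rapid-aging threshold
        self.sources = {}

    def check(self, src, now):
        """Return the action for one packet from src: 'allow', 'drop' or 'block'."""
        st = self.sources.get(src)
        if st is None:
            st = self.sources[src] = SourceState(tokens=self.burst, last_seen=now)
        if now < st.blocked_until:
            st.last_seen = now
            return "block"
        if st.blocked_until:                  # block has expired: start over
            st.blocked_until = 0.0
            st.excess_drops = 0
        # Refill the bucket for the time elapsed, capped at the burst size.
        st.tokens = min(self.burst, st.tokens + self.rate * (now - st.last_seen))
        st.last_seen = now
        if st.tokens >= 1:
            st.tokens -= 1
            return "allow"
        st.excess_drops += 1                  # drop excess ...
        if st.excess_drops >= self.block_after:
            st.blocked_until = now + self.block_seconds   # ... then block source
            return "block"
        return "drop"

    def age_out(self, now):
        """Rapid aging: forget unblocked sources idle longer than idle_seconds."""
        stale = [s for s, st in self.sources.items()
                 if now >= st.blocked_until and now - st.last_seen > self.idle_seconds]
        for s in stale:
            del self.sources[s]
        return len(stale)


def simulate():
    """Constructed scenario: one source floods at t=0, another behaves normally."""
    lim = SourceRateLimiter(rate_pps=10, burst=20, block_after=5,
                            block_seconds=60, idle_seconds=30)
    counts = {"allow": 0, "drop": 0, "block": 0}
    for _ in range(25):                                   # 25 packets in the same instant
        counts[lim.check("198.51.100.7", 0.0)] += 1
    still_blocked = lim.check("198.51.100.7", 1.0)        # inside the block window
    other = lim.check("198.51.100.8", 1.0)                # unrelated source unaffected
    aged = lim.age_out(40.0)                              # idle .8 aged out, blocked .7 kept
    recovered = lim.check("198.51.100.7", 100.0)          # block expired, bucket refilled
    return counts, still_blocked, other, aged, recovered


if __name__ == "__main__":
    print(simulate())
```

The flood of 25 packets yields 20 allows, 4 drops, and a block on the fifth excess packet; the blocked source stays blocked for the configured window while other sources are unaffected, and the idle source is aged out of the table before the blocked one.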

To provide flexibility in connecting remote branches, SD-WAN combines heterogeneous links such as MPLS, internet, and 5G. However, unlike MPLS, internet and 5G links are not inherently secure. To secure them, an advanced SD-WAN solution builds IPsec tunnels with AES 256-bit encryption across the entire SD-WAN fabric, protecting branch offices from potential data breaches. When SD-WAN virtual appliances are deployed in public clouds, IPsec tunnels are created there as well, extending corporate security policies to the cloud.

Finally, an advanced SD-WAN enforces security policies across the entire fabric by automatically propagating policy changes to branch offices through central orchestration.

Unlike branch firewalls, an advanced SD-WAN solution not only provides advanced threat protection but also secures untrusted links and seamlessly enforces security policies across branch offices.

Reason #2: An advanced SD-WAN helps simplify local operations

In traditional router-based environments, local branches must deal with a sprawl of network and security equipment accumulated over the years. Additionally, local branches often lack experienced IT staff to install and maintain this equipment.

Not only does an advanced SD-WAN solution integrate a next-generation firewall, but it also includes WAN capabilities such as routing and WAN optimization, so that organizations can consolidate their equipment into a single appliance. It increases IT efficiency by consolidating network and security management in a single console instead of supporting multiple disparate management tools.

An advanced SD-WAN is easy to deploy with zero-touch provisioning: no experienced IT staff is required locally, because configuration and security policies are pushed to branches automatically. New branch offices are set up quickly and easily, and security policy changes can be distributed automatically to hundreds or thousands of branches in minutes while minimizing errors.

Unlike branch firewalls, an advanced SD-WAN solution relies on a thin branch model that is easy to deploy, flexible, and secure.

Reason #3: An advanced SD-WAN fully supports cloud-first organizations

Traditionally, organizations routed traffic to a data center for security inspection. As organizations have moved most of their applications to the cloud and increasingly use cloud applications like Microsoft 365, Salesforce, or RingCentral, sending the traffic back to the data center negatively impacts application performance.

An advanced SD-WAN can break out cloud application traffic locally, eliminating inefficient backhaul to the data center. It automatically steers traffic to the internet based on business policies by identifying applications on the first packet, which greatly improves performance, and hence user experience. For example, trusted cloud applications, as defined by the organization’s security policies, can be sent directly to the cloud, while untrusted applications can be directed first to a cloud-delivered security service before being forwarded to the SaaS provider. This approach allows organizations to build a best-of-breed SASE architecture, bringing security inspection closer to the user. An advanced SD-WAN tightly integrates with multiple cloud-security vendors, offering the freedom to select the best security service based on the organization’s security requirements. With the offerings available today, a single-vendor SASE solution cannot deliver both best-in-class network and best-in-class security technologies.
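The steering logic described above, as an added example rather than Aruba EdgeConnect code: a new flow is classified on its first packet using only destination prefix and port (the first packet of a TCP flow carries no payload), a business policy maps the application to local breakout, the overlay to the data center, or the cloud security service, and a path selector picks the healthiest eligible link. The application prefixes, policy entries, and link metrics are constructed for the example.

```python
"""First-packet application identification and business-policy steering.

Added illustration, not Aruba EdgeConnect code. The application table,
steering policy and link health figures are constructed for the example.
"""
import ipaddress
from typing import NamedTuple


class FirstPacket(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Constructed application table: (name, destination prefix, allowed ports or None).
APP_TABLE = [
    ("Microsoft 365", ipaddress.ip_network("203.0.113.0/25"), {443}),
    ("Salesforce", ipaddress.ip_network("203.0.113.128/26"), {443}),
    ("Corp-DC", ipaddress.ip_network("10.100.0.0/16"), None),
]

# Business policy: trusted SaaS breaks out locally, internal apps stay on the
# overlay, and anything unrecognised goes to the cloud-delivered security service.
STEERING_POLICY = {
    "Microsoft 365": "direct-internet",
    "Salesforce": "direct-internet",
    "Corp-DC": "overlay-to-dc",
    "*": "via-sse",
}

# Constructed link health, as a path selector would measure it.
LINKS = {
    "internet": {"loss_pct": 0.2, "latency_ms": 18},
    "5g": {"loss_pct": 0.0, "latency_ms": 45},
    "mpls": {"loss_pct": 0.0, "latency_ms": 30},
}
MAX_LOSS_PCT = 1.0


def identify_app(pkt):
    """Classify on the first packet from destination prefix and port only."""
    dst = ipaddress.ip_address(pkt.dst)
    for name, prefix, ports in APP_TABLE:
        if dst in prefix and (ports is None or pkt.dport in ports):
            return name
    return "unknown"


def pick_link(candidates, links=LINKS):
    """Choose the candidate link within the loss budget with the lowest latency."""
    healthy = [l for l in candidates if links[l]["loss_pct"] <= MAX_LOSS_PCT]
    if not healthy:
        return None
    return min(healthy, key=lambda l: links[l]["latency_ms"])


def steer(pkt):
    """Return (application, steering action, chosen link) for a new flow."""
    app = identify_app(pkt)
    action = STEERING_POLICY.get(app, STEERING_POLICY["*"])
    if action == "overlay-to-dc":
        link = pick_link(["mpls", "internet", "5g"])    # IPsec overlay may use any path
    else:
        link = pick_link(["internet", "5g"])            # local breakout never uses MPLS
    return app, action, link


if __name__ == "__main__":
    for pkt in [FirstPacket("10.1.2.3", "203.0.113.10", 443, "tcp"),
                FirstPacket("10.1.2.3", "10.100.0.5", 445, "tcp"),
                FirstPacket("10.1.2.3", "198.51.100.9", 443, "tcp")]:
        print(pkt.dst, pkt.dport, "->", steer(pkt))
```

Note that a known SaaS prefix on an unexpected port is deliberately treated as unknown and sent through the security service; matching on prefix alone would let arbitrary traffic to that address range bypass inspection.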

Unlike branch firewalls, an advanced SD-WAN solution supports cloud-first organizations and improves both performance and security, while enabling a best-of-breed SASE architecture.

Reason #4: An advanced SD-WAN helps secure IoT devices using micro-segmentation

In recent years, organizations have witnessed an explosion in the number of IoT devices, dramatically increasing the attack surface and posing major cybersecurity challenges. Because of their simple architecture, IoT devices cannot run security agents. Organizations therefore require a different security approach for IoT devices to protect their networks from the vulnerabilities these devices introduce.

An advanced SD-WAN solution can go beyond what is defined by SASE with its next-generation firewall capabilities. It can implement zero trust network segmentation, based on identity and role-based access control, ensuring that users and IoT devices can only reach network destinations consistent with their role in the business.

SD-WAN uses virtual overlays that are mapped to firewall zones. Each zone can be assigned security policies that limit connectivity with other zones. For example, a policy could allow only outgoing traffic, allow incoming traffic only from approved applications and services, or block all traffic from less secure zones.
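The zone model above, worked through as an added example (not Aruba EdgeConnect code): overlays map to zones, zone-pair rules are evaluated first-match with a default deny, and replies to sessions that were allowed outbound are admitted statefully, which is how "allow only outgoing traffic" for a guest zone works without any inbound rule. The zone names, rules, applications, and addresses are constructed for the example.

```python
"""Zone-based segmentation with stateful return traffic.

Added illustration, not Aruba EdgeConnect code. Overlay names, zones, rules
and addresses are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Flow:
    src_overlay: str
    dst_overlay: str
    src: str
    dst: str
    app: str


@dataclass(frozen=True)
class Rule:
    src_zone: str                       # zone name or "*"
    dst_zone: str                       # zone name or "*"
    apps: Optional[FrozenSet[str]]      # None matches any application
    action: str                         # "allow" or "deny"


# Each SD-WAN overlay (or the underlay internet link) is mapped to a zone.
OVERLAY_TO_ZONE = {
    "ovl-corp": "Corporate",
    "ovl-iot": "IoT",
    "ovl-guest": "Guest",
    "ovl-dc": "DataCenter",
    "underlay-inet": "Internet",
}

RULES = [
    # IoT sensors may only publish to the broker in the data center ...
    Rule("IoT", "DataCenter", frozenset({"mqtt"}), "allow"),
    # ... and are otherwise blocked, including towards Corporate and the internet.
    Rule("IoT", "*", None, "deny"),
    # Corporate users may manage IoT devices and reach the data center and internet.
    Rule("Corporate", "IoT", frozenset({"https", "ssh"}), "allow"),
    Rule("Corporate", "DataCenter", None, "allow"),
    Rule("Corporate", "Internet", None, "allow"),
    # Guests: outgoing web and DNS only; nothing inbound unless it is a reply.
    Rule("Guest", "Internet", frozenset({"https", "dns"}), "allow"),
]


class ZoneFirewall:
    def __init__(self, overlay_to_zone, rules):
        self.overlay_to_zone = overlay_to_zone
        self.rules = rules
        self.sessions = set()   # (src, dst, app) of flows allowed by a rule

    def zone_of(self, overlay):
        # Unknown overlays fall into an untrusted zone that no rule allows.
        return self.overlay_to_zone.get(overlay, "Untrusted")

    def evaluate(self, flow):
        """Return 'allow' or 'deny' for a flow and record allowed sessions."""
        # 1. Stateful check: a reply to an allowed session is admitted even if
        #    no rule permits that zone pair in the reverse direction.
        if (flow.dst, flow.src, flow.app) in self.sessions:
            return "allow"
        src_zone = self.zone_of(flow.src_overlay)
        dst_zone = self.zone_of(flow.dst_overlay)
        # 2. First matching zone-pair rule wins.
        for rule in self.rules:
            if rule.src_zone not in (src_zone, "*") or rule.dst_zone not in (dst_zone, "*"):
                continue
            if rule.apps is not None and flow.app not in rule.apps:
                continue
            if rule.action == "allow":
                self.sessions.add((flow.src, flow.dst, flow.app))
            return rule.action
        # 3. Nothing matched: default deny between zones.
        return "deny"


def demo():
    """Constructed flows exercising each kind of policy outcome."""
    fw = ZoneFirewall(OVERLAY_TO_ZONE, RULES)
    checks = [
        ("iot->dc mqtt", Flow("ovl-iot", "ovl-dc", "10.9.0.7", "10.100.0.10", "mqtt")),
        ("iot->corp ssh", Flow("ovl-iot", "ovl-corp", "10.9.0.7", "10.1.0.5", "ssh")),
        ("iot->internet https", Flow("ovl-iot", "underlay-inet", "10.9.0.7", "203.0.113.9", "https")),
        ("corp->iot https", Flow("ovl-corp", "ovl-iot", "10.1.0.5", "10.9.0.7", "https")),
        ("iot->corp https reply", Flow("ovl-iot", "ovl-corp", "10.9.0.7", "10.1.0.5", "https")),
        ("guest->internet https", Flow("ovl-guest", "underlay-inet", "10.50.0.3", "203.0.113.9", "https")),
        ("internet->guest reply", Flow("underlay-inet", "ovl-guest", "203.0.113.9", "10.50.0.3", "https")),
        ("internet->guest ssh", Flow("underlay-inet", "ovl-guest", "198.51.100.4", "10.50.0.3", "ssh")),
        ("guest->dc https", Flow("ovl-guest", "ovl-dc", "10.50.0.3", "10.100.0.10", "https")),
    ]
    return [(label, fw.evaluate(flow)) for label, flow in checks]


if __name__ == "__main__":
    for label, action in demo():
        print(f"{label:24s} {action}")
```

The IoT-to-Corporate https reply is allowed only because the Corporate-initiated session exists; the same flow as an unsolicited connection hits the IoT deny rule, and the unsolicited inbound ssh to the guest zone falls through to the default deny.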

Unlike branch firewalls, an advanced SD-WAN solution creates micro-segmentation extended from the LAN, across the WAN, and to data centers and cloud platforms.

An advanced SD-WAN solution such as the Aruba EdgeConnect Enterprise SD-WAN platform provides a secure network foundation for Zero Trust and SASE frameworks. The solution includes a next-generation firewall with fine-grained segmentation and identity-based access control capabilities, as well as IDS/IPS and DDoS defense to protect branch offices from malicious activities. The solution tightly integrates with leading SSE (Security Service Edge) providers allowing organizations to build a best-of-breed SASE architecture.

Recognized by an independent, global organization, Aruba EdgeConnect Enterprise has earned the Secure SD-WAN certification from ICSA Labs thanks to its advanced SD-WAN and security features.

ICSA Labs Secure SD-WAN certification requirements include:

  • Advanced SD-WAN features such as tunnel bonding, dynamic path selection and zero-touch provisioning
  • Native support (or via service chaining) for advanced security functions such as anti-malware, intrusion prevention and DoS protection
  • Encryption of sensitive data, as well as administrative and operational communications
  • Policy enforcement for both WAN-specific functions and security policies
  • Security event logging

The certification provides the assurance to securely replace firewalls in branches with Aruba EdgeConnect Enterprise. It allows organizations to gain flexibility and reduce risk when implementing security controls at the branch and across the WAN. It increases IT efficiency, simplifies management by consolidating network and security equipment into one single platform, and helps enforce consistent security policy.

To learn more, please visit our website on Aruba EdgeConnect SD-WAN