How to Secure the Home Branch Office

Amid the pandemic, most workforces have shifted to remote work and home offices; essentially, transforming their living rooms into corporate branch offices. From a convenience and health perspective, this has worked well, for the most part. However, the convenience of working from home has put a lot of responsibility on corporate IT folks to ensure the security of these home offices is not compromised – including, importantly, the corporate networks.

As a result, a secure and scalable infrastructure is needed to provide secure, high-performance network access so enterprises can mitigate those risks while maintaining the productivity of their remote workers.

Densely Populated Network Edges Bring Higher Security Risks

Before COVID-19, most workers accessed their corporate networks from home sparingly – at most, to check email in the evening or wrap up any last, brief items they’d missed. Full-time remote workers were fewer in number. Now, with 82% of companies planning to allow employees to work remotely at least some of the time – and nearly half (47%) saying they intend to allow staff to work remotely full time – the number of remote workers has increased exponentially. Even after COVID-19 is history, these numbers will stay substantially higher than before the pandemic, as we fully adapt to the new normal.

So, as a network administrator, if you are looking at the topology of your wide area network (WAN), the number of ‘branches’ just multiplied and their usage, in terms of bandwidth and hours, has just exploded. At the same time, the security perimeter has also expanded, and with it, the potential for attacks.

The exponential rise of users at the periphery of the network provides greater opportunity for hacker attacks as the home branch is typically not as secure as a corporate office. When you include the home branch users’ access to cloud infrastructure, it further expands that security perimeter.

In November 2020, Nokia Deepfield’s Network Intelligence report found that, during the pandemic, DDoS traffic increased between 40% and 50%. Similarly, Interpol reinforced this rising concern when it reported in August 2020 that,“With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.”

Of course, the traditional way to provide secure connectivity for remote workers has been to use remote access VPN client software on their devices, which has served us well in the past for occasional usage. However, for mission-critical and privacy conscious users, including executives, HR or legal, something more secure and reliable is needed.

Scalable and Secure SD-WAN to the Rescue

A software-defined wide area network (SD-WAN) is a WAN that enables enterprises to use any combination of transport services, such as multiprotocol label switching (MPLS), internet or long-term evolution (LTE) to connect branches to the headquarters and a public cloud.

SD-WAN uses a centralized control function to securely and intelligently direct traffic across the WAN. In addition, it leverages network routing, intelligent path control, application-based routing and internet breakout features to provide seamless, efficient and high-bandwidth access to applications and workloads regardless of their location – whether that’s in private data centers or public clouds.

Thus, for remote working, SD-WAN provides the necessary application performance and high-bandwidth access to resources in private data centers or public clouds, so that remote workers can be as productive working from home as they are in the physical office.

SD-WAN Security

Effective SD-WAN implementation, however, also requires additional security within the enterprise infrastructure to ensure corporate security policies are enforced at all levels.

To secure SD-WAN at the branch level, SD-WAN security must include these four functions:

  • Protection against direct threats
    Protection against direct, external threats requires extensive network security functions deployed directly at the edge. These security capabilities can be supplied by dedicated hardware, virtual appliances or cloud services, and they must be enforced at the edge of the direct internet access. Features need to include stateful and next-generation firewalls (NGFWs), URL and content filtering, intrusion prevention systems, protection against distributed denial-of-service (DDoS) attacks, malware detection and encryption.
  • Trust
    The trust component of a security strategy is associated with the ability to authenticate and authorize users and devices, ensure they operate under the appropriate security policies, verify compliance requirements and enforce micro-segmentation.
  • Traffic Visibility
    Traffic visibility is key to any security strategy. Proper visibility must encompass central visibility and control for all internal, inbound and outbound traffic. This should include knowledge of which applications are accessed, what ports and protocols are active and views into the data, especially if it is encrypted with Transport Layer Security. Visibility is also especially important for auditing and reporting for compliance management.
  • Network security management and orchestration
    It is imperative that security strategies include a centralized management and orchestration capability with a single pane of glass console for IT and security personnel. Administrators must be able to update and disseminate corporate security policies, configuration changes and software upgrades to all locations or reconfigure individual devices. The orchestration processes should be as automated as possible, and include analytics that can provide organizations with early warnings of any problems.

Getting Ready for a SASE Future

Secure access service edge (SASE) addresses the numerous problems that have been discovered with traditional cybersecurity methods used in the cloud. Many of those problems have roots with the ideology that network security architectures must be placed at the center of connectivity in the data center. SD-WAN provides the flexibility in architecture to distribute the intelligence and processing away from the data center. Because of this, SD-WAN is an essential pillar of SASE framework.
The benefits of SASE overall are wide-reaching and include reduced management and administrative time, faster deployment time and reduced cost by eliminating the need to pay for multiple security point products. Moreover, SASE offers decreased complexity as it’s a cloud-managed solution, which simplifies installation processes/management of multiple hardware products. Lastly, SASE reduces the need for complex integrations since it can manage all the necessary integration for you.

Securing the Home Branch with SD-WAN

The pandemic has certainly changed the way we have worked for the past year, and the teleworking trend is here to stay. Therefore, security will be of paramount importance in making home branch access secure, as well as protecting the corporate network and cloud from attacks.

A secure and flexible SD-WAN makes it easier for IT professionals to provide high-performance access for the home branch users to access the corporate network, as well cloud applications. As the networking and security requirements converge, a universal network fabric based on SD-WAN will provide the foundation for deployment of a SASE framework in the future.

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Charuhas Ghatge

Charuhas Ghatge is a product and solutions marketing director at Nuage Networks and is responsible for promoting SD-WAN, Security and SASE products and solutions for service providers and enterprises. Charuhas has held a number of engineering, product management and marketing roles during his 27 years in the networking industry. He was educated at the University of Oklahoma with a master's degree in computer science.

charuhas-ghatge has 1 posts and counting.See all posts by charuhas-ghatge