How SD-Branch Enables Security from Edge to Endpoint

SD-Branch (software-defined branch networking) is the next step in the evolution of SD-WAN technologies. It takes branch networks to a new level of performance optimization, cost-efficiencies, resilience, and network security. SD-Branch is a single integrated hardware platform that supports routing, security, Wi-Fi, and cellular failover functions that can all be configured and managed centrally via a cloud-based orchestration portal. Where before there were multiple single-purpose hardware appliances at the branch, now there is a single multi-functional device that delivers multiple IT functions, including, but not limited to, those functions just mentioned.

What makes SD-Branch so compelling to cybersecurity professionals?

First and foremost, SD-Branch enables an affordable cloud-deployed multi-layer cyber-defense for multi-location businesses. Retail chains, quick service restaurants (QSRs), and other highly distributed businesses like these see a lot of value in services beyond the management of “traditional next-gen firewalls” (if you'll excuse the oxymoron). Managed Wi-Fi, cellular failover, performance optimization, and VPN configuration management are all important network services to these companies. When combined with advanced threat detection and response that is multi-layered from the edge to the endpoint, it makes a very compelling value proposition. Add Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) managed services, and all that north-south traffic monitoring is complemented by east-west traffic monitoring, thus facilitating a zero-trust network cybersecurity strategy.

What are the more compelling security features of an SD-Branch solution?

Firewalls: SD-Branch edge routers usually include an integrated stateful firewall for layer-2 perimeter protection, yet through their SD-WAN capabilities they can also deliver a next-gen firewall (NGFW) via the cloud for layer-7 protection.

Do SD-Branch appliances replace on-premise firewalls? The answer depends on the use case. For most small-to-medium size locations, typical of specialty retailers and QSRs, an all-in-one SD-Branch device is a viable firewall replacement because it helps consolidate hardware, reduce IT complexity, increase IT agility, and reduce cost.

Unified Threat Management (UTM): SD-Branch routers (also called “universal customer premises equipment” or “uCPE”) can deliver unified threat management functionality at the edge because they can include network access control, intrusion detection and prevention (IDS/IPS), malware prevention, and other security capabilities, depending on the make and model.

Do SD-Branch appliances replace UTM appliances? Once again, the answer depends on the use case. Like in the case of firewall appliances, for most small-to-medium size locations, an all-in-one SD-Branch device is a viable on-premise UTM replacement for the same reasons. It may not include some of the most advanced capabilities of specialized UTM hardware, but in most cases, UTM hardware at small and medium-size locations is under-utilized and expensive.

Advanced Deep Packet Inspection (DPI): Advanced DPI is one of the most compelling security features of SD-Branch solutions, especially attractive to MSPs. It delivers first packet inspection at layer-7 and enables visibility and traffic control of all the applications communicating into the LAN and out to the WAN. Advanced DPI helps identify improper traffic segmentation (i.e., mission-critical traffic in the same segment as un-trusted traffic) and facilitates active threat hunting at the edge.

Most leading firewall and UTM services run the Qosmos engine for advanced DPI, and so does Netsurion’s SD-Branch solution, BranchSDO. In essence, a good SD-Branch platform can have the same advanced DPI capabilities as leading firewall and UTM services.
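The segmentation check described above, as an added illustration that is not Netsurion's or the Qosmos engine's code: it takes DPI-style per-flow application labels and flags any segment that carries both mission-critical and untrusted traffic. The record fields, application labels, and trust tiers are assumptions, not any vendor's export format.

```python
"""Flag segments where DPI-classified mission-critical traffic shares a segment
with untrusted traffic (constructed example, not vendor code)."""
from collections import defaultdict

# Constructed sample: one record per flow as a DPI engine might export it after
# first-packet classification. Field names are assumptions.
SAMPLE_FLOWS = [
    {"segment": "VLAN10", "app": "pos-payment", "src": "10.0.10.5", "dst": "203.0.113.9"},
    {"segment": "VLAN10", "app": "http", "src": "10.0.10.77", "dst": "198.51.100.4"},
    {"segment": "VLAN20", "app": "guest-wifi", "src": "10.0.20.3", "dst": "192.0.2.10"},
    {"segment": "VLAN30", "app": "pos-payment", "src": "10.0.30.2", "dst": "203.0.113.9"},
    {"segment": "VLAN30", "app": "bittorrent", "src": "10.0.30.9", "dst": "192.0.2.50"},
]

# Trust tiers keyed by DPI application label (assumed local policy).
MISSION_CRITICAL = {"pos-payment", "pos-backoffice"}
UNTRUSTED = {"guest-wifi", "bittorrent", "tor", "unknown"}


def classify(app):
    """Map an application label to a trust tier; anything unlisted is 'other'."""
    if app in MISSION_CRITICAL:
        return "critical"
    if app in UNTRUSTED:
        return "untrusted"
    return "other"


def find_mixed_segments(flows):
    """Return {segment: {"critical": [apps], "untrusted": [apps]}} for every
    segment carrying both tiers. Segments that mix critical with merely
    'other' traffic (e.g. plain http) are not flagged by this rule."""
    by_segment = defaultdict(lambda: defaultdict(set))
    for flow in flows:
        by_segment[flow["segment"]][classify(flow["app"])].add(flow["app"])
    return {
        seg: {"critical": sorted(tiers["critical"]),
              "untrusted": sorted(tiers["untrusted"])}
        for seg, tiers in by_segment.items()
        if tiers["critical"] and tiers["untrusted"]
    }


if __name__ == "__main__":
    for seg, detail in find_mixed_segments(SAMPLE_FLOWS).items():
        print(f"{seg}: critical={detail['critical']} "
              f"shares segment with untrusted={detail['untrusted']}")
```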

Internal Vulnerability Scanning (IVS): SD-Branch solutions such as Netsurion’s offer additional features such as orchestrated internal vulnerability scanning. Most multi-location businesses with small-to-medium branches are point-of-sale (POS) locations transacting with payment cards. As such, being able to orchestrate scans per site on different days and at different times is a very attractive proposition. By scheduling scans at the most convenient dates and times, cybersecurity professionals avoid potentially disrupting network performance and operations.

Payment Card Industry Data Security Standard (PCI DSS) Compliance Simplification: To protect a brand’s reputation and to help the survivability of a business in a complex threat landscape, merchants need to fear not the auditor, but the hacker. PCI DSS is of special concern for specialty retail, QSRs, convenience stores, and any highly distributed enterprises that accept payments on site. SD-Branch platforms and services check many boxes when it comes to compliance with PCI DSS. Good SD-Branch services include PCI DSS compliance support and tools that simplify management and allow those businesses to focus on security beyond that bare minimum.


SD-Branch is a cost-effective platform that converges security and network management services. It is very compelling to cybersecurity professionals tasked to protect multi-location businesses. As a result, diversifying the service portfolio by including SD-Branch services that help these companies to consolidate hardware and bills, and to transition to an OpEx model, is a good strategy for MSSPs. It helps tighten security from the edge to the endpoint.

Netsurion BranchSDO has deployed over 4,000 SD-Branch devices in the USA since its launch over a year ago, the majority of which are managed by MSPs. Become a Netsurion Partner and learn how to offer BranchSDO to your clients while also offering EventTracker SIEM with EDR. Netsurion helps you catch threats others don’t.

Blog courtesy of Netsurion, which offers the EventTracker security platform.