Learn in this article how to secure and optimize the micro-branch network -- where only a few teleworkers connect to the wide area network (WAN) via the Internet -- or view the previous tips in this series:
- Security and optimization for backhauled branch network infrastructure
- Security and optimization for direct-to-net branch networks
- Security and optimization for micro-branch networks
Nemertes Research sees a trend toward smaller and more scattered branches, driven by real estate prices, green initiatives and the rise of virtual workplaces enabled by effective unified communications. But even when a branch network has no wiring closet -- when it's just a few people with desktops or someone working from home -- IT still needs to think about securing and optimizing the network.
Since the so-called micro-branch network lives on the Internet and as a defining characteristic has no network infrastructure beyond a router, the network’s security and optimization have to be host-based.
The first thing to decide is whether to use a virtual private network (VPN) at all.
Users coming into the corporate network via IPsec or SSL VPN get LAN-like access to applications, so they can see and use everything as they could if they were on campus (assuming you configure the VPN to let them do so, that is). But there is no guarantee of LAN-like performance, and VPNs can be tricky to get working everywhere and for everyone. VPNs usually consume a lot of staff time, especially for the service desk and desktop management staff who field "I can't get connected" calls. Outsourcing VPN services is an option.
Without a VPN, IT must make sure any application that remote staff needs has a secure, Internet-accessible front end. Happily, most applications are already headed toward secure Web front ends, but not all are there, and some may not be easy to retrofit. IT should carefully assess whether it is better to speed up migration to Internet-friendly interfaces or to use a VPN or terminal services to provide comprehensive access.
It is important to note that the VPN will not make the end users' computers more secure unless they do all their work through it, including all Internet activity. If they do, they piggyback on core network security. However, if remote workers use Internet services directly -- and this makes lots of sense for SaaS, Web searches, etc. -- then having the VPN does not add much to the security of the endpoint. In fact, the VPN can create on-site security problems for IT because the VPN allows computers in the micro-branch network to access the campus network.
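Whether a VPN carries "all Internet activity" or only corporate traffic is decided by the client's routing, so the first thing to check is the profile. The following is an added example, not code from the original article: it classifies an OpenVPN client profile as full-tunnel or split-tunnel. The directive names (redirect-gateway, route, route-nopull, pull-filter, client) are real OpenVPN 2.x options; the two profiles are constructed, and the classification rules are this example's own.

```python
"""Classify an OpenVPN client profile as full-tunnel or split-tunnel.

Added example, not code from the original article. The directive names
(redirect-gateway, route, route-nopull, pull-filter, client) are real
OpenVPN 2.x options; the profiles below are constructed and the
classification rules are this example's own, not OpenVPN's.
"""
import shlex


def tunnel_mode(profile: str) -> dict:
    """Return {'mode': ..., 'routes': [...], 'reasons': [...]}.

    mode is 'full' (the default route goes through the tunnel, so the
    user's Internet traffic passes the core network's controls), 'split'
    (only the listed networks go through the tunnel; Internet traffic
    goes straight out) or 'split-unless-pushed' (nothing in the profile
    forces a default route, and whether the server pushes one cannot be
    told from the profile alone).
    """
    redirect = nopull = ignores_redirect = False
    routes, reasons = [], []
    in_block = False  # inside <ca>...</ca> style inline file blocks
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)
        directive, args = parts[0], parts[1:]
        if directive == "redirect-gateway":
            # A locally set default route is applied regardless of pull filters.
            redirect = True
            reasons.append("profile sets redirect-gateway " + " ".join(args))
        elif directive == "route" and args:
            routes.append(" ".join(args[:2]))
        elif directive == "route-nopull":
            nopull = True
            reasons.append("route-nopull: pushed routes, including a pushed default route, are ignored")
        elif (directive == "pull-filter" and args[:1] == ["ignore"]
              and any(a.startswith("redirect-gateway") for a in args[1:])):
            ignores_redirect = True
            reasons.append("pull-filter ignores a pushed redirect-gateway")

    if redirect:
        mode = "full"
    elif nopull or ignores_redirect:
        mode = "split"
    else:
        mode = "split-unless-pushed"
        reasons.append("no local default route; depends on what the server pushes")
    return {"mode": mode, "routes": routes, "reasons": reasons}


# Constructed profiles (not from any real deployment).
FULL_TUNNEL = """\
client
dev tun
remote vpn.corp.example 1194 udp
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder
-----END CERTIFICATE-----
</ca>
"""

SPLIT_TUNNEL = """\
client
dev tun
remote vpn.corp.example 1194 udp
# Only corporate networks go through the tunnel; the user's Internet
# traffic goes straight out and never sees the core network's controls.
route 10.0.0.0 255.0.0.0
route 172.16.0.0 255.240.0.0
pull-filter ignore "redirect-gateway"
"""

if __name__ == "__main__":
    for name, prof in (("FULL_TUNNEL", FULL_TUNNEL), ("SPLIT_TUNNEL", SPLIT_TUNNEL)):
        result = tunnel_mode(prof)
        print(name, result["mode"], result["routes"])
        for r in result["reasons"]:
            print("   ", r)
```

The third outcome is the one to watch for in an audit: a profile that neither sets nor blocks a default route gives the server the last word, so the real behaviour has to be confirmed on the server side or on a connected client's routing table.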
If IT treats all end-user computers as untrusted -- as security trends in the last decade suggest is wise -- then the VPN is just another bunch of untrusted computers. If IT judges off-site computers as automatically less secure than on-premise computers, the VPN is a problem. Either way, IT needs to give access to inside applications and data while trusting these computers less, and limiting and watching them more.
The VPN is thus a good place for a full network access control (NAC) solution. Beyond requiring authentication to access the network (which is a given with VPNs anyway), a NAC system can do health checks on connecting computers to see whether IT has been able to keep their OS and application patching up to date and whether they are running antivirus and other security tools, and it can quarantine or refuse those that fail.
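What "trusting these computers less, and limiting and watching them more" looks like in practice is a posture-gated access decision. The following is an added example, not code from the original article: it assumes the VPN client agent submits a small posture report (the field names are hypothetical), that the concentrator can place a client in one of three zones, and that each zone is backed by a per-client firewall allow list. The hosts, directory groups, destinations and dates are constructed.

```python
"""Posture-gated VPN access, in the style of a NAC health check.

Added example, not code from the original article. Assumes the VPN
client agent submits a small posture report (hypothetical field names)
and that the concentrator can place a client in one of three zones,
each backed by a firewall allow list. All data below is constructed.
"""
from datetime import date, timedelta

# Destinations a client needs in order to become healthy again (hypothetical).
REMEDIATION_DESTS = ["patch.corp.example:443", "av-update.corp.example:443"]
# Inside applications granted per enterprise-directory group (hypothetical).
GROUP_APPS = {
    "sales": ["crm.corp.example:443"],
    "finance": ["erp.corp.example:443", "fileshare.corp.example:445"],
}
PATCH_SOFT, PATCH_HARD = timedelta(days=30), timedelta(days=90)
AV_SIG_SOFT = timedelta(days=7)


def health_checks(report: dict, today: date) -> tuple[list[str], list[str]]:
    """Split posture problems into hard failures (no access at all) and
    soft ones (remediation network only). Dates arrive as ISO strings."""
    hard, soft = [], []
    if not report.get("av_running", False):
        hard.append("antivirus not running")
    else:
        sig_age = today - date.fromisoformat(report["av_signature_date"])
        if sig_age > AV_SIG_SOFT:
            soft.append("antivirus signatures older than 7 days")
    patch_age = today - date.fromisoformat(report["last_patch_date"])
    if patch_age > PATCH_HARD:
        hard.append("OS unpatched for more than 90 days")
    elif patch_age > PATCH_SOFT:
        soft.append("OS patches older than 30 days")
    if not report.get("host_firewall", False):
        soft.append("host firewall disabled")
    if not report.get("disk_encrypted", False):
        soft.append("disk not encrypted")
    return hard, soft


def decide(report: dict, today_iso: str) -> dict:
    """Every VPN client starts untrusted. It gets the least access needed to
    do its job (full zone, scoped to its directory groups) or to get healthy
    (remediate zone), or nothing (deny). Findings are returned so the
    concentrator can log them and the service desk can follow up."""
    today = date.fromisoformat(today_iso)
    hard, soft = health_checks(report, today)
    if hard:
        return {"zone": "deny", "allow": [], "findings": hard + soft}
    if soft:
        return {"zone": "remediate", "allow": list(REMEDIATION_DESTS), "findings": soft}
    allow = sorted({d for g in report.get("groups", []) for d in GROUP_APPS.get(g, [])})
    return {"zone": "full", "allow": allow, "findings": []}


def firewall_rules(report: dict, decision: dict) -> list[str]:
    """Render the decision as a per-client allow list ending in drop-and-log,
    so anything outside the allow list is both blocked and visible."""
    src = report["client_ip"]
    rules = [f"allow {src} -> {dst}" for dst in decision["allow"]]
    rules.append(f"drop-log {src} -> any   # zone={decision['zone']}")
    return rules


# Constructed posture reports from two micro-branch machines.
HEALTHY = {"client_ip": "10.200.0.17", "groups": ["finance"], "last_patch_date": "2024-05-20",
           "av_running": True, "av_signature_date": "2024-05-30",
           "disk_encrypted": True, "host_firewall": True}
STALE = {"client_ip": "10.200.0.42", "groups": ["sales"], "last_patch_date": "2024-04-01",
         "av_running": True, "av_signature_date": "2024-05-30",
         "disk_encrypted": True, "host_firewall": False}

if __name__ == "__main__":
    for rep in (HEALTHY, STALE):
        d = decide(rep, "2024-06-01")
        print(rep["client_ip"], d["zone"], d["findings"])
        for rule in firewall_rules(rep, d):
            print("   ", rule)
```

One caveat the code cannot remove: the posture report is produced by software on the very machine being judged, so a health check raises the bar for an honest but neglected laptop; it is not proof against a compromised one. That is why the full zone is still scoped to the user's directory groups and ends in a logged drop rather than granting LAN-wide reach.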
Once past the VPN question, IT must make sure micro-branch network computers have antivirus/anti-malware scanning and additional Web security. Software/service hybrids are ideal, combining local site filtering with continuously updated green/yellow/red lists of good/iffy/known-bad sites.
Lastly, IT should equip remote micro-branch network computers holding sensitive data with whole disk encryption, whether via OS functionality or a layered application. Here, the main caution is encryption key management: recovery keys must be escrowed centrally, or a forgotten passphrase or a departed employee turns an encrypted disk into lost data.
On the optimization front, if it is needed, a soft client is the only option; optimized NICs or small office/home office routers may someday be available but are not for now. Such clients can do significant compression and some traffic conditioning. Ideally, they might be integrated with one or more security functions to cut down on the number of agents required per machine -- always a win for performance and manageability.
With all of these endpoint solutions, centralized management and maintenance of the clients is essential to their ongoing utility. Old, unpatched or non-updated security software might as well be turned off! Ideally, all tools will share a single policy definition mechanism. That is unlikely to be the case in most environments, so IT must be vigilant in setting policies consistently across all channels. IT should require that policies in each tool be able to use the groups defined in the enterprise directory, if there is one, to minimize redundant effort and the inevitable opportunities for things to get out of sync.
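The ways policies "get out of sync" across tools are predictable: a policy bound to a group name the directory does not have, a tool that keeps its own local user list instead of a directory group, and a user who ends up covered by some tools but not others. The following is an added example, not code from the original article: an audit that checks all three, assuming each endpoint tool can export its policies as either "applies to directory group X" or "applies to this local list of users". The directory, tools, policies and users are constructed.

```python
"""Cross-tool policy audit keyed on enterprise-directory groups.

Added example, not code from the original article. Assumes each endpoint
tool (antivirus, web filter, VPN/NAC, disk encryption) can export its
policies as "applies to directory group X" or "applies to this local list
of users". The directory, tools and users below are constructed.
"""

# Constructed: enterprise directory groups and their members.
DIRECTORY = {
    "remote-staff": {"alice", "bob", "carol"},
    "finance": {"carol"},
}

# Constructed: each tool's policies. 'group' binds to a directory group;
# 'members' is a local user list kept inside the tool instead.
TOOLS = {
    "antivirus": {"remote-scan": {"group": "remote-staff", "members": None}},
    "web-filter": {"remote-web": {"group": "remote-staff", "members": None}},
    "vpn-nac": {"remote-vpn": {"group": "remote-workers", "members": None}},  # misspelt group
    "disk-encryption": {"finance-fde": {"group": None, "members": ["carol", "dave"]}},
}

# Which tools every member of a group must be covered by.
REQUIRED = {
    "remote-staff": {"antivirus", "web-filter", "vpn-nac"},
    "finance": {"disk-encryption"},
}


def effective_tools(user: str, directory=DIRECTORY, tools=TOOLS) -> set:
    """Tools whose policy actually reaches this user, via group or local list."""
    applied = set()
    for tool, policies in tools.items():
        for pol in policies.values():
            if pol["group"] is not None:
                if user in directory.get(pol["group"], set()):
                    applied.add(tool)
            elif user in (pol["members"] or []):
                applied.add(tool)
    return applied


def audit(directory=DIRECTORY, tools=TOOLS, required=REQUIRED) -> list:
    """Return findings as (kind, tool, detail) tuples, sorted for stable output.

    unknown-group: a policy names a group the directory does not have, so it
                   silently applies to nobody.
    local-list:    a policy keeps its own user list; it drifts as the directory
                   changes and may name users the directory has never heard of.
    uncovered:     a member of a group is not reached by a tool that group requires.
    """
    findings = []
    everyone = set().union(*directory.values())
    for tool, policies in tools.items():
        for name, pol in policies.items():
            if pol["group"] is not None and pol["group"] not in directory:
                findings.append(("unknown-group", tool, f"{name} -> {pol['group']}"))
            elif pol["group"] is None:
                orphans = sorted(set(pol["members"] or []) - everyone)
                findings.append(("local-list", tool,
                                 f"{name}: not bound to a directory group; unknown users {orphans}"))
    for group, tools_needed in required.items():
        for user in sorted(directory.get(group, ())):
            missing = tools_needed - effective_tools(user, directory, tools)
            for tool in sorted(missing):
                findings.append(("uncovered", tool, f"{user} ({group})"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, tool, detail in audit():
        print(f"{kind:14} {tool:16} {detail}")
```

Run against the constructed data, the audit reports that the VPN/NAC policy is bound to a group that does not exist (so nobody in remote-staff is actually covered by it), that the disk encryption tool carries a local list naming a user the directory does not know, and the three uncovered users that follow from the first finding. Running this on each tool's export on a schedule is the cheapest way to catch the drift the text warns about before it turns into a machine with a control quietly switched off.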