
Securing and optimizing the direct-to-net branch network

When IT chooses to connect a branch network to both the Internet and the enterprise WAN, it creates the direct-to-net branch office: The WAN is only for traffic headed to internal hosts. Although this considerably reduces bandwidth demands on WAN connections, it can complicate both security and optimization. Learn in this tip how to secure and optimize the direct-to-net branch network.

When IT chooses to connect a branch to both the Internet and the enterprise WAN, a direct-to-net branch is created. In a direct-to-net branch, the WAN is only for traffic headed to internal hosts. Although this considerably reduces bandwidth demands on the WAN connections, it can complicate both security and optimization.

With no central pipe through which Internet traffic is channeled, IT has to screen it in every branch network with firewalls, malware filters and IDS/IPS. Doing that with a stack of single-purpose appliances in each direct-to-net branch quickly becomes daunting, both financially and administratively. For traditional in-house deployments there are two alternatives: consolidate the security boxes into a unified threat management (UTM) appliance, or integrate the security services into the branch router. A more recent option is to combine the security and optimization layers in one device. And the proliferation of security services on carrier connections, such as firewall-in-the-cloud offerings, opens a third path: move the screening off the branch premises altogether.

As with the backhauled branch network, direct-to-net branch security should focus on three things: protecting the systems inside the branch, isolating branches from one another so that a compromise in one cannot spread to the others across the WAN, and providing an appropriate degree of visibility into the traffic on the branch network.

The optimization picture changes with direct-to-net branches, just as the security one does. With branch networks acting as consumers of Web resources and no compression appliance at the far end of the Internet connection, two-sided compression of the Internet link is off the table. (The one-sided option that remains is standard HTTP content compression, which Web browsers decompress natively; it helps only on content the server chooses to compress.) Caching remains important on both the WAN and the Internet links, but it becomes less effective for the organization as a whole: as the pool of users behind any one caching appliance shrinks, fewer requests find their object already in the cache, so more transmissions are repeated across the organization. WAN compression behaves the same way, since deduplication-style compression finds less redundancy in a smaller user pool.
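The shrinking-user-pool effect above can be made concrete with a small simulation. This is an added example, not code from the original article: it constructs a Zipf-distributed request workload (a few objects draw most requests, as Web traffic does), then runs the same per-branch request streams through one shared LRU cache (the backhauled design) and through one same-sized LRU cache per branch (the direct-to-net design). The catalogue size, object size, cache size and branch counts are all assumptions chosen for illustration.

```python
import random
from collections import OrderedDict

# Constructed workload (not from the article): one shared catalogue of Web
# objects whose popularity follows a Zipf distribution, so a few objects draw
# most requests, as real Web traffic does. All numbers are assumptions.
CATALOGUE_SIZE = 2000
OBJECT_BYTES = 64 * 1024  # assume every object is 64 KB


class LRUCache:
    """Minimal LRU cache of object keys; capacity is counted in objects."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.store = OrderedDict()

    def lookup(self, key):
        """Return True on a hit. On a miss, insert the key, evicting the LRU entry."""
        if key in self.store:
            self.store.move_to_end(key)
            return True
        self.store[key] = True
        if len(self.store) > self.capacity:
            self.store.popitem(last=False)
        return False


def make_requests(n_branches, requests_per_branch, seed=7):
    """One request stream per branch, all drawn from the same popularity curve."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) for rank in range(CATALOGUE_SIZE)]  # Zipf, s = 1
    population = range(CATALOGUE_SIZE)
    return [rng.choices(population, weights=weights, k=requests_per_branch)
            for _ in range(n_branches)]


def backhauled_hit_rate(streams, cache_objects):
    """Backhauled design: every branch's requests warm one cache at headquarters."""
    cache = LRUCache(cache_objects)
    hits = total = 0
    # Interleave the branch streams round-robin to mimic concurrent users.
    for batch in zip(*streams):
        for key in batch:
            total += 1
            hits += cache.lookup(key)
    return hits / total


def direct_to_net_hit_rate(streams, cache_objects):
    """Direct-to-net design: each branch has its own cache of the same size,
    warmed only by its own (smaller) user pool."""
    hits = total = 0
    for stream in streams:
        cache = LRUCache(cache_objects)
        for key in stream:
            total += 1
            hits += cache.lookup(key)
    return hits / total


def compare(n_branches=8, requests_per_branch=3000, cache_objects=300):
    """Hit rate under both designs, plus the extra bytes the direct-to-net
    design pulls over the Internet links because of the lost cache hits."""
    streams = make_requests(n_branches, requests_per_branch)
    shared = backhauled_hit_rate(streams, cache_objects)
    local = direct_to_net_hit_rate(streams, cache_objects)
    total_requests = n_branches * requests_per_branch
    extra_bytes = int((shared - local) * total_requests * OBJECT_BYTES)
    return {"shared_hit_rate": shared,
            "per_branch_hit_rate": local,
            "extra_transfer_bytes": extra_bytes}


if __name__ == "__main__":
    result = compare()
    print(f"shared cache hit rate:     {result['shared_hit_rate']:.2%}")
    print(f"per-branch cache hit rate: {result['per_branch_hit_rate']:.2%}")
    print(f"extra bytes over Internet: {result['extra_transfer_bytes'] / 2**20:.1f} MiB")
```

The per-branch caches lose for two reasons the paragraph hints at: each one pays the cold-start miss for every object separately, and moderately popular objects that a shared cache would see often enough to keep warm arrive at any single branch too rarely to stay resident. With one branch the two designs are identical, which is a useful sanity check on the simulation.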

WAN bandwidth optimization techniques such as shaping and prioritization still apply, but to the Internet and WAN links separately. Each link is smaller, however, and carries fewer traffic streams to manipulate, so there are fewer combinations to try in seeking the right balance; there is less slack to play with than on a single link carrying all of the branch's traffic.

One problem that direct-to-net connectivity exacerbates is management. By placing service delivery points for security and optimization in many more locations, direct-to-net branches increase the importance of management platforms that scale well and offer policy-driven management of groups of appliances rather than one box at a time. And as users move among branch networks, carrying laptops from place to place, any solution whose policy is keyed to the user must follow that user gracefully.
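Policy-driven management of a group of branch devices, and the branch-to-branch isolation called for above, can be illustrated by compiling one group policy into a per-branch rule set and then checking the result. This is an added example, not the article's or any vendor's code: the branch inventory, prefixes, interface names and permitted ports are hypothetical, and the output is a Linux iptables FORWARD chain, chosen because it is easy to read, rather than any particular appliance's syntax. The verification step is the part a practitioner most wants: it confirms that every isolation DROP precedes the first ACCEPT, since an allow that lands ahead of a deny silently reopens the path.

```python
import ipaddress

# Hypothetical branch inventory and group policy, constructed for this example.
HQ_PREFIXES = ["10.0.0.0/16"]  # internal hosts, reachable only over the WAN
BRANCHES = {
    "br-01": {"lan": "10.1.0.0/24", "wan_if": "tun0", "inet_if": "eth0"},
    "br-02": {"lan": "10.2.0.0/24", "wan_if": "tun0", "inet_if": "eth0"},
    "br-03": {"lan": "10.3.0.0/24", "wan_if": "tun0", "inet_if": "eth0"},
}
GROUP_POLICY = {
    "internet_tcp_ports": [80, 443],  # what the group may reach directly on the Internet
    "internet_udp_ports": [53],
    "log_denied": True,
}


def check_inventory(branches):
    """Return pairs of branches whose LAN prefixes overlap (an isolation rule
    written against an overlapping prefix would also drop legitimate traffic)."""
    names = sorted(branches)
    nets = {n: ipaddress.ip_network(branches[n]["lan"]) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def render_branch_policy(name, branches=BRANCHES, hq=HQ_PREFIXES, policy=GROUP_POLICY):
    """Compile the group policy plus this branch's facts into an ordered
    iptables FORWARD chain for the branch edge device."""
    overlaps = check_inventory(branches)
    if overlaps:
        raise ValueError(f"overlapping LAN prefixes: {overlaps}")
    me = branches[name]
    lan = me["lan"]
    rules = [f"# generated for {name}", "iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    # 1. Branch-to-branch isolation. These DROPs come before every ACCEPT so a
    #    later, broader allow cannot quietly re-open a path between branches.
    for other, spec in branches.items():
        if other != name:
            rules.append(f"iptables -A FORWARD -s {lan} -d {spec['lan']} -j DROP")
    # 2. Internal hosts are reached over the WAN interface only.
    for prefix in hq:
        rules.append(f"iptables -A FORWARD -s {lan} -d {prefix} -o {me['wan_if']} -j ACCEPT")
    # 3. Nothing addressed to private space may leave via the Internet interface.
    for private in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        rules.append(f"iptables -A FORWARD -s {lan} -d {private} -o {me['inet_if']} -j DROP")
    # 4. Direct Internet egress, limited to the ports the group policy permits.
    for port in policy["internet_tcp_ports"]:
        rules.append(f"iptables -A FORWARD -s {lan} -o {me['inet_if']} -p tcp --dport {port} -j ACCEPT")
    for port in policy["internet_udp_ports"]:
        rules.append(f"iptables -A FORWARD -s {lan} -o {me['inet_if']} -p udp --dport {port} -j ACCEPT")
    if policy.get("log_denied"):
        rules.append(f'iptables -A FORWARD -j LOG --log-prefix "{name}-fwd-deny "')
    return rules


def verify_isolation(name, rules, branches=BRANCHES):
    """Check the compiled chain: for every other branch, a DROP to its LAN must
    appear before the first ACCEPT for this branch's LAN."""
    lan = branches[name]["lan"]
    first_accept = next((i for i, r in enumerate(rules)
                         if f"-s {lan}" in r and r.endswith("-j ACCEPT")), len(rules))
    for other, spec in branches.items():
        if other == name:
            continue
        drop = next((i for i, r in enumerate(rules)
                     if f"-d {spec['lan']}" in r and r.endswith("-j DROP")), None)
        if drop is None or drop > first_accept:
            return False
    return True


def render_all(branches=BRANCHES):
    """One ordered rule set per branch, all derived from the same group policy."""
    return {name: render_branch_policy(name, branches) for name in branches}


if __name__ == "__main__":
    for name, rules in render_all().items():
        print("\n".join(rules), "\n")
        print(f"{name} isolation verified: {verify_isolation(name, rules)}")
```

Adding a branch means adding one inventory entry and regenerating; every other branch's isolation list grows automatically, which is exactly the property a one-box-at-a-time workflow loses. The inventory check matters because a branch that re-uses another branch's prefix cannot be isolated by address at all.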

Where optimization is application-sensitive, separating Internet-mediated SaaS applications from WAN-mediated in-house applications makes it harder to balance the two at the desktop. On the other hand, direct-to-net improves the ability to deliver consistent performance from SaaS solutions. With a backhauled branch network, SaaS performance depends on both the WAN and the headquarters Internet connection; direct-to-net simplifies the picture and puts all users on a more equal footing.

As branch offices continue to proliferate (we expect growth rates to bounce back this year), bandwidth costs continue to fall and the use of SaaS spreads, we expect direct-to-net branches to grow quickly relative to backhauled ones. IT should therefore settle the questions of security and network performance up front, with a strategy that covers both backhauled and direct-to-net branches and that expects coordinated, policy-driven management of all devices and services.

But what happens when there is no branch office and no WAN? Next up in this article series, micro-branch networks: What to do when there is no network closet.

This was last published in March 2011
