With the recent launch of FirePower Threat Defense on Cisco 4000 Series Integrated Services Routers, I would like to spend some time talking about enterprise branch security and what are the requirements to keep in mind to secure your branch office. Let’s start out by examining your branch environment.

What’s happening at the branch today?

Cloud is redefining application delivery. Mobility is redefining network architecture. Next generation applications like Ultra High Definition videos, Web, and SaaS applications put increased pressure on bandwidth availability.

Organizations may be considering Direct Internet Access (DIA) at the branch to leverage local internet path for public cloud and internet access. Leveraging the local internet path at the branch reduces IT spending (freeing up costly WAN bandwidth for mission critical applications) and ensures better application experience, for example for applications hosted in the public cloud (less latency)  but it may come with a cost since now the branch may be exposed to security threats.

Why should branch office security matter to you?

Gartner projects that by 2016, 30% of advanced targeted threats – up from less than 5% today – will specifically target branch offices as an entry point.

We all read in the news stories of data and identity theft, data loss and consequent loss of revenue associated with security attacks. We are also witnessing a shift in the accountability for data breaches from IT departments to business leaders. Additionally, according to Oracle’s Security Overview, it has been found that 80% of data loss is caused by insiders and 40% of Internet break-ins occur in spite of a firewall being in place. PCI and other regulatory compliance is the threat protection starting point for companies that handle cardholders’ information and other sensitive data.

It is recommended that you consider additional security requirements in your branch office network design.

DIAHere’s a list of Direct Internet Access use cases you may have at the branch:

  • Guest user Wi-Fi
  • Access to the public cloud (example, Office365 or salesforce.com) or partner sites
  • Full direct internet access

Let’s explore what are the requirements to protect your branch against internal and external threats in each of those use cases and how Cisco Integrated Services Routers can help you meet those requirements.

Guest user Wi-Fi

With guest user Wi-Fi, your business intent is to route guest traffic directly to the internet. You want to ensure high guest users satisfaction by routing guest user traffic directly to the Internet while your corporate traffic keeps being back-hauled to the headquarter. However, it is paramount that guest traffic does not pose a threat to your corporate environment. Therefore, you may want to create policies to segment your guest and corporate traffic as well as deploy content filtering policies for Wi-Fi users to ensure appropriate usage of the Wi-Fi network and avoid liability.

Advanced DIA Options

As you move to more advanced Direct Internet Access (DIA) options, you also need to beef up security at your branch. There are two scenarios: partial and full DIA.

  • Partial DIA: only selected types of traffic or applications leverage the local internet path– for example for you to be able to redirect certain traffic to the public cloud or partner sites. A combination of technologies such as firewall, content inspection and filtering and malware protection give you a multi-layered protection against unauthorized network access, web-based threats and malware.
  • Full DIA: all traffic is routed to the internet via the local path. In this scenario, your security needs at the branch very much resemble those at the headquarter and you need enterprise class protection against enterprise class threats. A full threat defense stack that includes firewall, content security, intrusion detection and prevention, advanced malware protection and application visibility provides the best protection against increasingly more sophisticated cyber attacks.

Cisco Integrated Services Routers with Integrated Security help you meet the additional security requirements that Direct Internet Access at the branch poses without the cost of deploying additional appliances in your network:

  • IOS Zone-Based Firewall offer perimeter control, anomaly detection and stateful inspection and in combination with Cisco TrustSec provides a straight-forward method for traffic segmentation in guest Wi-Fi use cases;
  • Cloud Web Security provides industry-leading content filtering with web and file reputation, inspection and advanced malware protection (AMP) in all the scenarios where web filtering and web-based threat protection is required;
  • Integrated IPS and FirePower Next-Generation IPS offer signatures intrusion detection and threat prevention and contextual awareness respectively;
  • FirePOWER Threat Defense on Cisco ISR routers provides industry-leading multi-layered threat protection with real-time contextual awareness, full-stack visibility and lower cost of ownership through intelligent security automation.

Visit our page for more details on Router Security.

Please feel free to comment, share and connect with us @CiscoEnterpriseFacebook, LinkedIn and the Enterprise Networks Community.


Elisa Caredio

Product Manager

Enterprise Routing