
Businesses with many small branch locations spread over a wide geographical area face a networking and cybersecurity challenge unlike that of other enterprises. The lack of IT staff at these hundreds (and sometimes thousands) of branches makes ease and speed of deployment and provisioning a must. Connectivity costs and network complexity grow in proportion to the number of branches served. Add compliance needs such as PCI (Payment Card Industry) requirements, which apply to any business accepting credit cards, and the challenge grows further. These are just a few of the headwinds IT professionals at a distributed business face.

But just like the cybersecurity market, the networking market is loaded with ambiguous buzzwords and competing acronyms that make it difficult to tell one capability from another. The resulting confusion makes it even harder to choose the right branch network and edge security solution. So let’s break down the terms that are most often compared as if they were apples to apples.

SD-WAN vs MPLS

SD-WAN (Software Defined Wide Area Networking) is usually presented as an alternative to expensive MPLS (Multiprotocol Label Switching). It can be implemented as a full replacement, but it can also run alongside an existing MPLS network in what is often called a “hybrid” architecture. Running SD-WAN alongside MPLS lets a business migrate gradually as MPLS contracts expire, or cut costs and gain IT agility by replacing only parts of the network. SD-WAN does not kill MPLS overnight.

The choice, then, is less SD-WAN versus MPLS than a question of what your business is willing to trade off. Network Function Virtualization (NFV) opened a new era for WAN networking, improving IT agility and management while reducing CapEx and OpEx. But because SD-WAN rides on broadband internet links rather than a private carrier network, it brings its own trade-offs: branch traffic now crosses the public internet, so the overlay tunnels must be encrypted and authenticated, and link failover has to be engineered rather than assumed. And where mission-critical applications need guaranteed Quality of Service (QoS), MPLS, with its carrier SLAs and end-to-end traffic engineering, remains the stronger choice; an SD-WAN can steer traffic onto the best-performing path, but it cannot guarantee performance on an internet path it does not control.

Yet for many distributed businesses with multiple branch locations, the benefits of SD-WAN far outweigh the drawbacks. A double-digit percentage reduction in operating costs, a lower total cost of ownership, and fewer (or no) truck rolls to service complex IT appliances on premise are hard to argue with. The reduction in complexity and the option to fully or partially outsource network and security management make SD-WAN solutions very appealing, especially when services can be scaled up or down quickly as needs change. Connecting, provisioning and disconnecting a branch in a matter of minutes compares well with the days or weeks MPLS requires.

SD-WAN vs SD-Branch

Although the terms are sometimes used interchangeably, SD-Branch takes an evolutionary step beyond SD-WAN for the branch: it virtualizes not only the WAN connectivity but the branch’s other networking and security functions as well, and consolidates the hardware they once required into a single device. With the goals of optimizing IT budget, improving IT agility, gaining full visibility and control, and increasing security, delivering a better branch experience is now viable thanks to Network Functions Virtualization (NFV).

Connecting the branch is just the first step, and it can be done quickly by non-technical staff: plugging a pre-configured, multi-function edge appliance into a broadband connection at the branch is as straightforward as it gets. Once the appliance reaches the SD-WAN, IT teams (or a Managed Service Provider (MSP)) can perform every other task remotely without a truck roll, so zero-touch provisioning of a single branch appliance becomes a time and money saver. One caveat: zero-touch provisioning is only as trustworthy as the device identity behind it, so the appliance should authenticate to the orchestrator with a factory-installed certificate, and only the orchestrator should be able to push configuration to it.

Network resiliency can be achieved in several ways, such as bonding diverse carriers (DSL and cable) while meshing VPN links across the WAN, then adding cellular failover that comes online automatically when the broadband connection fails. Traffic segmentation, application performance monitoring and QoS (path selection and traffic shaping across the VPN overlay, since the underlying internet links offer no guarantees of their own) are all managed remotely from a single pane of glass: a cloud-based orchestrator.

Because traffic between branches and the hub travels through encrypted and authenticated tunnels (typically IPsec), data in transit is protected by default. Encryption alone is not security, though: it says nothing about what is inside the tunnel. Managing a Next-Gen Firewall (NGFW), scheduling regular vulnerability scans, and forwarding logs to a Security Information and Event Management (SIEM) service become much more efficient thanks to the visibility and control offered by an SD-Branch appliance managed from a cloud-based console.

In short, when offered SD-WAN to replace expiring MPLS contracts, ask for an SD-Branch solution instead. It reduces the complexity of branch network management, consolidates bills, and makes a CFO happy.

Stateful Firewall vs NGFW

The importance of firewalls has only increased as cybersecurity threats evolved and became more advanced over the years. Firewalls had to evolve to be able to keep at least one step ahead of threats. Security at the edge today is just as important as endpoint security. Distributed enterprises recognize the need for firewalls at the branch level to ensure business continuity and to protect the brand reputation. Compliance requirements may also come into play. Keep in mind that not all firewalls are created equal.

Stateful firewalls protect networks and data at the network and transport layers. They offer static and dynamic (stateful) packet filtering, tracking each connection so that only replies to permitted sessions are admitted, and they typically add Network Address Translation (NAT) and Virtual Private Network (VPN) termination. Their decisions rest on addresses, ports and protocol, so a rule that allows TCP port 443 allows every HTTPS destination alike. NGFWs add application-layer functionality on top: Intrusion Prevention System (IPS), deep packet inspection (DPI), SSL/TLS decryption and inspection, application-level security policies, directory-based (user and group) policies, allow and deny lists, and more.
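The distinction in practice, as an added example that is not part of the original article and not any vendor’s code: a small Python model in which a stateful rule sees only the 5-tuple, so “allow outbound TCP/443” admits every HTTPS destination alike, while an application-aware rule reads the Server Name Indication (SNI) from the first TLS ClientHello and can allow one SaaS host and block another. The ClientHello bytes, the client and server addresses and the SaaS allow list are all constructed for the example.

```python
"""Toy model of a stateful (L3/L4) firewall rule versus an application-aware (NGFW-style)
rule on the same HTTPS connection. Added example for this article, not vendor code; the
ClientHello bytes are constructed below and the allow list is hypothetical."""
import struct
from dataclasses import dataclass
from typing import Optional

# Hypothetical list of SaaS hosts the branch is allowed to reach over HTTPS.
ALLOWED_SAAS = {"crm.example.com", "payments.example.com"}


@dataclass(frozen=True)
class Flow:
    """What a stateful firewall decides on: source, destination, destination port, protocol."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulL4Firewall:
    """One rule ('allow outbound tcp/443') plus a connection table for the replies."""

    def __init__(self) -> None:
        self.table = set()

    def outbound(self, flow: Flow) -> str:
        if flow.proto == "tcp" and flow.dport == 443:
            self.table.add(flow)
            return "allow"
        return "deny"

    def inbound(self, src: str, sport: int, dst: str) -> str:
        # A reply is admitted only if it is the reversed tuple of a tracked outbound flow.
        return "allow" if Flow(dst, src, sport) in self.table else "deny"


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a raw TLS ClientHello record, or None if absent/malformed.
    SNI is clear text (TLS 1.2, and TLS 1.3 without Encrypted Client Hello), so an NGFW
    can identify the destination application without decrypting the session."""
    try:
        if record[0] != 0x16:                                  # record type: handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                      # handshake type: ClientHello
            return None
        pos = 4 + 2 + 32                                       # header, client_version, random
        pos += 1 + hs[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + hs[pos]                                     # compression_methods
        if pos + 2 > len(hs):
            return None                                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                     # server_name extension
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                name = hs[pos + 5:pos + 5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (sample data for this example, not a capture)."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                     # client_version, random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ngfw_decision(flow: Flow, first_payload: bytes) -> str:
    """NGFW-style rule: the same L4 gate, then identify the application from the ClientHello."""
    if not (flow.proto == "tcp" and flow.dport == 443):
        return "deny"
    sni = parse_sni(first_payload)
    # An unidentifiable application (no SNI, malformed hello) fails closed.
    return "allow" if sni in ALLOWED_SAAS else "deny"


def compare(host: Optional[str]) -> tuple:
    """Decisions of both firewall types for a branch client opening HTTPS to `host`."""
    flow = Flow("10.20.30.40", "203.0.113.10", 443)             # constructed addresses
    return StatefulL4Firewall().outbound(flow), ngfw_decision(flow, build_client_hello(host))


if __name__ == "__main__":
    for h in ("crm.example.com", "filesharing.example.net", None):
        print(h, compare(h))     # L4 rule allows all three; NGFW allows only the sanctioned host
```

Run it and the stateful firewall answers “allow” for all three connections, while the NGFW rule allows only the sanctioned host and denies the connection that carries no SNI at all. SNI inspection is the cheapest form of deep packet inspection; the SSL/TLS decryption listed above goes further and sees the HTTP request itself, and it becomes necessary when the client omits the SNI or hides it with Encrypted Client Hello.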

With the constant evolution of the threat landscape, it is foreseeable that the future cybersecurity battleground will see AI (Artificial Intelligence) pitted against AI. NGFW being the third generation of firewall technology, we can only wonder what capabilities a fourth generation will need to stay ahead of bad actors.

uCPE vs vCPE

IT sprawl at branch locations has been out of control in recent years. To connect and secure the branches of a distributed business, IT staff or an MSP had to install, configure and provision an assortment of purpose-built hardware appliances on premise. Often each appliance has its own complexities and skill set requirements. Each branch setup took weeks and provisioning demanded truck rolls.

With the advent of NFV (Network Functions Virtualization), vCPE (Virtual Customer Premise Equipment) and uCPE (Universal Customer Premise Equipment) made connecting and provisioning branch locations much faster, simpler and more cost-efficient. Functions that used to require their own boxes, such as routing, switching, content filtering, network access control, firewall policy enforcement and segmentation, now run as software on a general-purpose on-premise appliance.

What is the difference between vCPE and uCPE? Both move away from ASICs (Application Specific Integrated Circuits), which are fast but fix in silicon what the hardware can do, and run network functions as software on general-purpose processors instead. With vCPE the device on the premises is kept thin and most functions run in the provider’s or vendor’s cloud, where they are orchestrated centrally. A uCPE, by contrast, is a general-purpose appliance that hosts the virtualized functions locally, so routing, firewalling and segmentation keep working even when the link to the cloud is down; orchestration and policy still typically come from a central console. Because it is self-contained and can host several functions at once, a uCPE can take over what several appliances (or a hybrid cloud/vCPE setup) did before, further reducing IT sprawl, complexity and the number of bills.

Final comments

We hope these short comparisons highlight what matters when looking into an SD-Branch solution. We believe that a combination of multi-function on-premise hardware, easy-to-use cloud-based orchestration software, and managed services where needed is both effective and cost-efficient for distributed enterprises.

If your MPLS contracts are about to expire, consider leveraging broadband with an SD-WAN architecture and 4G LTE failover connectivity rather than renewing an expensive and complex architecture. Optionally, add managed firewall, switching and Wi-Fi services. uCPE has opened up a whole range of services that leverage NFV.

What at first seems complex is instead an evolutionary step towards reducing complexity and optimizing IT spend.