By Distributed Branches, I mean deployment scenarios where you see firewalls deployed in hundreds to thousands of branches. Examples of this deployment scenario are Retails and International Chains, which have stores or branches all over the globe.
- Retail/Department Stores
- Pharmaceutical Chains
- Financial Institutions
I will bring out specific examples with the number of firewalls they deploy in ensuing sections. As per my opinion there are 8 MUST HAVE features (summarized in the picture on the side) for such a deployment.
1. Zero touch deployments
These types of deployments generally have similar configuration at most branches so once the base configuration is decided it’s possible to reuse it at most locations. However, if not impossible, it’s very difficult to send an IT guy to install the firewall in a distributed branch location. That leads to most important requirement of being able to deploy these firewalls without having to send someone physically. The expectation will be that some network admin in the central office configures the firewall and then ships it to the distributed branch location, where someone will connect it to the network.
Now you may say, it’s a tall order satisfy that requirement. But I have seen some firewall vendors making it happen. It’s not impossible.
2. Scaled up device management
Most organizations, which have distributed branches have many of them – many times in thousands. Here are some samples from the US economy (these numbers keep changing but here is what I found as of today)
Walmart (>10,000 stores)
Walgreens, CVS Pharmacy etc. (>8000 branches)
Wells Fargo, JP Morgan Chase, Bank of America (>5,000 branches)
Staples (>3,800 stores)
Home Depot, Kroger (>2,500 stores)
Target, Lowe’s (>1,800 stores)
Kohl’s, JCPenny, Safeway, BestBuy (>1,000 stores)
Now most of these branch firewalls are deployed in a highly available (HA) pair so you can imagine the number of firewalls these organizations need to manage. Although these organization want their central management solution to manage these firewalls they also have need to provide local access for emergency purpose. So, the firewall management solution for such organizations should have that flexibility.
3. At scale log management & analytics
These thousands of firewalls in the branches will spew firewall device and security events on a constant basis. So, the management solution needs to be able to process all these events in near real time and provide immediate insights to the central as well as local users.
It’s also possible that such branches also have regulatory or compliance needs to store these events for couple of months. Although, these companies will most likely deploy a Security Information and Event Management (SIEM) type of solution, being able to process and store this massive data for every firewall at least couple of weeks is generally a requirement for such deployments.
And, a good central firewall management solution would not only be able to process these events but also provide meaningful analytics to make most use of that data to prevent attacks and threats.
4. Through 8
In the introductory paragraph of this post, I stated “8 MUST HAVE features,” however so far, I only wrote about 3. You can find remaining 5 in my previous blog “Firewall management needs of a Large Enterprise.”
Those needs are common between Distributed Branch and Large Enterprise types of firewall deployments.