You simply can’t take advantage of all that SD-WAN has to offer without giving branch offices local Internet access, and you can’t give them local Internet access without securing them. SD-WAN, for all its strengths, does not provide robust edge security. Yes, data is encrypted in transit. And, yes, some SD-WAN appliances come with basic stateful firewalling capabilities. But with attacks coming at layer 7, branches require a next-generation firewall (NGFW) and updated IPS/IDS capabilities to protect locations, not a basic firewall. For all intents and purposes, branch SD-WAN needs layer-7 security, which is why you see so many SD-WAN vendors striking partnerships with security vendors, and some building security into their appliances.