As enterprises grow their distributed environments, they face mounting challenges in securing branch locations, ensuring regulatory compliance, and maintaining optimal performance across hybrid networks. VeloCloud SD-WAN addresses these needs by embedding advanced, on-premises security capabilities directly at the edge—eliminating reliance on third-party appliances while streamlining operations.

Deep Application Recognition (DAR): contextual visibility for compliance 

VeloCloud integrates Deep Application Recognition (DAR) as a foundational layer of its Enhanced Firewall Services (EFS). This capability enables the system to identify, classify, and manage traffic at a granular level—critical for visibility, control, and compliance enforcement, including PCI DSS. 

DAR supports real-time application identification, traffic classification based on application type and protocol, and URL categorisation through a local database and VMware’s Threat Intelligence Cloud.

With support for over 80 URL categories, DAR enables blocking, allowing, or monitoring traffic based on customisable policy objects and 5-tier reputation scoring. This ensures encrypted traffic (HTTPS) is filtered via domain-based inspection without degrading performance—delivering secure, standards-aligned oversight across all environments.
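The paragraph above states that HTTPS traffic is filtered by domain without being decrypted. One common way to do that is to read the server name the client sends in the clear in the TLS ClientHello (the server_name extension of RFC 6066) and match it against a category and reputation table. The following added example, which is not VeloCloud code and does not describe VeloCloud's actual mechanism, demonstrates that approach: it builds a sample ClientHello, extracts the server name, and applies a constructed category/5-tier reputation policy. The URL table, category names and tier threshold are illustrative assumptions.

```python
import struct
from typing import Optional, Tuple

# Constructed lookup table (assumption): host -> (category, reputation tier 1..5,
# where 1 is the worst reputation). Not a real vendor database.
URL_DB = {
    "bank.example":     ("finance", 5),
    "cdn.example":      ("content-delivery", 4),
    "free-vpn.example": ("proxy-avoidance", 2),
    "dropper.example":  ("malware", 1),
}
BLOCKED_CATEGORIES = {"malware", "proxy-avoidance"}
MIN_ALLOWED_TIER = 3   # constructed policy: block anything rated below tier 3


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with a server_name extension.
    Used here only to construct sample traffic for the parser below."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x11" * 32            # random (constructed, not random)
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\xc0\x2f"     # one cipher suite
        + b"\x01\x00"             # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
    except (IndexError, struct.error):
        return None
    return None


def decide(record: bytes) -> Tuple[str, str]:
    """Apply the domain policy to a ClientHello without decrypting the session.
    Returns (verdict, reason) where verdict is allow, block or monitor."""
    host = extract_sni(record)
    if host is None:
        return ("monitor", "no SNI present; cannot classify by domain")
    category, tier = URL_DB.get(host, ("uncategorised", 3))
    if category in BLOCKED_CATEGORIES:
        return ("block", f"{host}: blocked category {category}")
    if tier < MIN_ALLOWED_TIER:
        return ("block", f"{host}: reputation tier {tier} below {MIN_ALLOWED_TIER}")
    return ("allow", f"{host}: category {category}, tier {tier}")


if __name__ == "__main__":
    for host in ("bank.example", "dropper.example", "free-vpn.example", "unknown.example"):
        print(host, decide(build_client_hello(host)))
```

A ClientHello with no server_name (or one using encrypted SNI) yields no domain, so the policy falls back to "monitor" rather than silently allowing; in a real deployment that fallback is a policy decision that should be made explicitly.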

Adaptive Firewall Architecture

VeloCloud’s SD-WAN Edge devices are equipped with a Layer 7 stateful firewall as part of the Enterprise license, which in turn delivers:

Stateful and session-aware inspection, identifying and monitoring traffic flows against established session data so that security policies are enforced precisely and efficiently 
Centralised firewall policy orchestration, giving administrators streamlined control over policy management across distributed networks, improving consistency and reducing operational complexity 
5-tuple session tables and dynamic policy enforcement, enabling granular control of network traffic while accommodating evolving application requirements 
Industry-leading per-packet load balancing and failover, providing the best level of performance and redundancy without compromising security functionality

The firewall is segment and device-aware, which is key for managing BYOD policies across iOS, Android, Windows, and macOS. This allows organisations to apply controls that align with zero trust principles, minimising the attack surface while maximising network intelligence.
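To make the "5-tuple session table" and "session-aware inspection" points above concrete, here is an added illustration of how a stateful firewall uses such a table: a flow is admitted by a policy rule once, keyed on (source IP, destination IP, source port, destination port, protocol), and later packets, including replies in the reverse direction, are accepted because they match an existing session rather than being re-evaluated against the rule set. This is generic teaching code, not VeloCloud's implementation; the rule schema, the simple address-prefix match and the idle timeout are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (src_ip, dst_ip, src_port, dst_port, proto)
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str           # "tcp" or "udp"
    syn: bool = False    # TCP SYN flag; only meaningful for proto == "tcp"

    def tuple5(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

    def reverse5(self) -> FiveTuple:
        # The key a reply packet would carry for this flow.
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


@dataclass
class Rule:
    name: str
    src_prefix: str             # constructed simplification: string prefix, not CIDR
    proto: str
    dst_port: Optional[int]     # None = any port
    action: str                 # "allow" or "deny"


@dataclass
class StatefulFirewall:
    rules: List[Rule]
    idle_timeout: float = 300.0
    sessions: Dict[FiveTuple, float] = field(default_factory=dict)  # key -> last seen

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.sessions.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def _match_rule(self, pkt: Packet) -> Optional[Rule]:
        for r in self.rules:          # first match wins
            if r.proto != pkt.proto or not pkt.src_ip.startswith(r.src_prefix):
                continue
            if r.dst_port is not None and r.dst_port != pkt.dst_port:
                continue
            return r
        return None

    def process(self, pkt: Packet, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (verdict, reason). Session lookups happen before rule evaluation."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        fwd, rev = pkt.tuple5(), pkt.reverse5()
        if fwd in self.sessions:
            self.sessions[fwd] = now
            return ("allow", "established session (forward)")
        if rev in self.sessions:
            self.sessions[rev] = now
            return ("allow", "established session (reply)")
        if pkt.proto == "tcp" and not pkt.syn:
            # Mid-stream TCP with no session: never admit, regardless of rules.
            return ("deny", "non-SYN packet with no session")
        rule = self._match_rule(pkt)
        if rule is None:
            return ("deny", "default deny")
        if rule.action != "allow":
            return ("deny", f"rule {rule.name}")
        self.sessions[fwd] = now
        return ("allow", f"rule {rule.name}, session created")


def build_demo_firewall() -> StatefulFirewall:
    # Constructed policy: LAN 10.1.0.0/16 may open HTTPS and DNS; everything else denied.
    return StatefulFirewall(rules=[
        Rule("lan-https", "10.1.", "tcp", 443, "allow"),
        Rule("lan-dns", "10.1.", "udp", 53, "allow"),
    ])


def run_demo() -> List[str]:
    fw = build_demo_firewall()
    flow = [
        (Packet("10.1.0.5", "203.0.113.10", 51000, 443, "tcp", syn=True), 0.0),   # outbound SYN
        (Packet("203.0.113.10", "10.1.0.5", 443, 51000, "tcp"), 1.0),             # reply
        (Packet("198.51.100.7", "10.1.0.5", 4444, 22, "tcp", syn=True), 2.0),     # unsolicited inbound
        (Packet("10.1.0.5", "203.0.113.10", 51001, 443, "tcp"), 3.0),             # non-SYN, no session
        (Packet("203.0.113.10", "10.1.0.5", 443, 51000, "tcp"), 1000.0),          # reply after idle timeout
    ]
    return [fw.process(pkt, now)[0] for pkt, now in flow]


if __name__ == "__main__":
    print(run_demo())   # constructed sample flow above
```

The deterministic `now` argument exists so the idle-timeout path can be exercised without sleeping; the last packet in the sample flow is a reply that arrives after the session has aged out and is therefore refused even though an identical packet was accepted earlier.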


Enhanced Firewall Services (EFS) 

The Enhanced Firewall Services (EFS) add-on license enriches VeloCloud SD-WAN with more advanced, robust threat protection capabilities through a multi-layered security architecture:

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS): Native edge-based analysis prevents exploits, including zero-day network-based exploits, by leveraging NSX’s distributed intelligence. 
URL Filtering: Uses real-time threat intelligence from VMware’s cloud together with a local categorisation engine to deliver precise, context-aware filtering. 
Malicious IP Protection: Proactive defence using known threat feeds synchronised to Edge appliances. 


This layered architecture allows for high-speed inspection and enforcement without backhauling to centralised appliances, maintaining performance across branch offices, data centres, and cloud edges and delivering robust and adaptive threat mitigation. 

Real-time Defence and Compliance Alignment 

VeloCloud’s on-prem security engine aligns with globally recognised compliance standards and certifications, including PCI DSS, FIPS 140-2, GDPR, ISO 27001, 27017 and 27018, AICPA SOC 1/2/3, and ICSA Labs Certified Firewall. 

These certifications underpin the solution’s suitability for regulated industries, enabling compliance without added complexity. 

By shifting from bolt-on appliances to built-in security, organisations gain operational efficiency, agility, and a security posture capable of adapting to modern digital risk. 

Secure Connectivity and Data Protection at the Edge  

In an era where distributed networks are the norm, secure communication between branches, data centres, and cloud workloads is paramount. VeloCloud SD-WAN addresses this with robust encryption standards, dynamic tunnel management, and intelligent enforcement that safeguards data in motion without compromising speed.

Multi-tiered Encryption for Enterprise-grade Protection 

VeloCloud utilises IKEv2/IPsec tunnels to establish encrypted links across all network endpoints. These tunnels are secured with AES-128 or AES-256 for confidentiality and SHA-1 or SHA-256 for data integrity. TLS 1.2 (over TCP 443) is used separately for secure communication with the Orchestrator and essential control-plane functions.

These encryption protocols meet stringent regulatory standards and ensure that sensitive data remains protected throughout its journey.

Flexible Encryption Models for Distributed Topologies 

VeloCloud supports a range of encryption deployment strategies to adapt to unique enterprise architectures: 

Gateway-based encryption: Traffic is encrypted at the branch edge and routed via secure VMware-hosted gateways, ideal for cloud-first or internet-bound traffic. 
Hub-based encryption: A centralised model where data is decrypted and re-encrypted at a trusted hub before reaching its destination—commonly used in hybrid or MPLS-linked deployments. 
Dynamic branch-to-branch encryption: VeloCloud SD-WAN tunnels are automatically created between branches, minimising latency and enhancing direct-site security. 

This flexibility allows enterprises to architect secure communication pathways tailored to performance and compliance needs. 

Role-based Access and Administrative Auditability 

Secure connectivity must be matched by secure operational controls. The VeloCloud Orchestrator delivers granular Role-Based Access Control (RBAC), enforced through: 

Two-factor authentication (2FA), adding a layer of security to administrative logins 
Comprehensive activity logging, ensuring audit readiness and enabling traceability 
Four pre-defined roles, ensuring access is aligned with operational requirements. This layered access model minimises insider risk while enabling collaborative operations: 
o Super User: Full configuration and policy control 
o Standard admin: Scoped admin capabilities 
o Customer support: Read-limited access for troubleshooting 
o Read-only: Visibility without change privileges 

Compliance Alignment Through Embedded Visibility and Control 

Regulated sectors such as finance, healthcare, and retail demand consistent adherence to compliance frameworks like PCI DSS, GDPR, and ISO 27001. 

VeloCloud simplifies this through native capabilities that support audit readiness and data protection:

Encrypted tunnels to ensure confidentiality and regulatory compliance 
DAR and granular traffic segmentation to isolate sensitive workloads 
Detailed system logs to track changes and access attempts for audit trails 

Together, these features enable enterprises to meet compliance objectives without introducing operational friction. 

Security as a Built-in Function of Connectivity 

VeloCloud SD-WAN doesn’t treat security as an overlay or optional module—it embeds it directly within the edge fabric. From threat prevention and encryption to access control and compliance logging, the solution enables:

Resilient, encrypted connectivity 
Centralised policy enforcement 
Real-time visibility and auditability

As enterprises evolve to meet the realities of cloud-first, hybrid, and remote operations, VeloCloud provides the secure, intelligent foundation necessary to protect data and ensure regulatory alignment—at scale, at speed, and at the edge.
