Home / Solutions / Industrial Networking & Datacom / Branch & Remote Access Security (SASE)
DOMAIN 02 · INDUSTRIAL NETWORKING

Branch & Remote Access Security (SASE): One Policy for Every Site and Every Remote Worker

A box at headquarters protects headquarters. It does nothing for the twenty branches that dial the internet on their own, and nothing for the people working from home. This solution delivers the inspection from a cloud service instead: a lightweight edge at each branch, zero-trust access for remote staff, one policy written once and pushed everywhere — designed on open-brand product categories, sized by sites and users, with the crossover point where a plain firewall is cheaper stated out loud.

What Happens When the Network Stops Being One Building

Four problems that appear the moment a company has more than a couple of sites:

Every branch bought its own firewall, and nobody owns themDifferent brands, different rule sets, different firmware ages — installed by whoever was available that week. Nobody can say what is actually allowed at branch eleven.
Home workers on a VPN that is slow and only feels safeThe tunnel drops the laptop straight onto the corporate LAN and trusts it entirely, while pushing every video call back through headquarters. Slow enough that people turn it off.
Cloud traffic detours through headquartersA branch two streets from a cloud data centre reaches it by crossing the country to headquarters and back. The latency is self-inflicted, and users blame the application.
Policy synchronised by hand across dozens of sitesOne rule change means someone logs into every box, one after another, over weeks. Three sites get missed. Nobody finds out until an audit — or an incident.

Architecture: Move the Inspection, Not the Traffic

Security functions live in a cloud service between your sites and the internet; the branch keeps only what it needs to get there safely:

BRANCH SITES Branch A · light edge + local LAN Branch B · broadband + cellular backup Branch C … and every site after it zero-touch onboarding: the edge is shipped, plugged in, and pulls its policy — no engineer flight no full security stack per branch to patch REMOTE & HOME USERS laptop / phone with a zero-trust client per-application access, checked every session — not a tunnel that drops the laptop onto the LAN device posture checked before entitlement applies CLOUD SECURITY SERVICE delivered from service locations near your sites · firewall & intrusion prevention as a service · secure web gateway · URL & app control · cloud-application access control · zero-trust access broker for remote users · encrypted-traffic inspection where lawful licensed per user, per year — see the limits below UNIFIED POLICY & LOG PLATFORM one rule set, written once, pushed to every site application-aware path selection per branch logs from all branches in one place, retained the part that ends the by-hand synchronisation INTERNET & CLOUD APPS cloud suites · video calls · web reached from the nearest service point, not by crossing the country to HQ first local breakout for trusted apps · everything else inspected before it leaves HQ / DATA CENTRE ERP · file · internal apps still reachable — published per application, not by opening the whole LAN to a tunnel encrypted tunnels per-app publishing

Architecture drawn by AtlasCommTech following carrier-grade network-security design practice. Diagram labels are kept in English for engineering clarity.

How this differs from our Enterprise Internet Edge Security solution — read this first. That page describes one company, one building, one internet exit: a firewall pair in your rack, zones, NAT, intrusion prevention, logs. Hardware you own and control, and for a single site it is the correct and cheaper answer. This page exists for the shape of company that model cannot cover: many branches plus staff who are not in any building. Put a box in every branch and you own that box's licence, its firmware, its configuration drift and its 2 a.m. failure — multiplied by however many sites you signed. Here the inspection moves to a cloud service, the branch keeps a small edge that just gets there safely, remote laptops join the same policy, and the rule set exists in one place. Same functions, different delivery model. The honest crossover is discussed in the limits section, because for a handful of branches, boxes still win.

Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks — the environment where a policy change has to land on hundreds of sites correctly, the first time, because there is no second window. That is the discipline we bring to a thirty-branch rollout.

Equipment Options

The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.

Huawei — enterprise campus, WAN and security linesMature ecosystem with a global service network.
ZTE & Wantone — comparable datacom linesPrice-performance direction; supply runs smoother in some markets.
H3C — campus and data-center linesWidely deployed campus and data-center portfolio.
Atlas industrial switches — industrial-scenario access layerOur own industrial line — compatible with any brand's core layer.

What the Design Delivers

Six capabilities — the point of all six is that the number of branches stops being the thing that decides how much work security is:

Inspection delivered from the cloudFirewalling, intrusion prevention, web gateway, URL and application control run in a service near your sites — not in a box per branch that someone has to patch.
Lightweight branch edge, zero-touch onboardingThe edge is shipped to the site, plugged in by whoever is there, and pulls its configuration. Opening branch twenty-one stops requiring an engineer on a plane.
One policy, pushed everywhereThe rule set is written once and applied to every site and user. No more logging into thirty boxes and missing three — the audit question becomes answerable from one screen.
Zero-trust remote access instead of blanket VPNEach person reaches only the applications they are entitled to, with user and device checked per session. A stolen laptop no longer means a stolen network.
Local breakout with application-aware path selectionCloud and video traffic exits at the branch under policy instead of hairpinning through headquarters; the design picks the link per application, with the second link as backup.
All branches visible in one log platformWho reached what, from which site and which account, retained to your regulator's clock — the difference between suspecting a problem and being able to show it.

Three Sizes, One Design Logic

Cloud-delivered security is sized by users and sites, not by a throughput number on a datasheet — here is how the tiers differ:

Numbers we design around:
Site count decides the model: below ~5 branches, boxes are usually cheaper — we do the arithmetic before you commit
Licensed per user per year — count contractors and remote staff, not just desks
Per branch: link count, uplink bandwidth and which applications must survive a link failure
Scale tierTypical organisationWhat the design includes
~5 branchesSmall chain · regional office group · a few project sitesThe crossover tier, and we treat it as one: light edge per branch with a single broadband link, cloud inspection for internet traffic, encrypted tunnels back to headquarters, remote access for a small user group. At this size we always price the box alternative alongside — and if it wins, we say so.
~20 branchesRetail chain · bank branch network · school or clinic groupWhere the model starts paying for itself: zero-touch onboarding as standard, dual link per branch (broadband plus cellular backup), local breakout for cloud applications under policy, one policy set with per-site exceptions, central logging with retention, zero-trust access for the whole mobile workforce.
50+ branches & remote workforceNational chain · government branch network · distributed enterpriseOperations-first design: policy grouped by site role rather than by site, staged rollout with a pilot group before the fleet, redundant service connections per region, application-aware path selection tuned per branch class, endpoint posture tied into the access decision, and a change process that assumes people leave and documents must survive them.

Equipment Roles (Categories, Not Models)

The solution is built from these product and service categories — the brand is chosen with you at design stage. Exact models depend on your site count, bandwidth, enabled functions and destination country — so we spec models after your requirements list, not before.

RoleWhat it does
Branch edge devicesThe small router or firewall-router at each site: builds the encrypted tunnel, selects the link per application, keeps a local rule set when the tunnel is down. Sized by branch bandwidth and user count, not by the biggest branch you have.
Cloud-delivered security serviceFirewalling, intrusion prevention, web gateway and cloud-application control, subscribed per user per year. This is a service line in your budget forever, not a purchase — we say that plainly before you sign.
Unified controller / management platformWhere the single policy is written and from where it is pushed; also where onboarding, per-site exceptions and change history live. The component that makes fifty sites one job instead of fifty.
Zero-trust access gateway & clientPublishes internal applications per person instead of exposing the LAN, checks user and device each session, and replaces the full-tunnel VPN that everyone quietly disables.
Endpoint agent (posture & response)Feeds device health into the access decision and handles what the network cannot see. Whether it is bundled with the service or bought separately depends on the brand — we spell out which, for your shortlist.
Branch links (broadband + cellular backup)Not a box we sell, but the thing your branch availability actually depends on. Buy from local carriers; we specify what the design needs and how the backup should behave.

Send us your requirements list — site count, users per site, links per branch, which applications must never stop — and the model list follows. That order keeps the design honest.

Design Notes & Honest Limits

Read this before you commit:
  • Cloud-delivered security is licensed per user, per year. Below roughly five branches, a traditional firewall is usually the better buy — you pay once and own it. We will say so directly rather than sell you a subscription that outlives its own logic. Above that, the operating effort of many boxes is what tips the arithmetic, and we will show you that arithmetic with your numbers in it.
  • A cloud security model does not remove your dependency on the branch link. If a site has one internet line and it is cut, the branch is down — no architecture repairs a cut cable. Redundancy is bought from carriers, per site, and it is a real line in the budget. We design for the failure and tell you what it costs.
  • Service-point coverage is not the same everywhere. In markets with few nearby service locations, traffic may travel further than the marketing map suggests, and latency shows it. We check the actual coverage for your countries before the design is fixed — not after.
  • Zero-trust access reduces the blast radius; it does not stop a person from clicking a bad link with valid credentials. It limits what those credentials can then reach. Ransomware defence still needs endpoint protection, offline backups and trained staff — we name those layers instead of implying this one covers them.
  • Licensing policy, service availability and data-residency rules differ by brand and by destination country — and for cloud-delivered security, where the inspection happens can itself be a legal question. We confirm both the commercial and the residency position for your countries at design stage, before you commit.

FAQ

What is SASE, in plain words?
Instead of putting a full security stack in every branch, the inspection happens in a cloud service that sits between your sites and the internet. Each branch keeps only a small edge device that builds an encrypted tunnel to the nearest service location; remote laptops connect to the same service with a client. One policy is written once and applied to every site and every user. The trade is ownership for subscription: you stop patching twenty boxes, and you start paying per user per year.
How is this different from your Enterprise Internet Edge Security solution?
That solution secures one egress: a firewall pair at headquarters, zones, NAT, IPS, logs — hardware you own, sitting in your rack. It is the right answer for a single-site company. This solution exists because that model does not scale sideways: at fifteen or thirty branches you would be buying, licensing, patching and rule-matching fifteen or thirty separate boxes, and mobile staff are outside the perimeter entirely. Here the inspection moves to a cloud service, the branch keeps a light edge, and policy is written once. Same security functions, different delivery — chosen by how many sites you have, not by fashion.
Can staff work from home without a full VPN?
Yes, and that is the point of the zero-trust part. A classic VPN drops the laptop onto the corporate LAN and trusts it, then hairpins all its internet traffic through headquarters — which is why it feels slow. Zero-trust access publishes only the specific applications a person is entitled to, checks the user and the device on every session, and lets everything else go straight out. The user gets a faster session and you get a smaller blast radius if the laptop is stolen.
What happens at a branch if the internet link or the cloud service is unreachable?
Design for it rather than hope. Branch edges hold a local rule set and keep forwarding when the tunnel drops, a second link (broadband or cellular) covers the common case of one line failing, and the design states which applications must keep working offline. Full honesty: if the branch has one internet line and it is cut, no cloud-delivered security architecture will save that branch. Redundancy is a link decision, not a security-product decision.
Is SASE cheaper than putting a firewall in every branch?
It depends on the site count, and we will do the arithmetic with you rather than assume the answer. Cloud-delivered security is licensed per user per year, so it never fully stops costing. Firewalls are bought once, then licensed for signatures — but every extra box adds installation, patching and someone's time. The crossover sits around a handful of branches: below roughly five sites, boxes usually win on cost; well above that, the operating effort of boxes wins the argument for the cloud model. If your case falls on the boxes' side, we will say so and quote you boxes.

Send us your site count, users per site and how many people work remotely

An engineer replies with an architecture outline, a policy structure and the equipment-category list — including whether boxes would serve you better at your size. Send us your requirements list; the model list follows.

WhatsApp an engineer →

Related Solutions