The workplace has changed significantly—hybrid work is now the standard. Employees move easily between offices, campuses, home, and remote locations, working wherever they can be most productive. This shift has fueled an explosion of connected devices across all environments—especially in branches and campuses where employees frequently use personal devices for work, access sensitive data from multiple endpoints, and rely heavily on SaaS applications for daily productivity. Simultaneously, IT teams are deploying a growing number of IoT devices to streamline operations, enhance monitoring, and improve overall operational efficiency. The result is a dynamic network infrastructure that demands stronger visibility, control, and security.
These changes also bring a significant number of vulnerabilities, both sophisticated and unknown. According to industry reports, there is a 136% increase in vulnerabilities among IoT devices compared to the previous year, with the proportion of vulnerable devices rising from 14% in 2023 to 33% in 2024.
Branch and Campus networks are at the heart of enterprise IT operations. To secure this critical infrastructure, it’s essential to protect and monitor wired and wireless LANs at the point of connection. Despite evolving network demands, many teams still rely on traditional technologies, such as Virtual LANs (VLANs), for segmentation, monitoring, and enforcement.
However, with the rise in threats like MAC spoofing, malware attacks and command injection to exploit vulnerabilities, traditional measures such as 802.1x NAC for basic admission control and VLANs create broadcast domains that allow threats to propagate throughout the logical segment with no checks or counter-measures. Additionally, these legacy solutions cannot monitor and track movement, allowing high-risk devices to spread malicious threats.
To address these challenges, organizations must adopt a more unified, and secure networking approach starting from their Local Area Networks (LAN). They require Zero Trust with comprehensive visibility, dynamic policy enforcement, and the ability to segment users and devices with precision, thereby reducing their attack surface while significantly simplifying operations. Effectively, Enterprises need secure perimeters on their LAN that are built on zero trust principles.
Versa Secure SD-LAN is a LAN connectivity solution designed for a world of rapidly growing Enterprise, personal and IoT devices – and evolving security threats. Legacy LANs struggle to identify users or devices, segment traffic precisely, or track device movement. Versa’s approach solves this with built-in micro-segmentation, device-level visibility, and Zero Trust enforcement at every port. It unifies switching, routing, and security policy control into a centrally managed, software-defined platform—eliminating hardware lock-in and reducing operational overhead.
Versa Secure SD-LAN solution simplifies and secures your branch and campus networking with key capabilities that include:
Scalable software-defined architecture: Unlike traditional networks with point products of Ethernet switches, WLAN Access Points, routers and firewalls connected in a hierarchical Access-to- Distribution-to-Core model, Versa Secure SD-LAN takes a standards-driven software-defined approach. It establishes an overlay connection across all layers in a full mesh topology, overcoming the limitations found in underlay connectivity. It then connects this overlay control plane with central controller of Versa to deliver a unified control plane.
Built-in security features: Most solutions require an additional security appliance to enforce and protect branch networks. Versa Secure SD-LAN embeds security services directly into the networking function, including a next-generation firewall (NGFW), East-West visibility, and Zero Trust Network Access (ZTNA), which are integrated directly into the SD-LAN fabric. This enforces Zero Trust policies within the LAN —controlling access to the Enterprise LAN for corporate, guest, and IoT devices based on security posture, user identity, and device privileges, effectively providing a security perimeter for LAN which was not possible before.
Automatic Discovery of IoT Devices:
With the rise of unmanaged and headless devices in enterprise environments, Versa Secure SD-LAN eliminates visibility gaps by automatically identifying and classifying connected devices using device fingerprinting. This includes IoT and OT devices that lack built-in user interfaces or endpoint agents. Once identified, each device is tagged and mapped to the correct microsegment, enabling precise access control and tracking of lateral movement. Flow-level reporting is then generated and analyzed through Versa Analytics and Versa ALS, delivering comprehensive visibility and actionable insights to help strengthen LAN security.
Tracking and Containing Devices Across the LAN: By dividing the network into isolated zones called microsegments, Versa Secure SD-LAN prevents any communication between users and devices within the LAN. It leverages the Versa SASE client to identify user devices and device fingerprinting for headless devices like IoT/OT to tag them to the right micro-segment, thereby tracking their lateral movement anywhere within the LAN.
Continuous posture checks for policy-based access and control: Versa Secure SD-LAN constantly checks for user and device risk postures (like antivirus status) using real-time, inline evaluation of traffic patterns. This is achieved by creating unique tags for users and devices based on their risk posture, user identity, and device identity. Policy control is then implemented to determine the traffic flow and track device movement between segments. For example, if a user device has an outdated antivirus, it is immediately placed in a quarantine segment to prevent the threat from propagating to the rest of the network.
Accelerated enforcement of access controls: Unlike traditional switches that rely on software-based access controls, Versa Secure SD-LAN enforces micro-segmentation at wire speed by leveraging Network Processing Hardware. As a result, policy changes are provisioned instantly when the user device moves across the network, ensuring that the same security posture and enforcement are always maintained.
Complete IoT and OT visibility: With organizations adopting IoT from unknown vendors and running outdated operating systems, the threat of unknown vulnerability is now more than ever. Versa Secure SD-LAN eliminates these challenges by automatically identifying and classifying with an AI-powered IoT inventory. Once accurately identified, it generates inline, flow-level reporting that delivers comprehensive 360-degree visibility and further analyzes them through Versa Analytics and Versa ALS, providing deep insights and actionable intelligence to enhance network security and performance.
Versa Secure SD-LAN eliminates the deployment complexities of traditional networks with Zero Touch Provisioning, Dynamic Smart Ports and template-driven policies, simplifying day 0 operations. With unified management for switching, routing and security, it further reduces day 1 operational challenges with siloed tools and inconsistent enforcement. Finally, it reduces day 2 to day n operational overhead by leveraging the power of AI/ML to detect, identify the root cause, and resolve performance and security issues faster.
To learn more about how we can help you deploy, secure and scale your branches here.
Subscribe to the Versa Blog
Gartner Research Report
Trial
ROI
Contact