How SASE Empowers Your Business For The Cloud Generation.


Traditional networking and security concepts are obsolete when adopting the public cloud for digital transformation.

WHITE PAPER | NETWORK SECURITY

SASE solutions by Barracuda Networks accelerate all-in public cloud initiatives by providing ubiquitous cloud access for every branch, access to the fastest global WAN backbone, cloud-delivered security enforcement, and Zero Trust Access to any app for all remote employees.

Introduction

Wide area networks (WANs) have played a critical role in business growth for several decades. Early WANs were used to provide mainframe access to remote terminals using networking protocols that were in place long before IPv4 came along. These networks were gradually replaced by WANs that used expensive point-to-point leased lines to connect local area networks across multiple locations. By backhauling traffic from branch offices to the data center, companies could centralize security resources in one location and avoid the overhead of distributed security appliances.

[Figure: Classic backhauling architecture with a single gateway. The full security stack is deployed at the central entry point (HQ) only, and every branch is connected through it.]

As WAN technology matured and software as a service (SaaS) became popular, legacy WANs gave way to new architectures built around branch office firewalls with secure internet breakouts alongside site-to-site virtual private networks (VPNs). This solved the problem of network congestion caused by backhauling, but it created additional overhead at each branch office. By the early 2010s, companies all over the world were struggling with multiple vendors and legacy technologies with no single pane of visibility into networking, security, performance, or compliance.

In early 2016, market analyst firm Gartner conducted a survey of high-profile technology managers and decision makers.

[Chart: Which portion of your network is the most expensive / most critical? Categories: Campus / user edge, Data center, WAN, Network security. Source: Gartner Data Center Conference 2016 (n = 94 / 84).]

Companies were looking for a way to resolve the disparities between priorities and costs, and they found it in cloud services and SD-WAN.

Beyond the software-defined WAN

Gartner defines software-defined WAN (SD-WAN) as solutions that “provide a replacement for traditional WAN routers and are agnostic to WAN transport technologies.” Because SD-WAN is both carrier- and transport-agnostic, it can use any transport mode regardless of who provides it or where the network edges are located. Network traffic is managed intelligently across these transports for the best network performance.

Enterprise bandwidth requirements were increasing, and SD-WAN solutions enabled corporate technology budgets to keep up with these needs. Simplified deployment, rapid bandwidth provisioning, and centralized administration reduced the time and effort needed to manage the WAN. And because SD-WAN is transport-agnostic and supports multiple links, redundancy and failover are baked into the network. ‘Always-on’ internet connectivity had become mission critical, and SD-WAN made this easier and less expensive to deploy.

Industry analysts watched carefully as SD-WAN displaced older technology and became the “backbone of the enterprise.” Branch-to-branch and branch-to-site connections were losing relevance outside of proprietary application requirements, and Gartner analysts predicted that most enterprise data centers would be eliminated by 2025.

Barracuda Networks WHITE PAPER How SASE empowers your business for the cloud generation. NETWORK SECURITY

This shift in the business technology landscape brought new challenges. How do companies make sure that all locations and all users are always connected to the public cloud? What is the most efficient way to provide access to data and applications to remote workers? How can IT deliver the best possible internet performance while keeping costs aligned with priorities? How can IT provide application performance from anywhere across the globe without having to host the application in various regions or spend a fortune on private lines and co-location providers? How can IT scale the network and the related security enforcement dynamically up and down according to current demand? How can IT apply and scale security and access policy to all offices and remote employees equally?

[Figure: SD-WAN architecture for accessing internet and SaaS solutions. HQ and each branch break out to the internet directly.]

The solutions to these challenges were found in a completely new technology framework known as Secure Access Service Edge.

Digital transformation “all-in” with SASE

Secure Access Service Edge, or SASE, is a simple concept put forth by Gartner in a 2019 research note. SASE (pronounced “sassy”) is based on a simple assumption: if the vast majority of data, applications and servers is hosted in the public cloud or as a SaaS solution, it simply makes sense to move away from the traditional data center and “protected network edge” in favor of direct cloud access, where everything needs to be considered as an edge and secured and managed by a cloud service. Hence the name Secure Access Service Edge. So, when optimizing networking around ubiquitous anytime, anywhere access to the cloud, the next logical step is to move all routing, networking, and security functions there too. Once this is done, the next step is to provide secure access for remote users.

Traditional VPN solutions turn out to be not agile enough, costly, and inflict quite an overhead on the typical remote user. When establishing a VPN connection, the device is essentially “teleported” into the network, and any infection present on the device can spread with it and infect the applications. ZTNA, short for Zero Trust Network Access, an upcoming technology at the time, solves these issues. Connectivity is seamless for the end user, only the application currently needed is accessed, and network-level infections and malware are kept out by definition.

Combining all these services and functions into a cloud-delivered service enables enterprises to deploy and scale their resources as needed, enjoying unprecedented agility and network performance across the globe.

[Figure: SASE delivers Network and Security as one cloud service, connecting mobile workers, SaaS apps, IaaS workloads and cloud apps.]

Barracuda CloudGen WAN: the SASE you need in the cloud you want.

Barracuda CloudGen WAN provides cloud on-ramp with Secure Web Gateway (SWG) and Next-Generation Firewall as a Service (NGFWaaS) for remote endpoints connecting to the SASE entry point hosted in any of the Azure regions, as well as private SASE entry point capabilities.

[Chart: Preferred public-cloud platform of IT business decision makers in the U.S., EMEA, and APAC, comparing Microsoft Azure, Amazon AWS and Google GCP as “my organization’s preferred platform”, “the most secure platform” and “the most user-friendly platform”. Source: Secure SD-WAN: the launch pad into cloud, Vanson Bourne, 2020 (n = 750).]

Office locations are connected to the SASE service by means of the CloudGen WAN site devices. These provide cloud on-ramp capabilities including SD-WAN with simultaneous use of up to 16 physical internet connections that are constantly evaluated by dynamic bandwidth and latency detection. This information is used in application-based routing to dynamically assign available bandwidth, uplink, and routing information based on protocol, user, location, and content as well as application, application category, and even web content categories. This even works for application and traffic flows across multiple logical VPN tunnels spread across multiple physical uplinks and ensures application traffic always uses the best possible uplink for the use case. In the event of adverse network conditions, adaptive session balancing and adaptive bandwidth protection selectively shift recreational, lower-priority traffic to less suitable links or block recreational traffic completely until the network conditions have been restored.

At the network level, the SASE site devices use built-in link optimization technology with advanced Forward Error Correction (FEC) to optimize real-time traffic like VoIP or video communication. The implementation uses Random Linear Network Coding (RLNC) to overcome packet loss by sending repair packets. Using Forward Error Correction on an RLNC basis means a more dynamic adjustment of repair packets, less network overhead, faster reaction times and fewer retransmissions required. By reducing the number of required retransmissions, the available bandwidth is restored quickly, and applications perform as expected even when the network conditions are suboptimal. All of this works seamlessly in the background between the CloudGen WAN site devices and the SASE entry points hosted in the Azure region, effectively creating a self-healing cloud on-ramp, even if only a single uplink is deployed.

For organizations that have certain geopolitical requirements or use applications requiring an organization’s IP address as the source IP address, every CloudGen WAN site device can serve as a private enforcement node for SWG and NGFWaaS enforcement and as an entry point to the cloud service for remote endpoints.

The site devices are available in a virtual form factor or as easy-to-deploy hardware units, from small desktop form factors for SOHO or small offices to large 1U office devices with up to 10 Gbps SASE throughput per site device. Managed via a cloud console and shipped directly to the branch with zero-touch deployment, setup and onboarding of locations to SASE provided by CloudGen WAN on Azure is a fast and seamless experience.

The SASE Edges in Azure also provide traffic visibility and SWG and NGFWaaS security enforcement for intra-cloud or cloud egress use cases, overcoming the cumbersome deployment of multiple virtual security devices in the cloud or having to deal with Azure Security Groups or Azure Firewall and Azure security partner providers. These solutions are typically more expensive, less integrated and more complicated to use.

The Service Edge in Azure as well as the private enforcement points on the site devices are controlled by the security policies defined centrally in the CloudGen WAN Management Portal, without the need for the administrator to know where the traffic enters the service.

[Figure: Dashboard of the CloudGen WAN Management Portal.]
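The FEC mechanism described above can be illustrated with a small added example in Python. It is not Barracuda's implementation (the paper does not publish one) but a systematic RLNC-style code over GF(2): the sender transmits the k source packets followed by repair packets that are XOR combinations of them, and the receiver runs Gauss-Jordan elimination on whatever arrived to rebuild the lost packets without a retransmission. The coefficient vectors are fixed here for reproducibility, whereas a real RLNC encoder draws them at random and adapts the number of repair packets to the observed loss; the example also shows the case the passage alludes to, where the received packets are linearly dependent and a retransmission is still required.

```python
"""Added example: forward error correction in the style of Random Linear
Network Coding (RLNC) over GF(2).  Teaching model only, not Barracuda's
code; the coefficient vectors are fixed for reproducibility, where a real
encoder draws them at random and adapts the repair count to the loss rate."""
from typing import List, Optional, Sequence, Tuple

Packet = Tuple[List[int], bytes]  # (coefficient vector over GF(2), payload)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Add two equal-length payloads in GF(2), i.e. byte-wise XOR."""
    return bytes(x ^ y for x, y in zip(a, b))


def encode(source: Sequence[bytes], repair_coeffs: Sequence[Sequence[int]]) -> List[Packet]:
    """Return the k source packets (systematic: unit coefficient vectors)
    followed by one repair packet per coefficient vector, each repair packet
    being the XOR of the source packets selected by that vector."""
    k = len(source)
    packets: List[Packet] = []
    for i, payload in enumerate(source):
        packets.append(([1 if j == i else 0 for j in range(k)], payload))
    for vec in repair_coeffs:
        payload = bytes(len(source[0]))
        for j, bit in enumerate(vec):
            if bit:
                payload = xor_bytes(payload, source[j])
        packets.append((list(vec), payload))
    return packets


def decode(received: Sequence[Packet], k: int) -> Optional[List[bytes]]:
    """Gauss-Jordan elimination over GF(2) on the packets that arrived.
    Returns the k source payloads in order, or None when the received
    coefficient vectors do not span GF(2)^k (rank < k): the loss exceeds what
    the repair packets cover and a retransmission is needed."""
    pending = [(list(vec), payload) for vec, payload in received]
    solved: List[Packet] = []  # one row per source index, in order

    def subtract(row: Packet, pivot: Packet) -> Packet:
        return ([a ^ b for a, b in zip(row[0], pivot[0])], xor_bytes(row[1], pivot[1]))

    for col in range(k):
        idx = next((i for i, (vec, _) in enumerate(pending) if vec[col]), None)
        if idx is None:
            return None  # no remaining packet carries information about source[col]
        pivot = pending.pop(idx)
        # Clear this column from every other row, including rows solved earlier,
        # so each solved row ends up as a unit vector with the matching payload.
        pending = [subtract(r, pivot) if r[0][col] else r for r in pending]
        solved = [subtract(r, pivot) if r[0][col] else r for r in solved]
        solved.append(pivot)
    return [payload for _, payload in solved]


# Constructed sample: four equal-length "media frames" plus two repair packets.
SOURCE = [b"frame-00", b"frame-01", b"frame-02", b"frame-03"]
REPAIR_COEFFS = [[1, 1, 0, 1], [0, 1, 1, 1]]


def simulate(lost: Sequence[int]) -> Optional[List[bytes]]:
    """Encode SOURCE, drop the packets whose indices are in `lost`
    (0-3 are source frames, 4-5 the repair packets) and try to decode."""
    packets = encode(SOURCE, REPAIR_COEFFS)
    received = [p for i, p in enumerate(packets) if i not in set(lost)]
    return decode(received, len(SOURCE))


if __name__ == "__main__":
    print(simulate([1, 2]))  # both lost frames rebuilt from the repair packets
    print(simulate([1, 3]))  # None: these two losses are not separable by these coefficients
```

With two repair packets, losing frames 1 and 2 (or frames 0 and 1) is repaired locally, while losing frames 1 and 3 is not, because both repair packets carry the same combination of those two frames and the system has rank 3. Random coefficients over a larger field make such dependent cases rare, which is why an RLNC encoder can keep the repair overhead small.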

SASE with Barracuda CloudGen WAN is different

Many vendors attempting to provide all SASE core capabilities use a process called “VM service chaining” in the public cloud. This process provides the combined SD-WAN and security functions of SASE by stringing together virtual appliances that are each dedicated to a specific subset of functions. The customer receives the SASE service, but Gartner has noted that service chaining will introduce “inconsistent services, poor manageability and high latency” into a SASE solution.

[Figure: VM service chaining. Traffic from the fixed access network and the mobile access network passes through a chain of separate virtual appliances: router, video optimization, web proxy, firewall, router.]

Barracuda takes a different approach. Barracuda CloudGen WAN for Azure is a cloud-native SASE solution that does not rely on service chaining or multiple service providers. This is a pragmatic implementation of SASE that was jointly developed by Microsoft and Barracuda and is available as a service in the Azure Marketplace. It offers the scalability and automation of Microsoft Azure and the battle-tested security and SD-WAN capabilities of the Barracuda CloudGen Firewall. All of this works along the Microsoft Global Network, which is over 165,000 miles of fiber and subsea cable that connect 61 Azure regions and strategically placed PoPs in edge sites around the world.

Barracuda CloudGen WAN on Microsoft Azure is the only solution that allows the use of the Microsoft Global Network, completely eliminating the need for another third-party cloud or third-party network that might lead to potential outages, bottlenecks or regulatory issues.

“A cloud-first strategy asks for a different approach on connectivity. We have invested heavily in Microsoft Office 365 adoption across the organization, and traditional connectivity doesn’t fit the bill anymore. We need a solution that is focused on delivering application performance, not just ‘plain’ connectivity. That’s why we’re moving forward with Barracuda CloudGen WAN.”
Leon Sevriens, Program Manager IT at Humankind

Direct access to all applications without the complexity of VPN: ZTNA with CloudGen Access

An integral part of SASE is Zero Trust Network Access (ZTNA), which is the new and easy way to connect users to applications directly without the need to use cumbersome VPN technology. In line with the SASE concept, ZTNA with CloudGen Access shifts the perimeter from the network to the device edge as defined by user identity, device health and security posture. The solution continuously verifies that only the right person, with the right device, the right device health status, and the right permissions can access company data or apps.

Zero Trust architecture is a set of guiding principles that rely on the key assumption that the new corporate network is the internet and as such a hostile environment. So, the company network infrastructure is not more secure than any other network, and each access must be independently authorized and authenticated. To ensure security, the enterprise must continuously analyze and assess risks to its internal resources, business apps, and workloads. Zero Trust not only restricts access to resources to only those who must have it, but also goes beyond the concept of role-based access control (RBAC) to implement attribute-based access control (ABAC) and ephemeral trust models. Access is granted only after authenticating the identity and security posture of each access request. To eliminate unauthorized access to data and services and ensure secure access, the focus is on strong authentication, authorization, and granular access controls.

How ZTNA with CloudGen Access works

ZTNA with CloudGen Access relies on three main components: a small, lightweight app available for all device types (CloudGen Access App), a proxy on each protected network (CloudGen Access Proxy), and the SASE cloud console (CloudGen Access Console) for management. The CloudGen Access app operates at the network layer on the endpoint devices. When a device starts a connection to a protected resource, the app automatically intercepts it and opens an mTLS connection (mutually authenticated TLS: both the endpoint and the Access Proxy present a certificate and use their own private key, so each side is verified) with the CloudGen Access Proxy, sending the device and user attributes to the CloudGen Access Console, which evaluates the policy. The app also queries the device posture and sends the information to the console. The console then checks the attributes and device posture against the predefined policies for the device, user and application combination and allows or denies the connection to the resource. All traffic then flows encrypted from the device (intercepted by the app) to the CloudGen Access Proxy, and then directly to the application.

[Figure: CloudGen Access environment. Inside the customer infrastructure, the CloudGen Access App (device health checks, remediation, web security, traffic interception, mTLS tunnelling) connects through the CloudGen Access Proxy to the data, application or resource. The CloudGen Access Console (software-as-a-service), with single sign-on, carries the control path; the data path runs from app to proxy to resource.]

When a connection to a resource is denied, the app receives a list of attributes that are not compliant with the policy or policies configured for the resource, together with a list of steps that the user can perform to fix the issue. For example, an access policy requires users to have the latest software updates installed and prevents access from known hacked Wi-Fi networks on their devices. CloudGen Access will then deny access to the application. The CloudGen Access app will receive a response from the CloudGen Access Console that includes the reason for the denied access and the steps required to fix it, e.g. “Update iOS version”, together with a URL that links to specific content that shows the user how to do this.

ZTNA with CloudGen Access is different

Application agnostic: Works for any application based on TCP or UDP, not only web apps.

No third-party cloud: You own data traffic and decide where it goes. CloudGen Access does not require funneling of any data traffic outside of your infrastructure or your preferred cloud provider.

Designed for the cloud: Deploys in microservices, via infrastructure-as-code templates (Kubernetes, Docker, CloudFormation). CloudGen Access is the only solution that allows complete automation of ZTNA access to microservices managed by Kubernetes clusters (automatic tear-down and re-init).

Workload-2-workload: The CloudGen Access Proxy as well as the endpoint application are available for Docker, so CloudGen Access can provide ZTNA protection of intra-cloud or workload-to-workload traffic setups. This setup can be automated via API and allows workload-to-workload ZTNA across regions, data centers and even across public cloud types.

Fast: Fast setup and quick self-deployment for the end users from any app store. Rollout of the ZTNA app at the client level does not require an MDM or admin interaction.

Available everywhere: The complete set of functions is available for all endpoint types: Windows, macOS, Android, iOS, iPadOS, Chromebook, Linux, Docker.

Intuitive to use for the end user: The CloudGen Access endpoint app is intuitive to use and provides the common look and feel of today’s apps on mobile devices.
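The allow/deny decision and the remediation response described under “How ZTNA with CloudGen Access works” can be modelled in a few lines. The following Python is an added example and not Barracuda's code: the attribute names, the policy format and the help URLs are assumptions made for this illustration. It plays the console's role: it takes the user and device attributes plus the device posture reported by the app, evaluates them against the policy defined for the requested resource, and on denial returns every non-compliant attribute together with a remediation step and link for the user, as in the “Update iOS version” example above.

```python
"""Added example: a minimal model of the ZTNA allow/deny decision described
in the text.  Not Barracuda's code; attribute names, policy format and help
URLs are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'16.4.1' -> (16, 4, 1) so versions compare numerically; None if malformed."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


@dataclass
class Requirement:
    attribute: str     # key in the attributes reported by the app (assumed naming)
    check: str         # "min_version", "not_in" or "equals"
    value: object      # threshold, blocklist or expected value
    remediation: str   # step shown to the user when this requirement fails
    help_url: str      # link to guidance for that step (placeholder here)


@dataclass
class Decision:
    allowed: bool
    non_compliant: List[str] = field(default_factory=list)            # failed attributes
    remediation: List[Tuple[str, str]] = field(default_factory=list)  # (step, url) pairs


def requirement_met(req: Requirement, attrs: Dict[str, object]) -> bool:
    actual = attrs.get(req.attribute)
    if req.check == "min_version":
        have = parse_version(str(actual)) if actual is not None else None
        need = parse_version(str(req.value))
        return have is not None and need is not None and have >= need
    if req.check == "not_in":
        return actual not in req.value
    if req.check == "equals":
        return actual == req.value
    raise ValueError(f"unknown check type: {req.check}")


def evaluate(policy: Dict[str, List[Requirement]], resource: str,
             attrs: Dict[str, object]) -> Decision:
    """Evaluate every requirement so the user learns about all failures at once.
    A resource with no policy is denied: zero trust grants nothing by default."""
    if resource not in policy:
        return Decision(False, ["resource"], [("No access policy grants this resource", "")])
    decision = Decision(allowed=True)
    for req in policy[resource]:
        if not requirement_met(req, attrs):
            decision.allowed = False
            decision.non_compliant.append(req.attribute)
            decision.remediation.append((req.remediation, req.help_url))
    return decision


HELP = "https://help.example.invalid/"  # placeholder base URL, not a Barracuda link

# Constructed policy for one resource: group membership (user attribute), a
# minimum OS version (device attribute) and two posture checks.  The set of
# flagged SSIDs stands in for a feed of known hacked Wi-Fi networks.
POLICY: Dict[str, List[Requirement]] = {
    "finance-app": [
        Requirement("user.group", "equals", "finance",
                    "Request membership of the finance group", HELP + "groups"),
        Requirement("device.os_version", "min_version", "16.4",
                    "Update iOS version", HELP + "update-ios"),
        Requirement("posture.wifi_ssid", "not_in", {"FreeAirportWiFi", "CoffeeShop-Guest"},
                    "Disconnect from the flagged Wi-Fi network", HELP + "wifi"),
        Requirement("posture.disk_encrypted", "equals", True,
                    "Enable device encryption", HELP + "encryption"),
    ],
}

# Constructed attribute sets, as the app would report them to the console.
COMPLIANT = {"user.group": "finance", "device.os_version": "16.5.1",
             "posture.wifi_ssid": "Corp-Office", "posture.disk_encrypted": True}
OUTDATED_ON_FLAGGED_WIFI = {"user.group": "finance", "device.os_version": "15.7",
                            "posture.wifi_ssid": "FreeAirportWiFi", "posture.disk_encrypted": True}

if __name__ == "__main__":
    for attrs in (COMPLIANT, OUTDATED_ON_FLAGGED_WIFI):
        d = evaluate(POLICY, "finance-app", attrs)
        print("allow" if d.allowed else f"deny: {d.non_compliant} -> {d.remediation}")
```

Two design choices mirror the text: every requirement is evaluated rather than stopping at the first failure, so the app can show the complete list of steps, and an unparsable or missing attribute counts as non-compliant rather than as a pass.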

The easy way to start with SASE

Gartner recommends starting the journey to SASE by looking into deploying ZTNA as a high priority:

Set a three- to five-year goal to replace 90% of legacy network-level VPN access with zero trust network access over the next five years.

Adopt cloud-based ZTNA to augment legacy VPN access for higher-risk use cases such as:
- Contractor and third-party access
- Unmanaged device access
- Cloud administrator and developer access

Source: Gartner, 2021 Strategic Roadmap for SASE Convergence.

“By 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through Zero Trust Network Access (ZTNA).”
Gartner, 2019

“Traditional data centers are going away. More than ten percent of organizations have already shut theirs down, and Gartner has predicted that will rise to 80 percent by 2025.”
Gartner, 2020

Summary

Barracuda CloudGen WAN is a cloud-native SASE solution in Microsoft Azure. CloudGen WAN enables companies to deploy SASE the way they prefer, running SD-WAN, security, networking and Zero Trust Access using the Microsoft Global Network as the enterprise backbone. All security and connectivity functions are centrally managed by a cloud console. All heavy-lifting security functions like Advanced Threat Protection are done by the Barracuda ATP Cloud service.

Barracuda CloudGen Access enables Zero Trust Access to all of your apps and data from any device and any location. The software-defined perimeter reduces over-privileged access and the risks of third-party access to corporate applications and cloud workloads. Built for modern cloud infrastructures, Barracuda CloudGen Access enables you to provide secure remote access without creating additional attack surfaces.

If needed, customer premises equipment provides Secure SD-WAN connectivity to the SASE service and even functions as a cloud edge entry point. Deployment of the optional site devices is truly zero-touch and does not require technical personnel on site.

CloudGen WAN is the SASE solution for Azure by Barracuda Networks. Typical SASE solutions just replace on-premises appliances by moving security and networking into their cloud. CloudGen WAN is the only SASE service delivered natively by Azure, tightly integrated with its services and using the Microsoft Global Network as its WAN backbone.

Barracuda CloudGen Access is a cloud-native Zero Trust Network Access (ZTNA) solution that provides anytime and anywhere secure access to any application and workload from any device and location. Barracuda CloudGen Access is your on-ramp to SASE to deliver seamless, consistent and secure application access regardless of where it is hosted.

WHITE PAPER US 1.0 Copyright 2021 Barracuda Networks, Inc. barracuda.com
Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.
