Secure and simplify your network.
Secure Access Service Edge (SASE) is the future of network protection and access.
Digital transformation, the distributed mobile workforce, the adoption of cloud services, and emerging edge computing platforms have changed how enterprises operate. Today’s users expect to have access to corporate apps from anywhere and from any device. Barracuda SecureEdge is a SASE platform that cuts complexity and provides anytime/anywhere security and access to data and applications hosted anywhere. SecureEdge is affordable, easy to deploy, and easy to manage.
Barracuda’s cloud-first SASE platform will transform your business.
Barracuda’s cloud-first SASE platform enables businesses to control access to data from any device, anytime, anywhere, and allows security inspection and policy enforcement in the cloud, at the branch, or on the device. Barracuda SecureEdge delivers enterprise-grade security including Zero Trust Network Access (ZTNA), Firewall-as-a-Service, web security,and fully integrated office connectivity with Secure SD-WAN.
Go for a cloud-first SASE solution.
The enterprise is evolving. Move to modern cloud architecture. Deploy your security and network infrastructure where your data and applications live.
Secure your network.
Simplify your security deployment. Barracuda Security Service Edge provides the functionality of a next-generation firewall without capital expenditure costs.
Keep users connected and productive.
Ensure always-on connectivity and boost performance between sites and to the cloud with Barracuda Secure SD-WAN.
Simplify and secure network access.
Enable Zero Trust Network Access to all your apps and workloads. Improve security by continuously verifying access sessions and policies.
SASE at a glance.
IT professionals need a solution that combines network protection functions with WAN capabilities and supports the dynamic secure access needs of organizations. SASE is an integrated service that provides comprehensive secure access for modern computing environments, reduces complexity and costs by consolidating technology stacks, lowers operational overhead, and speeds up new technology adoption. According to Gartner, security and risk management leaders should build a migration plan from legacy perimeter and hardware-based offerings to a SASE model.1 With SASE, enterprises save management time, ensure business continuity, improve performance for latency-sensitive apps, and simplify the access experience for users by removing operational friction.
1 Gartner “2021 Strategic Roadmap for SASE Convergence” by Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa, Published 25 March 2021.
GO FOR A CLOUD-FIRST SASE SOLUTION
Benefit from the industry’s most flexible SASE platform.
Secure Access Service Edge (SASE) is the future of networks, but what is the best fit for your network infrastructure? Today, most organizations are leveraging a hybrid approach with applications hosted anywhere – in datacenters, on-site, in the public cloud, and consumed as software-as-a-service. Other SASE providers require sending all application traffic via their own cloud services. But many IT professionals would rather consider a SASE solution with the ability to adapt to the company’s specific requirements. Barracuda takes this into account and offers solutions ranging from on-premises deployments to SaaS offerings.
SECURE YOUR CLOUD NETWORK
Don’t give cybercriminals a chance.
In today’s rapidly evolving threat landscape, protecting your network infrastructure is key. Cybercriminals are getting increasingly sophisticated. New malware strains like ransomware are designed to evade traditional detection techniques and are often propagated through targeted zero-hour attacks. These advanced attack methods can cause severe damage to affected organizations, in terms of both financial loss and reputation. Barracuda SecureEdge is a cloud-native Firewall-as-a-Service with tightly integrated next-generation technologies, including application profiling, intrusion prevention, advanced threat and malware protection, antispam, and full-fledged network access control. Cloud-based web security and Zero Trust Network Access (ZTNA) are integral components of Barracuda SecureEdge.
KEEP USERS CONNECTED AND PRODUCTIVE
Boost application performance and reduce costs.
As your workloads move to the cloud and SaaS applications, it is critical to ensure reliable, fast, and secure connectivity for all your sites and remote users. Gone are the days when you could backhaul SaaS and internet-bound traffic to a central location. These days you need a faster, more agile network architecture to handle increased traffic from cloud apps, distributed sites, and off-network users. Barracuda SecureEdge uses application steering to automatically choose the most suitable physical path and makes dynamic, on-the-fly adjustments to QoS and application usage policies depending on real-time bandwidth and latency measurements, ensuring that users get the performance they need to be productive. Because it brings together Secure SD-WAN and next-generation security, Barracuda SecureEdge is more than just another SD-WAN product.
SIMPLIFY AND SECURE YOUR NETWORK ACCESS
Establish the Zero Trust model for secure access.
Remote work is here to stay, cloud migrations are accelerating, and secure access is critical. Enterprises need Zero Trust Network Access (ZTNA) to verify every access attempt to data and resources. Secure your team’s devices and reduce your attack surface by allowing only the right user to access the right corporate resources. Reduce breach risk while improving remote access performance and employee productivity. Barracuda SecureEdge grants least-privileged access to authorized apps without exposing your private network and helps enforce granular policy controls. Gain valuable insights and full visibility into your enterprise resource access flows to mitigate security and compliance risks.
Next-Generation Security
- Advanced multi-layered security
SecureEdge is built on the same technology as CloudGen Firewall, Barracuda’s battle-tested enterprise firewall. Purpose-built for the cloud, SecureEdge provides advanced multi-layered security to protect your business-critical resources, leveraging a rich feature-set including:
1. Advanced Threat Protection
2. Intrusion detection and prevention
3. Malware protection
4. SSL inspection
5. Stateful deep packet inspection
6. Single pass architecture
7. URL filtering–application-based ACL
- Advanced Threat Protection
While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, Barracuda Advanced Threat Protection (ATP) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered. Barracuda ATP offers administrators granular, file-type-based control including automatic quarantine and block-listing features to maintain the highest level of protection for an organization’s network.
- SSL interception
Barracuda SecureEdge can apply IPS, virus protection, application control, URL filtering, and even Advanced Threat Protection to SSL-encrypted web traffic using the standard ‘trusted man-in-the-middle’ approach. SSL interception can be fine-tuned to exempt local networks, users/groups, URL filter categories, or custom defined domains from SSL inspection.
- Intrusion prevention
The Intrusion Prevention System (IPS) of SecureEdge strongly enhances network security by providing comprehensive real-time network protection against a broad range of network threats, hacking, vulnerabilities, exploits, and exposures in operating systems, applications, and databases. It prevents network attacks such as:
SQL injections and arbitrary code executions
Access control attempts and privilege escalations
Cross-site scripting and buffer overflows
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
Directory traversal and probing and scanning attempts
Backdoor attacks, trojans, rootkits, viruses, worms, and spyware
As a result, Barracuda SecureEdge can identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.
Automatic signature updates are delivered on a regular schedule or on an emergency basis as new vulnerabilities emerge, to ensure that Barracuda SecureEdge is constantly up to date.
- Full next-generation security and visibility in Azure
SecureEdge enforces full security with ACLs, app control, URL filtering, anti-virus, and Advanced Threat Protection, enabling network segmentation and control within Azure Virtual WAN. This eliminates the need for Security Groups, Azure Firewall, or Azure Security Partners and replacing these with one flexible solution that is easy to use and cost efficient. SecureEdge additionally provides unprecedented real-time visibility into all traffic entering as well as generating from inside Virtual WAN.
Secure SD-WAN
- Self-healing traffic intelligence
Adaptive Session Balancing technology ensures using the best available uplink for the application profile, for all encrypted tunnels across SD-WAN sites. If the health state of the initial uplink recovers, encrypted SD-WAN traffic transparently switches back to this uplink. Application-based routing, factoring in the results of Dynamic Bandwidth and Latency Detection, applies the same concept for outbound internet traffic, ensuring that SaaS applications like Office 365 are always leveraging the best available uplink, even when conditions change frequently.
- Dynamic bandwidth and latency detection
To achieve the best possible user experience across the WAN, SecureEdge site devices proactively measure the available bandwidths and quality of all internet uplinks and between VPN endpoints. The results are directly available to the security and SD-WAN policy engine to select the best suitable uplink per application or to disqualify an uplink if the bandwidth or latency fall outside of acceptable limits.
- Application-based routing
A unique combination of next-generation security and adaptive WAN routing technology allows Barracuda SecureEdge to dynamically assign available bandwidth, uplink, and routing information based on protocol, user, location, and content as well as application, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.
To view a current list of applications and sub-applications that SecureEdge recognizes for application-based routing, please visit the Online Application Explorer.
- Adaptive session balancing
Barracuda SecureEdge uses dynamic bandwidth and latency detection to automatically balance existing sessions inside logical VPN tunnels across all available uplinks. This real-time balancing optimizes network efficiency and bandwidth usage at any given moment.
- Adaptive bandwidth protection
If dynamic bandwidth and latency detection indicates that the measured bandwidth of an uplink is too low to support certain kinds of business-critical traffic (e.g., VoIP), Barracuda SecureEdge automatically shifts sessions for non-business-critical traffic to secondary links to free up bandwidth for critical traffic.
- TINA VPN protocol
Secure SD-WAN between Barracuda Networks devices uses TINA (Transport Independent Network Architecture) by default, an enhanced version of the IPsec protocol designed to overcome the inherent limitations of IPsec. The TINA protocol uses a combination of TCP, UDP, and ESP for high-speed VPN connections, substantially improving VPN connectivity. It also adds default endpoint-to-endpoint (not network-to-network) connectivity, built in NAT-friendliness, built in HTTPS and SOCKS4/5 proxy compatibility, dynamic address support, and better VPN tunnel quality via advanced dynamic tunnel heartbeat monitoring.
- USB LTE modem
With the optional USB LTE modem, SecureEdge site devices can leverage 4G/LTE connectivity and the cellular infrastructure to provide broadband speeds either in failover or load-balancing configuration. For locations without wired broadband options and sufficient cellular connectivity the USB LTE modem may serve as the primary internet connection. The Barracuda USB LTE modem can even be used for zero-touch deployment of SecureEdge site devices in areas where wired internet connectivity is not yet available.
- Uplink optimization
To extend the SASE service at line speed to every site device and overcome limitations introduced by traditional SD-WAN technology based on shared uplinks like broadband, SecureEdge features uplink optimization technology with Forward Error Correction and self-healing traffic intelligence. This allows using the available physical bandwidth more effectively and expanding the benefits of SD-WAN to sites with single uplinks as well as optimized utilization of shared uplinks.
- Flexible Service Edge
The Barracuda SecureEdge SASE service is available either as SaaS directly managed by Barracuda Networks, as SecureEdge for Virtual WAN in Microsoft Azure and managed by Microsoft, or as virtual and hardware appliances to be managed and hosted by the customer or trusted partner. Regardless of deployment type, all intent-based configuration management is done from the SecureEdge Manager cloud portal. The service then takes care of propagating and enforcing the changes to each service edge, site, user, or thing.
- Auto-SD-WAN
Once plugged in and turned on, each site device automatically makes use of all available uplinks to connect to the SASE service. With SD-WAN policy settings predefined for thousands of common business applications, the devices ensure that the best uplink path is always used for the application.
Zero Trust Access
- Personal Access
Personal Access with Barracuda SecureEdge is the most convenient way to provide endpoint connectivity to workloads in Azure. Personal Access for SecureEdge lets remote users access company resources over an encrypted VPN tunnel directly from work-at-home environments or on the go. The high-performance TINA VPN protocol allows much more stable and resilient always-on connections from remote devices.
SecureEdge Access benefits compared to other client VPN solutions:
No need to deploy additional VPN gateways or services – SecureEdge Access uses the existing SecureEdge infrastructure.
Fast and easy self-enrollment for end users.
High-performance connectivity to cloud-hosted resources using TINA protocol—faster, more stable, and more resilient.
Integration with your existing Azure Active Directory.
Lower cost compared to built-in Azure Virtual WAN point-to-site connectivity.
Lower cost compared to dedicated VPN services—only pay for actual usage.
- Secure access to private and SaaS apps
Barracuda SecureEdge Service and SecureEdge Access Agent provide secure access to any private or SaaS application regardless of where they are hosted, following the zero-trust principles. Zero Trust Network Access (ZTNA) provides users with the least privileged access to business applications, minimizing business risk. Barracuda SecureEdge Zero Trust Security establishes unparalleled access control across users and devices without the performance pitfalls of a traditional VPN. It provides remote, conditional, and contextual access to resources, and reduces over-privileged access and associated third-party risks.
- VIP treatment on shared lines, better application performance
Connecting to corporate resources often suffers from limitations caused by shared lossy internet broadband lines. Last-mile optimization for application traffic via SecureEdge optimizes the end-user experience by reducing packet loss and carving out a greater slice of available bandwidth of shared lines, improving the quality of voice and video calls. The underlying technology to remediate packet loss is based on random linear network codes (RLNC), a new algorithmic coding scheme that reacts much quicker to losses and remediates these on the fly, thereby requiring fewer retransmissions and reducing overhead on the devices.
- All devices, any platform
SecureEdge Access Agent app is available for all desktop and mobile platforms, providing consistent security and ZTNA functionality. Best of all: licensing is user based and covers up to 5 devices per user.
- Role-based Access Control
Enable your organization to create robust access policies and gain visibility into who has access, to what and from where. Set role and attribute-based controls to grant contextual access to trusted users and devices, gain total visibility into access activities, and mitigate risks.
- Selective backhauling
Routing back all traffic to a central access point can have an impact on latency-sensitive applications like Microsoft 365 or Zoom call. To offer the best possible Quality-of-Service, SecureEdge allows to define applications that can connect directly to such services, and what application traffic is meant to be backhauled for further processing.
- Last Mile Optimization
Built-in internet traffic optimization from the service to the SASE agent enables endpoints to grab more of the available bandwidth on shared internet lines for improved application performance. The underlying technology to remediate packet loss is based on random linear network codes (RLNC), a powerful encoding scheme. Algorithms based on RLNC codes react much faster to losses and remediate these losses faster on the fly, thereby requiring fewer packet retransmissions and reducing overhead on the devices.
Web Security
- Content filtering
The content filtering feature of SecureEdge lets you create and enforce effective internet content and access policies by enabling highly granular, real-time visibility into online activity broken down by individual users and applications. It protects user productivity, blocks malware downloads and other web-based threats, and supports compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.
- Secure Internet Access (SIA)
Secure web gateway functionality of the SecureEdge Service extended to the endpoint with the SecureEdge Access Agent providing Secure Internet Access (SIA). The Agent blocks known forbidden or unwanted web categories without further inspection. There is no reason to send this type of traffic to the cloud for inspection when it can be blocked immediately at the endpoint. This could be content that conflicts with regulatory or corporate compliance or websites that are known to be malicious. This even includes “outgoing calls” of malicious software that is already on the device and trying to phone home. Access to “known good” SaaS apps is allowed by default, without being sent to the cloud service for security inspection. Customers have full control by enabling or disabling access via the 100+ content filter categories and thousands of application definitions.
- Cloud-delivered security
Full security inspection is applied for applications and websites that are neither known good nor known bad or that the IT department just requires full inspection of for compliance purposes. Traffic to and from these destinations is automatically sent to the SecureEdge Service for full next-generation security inspection, including IPS, deep SSL Inspection, and Advanced Threat Protection via the Barracuda BATP cloud.
- Barracuda Global Threat Intelligence
Barracuda’s unmatched global threat intelligence network ingests vast amounts of diverse, real-time threat information from millions of collection points around the world. Barracuda CloudGen Access leverages this system to continually enhance its threat-detection capabilities and respond to fast-evolving threat trends.
Management and automation
- Simple to deploy
SecureEdge is easy to set up and does not require specialized IT skills. SecureEdge works out of the box with smart default configuration, suitable for all cloud and SaaS applications. The service can either be rolled out to all locations as a pure SD-WAN solution alongside existing firewalls or as a secure SD-WAN solution replacing existing firewalls.
- Zero-touch site deployment
Zero-touch deployment lets you send SecureEdge site devices directly from the factory to the desired remote location without the need for on-site IT personnel. Connect the unit and power it up and it automatically requests, receives, and installs its specific configuration file. This makes it extremely easy, fast, and inexpensive to roll out SecureEdge site devices across widely distributed organizations. For sites in areas where wired internet connectivity is not yet available the optional Barracuda USB LTE modem can be used to facilitate the initial rollout.
- Simple to operate
Directly managed via the SecureEdge Manager for all regions and all sites across your global WAN, regardless of the number of cloud entry points or locations. The central cloud portal offers the highest degree of automation and unparalleled ease of use. SecureEdge Manager continuously monitors and optimizes network performance to ensure uninterrupted always-on connectivity and high quality of service levels for your business-critical traffic and applications.
- User- and group-based security policies
For content filtering, malware protection, SSL inspection, IPS, and firewall rules (ACLs), users or groups can be defined using inclusion criteria. Allow certain website categories for specific users or groups (e.g., give marketing staff access to Facebook while blocking it for everyone else) or exempt certain users or user groups from IPS or SSL scanning.
- Intent-based networking and policy management
In the past, security solutions were either complicated to use or lacking in their underlying security capabilities. Firewalls and other security solutions were based on assigning networks, IP ranges, and point product security capabilities to these networks. Intent-based operations are built from the ground up as part of the concept of SecureEdge Manager for our unified SASE platform. The Barracuda SecureEdge SASE platform is strictly user-, group-, and application-specific. Remote users can thereby access private and public cloud applications, and the internet much faster.
- Once only intent-based management
In addition to thousands of predefined applications, the SecureEdge SASE platform lets you create private applications that can be hosted anywhere. It’s quick, easy, and has to be done only once-and is then shared with security, SD-WAN, and ZTNA policy definitions. All necessary networking and routing optimizations are done completely transparent in the background and automatically applied to each site, user, or service instance.
- SD-WAN Connector to any cloud
The small SD-WAN Connector application allows to connect any cloud or local site running Windows or Linux Services or Servers for direct application access via ZTNA and makes them available to your workforce.
- Azure Log Analytics/Azure Monitor
Azure Monitor and the underlying Azure Log Analytics is Microsoft’s solution to collect, monitor, analyze, and act on telemetry data from any application hosted in Azure and on-premises environments, and even corresponding networking and security equipment. This allows customers to automate the analysis of the underlying data, set up alerts, and use machine learning-driven insights to quickly identify and resolve problems related to security and connectivity of their cloud infrastructure, without logging into the actual machines or devices. You can configure SecureEdge to send relevant log data for security, connectivity, SD-WAN, and point-to-site to Azure Log Analytics for further analysis.
- Support for Azure Secured hub
Azure Secured Hub is a secured Azure Virtual WAN hub with associated security and routing policies configured by the Azure Firewall Manager, with outbound security provided by an approved Azure security partner provider service. Barracuda SecureEdge is fully compatible for deployment in these scenarios, to provide SD-WAN connectivity and next-generation firewall security to every site and high-performance private access to cloud resources for endpoints.
