Barracuda SecureEdge Access: Features

SecureEdge is built on the same technology as CloudGen Firewall, Barracuda’s battle-tested enterprise firewall. Purpose-built for the cloud, SecureEdge provides advanced multi-layered security to protect your business-critical resources, leveraging a rich feature-set including:

• Advanced Threat Protection
• Intrusion detection and prevention
• Malware protection
• SSL inspection
• Stateful deep packet inspection
• Single pass architecture
• URL filtering--application-based ACL

While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, Barracuda Advanced Threat Protection (ATP) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered. Barracuda ATP offers administrators granular, file-type-based control including automatic quarantine and block-listing features to maintain the highest level of protection for an organization’s network.

Barracuda SecureEdge can apply IPS, virus protection, application control, URL filtering, and even Advanced Threat Protection to SSL-encrypted web traffic using the standard 'trusted man-in-the-middle' approach. SSL interception can be fine-tuned to exempt local networks, users/groups, URL filter categories, or custom defined domains from SSL inspection.

The Intrusion Prevention System (IPS) of SecureEdge strongly enhances network security by providing comprehensive real-time network protection against a broad range of network threats, hacking, vulnerabilities, exploits, and exposures in operating systems, applications, and databases. It prevents network attacks such as:

• SQL injections and arbitrary code executions
• Access control attempts and privilege escalations
• Cross-site scripting and buffer overflows
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Directory traversal and probing and scanning attempts
• Backdoor attacks, trojans, rootkits, viruses, worms, and spyware

As a result, Barracuda SecureEdge can identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

Automatic signature updates are delivered on a regular schedule or on an emergency basis as new vulnerabilities emerge, to ensure that Barracuda SecureEdge is constantly up to date.

Barracuda SecureEdge Service and SecureEdge Access Agent provide secure access to any private or SaaS application regardless of where they are hosted, following the zero-trust principles. Zero Trust Network Access (ZTNA) provides users with the least privileged access to business applications, minimizing business risk. Barracuda SecureEdge Zero Trust Security establishes unparalleled access control across users and devices without the performance pitfalls of a traditional VPN. It provides remote, conditional, and contextual access to resources, and reduces over-privileged access and associated third-party risks.

Connecting to corporate resources often suffers from limitations caused by shared lossy internet broadband lines. Last-mile optimization for application traffic via SecureEdge optimizes the end-user experience by reducing packet loss and carving out a greater slice of available bandwidth of shared lines, improving the quality of voice and video calls. The underlying technology to remediate packet loss is based on random linear network codes (RLNC), a new algorithmic coding scheme that reacts much quicker to losses and remediates these on the fly, thereby requiring fewer retransmissions and reducing overhead on the devices.

SecureEdge Access Agent app is available for all desktop and mobile platforms, providing consistent security and ZTNA functionality. Best of all: licensing is user based and covers up to 5 devices per user.

Routing back all traffic to a central access point can have an impact on latency-sensitive applications like Microsoft 365 or Zoom call. To offer the best possible Quality-of-Service, SecureEdge allows to define applications that can connect directly to such services, and what application traffic is meant to be backhauled for further processing.

Built-in internet traffic optimization from the service to the SASE agent enables endpoints to grab more of the available bandwidth on shared internet lines for improved application performance. The underlying technology to remediate packet loss is based on random linear network codes (RLNC), a powerful encoding scheme. Algorithms based on RLNC codes react much faster to losses and remediate these losses faster on the fly, thereby requiring fewer packet retransmissions and reducing overhead on the devices.

Secure web gateway functionality of the SecureEdge Service extended to the endpoint with the SecureEdge Access Agent providing Secure Internet Access (SIA). The Agent blocks known forbidden or unwanted web categories without further inspection. There is no reason to send this type of traffic to the cloud for inspection when it can be blocked immediately at the endpoint. This could be content that conflicts with regulatory or corporate compliance or websites that are known to be malicious. This even includes “outgoing calls” of malicious software that is already on the device and trying to phone home. Access to “known good” SaaS apps is allowed by default, without being sent to the cloud service for security inspection. Customers have full control by enabling or disabling access via the 100+ content filter categories and thousands of application definitions.

Full security inspection is applied for applications and websites that are neither known good nor known bad or that the IT department just requires full inspection of for compliance purposes. Traffic to and from these destinations is automatically sent to the SecureEdge Service for full next-generation security inspection, including IPS, deep SSL Inspection, and Advanced Threat Protection via the Barracuda BATP cloud.

The content filtering feature of SecureEdge lets you create and enforce effective internet content and access policies by enabling highly granular, real-time visibility into online activity broken down by individual users and applications. It protects user productivity, blocks malware downloads and other web-based threats, and supports compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.

SecureEdge services and SecureEdge site devices include pre-written English-language dictionaries of keywords and phrases related to harassment, weapons, terrorism, and pornography. Administrators are notified when content containing these keywords or phrases is searched for online. The alerts are tagged with real network user identities, timestamps, IP addresses, and search terms making it easy to identify the source regardless of online profiles. Custom keywords for monitoring can be easily added via the web-based user interface.

Even though malicious and inappropriate websites are blocked, users can still access inappropriate content through popular search engines. SecureEdge site devices and SecureEdge services provide the ability to enforce the SafeSearch option for most popular search engines and YouTube. Because this is enforced at the network level, end users cannot manipulate or bypass this setting through their own accounts.

SecureEdge services and SecureEdge site devices provide the ability to transparently remove online advertising without displaying a block message or attention-grabbing notifications.

Barracuda’s unmatched global threat intelligence network ingests vast amounts of diverse, real-time threat information from millions of collection points around the world. Barracuda CloudGen Access leverages this system to continually enhance its threat-detection capabilities and respond to fast-evolving threat trends.

SecureEdge is easy to set up and does not require specialized IT skills. SecureEdge works out of the box with smart default configuration, suitable for all cloud and SaaS applications. The service can either be rolled out to all locations as a pure SD-WAN solution alongside existing firewalls or as a secure SD-WAN solution replacing existing firewalls.

Zero-touch deployment lets you send SecureEdge site devices directly from the factory to the desired remote location without the need for on-site IT personnel. Connect the unit and power it up and it automatically requests, receives, and installs its specific configuration file. This makes it extremely easy, fast, and inexpensive to roll out SecureEdge site devices across widely distributed organizations. For sites in areas where wired internet connectivity is not yet available the optional Barracuda USB LTE modem can be used to facilitate the initial rollout.

Directly managed via the SecureEdge Manager for all regions and all sites across your global WAN, regardless of the number of cloud entry points or locations. The central cloud portal offers the highest degree of automation and unparalleled ease of use. SecureEdge Manager continuously monitors and optimizes network performance to ensure uninterrupted always-on connectivity and high quality of service levels for your business-critical traffic and applications.

For content filtering, malware protection, SSL inspection, IPS, and firewall rules (ACLs), users or groups can be defined using inclusion criteria. Allow certain website categories for specific users or groups (e.g., give marketing staff access to Facebook while blocking it for everyone else) or exempt certain users or user groups from IPS or SSL scanning.

In the past, security solutions were either complicated to use or lacking in their underlying security capabilities. Firewalls and other security solutions were based on assigning networks, IP ranges, and point product security capabilities to these networks. Intent-based operations are built from the ground up as part of the concept of SecureEdge Manager for our unified SASE platform. The Barracuda SecureEdge SASE platform is strictly user-, group-, and application-specific. Remote users can thereby access private and public cloud applications, and the internet much faster.

In addition to thousands of predefined applications, the SecureEdge SASE platform lets you create private applications that can be hosted anywhere. It’s quick, easy, and has to be done only once-and is then shared with security, SD-WAN, and ZTNA policy definitions. All necessary networking and routing optimizations are done completely transparent in the background and automatically applied to each site, user, or service instance.

The SecureEdge Connector application allows to your workforce to securely connect to any cloud or local site running Windows or Linux Services or Servers for direct application access via ZTNA.

SecureEdge Manager provides a customizable yet intuitive dashboard interface for a quick overview regarding users, threats, activities on the network, infrastructure status, and SD-WAN connectivity status. Additional dashboards with custom configurations consisting of a choice of dozens of predefined tiles are just a few clicks away.