Next-Generation Security

SecureEdge is built on the same technology as CloudGen Firewall, Barracuda’s battle-tested enterprise firewall. Purpose-built for the cloud, SecureEdge provides advanced multi-layered security to protect your business-critical resources, leveraging a rich feature-set including:

  • Advanced Threat Protection
  • Intrusion detection and prevention
  • Malware protection
  • SSL inspection
  • Stateful deep packet inspection
  • Single pass architecture
  • URL filtering and application-based ACL

Traditional solutions usually detect network threats only after they have breached the network, and then send log notifications to the administrator. Barracuda Advanced Threat Protection (ATP) instead implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. If a file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered. Barracuda ATP offers administrators granular, file-type-based control including automatic quarantine and block-listing features to maintain the highest level of protection for an organization’s network.

Barracuda SecureEdge can apply IPS, virus protection, application control, URL filtering, and even Advanced Threat Protection to SSL-encrypted web traffic using the standard 'trusted man-in-the-middle' approach. SSL interception can be fine-tuned to exempt local networks, users/groups, URL filter categories, or custom defined domains from SSL inspection.

The Intrusion Prevention System (IPS) of SecureEdge strongly enhances network security by providing comprehensive real-time network protection against a broad range of network threats, hacking, vulnerabilities, exploits, and exposures in operating systems, applications, and databases. It prevents network attacks such as:

  • SQL injections and arbitrary code executions
  • Access control attempts and privilege escalations
  • Cross-site scripting and buffer overflows
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Directory traversal and probing and scanning attempts
  • Backdoor attacks, trojans, rootkits, viruses, worms, and spyware

As a result, Barracuda SecureEdge can identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

Automatic signature updates are delivered on a regular schedule or on an emergency basis as new vulnerabilities emerge, to ensure that Barracuda SecureEdge is constantly up to date.

SecureEdge enforces full security with ACLs, app control, URL filtering, anti-virus, and Advanced Threat Protection, enabling network segmentation and control within Azure Virtual WAN. This eliminates the need for Security Groups, Azure Firewall, or Azure Security Partners and replaces these with one flexible solution that is easy to use and cost efficient. SecureEdge additionally provides unprecedented real-time visibility into all traffic entering Virtual WAN as well as traffic originating from inside it.

Secure SD-WAN

Adaptive Session Balancing technology ensures that the best available uplink for the application profile is used for all encrypted tunnels across SD-WAN sites. If the health state of the initial uplink recovers, encrypted SD-WAN traffic transparently switches back to this uplink. Application-based routing, factoring in the results of Dynamic Bandwidth and Latency Detection, applies the same concept to outbound internet traffic, ensuring that SaaS applications like Office 365 always use the best available uplink, even when conditions change frequently.

To achieve the best possible user experience across the WAN, SecureEdge site devices proactively measure the available bandwidth and quality of all internet uplinks and between VPN endpoints. The results are directly available to the security and SD-WAN policy engine, which uses them to select the most suitable uplink per application or to disqualify an uplink if its bandwidth or latency falls outside of acceptable limits.

A unique combination of next-generation security and adaptive WAN routing technology allows Barracuda SecureEdge to dynamically assign available bandwidth, uplink, and routing information based on protocol, user, location, and content as well as application, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.

To view a current list of applications and sub-applications that SecureEdge recognizes for application-based routing, please visit the Online Application Explorer.

Barracuda SecureEdge uses dynamic bandwidth and latency detection to automatically balance existing sessions inside logical VPN tunnels across all available uplinks. This real-time balancing optimizes network efficiency and bandwidth usage at any given moment.

If dynamic bandwidth and latency detection indicates that the measured bandwidth of an uplink is too low to support certain kinds of business-critical traffic (e.g., VoIP), Barracuda SecureEdge automatically shifts sessions for non-business-critical traffic to secondary links to free up bandwidth for critical traffic.

Secure SD-WAN between Barracuda Networks devices uses TINA (Transport Independent Network Architecture) by default, an enhanced version of the IPsec protocol designed to overcome the inherent limitations of IPsec. The TINA protocol uses a combination of TCP, UDP, and ESP for high-speed VPN connections, substantially improving VPN connectivity. It also adds default endpoint-to-endpoint (not network-to-network) connectivity, built-in NAT-friendliness, built-in HTTPS and SOCKS4/5 proxy compatibility, dynamic address support, and better VPN tunnel quality via advanced dynamic tunnel heartbeat monitoring.

With the optional USB LTE modem, SecureEdge site devices can leverage 4G/LTE connectivity and the cellular infrastructure to provide broadband speeds in either a failover or a load-balancing configuration. For locations that have no wired broadband options but do have sufficient cellular connectivity, the USB LTE modem may serve as the primary internet connection. The Barracuda USB LTE modem can even be used for zero-touch deployment of SecureEdge site devices in areas where wired internet connectivity is not yet available.

To extend the SASE service at line speed to every site device and overcome limitations introduced by traditional SD-WAN technology based on shared uplinks like broadband, SecureEdge features uplink optimization technology with Forward Error Correction and self-healing traffic intelligence. This allows using the available physical bandwidth more effectively and expanding the benefits of SD-WAN to sites with single uplinks as well as optimized utilization of shared uplinks.

The Barracuda SecureEdge SASE service is available either as SaaS directly managed by Barracuda Networks, as SecureEdge for Virtual WAN in Microsoft Azure and managed by Microsoft, or as virtual and hardware appliances to be managed and hosted by the customer or trusted partner. Regardless of deployment type, all intent-based configuration management is done from the SecureEdge Manager cloud portal. The service then takes care of propagating and enforcing the changes to each service edge, site, user, or thing.

Once plugged in and turned on, each site device automatically makes use of all available uplinks to connect to the SASE service. With SD-WAN policy settings predefined for thousands of common business applications, the devices ensure that the best uplink path is always used for the application.

Zero Trust Access

Personal Access with Barracuda SecureEdge is the most convenient way to provide endpoint connectivity to workloads in Azure. Personal Access for SecureEdge lets remote users access company resources over an encrypted VPN tunnel directly from work-at-home environments or on the go. The high-performance TINA VPN protocol allows much more stable and resilient always-on connections from remote devices.

SecureEdge Access benefits compared to other client VPN solutions:

  • No need to deploy additional VPN gateways or services - SecureEdge Access uses the existing SecureEdge infrastructure.
  • Fast and easy self-enrollment for end users.
  • High-performance connectivity to cloud-hosted resources using TINA protocol—faster, more stable, and more resilient.
  • Integration with your existing Azure Active Directory.
  • Lower cost compared to built-in Azure Virtual WAN point-to-site connectivity.
  • Lower cost compared to dedicated VPN services—only pay for actual usage.

Barracuda SecureEdge Service and SecureEdge Access Agent provide secure access to any private or SaaS application regardless of where they are hosted, following the zero-trust principles. Zero Trust Network Access (ZTNA) provides users with the least privileged access to business applications, minimizing business risk. Barracuda SecureEdge Zero Trust Security establishes unparalleled access control across users and devices without the performance pitfalls of a traditional VPN. It provides remote, conditional, and contextual access to resources, and reduces over-privileged access and associated third-party risks.

Connecting to corporate resources often suffers from limitations caused by shared lossy internet broadband lines. Last-mile optimization for application traffic via SecureEdge optimizes the end-user experience by reducing packet loss and carving out a greater slice of available bandwidth of shared lines, improving the quality of voice and video calls. The underlying technology to remediate packet loss is based on random linear network codes (RLNC), a new algorithmic coding scheme that reacts much quicker to losses and remediates these on the fly, thereby requiring fewer retransmissions and reducing overhead on the devices.

The SecureEdge Access Agent app is available for all desktop and mobile platforms, providing consistent security and ZTNA functionality. Best of all: licensing is user based and covers up to 5 devices per user.

Enable your organization to create robust access policies and gain visibility into who has access to what, and from where. Set role- and attribute-based controls to grant contextual access to trusted users and devices, gain total visibility into access activities, and mitigate risks.

Routing all traffic back to a central access point can have an impact on latency-sensitive applications like Microsoft 365 or Zoom calls. To offer the best possible Quality-of-Service, SecureEdge lets you define which applications can connect directly to such services and which application traffic is to be backhauled for further processing.

Built-in internet traffic optimization from the service to the SASE agent enables endpoints to grab more of the available bandwidth on shared internet lines for improved application performance. The underlying technology to remediate packet loss is based on random linear network codes (RLNC), a powerful encoding scheme. Algorithms based on RLNC codes react much faster to losses and remediate these losses faster on the fly, thereby requiring fewer packet retransmissions and reducing overhead on the devices.

Web Security

The secure web gateway functionality of the SecureEdge Service is extended to the endpoint by the SecureEdge Access Agent, providing Secure Internet Access (SIA). The Agent blocks known forbidden or unwanted web categories without further inspection. There is no reason to send this type of traffic to the cloud for inspection when it can be blocked immediately at the endpoint. This could be content that conflicts with regulatory or corporate compliance or websites that are known to be malicious. This even includes “outgoing calls” of malicious software that is already on the device and trying to phone home. Access to “known good” SaaS apps is allowed by default, without being sent to the cloud service for security inspection. Customers have full control by enabling or disabling access via the 100+ content filter categories and thousands of application definitions.

Full security inspection is applied to applications and websites that are neither known good nor known bad, or for which the IT department requires full inspection for compliance purposes. Traffic to and from these destinations is automatically sent to the SecureEdge Service for full next-generation security inspection, including IPS, deep SSL Inspection, and Advanced Threat Protection via the Barracuda BATP cloud.

The content filtering feature of SecureEdge lets you create and enforce effective internet content and access policies by enabling highly granular, real-time visibility into online activity broken down by individual users and applications. It protects user productivity, blocks malware downloads and other web-based threats, and supports compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.

SecureEdge services and SecureEdge site devices include pre-written English-language dictionaries of keywords and phrases related to harassment, weapons, terrorism, and pornography. Administrators are notified when content containing these keywords or phrases is searched for online. The alerts are tagged with real network user identities, timestamps, IP addresses, and search terms making it easy to identify the source regardless of online profiles. Custom keywords for monitoring can be easily added via the web-based user interface.

Even though malicious and inappropriate websites are blocked, users can still access inappropriate content through popular search engines. SecureEdge site devices and SecureEdge services provide the ability to enforce the SafeSearch option for most popular search engines and YouTube. Because this is enforced at the network level, end users cannot manipulate or bypass this setting through their own accounts.

SecureEdge services and SecureEdge site devices provide the ability to transparently remove online advertising without displaying a block message or attention-grabbing notifications.

Barracuda’s unmatched global threat intelligence network ingests vast amounts of diverse, real-time threat information from millions of collection points around the world. Barracuda CloudGen Access leverages this system to continually enhance its threat-detection capabilities and respond to fast-evolving threat trends.

Management and automation

SecureEdge is easy to set up and does not require specialized IT skills. SecureEdge works out of the box with smart default configuration, suitable for all cloud and SaaS applications. The service can either be rolled out to all locations as a pure SD-WAN solution alongside existing firewalls or as a secure SD-WAN solution replacing existing firewalls.

Zero-touch deployment lets you send SecureEdge site devices directly from the factory to the desired remote location without the need for on-site IT personnel. Connect the unit and power it up and it automatically requests, receives, and installs its specific configuration file. This makes it extremely easy, fast, and inexpensive to roll out SecureEdge site devices across widely distributed organizations. For sites in areas where wired internet connectivity is not yet available the optional Barracuda USB LTE modem can be used to facilitate the initial rollout.

The service is managed directly via the SecureEdge Manager for all regions and all sites across your global WAN, regardless of the number of cloud entry points or locations. The central cloud portal offers the highest degree of automation and unparalleled ease of use. SecureEdge Manager continuously monitors and optimizes network performance to ensure uninterrupted always-on connectivity and high quality of service levels for your business-critical traffic and applications.

For content filtering, malware protection, SSL inspection, IPS, and firewall rules (ACLs), users or groups can be defined using inclusion criteria. Allow certain website categories for specific users or groups (e.g., give marketing staff access to Facebook while blocking it for everyone else) or exempt certain users or user groups from IPS or SSL scanning.

In the past, security solutions were either complicated to use or lacking in their underlying security capabilities. Firewalls and other security solutions were based on assigning networks, IP ranges, and point product security capabilities to these networks. Intent-based operations are built from the ground up as part of the concept of SecureEdge Manager for our unified SASE platform. The Barracuda SecureEdge SASE platform is strictly user-, group-, and application-specific. Remote users can thereby access private and public cloud applications, and the internet much faster.

In addition to thousands of predefined applications, the SecureEdge SASE platform lets you create private applications that can be hosted anywhere. It’s quick, easy, and has to be done only once, and the definition is then shared with security, SD-WAN, and ZTNA policy definitions. All necessary networking and routing optimizations are done completely transparently in the background and automatically applied to each site, user, or service instance.

The small SD-WAN Connector application lets you connect any cloud or local site running Windows or Linux services or servers for direct application access via ZTNA and makes them available to your workforce.

Azure Monitor, with the underlying Azure Log Analytics, is Microsoft’s solution to collect, monitor, analyze, and act on telemetry data from any application hosted in Azure and on-premises environments, and even from the corresponding networking and security equipment. This allows customers to automate the analysis of the underlying data, set up alerts, and use machine learning-driven insights to quickly identify and resolve problems related to security and connectivity of their cloud infrastructure, without logging into the actual machines or devices. You can configure SecureEdge to send relevant log data for security, connectivity, SD-WAN, and point-to-site to Azure Log Analytics for further analysis.

Azure Secured Hub is a secured Azure Virtual WAN hub with associated security and routing policies configured by the Azure Firewall Manager, with outbound security provided by an approved Azure security partner provider service. Barracuda SecureEdge is fully compatible for deployment in these scenarios, to provide SD-WAN connectivity and next-generation firewall security to every site and high-performance private access to cloud resources for endpoints.

SecureEdge Manager provides a customizable yet intuitive dashboard interface for a quick overview regarding users, threats, activities on the network, infrastructure status, and SD-WAN connectivity status. Additional dashboards with custom configurations consisting of a choice of dozens of predefined tiles are just a few clicks away.