Barracuda Cloud Generation Firewall for IoT Deployments

Introduction

As the Internet of Things (IoT) becomes reality, your security challenges are growing dramatically more complex. Managing and protecting network traffic among the vast numbers of devices newly coming online is a potential logistical nightmare. Barracuda Cloud Generation Firewalls are designed with unique capabilities to help you secure IoT traffic easily and economically.

The ultra-compact Barracuda Secure Connector appliance reliably connects remote devices via multiple uplinks, with automatic failover to ensure uninterrupted operation. This makes it easy for you to securely connect IoT devices and micro-networks to your corporate datacenter, whether it is centralized or distributed. A large number of Secure Connector appliances can use TINA VPN to connect to a regional Secure Access Controller, which automatically forwards all management traffic to your Firewall Control Center. It also enforces corporate application-control, URL-filtering, and virus-scanning policies, or forwards traffic to your perimeter firewall.

A single Firewall Control Center gives you simple, centralized management and configuration of all your Secure Connectors and Secure Access Controllers, letting you scale your network at will without security headaches.

Barracuda Secure Connector

The Secure Connector is a small hardware appliance optimized to efficiently connect remote devices and micro-networks to the corporate datacenter via TINA VPN tunnel. The configuration is centrally managed by the Firewall Control Center, but can be overridden by the device’s web interface.

Barracuda Secure Access Controller

Secure Access Controller is available as a virtual appliance for on-premises and/or Microsoft Azure, AWS, and Google Cloud Platform public cloud deployments. It handles incoming Secure Connector VPN tunnels. Management traffic is automatically forwarded to the Firewall Control Center, and user traffic is processed either directly on the Secure Access Controller, or forwarded to the internal, border firewall. If necessary, Secure Access Controllers can be deployed in a high availability cluster.

In addition to your Secure Access Controller license, you must also assign a Secure Connector Energize Updates pool license. The number of instances in the Secure Connector pool license determines the number of Secure Connector configurations allowed per Secure Access Controller. The size of the Secure Connector pool license may not exceed the maximum number of VPN connections for a given model of Secure Connector.

The following Secure Access Controller models are available:

  • Secure Access Controller FSAC 400 – 2 CPU cores, up to 500 Secure Connectors
  • Secure Access Controller FSAC 610 – 4 CPU cores, up to 1,200 Secure Connectors
  • Secure Access Controller FSAC 820 – 8 CPU cores, up to 2,500 Secure Connectors

Secure Access Controllers are stackable, and multiple units can be deployed at the same location and managed by the same Barracuda Firewall Control Center.

Secure Connector devices on the Firewall Control Center

Firewall Control Center is a central management appliance for Cloud Generation Firewall devices. The Firewall Control Center provides a central template-driven configuration management interface, firmware update management, and status information for all Cloud Generation Firewall devices.

Firewall Control Center includes a Secure Connector Editor, which allows you to create configuration templates and link them to individual appliances. Changes to the templates are immediately applied to the Secure Connector devices. The administrator decides which configuration options are device-specific, and which are to be applied globally. These settings are then configured directly on the device. Although it is possible to change the configuration of an individual device via its web interface, the Firewall Control Center configuration overrides any changes if the configuration lock is released within the web interface.

You may also define Secure Connector networks via the Firewall Control Center, with each Secure Connector network permanently linked to a Secure Access Controller. When a Secure Connector is deployed, a subnet of the Secure Connector network is automatically selected and permanently assigned to it.

How it all works together

Each Secure Connector hides the end-device from the network and all traffic is backhauled via TINA VPN (Site-to-Site) to the Secure Access Controller.

About TINA Protocol

The TINA protocol uses port 692 and encapsulates the encrypted ESP payload in TCP or UDP packets, thus adapting to underlying transport network quality and providing failure-resistant, high-speed VPN connections. It also improves VPN connectivity substantially by adding:

  • Multiple concurrent physical transport paths per logical tunnel
  • Session level or packet level transport aggregation for increased total tunnel throughput
  • Adaptive traffic shaping depending on VPN transport availability
  • Fallback transports in case of uplink failure
  • Traffic compression and deduplication
  • DHCP and NAT support

Rollout process

Step 1: Order Secure Connector device

Step 2: Create a configuration file and enter the Secure Connector serial number

Step 3: Export the configuration file and, if necessary, transmit it to a person in the same location as the Secure Connector

Step 4: Unpack the Secure Connector, connect it via USB to any workstation, and import the configuration file via drag and drop

Step 5: Your Secure Connector will reboot once the configuration file is applied. Then, simply connect it to the internet. It will automatically connect to the Secure Access Controller, at which point it is ready to use, and may be managed via the Barracuda Firewall Control Center.

Disaster Recovery

In case of a hardware failure, a replacement device (the latest model) can be shipped to your remote location, and the same procedure as described in “Rollout process” can be applied.