Enterprises have moved away from traditional hub-and-spoke architectures where network security was focused on safeguarding the network perimeter—the boundary between the trusted internal network and the untrusted external network. In today’s landscape, enterprise users and workloads are highly distributed due to a surge in cloud adoption, SaaS usage, and a hybrid workforce model. Enterprises must also cope with an increasing number of sophisticated cyberattacks. Threat actors are constantly finding innovative ways to exploit enterprise IT infrastructure and compromise its data and digital assets.

In this dynamic and distributed environment, it is important to ensure that both remote and branch users experience peak application performance and have secure access to applications, data, and the internet. To address these networking and security needs, enterprises have had to rely on multiple point solutions, which increase operational complexity, complicate management, and raise costs. Enterprises are looking to transition from conventional product-centric solutions to a cohesive as-a-service model.

Aryaka Unified SASE as a Service: OnePASS Architecture

Aryaka Unified SASE combines networking and security into an as-a-service (‘all-in-one’) solution that helps enterprises modernize their infrastructure. This solution allows an enterprise to configure, manage, and observe its network, security, applications, and users, all through a single management console without having to rely on disaggregated single-point solutions for each function independently. A defining feature of the Aryaka Unified SASE solution is its single-pass architecture that allows enterprises to perform comprehensive inspections and processing, while examining a given data packet only once. This approach reduces the attack surface and minimizes latency that would otherwise result from processing individual functions separately.

Aryaka has built an integrated architecture that offers a hybrid deployment solution to meet the needs of the enterprise for both on-premises and remote users. Security enforcement for workloads and users takes place directly at the edge appliance: either at the Aryaka Network Access Point (ANAP) for site users or at the Aryaka POP for remote users. Additionally, enterprises can benefit from our integrated lifecycle management support and managed services that offer a personalized experience for deployments and issue resolution 24/7. Aryaka plans to incorporate additional capabilities and features in the future, all seamlessly integrated into our single-pass architecture.

Use Cases

The Aryaka NGFW-SWG (Next Generation Firewall and Secure Web Gateway) strategy is to allow enterprises to replace traditional multi-vendor networking and security services with a unified platform from a single vendor.

The primary focus is described in the following two distinct use cases:

1. Replace Third-Party On-Premises Firewall with Aryaka NextGen Firewall

The first use case is replacing an enterprise’s existing on-premises firewall from a third-party security vendor with our natively built Aryaka solution. To accomplish this, Aryaka has built a dedicated security stack on top of our Software Defined Wide Area Network (SD-WAN) architecture that applies a common framework to a series of security policy engines.

Many vendors must tunnel traffic to POPs for security inspection. Aryaka can inspect traffic on the ANAP itself for on-premises users. Policy engines perform Next Generation Firewall and Secure Web Gateway (NGFW-SWG) security inspections, ensuring traffic is only forwarded to its intended destination when required. Both inbound and outbound traffic is examined in both the pre-SSL and post-SSL data flows for connections initiated from the LAN interface. In this use case, internet breakout occurs at the ANAP.

2. Replace Cloud-Based Secure Web Gateway Vendors

The second use case is replacing an enterprise’s cloud-based Secure Internet Access (SIA) or Secure Web Gateway (SWG) vendors with Aryaka’s natively built security stack on both POPs and ANAPs. The Aryaka NGFW-SWG protects web-based and SaaS application users from internet-borne threats.

Using our POP-centric cloud service delivery, Aryaka offers comprehensive security directly from the POP to remote users who access enterprise resources and cloud applications using the Aryaka VPNaaS client. Delivered as a cloud service, it also secures direct connections from headquarters and branch offices that do not have an ANAP. In these scenarios, internet breakout occurs at the POP. The ANAP and the POP both host identical security stacks to secure enterprise users and workloads from modern internet-borne threats, ensuring a consistent user experience whether the user is on-premises or remote. User licenses are used to provide NGFW-SWG security services to private access users.

Depicted below is the distributed policy enforcement on Aryaka POPs and ANAPs. Security scanning occurs at the service edges to protect both on-premises and remote users.

[Figure: distributed policy enforcement on Aryaka POPs and ANAPs]

Key Highlights

  • Cloud-Native Unified Platform
  • Single-Pass Architecture
  • Secure Branch & Remote Access
  • Secure Internet Access
  • Secure Cloud Access
  • Distributed Policy Enforcement
  • Operational Simplicity
  • Unified Management & Observability
  • Lifecycle Management Support Services 24/7

Key Differentiators

OnePASS Architecture

The Aryaka single-pass architecture processes network and security policies in a single pass, without the need for a packet to go through multiple security processing stages that can introduce latency and increase processing requirements. We process a packet once and only perform one TLS inspection across the entire packet flow.

Our management interface, MyAryaka, provides dashboards, analytics, observability, management, and monitoring for all networking and security services. Telemetry is collected in near-real time from all security engines and provides insights into security incidents, threat management, and performance. Using our intuitive interface, enterprises have the flexibility to self-manage security policies and create access controls without having to switch between multiple management consoles.

Our unified control plane combines networking and security capabilities to provide consistent policy enforcement on the ANAP, the POP, or both. This protects the enterprise’s users wherever they are.

The distributed data plane allows for policy enforcement at the nearest POP and at the ANAP edge, allowing security enforcement to happen closer to the source. For enterprises with site users behind an ANAP, network, security and application processing are performed at the ANAP itself. For private access users and enterprise sites without an ANAP, traffic is processed at one of our 40+ globally distributed hyperscale POPs that reach 95% of the world’s business population across six continents (including China).

Features

Aryaka SmartSecure NGFW-SWG

  • Domain Reputation: Protects users from malicious domains using reputation scores for more than 750 million domains. For HTTP traffic, domain names are extracted from HTTP headers. For HTTPS traffic, domain names are extracted from the “Server Hello” message during the SSL/TLS handshake.
  • URL Reputation: Protects users from accessing malicious URLs using reputation scores for more than 32 billion URLs.
  • IP Reputation: Restricts users from accessing malicious IPs using IP reputation verdicts (Good or Bad) for more than 4.3 billion IPs (includes all IPv4 and in-use IPv6).
  • Category-based Filtering: Simplifies policy management by grouping overarching web categories and enforcing policies to permit or deny traffic based on these predefined categories.
  • Application-based Access Control (Basic CASB): Aryaka’s inline CASB identifies and classifies network traffic and applications using Deep Packet Inspection (DPI), then applies access controls to the sanctioned and unsanctioned applications that are discovered.
  • DNS Filtering: Inspects DNS queries and responses to permit or deny access to specific websites based on the domain and IP reputation scores. If non-DNS protocol messages arrive on port 53, the packets are automatically discarded.
  • Web Access Control: Provides access control for post-SSL traffic, including matches against HTTP headers for both HTTP and HTTPS traffic. HTTP headers can be saved as reusable assets that security policies can reference.
  • Network Access Control: Provides access control for pre-SSL traffic. Traffic can be permitted, denied, or allowed to skip all subsequent processing engines.
  • Identity and Access Management (User-based Access Control): Allows enterprises to connect to third-party identity providers (IdPs) or use Aryaka as the IdP. Supported IdPs are Enterprise LDAP, on-premises AD, Okta, Azure AD, and Aryaka DB. Azure AD and Okta are based on the SAML and OIDC authentication standards. The IdP redirects the user to the captive portal for authentication and authorization. Unauthorized users are redirected to customized block pages.

Aryaka NGFW-SWG Add-on

  • SSL/TLS Inspection and Decryption: Detects attacks in encrypted and unencrypted traffic using dynamic certificate generation, with the option of selectively decrypting packets based on the sensitivity of personally identifiable information (PII). To better detect anomalies in encrypted traffic, TLS inspection is used to decrypt packets. Packets are then re-encrypted after the inspection is complete.
  • Centralized Management: Allows you to define SD-WAN and security policies consistently across distributed network and cloud resources.
  • Real-time Threat Insights: Delivers visibility and observability of network and application security events and threat insights using the Aryaka unified console.
  • Security Reports and Analytics: Provides comprehensive summary reports and graphs of an enterprise’s threat landscape over a configurable time period.
  • Alerting: Notifies administrators about security events for rapid incident response.
  • Logging: Creates and updates security logs with useful information about the event for debugging purposes.
  • Self Service: Provides enterprises with the flexibility to configure and self-manage security policies in the MyAryaka user interface.
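As an added illustration of the DNS Filtering and Domain Reputation behaviour described above (example code written for this page, not Aryaka's implementation): a minimal filter that parses a datagram seen on port 53, discards anything that is not a well-formed DNS query, and applies a reputation table to the queried name. The reputation scores, the block threshold and the default-allow choice are constructed placeholders.

```python
import struct

# Constructed reputation table (placeholder scores, not Aryaka data); lower = worse.
DOMAIN_REPUTATION = {"example.com": 95, "malware-sample.test": 5}
BLOCK_THRESHOLD = 40  # assumed policy threshold, not a product setting

def parse_dns_query(payload: bytes):
    """Return (transaction_id, qname, qtype) for a well-formed DNS query, else None."""
    if len(payload) < 12:
        return None
    tid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit must be 0 and exactly one question
        return None
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None
        length, off = payload[off], off + 1
        if length == 0:
            break
        label = payload[off:off + length]
        # Compression pointers are not valid in a question name; reject them.
        if length & 0xC0 or len(label) != length or not label.isascii():
            return None
        labels.append(label.decode("ascii"))
        off += length
    if off + 4 > len(payload):  # QTYPE and QCLASS must follow the name
        return None
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return tid, ".".join(labels).lower(), qtype

def filter_port53(payload: bytes) -> str:
    """Verdict for a datagram seen on UDP/53: DISCARD (not DNS), BLOCK or ALLOW."""
    parsed = parse_dns_query(payload)
    if parsed is None:
        return "DISCARD"
    _, qname, _ = parsed
    parts = qname.split(".")
    # Walk up the label tree so a bad parent domain also covers its subdomains.
    for i in range(len(parts)):
        score = DOMAIN_REPUTATION.get(".".join(parts[i:]))
        if score is not None:
            return "BLOCK" if score < BLOCK_THRESHOLD else "ALLOW"
    return "ALLOW"  # unknown domain: default allow (an assumed policy choice)

def build_query(name: str, tid: int = 0x1234) -> bytes:
    """Build a minimal IN/A query for the sample above (test helper)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```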

Licensing

NGFW-SWG has two types of licenses to meet different deployment needs: site licenses and user licenses. Site licenses are used to enable NGFW-SWG at a specific location. User licenses are used to enable NGFW-SWG services for remote users.

  • Security Service: NGFW-SWG
  • Prerequisite: Aryaka Unified SASE
  • Entitlements Upon Subscription: All Aryaka SD-WAN and Unified SASE features (see below)

Aryaka SD-WAN Features

  • Secure SD-WAN
  • Global Connectivity
  • Multi-Cloud
  • WAN Optimization
  • AI>Perform
  • Secure Remote Access

Aryaka Unified SASE Features

Everything in Aryaka SD-WAN plus

  • NGFW-SWG
  • IPS
  • Anti-Malware

Aryaka Advanced Security Features

Everything in Unified SASE plus

  • CASB
  • DLP*

*Coming soon

Key Business Outcomes and Benefits

Global, Scalable, and Flexible

Receive comprehensive security for any user, anywhere, anytime. With 40+ POPs, Aryaka can accommodate enterprise growth, changes in demand, and can adapt to unique operational needs.

End-to-End Connectivity with One Vendor

Maintain a single point of contact for networking and security services with Aryaka’s as-a-service solution.

Consistent Protection Everywhere

Offer uniform security for both on-premises and remote workers with networking and security tied together under a common security policy framework.

Operational Simplicity

See a reduction in the complexity, overhead, and training required to deploy and maintain a multi-vendor network and security solution with Aryaka’s unified management console, MyAryaka.

Superior User Experience

Deliver speed and seamless access to applications while securing data in transit and at rest.

Lower Total Cost of Ownership (TCO)

Reduce costs by eliminating the burden of sizing, purchasing, installing, upgrading, patching, and managing multiple point hardware and software solutions in a complex, ever-changing threat environment.


About Aryaka

Aryaka is the leader in delivering Unified SASE as a Service, a fully integrated solution combining networking, security, and observability. Built for the demands of Generative AI as well as today’s multi-cloud hybrid world, Aryaka enables enterprises to transform their secure networking to deliver uncompromised performance, agility, simplicity, and security. Aryaka’s flexible delivery options empower businesses to choose their preferred approach for implementation and management. Hundreds of global enterprises, including several in the Fortune 100, depend on Aryaka for their secure networking solutions. For more on Aryaka, please visit www.aryaka.com.