A local internet breakout is an access point to the internet located as close to the user as possible. Local breakouts enable organizations to offload internet-bound traffic from local branches and remote offices, and route it directly to the internet via a local internet service provider (ISP).
Organizations have historically deployed a hub-and-spoke architecture to route traffic, typically over multiprotocol label switching (MPLS), to a centralized data center. Traffic then ran through stacks of security appliances prior to egressing to the internet. Because cloud applications, such as Office 365 and Salesforce, were designed to be accessed directly via the internet, traffic patterns have shifted.
The majority of wide-area network (WAN) bandwidth is now consumed by traffic destined for the internet. Backhauling internet-bound traffic to corporate data centers no longer makes sense – it can be expensive and can increase application latency, which degrades the user experience. As organizations discover this, they are increasingly turning to local breakouts and SD-WAN to simplify the branch and more easily establish direct-to-internet connections.
Local internet breakouts emerged to enable organizations to leverage lower-cost connections to route internet traffic to a local ISP, so they could reduce the burden on the corporate network, deliver a fast user experience, and reserve MPLS for applications still residing in the corporate data center.
Software-defined WAN (SD-WAN) and local internet breakouts introduce new security challenges. Every breakout is a new internet edge, and traffic that leaves through it never passes the centralized security gateway, so each breakout must be secured with the same protections that gateway historically delivered: firewall, sandboxing, advanced threat prevention, data loss prevention, and IPS.
Leveraging traditional security for local internet breakouts means organizations would need to replicate the corporate security stack at every location. This requires stacks of security appliances in every branch office, an option that is simply not viable in terms of cost, as well as in the complexity of buying, deploying, and managing them all.
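One way to make the "no breakout without protection" requirement concrete is a per-flow egress policy at the branch. The example below is added here and is not Zscaler's or any SD-WAN product's code; the branch names, gateway name, SaaS prefixes (taken from documentation address ranges) and domain lists are constructed for illustration. It contrasts a weak policy that sends everything internet-bound straight to the local ISP with a hardened one that only permits direct egress when a security gateway fronts the breakout, keeps data-center applications on MPLS, and drops destinations that should never be routed at all.

```python
"""Egress policy for a branch with a local internet breakout.

Added example, not Zscaler's or any SD-WAN product's code. The prefixes,
branch names and gateway name below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Egress(Enum):
    DIRECT = "direct"      # local ISP, through the branch's cloud security gateway
    BACKHAUL = "backhaul"  # MPLS to the data-center security stack
    DROP = "drop"


@dataclass(frozen=True)
class Branch:
    name: str
    cloud_gateway: Optional[str]  # gateway fronting the breakout; None if none is configured


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None  # TLS server name, when the client sent one


@dataclass(frozen=True)
class Decision:
    egress: Egress
    app: str
    reason: str


# Constructed sample data. Real SaaS prefixes and domains come from each
# vendor's published endpoint list; documentation ranges are used here.
SAAS_PREFIXES = {
    "office365": [ip_network("203.0.113.0/24")],
    "salesforce": [ip_network("198.51.100.0/25")],
}
SAAS_DOMAINS = {
    "office365": ("office.com", "outlook.com"),
    "salesforce": ("salesforce.com",),
}
# Applications still hosted in the corporate data center (RFC 1918 space here).
INTERNAL_PREFIXES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def classify(flow: Flow) -> str:
    """Label a flow as 'internal', a known SaaS app, or generic 'internet'."""
    addr = ip_address(flow.dst_ip)
    if any(addr in net for net in INTERNAL_PREFIXES):
        return "internal"
    for app, nets in SAAS_PREFIXES.items():
        if any(addr in net for net in nets):
            return app
    if flow.sni:
        host = flow.sni.lower().rstrip(".")
        for app, domains in SAAS_DOMAINS.items():
            # Exact or dotted-suffix match only: "evil-salesforce.com" must not match.
            if any(host == d or host.endswith("." + d) for d in domains):
                return app
    return "internet"


def decide_breakout_everything(branch: Branch, flow: Flow) -> Decision:
    """Weak policy: anything not internal leaves via the local ISP, inspected or not."""
    app = classify(flow)
    if app == "internal":
        return Decision(Egress.BACKHAUL, app, "data-center application stays on MPLS")
    return Decision(Egress.DIRECT, app, "internet-bound, sent straight to the local ISP")


def decide(branch: Branch, flow: Flow) -> Decision:
    """Hardened policy: direct egress only through a security gateway, else backhaul."""
    addr = ip_address(flow.dst_ip)
    if addr.is_multicast or addr.is_link_local or addr.is_loopback or addr.is_unspecified:
        return Decision(Egress.DROP, "none", "destination is not a routable unicast address")
    app = classify(flow)
    if app == "internal":
        return Decision(Egress.BACKHAUL, app, "data-center application stays on MPLS")
    if branch.cloud_gateway is None:
        return Decision(Egress.BACKHAUL, app,
                        f"{branch.name} has no security gateway on its breakout; backhaul to the central stack")
    return Decision(Egress.DIRECT, app, f"internet-bound, inspected by {branch.cloud_gateway} before egress")


if __name__ == "__main__":
    branches = [Branch("branch-no-gateway", None), Branch("branch-secured", "gw.example.invalid")]
    flows = [Flow("203.0.113.10", 443), Flow("10.1.2.3", 445), Flow("192.0.2.7", 443, sni="login.salesforce.com")]
    for b in branches:
        for f in flows:
            d = decide(b, f)
            print(f"{b.name:20} {f.dst_ip:15} {d.app:10} {d.egress.value:9} {d.reason}")
```

The gateway check is the security-relevant line: a branch whose breakout has no inspection point falls back to backhauling rather than silently egressing unprotected, which is the failure mode the paragraph above warns about. The SNI match is a dotted-suffix match so that a look-alike domain cannot be classified as a trusted SaaS application.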
In addition, next-generation firewalls (NGFWs) and other security appliances were not designed with cloud applications in mind. Cloud apps open a high volume of long-lived connections, and appliances sized for a fixed connection table are easily overwhelmed by them, so they end up inhibiting the productivity the apps were meant to provide. Appliances also cannot inspect TLS-encrypted traffic (still commonly called SSL) as it passes through; inspection means terminating each session with a certificate from an interception CA the endpoints trust, decrypting, inspecting, and re-encrypting to the origin. This has become increasingly important with the exponential growth in encrypted traffic during the past several years. To perform that inspection, traditional appliances must bolt on proxy capabilities that run it in software rather than in hardware-accelerated silicon. This has a significant impact on performance and results in a negative user experience.
As organizations embrace local internet breakouts and SD-WAN, they still need to deliver enterprise security capabilities across their local internet breakouts. Unfortunately, traditional NGFWs and appliance-based security stacks are not designed to support cloud applications, and their virtual counterparts leave you with many of the same limitations and challenges as traditional appliances. It makes sense that as applications are moving to the cloud, your security moves to the cloud as well.
Securing local internet breakouts and SD-WAN with cloud-based security provides multiple benefits over appliance-based solutions, including:
Are you still relying on legacy hub-and-spoke architectures? Are you looking to establish local internet breakouts, but wonder how to best secure them? Request a demo to learn how Zscaler can secure your local internet breakouts and deliver a fast and secure user experience.