A local internet breakout is an internet access point located as close to the user as possible. Local breakouts enable organizations to offload internet-bound traffic from local branches and remote offices, and route it directly to the internet via a local internet service provider (ISP).
Organizations have historically deployed a hub-and-spoke architecture to route traffic, typically over multiprotocol label switching (MPLS), to a centralized data center. In this architecture, traffic runs through stacks of security appliances, such as VPNs, prior to egressing to the internet. Today, because SaaS and cloud applications, such as Microsoft 365 and Salesforce, were designed to be accessed directly via the internet, traffic patterns have shifted.
Most wide area network (WAN) bandwidth is now consumed by traffic destined for the internet. Backhauling internet-bound traffic to corporate data centers no longer makes sense—it can be expensive and can increase application latency, which degrades the user experience. As organizations discover this, they are increasingly turning to local breakouts and SD-WAN to simplify the branch and more easily establish direct-to-internet connections.
With the help of Zscaler, Mondi could increase the available bandwidth at some locations by up to 15 times—making an MPLS-upgrade obsolete. This is not unimportant if you consider that the majority of everyday work today is handled over the internet.
Thomas Vavra, Manager Communication Networks, Mondi Group
How Do Local Internet Breakouts Work?
Local internet breakouts enable organizations to leverage lower-cost connections to route internet traffic to a local ISP so they can reduce the burden on the corporate network, deliver a fast user experience, and reserve MPLS for applications still residing in the corporate data center.
With a software-defined wide area network (SD-WAN) as an overlay, software-defined policies are used to select the best path to route traffic connecting the branch to the internet, cloud applications, and the data center. By defining policies for all branches in the cloud through a single interface, organizations can easily deploy new applications and services as well as manage policies across many locations.
What Are the Challenges of Local Internet Breakouts?
SD-WAN and local internet breakouts introduce new security challenges. Each individual breakout must be secured with the same protections that were historically delivered at the centralized security gateway, including firewall, sandboxing, advanced threat prevention, data loss prevention, and IPS.
Leveraging traditional security for local internet breakouts means organizations would need to replicate the corporate security stack at every location. This requires stacks of security appliances in every branch office, which simply isn’t viable in terms of cost—not to mention the complexity of buying, deploying, and managing all these appliances.
In addition, next-generation firewalls (NGFWs) and other security appliances were never designed to support cloud applications. They’re easily overwhelmed by cloud apps because they can’t scale to support the high volume of long-lived connections the apps create. So, they end up inhibiting the productivity that cloud apps were designed to provide. They also can’t natively handle SSL-encrypted traffic.
This has become increasingly important with the exponential growth in encrypted traffic during the past several years. To execute SSL inspection, traditional appliances have to bolt on proxy capabilities that execute SSL inspection in software, rather than at the chip level. This has a significant impact on performance and results in a poor user experience.
Benefits of Local Internet Breakouts
As organizations embrace local internet breakouts and SD-WAN, they still need to deliver enterprise security capabilities across their local internet breakouts. Unfortunately, traditional NGFWs and appliance-based security stacks aren’t designed to support cloud applications, and their virtual counterparts leave you with many of the same limitations and challenges as traditional appliances. It makes sense that as applications are moving to the cloud, your security moves to the cloud as well.
Securing local internet breakouts and SD-WAN with cloud-based security provides multiple benefits over appliance-based solutions, including:
Fast, secure user experiences: Routing branch traffic direct to the internet and delivering security via a cloud-based service allows you to fully embrace cloud apps and provide your users with a fast and secure experience.
Reduced costs: Using a cloud-based security solution allows organizations to reduce MPLS costs, enable local internet breakouts, and inspect all your internet-bound traffic without buying, deploying, and managing stacks of costly security appliances or NGFWs in each branch.
Simplified branch IT operations: Delivering security as a cloud service gives you centralized control so you can prioritize critical apps, activate new services, and define and immediately enforce policies with just a few clicks.
User protection from anywhere: Securing local internet breakouts with cloud-based security provides identical protection for all your users, wherever they connect—at the coffee shop, corporate headquarters, or the local branch—with no security compromises.
The benefits of local internet breakouts are clear, but to fully realize them, you need to leverage a security services provider that’s truly built for the cloud without compromise. You need a vendor with years of experience securing internet connections for users working from anywhere, and you need the right SD-WAN overlay to ensure quick cloud connections. That vendor is Zscaler.
Secure Local Internet Breakouts and SD-WAN with Zscaler
Zscaler secures outbound internet traffic and delivers a fast user experience without backhauling and without duplicating the security appliance stack at each location. Because Zscaler delivers the entire security stack as a cloud service, there is no compromising on security.
With Zscaler, policies aren’t tied to a physical location. Instead, they follow users to provide identical protection no matter where they connect. Simply route internet-bound traffic to Zscaler and immediately begin inspecting all traffic—all ports and protocols, including SSL. You can define and immediately enforce access and security policies across all locations from a single console. With Zscaler, cloud services scale elastically, allowing you to deploy new services like bandwidth control in just a few clicks, without performance impact or the need to upgrade costly appliances.
SSL Inspection with SLA-Backed Performance
SSL is now the default communication protocol, and many threats like ransomware try to hide inside SSL—and sometimes even use other ports—so it’s imperative to inspect all traffic. But SSL inspection remains a significant challenge for security appliances; decrypting, inspecting, and re-encrypting that traffic is known to decimate a firewall’s performance.
Are you still relying on legacy hub-and-spoke architectures? Are you looking to establish local internet breakouts, but wonder how to best secure them? Request a demo to learn how Zscaler can secure your local internet breakouts and deliver a fast and secure user experience
Siemens Case Study
Watch the video
Cloud Transformation Requires New Ways of Thinking