How Banyan automatically selects the appropriate mechanism to securely connect a user to the resource they need to access
- DNS Resolution
- Network-layer Steering
- Application-layer Proxying
- Application Authentication
- Other Scenarios
Unlike traditional networking tools that require complex and often incompatible configurations such as VPN profiles, segmentation rules, PAC files, etc to route and inspect traffic, Banyan only requires administrators to specify services and policies for their workforce. Banyan then automatically selects the appropriate mechanism to securely connect a user to the resource they need to access and to enforce the requisite security policies.
Banyan’s routing framework is applied at different layers of the networking stack:
- DNS Resolution - how a domain is resolved on the device
- Network-layer Steering - whether a packet is steered over a tunnel or the internet
- Application-layer Proxying - whether a request should terminate TLS and be proxied or not
- Application Authentication - how the resource identifies the user accessing it
When Internet Threat Protection (ITP) is enabled, Banyan automatically updates the routing logic on a device to secure access to internet resources as well as private resources.
DNS determines how a domain name is resolved to an IP address, and is configured as follows with Banyan:
- Private domains are resolved at internal DNS servers, typically over a service tunnel
- Published services use Service Domain Names that resolve via public DNS servers to your organization’s Banyan Edge
- If ITP is enabled, domains are inspected via Banyan’s DNS filtering capability and threats are blocked
- If ITP is not enabled, domains are resolved at the DNS server specified by the device’s network
- DNS and routing when securing private resources such as internal websites and infrastructure servers.
- DNS and routing when securing networks utilizing Banyan’s service tunnel capability.
Banyan makes a decision on whether to route a packet over a tunnel or directly to the internet:
- Private network traffic flows over a service tunnel
- Specified tunnel domains & CIDRs also flow over a service tunnel
- Published services utilize TLS encryption and are routed over the public internet to your organization’s Banyan Edge
- If ITP is enabled, URLs are inspected on device via Banyan’s URL filtering capability; threats are blocked and risky URLs are forwarded to the Banyan Edge for further inspection
- All other traffic flows over the public internet to its destination
- Routing public domains over a tunnel for IP whitelisting
- Security for internet traffic that is always-on but not always-inline
The Banyan Edge comprises of identity-aware reverse proxies as well as a TLS-inspection forward proxies that enforce least-privilege-access and data-loss policies.
- Published services are proxied through the Banyan Edge; the Edge terminates TLS and forwards requests to the backend
- If ITP is enabled, risky URLs are inspected at the Banyan Edge; the Edge intercepts TLS and blocks threats
- If Data Loss Prevention (DLP) is enabled, specific domains are inspected at the Banyan Edge; the Edge intercepts TLS and applies DLP policies
- If application-layer access policies are specified, L7 requests and responses are examined and policies are enforced
- Applying API-level policies for hosted websites
- Defining Data Loss Prevention (DLP) policies for sensitive applications
Banyan issues short-lived cryptographic credentials - SAML and OIDC tokens, X.509 and SSH certificates - that can be used for application authentication.
- SaaS applications can use Banyan’s IDP federation to authenticate users
- Infrastructure resources (SSH server, K8s API) can use Banyan’s tokens and certificates for authentication and authorization
- Based on the policies specified, Banyan can enforce user- and device-based controls
- Protect SaaS applications with IDP Federation where Banyan enforce device trust policies
- Use SSH certificate authentication to manage end user access to Linux servers
A few other scenarios that Banyan supports that are not explicitly called out in the framework above are noted here:
1. Clientless access
Users without a Banyan client cannot set up service-tunnel-based connectivity. In this scenario, you can use Banyan’s published services capability. Published services in Banyan resolve via public DNS servers and are proxied through the Banyan Edge, which terminates TLS using trusted Let’s Encrypt certificates and enforces application-layer policies.
2. Site-based enforcement
Banyan can be used to enforce policies at a site level in addition to enforcing policies at the user & device level. A site is a single network location, with a fixed IP address, associated with the Banyan Connector component. The Banyan Connector forwards traffic to the Banyan Global Edge Network where site-based policies are enforced.
3. Co-existing with traditional L3 VPN
Banyan can operate seamlessly atop an existing L3 VPN. Typically, traffic to published services flows over the public internet. However, you can configure private or public DNS so traffic will flow over your L3 VPN tunnel instead of the public internet.
4. Co-existing with on-premise Web Proxy
Banyan can operate seamlessly in secure networks that require all web traffic to be inspected by a web proxy. The Banyan App and Banyan Access Tier both respect the OS’s
http_connect proxy setting, and so can communicate with the Banyan Cloud Command Center.
Read more about how zero-trust policies work in Banyan.