Intelligent Routing

How Banyan automatically selects the appropriate mechanism to securely connect a user to the resource they need to access

  • Updated on May 10, 2023

Unlike traditional networking tools, which require complex and often incompatible configurations (VPN profiles, segmentation rules, PAC files, etc.) to route and inspect traffic, Banyan only requires administrators to specify services and policies for their workforce. Banyan then automatically selects the appropriate mechanism to securely connect a user to the resource they need to access and to enforce the requisite security policies.

Routing Framework

Banyan’s routing framework is applied at different layers of the networking stack:

  1. DNS Resolution - how a domain is resolved on the device
  2. Network-layer Steering - whether a packet is steered over a tunnel or the internet
  3. Application-layer Proxying - whether a request should terminate TLS and be proxied or not
  4. Application Authentication - how the resource identifies the user accessing it

DNS Resolution

DNS determines how a domain name is resolved to an IP address, and is configured as follows with Banyan:

  1. Private domains are resolved at internal DNS servers, typically over a service tunnel
  2. Published services use Service Domain Names that resolve via public DNS servers to your organization’s Banyan Edge
  3. If Internet Threat Protection is enabled, domains are inspected via Banyan’s DNS filtering capability and threats are blocked
  4. If Internet Threat Protection is not enabled, domains are resolved at the DNS server specified by the device’s network

Network-layer Steering

Banyan makes a decision on whether to route a packet over a tunnel or directly to the internet:

  1. Private network traffic flows over a service tunnel
  2. Specified tunnel domains & CIDRs also flow over a service tunnel
  3. If Internet Threat Protection is enabled, URLs are inspected on device via Banyan’s URL filtering capability and threats are blocked
  4. Published services utilize TLS encryption and are routed over the public internet to your organization’s Banyan Edge
  5. All other traffic flows over the public internet to its destination
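To reason about which path a given connection takes, the added Python model below (an illustration written for this page, not Banyan code) evaluates the five steering rules first-match in the order listed. The config fields, the use of RFC 1918 ranges for "private network", the first-match ordering, and a domain blocklist standing in for URL filtering are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: "private network traffic" means RFC 1918 destinations.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class SteeringConfig:  # hypothetical structure, not a Banyan schema
    tunnel_domains: set = field(default_factory=set)
    tunnel_cidrs: list = field(default_factory=list)
    published_domains: set = field(default_factory=set)
    itp_enabled: bool = False
    itp_blocked_domains: set = field(default_factory=set)

def _domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def _ip_in(ip, nets):
    """True if ip falls in any network; mixed IPv4/IPv6 never matches."""
    return ip is not None and any(ip in n for n in nets)

def steer(host, resolved_ip, cfg):
    """Return the path for one connection, checking rules 1-5 in listed order."""
    ip = ipaddress.ip_address(resolved_ip) if resolved_ip else None
    if _ip_in(ip, PRIVATE_NETS):
        return "service-tunnel"   # rule 1: private network traffic
    if _domain_matches(host, cfg.tunnel_domains) or _ip_in(ip, cfg.tunnel_cidrs):
        return "service-tunnel"   # rule 2: specified tunnel domains and CIDRs
    if cfg.itp_enabled and _domain_matches(host, cfg.itp_blocked_domains):
        return "blocked"          # rule 3: on-device threat filtering
    if _domain_matches(host, cfg.published_domains):
        return "banyan-edge"      # rule 4: TLS over the internet to the Edge
    return "internet"             # rule 5: everything else goes direct

# Constructed sample configuration (documentation-reserved names and ranges).
SAMPLE = SteeringConfig(
    tunnel_domains={"corp.example"},
    tunnel_cidrs=[ipaddress.ip_network("203.0.113.0/24")],
    published_domains={"wiki.example.org"},
    itp_enabled=True,
    itp_blocked_domains={"malware.test"},
)

if __name__ == "__main__":
    for h, ip in [("db.internal", "10.1.2.3"), ("wiki.example.org", "198.51.100.20")]:
        print(h, ip, "->", steer(h, ip, SAMPLE))
```

Walking a list of expected destinations through a model like this is a quick way to spot traffic that would leave over the public internet when a tunnel or the Edge was intended.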

Application Proxy

The Banyan Edge provides an identity-aware proxy that enforces application-layer policies.

  1. Published services are proxied through the Banyan Edge; the Edge terminates TLS and forwards requests to the backend
  2. If application-layer policies are specified, L7 requests and responses are examined and policies are enforced

Application Authentication

Banyan issues short-lived cryptographic credentials - SAML and OIDC tokens, X.509 and SSH certificates - that can be used for application authentication.

  1. SaaS applications can use Banyan’s IDP federation to authenticate users
  2. Infrastructure resources (SSH server, K8s API) can use Banyan’s tokens and certificates for authentication and authorization
  3. If policies are specified, Banyan can enforce user- and device-based controls

Other Scenarios

A few other scenarios that Banyan supports that are not explicitly called out in the framework above are noted here:

1. Clientless access

Users without a Banyan client cannot set up service-tunnel-based connectivity. In this scenario, you can use Banyan’s published services capability. Published services in Banyan resolve via public DNS servers and are proxied through the Banyan Edge, which terminates TLS using trusted Let’s Encrypt certificates and enforces application-layer policies.

2. Co-existing with traditional L3 VPN

Banyan can operate seamlessly atop an existing L3 VPN. Typically, traffic to published services flows over the public internet. However, you can configure Private DNS Override for a given published service so traffic will flow over your L3 VPN tunnel instead of the public internet.

3. Co-existing with on-premise Web Proxy

Banyan can operate seamlessly in secure networks that require all web traffic to be inspected by a web proxy. The Banyan App and Banyan Access Tier both respect the OS’s http_connect proxy setting, and so can communicate with the Banyan Cloud Command Center.


What’s next

Read more about how zero-trust policies work in Banyan.