Versa Capabilities
Exceptional Capabilities, Delivered Through Single-Pass Architecture
Delivering business agility with the highest network availability and uniform security, a superior application user quality of experience, and resilient, redundant WAN performance requires a reimagination of the corporate network edge.
Versa Secure SD-WAN is a key component in any digital transformation strategy: it enables secure, scalable, and reliable enterprise-wide networking while increasing multi-cloud application performance and dramatically driving down costs.
The Versa Secure SD-WAN architecture was built from the ground up as a complete integration of best-of-breed comprehensive security, scalable advanced routing, full-featured SD-WAN, genuine multi-tenancy, sophisticated analytics, and policy-based automation in a single Enterprise-class, Carrier-grade operating system (VOS) that operates at exceptional scale. All of these capabilities are unique and outperform the competition in their respective fields alone, but combined into a single software solution, they make Versa Networks the powerful SD-WAN product on the market.
Complete Integrated Security
Versa Secure SD-WAN integrates next generation firewall, intrusion prevention, secure virtual private networking, and universal threat management.
Full-Featured SD-WAN
Capabilities include sub-second packet steering across multiple WAN interfaces, packet loss reduction, packet replication, and poor-performing link avoidance.
Genuine Multi-Tenancy
The only SD-WAN solution that allows total separation between tenants, extended to every branch site, allowing for granular roles and segmentation.
Scalable Advanced Routing
Architected from the ground up based on massively scalable Internet deployments. Features include traditional routing and the newest innovative capabilities.
Sophisticated Analytics
Real-time visibility into the traffic of your users, devices, applications, and systems, so you can pull reports, audit, forecast, and make insightful decisions.
Policy-Based Automation
Apply consistent policy anywhere in your environment and automate workflows to create network slices or implement security remediation steps.
Security:
Security is an intrinsic part of Versa’s software architecture.
Due to the rise of cloud-based applications, remote work, and mobile devices, the Enterprise and all its branch sites are becoming more of a point of concern where the growing attack surface can lend itself to a host of vulnerabilities from the outside.
Securing the data center and the branch offices is not easy and it doesn’t make sense to backhaul all branch traffic through a centrally deployed firewall in the data center; correspondingly, the resulting latency impacts to application performance generally frustrate both IT and the end-users.
The Versa Secure SD-WAN solution was built from the ground up to be fully programmable and automated, with a cloud-native architecture and with integrated security, not as just another added feature or external bolt-on service. Security is an intrinsic part of Versa’s software architecture, unlike other vendors on the market. A core element of Versa Secure SD-WAN is the ability to “software-define” security in terms of form-factor and operations (e.g. policy creation and enforcement). A software-defined security platform separates security functions from proprietary hardware, enabling the use of security functions in software running on commodity x86 servers and white box appliances.
Versa offers comprehensive security with:
Stateful Firewall
Zone-based Firewall, support for Address Objects, Address Groups, Services, Geo-Location, Time-Of-Day, Rules, Policies, Zone Protection, DDoS (TCP/UDP/ICMP Flood), SYN cookies, Port-scans, ALG support, SIP, FTP, PPTP, TFTP, ICMP, QAT support.
URL Categorization and Filtering
URL categories and reputation including customer-defined, Cloud-based lookups, Policy trigger based on URL category, URL profile (blacklist, whitelist, category reputation), Captive portal response including customer defined, Actions include block, inform, ask, justify, and override.
Application Visibility
Identifies more than 3000 applications and protocols, Supports Application groups, Application filters, Application visibility and log.
Anti-Virus
Network/Flow based protection with auto signature updates, HTTP, FTP, SMTP, POP3, IMAP, MAPI support, 35+ file types supported (exe, dll, office, pdf & flash file types), Decompression support, Storage profile support.
Next-Generation Firewall
Policy Match Triggers: Applications, App Filters, App Groups, URL Categories, Geo Location, Application Identity based (AppID) policy rules, Application Group and Filters, Packet Capture on AppID, IP Blacklisting, Whitelisting, Custom App-ID signatures, SSL Certificate-based protection, Expired certificates, Untrusted CAs, Unsupported ciphers and key lengths, Unsupported Versions, NSS Labs Recommended Rating.
IDS/IPS
Default and customer defined signatures and profiles, Versa and Snort rule formats, L7 DDoS, Layer7 Anomaly detection, Support for JavaScript attacks, Security package with incremental updates, Full incremental (daily) and real-time threat (every hour), Lateral movement detection.
IP Filtering
Filtering of traffic based on Geo-Location, DNS name, Reputation of Source/Destination IP Addresses – support for both IPv4 and IPv6. Automatic updates of IP Reputation database.
Intelligent security that understands your business needs.
Versa’s software-defined security is dynamic and encompasses the contextual intelligence and awareness of users, devices, sites, circuits and clouds; enabling robust and dynamic policies to achieve a multi-layered security posture. For example, IT teams can deploy contextual network and security policies for specific users and specific devices, like anti-virus and URL-filtering, when utilizing certain site-to-site or Internet links.
In addition, all SD-WAN connectivity is based on industry standard IPsec tunnel encapsulation and all traffic is encrypted and safe. IT security teams can even set unique security policies, differentiated services or security service-chains for guest access, corporate access and partner access networks at the branch. This enables the enterprise to meet business security and compliance policies - all with a single unified software platform.
SD-WAN:
Moving beyond traditional WAN to deliver speed and scale.
Legacy WAN architectures are simply not up to the task of supporting digital transformation trends such as cloud-first and mobility-first architectures. Organizations need to embrace a software-defined Enterprise to achieve optimal application performance. To achieve this, SD-WAN devices should be deployed at sites and gateways where traffic can securely use any transport available to it for the most direct access to the cloud. An agile software-defined Enterprise can instantly identify traffic flows to SaaS applications such as Office 365, Salesforce, or Gmail and apply optimal multi-dimensional policies (for best path selection, QoS, security) and guarantee consistent security posture and application performance.
Versa Secure SD-WAN delivers top-class networking, security, visibility, automation and performance capabilities, all built from the ground up into the architecture, that can help organizations of all sizes overcome the challenges and complexities of on-premises, hybrid, or multi-cloud environments.
With a single software platform that meets your networking and security needs, Versa Secure SD-WAN allows organizations to reap the benefits that a fast, agile, scalable, and secure IT deployment can bring, including better application performance, a smaller attack surface, and ultimately lower cost of ownership.
Full support for a flexible network topology.
Versa supports all topologies including full mesh, partial mesh, hub-and-spoke and other arbitrary topologies. Versa’s control plane provides flexibility to define and establish the topology of choice on any tenant. A single VRF per tenant can have one topology while another VRF for the same tenant can be part of a different topology.
Versa Secure SD-WAN also supports the propagation of routes to multicast source-subnets within MP-BGP. This allows the VPN topology for multicast to be different than that for unicast. For example, the multicast topology can be Hub-and-Spoke whereas the unicast topology can be full-mesh.
Optimized for flexible hybrid and multi-cloud deployment.
Leveraging Versa automation, customers can manage the complete lifecycle of VOS from creation to termination from a single pane of glass, in just a few clicks. The complete orchestration of VOS on cloud is done with true zero touch provisioning. This methodology significantly cuts down cloud instantiation times and operational involvement. Versa eliminates multi-cloud complexity by automating dynamic multi-cloud overlay connectivity from any user/device/branch.
Additionally, VOS can be deployed in a colocation facility like Equinix Network Edge or Versa POPs with a low-latency express connection and on-ramp to multi-cloud and SaaS applications. The cloud experience is fully automated with Equinix Network Edge and Versa POPs for both infrastructure and connectivity.
Versa Secure SD-WAN has several inbuilt optimizations to force SD-WAN nodes to always send traffic back to the originating WAN port with the best traffic performance capabilities, avoiding any chances of asymmetric routing. The solution also leverages several standards-based loop prevention algorithms to eliminate sub-optimal performance and unplanned downtimes.
Versa offers an extensive list of SD-WAN capabilities such as sub-second packet steering across multiple WAN interfaces, packet loss reduction through services such as FEC, packet replication, and poor-performing link avoidance that outperform the competition.
Multi-Tenancy:
Management, data, and control plane independence.
Enterprises viewed network segmentation as a necessity to accomplish network security and as a relief from limitations on Layer 2 domains. Virtual Local Area Networks (VLANs) became the de facto standard for segmentation. They provided a mechanism for segregating business units, zones, and security.
However, VLANs provide a minimal set of security and separation within the average Enterprise network. While it is true that a user on a given VLAN cannot directly communicate with nor access information on the other VLAN, Denial of Service (DoS) attacks may still impact the other VLAN's traffic and communication.
Versa offers Genuine Multi-Tenancy through our orchestration platforms, the control plane, and the data plane. This level of Multi-tenancy keeps the policies and configuration and the logs and statistics segregated from that of the other tenants.
A fully multi-tenant system is one where multi-tenancy exists at the management level, control plane, data plane, and analytics level.
Versa offers this level of multi-tenancy at the hub location and the edge device locations:
Management Plane Multi-Tenancy
- Independent RBAC for each tenant
- Users of a tenant can see only the devices of that particular tenant
Data Plane Multi-Tenancy
- Routing tables separation
- Each tenant can have up to 1024 VRFs
- Independently encrypted data plane tunnels between SD-WAN devices
- Independent instances of a routing table, BGP instances, OSPF instances, etc.
Control Plane Multi-Tenancy
- Independent SD-WAN engines for each tenant
- Independently encrypted secure tunnels with Controllers for each tenant
- Independent topologies for each tenant
The only true multi-tenant architecture on the market.
Versa Networks is the only true multi-tenant solution on the market, allowing you to achieve management plane, data plane, and control plane multi-tenancy at both the hub and edge device locations. Versa Secure SD-WAN has built-in, native segmentation with true multi-tenant implementation. Each Versa Secure SD-WAN node can support up to 256 tenants.
This provides flexibility to host multiple customers per instance while maintaining separation between each customer's traffic. Further, each tenant can have multiple virtual routing and forwarding tables (VRFs), VLANs and service chains with full separation of control plane, data plane, and management plane. No other solution on the market can come close to this level of segmentation.
Routing:
Carrier-grade routing delivered through software.
Modern networks today demand scalability, adaptability, and fast failure convergence irrespective of on-premises, cloud or the edge. To meet these demands, VOS and VOS with Titan deliver high-performance, application aware intelligent routing to guarantee performance at scale.
With Versa, you can get carrier-grade routing support through VOS and VOS with Titan that optimizes both common and advanced routing protocols which are crucial for WAN and LAN network agility. These include Static, OSPF, BGP, MP-BGP (MPLS based L3VPN, MPLS based EVPN, VXLAN based EVPN), RIP, IGMP, PIM, VRRP, PBR (policy-based routing).
Versa supports Bidirectional Forwarding Detection (BFD), which can be used with routing protocols such as BGP to monitor control plane health checks and provide sub-second failure convergence.
VOS supports IPv6 on both the LAN and WAN interfaces and all permutations of dual stack such as:
- IPv4 LAN over IPv6 WAN transport
- IPv6 LAN over IPv4 WAN transport
- IPv6 LAN over IPv6 WAN transport
Additionally, VOS natively supports Virtual Routing and Forwarding (VRF), MPLS over GRE, and MPLS over IPsec to interoperate directly with the Service Provider Edge. With all of these capabilities available through an easy software architecture, Versa Networks offers the most robust and scalable routing solution for the modern Enterprise.
Delivering dynamic network intelligence to cloud.
One of the biggest networking challenges in cloud is very limited support for multicast, broadcast and dynamic routing. Such limitations adversely affect network resiliency in cloud. VOS overcomes these networking challenges in the cloud by using purpose built, cloud-native routing protocols.
These protocols can track the state of system objects like routes, interfaces and monitors and interact with the cloud environment to re-route around failures. VOS leverages this technology in cloud to deliver fast failure convergence, with near zero downtimes.
Routing that understands application context.
VOS and VOS with Titan auto-recognize over 3600 applications. VOS and VOS with Titan continuously monitor links, transport-paths and application performance (bandwidth, latency, jitter, error rate, packet loss, MOS, MTU etc.). VOS and VOS with Titan leverage this information for application-based link selection, intelligent traffic engineering, and smart re-routing. The solution also provides application-aware traffic steering and can consider time of day, link type (MPLS vs Internet), application requirements (bandwidth, delay, jitter, error rate) and link performance.
The solution can measure the MOS score for individual sessions of 190+ codecs. This MOS score can be used to make traffic routing decisions. Paths with better MOS scores are chosen, ensuring users always experience the best voice, video and audio quality. VOS also supports first packet identification of SaaS applications such as Office 365, ensuring that optimal path selection policies are effective from the first packet itself.
Analytics:
Real-time analytics that give you the visibility and control.
Versa Secure SD-WAN offers a centralized portal for cohesive visibility of applications, users, workloads, databases, web servers, and security policy violations without requiring anyone on staff to understand the intricacies of the specific clouds and their unique tools.
With the Secure SD-WAN single-pane-of-glass, you can view a global map and exactly pinpoint the geolocation of any particular workload, and which users are accessing that workload. If a workload is being attacked by an external actor, you can block it with a single click, as well as access deep analytics to give more insight into the attack: who is trying to bring down your service, what kind of attack are they using, and how can it be mitigated.
Sophisticated analytics allows you to adjust your baseline security posture across all environments. A pane that shows device utilization helps you manage performance.
If, perhaps, the CPU use of any specific device exceeds a given threshold, you can create an auto scaling policy to instantiate more devices and increase aggregate performance. You can also see exactly which users, in which regions, are using your service. These displays help you to architect high availability or prepare a design for future business expansion requirements. And it is all done from an application perspective and presented on a single analytics dashboard.
Versa Analytics is the big data solution that provides real-time and historical visibility, baselining, correlation, prediction and closed-loop feedback of your network:
- Policy driven data logging
- Real-time and historical traffic visibility and anomaly detection
- Reporting for multiple network and security services
- Multi-organizational reporting
- 3rd party application and monitoring tool integration
Custom reporting on user, device, and application traffic.
Versa provides a native Analytics engine that supports multi-dimensional, historical, and near real-time data reporting for network, security, application and user flows. Versa provides automated report generation and email capabilities to enhance monitoring efficiency.
Seamless, secure connectivity to multiple cloud services is one of the more prominent benefits of a cloud-smart SD-WAN. Versa supports path selection based on Versa Link Score (VLS). This is a composite score that takes into consideration TCP parameters, MOS-like scoring, round-trip-time, round-trip-delay, jitter, delay, loss and application performance metrics. Versa utilizes a MOS-like engine for all traffic flows across the SD-WAN. Using the “experience calculation” with active or passive monitoring, we can determine how the app is performing, combined with network monitoring.
By doing so, Versa provides application intelligence to multiple cloud/SaaS services that are available for easy export and auditing.
True first packet auto-recognition to thousands of applications
Versa Analytics auto-recognizes over 3600 applications using a built-in Deep Packet Inspection (DPI) engine. Versa Analytics can identify many SaaS applications on the first packet using an automatically updated database of corresponding IP addresses and domain names. This enables the customer to create policies (including path selection, QoS, security policies) that get applied to the flow starting from the first packet itself.
Automation:
Automated and consistent policy enforcement everywhere.
Versa Networks provides a centralized approach to management for configuration, monitoring and troubleshooting via a single pane of glass, known as the Versa Director. This approach allows the security operator to configure and apply common security policies across the entire network as easily as configuring a single router. Implementing this modular methodology using templates eliminates configuration errors.
Further, this allows an organization to apply common policies within seconds across the entire SD-WAN environment, a huge improvement over the hours (or days) required in traditional networks. Versa Director provides both a web UI and a comprehensive API for customers to easily manage SD-WAN and security components via a single console. With Versa’s policy-based automation, you can achieve:
Automated Zero-touch Provisioning (ZTP)
Global Zero-touch provisioning enables organizations to rapidly deploy VOS automatically and remotely, at massive scale. VOS uses call-home features to connect to a cloud-based staging server automatically when it powers on. Alternatively, organizations can also choose to activate VOS devices through an onsite administrator using a laptop connected to the device, over a mobile phone for WiFi-enabled devices or through the device client.
Automation of Network Topologies
Versa Secure SD-WAN automates the creation of the most common network security topologies, namely full-mesh, partial mesh, hub & spoke and any other arbitrary topologies. By using the built-in workflows, administrators can create and deploy proven and security validated designs expeditiously. Additionally, workflows can automate the creation of network slices to meet the aggressive SLAs of 5G, MEC use cases effectively.
Versa SASE Automation
Versa provides automated signature and vulnerability updates, log analysis, configuration, and policy updates across on-premises, cloud and the edge. The engine also supports automated self-healing across any user/device/branch with unified policy infrastructure, reducing the touch points for change management.
Versa SD-LAN Automation
Versa delivers Software Defined LAN Networking for Campus with full programmability and automation. The architecture brings AI/ML based automation, tuning and self-healing to detect and contain non-authorized devices across the campus LAN.
Orchestration to Cloud Gateway Services
Versa has Azure API integration to automate IPsec-based connectivity to chosen Azure virtual WAN gateways and AWS Transit Gateways. Using this, site to site VPN tunnels are orchestrated and routes are automatically propagated between cloud and the branch devices. Using this integration, organizations can simplify their cloud architectures and effectively utilize the cloud backbone.
Orchestration to Third-party Secure Web Gateway
Versa Secure SD-WAN with Titan has a fully integrated security stack for customers who want to deploy SD-WAN with security on-premises. In addition, Versa supports orchestration and redirection to multiple third-party Secure Web Gateway providers. Versa supports GRE or IPsec tunnels through automated workflow templates to easily integrate with these Secure Web Gateways. When Versa Secure SD-WAN is used as an appliance connecting to a cloud-hosted Versa Secure Web Gateway, Versa offers better load balancing and flow distribution, increasing traffic performance.
Versa automation through the Versa Director provides a single pane of glass that is used for automated update and upgrade of software and security packages of VOS and VOS with Titan instances. Both software and security package upgrades can be scheduled, for a specific day/time, for all devices or a set of devices. If there is an error or failure during an update or upgrade, the solution supports automatic rollback to the prior version.