Versa Networks

Versa Secure SD-WAN Licensing Overview (2019 to 2024)

Versa Secure SD-WAN combines integrated routing, SD-WAN, and next-generation firewall (NGFW) features to provide effective WAN edge options for customers.

Secure SD-WAN Licensing Overview

Versa Secure SD-WAN licensing has three dimensions: solution tier, appliance model, and subscription duration. There are three solution tiers, each associated with a set of features. Subscription durations are one, three, and five years, with an upfront payment model.

[Figure: licensing-model-overview.png]

Versa Secure SD-WAN offers device-based subscription licenses. Each customer premises equipment (CPE) deployed in your network must be associated with a software subscription license. This includes each CPE deployed in high availability (HA) or active-standby configurations.

Versa Secure SD-WAN Licensing Tiers

Versa bundles its SD-WAN features into Prime and Premier tiers. This tiering provides ease of purchase, ease of deployment, and cohesive value to customers at each tier. The Prime tier focuses on the core features of SD-WAN, while the Premier tier adds features that optimize the application and user experience and dynamically manage and enhance that experience over SD-WAN.

[Figure: licensing-building-blocks.png]

For security, Versa combines Layer 4 to Layer 7 security features into next-generation firewall (NGFW) and unified threat management (UTM) tiers. The NGFW tier focuses on Layer 7 security features: application control, URL filtering, IP reputation filtering, DNS proxy, and control of traffic for each relevant type. The UTM tier focuses on scanning traffic inline for malware and vulnerability exploit attempts and stopping such malicious activity.

[Figure: l7-licensing-building-blocks.png]

For WAN edge deployment, Versa bundles the NGFW tier with SD-WAN. This helps you to utilize a single solution that covers SD-WAN, routing, and comprehensive NGFW capabilities using a single license per CPE with major pricing, right to use (RTU), and deployment advantages.

Versa Secure SD-WAN features are grouped into the following four tiers:

[Figure: sd-wan-tier-summary.png]

  • Prime SD-WAN tier—Core SD-WAN functions for branch-to-branch or hub-and-spoke deployments over multiple access technologies:
    • Stateful firewall, DoS protection, extensive routing protocol coverage, and an extensive Layer 2 feature set
    • Secure, dynamic, encrypted VPN overlays
    • Application detection and visibility
    • Application traffic control, traffic engineering, and application quality of service (QoS)
    • SLA-based path measurement
  • Prime Secure SD-WAN tier—All Prime SD-WAN features plus NGFW:
    • Advanced security features, such as URL filtering and IP filtering
    • Web security by blocking web access based on URL reputation
    • Blocking of access to IP addresses with low reputation
    • SSL proxy to break encrypted sessions for captive portal purposes
  • Premier Secure SD-WAN tier—Upgrades SD-WAN while retaining NGFW capabilities, in addition to the Prime Secure SD-WAN features:
    • Advanced SD-WAN capabilities
    • Application acceleration
    • Application-specific optimizations
    • Optimizations for cloud- and direct internet access (DIA)-destined traffic
    • Optimized voice service using MOS scores
    • Accelerated applications using FEC or packet cloning
    • Optimized access to SaaS clouds
    • User- and user-group-based traffic engineering and SLA policy
  • Premier Elite tier—All features and capabilities of the Versa Secure SD-WAN, Layer 4 security, Layer 7 security, and UTM tiers.

The following figure shows the building block view of each of these tiers.

[Figure: sd-wan-tier-details.png]

SD-WAN Bandwidth Capacity Tiers

The purchase plan for Versa Secure SD-WAN tiers is based on WAN bandwidth for sizing and capacity management purposes. The WAN bandwidth tier represents the amount of WAN traffic that the CPE is entitled to process in the uplink and downlink directions. Bandwidth in the uplink direction and in the downlink direction is measured separately. For example, the 25 Mbps bandwidth tier allows you to process up to 25 Mbps in the uplink direction and up to 25 Mbps in the downlink direction over WAN interfaces.

Available WAN bandwidth tiers are 10/25/50/100/250/500 Mbps and 1/2/5/10/20/50/100 Gbps.

The WAN bandwidth used for a subscription is measured at 5-minute intervals throughout each month. Versa license management software collects all of these data points, ranks them from highest to lowest, and uses the 95th percentile as the used bandwidth for the CPE.

The Versa Secure SD-WAN subscription bandwidth only references WAN link utilization and excludes any traffic between LAN ports and on CPE cross-connect links. For high availability, the licensed bandwidth must be equivalent to the expected bandwidth used on the WAN links attached to the CPE.
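The measurement described above, worked through as an added example (this is not Versa's license management code): a constructed month of 5-minute WAN samples per direction is ranked highest to lowest, the 95th percentile is taken per direction, and the result is checked against the purchased tier. The tier ladder comes from this page; the exact rounding rule for "top 5%" is not stated on the page and is assumed here to be floor(5% of the sample count).

```python
"""Added example, not Versa's code: 95th-percentile WAN usage check
against the Secure SD-WAN bandwidth tiers listed on this page."""
import math
import random

# Tier ladder from the page, in Mbps: 10/25/50/100/250/500 Mbps, 1-100 Gbps.
BANDWIDTH_TIERS_MBPS = [10, 25, 50, 100, 250, 500,
                        1000, 2000, 5000, 10000, 20000, 50000, 100000]


def p95_rank_based(samples):
    """Rank samples highest to lowest, drop the top 5%, return the next one.
    Assumption: the dropped count is floor(5% of the sample count)."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples, reverse=True)
    drop = math.floor(len(ordered) * 0.05)
    return ordered[drop]


def required_tier(mbps):
    """Smallest tier that covers the measured value, or None above 100 Gbps."""
    for tier in BANDWIDTH_TIERS_MBPS:
        if mbps <= tier:
            return tier
    return None


def check_subscription(uplink_samples, downlink_samples, licensed_mbps):
    """Evaluate each direction separately, as the page states, and report
    whether the licensed tier covers both 95th-percentile values."""
    up = p95_rank_based(uplink_samples)
    down = p95_rank_based(downlink_samples)
    return {
        "uplink_p95_mbps": up,
        "downlink_p95_mbps": down,
        "licensed_mbps": licensed_mbps,
        "within_tier": up <= licensed_mbps and down <= licensed_mbps,
        "required_tier_mbps": required_tier(max(up, down)),
    }


def constructed_month(base_mbps, burst_mbps, burst_fraction, seed=1):
    """Constructed data: a 30-day month of 5-minute averages (8640 points)
    that hovers around base_mbps and bursts to burst_mbps for a fraction
    of the intervals."""
    rng = random.Random(seed)
    points = 30 * 24 * 12
    burst_count = int(points * burst_fraction)
    samples = [base_mbps + rng.uniform(-2, 2) for _ in range(points - burst_count)]
    samples += [burst_mbps] * burst_count
    rng.shuffle(samples)
    return samples


if __name__ == "__main__":
    # Uplink bursts to 40 Mbps for 3% of the month: the 95th percentile ignores it.
    uplink = constructed_month(base_mbps=18, burst_mbps=40, burst_fraction=0.03)
    # Downlink bursts to 60 Mbps for 8% of the month: it exceeds a 25 Mbps tier.
    downlink = constructed_month(base_mbps=20, burst_mbps=60, burst_fraction=0.08)
    print(check_subscription(uplink, downlink, licensed_mbps=25))
```

The same check can be fed with exported 5-minute counters from the device to confirm a site sits inside its purchased tier before renewal.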

License Duration

Versa Secure SD-WAN is available in one-year, three-year, and five-year subscription license terms.

Stateful HA Cluster Add-On Option

Versa Networks provides stateful HA synchronization capabilities across active-standby clusters. Stateful HA cluster capability synchronizes long-lived flows from the active node to the standby node. The prerequisite for stateful HA synchronization is any tier that includes NGFW or UTM capabilities, including the Secure SD-WAN tiers. The add-on's bandwidth capacity must match the bandwidth capacity of the underlying SKU on a given device.

Versa Headend Components

Versa Networks provides a comprehensive set of management, analytics, orchestration, monitoring, and controller capabilities through Versa headend components. The Versa headend consists of the following components:

  • Versa Concerto - VMS (orchestrator)
  • Versa Director (management plane)
  • Versa Analytics (big data database and application)
  • Versa Controller (control plane)
  • Versa Messaging Server (streaming servers)

Every headend component and Versa Operating System™ (VOS™) instance is multitenant capable and comes with granular RBAC capabilities. Among the headend components, Versa Director, Versa Controller, and Versa Analytics are minimum requirements, while Versa Concerto and Versa Messaging Server are recommended components.

Versa Networks provides the option to deploy the Versa headend on-premises or to use it as a SaaS cloud instance.

On-Premises Versa Headend Licensing

You can deploy the Versa headend on-premises for data sovereignty, specific regulatory, or other reasons. If you purchase this option, you or your partners must download orchestration software images from the Versa Networks software repositories and install them on your servers based on the procedures described in the Versa documentation portal. After installation, you must install an appropriate license file on Versa Director to activate the on-premises orchestration setup.

To request the license key, contact the Versa TAC team. For more information about on-premises Versa Orchestration suite installation, see the Versa documentation at https://docs.versa-networks.com.

The Versa on-premises headend suite license is sold separately in different setup sizes to address all deployment requirements. Each size allows you to manage up to a specific number of CPEs. The following sizes are available: 250, 1,000, 2,500, 4,000, 5,000, 10,000, 15,000, and 20,000 CPEs.

Note that Secure SD-WAN, Secure SD-LAN, and NGFW licenses are separate from the on-premises headend licenses. The on-premises headend license of a given capacity is a superset of the actual number of Secure SD-WAN CPE licenses that you purchase: you are entitled to deploy SD-WAN CPEs based on the number of CPE software subscription licenses purchased, not based on the headend capacity.

As an example scenario, you buy the on-premises license to manage up to 1000 CPEs. You currently have plans to deploy 742 CPEs, so you purchased 742 Secure SD-WAN subscription licenses. You are now entitled to deploy only 742 Secure SD-WAN CPEs using on-premises orchestration software. On request, the Versa TAC team can provide you with an SD-WAN license key for 742 CPEs to activate these devices. Subsequently, you can purchase an additional 258 instances of Secure SD-WAN licenses to be managed by the same orchestration without paying extra for the orchestration suite.

Versa Hosted Headend as a Service

Versa offers cloud-based Versa Hosted Management (VHM) so that customers can eliminate the need to deploy the Versa headend on-premises and the associated overhead. After you subscribe to the VHM service, you can consume the Versa headend components from the Versa cloud as a SaaS service. With this option, you can use multitenant or dedicated headend instances to deploy, configure, and operate VOS instances on-premises or in your cloud locations. VHM as a SaaS service provides RTU for the Versa headend platforms for the duration of the VHM subscription, with no need to install and maintain the headend.

The Versa-hosted headend comprises a completely redundant cloud-based setup for all Versa SD-WAN headend components deployed across the globe. The VHM service helps to deploy Versa Secure SD-WAN using multitenancy on shared headends, or can be dedicated to a specific customer.

The following options are available for VHM as a SaaS service:

  • Dedicated cloud-hosted Versa Orchestration as a SaaS service
  • Shared hosted headend SaaS service

Versa Networks offers dedicated cloud-hosted orchestration as a SaaS service for a given customer, without sharing that VHM instance with any other customer. This provides the flexibility to run your own software version, with independent software upgrade timelines, maintenance windows, and cloud orchestration locations, and with no dependencies on any other Versa customer.

The dedicated cloud-hosted orchestration SaaS service is offered at capacities of 500, 1,000, 2,500, 4,000, 5,000, 10,000, 15,000, and 20,000 CPEs. When you purchase a cloud-hosted orchestration suite for a given capacity and geography, the Versa Managed Services team instantiates the SaaS service and provides access to it.

The Versa shared hosted headend SaaS service is the other option. In the shared option, VHM as a SaaS service is delivered from a cloud environment that is shared across multiple customers or tenants and is purchased on a per-device basis. The shared headend provides additional pricing granularity by mapping each CPE to one of the following four buckets based on the aggregate WAN bandwidth of the device (and the number of logs expected from it):

  • Small (up to 50 Mbps)
  • Medium (up to 500 Mbps)
  • Large (up to 2 Gbps)
  • X-Large (above 2 Gbps)

Note that Secure SD-WAN, Secure SD-LAN, and NGFW licenses are separate from the cloud-hosted orchestration SaaS service licenses. The actual number of Secure SD-WAN CPEs that you are entitled to deploy is determined by the number of CPE software subscription licenses you purchase.

Both the shared and the dedicated Versa hosted orchestration SaaS services include instantiation of the Versa orchestration suite in Versa cloud instance(s) by Versa personnel in highly available form. The dedicated cloud-hosted orchestration SaaS service also includes monitoring and maintenance by Versa's managed services team. For more information, including SLAs, see the datasheet.

Versa Secure SD-WAN Add-on Options

Versa Secure SD-WAN add-on options allow you to subscribe to specific features that are not included in the chosen license tier. You must purchase the add-on license with the same underlying SD-WAN WAN bandwidth for each CPE, and a base SD-WAN license is required to subscribe to an add-on license. The following table lists the add-on options and their applicability for each tier:

Add-On Option                                   Prime    Prime Secure   Premier Secure   Premier Elite
Versa Advanced Network Insights (VANI)          Add On   Add On         Add On           Add On
On-premises zero trust network access (ZTNA)    NA       Add On         Add On           Add On
Identity engine                                 NA       Add On         Add On           Add On
Advanced logging service (ALS)                  Add On   Add On         Add On           Add On
XoT fingerprinting and security                 NA       Add On         Add On           Add On
Data protection (inline CASB and DLP)           NA       NA             NA               Add On
Cloud-based ATP sandboxing                      NA       NA             NA               Add On

Advanced Logging Service

As new, sophisticated threats emerge, identifying, stopping, and remediating them is a top priority for security administrators. You can evaluate the scope and seriousness of a threat by analyzing the network events that occurred around the time of the incident. Advanced logging service (ALS) is a SaaS offering that you can integrate with your SD-WAN headend (either on-premises or Versa-hosted) to provide a scalable solution for storing and efficiently retrieving network logs. ALS is a big-data-based system optimized to search, filter, and retrieve logs of interest and provide them immediately to your security team for further analysis.

You subscribe to ALS based on the volume of logs that you store in the service, in multiples of 1 TB (terabyte). The storage required, and therefore the SKU, depends on the number of logs stored in the service and the duration for which they are retained. For example, for 100 GB of logs generated each day with a 30-day retention requirement, a 3 TB ALS subscription is required. While log size varies with the type of data stored, one log consumes approximately 1600 bytes of storage.

You subscribe to ALS on a geographic region basis. For example, if you need 5 TB in North America and 3 TB in APAC (Sydney), then you need to subscribe to two SKUs, one for 5 TB and another for 3 TB of ALS.

Data Protection

The data protection add-on option provides inline CASB and inline data leakage prevention (DLP) capabilities. Inline DLP provides real-time protection against data leakage outside the enterprise perimeter. It protects against erroneous or malicious exfiltration of enterprise data to third-party destinations.

Inline DLP provides the following features:

  • Detects confidential files being uploaded to internet-based applications or external servers. Works with Microsoft Information Protection (MIP) to detect confidentiality of files and block the channel.
  • Detects patterns (for example, credit card numbers, SSN, and patient information) and blocks the channel.
  • Contains pre-defined policies matching your regulatory domain (for example, PCI-DSS, HIPAA).

Inline CASB enables control and visibility of user actions within internet-based applications. Administrators can, for instance, analyze user actions (likes, comments, uploads) on social media applications and enforce rules that protect data from being exfiltrated either maliciously or through user error. For example, you can define a rule that an engineering user cannot comment on social media, while marketing users can comment and upload but cannot "like" content.

Inline CASB provides real-time visibility, classification, and access control for SaaS-based applications. Many enterprises face the challenge of users enrolling in third-party applications without the visibility or knowledge of the IT department. These are called unsanctioned applications; such unauthorized or unapproved applications can cause data leakage, violate company policies and compliance requirements, and act as sources that spread malicious content or code. IT departments therefore need reliable methods to discover and classify SaaS applications, identify the applications and users involved, and control the use of unsanctioned applications. Inline CASB plays a key role in achieving this goal.

Together, inline CASB and inline DLP provide SaaS-based application discovery, access control, and data leakage prevention, ultimately securing enterprises on cloud-based applications and data repository usage.

On-Premises ZTNA

The zero trust framework secures the network by not trusting any user or device by default. Today, most networks use Network Access Control (NAC) to admit users and devices to an enterprise network. In this scenario, it is assumed that an authorized enterprise user is a trusted user, which need not be a valid assumption in many circumstances. A corporate user with valid credentials may unknowingly become the vehicle for delivering malware because of a poor or degraded device posture.

After using cloud-delivered ZTNA solutions, enterprise IT administrators now demand on-premises ZTNA solutions. The on-premises ZTNA add-on option decouples the right to access the network from the right to access applications. It uses multiple factors, such as user authentication, user behavior, device posture, and device ID, to decide whether to grant access to the network or to a network segment for specific applications and/or specific micro-segments.

As conditions change, IT administrators require the capability to automatically adapt to conditions, such as the security posture degrading or improving, and to automatically apply policy enforcement, segmentation or micro-segmentation actions. Effectively, the on-premises ZTNA add-on option provides ZTNA to users connected to the enterprise network while the policy enforcement point is the SD-WAN router.

XoT Device Fingerprinting and Classification

Devices with a wide variety of computing capabilities and device complexity connect to enterprise networks. Enterprise administrators do not always have complete knowledge of the devices connected to their network, their capabilities, and potential weaknesses of these devices. A device with known vulnerabilities can provide attackers with a launchpad for bigger attacks on the network. Though there are several tools available to maintain an inventory of devices, many of these tools are not dynamic and require manual intervention to add new devices. The exponential increase of devices requires automated mechanisms to detect and catalog devices. 

XoT device fingerprinting automatically detects any device that is active on the network. It detects details of a device, such as the device manufacturer, firmware version, and open CVEs associated with the device. This allows enterprise administrators to take appropriate actions, such as quarantining a device using the on-premises ZT-LAN solution.

Advanced Threat Protection and Sandboxing

Malicious actors frequently stage zero-day attacks against high value targets. They exploit vulnerabilities that are not widely known or announced publicly. Signature-based intrusion prevention solutions used by traditional firewalls cannot detect and block these threats. Advanced threat protection (ATP) secures an enterprise against such threats.

ATP uses multi-stage scanning to evaluate threat levels:

  1. Static analysis—Uses a multi-antivirus engine to scan files against different virus definition files. At this stage, the file is blocked if even a single antivirus vendor recognizes the threat.
  2. AI/ML engine—Uses more than 200 data points that are indicators of exploitation to detect obfuscated files that typically pass through signature-based detection.
  3. Sandboxing—Runs the file in a VM and observes its behavior, for example, registry accesses and system calls.

If a threat is detected in any of these stages, the administrator is notified of the attempt and communication to the threat actors is shut down to protect the enterprise.

Stateful HA Cluster

Versa provides stateful HA synchronization capabilities across active-standby clusters. Stateful HA cluster synchronizes long-lived flows from the active node to the standby node. The prerequisite for stateful HA synchronization is a tier that includes NGFW or UTM capabilities, including the Secure SD-WAN tiers. The add-on's bandwidth capacity must match the bandwidth capacity of the underlying SKU on a device.
