17 Jan What is a SASE architecture? CATO Networks has the answer
A SASE architecture is a must for any business. It checks each device before allowing it on your network. That way, you can stop worrying about scaling issues or logging into different cloud portals.
What problem does SASE tackle?
We have been using a lot of different security and connectivity solutions over the past few years, and for each technology we have been searching for the best-of-breed solution. Just think of the following scenario: a corporation with 25 different sites that need to be connected to each other. This is done either with traditional (expensive) MPLS connections, or with an SD-WAN solution that is already in place. Now all the sites are connected to each other, but there is no security in place. Off we go, adding a NextGen firewall or UTM firewall depending on the requirements of each site.
Great, connectivity and network security are handled now. That’s it, right? Well, no. There’s more to come. As a significant number of users need to connect from their laptop or mobile device when they are on the road, the company also invested in a VPN concentrator. Once the pandemic hit and everyone needed to work from home, that on-premises hardware device was pushed to the limit of its capabilities. Having all these different point solutions leads to substantial overhead in vendor evaluation, procurement, troubleshooting and maintaining all the different solutions, creating a substantial hidden cost.
Say hello to SASE!
The term SASE itself was ‘invented’ by Gartner in 2019 and is short for ‘Secure Access Service Edge’. To address the above issues, an architecture was created with some principal elements:
- Convergence of WAN and security functions: having fewer devices to manage leads to better efficiency, and thus converging WAN connectivity and security seems like a no-brainer.
- A cloud-native architecture: because on-premises devices just can’t scale to our dynamic needs, it only makes sense to create an entire cloud-native architecture that scales to your needs.
- Identity-driven services: identity is at the core of today’s security requirements, whether we’re talking about a physical person, or a specific device. Security policies should be created to grant access only for specific persons to specific applications.
- Support all edges: as you’ll want to make sure that security follows whoever is connecting from anywhere in the world, be it on the corporate campus, from home, or anywhere in between for that matter, you’ll want all edges to be treated equally.
- Globally distributed fabric of PoPs (Points of Presence): keeping latency as low as possible is key to giving users the best experience possible. Therefore, there should be PoPs around the globe, near where the users and applications reside.
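To make the "identity-driven" and "support all edges" elements concrete, here is a small policy evaluator added for illustration (not Cato's or any vendor's policy model): access is decided on identity, device posture and target application, the edge the request comes from is recorded but never changes the decision, and anything not explicitly allowed is denied. The policy table and user/app names are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]   # identity attributes asserted by the IdP
    device_managed: bool     # device posture reported by the client agent
    app: str                 # application being requested
    edge: str                # "campus", "home", "mobile": logged, not used for the decision

# Hypothetical policy table: (identity group, app) -> requires a managed device.
# Constructed for this example; any (group, app) pair not listed is denied.
POLICY = {
    ("finance", "erp"): True,
    ("engineering", "git"): True,
    ("all-staff", "intranet"): False,
}

def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason). Default deny: only an explicit rule can allow."""
    matching = [POLICY[(g, req.app)] for g in req.groups if (g, req.app) in POLICY]
    if not matching:
        return ("deny", f"no policy grants {req.user} access to {req.app}")
    # A rule is satisfied when it does not require posture, or the device passes it.
    if any(not needs_managed or req.device_managed for needs_managed in matching):
        return ("allow", f"{req.user} may access {req.app} from {req.edge}")
    return ("deny", f"{req.app} requires a managed device")

def decision_is_edge_independent(req: AccessRequest, edges=("campus", "home", "mobile")) -> bool:
    """True when the same identity/device/app yields one decision from every edge."""
    decisions = {evaluate(AccessRequest(req.user, req.groups, req.device_managed, req.app, e))[0]
                 for e in edges}
    return len(decisions) == 1
```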
What are the advantages of SASE?
Well, because all services are now delivered from the cloud, there are a few things fewer to worry about.
So first of all, no more logging in and out of different cloud portals to handle different point solutions. A decent SASE solution has one portal to: manage security, set up remote users, give them access to certain applications, get insights in shadow IT, etc. You get the picture.
Secondly, because security is now performed in the cloud with FWaaS (Firewall-as-a-Service), you no longer have to worry about scaling issues in combination with certain features. Just open the data sheet of your favorite firewall and have a look at the performance numbers. You’ll see numbers ranging from multiple gigabits per second (with packet sizes of 1500 bytes) down to mere megabits per second when all security features (IDP, anti-malware, IPS, …) are enabled. This means that enabling a single feature might force a firewall upgrade. With SASE’s FWaaS this is no longer an issue, as scaling happens instantly, as needed.
Even specific features are delivered as a service; think of IPS, for example. The recent Log4J vulnerability is a great example here. Whether your classic IPS was running on a firewall or on a dedicated appliance, the usual process is to update your signatures, start in detect mode, verify that there are no performance issues, monitor for false positives, and finally switch over to prevent mode. All this while there is a vulnerability out there that is actively being abused.
With IPS-as-a-service, this entire process is handled by the SASE vendor, leading to much faster active protection. In the case of the Log4J vulnerability, customers were protected automatically days before the classical security vendors released their signature. So this is simply game changing!
So, any SASE solution will fit my needs?
Well, this would be a perfect scenario, but unfortunately, the world is not perfect yet. Some solutions have been brought to market specifically with SASE in mind, others were created a long time ago and need to be changed significantly to meet the architectural needs for SASE.
So SASE brings together security and networking into a single service. With this architecture, you can say goodbye to logging in and out of different cloud portals and you no longer have to worry about scaling issues in combination with certain features. A logical development to help your business if you ask me!
One of our favorite SASE vendors is Cato Networks, as they are truly cloud native. Enter your details and download the SASE for dummies E-book by CATO Networks below.
Written by Nick Leman.