SASE
What is SASE?
Strengthen Your Network with Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE) is a cloud-native architecture that unifies SD-WAN and VPN services with security functions like Secure Web Gateway, Firewall as a Service, Zero Trust Network Access, and more into a single service.
Why Use SASE?
The key purpose of SASE is to converge Wide Area Network (WAN) connectivity and security services that in the past were separate and disconnected. With SASE, all sites can be connected using classic WAN or SD-WAN technologies, remote users can be connected with VPN services, and a myriad of security controls can be applied to all network traffic through a single plane of traffic and security management.
Imagine having a single firewall and security policy that is applied the same for all users and buildings rather than managing tens or hundreds of different firewalls and security appliances.
- Simplify security and WAN management
- Allow support staff more time to focus on solving other problems
- Single plane of security visibility for all user security, device traffic, and attacker traffic
- Ease the burden on security analysts
BENEFITS
Achieve Stronger Security and Cost Efficiency with Modern SASE and Zero Trust Solutions
Flexible Connectivity Options for Seamless User Access
Modern SASE solutions offer user connectivity to single applications or full VPN connectivity to company networks depending on the business needs. This traffic can be secured with many technologies such as Stateful Firewalling, User Identity services, Intrusion Prevention Services (IPS), Malware scanning and sandboxing, SSL/TLS Decryption, URL Filtering and Web Proxy Services, Data Loss Prevention, Remote Browser Isolation and more.
Proactively Securing WAN Networks Against Modern Threats
In the past, WAN services between buildings and users were largely insecure. At the time, the threats dealt with were much less impactful and the likelihood of them occurring much lower. That is no longer the reality. All businesses and organizations, small and large, are attacked often, from small school districts and businesses to the largest corporations and government agencies. It is no longer feasible to work on a WAN networking model where security largely depends on luck. Proactivity is required in securing WAN services in order to stay one step ahead of our adversaries.
WHAT TO EXPECT
Adopting a Zero Trust Approach for Maximum Security
SASE allows for implementation of a truly Zero Trust Network Access (ZTNA) model. Zero Trust is a security posture where all network connections from all users or devices are authenticated, identified, and given least-privilege access to network resources based on the needs of the business. Zero Trust is not an easy model to adopt and it cannot be achieved overnight. Modern SASE deployments are a force multiplier in adopting the Zero Trust model: with a Zero Trust mindset, SASE allows users, devices, and application protocols to be identified so that it can be determined whether they are legitimate or a threat to the network. It then allows for acting on and reporting on this traffic.
Scalable, Cost-Effective Security with Cloud-Based SASE Solutions
SASE also provides a unique opportunity to scale security services in the cloud. This can both reduce costs and make them more predictable. Security services keep getting more advanced to keep up with adversaries, and these advancements require more resources and bring higher costs. Implementing these security controls with on-premises security devices often requires frequent hardware upgrades to keep up with the performance needed, particularly when it comes to SSL/TLS traffic decryption. This need for higher levels of security using on-premises devices leads to unexpected CAPEX expenses and a less predictable cybersecurity budget. In a SASE model the “heavy lift” of the security services is provided in the cloud. The cloud allows for scaling up and down over time in small increments, reducing the CAPEX burden.
Enhanced Reliability and Lower Latency with Global SASE Infrastructure
A SASE model of WAN networking and VPN services is highly redundant, with services provided by hundreds of data centers all over the world. Due to this, the Business Continuity and Disaster Recovery (BC/DR) planning and testing burdens are lessened considerably for businesses that adopt SASE. If one or more SASE data centers fail, the VPN users and buildings are reconnected to an operational data center seamlessly. A SASE model also reduces latency for users, as network traffic goes to the closest data center for security services before going on to the required resource. Here at Crossconnect, we have been deploying SASE solutions from many different vendors since the inception of the technology. Our security architects and engineers stand ready to help you on the journey to SASE and Zero Trust networking.
How to Choose The Right SASE for your IT Culture?
Crossconnect is highly experienced with three SASE vendors in particular: Palo Alto Prisma SASE, Cisco Secure Access, and Zscaler SASE. The choice of SASE vendor depends on many factors: familiarity with the vendor, features supported, how well the solution meshes with your current infrastructure, IT and cybersecurity goals, and business goals.
Palo Alto SASE (formerly Prisma Access)
Palo Alto’s Prisma SASE is often a good fit for organizations that have already chosen or adopted Palo Alto firewalls. The Prisma SASE service is very similar to having a Palo Alto firewall in the cloud that connects all sites and users together.
Both the features and the configuration of Prisma SASE are similar to configuring an on-premises Palo Alto firewall. Support staff that are familiar with Palo Alto firewalls will be very comfortable with Prisma SASE. Some of the features in Prisma SASE include: SSL Decryption, URL Filtering, User-ID, App-ID, IPS, DNS Security, feed-list blocking, File Blocking, Malware Scanning and Sandboxing, DLP, Remote Browser Isolation, SaaS Security, and more. Palo Alto SASE is largely a “firewall/VPN approach” to SASE. Sites are typically connected into the SASE cloud via IPsec VPN and remote users are connected by Palo Alto’s proven GlobalProtect SSL VPN software. Though Palo Alto supports an “application publishing” approach via their ZTNA connector software, this is not frequently used; most installations are VPN-centric. Like all architectures, this approach has its pros and cons. If you are comfortable with VPN architectures and prefer that users have more complete access to the network, this approach may be the right one.
Cisco Secure Access
Cisco Secure Access has a resemblance to other Cisco products, particularly Cisco AnyConnect / Secure Client VPN and the Cisco Umbrella SIG Service. Organizations that are Cisco-centric will find a similar experience with Cisco Secure Access.
It carries much of the feature set of Cisco SIG and Cisco Firepower firewalls, including Secure Web Gateway category-based web filtering, SSL Decryption, stateful firewalling between sites, VPN posture assessment of remote users, Cloud Malware Protection/CASB, User Identity, File Blocking and Inspection, Safe Search, IPS, DLP, and DNS Security. Cisco Secure Access is also largely a “firewall/VPN approach” to SASE. Sites are typically connected to Secure Access through IPsec VPNs and users are connected via the long-trusted Cisco Secure Client / Cisco AnyConnect VPN software. Much like Prisma SASE, Cisco Secure Access does support an “application publishing” approach with its ZTNA software client, but it is not commonly used. If you are already familiar with Cisco’s security products and are comfortable with a VPN approach to SASE, this may be the best solution.
Zscaler SASE
Zscaler takes a much different approach to SASE than Palo Alto or Cisco. Rather than a VPN networking architecture, Zscaler operates on a highly distributed, cloud-based proxy architecture. Zscaler’s approach is highly focused on “publishing applications” that users can then access through Zscaler software agents installed on user computers.
This approach, just like the others, has its pros and cons. In a VPN approach, to allow a user to access an application for the first time, a firewall rule is created, assuming the resource is at a site already connected via VPN to the SASE cloud. In an application publishing approach, a new SASE configuration is created to publish the application for the first time. An upside of the application publishing approach is that VPNs do not need to be maintained at all sites. Instead, users can just have the Zscaler software on their computers and access published resources, whether in the office, their homes, or at a remote location without a VPN solution.
With a proxy approach, Zscaler will often have more intelligent application controls and features than are found in a VPN-centric SASE system, such as DLP, CASB, content/application controls, and more. However, as with most proxy-based solutions, the added security controls offer greater functionality for HTTP- and HTTPS-based applications than for non-web applications.
Zscaler’s focus on application publishing has both pros and cons. For a very fine-grained, per-application, controlled SASE experience, with robust web application security controls and without the need for VPN configurations, this solution is a good fit.