Key Components of SASE Solution

SASE has many moving parts, each of which contributes a crucial function to the whole. The single, unified SASE product is a collection of utilities that will be familiar to organizations, but offered in a streamlined package that hasn’t ever existed in this form.

Building Out SASE

Secure Access Service Edge (SASE) security solutions combined with SD-WAN technology provide additional levels of protection and security functionality that may include secure web gateways (SWG), cloud access security broker (CASB) capabilities, firewall as a service (FWaaS) functionality, and Zero Trust Network Access (ZTNA) for secure network access in cloud and mobile environments, both locally and globally.

Essentially, SASE is a new package of technologies including SD-WAN, SWG, CASB, ZTNA and FWaaS as core abilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels.

Gartner Research Vice President Andrew Lerner, Gartner

With these components, SASE enables the delivery of integrated secure network security services that supports digital business transformation, edge computing, workforce mobility and identity and access management. In addition to improved security and network performance, key benefits include increased user and IT staff productivity, operational efficiency, cost reduction and new digital business scenario enablement. Additionally, cloud-based SASE offerings enable organizations to update their security solutions against new threats and establish policies more quickly for agile adoption of new security capabilities.

Following is an overview of the key components that make up a complete SASE solution:

SD-WAN

An SD-WAN, also known as a software-defined wide-area network, is a virtualized network that is abstracted from datacenter or branch office hardware to create an easily configurable and scalable overlay wide area network distributed across local and global sites. It’s also an application of Software Defined Network (SDN) technology that is more reliable and scalable than VPN-based WAN solutions because it takes a software-based approach to building and extending enterprise networks beyond the core SDN.

SD-WAN virtual appliances, connected by encrypted tunnels, connect to sets of network services that provide enhanced functionality across the virtualized network. Moreover, traffic reaching an SD-WAN appliance can be classified based on application or service type which is then prioritized using centrally-managed policies to optimize network traffic.

The challenge with SD-WANs, however, is that the virtualized network “fabric” may not always include the security and access controls that organizations require to protect their networks across multi-cloud environments. Yet by combining Secure Access Service Edge or SASE solutions with SD-WAN technology, organizations can deploy flexible and scalable comprehensive security functions across their virtualized networks both locally and globally.

Firewall as a Service (FWaaS)

A Firewall as a Service or FWaaS protects an organization’s site-centric networks from potential threats by filtering out malicious traffic, while at the same time implementing modern security features for next-generation firewalls. FWaaS is delivered as a cloud-based service or hybrid solution, both in the cloud and as on-premises appliance solution. It provides a more streamlined and flexible architecture that uses centralized policy management, enterprise firewall features and traffic tunneling to conduct web traffic inspections in the cloud.

These Next-generation firewalls (NGFW) include technologies not previously available in traditional firewall products. This includes intrusion prevention systems (IPS) that detect and block cyber attacks. Deep packet inspection (DPI that inspects data packet headers and payload information, versus just the headers and helps detect malware and malicious data. And finally, application controls: NGFWs can control what individual applications can access, or block applications altogether.

Cloud Access Security Broker (CASB)

Cloud Access Security Brokers (CASBs) are security policy enforcement points that ensure policy compliance between cloud service customers and cloud service providers. A CASB is a tool or service that also manages and tracks an organization’s and cloud provider’s compliance. CASBs help organizations to mitigate cloud service risks, audit cloud resource access, enforce security policies and meet strict compliance regulations.

CASBs may include firewalls for malware prevention, user credential authentication checks, Web Application Firewalls (WAFs) to protect against malware at the application level, and Data Loss Prevention (DLP) services to prevent users from sending sensitive information outside of an organization.

Secure Web Gateway (SWG)

Secure Web Gateway (SWG) solutions provide advanced, cloud-delivered or on-premises network security services that protect user devices against malware infections from web-surfing activities and enforce organizational security policies. They filter unwanted malware from web-requested traffic and enforce corporate and regulatory policy compliance.

Secure Web Gateways must include URL filtering, malware detection and filtering, and application controls for web-based applications. This includes apps such as instant messaging (IM) and Skype. Data leak prevention is also a characteristic of Secure Web Gateways.

Encrypted Tunneling

Remote Access enables network security and compliance for organizations that have transitioned to the public cloud or hybrid cloud environments using SSL or Internet Protocol Security (IPsec), the secure network protocol suite that authenticates and encrypts data at the IP Packet Layer. IPSec Site-to-Site tunneling enables IT administrators to create secure communication links between two different networks located at different sites.

By creating the IPSec Tunnel, gateways can securely connect to local networks or cloud services. Establishing a virtual tunneled connection with IPsec between network resources and an external device and user requires two main components: remote access client software and secure network access gateway.

DNS Security

DNS filtering allows administrators to block network users from navigating to web page URLs with their internet browser. The process filters out malicious websites and allows access to approved ones is accomplished with IP and URL restriction tools that block traffic on an individual basis or by category (gambling, social networks, etc.).

When restricting a URL with DNS filtering features, the DNS Resolver does not resolve the website associated with its unique IP address. Instead, it will display a custom message notifying users that their access to the page is restricted. Accordingly, DNS filtering is crucial for productivity and protection as well.

IP Whitelisting

IP whitelisting allows IT administrators to assign any team member a single, static outgoing IP address. This capability enables new types of cloud and on-premises configurations that are only possible with static IP addresses. Instead of blocking access to identified risks and threats, IP whitelisting allows admins to identify and permit access to trusted resources.

By whitelisting IP’s, admins grant only trusted users within a specified IP address range permission to access domains or network resources such as email, applications, or URLs. While IP whitelisting does not encrypt data the way a site-to-site connection does, it still limits access to resources such as an entire network or a specific machine or application. Once whitelisting your gateway IP, the resource will be accessible only for devices using this particular IP with whitelisting.

Cloud Sandboxing

Traditional appliance-based sandboxing solutions are normally deployed on-premises and only protect users when using an organizational network. They allow traffic through a network while inspecting suspicious files but may not be able to completely inspect SSL traffic because of hardware limitations. Moreover, attackers are exploiting hardware limitations to distribute malware.

Cloud Sandboxing provides full SSL traffic analysis and real-time threat detection, without the need for expensive hardware. Cloud Sandboxes scan unknown files for zero-day exploits and advanced persistent threats both on and off the network versus DNS Security that automatically blocks malicious domains that are identified with real-time analysis and global threat intelligence.

Zero Trust Access

Zero Trust networking is a security model that removes the idea of trust for all users on a network. This means a Zero Trust Network Architecture (ZTNA) provides privileged network access and policy-based segmentation while also constantly monitoring all individuals on the network, regardless of their status or role. ZTNA internal networks are made up of different levels of “trust boundaries” that should be segmented according to sensitivity.

The Zero Trust security model is an approach to combining operational rigor and new security capabilities to protect organizations from credential theft, network- based attacks, and unauthorized access to sensitive data. By monitoring the network via centralized management capabilities, network visibility can be enhanced to detect unknown threats, or support compliance reporting.

Endpoint Security & Compliance

Organizations today must ensure that each of their endpoints is secure and compliant with their security and operational policies at all times. Endpoint security can deliver multiple endpoint protection capabilities, including next-generation malware protection and support for visibility into encrypted traffic.

Using a continuous, 'Set and Forget' agent-based compliance solution, security and operational policies are enforced at the endpoint with an intelligent agent. This agent connects corporate and customer data for endpoints that are both on or off an organization’s network.