Reverse Route Injection

Zero Trust SASE

 

sase

 

Zero Trust SASE

Today’s digital transformation and strategy initiatives create a need for speed and agility in I.T. However, there is a lag, and that lag is with security. Security can either hold them back or not align with the fluidity needed for agility. As a result, we have decreased an organization’s security posture, which poses a risk that needs to be managed. We have a lot to deal with, such as the rise in phishing attacks, mobile malware, fake public Wi-Fi networks, malicious apps, and data leaks. These are some of the challenges that new security requirements have propelled. One of these is the key capability to continuously discover, assess, and adapt to ever-changing risk and trust levels. These are bundled into a Secure Access Service Edge: SASE Definition solution and Zero Trust Network Design capabilities combined into one SASE architecture.

 



SASE Architecture

Key Zero Trust SASE Discussion Points:


  • The rise of SASE.

  • Challenges to existing networking.

  • The misconception of Trust.

  • SASE definition and SASE architecture.

  • SASE requirements.

 

The Rise of SASE

The rise of SASE and Zero Trust Security Strategy. The security infrastructure and decisions must become continuous and adaptive, not static, that formed the basis of traditional security methods. Consequently, we must enable real-time decisions that balance risk, trust, and opportunity. As a result, security has beyond a simple access control list (ACL) and zone-based segmentation based on VLANs. In reality, there is no network point to act as an anchor for security.

 

Zero trust SASE
Diagram: Zero Trust SASE: Digital transformation and strategy.

 

 

Zero Trust SASE: SASE Architecture

Many current network security designs and technologies were not designed to handle all the traffic and security threats we face today. This has forced many to adopt multiple-point products to handle the different requirements. Keep in mind that for every point product, there is an architecture to deploy, a set of policies to configure, and a set of logs to analyze. I find it hard to correlate logs across multiple-point product solutions used in different domains. For example, a different team may operate the secure web gateways (SWG) to that of the virtual private network (VPN) appliances. It could be the case that these teams work in silos and are in different locations.

 

Challenges to existing networks

We have many challenges to existing networks and infrastructure that create considerable security holes and decrease security posture. In reality, several I.T. components give the entity more access than they require. We have considerable security flaws with the use of I.P. addresses as a security anchor and static locations; the virtual private networks (VPN) and demilitarized zone (DMZ) architectures used to establish access are often configured to allow excessive implicit trust.  

 

  • The issue with a DMZ

The DMZ is the neutral network between the Internet and your organization’s private network. It’s protected by a front-end firewall that limits Internet traffic to certain systems within its zone. The DMZ can have a major impact on security if not protected properly. Remote access technologies such as VPN or RDP, often located in the DMZ, have become common targets of cyberattacks. One of the main issues I see with the DMZ is that the bad actors know it’s there. It may be secured, but it’s visible.

 

  • The issue with the VPN

In basic terms, a VPN is meant to provide an encrypted server and hide your I.P. address. However, the VPN does not secure users when they land on a network segment and is based on coarse-grained access control where the user has access to entire network segments and subnets. Traditionally, once you are on a segment, there will be no intra-filtering on that segment. That means all users in that segment need the same security level and access to the same systems, but that is not always the case. 

 

  • Overly permissive network access

VPNs generally provide broad, overly permissive network access with only basic access control limits based on subnet ranges. So, the traditional VPN provides overly permissive access and security based on I.P. subnets.

 

 

Security infrastructure
Diagram: Security infrastructure: The issues.

 

SASE Architecture and Misconception of Trust 

Much of the non-zero trust security architecture is based on trust. Bad actors abuse this trust. On the other hand, examining a SASE overview includes Zero Trust Networking and remote access as one of its components can adaptively offer the appropriate trust required at the time and nothing more. It is like providing a narrow segmentation based on many contextual parameters continuously assessed for risk to ensure the user is who they are and that the entities, either internal or external to the network, are doing what they are supposed to do.

 

  • Removes excessive trust

A core feature of SASE and Zero Trust is that it removes the excessive trust once required to allow entities to connect and collaborate. Within a Zero Trust environment, our implicit trust in traditional networks is replaced with explicit identity-based trust with a default deny. With an identity-based trust solution, we are not just looking at IP addresses to determine trust levels. After all, they are just binary, either deemed as a secure private or a less trustworthy public. This assumption is where all of our problems started. They are just ones and zeros.

 

  • Zero Trust concept: Proxy for trust

To improve your security posture, it would be best to stop relying primarily on I.P. addresses and network locations as a proxy for trust. We have been doing this for decades. There is very little context to place a policy with the legacy constructs. To determine the trust of a requesting party, we need to examine multiple contextual aspects, not just I.P. addresses. And the contextual aspects are continuously assessed for security posture. This is a much better way to manage risk and allows you to look at the entire picture before deciding to enter the network or access a resource.

 

zero trust requirements
Diagram: Zero Trust requirements. Lockdown of trust and access

 

 

Challenging Environments

  • More outside than inside

The current environmental challenge is that more users, devices, applications, services, and data are located outside of an enterprise than inside. As a result, there has been a rapid rise in remote working, especially in recent times. Also, there has been an increase in the adoption of cloud-based services, particularly SaaS. These environmental changes have turned the enterprise network “inside out.”. So the traditional perimeter that we had was useless.

 

  • Multi-cloud

Also, many organizations are adopting multi-cloud. There are challenges in deploying and managing native security offerings from multiple cloud service providers. The different service providers will have different management consoles and security capabilities that do not share or integrate the policies. Although we have technologies that help with this, cloud providers are different entities. So to combat these, let’s say, evolutions in the environment, we have attempted other attempts to secure our infrastructure.

 

sase

 

 First attempt to 

Organizations have been adopting different security technologies to combat these changes to include in their security stack. Many of the security technologies are cloud-based services. Some of these services include the cloud-based secure web gateway (SWG), content delivery network [CDN], and web application firewall [WAF]. A secure web gateway (SWG) protects users from web-based threats and applies and enforces acceptable corporate use policies.  A content delivery network (CDN) refers to a geographically distributed group of servers working together to deliver Internet content quickly. A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

 

  • A key point: Data center is the center of the universe

However, even with these welcomed additions to security, the general trend was that the data center is still the center of most enterprise networks and network security architectures. Let’s face it; these designs are proving ineffective and cumbersome with the rise of cloud and mobile. Traffic patterns have changed considerably, and so has the application logic.

 

Second attempt to

The next attempt was for a converged cloud-delivered secure access service edge (SASE) to accomplish this shift in the landscape. And that is what SASE architecture does. As you know, the SASE architecture relies on multiple contextual aspects to establish and adapt trust for application-level access. It does not concern itself with large VLAN and broad-level access or believe that the data center is the center of the universe. Instead, the SASE architecture is often based on PoP, where each PoP acts as the center of the universe.

 

SASE Definition

The SASE definition, along with its components, is a transformational architecture that can combat many of these discussed challenges. A SASE solution converges networking and security services into one unified, cloud-delivered solution that includes the following core capabilities of sase.

 

From the network side of things: SASE in networking

    1. Software-defined wide area network (SD-WAN)
    2. Virtual private network (VPN)
    3. Zero Trust Network ZTN
    4. Quality of service (QoS)
    5. Software-defined perimeter (SDP)

From the security side of things: SASE capabilities in security

    1. Firewall as a service (FWaaS)
    2. Domain Name System (DNS) security
    3. Threat prevention
    4. Secure web gateways
    5. Data loss prevention (DLP)
    6. Cloud access security broker (CASB)

 

Zero Trust SASE: What the SASE architecture changes

SASE changes the focal point to the identity of the user and device. With traditional network design, we have the on-premises data center that is considered the center of the universe. With SASE, that architecture changes this to match today’s environment and moves the perimeter to the actual user, devices, or PoP with some SASE designs.  In contrast to the traditional enterprise network and security architectures where the internal data center is the focal point for access. 

 

SASE features
Diagram: SASE features

 

VPN Security Scenario 

The limitations of traditional remote access VPNs

Remote access VPNs are primarily built to allow users outside the perimeter firewall to access resources inside the perimeter firewall. As a result, they often follow a hub-and-spoke architecture with users connected by tunnels of various lengths depending on their distance from the data center. Traditional VPNs introduce a lot of complexity. For example, what do you do if you have multiple sites where users need to access applications? With this type of scenario, the cost of management would be high. 

 

Tunnel based on I.P

What’s happening here is that the tunnel creates an extension between the client device and the application location. The tunnel is based on I.P. addresses set on the client device and the remote application. Now that there is I.P. connectivity between the client and the application, the network where the application is located is extended to the client. However, the client might not be sitting in an insecure hotel room or from home. These may not be sufficiently protected, and such locations should be considered insecure. The traditional VPN has many issues to deal with. They are user-initiated, and policy often permits split-tunnel VPN where there can be no Internet or cloud traffic inspection.

 

SASE and VPN: A zero-trust VPN solution

A SASE solution encompasses VPN services and enhances the capabilities to operate in cloud-based infrastructure to route traffic. On the other hand, with SASE, the client connects to the SASE PoP, which carries out security checks and forwards the request to the application. A SASE design still allows clients to access the application, but they can only access that specific application and nothing more, like a stripped-down VLAN known as a micro-segmentation.

Clients need to pass security controls, and there is no broad-level access susceptible to lateral movements. Access control is based on an allowlist rule instead of the traditional blocklist rule. Also, other variables present in the request context are used instead of using I.P. addresses as the client identifier. As a result, the application is now the access path, not the network.

 

sase

 

ZTNA remote access

So no matter what type of VPN services you use, the SASE provides a unified cloud to connect to instead of backhauling to a VPN gateway—simplifying management and policy control. Well-established technologies such as VPN, secure web gateway, and firewall are being reviewed and reassessed in Zero Trust remote access solutions as organizations revisit approaches that have been in place for over a decade. 

 

  • A quick recommendation: SASE and SD-WAN

The value of SD-WAN is high. However, it also brings many challenges, including new security risks. In some of my consultancies, I have seen unreliable performance along with increased complexity from the need to have multiple overlays. Also, these overlays need to terminate somewhere, and this will be at a hub site. However, when SD-WAN is combined with SASE, the SD-WAN edge devices can be connected to a cloud-based infrastructure rather than the physical SD-WAN hubs. This brings the value of interconnectivity between branch sites without the complexity of deploying or managing physical Hub sites.

 

sase in networking
Diagram: SASE in networking.

 

Zero Trust SASE: Vendor considerations

SASE features converge various individual components into one connected, cloud-delivered service, making it easy to control policies and behaviours. The SASE architecture is often based on a PoP design. When examining the SASE vendor, consider the vendor’s PoP layout should be geographically diverse with worldwide entry and exit points. Also, considerations should be made regarding the vendor’s edge/physical infrastructure providers or colocation facilities. We can change your security posture, but we can’t change the speed of light and the laws of physics.

 

  • SASE capabilities and route optimizations

Consider how the SASE vendor routes traffic in their PoP fabric. There should be route optimization at each PoP. Some route optimizations are for high availability, while others are for performance. Does the vendor offer cold-potato or hot-potato routing? The cold-potato routing means bringing the end-user device into the provider’s network as soon as possible. On the other hand, “hot-potato routing” means the end user’s traffic traverses more of the public Internet.

 

The Main Zero Trust SASE Architecture Requirements List

The following is a list of considerations to review when discussing SASE with your preferred cybersecurity SASE vendor.

 

zero trust environment
Diagram: Zero trust environment

 

Zero Trust SASE requirements: Information hiding

Secure access service requires clients to be authenticated and authorized before accessing protected assets, regardless of whether the connection is inside or outside the network perimeter. Then, real-time encrypted connections are created between the requesting client and the protected asset. As a result, all SASE-protected servers and services are hidden from all unauthorized network queries and scan attempts.

 

You can’t attack what you can’t see

The base for network security started by limiting visibility – you cannot attack what you cannot see. Public and private IP addresses range from separate networks. This was the biggest mistake we ever made as I.P. addresses are just binary, whether they are deemed public or private. If a host were assigned a public address and wanted to communicate with a host with a private address, it would need to go through a network address translation (NAT) device and have a permit policy set.

 

Security based on the visibility

Network address translation is mapping an I.P. address space into another by modifying network address information in the I.P. header of packets while they are in transit across a traffic routing device. Limiting visibility this way works to a degree, but we cannot get away from the fact that a) if you have the I.P. address of someone, you can reach them, and b) if a port is open, you can potentially connect to it. Therefore, the traditional security method can open your network wide for compromise, especially when bad actors have all the tools. However, finding a port scanning tool, downloading, and running is not hard.

“Nmap,” for Network Mapper, is the most widely used port scanning tool. Nmap works by checking a network for hosts and services. Once found, the software platform sends information to those hosts and services, responding. Nmap reads and interprets the response that comes back and uses the information to create a network map.

 

sase

 

Zero Trust network security is used for information and infrastructure hiding through lightweight protocols such as a single packet authorization (SPA). No internal I.P. addresses or DNS information is shown, creating an invisible network. As a result, we have zero visibility and connectivity, only establishing connectivity after clients prove they can be trusted to allow legitimate traffic. Now we can have various protected assets hidden regardless of location: on-premise, public or private clouds, a DMZ, or a server on the internal LAN, in keeping with today’s hybrid environment.

This approach mitigates denial-of-service attacks. Anything that is internet-facing is reachable on the public Internet, therefore, susceptible to bandwidth and server denial-of-service attacks. The default-drop firewall is deployed, with no visible presence to unauthorized users. Only good packets are allowed.

 

Zero Trust SASE tools: Single packet authorization (SPA)

Single packet authorization (SPA) also allows for attack detection. If a host receives anything other than a valid SPA packet or similar construct, it views that packet as part of a threat. The first packet to a service must be a valid SPA packet or similar security construct. If it receives another type of packet, it views this as an attack, which is useful for bad packet detection. Therefore, SPA can determine an attack based on a single malicious packet, a highly effective way to detect network-based attacks. Therefore, external network and cross-domain attacks are detected.

 

single packet authorization
Diagram: Single packet authorization (spa)

 

Zero Trust SASE architecture requirements: Mutually encrypted connections

Transport Layer Security ( TLS ) is an encryption protocol that protects data when it moves between computers. When two computers send data, they agree to encrypt the information in a way they both understand. Transport layer security (TLS) was designed to provide mutual device authentication before enabling confidential communication over the public Internet. However, the common TLS configuration is the validation that ensures that the client is connected to a trusted entity. So the typical TLS adoptions are to authenticate servers to clients, not clients to servers. 

 

Mutually encrypted connections

SASE uses the full TLS standard to provide mutual, two-way cryptographic authentication. Mutual TLS provides this and goes one step further to authenticate the client. Mutual TLS connections are set up between all components in the SASE architecture. Mutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection in which both parties use X. 509 digital certificates to authenticate each other.  MTLS can help mitigate the risk of moving services to the cloud and can help prevent malicious third parties from imitating genuine apps.

Firstly, this offers robust device and user authentication as connections from unauthorized users and devices are mitigated. Secondly, forged certificates which are attacks aimed at credential theft, are disallowed. This will mitigate impersonation attacks where a bad actor can forge a certificate from a compromised certificate authority.

 

Zero Trust SASE architecture requirements: Need to know the access model

Thirdly, SASE employs a need-to-know access model. As a result, SASE permits the requesting client to view only the allowed resources appropriate to the assigned policy. Users are associated with their devices that are validated based on policy. Only connections to the specifically requested service are enabled, and no other connection is allowed to any other service. 

SASE provides additional information such as who made the connection, from what device, and to what service. All these give you full visibility into all the established connections, which is pretty hard to do if you have an IP-based solution. So now we have a contextual aspect of determining the level of risk. As a result, it makes forensics easier. The SASE architecture only accepts good packets, and any bad packets can be analyzed and tracked for forensic activities.

 

  • A key point: Device validation

Secondly, it enforces device validation which helps against threats from unauthorized devices. Not only can we examine the requesting user, we can also perform device validation. Device validation ensures that the device is running trusted hardware and used by the appropriate user. Finally, suppose a device does become compromised. In that case, there is a complete lockdown on lateral movements as a user is only allowed access to the resource it is authorized to. Or they could be placed into a sandbox zone where human approval must intervene and assess the situation.

 

Zero Trust SASE architecture requirements: Dynamic access control

This traditional type of firewall is limited in scope as it cannot express or enforce rules based on identity information which you can with zero trust identity. Attempting to model identity-centric control with the limitations of the 5-tuple, SASE can be used alongside traditional firewalls and take over the network access control enforcement that we attempt to do with traditional firewalls.

SASE deploys a dynamic firewall that starts with one rule – deny all. Then, requested communication is dynamically inserted into the firewall providing a dynamic firewall security policy instead of static configurations. Every packet hitting the firewall is inspected with, for example, a single packet authentication (SPA), then is quickly verified for a connection request. 

 

 

sase and zero trust
Diagram: Zero trust capabilities

 

  • A key point: Dynamic firewall

Once established, the firewall is closed again. Therefore the firewall is dynamically opened only for a specific period. The connections made are not seen by rogues outside the network or the user domain within the network.

Allows dynamic, membership-based enclaves that prevent network-based attacks. The SASE dynamically binds users to devices, enabling those users to access protected resources by dynamically creating and removing firewall rules. Access to protected resources is enabled by dynamically creating and removing inbound and outbound access rules. Therefore, we now have more precise access control mechanisms and considerably reduced firewall rules.

 

Zero Trust SASE architecture requirement: Micro perimeter

Traditional applications were grouped into VLANs whether they offered similar services or not. Everything on that VLAN was reachable. The VLAN was a performance construct to break up broadcast domains but was pushed into the security world, but it was never meant to be there.  Its prime use was to increase performance. However, it was used for security in what we know as traditional zone-based networking. The segments in zone-based networks are too large and often have different devices with different security levels and requirements.

 

Logical-access boundary

SASE enables this by creating a logical-access boundary encompassing a user and an application or set of applications. And that is it—nothing more and nothing less. Therefore, we have many virtual micro perimeters specific to the business instead of the traditional main inside/outside perimeter. Virtual perimeters allow you to grant access only to the specific application and not the underlying network or subnet.

 

sase and zero trust
Diagram: SASE and micro perimeters

 

 

Reduce the attack surface

The smaller micro perimeters reduce the attack surface and limit the need for excessive access to all ports and protocols or all applications. These individualized “virtual perimeters” encompass only the user, the device, and the application. They are created and are specific to the session and then closed again when the session is over or if there is a change in the risk level and the device or user needs to perform setup authentication.

 

Software-defined perimeter (SDP)

Also, SASE only grants access to the specific application at an application layer. The SDP part of SASE now controls which devices and applications can access specific services at an application level. Permitted by a policy granted by the SDP part of SASE, devices can only access specific hosts and services and cannot access network segments and subnets. Broad network access is eliminated, reducing the attack surface to an absolute minimum.  SDP provides a fully encrypted application communication path. However, the binding application permits only authorized applications, so they can only communicate through the established encrypted tunnels, thus blocking all other applications from using those tunnels.

This creates a dynamic perimeter around the application, including connected users and devices. Furthermore, it offers a narrow access path—reducing the attack surface to an absolute minimum.

 

Zero Trust SASE architecture requirement: Identity-driven access control

Traditional network solutions provide coarse-grained network segmentation based on someone’s I.P. address. However, someone’s I.P. address is not a valid hook for security and does not provide much information about user identity. SASE enables the creation of microsegmentation based on user-defined controls enabling a 1-to-1 mapping. Unlike with a VLAN, where there is the potential to see everything within that VLAN.

 

Identity-aware access

SASE provides adaptive, identity-aware, precision access for those seeking more precise access and session control to applications on-premises and in the cloud. Access policies are primarily based on user, device, and application identities. The policy is applied independent of the user’s physical location or the device’s I.P. address, except where the policy prohibits it. This brings a lot more context to policy application. Therefore if a bad actor gains access to one segment in the zone, they are prevented from compromising any other network resource within that zone.

 

sase and zero trust

Matt Conran: The Visual Age
Latest posts by Matt Conran: The Visual Age (see all)

Comments are closed.