SASE Cisco


SASE Solution

In network security, the rise of SASE (Secure Access Service Edge) has changed how organizations connect and protect their infrastructure. By combining networking and security functions into a single cloud-delivered service, SASE changes how organizations manage and protect their digital infrastructure. In this post, we explore the key components and benefits of SASE and how it is reshaping network security.

SASE, an acronym for Secure Access Service Edge, is a comprehensive framework that converges network and security services into a unified cloud-native architecture. By merging wide area networking (WAN) and network security functions, SASE enables organizations to simplify their infrastructure while enhancing security and performance. This convergence is achieved through the integration of various technologies such as SD-WAN (Software-Defined Wide Area Networking), firewall-as-a-service, secure web gateways, and more.

1. SD-WAN: SD-WAN technology lies at the heart of SASE, providing agile and scalable connectivity across geographically dispersed locations. It offers centralized management, intelligent traffic routing, and dynamic path selection, optimizing network performance and reliability.

2. Cloud-native Security: SASE leverages cloud-native security services, including firewall-as-a-service (FWaaS), secure web gateways (SWG), data loss prevention (DLP), and zero-trust network access (ZTNA). These services are delivered from the cloud, ensuring consistent and robust security across the entire network infrastructure.

3. Identity-Centric Access: SASE takes an identity-centric approach to access control, keying on the identity of the user and device rather than on network location. Applying zero-trust principles, it grants authenticated and authorized users and devices access only to the applications they are entitled to, regardless of where they connect from.

Benefits of SASE

1. Simplified Infrastructure: SASE replaces multiple point solutions by consolidating networking and security into a single cloud-based service. This simplification reduces complexity, streamlines operations, and lowers the cost of managing disparate security tools.

2. Enhanced Security: With its cloud-native security services, SASE provides advanced threat protection, real-time monitoring, and granular access control. This ensures that organizations can defend against emerging threats while maintaining compliance with industry regulations.

3. Improved Performance: SASE leverages SD-WAN technology to optimize network traffic, enabling faster and more reliable connectivity. By dynamically routing traffic based on application and network conditions, SASE minimizes latency and maximizes performance for end-users.

Conclusion: SASE has changed network security by converging networking and security services into a unified cloud-native architecture. With key components such as SD-WAN, cloud-native security, and identity-centric access, SASE offers a simpler infrastructure, stronger security, and better performance for organizations of all sizes. As the digital landscape continues to evolve, adopting SASE is one way to stay resilient against evolving threats while keeping connectivity consistent across the network.

Highlights: SASE Solution

What is SASE?

SASE, which stands for Secure Access Service Edge, is a networking architecture that combines network security and wide-area networking (WAN) capabilities into a unified cloud-based solution. It moves networking and security functions into the cloud, reducing the dependence on site-by-site hardware appliances. By converging these services, SASE offers a holistic and scalable solution that adapts to the changing demands of modern businesses.

1. Enhanced Security: SASE provides robust security measures, such as integrated firewalling, data loss prevention, and secure web gateways, to safeguard networks and data from emerging threats. Organizations can streamline their security operations and reduce complexity with a unified security framework.

2. Improved Performance: SASE optimizes network performance and minimizes latency by leveraging cloud-native infrastructure. It enables efficient traffic routing, intelligent application steering, and dynamic bandwidth allocation, ensuring a seamless user experience even in geographically dispersed environments.

3. Simplified Network Management: Traditional networking architectures often involve managing multiple vendors and complex configurations. SASE simplifies network management through centralized policy-based controls and automation, reducing administrative overhead and enhancing operational efficiency.

The Benefits of SASE

By adopting a SASE solution, businesses gain a range of benefits. Firstly, it provides secure access to applications and data from any location, enabling remote work. Additionally, SASE reduces the need for traditional hardware-based security appliances at each site, lowering cost and complexity. The centralized management and policy enforcement offered by SASE ensures consistent security across the entire network, regardless of the user’s location or device.

Understanding its key components is essential to fully grasping the power of SASE. These include secure web gateways (SWG), cloud access security brokers (CASB), firewall-as-a-service (FWaaS), data loss prevention (DLP), and zero-trust network access (ZTNA). Each element is crucial in fortifying network security while enabling seamless user connectivity.

While the benefits of SASE are enticing, organizations must approach its implementation strategically. Assessing the existing network infrastructure, defining security requirements, and selecting a reliable SASE provider are crucial first steps. A phased approach to deployment, starting with pilot projects and gradually scaling up, helps ensure a smooth transition and gets the most out of SASE.

Example Product: Cisco Meraki

#### Simplified Network Management

One of the standout features of the Cisco Meraki platform is its simplified network management. Traditional network management often involves complex configurations and constant monitoring. Cisco Meraki, on the other hand, offers a user-friendly dashboard that provides a centralized view of your entire network. This dashboard is accessible from anywhere, allowing IT administrators to manage, troubleshoot, and optimize network performance with just a few clicks. The intuitive interface reduces the learning curve, making it easier for teams to adopt and utilize the platform effectively.

#### Advanced Security Features

Security is a top priority for any organization, and Cisco Meraki covers this area well. The platform includes built-in security features such as firewalls, intrusion detection, and advanced malware protection. These features work together to protect your network from a variety of threats. Additionally, the platform supports automatic updates, so firmware and threat signatures stay current without manual intervention.

#### Scalability and Flexibility

As businesses grow, their networking needs evolve. Cisco Meraki is designed to scale with your organization. Whether you’re managing a small office or a large enterprise, the platform can accommodate your needs. Its cloud-based nature allows for easy expansion without the need for significant hardware investments. Moreover, Cisco Meraki supports a wide range of devices and applications, providing the flexibility to adapt to different environments and use cases. This scalability and flexibility make it an ideal choice for businesses of all sizes.

#### Enhanced Visibility and Analytics

Understanding network performance and user behavior is crucial for optimizing operations. Cisco Meraki provides enhanced visibility and analytics through its comprehensive reporting tools. These tools offer insights into traffic patterns, device usage, and application performance. By analyzing this data, IT teams can make informed decisions to improve network efficiency and user experience. The platform’s real-time alerts and notifications also help in proactively addressing potential issues before they impact the network.

Example Technology: Understanding Network Scanning

Network scanning examines a network to identify active hosts, open ports, and potential vulnerabilities. It provides valuable insights into the network’s structure, allowing administrators to assess possible risks and fortify their defenses accordingly.

Network scanning is a proactive measure to ensure the security and integrity of a network. By regularly conducting scans, system administrators can stay one step ahead of potential threats, identify misconfigurations, and promptly address any vulnerabilities before they are exploited.
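The following is an added example, not code from the original article: a minimal TCP connect scanner of the kind described above. It assumes the target answers plain TCP (no raw-socket privileges or packet crafting are needed for a connect scan), and, so that it runs offline, it opens a throwaway listener on 127.0.0.1 as the only known-open port to find.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP handshake completes to host:port.

    A connect() scan is the noisiest kind (the target application logs the
    connection) but needs no raw-socket privileges and no packet crafting.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:          # timeout, unreachable host, etc.
            return False


def scan_ports(host: str, ports, workers: int = 32) -> list:
    """Probe the given ports concurrently and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


class DemoListener:
    """Throwaway TCP listener on an ephemeral loopback port (demo target only)."""

    def __init__(self, host: str = "127.0.0.1"):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind((host, 0))
        self.srv.listen(5)
        self.srv.settimeout(0.2)           # lets the accept loop poll the stop flag
        self.port = self.srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:                # socket closed underneath us
                break

    def stop(self):
        self._stop.set()
        self._thread.join()                # make sure accept() has released the socket
        self.srv.close()


def demo_scan() -> dict:
    """Scan a window of ports around the demo listener and report what is open."""
    listener = DemoListener()
    try:
        window = range(max(1, listener.port - 5), min(65535, listener.port + 5) + 1)
        found = scan_ports("127.0.0.1", window)
    finally:
        listener.stop()
    return {
        "open_port": listener.port,
        "found": found,
        "open_after_stop": probe_port("127.0.0.1", listener.port),
    }


if __name__ == "__main__":
    result = demo_scan()
    print(f"listener on {result['open_port']}; scan found open: {result['found']}")
```

Only scan hosts you are authorized to test. Note that `found` may contain more than the demo port if other services happen to listen in that window on the machine running the scan, which is exactly the kind of unexpected listener a regular scan is meant to surface.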

Example SASE Technology: IPS/IDS

Understanding Suricata

Suricata is a powerful open-source network threat detection engine that combines the features of both IPS and IDS. It offers real-time traffic analysis, signature-based detection, and protocol analysis, making it a robust solution for network security. With its multi-threaded architecture and support for various rule formats, Suricata provides enhanced network visibility and threat detection capabilities.

Suricata has many features that make it a formidable defense mechanism for a network. Some of the notable ones include:

1. Intrusion Detection: Suricata continuously inspects network traffic for signs of malicious or suspicious activity. Using rules and protocol parsers, it can identify a wide range of attacks, such as DDoS attempts, SQL injection, and malware intrusions. In IDS mode it only observes the traffic (for example from a SPAN port or TAP) and cannot block anything.

2. Intrusion Prevention: Deployed inline (IPS mode, for example via NFQUEUE or AF_PACKET on Linux), Suricata can drop packets that match a rule with the drop action, stopping malicious payloads, unauthorized access attempts, and suspicious traffic patterns before they reach the host.

3. Real-time Alerting: Suricata emits an alert, typically to its EVE JSON log, as soon as a rule fires. These alerts carry the rule message, SID, 5-tuple, and often application-layer metadata, giving security teams what they need to respond and mitigate quickly and minimize the impact of an attack.
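To make the IDS/IPS distinction concrete, here is an added example (not Suricata's code, and not from the original article) of a toy rule evaluator that understands a small subset of Suricata's rule language: the header (action, protocol, addresses with CIDR and negation, port lists) and the msg, sid and content options. The `$HOME_NET`/`$EXTERNAL_NET` values, the rules and the packets are all constructed for the demo.

```python
import ipaddress
import re

# Rule header grammar: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+)(?::\s*("?)(.*?)\2)?\s*;')

# Address variables as they would be defined in suricata.yaml (assumed values).
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}


def parse_rule(text):
    """Parse one rule line into a dict; only the subset used here is kept."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    opts = {}
    for key, _quote, val in OPT_RE.findall(rule.pop("opts")):
        opts.setdefault(key, []).append(val)
    rule["msg"] = opts.get("msg", [""])[0]
    rule["sid"] = int(opts.get("sid", ["0"])[0])
    rule["content"] = [c.encode() for c in opts.get("content", [])]
    return rule


def match_addr(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not match_port(spec[1:], port)
    for item in spec.strip("[]").split(","):
        if ":" in item:                       # range such as 1024: or 6000:6010
            lo, hi = item.split(":")
            if (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535):
                return True
        elif int(item) == port:
            return True
    return False


def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and match_addr(rule["src"], pkt["src"]) and match_addr(rule["dst"], pkt["dst"])
            and match_port(rule["sport"], pkt["sport"]) and match_port(rule["dport"], pkt["dport"])
            and all(c in pkt["payload"] for c in rule["content"]))


def inspect(packets, rules, mode="ids"):
    """Run packets through the rules; return (alerts, per-packet verdicts).

    IDS mode: every match is logged and every packet is forwarded.
    IPS mode: a matching 'drop' rule also blocks the packet.
    """
    alerts, verdicts = [], []
    for i, pkt in enumerate(packets):
        verdict = "forward"
        for rule in rules:
            if not rule_matches(rule, pkt):
                continue
            if rule["action"] == "pass":      # whitelisted: stop evaluating
                break
            alerts.append((i, rule["sid"], rule["msg"]))
            if rule["action"] == "drop" and mode == "ips":
                verdict = "drop"
                break
        verdicts.append(verdict)
    return alerts, verdicts


RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Inbound SSH from outside"; sid:1000001; rev:1;)',
    'drop tcp any any -> $HOME_NET 80 (msg:"Web shell upload attempt"; content:"cmd.php"; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET [3306,5432] (msg:"Direct DB access"; sid:1000003; rev:1;)',
]]

# Constructed packets (proto, addresses, ports, payload bytes).
PACKETS = [
    dict(proto="tcp", src="198.51.100.7", sport=51000, dst="10.1.1.10", dport=22, payload=b"SSH-2.0"),
    dict(proto="tcp", src="198.51.100.7", sport=51001, dst="10.1.1.20", dport=80, payload=b"POST /upload cmd.php"),
    dict(proto="tcp", src="10.2.2.2", sport=40000, dst="10.1.1.30", dport=3306, payload=b""),
    dict(proto="tcp", src="10.2.2.2", sport=40001, dst="10.1.1.20", dport=80, payload=b"GET /index.html"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, verdicts = inspect(PACKETS, RULES, mode)
        print(mode, "alerts:", alerts, "verdicts:", verdicts)
```

Two simplifications to keep in mind: real Suricata orders rule actions by priority (pass, drop, reject, alert) rather than by file order, and it matches content against reassembled, normalized streams and protocol buffers rather than raw packet bytes.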

Critical Components of SASE Security

To understand what SASE security provides, it helps to grasp its key components: secure web gateways, cloud access security brokers, zero-trust network access, firewall-as-a-service, and data loss prevention. Each plays a part in a security framework that extends across the entire network infrastructure, from the edge to the cloud.

SASE security offers a number of benefits for organizations of all sizes. Firstly, it simplifies security management by consolidating multiple functions into a single platform, reducing complexity and streamlining operations. Secondly, it provides granular visibility and control, enabling organizations to enforce security policies consistently across all network traffic. Additionally, SASE security improves the user experience by optimizing connectivity and application performance, regardless of the user’s location.

SASE converges the networking and security pillars into a single platform, integrating multiple security functions into a cloud service that enforces a unified policy across all corporate locations, users, and data. SASE designs assume zero-trust principles.

The path to zero trust starts with identity. Network access is based on the identity of the user, the device, and the application, not on the device’s IP address or physical location. There is a good reason for this: an IP address carries no business context.

The identity of the user or device must reflect that business context instead of being tied to low-level constructs, such as addresses and VLANs, that have nothing to do with the upper layers. Binding identity to the network is the best way forward for policy enforcement.

As a result, the dependency on IP addresses or application ports as identifiers is removed. The policy is applied consistently regardless of where the user or device is located, and the identity of the user, device, or service can be factored into that policy. The SASE stack is applied dynamically based on identity and context, enforcing zero trust at strategic points in the cloud and forming an identity-centric perimeter.
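As an added illustration of the point above (example code, not from the original article and not any vendor's policy engine), the following access decision keys entirely on identity, group membership, device posture and session freshness. The source IP is carried only for logging; the posture records, the policy table and the requests are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    groups: set
    device_id: str
    app: str
    src_ip: str        # logged for forensics, but never consulted by the policy
    mfa_age_min: int   # minutes since the user last completed strong authentication


# Device posture as reported by an endpoint agent (constructed sample data).
DEVICE_POSTURE = {
    "lap-001": {"managed": True, "disk_encrypted": True, "edr_running": True},
    "byod-77": {"managed": False, "disk_encrypted": True, "edr_running": False},
}

# Per-application policy: required group, posture requirements, MFA freshness.
POLICY = {
    "hr-portal": {"group": "hr", "managed": True, "edr": True, "mfa_max_min": 60},
    "wiki": {"group": "staff", "managed": False, "edr": False, "mfa_max_min": 720},
}


def decide(req):
    """Return ("allow" | "deny", reason). The source address never enters the decision."""
    rule = POLICY.get(req.app)
    if rule is None:
        return "deny", "unknown application (default deny)"
    if rule["group"] not in req.groups:
        return "deny", f"user {req.user} not in group {rule['group']}"
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None:
        return "deny", "device not registered"
    if rule["managed"] and not posture["managed"]:
        return "deny", "managed device required"
    if rule["edr"] and not posture["edr_running"]:
        return "deny", "EDR agent not running"
    if req.mfa_age_min > rule["mfa_max_min"]:
        return "deny", "step-up authentication required"
    return "allow", "identity, posture and session freshness checks passed"


if __name__ == "__main__":
    samples = [
        Request("alice", {"staff", "hr"}, "lap-001", "hr-portal", "203.0.113.5", 10),  # from home
        Request("alice", {"staff", "hr"}, "byod-77", "hr-portal", "10.1.1.5", 10),     # on the HQ LAN
        Request("bob", {"staff"}, "byod-77", "wiki", "10.1.1.5", 300),
    ]
    for r in samples:
        print(r.user, r.device_id, r.app, r.src_ip, "->", decide(r))
```

The same user is allowed to the HR portal from a home address on a managed laptop and denied from inside the corporate LAN on an unmanaged device: location buys nothing, identity and posture decide.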

Example Product: Cisco Secure Network Analytics

Cisco Secure Network Analytics, formerly known as Stealthwatch, is a network security solution that uses machine learning and behavioral modeling to detect threats across the entire network. Unlike traditional signature-only controls, Cisco SNA provides real-time insights and analytics that help identify, contain, and respond to threats.

#### Key Features and Benefits

**1. Comprehensive Visibility:** Cisco SNA offers unparalleled visibility into network traffic, enabling you to monitor everything from data flows to user activities. This comprehensive view helps in quickly identifying anomalies and unusual patterns.

**2. Threat Detection and Response:** Utilizing machine learning algorithms, Cisco SNA can detect a wide range of threats, including malware, insider threats, and advanced persistent threats (APTs). The solution also provides actionable intelligence to respond swiftly.

**3. Scalability:** Whether you’re a small business or a global enterprise, Cisco SNA scales effortlessly to meet your network security needs. Its architecture is designed to handle vast amounts of data without compromising performance.

**4. Integration:** Cisco SNA seamlessly integrates with other Cisco security products, enhancing your overall security posture by providing a unified view of your network landscape.

#### How Cisco SNA Works

Cisco SNA uses a combination of flow data and behavioral analytics to monitor network traffic. By collecting and analyzing data from various points within the network, the solution can create a baseline of normal activity. Any deviation from this baseline triggers an alert, allowing security teams to investigate and respond to potential threats. Additionally, Cisco SNA employs machine learning to continuously improve its detection capabilities, adapting to new types of threats as they emerge.
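The baseline-and-deviation model described above, as an added example (not Cisco Secure Network Analytics code and not from the original article). It builds a per-host baseline of hourly bytes sent out of the network from NetFlow-style summaries and flags observations far above that baseline, the signal a simple exfiltration detector watches. The flow records are constructed: two hosts with steady behaviour for 48 hours, then one of them suddenly pushing 40 times its usual volume.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style hourly summaries: (hour_index, host, bytes_out)
FLOWS = []
for hour in range(48):
    FLOWS.append((hour, "10.1.1.10", 5_000_000 + (hour % 5) * 200_000))  # busy web client
    FLOWS.append((hour, "10.1.1.20", 1_000_000 + (hour % 3) * 50_000))   # quiet workstation
# Hour 48: the workstation pushes ~40x its usual volume to the outside
FLOWS.append((48, "10.1.1.10", 5_400_000))
FLOWS.append((48, "10.1.1.20", 40_000_000))


def build_baseline(flows, train_hours):
    """Per-host (mean, population std dev) of hourly bytes_out over the training window."""
    per_host = defaultdict(list)
    for hour, host, bytes_out in flows:
        if hour < train_hours:
            per_host[host].append(bytes_out)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def detect(flows, baseline, threshold=4.0, floor=100_000):
    """Flag observations more than `threshold` standard deviations above the host's mean.

    `floor` is a minimum std dev so that a near-constant host does not alert on
    trivial jitter (a zero std dev would make every change look infinite).
    Hosts with no baseline are reported too: a brand-new talker is itself a signal.
    """
    alerts = []
    for hour, host, bytes_out in flows:
        if host not in baseline:
            alerts.append((hour, host, "no baseline: new host"))
            continue
        mean, sd = baseline[host]
        z = (bytes_out - mean) / max(sd, floor)
        if z > threshold:
            alerts.append((hour, host, f"bytes_out {bytes_out} is {z:.1f} sd above mean {mean:.0f}"))
    return alerts


def run_demo(train_hours=48):
    """Train on the first `train_hours`, then score everything after them."""
    baseline = build_baseline(FLOWS, train_hours)
    recent = [f for f in FLOWS if f[0] >= train_hours]
    return baseline, detect(recent, baseline)


if __name__ == "__main__":
    baseline, alerts = run_demo()
    for host, (mean, sd) in baseline.items():
        print(f"{host}: mean={mean:.0f} sd={sd:.0f}")
    for alert in alerts:
        print("ALERT", alert)
```

In production the baseline would be per hour-of-day and per peer group rather than one global mean, and it would be recomputed on a rolling window so that slow drift in normal behaviour does not either mask or trigger alerts.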

#### Real-World Applications

**1. Financial Sector:** In the financial industry, where data breaches can result in substantial financial loss and reputational damage, Cisco SNA provides the necessary tools to safeguard sensitive information.

**2. Healthcare:** With the increasing digitization of medical records, the healthcare sector faces unique security challenges. Cisco SNA helps protect patient data and ensures compliance with regulations like HIPAA.

**3. Education:** Educational institutions often have vast, open networks that are susceptible to various cyber threats. Cisco SNA offers the visibility and control needed to secure these environments effectively.

Example Technology: Understanding Performance-Based Routing

Performance-based routing refers to the dynamic selection of network paths based on real-time performance metrics. Unlike traditional static routing, which relies on fixed paths, performance-based routing optimizes traffic flow by considering latency, bandwidth, and congestion levels. By leveraging this intelligent routing approach, organizations can enhance network performance, minimize bottlenecks, and ensure a seamless user experience.

Real-Time Monitoring: To implement performance-based routing effectively, real-time monitoring of network conditions is crucial. Organizations can make informed routing decisions and adapt to changing network conditions on the fly by continuously collecting performance metrics such as latency, jitter, and available bandwidth.

Intelligent Routing Algorithms: Routing logic is the core of performance-based routing. It weighs the measured metrics against predefined per-application policies (for example, a latency and loss SLA for voice) and selects the best compliant path. Note that standard routing protocols such as BGP (Border Gateway Protocol) and OSPF (Open Shortest Path First) select paths on static metrics and policy attributes, not on live performance; performance-based routing normally sits on top of them, in an SD-WAN controller or a feature such as Cisco Performance Routing (PfR), which probes each path and steers application traffic between the available overlays.
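The selection logic above, as an added example (not any vendor's implementation and not from the original article): each overlay path is scored from probe results, each application class has an SLA, traffic goes to the cheapest path that meets the SLA, a hysteresis margin prevents flapping between near-equal paths, and when nothing meets the SLA the least-bad path is used rather than dropping traffic. The SLA classes, path names and probe results are constructed for the demo.

```python
# SLA per application class: maximum tolerated latency/jitter (ms) and loss (%).
SLA = {
    "voice": {"latency": 150, "jitter": 30, "loss": 1.0},
    "saas": {"latency": 300, "jitter": 100, "loss": 3.0},
    "bulk": {"latency": 1000, "jitter": 500, "loss": 10.0},
}

# Constructed probe results for three overlay paths from one branch.
PROBES = {
    "mpls": {"latency": 40, "jitter": 5, "loss": 0.0},
    "inet-a": {"latency": 60, "jitter": 15, "loss": 0.2},
    "lte": {"latency": 120, "jitter": 45, "loss": 1.5},
}


def meets_sla(metrics, sla):
    """True when every measured metric is within the class's tolerance."""
    return all(metrics[k] <= sla[k] for k in ("latency", "jitter", "loss"))


def score(metrics):
    """Single comparable cost (lower is better): latency plus weighted jitter and loss."""
    return metrics["latency"] + 2 * metrics["jitter"] + 50 * metrics["loss"]


def select_path(app_class, paths, current=None, switch_margin=0.15):
    """Choose a path for app_class given {path: metrics}; returns (path, reason).

    1. Only paths meeting the class SLA are candidates, best score first.
    2. If the current path is still compliant, switch only when the best
       candidate is at least switch_margin cheaper (hysteresis against flapping).
    3. If nothing meets the SLA, use the least-bad path instead of dropping traffic.
    """
    sla = SLA[app_class]
    ranked = sorted(paths, key=lambda p: score(paths[p]))
    compliant = [p for p in ranked if meets_sla(paths[p], sla)]
    if not compliant:
        return ranked[0], "best-effort: no path meets SLA"
    best = compliant[0]
    if current in compliant and score(paths[best]) > (1 - switch_margin) * score(paths[current]):
        return current, "hold"
    return best, "sla-compliant"


def steer_all(paths, current=None):
    """Map every application class to a path (one controller decision tick)."""
    current = current or {}
    return {cls: select_path(cls, paths, current.get(cls)) for cls in SLA}


if __name__ == "__main__":
    for cls, (path, why) in steer_all(PROBES).items():
        print(f"{cls:6s} -> {path:7s} ({why})")
    degraded = dict(PROBES, mpls={"latency": 200, "jitter": 5, "loss": 0.0})
    print("voice after MPLS degrades:", select_path("voice", degraded, current="mpls"))
```

The weights in `score` and the 15% switch margin are policy knobs; in practice they are tuned per class, and a brown-out timer is usually added so a path has to fail several consecutive probes before traffic moves.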

The Role of SASE Security

In this post, we will decompose Zero Trust SASE, considering the SASE fabric and what a SASE solution entails. A SASE service consists of global PoPs, each with network and security functions built in and all operated from a single management plane. This post examines the fabric components while discussing the generic networking and security challenges that SASE overcomes, focusing on Cisco SASE.

Cisco Approach with Umbrella

Cisco SASE is often equated with Cisco Umbrella; however, Umbrella is only part of the solution. Cisco SASE includes Umbrella but also entails an architecture based on the CSP 5000, Network Function Virtualization (NFV), and a series of Virtual Network Functions (VNFs) such as virtual firewalls. We will return to Cisco SASE shortly.

Because SASE has many dependencies, an enterprise first needs to know how far along it is in cloud adoption. Whether you are public-cloud first, hybrid, multi-cloud, or on a private-cloud path affects the design of your DMZ. SASE security is largely about redesigning the DMZ to enable secure access methods.

Related: For pre-information, you may find the following posts helpful:

  1. SD-WAN SASE
  2. SASE Model
  3. Cisco Secure Firewall
  4. Ebook on SASE Capabilities

SASE Solution

SASE refers to a concept incorporating cloud-based software-defined wide area networking (SD-WAN) with a range of security services and unified management, delivering security and SD-WAN capabilities to any edge location. A prime use case for SASE is to remove the performance bottlenecks of traditional networks that rely on backhauling traffic to a central site. Further, by integrating identity, business context, and real-time risk assessment into every connection, SASE architectures promise to limit a variety of cyber-attacks.

Diagram: SASE explained. Source: Fortinet.

The DMZ: Calling a SASE Solution

First, the SASE architecture updates the DMZ, which has remained unchanged since the mid-90s. The DMZ, often called the perimeter network, is a physical or logical subnetwork whose sole purpose is to expose an organization’s external-facing services to untrusted networks.

The DMZ adds a layer of security so that potentially insecure external networks can only access what is exposed in the DMZ. At the same time, the rest of the organization’s network is protected by a security stack.

As a result, the DMZ is considered a small, isolated network portion and, if configured correctly, will give you extra time to detect and address breaches, malware, and other types of attacks before they further penetrate the internal networks. 

The critical factor here is that it is a layer that, at best, gives you additional time before a breach reaches the internal network. The central pain point with the current DMZ architecture is that the bad actor knows it is there and can see it, unless you opt for zero-trust techniques such as single packet authorization (SPA), which keeps services dark until the client has authenticated. This post will examine how SASE can secure and update the DMZ to align with the current trends discussed here.

SASE security and SD-WAN

This is similar to updating the WAN edge with SD-WAN to optimize performance per application with SD-WAN overlays. Both SASE and SD-WAN are updating what we might call the last hardware bastions in your infrastructure: SD-WAN the WAN edge, SASE the DMZ.

The DMZ remains a vital segment, but securing it takes more than a perimeter firewall with port-based rules and a known traffic flow. It also needs good visibility, the ability to detect an attack and respond appropriately, and a quick reaction time, which is achievable only with secure automation.

A perfect DMZ: SASE Solution

These new DMZ designs need to be open. They must expose APIs and use open standards, such as YANG data models (carried over NETCONF or RESTCONF as XML or JSON), so that various network and security devices, physical, virtual, and hybrid, can be driven through a secure API. Not only does the design need to be open, but it also needs to be extensible and repeatable, so that new functionality can be added and removed as the architecture evolves and reacts to changing business objectives.

SASE also needs to scale up and down, out and in, with little or no disruption to existing services. It should be able to scale without adding physical appliances, as physical devices can only scale so far. The SASE solution needs Network Function Virtualization ( NFV ) with a series of Virtual Network Functions (VNFs) chained together. Cisco CSP 5000 can be used here, and we will discuss it briefly.

You want to avoid dealing with each device’s CLI. The new SASE fabric needs to be fully programmable, with every functional element of the architecture driven through an API.

Those APIs must not just read data but also change behavior, such as network device configuration, so you will need an orchestrator. For example, Ansible Tower (now the automation controller in Red Hat Ansible Automation Platform) can push the intended configuration to the virtual network functions and detect and correct configuration drift among them. It provides end-to-end team automation with features such as workflow templates and integration into CI/CD pipelines.

Example: What is IPSec VTI? 

IPSec VTI is a virtual interface that simplifies the configuration of IPSec tunnels. Unlike traditional IPSec configurations that rely on static and complex policies, VTI abstracts these complexities, allowing for a more straightforward, interface-based approach. This makes it easier to manage and scale secure communications across various network environments.

**Benefits of Using IPSec VTI**

One of the primary advantages of using IPSec VTI is its simplicity. By treating the IPSec tunnel as a virtual interface, network administrators can apply routing policies and other configurations in a manner similar to physical interfaces. This streamlines the process of integrating IPSec into existing network architectures. Additionally, VTI supports dynamic routing protocols, such as OSPF and BGP, enhancing the flexibility and scalability of secure network designs.

**Setting Up IPSec VTI**

Setting up an IPSec VTI involves a few straightforward steps. First, you need to create a virtual tunnel interface on your network device. Next, configure the IPSec policies to secure the traffic passing through the VTI. Finally, apply the necessary routing configurations to ensure that traffic is directed through the tunnel. Most modern network devices, including those from Cisco, Juniper, and other leading vendors, offer comprehensive support for IPSec VTI, making the setup process even more intuitive.

SASE Security and SDN

Network segmentation is essential to separate control-plane and data-plane traffic: the control plane configures the devices, and the data plane forwards the traffic. Separating the two is key to scalability and performance. To manage SASE security, you will need to employ software-defined networking principles. The SDN controller is not in the forwarding path; it only sets up the data plane. The data plane should keep operating even if the control plane fails, and the control plane itself can be clustered to reduce the chance of failure.

Standard Data Center Design

There will be the consumers of services. So, they can be customers, remote users, partners, and branch sites. These consumers will have to access applications which are hosted in the network or cloud domain. So, the consumers will typically have to connect to a WAN edge for applications hosted in the network. On the other hand, if consumers want to connect to cloud-based applications, they can go directly to, let’s say, IaaS or the more common SaaS-based applications. Again, this is because access to cloud-based applications does not go via the WAN edge.

For consumers to access network applications not hosted in the cloud, as discussed, they are met with the WAN edge. Traffic will need to traverse the WAN edge to get to the application, which will have another layer of network and security functionality deeper in the network.

At the network’s edge, we have many different types of network and security functionality. So, we will have standard routers, a WAN optimization controller, Firewalls, Email Gateways, Flow collectors, and other types of probes to collect traffic.

Then there is the switching fabric. The days of the three-tier data center architecture are gone; switching fabrics that need IP forwarding to scale are built on a spine-leaf architecture, for example Cisco ACI, which has good Multi-Pod and Multi-Site capabilities.

Deeper still is the application tier, with applications hosted for internal users and for the Internet. Each has its own security, forward proxies, and load balancers. All of these are physically wired into the fabric and have limited capacity.

In a global data center design, sites commonly connect over MPLS, which provides the global WAN. Each data center connects to the MPLS network and is usually grouped by region, such as EMEA or AMERICAS, giving a distributed network of MPLS label-switched paths. Segment Routing can also provide this global WAN and improves traffic engineering.

Some common trends have challenged parts of this design. Many of them have called for a new network area, the SASE fabric, commonly hosted in a CNF or colocation facility that already has the physical connectivity and circuits in place.

Common Trends: SASE Architecture

In a cloud-centric world, users and devices require access to services everywhere. These services are now commonly migrated to SaaS and IaaS-based clouds. So we have an app migration from “dedicated” private to “shared” public cloud. These applications became easy to change based on a microservices design. The growth was rapid, and now you must secure workloads in a multi-tenant environment.

Identity is the new perimeter.

As a result, the focal point has changed considerably. Now, it is the identity of the user and device, along with other entities around the connection group, as opposed to the traditional model focusing solely on the data center. Identity then becomes the new perimeter. 

Another major trend is that capacity requirements and bandwidth for public clouds doubled. Now that applications are hosted in the cloud, we also need to make changes on the fly to match the agility of the cloud.

When migrating these applications, we must rapidly upgrade internet-facing firewalling, for example, due to remote user access demands. Also, security teams demand IPS/AMP appliance insertions. In a cloud environment, it’s up to you to secure your workloads, and you need the same security levels in the cloud as you would on-premises.

These apps are no longer in our data center, so we need to ensure that migrated applications keep the same security policy when they are housed in AWS or Azure. That means more services in the current infrastructure, and therefore more wiring and configuration. What is the impact on an extensive global network? If a distributed application runs in several regions and you want to open a port, that change has to be made and monitored in many places and by many teams.

Internal data center applications are becoming less important than those that run in public clouds. More apps are in the cloud, and the data center is no longer the prime focal point. The data center will always be retained, but its connectivity and design will change with the introduction of a SASE solution.

SASE Security

Many common problems come with this new landscape. Separate appliances for the networking and security stacks, not to mention the failover requirements between them, saddle us with high complexity and overhead.

Legacy network and security functions located in the DMZ increase latency. Even with service chaining, the latency grows and becomes harder to troubleshoot. In addition, most traffic is now encrypted and needs to be inspected without degrading application performance.

These challenges are compelling reasons to leverage a cloud-delivered SASE solution. The SASE architecture is a global fabric consisting of a tailored network for application types typically located in the cloud: SASE optimizes where it makes the most sense for the user, device, and application – at geographically dispersed PoPs. Many will connect directly to a colocation facility that can hold the SASE architecture.

The significant architectural change is that consumers, remote users, customers, branches, and partners now connect to the WAN edge, the Internet, or IaaS via a colocation facility. Circuits migrate from the data center to selected central hubs and colocation sites.

The old DC will become another application provider connecting to the colocation. Before addressing what this collocation looks like, we will address the benefits of redefining the network and security architecture. Yes, adopting SASE reduces complexity and overhead, improves security, and increases application performance, but what does that mean practically?

Problems with complexity/overhead/processing/hardware-based solutions

Traditional mechanisms are limited by the hardware capacity of the physical appliances at the customer’s site and the lag created for hardware refresh rates needed to add new functionality. Hardware-based network and security solutions build the differentiator of the offering into the hardware. With different hardware, you can accelerate the services and add new features.

Some features are available on specific hardware, not the hardware you already have on-site. In this case, the customer will need to do the heavy lifting. In addition, as the environment evolves, we should not depend on the new network and security features from the new appliance generation. This inefficient and complex model creates high operational overhead and management complexity.

Device upgrades for new features require significant management. From experience, changing out a line card, because it ran out of ports or because you need features from a new generation, involves multiple teams. It means project planning, on-site engineers, design guides, ideally line card testing, and out-of-hours work. For critical sites, team members may need to be backed up to ensure a successful refresh. Many touches need to be managed.

SASE architecture overcomes tight coupling/hardware-based solutions.

The cloud-based SASE enables updates for new features and functionality without requiring new deployments of physical appliances. A physical appliance will still need to be deployed, but it can host many virtual networks and security functions, which has an immediate effect on ease of management.

Network and security deployment can now occur without ever touching the enterprise network, allowing enterprises to adopt new capabilities quickly. Once the tight coupling between the features and the customer appliance is removed, we have increased agility and simplicity for deploying network and security services.

Cisco SASE: Virtualization of Network Functions

With a Cisco SASE platform, when we create an object, such as the virtualization of Network Functions. The policy in the networking domain is then available in other domains, such as security. Network function virtualization, where we de-couple software from hardware, is familiar.

This is often linked to automation and orchestration, where we focus on simplifying the architecture, particularly for Layer 4 to Layer 7 services. Virtual machine hosting has enabled the evolution of a variety of virtualized workloads. The virtualization of network and security functions allows you to scale up, down, in and out at speed and scale without embedding the service in hardware.

Let’s say you have an ASAv5 as a virtual appliance. This virtual appliance has, for example, one core. If you want more cores, you can scale up to an ASAv50, which supports eight cores. So we can scale up and down. However, what if you want to scale out?

Here, we can add more cloud service providers and ASAv instances to scale out virtual firewalls with equal-cost multipath load balancing. You do not want to buy a physical appliance that will only ever do one function. The days of multiple physical point solutions are ending as SASE gains momentum. Instead, you want your data center to scale when capacity demands it, without physical limitations.

For Example, Cisco SASE Architecture.

NFV network services can be deployed and managed much more flexibly because they can be implemented in a virtualized environment using x86 computing resources instead of purpose-built dedicated hardware appliances. The CSP 5000 Series can help you make this technology transition.

In addition, with NFV, the Cisco SASE open approach allows other vendors to submit their Virtual Network Functions (VNF) for certifications to help ensure compatibility with Cisco NFV platforms.

This central location is a PoP that could be a Cloud Services Platform that could provide the virtualized host. For example, the Cloud Services Platform CSP-5000 could host CSR, FTD, F5, AVI networks, ASAv, or KVM-based services. These network and security functions represent the virtual network appliances that consist of virtual machines. 

Cisco SASE and the CSP 5000

Within the Cisco SASE design, the CSP 5000 Series can be deployed within data centers, regional hubs, colocation centers, the WAN edge, the DMZ, and even at a service provider’s Point of Presence (PoP), hosting various Cisco and third-party VNFs. We want to install the CSP at a PoP, specifically in a colocation facility. If you examine the block diagram of the CSP-5000, you will see that Cisco SASE has taken a very open ecosystem approach to NFV, such as Open vSwitch.

It uses Single Root I/O Virtualization (SR-IOV) and an Open vSwitch Data Plane Development Kit (OVS-DPDK). The optimized data plane provides near-line rates for SR-IOV-enabled VNFs and high throughput with OVS DPDK interfaces.

The CSP has a few networking options. First, Open vSwitch (OVS) is the software Layer 2 switch for the CSP-5000, so the CSP’s internal software switch bridges the virtual firewall to the load balancer and to the ToR switches. You can also use SR-IOV in Virtual Ethernet Bridge (VEB) mode, which performs better. As a third option, there is SR-IOV in Virtual Ethernet Port Aggregator (VEPA) mode.

Cisco SASE Security Policies 

With the flexible design Cisco SASE offers, any policies assigned to users are tied to that user regardless of network location. This removes the complexity of managing network and security policies across multiple locations, users, and devices. But, again, all of this can be done from one platform.

SASE architecture overcomes the complexity and heavy lifting/scale.

I remember planning next year’s security budget at a previous consultancy. The network was packed with numerous security solutions. All these point solutions are expensive, and there is never a fixed price, so how do you plan for this? Some new solutions we were considering charged on usage models, and we did not have the usage quantities at that time. So the costs keep adding up and up.

SASE removes these types of headaches. In addition, consolidating services into a single provider reduces the number of vendors and agents/clients on the end-user device. So we can still have different vendors operating in a SASE fabric, but they are now VNFs on a single appliance.

Overall, substantial complexity savings come from consolidating vendors and technology stacks and pushing them to the cloud, away from the on-premises enterprise network. The SASE fabric abstracts the complexity and reduces costs. In addition, from a hardware point of view, the cloud-based SASE can add more PoPs of the same instance for scale and additional capacity, known as vertical scaling, and add PoPs in new locations, known as horizontal scaling.

SASE overcomes intensive processing.

Additionally, the SASE-based cloud takes care of intensive processing. For example, as much internet traffic is now encrypted, malware can use encryption to evade and hide from detection.

Here, each PoP can perform deep packet dynamics on TLS-encrypted traffic. You may not need to decrypt to understand the payload fully; partial decryption and examining payload patterns to identify malicious activity may be enough. The SASE vendor needs to have some Deep Packet Dynamics technology.

Traditional firewalls are not capable of inspecting encrypted traffic, so performing DPI on TLS-encrypted traffic would require extra modules or a new appliance. A SASE solution performs the decryption and inspection at the PoP, so there are no performance hits and no new devices are needed at the customer sites. This can be done with Deep Packet Dynamics technologies.
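As an added illustration of reading TLS traffic without decrypting it (example code written for this post, not Cisco’s Deep Packet Dynamics implementation): the ClientHello travels in the clear, so a PoP can extract the server name (SNI), the offered cipher suites and the version and apply policy to them before any payload is encrypted. The record is constructed in-script, and the weak-suite list is a hypothetical policy choice using IANA suite codes.

```python
import struct

WEAK_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

def build_client_hello(sni, suites):
    """Constructed minimal TLS 1.2 ClientHello record; SNI extension omitted if sni is None."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry            # server_name_list
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst      # extension type 0 = server_name
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                 # client_version, random, empty session_id
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00"                                     # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello       # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def parse_client_hello(rec):
    """Read version, offered cipher suites and SNI from the cleartext ClientHello."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                      # record header (5) + hs type (1) + hs length (3)
    version = rec[p:p + 2].hex(); p += 2 + 32                  # client_version, random
    p += 1 + rec[p]                                            # session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                                            # compression_methods
    ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    sni = None
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        if etype == 0x0000:                                    # list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", rec[p + 3:p + 5])[0]
            sni = rec[p + 5:p + 5 + name_len].decode()
        p += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

def assess(hello):
    """Findings a PoP can raise from handshake metadata alone, without decrypting anything."""
    findings = []
    if hello["sni"] is None:
        findings.append("no SNI: destination cannot be matched by name")
    weak = [WEAK_SUITES[s] for s in hello["cipher_suites"] if s in WEAK_SUITES]
    if weak:
        findings.append("offers weak cipher suites: " + ", ".join(weak))
    return findings
```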

Problems with packet drops/latency

Network congestion resulting in dropped and out-of-order packets is bad for applications. Latency-sensitive applications such as collaboration, video, VoIP, and web conferencing are hit hardest by packet drops. Luckily, there are options to minimize latency and the effects of packet loss.

SD-WAN solutions have WAN optimization features that can be applied on an application-by-application or site-by-site basis. Along with WAN optimization features, there are protocol and application acceleration techniques.

In addition to existing techniques to reduce packet loss and latency, we can privatize the WAN as much as possible. To control the adverse and varying effects the last mile and middle mile have on applications, we can privatize with a private global backbone consisting of a fabric of PoPs.

Once privatized, we have more control over traffic paths, packet loss, and latency. A private network fabric is a crucial benefit of SASE, as it drives application performance. So we can inspect east-west and north-south traffic.

Traffic engineering and performance improvement are easy since we have a centralized fabric consisting of many hubs and spokes. When you centralize some of the architecture into a centralized fabric, it is easier to make traffic adjustments globally. The central hub will probably be a colocation facility and can be only one hop away, so the architecture will be simpler and easier to implement.

PoP optimization: routing algorithms and TCP proxy.

Each PoP in the SASE cloud-based solution optimizes where it makes the most sense, not just at the WAN edge. For example, within the SASE fabric, we have global route optimizations to determine which path is best and can be changed for all traffic or specific applications.

These routing algorithms factor in performance metrics such as latency, packet loss, and jitter, selecting the optimal route for every network packet. Unlike internet routing, which favors cost over performance, the WAN backbone constantly analyzes the paths and tries to improve performance.
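To make the route selection concrete, here is an added example (written for this post, not Cisco’s algorithm) that runs Dijkstra over a small PoP fabric with a composite cost of latency, loss and jitter, and shows how a per-application weight profile changes the chosen path. The PoP names, link measurements and profile weights are all constructed.

```python
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    latency_ms: float
    loss: float       # fraction of packets lost (0.02 = 2%)
    jitter_ms: float

# Constructed measurements for a small fabric of PoPs; links are bidirectional.
FABRIC = {
    ("lon", "fra"): Link(15, 0.000, 1),
    ("lon", "nyc"): Link(75, 0.001, 3),
    ("fra", "nyc"): Link(90, 0.000, 1),
    ("nyc", "sjc"): Link(65, 0.020, 12),   # congested, lossy direct link
    ("nyc", "dfw"): Link(40, 0.000, 2),
    ("dfw", "sjc"): Link(45, 0.001, 2),
}

# Hypothetical per-application weights: what each class of traffic cares about.
PROFILES = {
    "bulk": {"latency_ms": 1.0, "loss": 100.0, "jitter_ms": 0.0},
    "voip": {"latency_ms": 1.0, "loss": 5000.0, "jitter_ms": 10.0},
}

def link_cost(link: Link, profile: dict) -> float:
    """Composite cost: weighted sum of latency, loss and jitter."""
    return (profile["latency_ms"] * link.latency_ms
            + profile["loss"] * link.loss
            + profile["jitter_ms"] * link.jitter_ms)

def best_path(src: str, dst: str, app: str):
    """Dijkstra over the fabric using the application's composite link cost.
    Returns (total_cost, [pop, ...]); (inf, []) if dst is unreachable."""
    profile = PROFILES[app]
    adj: dict = {}
    for (a, b), link in FABRIC.items():
        adj.setdefault(a, []).append((b, link))
        adj.setdefault(b, []).append((a, link))
    best = {src: 0.0}
    heap = [(0.0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if cost > best[node]:
            continue                     # stale heap entry
        for nxt, link in adj.get(node, []):
            c = cost + link_cost(link, profile)
            if c < best.get(nxt, float("inf")):
                best[nxt] = c
                heapq.heappush(heap, (c, nxt, path + [nxt]))
    return float("inf"), []
```

Bulk traffic accepts the lossy direct link into sjc, while the VoIP profile routes around it via dfw.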

Increasing The TCP Window Size

As everything is privatized, we have all the information needed to use the largest packet size and rate-based congestion control algorithms rather than traditional loss-based algorithms. As a result, there is nothing to learn about the path, and throughput can be maintained end-to-end. As each PoP acts as a TCP proxy server, techniques are employed so that the TCP client and server behave as if they were closer together. Therefore, a larger TCP window is set, allowing more data to be sent before waiting for an acknowledgment.
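The following added example (not from the post or Cisco) works the window and loss arithmetic behind that claim: a session is bounded by window/RTT and, for loss-based congestion control, by the Mathis bound (MSS/RTT)·(C/√p); terminating TCP at PoP proxies splits the path into legs that each see a shorter RTT and lower loss. The RTT, loss and window figures are assumed for the scenario.

```python
import math

MSS = 1460  # bytes per segment, typical for Ethernet paths

def window_bound_bps(window_bytes: int, rtt_ms: float) -> float:
    """Throughput ceiling from the window alone: one window per RTT."""
    return window_bytes * 8 / (rtt_ms / 1000.0)

def mathis_bound_bps(rtt_ms: float, loss: float, mss: int = MSS, c: float = 1.22) -> float:
    """Mathis et al. steady-state bound for loss-based congestion control:
    rate ~= (MSS / RTT) * (C / sqrt(p)). Zero loss gives no bound from this term."""
    if loss <= 0:
        return float("inf")
    return (mss * 8 / (rtt_ms / 1000.0)) * (c / math.sqrt(loss))

def window_for_rate(rate_bps: float, rtt_ms: float) -> float:
    """Bandwidth-delay product: the window (bytes) needed to sustain rate_bps."""
    return rate_bps / 8 * (rtt_ms / 1000.0)

def session_bound_bps(segments, window_bytes: int) -> float:
    """segments: list of (rtt_ms, loss) per TCP leg. With PoP proxies terminating
    TCP, each leg runs its own control loop over its own RTT and loss, and the
    session is limited by the slowest leg."""
    return min(min(window_bound_bps(window_bytes, rtt), mathis_bound_bps(rtt, p))
               for rtt, p in segments)

# Constructed scenario (assumed numbers): one end-to-end session over the
# internet vs. the same endpoints split into three legs by two PoP proxies.
DIRECT = [(160.0, 0.001)]                                   # 160 ms RTT, 0.1% loss
SPLIT = [(10.0, 0.0005), (130.0, 0.00001), (10.0, 0.0005)]  # last mile, backbone, last mile
DEFAULT_WINDOW = 64 * 1024                                   # 64 KiB, no window scaling

def compare(window_bytes: int = DEFAULT_WINDOW) -> dict:
    """Throughput bound (bit/s) for the direct and the proxied session."""
    return {"direct": session_bound_bps(DIRECT, window_bytes),
            "split": session_bound_bps(SPLIT, window_bytes)}

if __name__ == "__main__":
    for w in (DEFAULT_WINDOW, 1 << 20):
        r = compare(w)
        print(f"window {w // 1024} KiB: direct {r['direct'] / 1e6:.1f} Mbit/s, "
              f"split {r['split'] / 1e6:.1f} Mbit/s")
```

With the default 64 KiB window the proxied session is window-limited on the backbone leg; raising the window lifts it to tens of Mbit/s, while the direct session stays stuck near 2.8 Mbit/s because its loss rate, not its window, is the binding constraint.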

Example Technology: TCP Performance Parameters

Example Product: Cisco Secure Workload

**Understanding Cisco Secure Workload**

Cisco Secure Workload, previously known as Cisco Tetration, is a workload protection platform that provides unparalleled visibility and security for your applications. It monitors and protects your workloads across on-premises, cloud, and hybrid environments. By leveraging advanced analytics and machine learning, Cisco Secure Workload identifies and mitigates threats before they can cause significant damage.

**Key Features of Cisco Secure Workload**

One of the standout features of Cisco Secure Workload is its ability to provide comprehensive visibility into your entire IT environment. This visibility is crucial for identifying potential vulnerabilities and ensuring compliance with security policies. Key features include:

1. **Micro-Segmentation**: Allows for granular control of network traffic, limiting the spread of threats within your environment.

2. **Behavioral Analysis**: Utilizes machine learning to detect abnormal behavior that could indicate a security breach.

3. **Automated Policy Enforcement**: Ensures that security policies are consistently applied across all workloads, reducing the risk of human error.

4. **Application Dependency Mapping**: Provides a clear understanding of how applications interact, helping to identify potential points of vulnerability.

**Benefits of Implementing Cisco Secure Workload**

The implementation of Cisco Secure Workload brings numerous benefits to an organization, including:

1. **Enhanced Security Posture**: By providing comprehensive visibility and control, Cisco Secure Workload significantly improves your overall security posture.

2. **Reduced Risk**: Automated detection and response capabilities help to reduce the risk of security breaches.

3. **Operational Efficiency**: With automated policy enforcement and advanced analytics, your IT team can focus on more strategic tasks rather than manual security management.

4. **Scalability**: Cisco Secure Workload is designed to scale with your business, ensuring consistent security as your organization grows.

**Implementation Strategies**

Implementing Cisco Secure Workload requires careful planning and execution. Here are some strategies to ensure a smooth deployment:

1. **Assessment and Planning**: Conduct a thorough assessment of your current IT environment to identify potential vulnerabilities and areas for improvement.

2. **Pilot Deployment**: Start with a pilot deployment to test the platform’s capabilities and identify any potential issues before a full-scale rollout.

3. **Training and Education**: Ensure that your IT team is well-trained on the features and functionalities of Cisco Secure Workload.

4. **Continuous Monitoring and Improvement**: Regularly monitor the performance of Cisco Secure Workload and make necessary adjustments to optimize its effectiveness.

Summary: SASE Solution

In today’s rapidly evolving technological landscape, traditional networking approaches are struggling to keep up with the demands of modern connectivity. Enter SASE (Secure Access Service Edge), a solution that combines network and security capabilities into a unified cloud-based architecture. In this blog post, we explored the key features and benefits of SASE and delved into how it is shaping the future of networking.

Understanding SASE

SASE, pronounced “sassy,” represents a paradigm shift in networking. It converges wide-area networking (WAN) and network security services into a single, cloud-native solution. By integrating these traditionally disparate functions, organizations can simplify network management, improve security, and enhance overall performance. SASE embodies the principles of simplicity, scalability, and flexibility, all while delivering a superior user experience.

The Power of Cloud-native Architecture

At the core of SASE lies its cloud-native architecture. By leveraging the scalability and agility of the cloud, organizations can dynamically scale their network and security resources based on demand. This elasticity eliminates the need for costly infrastructure investments and allows businesses to adapt quickly to changing network requirements. With SASE, organizations can embrace the benefits of a cloud-first approach without compromising on security or performance.

Enhanced Security and Zero Trust

One of the key advantages of SASE is its inherent security capabilities. SASE leverages a Zero Trust model, which means that every user and device is treated as potentially untrusted, regardless of their location or network connection. By enforcing granular access controls, strong authentication mechanisms, and comprehensive threat detection, SASE ensures that only authorized users can access critical resources. This approach significantly reduces the attack surface, mitigates data breaches, and enhances overall security posture.

Simplified Network Management

Traditional networking architectures often involve complex configurations and multiple point solutions, leading to a fragmented and challenging management experience. SASE streamlines network management by centralizing control and policy enforcement through a unified console. This centralized approach simplifies troubleshooting, reduces administrative overhead, and enables organizations to maintain a consistent network experience across their distributed environments.

Conclusion:

As the digital landscape continues to evolve, embracing innovative networking solutions like SASE becomes imperative for organizations seeking to stay ahead of the curve. By consolidating network and security functions into a unified cloud-native architecture, SASE provides simplicity, scalability, and enhanced security. As businesses continue to adopt cloud-based applications and remote work becomes the norm, SASE is poised to revolutionize the way we connect, collaborate, and secure our networks.

Matt Conran: The Visual Age