Providing Out-of-Band Connectivity to Mission-Critical IT Resources

Zero touch provisioning: 3 drawbacks you need to know

It’s Friday morning, and you’re bringing a new site online with zero touch provisioning. Your remote branch devices arrived the night before, and all you want the store manager to do is plug them in. A few minutes later, your job is finished and you’ve still got your entire day left. What are you going to do with all your free time?

This is the picture that’s commonly painted of zero touch provisioning. And why not? When compared to manual provisioning, zero touch brings drastic improvements and efficiency to deploying networks. Its biggest benefits include:

  • Helping you deploy sites fast, because it’s a plug ‘n play solution
  • Reducing manual work and errors, because it’s automatic
  • Supporting on-demand scaling without bogging down your resources

With zero touch, you don’t have to be on site for days or weeks manually configuring individual devices. You also shrink the risk of human error that can unwind all your deployment progress and force you to start over. And when it comes to scaling, it eliminates so many of the shipping costs and technician expenses, and instead lets you spin up new sites in a single day.

So what’s the problem with zero touch provisioning?

The trouble with zero touch provisioning is that it usually comes with hidden obstacles that vendors don’t tell you about. Zero touch promises to make deployments quick and easy, but these obstacles can eat up your time savings and make you vulnerable to attacks.

Here are 3 big drawbacks you need to know about zero touch provisioning.

Drawback: Zero touch provisioning is limited to one vendor

Imagine you’re on location setting up a plethora of devices from different vendors. You plug in your zero touch solution, but you still have to manually configure three other vendor devices that make up your stack. This is the first major drawback to zero touch provisioning.

For the most part, zero touch is limited to one vendor’s solutions and doesn’t extend to devices or solutions from other providers. This is usually done to encourage you to buy multiple solutions from, or standardize on, a single vendor.

Why is this a drawback? This is just another approach to vendor lock-in. It limits your freedom when trying to leverage zero touch provisioning, which can be a major drawback especially in custom, multi-vendor environments. When you’re choosing a zero touch solution, consider how much of your stack it can actually automate and how much time you’ll still have to spend on manual provisioning.

Drawback: Zero touch provisioning isn’t secure

What happens if you set up your site with zero touch provisioning, only to discover that your network is already under attack? You wonder how it could have happened, but then you remember all of the preconfiguring required to make zero touch possible. This is another major drawback.

Most solutions do live up to the promise of being ‘zero touch,’ but only after you’ve performed extensive preconfiguring of your devices. This is a major security concern because you’re loading up your stack with sensitive information about your network. Recent reports show that ransomware claimed a victim every 10 seconds in 2020.

Why is this a drawback? With your network attack surface more distributed now, especially during the pandemic, it’s critical to minimize your exposure to threats. But having to preconfigure your devices for zero touch provisioning makes it easier for you to become a victim. Even if you can keep careful watch over your devices to ensure no physical attacks occur, hackers can easily exploit your systems through something like an open port that one of your employees forgot to close. In a nutshell, preconfiguring puts you at unnecessary risk.

Drawback: Zero touch provisioning limits orchestration

The ultimate goal of using zero touch provisioning is to add convenience to deployments and management. You want to save time and effort all around by eliminating manual work. But another major drawback to zero touch is that it puts a limit on how much and how many of your processes you can orchestrate.

Automation handles individual, simple tasks, while orchestration automates entire processes and workloads. Most zero touch solutions let you implement a little of both, but limit or simply lack support for orchestrating across devices and environments.

Why is this a drawback? The more manual work you have to perform, the less value you get out of zero touch provisioning. And most solutions require you to manually bootstrap VMs, activate service licenses, run Docker apps, and even update device firmware as new patches are released. Though zero touch might save you time and effort on initial setup, consider how these savings might evaporate in the long run.

Can you avoid these drawbacks?

Imagine you’re setting up a new network. Your environment is tailored specifically to your needs, which includes a custom-built monitoring application, Palo Alto NGFW, data thinning workloads, and a host of other solutions meant to optimize operations. And the best part is, you don’t have to worry about vendor lock-in, security gaps, or limited orchestration. All you need to do is plug in your devices, and the entire environment will build itself in just a matter of hours. Everything just works so you don’t have to.

That is what true zero touch provisioning feels like, and it’s something we’re passionate about at ZPE Systems. That’s why we’ve spent years building zero touch convenience features into our Nodegrid solutions. You don’t have to put up with these major drawbacks any longer.

Nodegrid’s zero touch provisioning extends across vendor solutions, even to devices that don’t support automation. This means that you can automate and push configurations to whatever you connect to Nodegrid — including legacy switches, routers, and other equipment.

Nodegrid’s zero touch provisioning also eliminates the need to preconfigure devices. ZPE Cloud serves as your repository for configuration files and allows you to remotely push these files to 100% factory-default devices. Physical attacks no longer pose a threat, while built-in security features and alerts automatically block and pinpoint attacks.

Because Nodegrid OS is Linux-based, it gives you the freedom to orchestrate across devices and environments, with a rich API library and your choice of tools like Ansible, Chef, Puppet, and REST. You can save time and effort on deployments and ongoing management. This means that you can implement a zero touch provisioning solution that automatically spins up VMs, deploys Docker containers, activates service licenses and configures service chaining, updates firmware, and carries out any number of workloads you need.

Get free resources to help you deploy zero touch provisioning

When you’re choosing a zero touch solution, carefully consider how these drawbacks will impact your deployment and management efforts. To help you, download The Definitive Guide to Zero Touch Provisioning, and when you’re ready to implement your solution, use our 4-Step Checklist for Setting Up Zero Touch Provisioning.

For regular updates to help you streamline enterprise networking, sign up for our newsletter using the form below.

Understanding Key SASE Components & Benefits

SASE—secure access service edge—combines SD-WAN technology with network security functionality into a single cloud-native solution. SASE uses SD-WAN’s intelligent routing to connect remote and branch users directly to cloud services, improving network and application performance for end-users. It pairs that networking layer with security features like CASB, FWaaS, and ZTNA to provide a secure and scalable network architecture.

Outstanding, right? Still, there’s one unanswered question: what are all these key SASE components, and how do they work? In this article, we will dive deeper into the key SASE components and benefits.

The four key SASE components and benefits

SASE combines SD-WAN networking with advanced security functionality, including cloud access security brokers, firewall as a service, and zero trust network access. Let’s examine each of these features in detail.

1. SD-WAN: Intelligent routing of your WAN traffic

Software-defined wide area network, or SD-WAN, is the critical component of SASE’s networking stack. SD-WAN is a virtualized service that securely and intelligently routes traffic across the WAN. This gives your users a secure and reliable connection to enterprise and cloud-based applications from anywhere in the world.

In a traditional WAN, all remote traffic—even traffic destined for the cloud—gets backhauled to a firewall in a hub or headquarters data center. This causes bottlenecks and delays, impacting network and application performance. 

SD-WAN solves this problem using intelligent and application-aware routing to directly and securely connect remote and branch office users to your cloud and software as a service (SaaS) resources. This increases the performance of both your enterprise and cloud applications and improves the end-user experience.

SD-WAN works by separating the control and management processes from the underlying WAN hardware, making them available as software—that’s why it’s called software-defined WAN. If you’ve already implemented an SD-WAN architecture, you can layer SASE’s security stack on top of your SD-WAN backbone. However, SASE simplifies the security aspects of SD-WAN management, so some organizations prefer to implement them simultaneously.

That’s because, in a typical SD-WAN architecture, you still need to install security appliances and solutions at each branch office and data center to keep that traffic secure. SASE takes SD-WAN functionality and rolls it up with network security features into one unified solution, saving you the time and money of deploying security controls at each remote site. Let’s take a deeper look at SASE’s network security functionality.

2. CASB: Extending your security to the cloud

Cloud access security brokers, or CASBs, are software gatekeepers that sit between your on-premises infrastructure and your cloud-based infrastructure and services. A CASB ensures that network traffic between your enterprise network and your cloud provider complies with your organizational security policies. 

CASBs typically include the following five components:

  • User and Entity Behavior Analytics (UEBA): a CASB uses UEBA to detect unusual behavioral patterns and enforce security policies on traffic between your enterprise and the cloud.
  • Cloud Application Discovery: a CASB inventories the cloud applications in use across your enterprise, including unsanctioned services that users adopted without IT approval.
  • Data Loss Prevention (DLP): CASBs prevent the exfiltration of sensitive and proprietary data according to your data governance policies.
  • Adaptive Access Control: a CASB analyzes the context of access requests to determine risk, looking at factors such as user location and the time/date of the request.
  • Malware Detection: CASBs use firewall technology to identify and block malware from entering the enterprise network.

A cloud access security broker provides cross-platform security policy management and enforcement from one control panel. When CASB functionality is combined with SASE’s other network security features, you gain even more control over your cloud and edge network security.
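
Of the five CASB functions above, data loss prevention is the one most easily shown in code. The following Python is an added example written for this article, not code from the page or from any CASB product. It scans an outbound payload for two constructed patterns (a US SSN-shaped string, and 13 to 19 digit runs that pass the Luhn checksum) and applies a small governance policy; the patterns, sample payloads, policy thresholds and function names (`scan`, `decide`) are all made up for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed detector patterns; a production DLP ruleset is far larger and tuned per policy.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass(frozen=True)
class Finding:
    kind: str        # "ssn" or "card"
    redacted: str    # value with all but the last four digits masked, safe to log


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so an alert never carries the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(payload: str) -> list[Finding]:
    """Find sensitive values in an outbound payload (e.g. a file upload or form post)."""
    findings = []
    for m in SSN_RE.finditer(payload):
        findings.append(Finding("ssn", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                      # drops order numbers of card-like length
            findings.append(Finding("card", mask(digits)))
    return findings


# Constructed governance policy: how many findings of each kind an upload may carry.
POLICY = {"ssn": 0, "card": 0}


def decide(payload: str, policy: dict = POLICY) -> str:
    """'allow' or 'block' an outbound payload according to the governance policy."""
    counts: dict[str, int] = {}
    for f in scan(payload):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    for kind, n in counts.items():
        if n > policy.get(kind, 0):
            return "block"
    return "allow"
```

The Luhn check is what separates a card number from an order number of the same length, which is where naive regex-only DLP generates most of its false positives; masking all but the last four digits keeps the finding useful to an analyst without copying the sensitive value into a log.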

3. FWaaS: Unlimited scaling of advanced firewall functionality

Firewall as a service, or FWaaS, is pretty much exactly what it sounds like—a firewall solution delivered as a cloud-based service. FWaaS provides next-generation firewall capabilities such as web filtering, advanced threat protection (ATP), domain name system (DNS) security, and intrusion prevention. Since FWaaS is cloud-based, you can quickly and easily scale it up as your network edge expands to include new branch offices and cloud infrastructure.

In addition to typical stateful firewall features like packet filtering, network monitoring, and IP mapping, FWaaS also uses deep packet inspection (DPI) to identify malware and other threats. DPI analyzes the information contained in the header of each data packet and the content of the packet itself to determine whether the packet is malicious. 

FWaaS also uses machine-learning tools to analyze network traffic for abnormal behavior, which means it can detect novel and zero-day threats that have never been encountered before. This improves upon traditional signature-based threat detection that relies on a database of previously-encountered threats to determine whether to block a connection.
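
To make the header-versus-payload distinction concrete, here is an added Python example, not code from the article or from any FWaaS product. It constructs a minimal IPv4/TCP packet (checksums left at zero), parses the headers, matches the payload against a constructed signature list, and contrasts that with a simple baseline-deviation check over constructed per-minute connection counts, standing in for the behavioural analysis the article attributes to machine learning. All addresses, ports, signatures, counts and function names are assumptions made for the illustration.

```python
import struct
from statistics import mean, pstdev

# Constructed signature list: illustrative byte patterns, not real IDS rules.
SIGNATURES = {
    b"/etc/passwd": "path-traversal-probe",
    b"UNION SELECT": "sql-injection-probe",
}
# Header-only policy: destination ports flagged on sight (constructed policy).
FLAGGED_DST_PORTS = {23: "cleartext-telnet"}


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet for testing; checksums are left at zero."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535, checksum/urgent 0
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Decode the IPv4 and TCP headers and return the fields DPI rules look at."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "payload": packet[ihl + data_off:total_len],
    }


def inspect(packet: bytes) -> list[str]:
    """Stateless DPI: header rules first, then payload signature matching."""
    f = parse_ipv4_tcp(packet)
    verdicts = []
    if f["dport"] in FLAGGED_DST_PORTS:
        verdicts.append(FLAGGED_DST_PORTS[f["dport"]])
    for needle, label in SIGNATURES.items():
        if needle in f["payload"]:
            verdicts.append(label)
    return verdicts


def anomalous_minutes(counts: list[int], baseline: int = 10, threshold: float = 3.0) -> list[int]:
    """Flag sample indices that deviate more than `threshold` standard deviations
    from the first `baseline` samples. A deliberately simple stand-in for the
    behavioural models the article describes: it needs no signature for the
    spike it catches."""
    base = counts[:baseline]
    mu, sigma = mean(base), pstdev(base) or 1.0
    return [i for i, c in enumerate(counts) if abs(c - mu) / sigma > threshold]
```

The signature path can only ever flag what is already in `SIGNATURES`; the baseline path flags the spike in the eleventh minute without knowing anything about it, which is the trade the article describes between signature-based and behavioural detection.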

Since FWaaS is a cloud-based service, your provider is responsible for maintaining and upgrading the hardware infrastructure needed to power your solution. This gives you the freedom to scale up your services on-demand without worrying about provisioning new hardware. For example, FWaaS solutions are typically highly customizable, meaning you can add or subtract some security features as your business requirements change. You can also add new data centers, branch offices, and cloud services to your FWaaS solution with the click of a button.

Essentially, firewall as a service provides all the functionality of a next-generation firewall, without the hassle of deploying and managing any hardware. Plus, all of these features are contained within a single unified control panel, which is why FWaaS integrates so well with SASE architectures.

4. ZTNA: Remote access without sacrificing security

Zero trust network access, or ZTNA, is a cloud-based service that applies the principles of zero trust security (“never trust, always verify”) to your remote traffic. Whenever a remote user, device, application, or service attempts to access a resource within your enterprise or cloud infrastructure, ZTNA verifies their identity and gives them only the specific access they need to perform their function. This enables you to provide remote users a reliable connection to enterprise and cloud resources without sacrificing the security of your network.

Traditionally, remote users connect to enterprise networks using a VPN, which creates a secure tunnel to your LAN. Once a remote user authenticates with your VPN, they gain full access to all the resources on your LAN that they’d have if they were on premises. ZTNA, by comparison, only grants access to the specific applications, services, or resources that the remote user needs to complete their task.

ZTNA prevents remote users from seeing any network resources they haven’t been permitted to access. This decreases your attack surface if a hacker uses a compromised account to access your network remotely. The damage done by such an attack will be limited to the few systems they were granted access to during their remote ZTNA session.

Like CASB, ZTNA can also use context-based access control policies to determine the active risk of allowing a remote user or device to connect. For example, you can implement location-based policies that prevent remote devices from accessing your network if they leave a specific geographic area. Or, you could create device-specific policies that require remote devices to upgrade to a particular firmware or OS version to patch vulnerabilities before they can connect.

ZTNA replaces VPNs by giving your remote users access to the enterprise and cloud resources they need while keeping them isolated from your main LAN. Zero trust network access, cloud access security brokers, and firewall as a service are the key components of the SASE security stack, though individual SASE solutions and offerings may use additional or varying technologies as well.
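
The adaptive access control listed under CASB and the context-based ZTNA policies described in this section are the same idea: evaluate identity plus request context, then grant one application rather than the LAN. The Python below is an added example, not code from the article or from any ZTNA product. Its entitlements, minimum OS version, allowed countries and business hours are constructed policy data, and `decide`, `visible_apps` and `vpn_style_access` are hypothetical names chosen for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # directory groups the identity provider asserts
    os_version: tuple          # device posture, e.g. (14, 2)
    country: str               # geolocation of the device
    hour_utc: int              # time of the request
    app: str                   # the single application being requested


# Constructed policy data for the example; a real deployment reads this from the
# identity provider and the ZTNA controller.
APP_ENTITLEMENTS = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering", "sales"},
    "git": {"engineering"},
}
MIN_OS_VERSION = (14, 0)            # devices below this must patch before connecting
ALLOWED_COUNTRIES = {"US", "CA"}    # location-based policy
BUSINESS_HOURS = range(6, 22)       # requests outside this window trigger step-up auth


def risk_factors(req: AccessRequest) -> list[str]:
    """Context checks a CASB or ZTNA broker evaluates on every request."""
    reasons = []
    if req.os_version < MIN_OS_VERSION:
        reasons.append("device-unpatched")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("outside-allowed-region")
    if req.hour_utc not in BUSINESS_HOURS:
        reasons.append("off-hours")
    return reasons


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ('allow' | 'step-up' | 'deny', reasons) for exactly one application."""
    if not APP_ENTITLEMENTS.get(req.app, set()) & req.groups:
        return "deny", ["no-entitlement"]
    reasons = risk_factors(req)
    hard_fail = {"device-unpatched", "outside-allowed-region"}
    if hard_fail & set(reasons):
        return "deny", reasons
    if reasons:
        return "step-up", reasons      # e.g. require MFA before granting
    return "allow", []


def visible_apps(req: AccessRequest) -> set:
    """ZTNA: the user can only see the applications their groups are entitled to."""
    return {app for app, groups in APP_ENTITLEMENTS.items() if groups & req.groups}


def vpn_style_access(authenticated: bool) -> set:
    """Contrast: a traditional VPN exposes every LAN resource after one login."""
    return set(APP_ENTITLEMENTS) if authenticated else set()
```

The entitlement check runs before the context checks so that a compromised account is denied on entitlement alone, and `visible_apps` is what limits the blast radius the article describes: a finance account that is phished still cannot see `git`.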

Implementing the key SASE components for your enterprise

SASE combines SD-WAN and network security into one solution that you can manage from a single pane of glass. In addition to SD-WAN, SASE’s key components include cloud access security broker (CASB), firewall as a service (FWaaS), and zero trust network access (ZTNA). Together, this cloud-based functionality gives you greater control over your network, improves your overall network security, and enables easy scaling so your SASE solution can grow with your business.

Putting these key SASE components to work for your enterprise requires a robust and flexible branch edge security and management solution like Nodegrid. ZPE Systems’ Nodegrid is a vendor-neutral platform of hardware and software tools that support SASE deployment and management, including console servers for remote out of band management and zero touch provisioning to automate device setup and configuration.

Learn more about how Nodegrid can help your enterprise put these key SASE components to work.

Schedule a free demo or get in touch with ZPE Systems today.

Contact Us

Out-of-Band Network Management: Fundamental Principles & Use Cases

Out-of-band network management gives enterprises secure and remote access to critical network infrastructure, even during outages and service interruptions. It separates your production network from your management plane, allowing you to remotely troubleshoot, monitor, and administer your infrastructure without relying on a LAN or ISP connection.

Let’s take a closer look at the fundamental principles of out-of-band network management, its use cases, and their benefits.

Out-of-band network management fundamental principles

Out-of-band (OOB) network management provides a secure, remote connection to your network that’s available during outages, breaches, and other service disruptions. It does this using a network that’s specifically dedicated to infrastructure management and is completely independent of your primary network. OOB uses serial console servers to create an alternate path to critical network devices with a separate management plane, typically using a 4G LTE cellular connection to provide you with uninterrupted access to your network.

You implement out-of-band network management by deploying these serial console servers at every office, remote branch, data center, and other physical site. By physically connecting your OOB serial consoles to critical network devices like routers, switches, and servers, you ensure engineers and administrators can always reach those devices, even when they have no working IP connectivity. That means your management plane is always available, even if your ISP connection goes down.

OOB network management provides higher-level remote access and control capabilities for multiple devices from one pane of glass. If your primary network experiences an outage, you can use OOB to reboot routers, troubleshoot connection problems, or perform device health checks. 

The best part is that you can access your out-of-band serial console servers from anywhere in the world – so your team can respond to issues at remote sites just as quickly as at your main office.

Out-of-band network management use cases and benefits

The ability to remotely manage your infrastructure from a dedicated network presents many business advantages. Let’s examine some out-of-band network management use cases and benefits in greater detail.

Remote troubleshooting

Imagine getting a phone call at 3 a.m. because a remote site on the other side of the country has gone dark, and nobody knows why. This scenario is every network engineer’s nightmare for a good reason—in the past, you’d have to pack a bag and hop on a plane just to get any sort of visibility on the infrastructure and what the problem might be. The cost of an outage like this, both in travel expenses and the hours of business downtime, can be devastating. For example, in a recent Information Technology Intelligence Consulting survey, four in ten enterprise organizations said an hour of downtime now costs their firms from $1 million to over $5 million. Now imagine how many hours it would take just to fly to your remote site to get eyes on the problem.

  • Benefits of out-of-band network management in this scenario

With out-of-band network management, this exact scenario is much easier to manage. As soon as your branch office goes dark, you can use your OOB management solution to connect and begin troubleshooting in a matter of minutes. Using the figure above, three hours of downtime while your technician travels to your remote site could cost up to $15 million. With OOB management, you could potentially avoid those hours of travel and downtime, saving your business a lot of money.

If your enterprise has many remote sites spread out over a wide geographical area, out-of-band network management can simplify remote infrastructure troubleshooting and support. Rather than hiring a technician for each region or paying to fly out your engineers every time there’s an issue, your team can fully support all your remote sites from a centralized location.

Remote infrastructure management

Without any sort of unified infrastructure management, engineers must work with many different devices and interfaces. Needing to learn and configure so many systems and constantly hop from machine to machine and interface to interface increases the potential for mistakes. According to ITIC, misconfigurations and other human errors are the top cause of unplanned downtime, so it’s critical to look for ways to simplify infrastructure management and reduce staff mistakes.

  • Benefits of out-of-band network management in this scenario

Out-of-band network management isn’t just for outages—it’s a dedicated network you can use to manage all your critical infrastructure from one unified tool. OOB allows you to monitor, manage, and manipulate servers and appliances remotely. You can check event logs, monitor temperature, and even remotely control the keyboard and mouse to manage server operating systems. In addition, OOB network management consoles can automate some commands and functions, further simplifying your infrastructure management.

Data center admins and service providers need to manage a huge amount and variety of network infrastructure, so a unified out-of-band solution can help them realize many benefits. Using OOB to monitor and manage servers and appliances remotely, engineers can control multiple facilities from one central console, saving time and reducing the number of staff required at each location.

Network isolation and security

With in-band network management, all your administration and management ports are connected to the production network. If an attacker breaches your production network, they could use those ports to access more sensitive parts of your infrastructure. Plus, if your production network goes down, so does your management network. With out-of-band network management, all your administration functions are on an entirely independent network, separating user and management traffic. In the event of a breach, engineers can use their OOB console to isolate parts of the network, restrict access, and secure the management plane.
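
One check that follows directly from the in-band versus out-of-band contrast above is whether management services are bound only to the dedicated management network. The Python below is an added example, not from the article or from Nodegrid: it reads constructed listener lines in the style of `ss -lntH` output and flags SSH, admin HTTPS, NETCONF and VNC console listeners that are reachable from production subnets or from all interfaces. The subnets, port list, sample lines and function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed policy: the dedicated OOB management subnet and the production subnets.
OOB_MGMT_NET = ipaddress.ip_network("10.255.0.0/24")
PRODUCTION_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
# TCP services that belong on the management plane only.
MGMT_PORTS = {22: "ssh", 443: "admin-https", 830: "netconf", 5900: "vnc-console"}

# Matches one line of `ss -lntH` style output: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

# Constructed sample output for a branch appliance (not captured from a real host).
SAMPLE_LISTENERS = [
    "LISTEN 0 128 10.255.0.12:22 0.0.0.0:*",      # sshd bound to the OOB management address
    "LISTEN 0 128 0.0.0.0:443 0.0.0.0:*",         # admin web UI on every interface
    "LISTEN 0 64 192.0.2.10:5900 0.0.0.0:*",      # remote console reachable from production
    "LISTEN 0 511 192.0.2.10:8080 0.0.0.0:*",     # application port, not a management service
]


def parse_listener(line: str):
    """Return (local_address, port) for one ss line, or None if it is not a listener."""
    m = SS_LINE.match(line.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def exposure(host: str, port: int):
    """Classify where a management listener is reachable from; None if not a mgmt port."""
    if port not in MGMT_PORTS:
        return None
    if host in ("0.0.0.0", "*", "[::]"):
        return "all-interfaces"
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr in OOB_MGMT_NET:
        return "oob-only"
    if any(addr in net for net in PRODUCTION_NETS):
        return "production"
    return "other"


def audit(lines) -> list[dict]:
    """Return one finding per management service that is reachable in-band."""
    findings = []
    for line in lines:
        parsed = parse_listener(line)
        if parsed is None:
            continue
        host, port = parsed
        exp = exposure(host, port)
        if exp not in (None, "oob-only"):
            findings.append({"service": MGMT_PORTS[port], "bind": f"{host}:{port}", "exposure": exp})
    return findings
```

Run against real `ss` output, the two findings in the sample are exactly the administration ports the paragraph above warns about: an attacker on the production network can reach them, and they disappear together with the production network during an outage.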

Another security pain point addressed by OOB network management is keeping colocation infrastructure protected while still ensuring adequate visibility. Often, physical access to colocation hardware is restricted for security purposes, so if there’s an outage or breach, you may not be able to get visibility on the problem.

  • Benefits of out-of-band network management in this scenario

With out-of-band network management, you can remotely access and manage your colocation infrastructure even when the ISP connection is down. This allows you to fully control your hardware and remediate issues quickly without compromising facility security.

Network security should be on every enterprise’s priority list right now. Cyberattacks are common and can be economically disastrous—according to a recent IBM study, the average cost of a data breach is $3.86 million. Investing in an out-of-band network solution that allows you to isolate your production network from your management plane and gain visibility on physically secure devices could prevent such a breach from occurring and save you money in the long run.

The right out-of-band network management solution

Out-of-band network management provides numerous benefits to any organization seeking to improve its remote infrastructure management capabilities. Using OOB, you can remotely troubleshoot network issues from anywhere in the world, even if the primary ISP is down. OOB solutions also simplify remote infrastructure management by providing a unified control panel to monitor, manage, and manipulate all your servers and appliances. 

Finally, you can improve your network security by segregating all device management from your production network while still maintaining remote and colocation hardware. All of this is possible with a unified out-of-band network management solution, like ZPE Systems’ Nodegrid.

Nodegrid is a complete out-of-band network management solution that offers you total network control from any location.

To learn more about how ZPE Systems can help you streamline your remote infrastructure management, contact us online or call 1-844-4ZPE-SYS.

Contact Us

ZPE Systems announces Nodegrid Data Lake, app marketplace, and sensors to help organizations uncover valuable data for edge operations

Fremont, CA, August 10, 2021 – ZPE Systems launches a new applications marketplace, along with a portfolio of USB-type environmental sensors, meant to help organizations leverage valuable data generated by their IT components. As networks and users become more distributed, it’s imperative that organizations uncover hidden data to optimize availability and user experiences. Nodegrid sensors allow organizations to collect critical data points, for deep insights into their infrastructures, systems, and security logs, among other categories.

Enterprises in telco, content delivery, manufacturing, and other industries can benefit from Nodegrid Data Lake. This application gathers previously uncollected data points to give network admins and engineers visibility into key performance indicators (KPIs). Nodegrid Data Lake helps inspect and visualize data points for:

  • Infrastructure components, such as power, cooling, relay, dry contact
  • Environmental conditions, such as temperature, humidity, air flow
  • System utilization, such as disk usage, processes, memory
  • User experience applications, such as Office365, Zoom, point of sale
  • Security, such as system logs, data logs, GPS data
  • Networking, such as data traffic, application profiling, antenna/tower traffic
  • Previously hidden server and switch logs from IPMI and RS232 serial console

Gartner considers Nodegrid Data Lake a killer app, as it’s indispensable to maximizing business continuity and avoiding downtime.

ZPE Cloud’s additional applications help enterprises and resellers gain further insights and convenience. These applications include:

  • Extended Storage — Save time with centralized file management and add disk space via the cloud
  • Generic Forwarder — Secure distributed users with software-defined perimeter gateways on-prem or cloud-delivered
  • Reports — Drive smart decision making with comprehensive reports on device availability and other metrics
  • Palo Alto Prisma Access — Easily manage Palo Alto security solutions using centralized access
  • ZPE Cloud mobile — Never lose sight of network performance using the ZPE Cloud mobile app, available free on App Store and Google Play

These applications begin an extended product roadmap designed to optimize the configuration, access, and management capabilities offered via ZPE Cloud.

ZPE Systems also launches USB-type environmental sensors, to help ensure optimal utilization of critical physical infrastructure components. These sensors can be managed independently via Nodegrid devices, or via Nodegrid Data Lake for complex event processing. Nodegrid sensors support alert triggers and tracking, and integrate seamlessly with ZPE Cloud’s management interface. Available sensors include:

  • Temperature and humidity
  • Airflow and temperature
  • Smoke
  • Particulate
  • GPIO
  • Relay
  • Proximity
  • Beacon (no alarm)
  • Beacon (with alarm)
  • Door lock with RFID tag

“IT staff struggle with downtime, yet their infrastructure generates so much valuable data that goes to waste,” says Arnaldo Zimmermann, CEO and Cofounder of ZPE Systems. “Our apps and sensors help capture this information. They can use it to prevent device failures, adjust cooling systems, or pinpoint why their Zoom app is suddenly lagging, for example.”

Nodegrid Data Lake and ZPE Cloud apps are now available. Get a free 90-day trial by visiting the ZPE Cloud Apps page.

Nodegrid sensors are also available. Learn more on the Nodegrid Environmental Sensors page.

About ZPE Systems, Inc.

ZPE Systems frees enterprises from today’s networking challenges.

Nodegrid’s Intel-based serial consoles & modular services routers deliver power to datacenter & branch applications, while the Linux-based Nodegrid OS replaces vendor lock-in with limitless flexibility. With ZPE Cloud for fast & secure provisioning, this platform streamlines networking using virtualization, prevents downtime using automation, and offers convenience via remote management capabilities.

ZPE collaborates with best-in-class technology partners, to add value by integrating with SD-WAN, firewall, IoT, and other solutions. The world’s top companies trust ZPE Systems to provide advanced out-of-band management, Secure Access Service Edge (SASE) platforms, and SD-Branch networking.

ZPE Systems is based in Fremont, California with offices worldwide. Visit the ZPE Systems website at www.zpesystems.com.

The SASE Model: Key Use Cases & Benefits

Secure access service edge (SASE) is the recommended architecture for security and connectivity. SASE combines wide area network (WAN) technology, as a robust on-ramp to the cloud, with network security services in one cloud-delivered connectivity and security software stack. This allows enterprises to connect geographically diverse workforces securely while reducing network latency and performance issues.

Though SASE is a relatively new concept, it’s taking the IT world by storm, partially due to the pandemic forcing companies to adopt or improve their remote work capabilities. In addition, SASE addresses the security challenges of using WAN and SD-WAN (software-defined wide area network) technology for remote and branch office (ROBO) network management. 

Let’s examine two essential SASE model use cases and discuss the benefits of integrating SASE into your enterprise network management and security strategy.

SASE model key use cases and benefits

SASE offers numerous benefits for remote and branch office security, performance, and network management, which may be why Gartner predicts that at least 40% of enterprises will have explicit plans for SASE adoption by 2024. Consider these use cases as you decide whether adopting the SASE model aligns with your business goals and network management and security requirements.

SASE use case #1: Replacing VPNs for remote work

The need to pivot to a remote workforce in 2020 drove many organizations to prioritize SASE adoption. Enterprises have traditionally used VPNs (virtual private networks) to handle a limited volume of work-from-home traffic, but scaling a VPN solution up with enough licenses and VPN concentrators to meet the demand of an entirely remote workforce can be far more expensive.

Additionally, not all VPN services include centralized remote management to deploy, monitor, and manage remote connections. This could be a minor issue if you only have a handful of remote employees at any given time, but a substantial logistical challenge when your entire workforce must suddenly pivot to work from home. 

If you were relying on a VPN solution for all remote work, you likely found yourself overwhelmed by the need to deploy and troubleshoot hundreds or thousands of new VPN client installations, keep those connections secure without crippling your network performance, and ensure that all your enterprise and cloud applications were tested and supported for VPN access.

SASE model benefits of replacing VPNs for remote work

SASE implementations can solve a lot of these remote work challenges. Instead of creating an encrypted tunnel between each remote workstation and your primary network, like a VPN, SASE connects remote users to nearby points of presence (PoPs) to access enterprise applications and resources in the cloud or the data center. 

All traffic to and from a PoP is encrypted, with other security technologies—such as secure web gateways (SWGs), remote browser isolation, and cloud firewalls—layered to monitor and protect system use. SASE provides additional security by using cloud access security brokers (CASBs) to apply enterprise access control policies to resources outside of the data center, such as Software as a Service (SaaS) tools or other cloud applications.

Despite these robust security controls, SASE still reduces network latency and improves application performance for remote workers compared to a VPN. Instead of relying on a limited number of VPN gateways to handle all your remote traffic, SASE uses a wide network of PoPs to connect remote users to the services and applications they need. 

If a remote user needs to access a cloud application, a PoP can connect them directly to that service, bypassing your data centers and reducing the load on your network. In addition, many SASE providers house their PoPs in the same facilities as major SaaS providers—Microsoft 365 and Salesforce, for example—optimizing the routing paths to these applications and improving performance for remote workers.

IT teams may find SASE easier to manage than VPNs as well. One of SASE’s big selling points for engineers and security teams is reduced network complexity: SASE seeks to replace the physical and virtual VPN appliances you use for remote traffic with a single cloud-native solution. Another main advantage is the end-user experience, since traffic reaches its destination directly instead of tromboning (hairpinning) through the data center, where it would compete for bandwidth and incur additional latency.

This also reduces the amount of time and resources spent on updates and patching, device maintenance, and configuration management for your VPN appliances and other remote and branch network infrastructure. SASE also provides one centralized management platform to control identity management and security policies for the entire enterprise and monitor and manage remote network traffic.

Replacing VPNs with SASE for your remote workforce improves the security of your remote traffic and systems, reduces network latency, increases SaaS and cloud application performance, and simplifies remote network and security management.

SASE use case #2: Optimizing SD-WAN security and performance

Many enterprises have already jumped from VPN and traditional WAN technology to SD-WAN (software-defined wide area networks). SD-WAN improves upon WAN technology, often using existing public and private WAN connections as a backbone or underlay network, to connect remote workers and branch offices to enterprise services and applications.

SD-WAN separates the control and management processes from the underlying WAN hardware and makes those functions available as software (hence the name “software-defined” WAN). This virtualized overlay network creates a private, encrypted WAN to connect branch locations, prioritize and route ROBO traffic, and manage and monitor network performance.

SD-WAN does present some security challenges, however. An SD-WAN implementation requires the use of firewalls, intrusion prevention, and web filtering at each branch office, which could mean installing and configuring hundreds or thousands of security appliances. Cyberattacks are becoming a more significant threat each year, reportedly costing businesses up to $4 billion in 2020, so many enterprises are looking to a security-centric solution like SASE to protect their network edge. SASE essentially combines SD-WAN functionality with network security features and bundles them together as a single solution.

SASE model benefits of optimizing SD-WAN security and performance

SASE allows teams to manage both SD-WAN traffic and security from a single pane of glass. SASE solutions roll up security features like CASB, firewall as a service (FWaaS), and zero trust network access (ZTNA) into a single cloud-native service to prevent, detect and mitigate network attacks without the need to deploy multiple security appliances and solutions for all your branch sites. 

For existing SD-WAN implementations, you can layer SASE’s network security features into the WAN appliances at each branch office to provide next generation firewall, intrusion protection, analytics, and unified threat management functionality without purchasing new infrastructure. This means you can manage the security of all your branch locations without needing to install firewalls and other security appliances at each site, reducing network complexity by combining SD-WAN and security into one centrally managed solution.

Plus, since the SASE model connects remote and branch users to SaaS and cloud applications via PoPs, you won’t need to backhaul branch office traffic through your primary network’s firewall. This means your external-to-external traffic (from branch sites to cloud services and vice versa) bypasses your primary network entirely, reducing bottlenecks and delays and improving network and application performance.

You can use SASE to integrate cloud-based security functionality like CASB, FWaaS, and ZTNA with your existing SD-WAN infrastructure, or you can use SASE’s combined security and SD-WAN service stack to upgrade a traditional WAN architecture. Either way, you’ll reduce network complexity and provide a centralized solution for managing ROBO network traffic and security, all while reducing network bottlenecks and application performance issues.

Take complete advantage of all SASE model benefits

Two of the biggest use cases driving enterprises to adopt SASE include the recent pivot to a remote, home-based workforce and the need to improve the security and management of WAN and SD-WAN technology for branch offices.

The SASE model combines SD-WAN technology with network security features in a unified, cloud-native service stack, providing enterprises with many benefits, including increased security, improved application and network performance, and simplified management for remote and branch office connections.

To realize a SASE architecture, organizations need a robust and extensible branch edge device that can serve as the ‘Access’ on-ramp to the cloud-delivered ‘Secure Service Edge’ (SSE).

ZPE Systems’ Nodegrid family of hardware and software is a modular, vendor-neutral solution that provides innovative features such as 4G/LTE failover to maintain business continuity, remote out-of-band management (OOBM) for greater device visibility, and zero touch provisioning (ZTP) to automate deployment. Our SR family can also serve as the on-ramp to SSE vendors such as Zscaler, Netskope, Acreto, or similar. Contact us for a deep-dive video demo of our solution providing the Access on-ramp for SSE to flexibly realize the SASE architecture.

ZPE Systems’ Nodegrid platform is a comprehensive branch networking solution that supports a complete SASE model.

To learn more about how Nodegrid’s built-in automation and ROBO management features can streamline your SASE deployment, get in touch with ZPE Systems today.
