SASE—secure access service edge—combines SD-WAN technology with network security functionality into a single cloud-native solution. SASE uses SD-WAN’s intelligent routing to connect remote and branch users directly to cloud services, improving network and application performance for end users. It pairs that routing with security features such as CASB, FWaaS, and ZTNA to provide a secure and scalable network architecture.
Outstanding, right? Still, there’s one unanswered question: what are all these key SASE components, and how do they work? In this article, we dive deeper into the key SASE components and their benefits.
The four key SASE components and benefits
SASE combines SD-WAN networking with advanced security functionality, including cloud access security brokers, firewall as a service, and zero trust network access. Let’s examine each of these features in detail.
1. SD-WAN: Intelligent routing of your WAN traffic
Software-defined wide area network, or SD-WAN, is the critical component of SASE’s networking stack. SD-WAN is a virtualized service that securely and intelligently routes traffic across the WAN. This gives your users a secure and reliable connection to enterprise and cloud-based applications from anywhere in the world.
In a traditional WAN, all remote traffic—even traffic destined for the cloud—gets backhauled to a firewall in a hub or headquarters data center. This causes bottlenecks and delays, impacting network and application performance.
SD-WAN solves this problem using intelligent and application-aware routing to directly and securely connect remote and branch office users to your cloud and software as a service (SaaS) resources. This increases the performance of both your enterprise and cloud applications and improves the end-user experience.
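To make “application-aware routing” concrete, here is an added example (not code from the original article or from any SD-WAN vendor) of the path-selection step an SD-WAN controller performs: each flow is classified into an application class, each class carries an SLA, and the controller picks the cheapest WAN link whose measured latency and loss currently satisfy that SLA, falling back to best effort when none does. The link names, SLA thresholds, the port-based classifier and the measured metrics are all constructed for illustration.

```python
# Added example (not from the original article or any vendor product):
# an application-aware path selection routine of the kind an SD-WAN
# controller runs. Link names, SLA thresholds, the port-based classifier
# and the measured metrics are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    latency_ms: float  # measured round-trip latency on this WAN link
    loss_pct: float    # measured packet loss on this WAN link
    cost: int          # preference when several links meet the SLA (lower wins)


# Assumed per-application SLA: the worst latency and loss the app tolerates.
SLA = {
    "voip": {"latency_ms": 150, "loss_pct": 1.0},
    "saas": {"latency_ms": 300, "loss_pct": 2.0},
    "bulk": {"latency_ms": 1000, "loss_pct": 5.0},
}


def classify(dst_port: int, proto: str) -> str:
    """Toy application classifier keyed on transport protocol and port."""
    if proto == "udp" and 16384 <= dst_port <= 32767:
        return "voip"   # RTP media range
    if proto == "tcp" and dst_port == 443:
        return "saas"   # HTTPS to a cloud service
    return "bulk"       # everything else: backups, transfers, ...


def select_link(app: str, links) -> str:
    """Pick the cheapest link that meets the app's SLA. If no link does,
    fall back to best effort: lowest loss, then lowest latency."""
    sla = SLA[app]
    eligible = [
        l for l in links
        if l.latency_ms <= sla["latency_ms"] and l.loss_pct <= sla["loss_pct"]
    ]
    if eligible:
        return min(eligible, key=lambda l: l.cost).name
    return min(links, key=lambda l: (l.loss_pct, l.latency_ms)).name


def route_flows(flows, links) -> dict:
    """Map each flow name to the WAN link it should use right now."""
    return {
        name: select_link(classify(port, proto), links)
        for name, (port, proto) in flows.items()
    }


# Constructed link measurements: broadband is cheap but currently lossy.
LINKS = [
    Link("mpls", latency_ms=30, loss_pct=0.1, cost=10),
    Link("broadband", latency_ms=80, loss_pct=1.5, cost=1),
    Link("lte", latency_ms=120, loss_pct=2.5, cost=5),
]

# Constructed flows: (destination port, protocol).
FLOWS = {"sip-call": (20000, "udp"), "m365": (443, "tcp"), "backup": (873, "tcp")}

if __name__ == "__main__":
    for flow, link in route_flows(FLOWS, LINKS).items():
        print(f"{flow:10s} -> {link}")
```

With the constructed measurements the voice call stays on MPLS because broadband’s 1.5% loss breaks the VoIP SLA, while the SaaS session and the backup go out the cheap broadband link directly, which is the “no backhaul to headquarters” behavior the text describes. A real controller re-runs this decision continuously as probe measurements change; the best-effort fallback is what keeps traffic flowing when every link is degraded.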
SD-WAN works by separating the control and management processes from the underlying WAN hardware, making them available as software—that’s why it’s called software-defined WAN. If you’ve already implemented an SD-WAN architecture, you can layer SASE’s security stack on top of your SD-WAN backbone. However, SASE simplifies the security aspects of SD-WAN management, so some organizations prefer to implement them simultaneously.
That’s because, in a typical SD-WAN architecture, you still need to install security appliances and solutions at each branch office and data center to keep that traffic secure. SASE takes SD-WAN functionality and rolls it up with network security features into one unified solution, saving you the time and money of deploying security controls at each remote site. Let’s take a deeper look at SASE’s network security functionality.
2. CASB: Extending your security to the cloud
Cloud access security brokers, or CASBs, are software gatekeepers that sit between your on-premises infrastructure and your cloud-based infrastructure and services. A CASB ensures that network traffic between your enterprise network and your cloud provider complies with your organizational security policies.
CASBs typically include the following five components:
User and Entity Behavior Analytics (UEBA): A CASB uses UEBA to detect unusual behavioral patterns and enforce security policies on traffic between your enterprise and the cloud.
Cloud Application Discovery: A CASB inventories the cloud applications in use across your enterprise, including unsanctioned (shadow IT) services, so you can decide which to allow, restrict, or block.
Data Loss Prevention (DLP): CASBs prevent the exfiltration of sensitive and proprietary data according to your data governance policies.
Adaptive Access Control: A CASB analyzes the context of each access request to determine its risk, looking at factors such as user location and the time and date of the request.
Malware Detection: CASBs use firewall technology to identify and block malware before it enters the enterprise network.
A cloud access security broker provides cross-platform security policy management and enforcement from one control panel. When CASB functionality is combined with SASE’s other network security features, you gain even more control over your cloud and edge network security.
3. FWaaS: Unlimited scaling of advanced firewall functionality
Firewall as a service, or FWaaS, is pretty much exactly what it sounds like—a firewall solution delivered as a cloud-based service. FWaaS provides next-generation firewall capabilities such as web filtering, advanced threat protection (ATP), domain name system (DNS) security, and intrusion prevention. Since FWaaS is cloud-based, you can quickly and easily scale it up as your network edge expands to include new branch offices and cloud infrastructure.
In addition to typical stateful firewall features like packet filtering, connection tracking, and address translation (IP mapping), FWaaS uses deep packet inspection (DPI) to identify malware and other threats. DPI examines both the headers of each packet and its payload to decide whether the packet is malicious. Note that DPI can only see inside encrypted traffic if the service terminates TLS on the client’s behalf, so plan for that interception, and its certificate-management and privacy implications, when you scope an FWaaS deployment.
FWaaS also uses machine-learning tools to analyze network traffic for abnormal behavior, which lets it flag novel and zero-day threats for which no signature exists yet. This complements traditional signature-based detection, which relies on a database of previously encountered threats to decide whether to block a connection. The trade-off is that behavioral detection needs a baseline period to learn what “normal” looks like and produces more false positives than signature matching, so tune its thresholds before you let it block traffic automatically.
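The two detection approaches contrasted above, side by side, as an added example (not code from the original article or from any FWaaS product): a signature step that looks for known byte patterns in packet payloads, and a behavioral step that flags hosts whose outbound volume departs from their own learned baseline. The signatures, hosts and byte counts are constructed; the EICAR string is the industry-standard harmless antivirus test pattern.

```python
# Added example (not from the original article or any FWaaS product):
# the two detection approaches the text contrasts, run over constructed
# traffic. The signatures, hosts and byte counts below are made up; the
# EICAR string is the industry-standard harmless antivirus test pattern.
import statistics

# Signature-based step: byte patterns a DPI engine would look for in a
# packet payload. Illustrative patterns, not real IDS rules.
SIGNATURES = {
    "eicar-test-file": b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "php-webshell-eval": b"eval(base64_decode(",
}


def inspect_payload(payload: bytes) -> list:
    """Return the names of every signature found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def anomalous_hosts(history: dict, current: dict, threshold: float = 3.0) -> dict:
    """Behavioral step: flag hosts whose outbound bytes this interval sit more
    than `threshold` standard deviations above their own learned baseline.
    Returns {host: z_score}. Hosts without enough history are skipped rather
    than guessed at, which is the usual cold-start limitation of this method."""
    flagged = {}
    for host, today in current.items():
        past = history.get(host, [])
        if len(past) < 2:
            continue
        mean = statistics.fmean(past)
        sd = statistics.pstdev(past) or 1.0  # flat history: avoid dividing by zero
        z = (today - mean) / sd
        if z > threshold:
            flagged[host] = round(z, 1)
    return flagged


# Constructed packets: a benign request, a web shell upload, and the EICAR test file.
PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
]

# Constructed per-host outbound byte counts: five past intervals, then the current one.
HISTORY = {
    "10.0.1.10": [1_200_000, 1_100_000, 1_300_000, 1_250_000, 1_150_000],
    "10.0.1.11": [400_000, 420_000, 390_000, 410_000, 405_000],
}
CURRENT = {
    "10.0.1.10": 1_280_000,   # within its normal range
    "10.0.1.11": 9_600_000,   # roughly 24x its baseline: looks like exfiltration
    "10.0.1.12": 5_000_000,   # new host, no baseline yet
}

if __name__ == "__main__":
    for pkt in PACKETS:
        print(inspect_payload(pkt) or "clean", pkt[:40])
    print(anomalous_hosts(HISTORY, CURRENT))
```

The signature step catches the two payloads it has patterns for and nothing else; the exfiltrating host 10.0.1.11 sends ordinary-looking bytes that match no signature, and only the baseline comparison flags it. The new host 10.0.1.12 is skipped for lack of history, which is exactly the window an attacker on a freshly provisioned machine enjoys until a baseline exists, and why the threshold and warm-up period need deliberate tuning.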
Since FWaaS is a cloud-based service, your provider is responsible for maintaining and upgrading the hardware infrastructure that powers your solution. This gives you the freedom to scale up on demand without provisioning new hardware. FWaaS solutions are also typically highly customizable, so you can add or remove security features as your business requirements change, and you can bring new data centers, branch offices, and cloud services under your FWaaS policy from the management console rather than by shipping appliances.
Essentially, firewall as a service provides all the functionality of a next-generation firewall, without the hassle of deploying and managing any hardware. Plus, all of these features are contained within a single unified control panel, which is why FWaaS integrates so well with SASE architectures.
4. ZTNA: Remote access without sacrificing security
Zero trust network access, or ZTNA, is a cloud-based service that applies the principles of zero trust security (“never trust, always verify”) to your remote traffic. Whenever a remote user, device, application, or service attempts to access a resource within your enterprise or cloud infrastructure, ZTNA verifies their identity and gives them only the specific access they need to perform their function. This enables you to provide remote users a reliable connection to enterprise and cloud resources without sacrificing the security of your network.
Traditionally, remote users connect to enterprise networks using a VPN, which creates an encrypted tunnel to your LAN. Once a remote user authenticates with your VPN, they typically gain network-level access to the resources on your LAN, much as if they were on premises, unless you maintain separate firewall rules to restrict them. ZTNA, by comparison, only grants access to the specific applications, services, or resources that the remote user needs to complete their task.
ZTNA prevents remote users from seeing any network resources they haven’t been permitted to access. This limits the damage if an attacker uses a compromised account or device to access your network remotely: the attacker can reach only the few applications that identity was granted during its ZTNA session, rather than the whole LAN.
Like CASB, ZTNA can also use context-based access control policies to assess the risk of allowing a remote user or device to connect. For example, you can implement location-based policies that block remote devices from accessing your network if they leave a specific geographic area, or device-posture policies that require remote devices to upgrade to a particular firmware or OS version to patch known vulnerabilities before they can connect.
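The per-application grants and the context checks described here (and the CASB adaptive access control described earlier) come together in the access decision a ZTNA broker makes for each request. The following is an added example, not code from the original article or from any ZTNA or CASB product: a user is evaluated against a per-app grant list, a geofence, a device patch baseline and an off-hours step-up rule. The users, apps, grants, countries, OS versions and policy thresholds are all constructed for illustration.

```python
# Added example (not from the original article or any ZTNA/CASB product):
# a context-aware, per-application access decision of the kind a ZTNA
# broker makes, which is also what a CASB's adaptive access control does
# for cloud apps. Users, apps, grants, countries, OS versions and the
# policy thresholds are all constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    app: str            # the one application being requested, not "the LAN"
    country: str        # geolocation of the client, ISO country code
    os_version: tuple   # device OS version as a tuple, e.g. (14, 2)
    hour: int           # local hour of the request, 0-23
    mfa: bool           # whether this session already completed MFA


# Per-user application grants. Anything not listed here is invisible to the user.
GRANTS = {
    "alice": {"crm", "wiki"},
    "bob": {"wiki"},
}

# Assumed tenant policy: geofence, patch baseline and off-hours step-up.
POLICY = {
    "allowed_countries": {"US", "CA"},
    "min_os_version": (14, 1),          # devices below this must patch first
    "business_hours": range(7, 20),     # 07:00-19:59 local time
}


def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Decisions: 'allow', 'deny' or 'step-up'.
    Hard denies are checked before the step-up rule so that MFA can never
    compensate for a missing grant, a bad location or an unpatched device."""
    if req.app not in GRANTS.get(req.user, set()):
        return "deny", "no grant for this application"
    if req.country not in POLICY["allowed_countries"]:
        return "deny", "client outside permitted geography"
    if req.os_version < POLICY["min_os_version"]:
        return "deny", "device OS below patch baseline"
    if req.hour not in POLICY["business_hours"] and not req.mfa:
        return "step-up", "off-hours access requires MFA"
    return "allow", "identity, grant, location and device posture verified"


def reachable_apps(user: str) -> set:
    """What a ZTNA session exposes: only the user's granted apps, never the network."""
    return set(GRANTS.get(user, set()))


if __name__ == "__main__":
    # Constructed requests covering the normal case and each failure mode.
    samples = [
        Request("alice", "crm", "US", (14, 2), hour=10, mfa=False),   # allow
        Request("bob", "crm", "US", (14, 2), hour=10, mfa=True),      # deny: no grant
        Request("alice", "crm", "BR", (14, 2), hour=10, mfa=True),    # deny: geofence
        Request("alice", "crm", "US", (13, 9), hour=10, mfa=True),    # deny: unpatched
        Request("alice", "crm", "US", (14, 2), hour=23, mfa=False),   # step-up
        Request("alice", "crm", "US", (14, 2), hour=23, mfa=True),    # allow
    ]
    for r in samples:
        print(r.user, r.app, evaluate(r))
```

Two design points matter here. First, the grant check is per application, so a compromised “bob” credential cannot reach the CRM at all, let alone the rest of the LAN; that is the attack-surface reduction over a VPN described above. Second, the deny rules run before the step-up rule, so a user on an unpatched device or outside the geofence is refused outright rather than being offered MFA as a way around the posture requirement.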
ZTNA replaces VPNs by giving your remote users access to the enterprise and cloud resources they need while keeping them isolated from your main LAN. Zero trust network access, cloud access security brokers, and firewall as a service are the key components of the SASE security stack, though individual SASE solutions and offerings may use additional or varying technologies as well.
Implementing the key SASE components for your enterprise
SASE combines SD-WAN and network security into one solution that you can manage from a single pane of glass. In addition to SD-WAN, SASE’s key components include cloud access security broker (CASB), firewall as a service (FWaaS), and zero trust network access (ZTNA). Together, this cloud-based functionality gives you greater control over your network, improves your overall network security, and enables easy scaling so your SASE solution can grow with your business.
Putting these key SASE components to work for your enterprise requires a robust and flexible branch edge security and management solution like Nodegrid. ZPE Systems’ Nodegrid is a vendor-neutral platform of hardware and software tools that supports SASE deployment and management, including console servers for remote out-of-band management and zero-touch provisioning to automate device setup and configuration.
Learn more about how Nodegrid can help your enterprise put these key SASE components to work.
Schedule a free demo or get in touch with ZPE Systems today.