Cisco Software-defined WAN solution offers a lot of security features geared toward the wide-area network and the branch. However, it is important to understand from the very beginning, that the SD-WAN security portfolio is only one piece in the broader security strategy of most organizations.
This lesson will explore the most modern security framework organizations adopt these days and see where Cisco's Software-defined WAN fits into the big picture.
What is Secure Access Service Edge (SASE)?
Secure Access Service Edge (SASE) is a new approach to an enterprise's wide-area infrastructure that combines software-defined WAN with advanced cloud-deliver security features. The SASE framework aims to combine the network, security, and identity (and likely NetOps and SecOps) functions into a single, unified solution delivered as a service.
SASE is the industry's response to the ongoing major technology shift to decentralized networks and security. Organizations are rapidly transitioning their infrastructure from a centralized data center model to a decentralized cloud model and mobile workforce. However, the technology needed to support this transition is still not clear and mature – which in turn has created the Secure Access Service Edge (SASE) framework. Figure 1 illustrates the main technologies that SASE incorporates at a minimum:
- Networking
- Software-defined WAN and Cloud Networking
- Router-based Security
- Analytics and AppQoE
- Security
- Cloud-delivered DNS security
- Cloud-delivered Secure Web Gateway (SWG)
- Firewall with application recognition
- Cloud access security broker (CASB)
- Identity
- Zero-trust Network Access (ZTNA)
- Duo
- Cisco SD-Access
- Cisco Anyconnect
- NetOps
- SecOps
What SASE is not
These days, SASE is the new buzzword that every company will try to exploit in their product and sales presentations. However, it is important to realize that SASE is not a specific product, solution, or feature. It is a framework or philosophy that combines a package of different technologies. Therefore, it does not directly compete with any solutions nor does it replace any particular product.
So, if you are being told or read that SASE will replace one of your products or solutions, well, think again.
Why do we need SASE?
There is enormous complexity related to networking and security at the moment. Cisco realizes that customers stopped buying from them just because it is sooo complex to choose, buy, deploy and operate every piece of technology that the organization needs to have a reliable network and be complimented with all security standards.
- It is complex to choose - there are multiple different networking and security solutions (Meraki, Viptela, Umbrella, ThousandEyes, Duo, and so on).
- It is complex to buy - there are multiple different licensing models.
- It is complex to deploy - each separate solution has a steep learning curve and requires a high level of expertise when deploying.
- It is complex to operate - each separate solution requires a separate set of engineers to operate it.
- It is complex to scale/update/refresh - with many solutions glued together, it becomes very hard to make architectural changes.
With SASE, Cisco will try to converge everything into one solution and lower the overall complexity on every possible level.
What can't SD-WAN deliver alone?
Ok, at this point you may be wondering - "Ok, we now have the long waited SD-WAN. Isn't it enough to provide a wide-area network and security?" Well, in technology, the answer to every question is always "it depends". Most likely, for many organizations, SD-WAN alone is simply not enough to cover all network and security requirements that the new decentralized cloud infrastructure and remote workers impose on the WAN infrastructure.
The Software-Defined WAN isn't designed to address all challenges the network and security infrastructure face when transitioning to the decentralized cloud model and the expanding network edge. Some of the notable shortcomings are as follows:
- SD-WAN needs reliable underlay. The software-defined wan solutions build an overlay fabric on top of an underlying wide-area network infrastructure. Organizations still need to have a reliable underlay network backbone. Managing and securing the underlay infrastructure in large-scale, multi-regional deployments might still be difficult and expensive. SD-WAN alone does not address the underlay challenges.
- Remote Worker / Remote Access. The software-defined overlay fabric provides secure and reliable site-to-any-site and site-to-any-cloud connectivity. However, the solution is not designed to provide remote SSL VPN to the mobile workforce nor to protect sensitive corporate data from remote access. SD-WAN alone does not address the remote worker / remote access challenges.
- Lack of complete security portfolio. The primary focus of most software-defined wan solutions is to help automate and scale the wide-area network infrastructure. Yes, the Cisco SD-WAN portfolio includes many security capabilities. However, SD-WAN alone can not solve all security challenges that organizations face when adopting decentralized cloud infrastructure and remote access. It can integrate with cloud security providers such as Umbrella and Duo.
Cisco SD-WAN and SASE
The current Cisco Secure Access Service Edge framework has three core components:
- Cisco Software-defined WAN
- Cisco Umbrella
- Cisco Duo
Figure 2 shows a high-level diagram of the complete integration of the three core solutions.
SD-WAN
Software-defined WAN is a set of features designed to deliver secure site-to-site and site-to-cloud connectivity from any location. The solution ensures optimal performance for business-critical applications by rerouting around performance degradations across the WAN. Additionally, Cisco SD-WAN provides an automated deployment model that can extend the network edge (the overlay fabric) to any environment - either on-prem or in the cloud. One of the key features of the solution is enabling direct internet access (DIA) at branches and the automated integration with the Umbrella SIG, which allows cloud-delivered security to be deployed to hundreds of branches in minutes, instantly gaining protection against Internet threats.
Umbrella
These days most of the organization's network traffic occurs at branches and remote locations and is destined to the public cloud via the Internet. Subsequently, organizations need to separately manage security settings at thousands of branch locations.
Cisco Umbrella Secure Internet Gateway (SIG) unifies multiple security functions in a single cloud-delivered solution that traditionally required on-prem security appliances (FW, IPS, proxy). Umbrella combines a cloud firewall, secure web gateway (SWG), DNS-layer inspection, cloud access security broker (CASB), data loss prevention (DLP), and remote browser isolation (RBI) into one cloud-delivered service that integrates seamlessly with Cisco SD-WAN.
Duo
Cisco Duo Network Gateway (DNG) allows end-users to access on-prem resources without having to worry about managing VPN credentials, while also adding security with Duo Multi-factor Authentication (MFA). Due provides granular access control per application and user group. It ensures that only trusted users and endpoints can access the organization's internal resources.
The Journey to SASE
Each organization's journey to SASE would be different. However, the three milestones that SASE defines are shown in figure 3 below.
- With the legacy traditional WAN architecture, all traffic from branches was backhauled to a regional data center before being sent out to the Internet and back.
- At present, with the adoption of software-defined wan, most branches directly access SaaS and IaaS applications via site-local Internet access and cloud-delivered security.
- In the future, SASE providers want to unify network and security into one cloud-delivered solution with one web portal for managing everything, one policy framework across all products, and one unified thread intelligence across all tech domains. We are not really there yet.
SASE: Key Takeaways
The key takeaway of this lesson is that Cisco's Software-defined WAN alone is simply not enough to provide complete network and security functionalities that organizations require moving into the decentralized cloud model.
Secure Access Service Edge (SASE) aims to unify the network and security into one solution that will make the wide-area network easier to consume, faster to deploy and simple to manage. We are still not there yet so the journey has just begun.