Secure Access Service Edge and SD-WAN

Background
Network security used to be so easy. A company would set up an enterprise data center and hire a handful of competent cyber-security professionals. Employees would show up at work at 8 am (remember those days? Anyone?) and log on to their desktop computers. Any company documents or correspondences would be easily accessible from their data center and as long as usernames and passwords were protected (a surprisingly difficult task) the overall network security remained intact. In fact, not responding to Nigerian princes’ emails was one of the key security policies! (For a more thorough discussion of cyber-security threats and unified threat management, read our recent blog here.)

Times have really changed. The enterprise data center, while not yet obsolete, may in fact be in the twilight of its usefulness as cloud computing and a large number of “Anything-As-A-Service” offerings have revolutionized the cyber landscape and workplace processes. Employees routinely telecommute or work from remote locations for extended periods. Contractors and vendors are located all around the world and need 24/7 access to various company resources. Forcing all of this traffic through a data center on its way to or from the cloud just doesn’t make sense anymore. Even the concept of the data center as some sort of “network edge” is rapidly giving way to the reality of a much more flexible, identity-centric, “distributed edge”, where network access and security are moved away from the data center.

Enter Gartner and SASE

In their recent August 30, 2019 article “The Future of Network Security Is in the Cloud”, Gartner introduces us to the concept of a “Secure Access Service Edge”, which they refer to as “SASE” and (unfortunately) insist we pronounce it “Sassy”. I probably would have gone with SEAS for Service Edge Access Security, but regardless of the pronunciation Gartner lays out a well-reasoned argument for SASE: “Digital business transformation inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center… Complexity, latency and the need to decrypt and inspect encrypted traffic once will increase demand for consolidation of networking and security-as-a-service capabilities into a cloud-delivered secure access service edge (SASE).”

So it appears that SASE makes a lot of sense and is on its way to fundamentally changing the network security landscape. Among other things, SASE highlights the high performance and secure connectivity of the last mile, which is best accomplished with SD-WAN for branch offices.

SD-WAN Remains a Critical Component
Gartner goes on to say:
“The digital inversion of usage patterns will expand further with the growing enterprise need for edge computing capabilities that are distributed and closer to the systems and devices that require low latency access to local storage and compute.

The need to agilely support digital business transformation efforts while keeping the complexity manageable to support the inversion of access patterns will be the primary drivers for a new market. This market converges network (for example, software-defined WAN [SD-WAN]) and network security services (such as SWG, CASB and firewall as a service [FWaaS]). We refer to it as the secure access service edge (SASE) and it is primarily delivered as a cloud-based service.”

The digital inversion Gartner discusses refers to the fact that more and more workloads, applications, data and overall traffic are no longer tied to enterprise data centers but rather interact directly with the cloud. This also directly implies smarter, faster and more capable edge computing since the data center is now often excluded from the workload.

SD-WAN routers used in branch offices and other remote locations remain a critical component as the industry transitions to a more SASE-based networking security model. SD-WAN allows enterprises (small/medium/large sized businesses, branch offices, remote work sites, even non-wired sites, mobile enterprises) to optimally leverage multiple WAN and/or cellular resources. This greatly facilitates the secure service edge model as it ensures a rock-solid connection to any cloud resources.

Ideally, the CPE (customer-premises equipment) device defining the service edge utilizes SD-WAN with multiple ISP providers. This allows the device to monitor each WAN link and ensure that traffic always follows the optimal path to the cloud. Often, this may be the link with minimal latency, but other network characteristics must also be taken into account. A low-latency link with excessive jitter or packet-loss may not be the best option at any given time. Other network applications may be more dependent on bandwidth and less so on latency – for example, large file uploads/downloads.

A Few Key Findings

While a complete discussion of SASE is beyond the scope of this blog, let’s consider two of Gartner’s key findings:

• Inspecting and understanding data context will be required for applying a SASE policy.
• To provide low-latency access to users, devices and cloud services anywhere, enterprises need SASE offerings with a worldwide fabric of points of presence (POPs) and peering relationships

Both of these findings implicitly support SD-WAN in their implementations. Inspecting and understanding data context is clearly critical for SASE as the security policies applied will be very different if an authorized user is using Facebook, accessing private financial or medical data, looking for leads on Salesforce, or accessing company proprietary information. Low latency is critical for various applications such as VoIP or live-streaming video.

Some of the more sophisticated SD-WAN devices (such as our Truffle Broadband Bonding Network Appliance, or our wireless Portabella devices) utilize NFV (network function virtualization) to apply various overlay planes onto the network architecture. This allows for implementing customized, secure IP tunnels for specific applications. For example, one tunnel may optimize for low latency, while another tunnel optimizes for high bandwidth. Depending on the application, real-time packet steering is performed to ensure that each packet travels through the optimal tunnel; VoIP packets will always see the lowest latency path, while large file download packets will always get the highest bandwidth path available.

Clearly, the intelligent SD-WAN devices with NFV overlay tunnels must understand data context in order to properly steer packets. These devices would also naturally have a secure tunnel optimized with respect to low latency. Both of these features are fundamental in the above key findings by Gartner. In fact, a SASE environment could actually leverage these functionalities as part of the overall solution. Additional tunnels could be established that facilitates SASE operation – highly sensitive sessions could be routed to highly secure tunnels, while more mundane sessions might remain on less heavily encrypted tunnels. Similarly for latency-sensitive application flows.

NFV Is Dead? Depends on what you mean by NFV

Another recent article discussing the Gartner report is LightReading’s “Gartner: NFV Is Dead – the Cloud Killed It” from last month. While we won’t spend much time summarizing this article, we must take exception to the conclusion.

LightReading states:

“Enterprises are demanding a new generation of cloud-based wide-area networking services that’s swallowing up SD-WAN, killing network functions virtualization (NFV) and challenging existing telco business and technology models, according to Gartner analysts.

NFV proved “incredibly complicated,” and while the telco industry struggled to make it work, application consumption patterns changed and the branch was no longer the center of the universe, and a solution that was non-scalable and hard to maintain and expensive and complex winds up being obsoleted by something that is elastic and easy to maintain and it’s cloud delivered.

There are cases where NFV makes sense. “But by and large the days of NFV have already come and gone. It’s basically stillborn.”

In our minds, this statement is somewhat flawed and really misses the point, unless of course you adopt a narrow description of NFV. If anything, we see SD-WAN and NFV continuing to develop and expand both its market reach as well as overall capabilities. SD-WAN and SDN (software-defined networking) in general are agile and flexible and greatly facilitate the overall network operations of not only branch offices, but of public, private, and hybrid clouds.

So unless one defines NFV within the narrow and very specific telco use case of NFV within the uCPE framework, NFV is more generally defined as virtualized and modular services that can be concatenated (or service-chained as it’s frequently called) with other such NFVs to create end-to-end service offerings. Therefore,  SASE can be looked at as a collection of NFVs that are service-chained in the cloud and delivered to the end user as a managed service.

Regardless of the SASE-specific future, we certainly will see much more emphasis on cloud migration, networking, computing, and security as well as how those services are delivered to end users. We believe SDN, SD-WAN, and NFV will continue to be a fundamental part of the landscape.

Rob Stone, Mushroom Networks, Inc. 

Mushroom Networks is the provider of Broadband Bonding appliances that put your networks on auto-pilot. Application flows are intelligently routed around network problems such as latency, jitter and packet loss. Network problems are solved even before you can notice.

https://www.mushroomnetworks.com