Are You Struggling with IT Security and Access? Discover SD-WAN, SSE, and SASE Solutions
Hi. I'm Max Clark. This is part 2 of what's turned into a rant on SD-WAN, SSE, and SASE. Part 1 was really kind of the history of networks and SD-WAN, how we got from point A to point B. And now we're gonna talk about SSE, or I'm gonna talk about SSE and SASE, because there's only one of me.
Speaker 1:First off, what the heck is SSE and SASE? SSE, Secure Service Edge, is this idea of encapsulating and moving your security functions from, you know, these old school appliance, big iron, antiquated things into, we'll just say, cloud delivered applications. And that usually encompasses secure web gateway. That will encompass secure remote access, or ZTNA. It'll include CASB, cloud access service broker. And then usually you'll see most SSE infrastructure will be firewall as a service. Depending on the SSE provider, these things change a little bit up and down on what they're actually giving you.
Speaker 1:And what's missing from SSE, and this comes back to SD-WAN, is the A. So access. So SASE is SSE plus access, and access is SD-WAN. So we had SSE and then somebody said, oh, hey. Wait a minute.
Speaker 1:Why don't we just shove the entire network security function together into this one thing? We're gonna call it SASE. And that's how we got SASE. And by the way, I'm not gonna knock either SSE or SASE because I love them both. And you're probably not gonna buy SSE.
Speaker 1:You're probably gonna jump all the way into SASE. There are vendors where you have on-premise firewalls that are going to try to sell you their roadmap into SASE. What they're really selling you is like an SSE overlay on top of your existing infrastructure, because they want you to still spend gobs and gobs of money on what you have at your office. But we're just gonna talk about making the jump all the way into SASE land. The frustrating thing about SASE for me is most of the OEM firewall manufacturers want to have to give a SASE roadmap because they know the entire market is moving there.
Speaker 1:But while they're giving you a SASE roadmap, they still want you to invest in and use their existing SKUs and spend money on their hardware and their renewals. And this is the innovator's dilemma. Right? Because they've got revenue and they've got business. They can't blow it up instantaneously, and they need to preserve it while also protecting the future from upstarts.
Speaker 1:And there are a lot of upstarts that are pure SASE players. The thing that's incredible about SASE, if you haven't experienced it before, and by the way, also with SASE, with SSE, you see vendors that are SSE. That's a good example. Big ones. Zscaler.
Speaker 1:Right? So Zscaler does not sell you an SD-WAN solution. Cloudflare will tell you, will use SASE in marketing, but they're not selling you the SD-WAN component. They're going to sell you something called Magic WAN, which is software running inside of your network that still has to transit through, hopefully, an SD-WAN for circuit selection.
Speaker 1:So these are SSE infrastructure where you still have to have some sort of SD-WAN running on your premise, and you have to have something providing, really, what most firewalls are doing for you, which is providing NAT translation. So that way, a private IP address on the inside, public IP address on the outside, and you can talk back and forth. When you get into a real SASE vendor, that SASE vendor is going to give you the ability to put an appliance on your network. That appliance is gonna provide the SD-WAN function. That appliance is going to build the tunnels to their service, and they're going to give you the firewall.
Speaker 1:The firewall as a service. They're gonna give you the firewall functionality in their cloud. Right. Basically, a.k.a. they've got servers and data centers that you're connecting to. So their appliance is building tunnels to their data centers, and their data centers run all the functions in those things. What's awesome about this infrastructure, as you build this out, is now you get into a situation where you've got stable SD-WAN, stable path and circuit selection, with very simplistic architecture and infrastructure at your edges, at your network locations, at your offices, at your warehouse, at your desk, whatever you wanna call it.
Speaker 1:And all I need to do is use it to connect to the Internet, provide a VPN tunnel, and do circuit selection. So there's not a lot going on there. It doesn't have to have a huge processor. It's not trying to do deep packet inspection or threat management or all these different things, that UTM that these firewall vendors are gonna try to sell you. And all that function exists within the service provider's infrastructure and cloud.
Speaker 1:And so when they apply updates, and when they see stuff, they apply updates to everybody at the same time. So if you've ever had to try to do a software update, you know, because you've had a critical vulnerability from, you know, I mean, we can pick on everybody. They all have them. You know, Palo Alto has, Fortinet has had, you know, Barracuda. They've all had these, you know, Cisco.
Speaker 1:They all have them. If you've got one firewall or you've got a pair of firewalls, maybe that's easy for you to schedule a maintenance window in the middle of the night and do a firmware update as soon as it's available. That's the other key. It may take that manufacturer time to make it available and push that update out. If you've got 100 locations, 500 locations, 1000 locations, now all of a sudden you're talking about, you're gonna have, you know, 2,000 devices that you have to update.
Speaker 1:That's not something you do in 1 night. The great thing about SASE and SSE in those situations is the service provider is maintaining that update on their core infrastructure, and the whole thing uplifts at the same time. So, much faster response time to events and security issues and networks and people doing nefarious things. The other thing that's amazing about SASE, as I talked about, how you have an appliance that goes for your SD-WAN function at your office, while your remote users... Here's the fun part.
Speaker 1:Your remote users, the agent that's gonna run on their devices, is connecting to the same infrastructure. Now it doesn't have to be the same data center. I mean, if you're looking at old, antiquated service providers, and usually ISPs, telcos are trying to sell you, like, big iron firewalls, usually based on Fortinet. You know, if you're on the West Coast of the United States, they're going to give you a primary firewall instance on the West Coast of the United States. But then if you, you know, fly to New York to go have meetings with your investment bankers because you wanna go public, and your CEO's, you know, laptop and cell phone has to build a tunnel back to the West Coast and then go to the Internet from there, your CEO is gonna be pissed off at you.
Speaker 1:Right? Not a grip. Not a good position. It's even worse if they're on vacation in Spain. Right?
Speaker 1:Because now it's going from Spain all the way back to the West Coast. But with the SASE vendor, what ends up happening is that device connects to the PoP that's closest to it. And that PoP that's close to it has connections to the PoPs closest to the other side of it. Right? And you still get the ability to apply the same policy depending on where your users are.
Speaker 1:So it makes no difference. Your user could be on the West Coast. They could go to a Starbucks. They could go home. They could go to a library.
Speaker 1:They could travel to the East Coast. They could travel to Europe. They could go to Asia, whatever it is. And you still have a unified policy and controls that go across everything. And you have the ability to also build private connections between your endpoints as necessary for your applications.
Speaker 1:This is also awesome when you start talking about application CASB. So most people are implementing this like CASB light. But what is CASB? You know, what's a good example? Salesforce.
Speaker 1:You have Salesforce. You have Office 365. You have Slack. You have whatever you're running. You can actually go to that software.
Speaker 1:You can go to that SaaS vendor, and you can say only allow connections to my instance from this IP range or from this authentication, for instance. I mean, you can get pretty deep depending on what that actual SaaS vendor supports. And you can effectively create a firewall in. If you've ever used Salesforce, you go to salesforce.com. Right? You sign in.
Speaker 1:Well, now imagine in order to sign in to your infrastructure inside of Salesforce, it has to come from your authenticated SASE vendor. Right? In order to log into it. Otherwise, you say, hey, you know, you can't access this. So these things layer on protection for you in terms of, like, even if you had a password disclosure, and somebody, your CFO's NetSuite user and password leaked out, somebody couldn't log into it because they have to get behind your CASB in order to authenticate and connect to it.
Speaker 1:Right? So these are all things. The problem with SD-WAN and SSE and SASE is the marketing departments at these vendors. Because each time that Gartner or Forrester or somebody creates a new terminology, a new standard, then everybody wants to, you know, just swim downstream. Right? Follow the current and check into it. I'm gonna pick on Cisco Meraki right now. Now, Meraki, Cisco bought, so it's not necessarily their, you know, they didn't create this, but Cisco Meraki will tell you that they have SD-WAN support in their environment. Sure.
Speaker 1:By the loosest definition of SD-WAN, it's a cloud configured web interface to manage it, and you can do point and click VPN configuration between your MX firewalls. Okay. Sure. It does. That's SD-WAN.
Speaker 1:What it doesn't do is performance based path selection and circuit failover for you. It doesn't do IP monitoring with an SLA timeout. So unless, I mean, you know, the default profile in a Meraki is a 5 minute failover between, you know, 2 network circuits. It's not gonna tell you, you know, circuit A is faster than circuit B. Use circuit A, or circuit A is saturated.
Speaker 1:Stop using it. It is extremely primitive, and they sell it as SD-WAN, and it freaking sucks because it's not what you want for the net. Really popular SD-WAN, way more functionality built into it, confusing to configure if you haven't done it before, but will do path selection, will be application aware, has the problems of only being one half of the network equation. Right. Doesn't have the other side of the network equation in order to actually give you real QoS and IP survivability. You know, of course, I already mentioned, like, you know, people that are pushing into and trying to sell a SASE solution that are actually SASE vendors. You know, what's another one I can... Palo Alto. Palo Alto bought CloudGenix.
Speaker 1:CloudGenix had just a really cool SD-WAN box. In some cases, the CloudGenix software would actually look all the way down to the TCP session establishing, and, you know, what was the SYN and ACK, and are there resets being served, and what was actually going on with the application. So if you had a lingering application on one circuit, it would be aware of that and actually fail it over to a second circuit for you. So you have very sophisticated circuit failover. Now, the problem with the CloudGenix environment was if you wanted any sort of inbound protected failover, you know, again, some people have services that they have to run that have to go inbound.
Speaker 1:CloudGenix required you to put an appliance into a data center behind a BGP network. So, you know, you still had this other layer of routers, and then the evils of BGP that you had to deal with, and they didn't really ever create an answer for this. But now if you were just talking about edge locations, and you could pair the CloudGenix SD-WAN with an SSE vendor like Zscaler, it is a really amazing thing for you. And there's a great quote. It was basically time to innocence for network teams, of, like, oh, no, it's not us.
Speaker 1:Salesforce is having a problem. You know, our network is fine, and I can prove that it's Salesforce. We have to wait for Salesforce to fix itself. I really like that. Anyways, Palo Alto, when they were purchasing CloudGenix and using CloudGenix as a foundation for Palo's SASE, wants to push you into... even with Prisma, if you have somebody sit down and diagram out what a Prisma Access network architecture looks like for you, you know, basically what you end up with is just like, oh, you know, like, we're gonna need a firewall.
Speaker 1:And then behind that, we're gonna put our SD-WAN. We're either gonna put that there, or maybe we're gonna put it over here to the side, because you could put the CloudGenix SD-WAN outside the firewall or inside the firewall. So I'll just kind of draw this about there. I'm just gonna go like that. But anyways, and then you're gonna connect this to the Internet, and then you're gonna have a remote user over here.
Speaker 1:And, oh, by the way, you also have to have your data center. Here's your data center. I'm gonna put lots of boxes. And your data center has to have a BGP connection with 2 networks. So we have 2 lines coming into your data center, or 2 routers.
Speaker 1:And then here's all the CloudGenix boxes in the data center. And by the way, you still need your big Palo Alto firewalls. And then now we've got this other thing that we call Prisma. And so selectively on the Internet, we're gonna create these Prisma gateways, and your remote user can connect to a Prisma gateway, which then can connect to here, which then can come through the router and through this SD-WAN box and to the firewall, and then terminate at this firewall and then come back. You start going through these network architectures, and you're like, who in their right mind would wanna do this?
Speaker 1:Mainly because you probably already have Palo Alto infrastructure, and you have to because you can't throw it all out. But here's the difference. If you're greenfielding a SASE solution, and by the way, if you can, this is what you should do. You have an office location. You have redundant SD-WAN boxes.
Speaker 1:Here's your SD-WAN appliance provided by the SASE vendor. And by the way, this plugs into your switches because you have everything redundant. We're gonna do this kind of thing. And you've got your 2 Internet connections. You know, really, this is just the Internet.
Speaker 1:Right? Well, this is what this looks like with your remote users. Right? And if you had another location, maybe it doesn't have high availability, but it's just a single site SD-WAN with a bunch of users behind it. Right?
Speaker 1:Way less for you to manage or think about. It's, take the leap. Just do it. Or, you know, maybe, you know, the situation you're in, you need, you know, a baby step, and you're gonna do, you know, if it exists, you know, SD-WAN, and you're gonna go into an SSE environment and overlay on top of that. That's fine, too.
Speaker 1:You know, it's a... I'm gonna share a dirty secret. Most of... I'm gonna get a great note from my people here about this stream of light coming right through that corner of that shade, hitting me on the thing. So anyways, the secret is most of what I do and what my team does, when we're talking to enterprises and talking to people, it's like, what problem are you trying to solve? First and foremost. Right?
Speaker 1:Are you solving an optimization problem, a performance problem, a QoS problem, a failover problem, a saturation problem, a security problem? Like, what problem are you trying to solve? Right? How big is that problem? What are you trying to solve?
Speaker 1:What's the impact to your business? You know, these kinds of things. What do you already have? Right? So there's, like, first is the problem.
Speaker 1:Second is what do you already have? Because a lot of times what you already have is gonna force you into directions. I mean, if there's 30 vendors in the market roughly offering what you want, and you already are running something, that might cut your selection list from like 30 vendors to 5 vendors without even, like, spending any time. Like, don't spend weeks, months doing RFPs with people if you can down select, you know, 95% of the suppliers in the market based on something that you already have running and knowing, like, that should be.
Speaker 1:So we spend most of our time actually there. It just becomes a really easy process once you identify what it is, but understanding how to make that decision and what's actually critical. Right. So then it's like, what problem do you have? What are you trying to solve?
Speaker 1:And then, of course, you know, who's gonna give you a pricing? Who's not dysfunctional? Who actually has a roadmap? Who has support? Who has, you know, good service?
Speaker 1:I mean, that's kind of like the third leg of that stool there. But chances are you're already in this thing. You already have something, and you need to put something else on top of it. So it's, what does that roadmap look like, and how do you take baby steps between point A and point B? If you have questions, comment below, send me an email. I'm happy to share, you know, and get into specifics with you on your case, right, because it's almost impossible to give generic information with this, because so much of it is like, it depends. It's, you know, it just, it depends. But I'm very happy to help you through this process and figuring out, like, what the heck is going on and how to make your life better ultimately. Right? Like, how to make your life better and make this stuff make sense and be easier to manage. And I say that, you know, coming from a background of doing network engineering and dealing with the most spaghetti monster networks you can imagine and trying to, you know, improve them and maintain them and deal with corporate bureaucracy nonsense.
Speaker 1:Anyways, questions or comments, comment below. I'm Max Clark. This was a 2 part rant on SD-WAN, SSE, and SASE. And I hope it helps you.