How Do We Safeguard Devices in the Modern Workplace?

Speaker 1:

Everybody. I'm Max Clark, and I wanna talk about a problem that we're seeing in the secure web gateway, secure Internet access, SASE, whatever you wanna call it, acronym space, and a little bit of background. If you've got remote users, so basically any device that you have that's not stationary in an office, and even, actually, I would argue if you have a device stationary or in an office, you need to figure out how to protect these devices. Foundationally, you should have an EDR running to provide you endpoint detection and response.

Speaker 1:

EDR is really an after-the-event tool, almost, in the sense that it's gonna prevent a payload from being run, or it's gonna give you information and the ability to identify and recover after something has happened on your endpoint. So if you wanna get into an offensive stance and you wanna actually proactively protect your users and your devices, this is when we get into this other category of service and tooling. So I'm gonna tell you what the acronyms are, and I'm gonna merge them all together into a concept because it's easier to explain. So we have secure web gateway, SWG. Some people talk about it as secure Internet access.

Speaker 1:

You'll hear SASE, which by definition includes this functionality. You'll have secure remote access, zero trust network access, ZTNA, CASB, a cloud access security broker, data loss protection, DLP. These things all kinda get mangled into a product or service offering from a provider. At its core, when you look at what your options are for a secure web gateway or a similar service for an endpoint, you could start with DNS-based filtering. And the nice thing about DNS-based filtering is it produces very little load and overhead on the device and what it needs to do.

Speaker 1:

The Internet connection is device to Internet. There's nothing in between. And you have phenomenal performance. The problem with DNS-based filtering is you cannot implement anything beyond the secure web gateway on top of it. So you get the ability to filter DNS requests.

Speaker 1:

If there's a known malicious URL, you can block traffic to it. Some services allow you to create policies to not let users open up URLs that have never been seen before, if it doesn't have it. But, ultimately, you're getting an improvement in your stance, but not really a lot of... you're missing out in real time. It's still reactionary to some degree. So going from DNS-based filtering, you go to the next step, which is some sort of gateway architecture.

Speaker 1:

And this is where you start hearing people talk about next generation firewalls, cloud firewalls, cloud federated firewalls. I mean, you pick your marketing term, right? And now what's happening is your endpoint is creating a VPN encrypted tunnel to a gateway, and then that gateway is implementing policy and connecting out to the Internet.

Speaker 1:

By having a gateway in place, all of your ACLs, all of your policies, all of your rules, the rules engine, the heuristics engine, the filtering engine, everything like that is running in this gateway. And all of your devices, all of your endpoints have to go through it, or when I say it, I mean this environment, this cloud, this platform, in order to connect to the Internet. And this is how you then also build additional things. So in the CASB world, it'd be able to say, only allow connections to our CRM from this range of IP addresses that we have allocated to us from our service provider.

Speaker 1:

Only create a VPN tunnel to this other network. I want a tunnel to my public cloud private network, right? So I can implement that functionality through this kind of gateway, or create a tunnel back into my physical assets, whether it's a data center or an office. You can do that through those kinds of gateways.

Speaker 1:

If you're running a gateway, you can also do remote browser inspection. So the RBI functionality comes in, where you could start expanding payloads and have the gateway run it for you in a sandbox environment and take a look at what's gonna happen with that payload before it actually hits your devices. So functionality gets very sophisticated here very quickly. Here is where these gateway platforms fall down, especially the gateway platforms that are built around consumer service VPN infrastructure. So there's a bunch of companies that are moving into the business space and have a background in the prosumer or consumer markets.

Speaker 1:

And by the way, we're seeing this a lot in providers that started as a business-to-business or business-to-enterprise focused service provider as well, which is their gateways are absolute complete horseshit garbage dumpster fire crap things. What do I mean by that? The most common example that we see, and that we see in testing, is the gateways are connected to the Internet at 100 megabit. And so these providers are going out and purchasing dedicated servers from other hosts and distributing these gateways across the Internet in different regions. And they're just cheap boxes.

Speaker 1:

They are cheap boxes. They have cheap Internet connections. They have limited network interfaces. And you find out about this once you start actually using the gateway and trying to send traffic through it. So if you've got users trying to actually do things on the Internet who have faster than 100 meg network connections, all of a sudden these things start showing up, and you realize very quickly that this is a problem.

Speaker 1:

And if you're trying to do data transfer, or for instance, the other problem is these gateways have 100 meg total. So if you have a dedicated gateway to your enterprise with 100 users connected to it, then you find out those 100 users are sharing 100 megabit to the Internet, and they're all being choked, right? So it's a horrible situation to find yourself in, and it's incredibly frustrating going through evaluation processes with providers and asking them bluntly and blankly as part of our initial survey: What is your network connection speed on your gateways?

Speaker 1:

Oh, we run 1,000 meg. We've got 10 gig, whatever it is. And then you start testing it, and you find out: no, no, no.

Speaker 1:

You've got 100 meg. Now this manifests, and you see this very quickly, in a couple of things. You connect to the gateway, and you try to download or do something or upload, and you see your network saturate at 80, 90 megabit per second, or somewhere around 10 megabytes per second of data transfer if you're actually looking at the progress bar. The other issue that we see a lot is what you'd see like in buffer bloat based on weighted or quality of service or CoS queuing and rate limiting. And the fun one with that one is you'll see the network speed come up to its maximum, or maybe it passes the threshold where the QoS or CoS policy kicks in.

Speaker 1:

And what does it do? It does a TCP reset, and then boom, the network drops down. And so you end up with this pattern where it goes straight up like this, but has this sawtooth going down. And it just absolutely sucks. It's such a stupid problem to have to deal with, where it's just: don't have 100 meg connected gateways that you're filtering all of your user traffic through.

Speaker 1:

Like, this, it's just especially when you claim that you don't. A problem that we see a lot is we'll see service providers that use a mobile client that gets installed on the device, so your laptop endpoints, your phone, and your tablet endpoints. And it connects a VPN session. And then for some crazy reason, it basically sets fire to your battery.

Speaker 1:

Very sophisticated terminology here. But if you look at it, as soon as you enable the client and use the client, your battery life for some reason just falls off a cliff, and you go from 8 hours of battery life to, like, 3 hours of battery life while you're using the client. Now I don't understand how something like that gets through any sort of quality assurance program. I also don't understand how anybody from a sales or marketing or executive overlay within that company... it's like, are you not using your own software?

Speaker 1:

You don't realize that you can't use your cell phone anymore when you use your own client in order to get your SASE functionality delivered to your endpoint? And so I get really, I don't wanna say suspicious, I just wonder about companies that do that and providers that do that, because it's just, okay, it's great. So you don't use your own software, the platform that you're selling, obviously.

Speaker 1:

So if you're in the market and you're trying to evaluate and figure out what to do here, you should absolutely find a SWG or SAP. And by the way, SWG is great. It's a great first step. And if you're doing DNS-based filtering, it's fantastic. If you're actually going to a gateway, that's even better.

Speaker 1:

And the advantage you get with going to a gateway, again, is that you can get into all the rest of the things that you want. You can get into CASB. You can do DLP. You can get into RBI. You can do ZTNA.

Speaker 1:

You can do all these other things if you have a gateway-based solution. If you don't have a gateway-based solution and you're just dealing with DNS, you're gonna have to overlay some sort of other remote access or ZTNA or CASB or DLP or whatever you're actually looking for into your environment as well. So this is where you get into these issues with how many stacks, how many different vendors, how many different providers you have to bring in in order to provide that functionality that you actually need. So I generally advise people not to implement a solution if there's no next-step road map that you can take with that solution. So the chances of you implementing an SWG and then wanting to have CASB, DLP, RBI, ZTNA is pretty high.

Speaker 1:

It's very high. Like, you're gonna probably be 100% doing one of those things in the next 12 to 18 months. So don't pick an SWG that doesn't give you the ability to layer onto it and do it. This is an argument for bundling. This is just an argument for sanity in terms of vendor evaluation. And by the way, there are great options for DNS-based filtering that you can get for free. So if you do not have budget for an SWG today and you want to provide some additional overlay and protection to your endpoints, just configure Quad9 on your fleet. Props and shout out to Quad9. It's DNS-based filtering. It is free, as a nonprofit, and they've got great threat intel fed into them. It is an excellent way for you to improve the posture and stance of your devices and protect your users without spending a penny.

Speaker 1:

You just have to configure a DNS profile and make sure it gets pushed out to your endpoints with your MDM. And you've got an MDM, right? So it's easy for you to make this change and deploy it. OpenDNS still has free options.

Speaker 1:

Cloudflare has a free option. I would just say use Quad 9. It's a nonprofit. They do this. It's wonderful.

Speaker 1:

It's great. You support them. Send them money if you can. So now some OEMs, especially in the firewall space, have gone out and acquired or added on SD-WAN functionality, and want you to do crazy stuff with your remote users, where they want your remote users to still pin back through their firewalls on premise, or they've got some cockamamie gateway set up themselves that then effectively does a split tunnel, and some of the traffic goes through their gateway to the Internet, some of the traffic goes back to the firewalls, but you have to have the firewalls in place in order to get the functionality that you need.

Speaker 1:

And depending on whether you're using the Internet access or the web gateway product, or, sorry, a remote access product, you end up in these really crazy... like, nobody would actually stand in front of a whiteboard, describe what they need, and end up with that architecture. So if you're staring down that, remember the incentive of a hardware manufacturer firewall vendor is to sell you hardware firewalls, and if you want to move away from hardware firewalls in your locations, that is probably not a great architecture or plan for you from a road map or purchasing decision either. If you wanna keep those devices for the rest of eternity and pay the incredible price it is to purchase them and the incredible price it is to support them and refresh them, absolutely have at it. I would not spend my money on that personally. So then you get into, maybe we talk about the last thing here, which is how do you transition from one to the other?

Speaker 1:

And, I mean, that's just situationally dependent on what you need and where you're at. A big problem and a big miss I see with a lot of technical teams trying to go out and do these sorts of things is they don't really have a clearly defined user use case that they're trying to solve for. So then when they go to the organization and say, we need to do x, y, and z, they can't answer the why behind it. Well, why are we trying to do this? Why do we need to spend money?

Speaker 1:

What's wrong with what we currently have? So if you wanna go out and acquire this stuff, start with the use case and work your way backwards into technology. We need to protect our users when they're browsing the Internet so that they don't download malware or ransomware or something along those lines. We need to prevent phishing attacks. We need to prevent unauthorized access to our CRM and ERP systems by disconnecting them from the public Internet.

Speaker 1:

We need to... it's like, why do we need to do that? Oh, because we're required to by the compliance framework that we're using. Customers dictated to us that we have to ensure that corporate owned, or sorry, that customer data cannot be on non-corporate-owned devices. I mean, I guarantee you there is a use case that you can find very easily that'll justify improving your security posture if you actually talk to people in the organization and you're looking for what you need. Just when you do it, make sure that you're not deploying one of these garbage gateway systems that's gonna limit your end users to 100 megabit, because now what you've done is you've just created a problem that you're gonna have to dig yourself out of, and usually with a contract attached to it.

Speaker 1:

And that's not gonna be a situation you wanna get into. So the moral of the story here is gateway-based SWG is great. Crappy providers are bad. Make sure you're getting a good one and not a bad one. If you have any questions, reach out.

Speaker 1:

We're happy to help you walk through this. If you wanna tell me that I'm completely wrong, hit me up in the comments below, and I'll ignore it.
