Unveiling SASE: The Ultimate Hack for Cybersecurity
I'm Max Clark. This is 20 minutes max, and I'm gonna go on a rant about Sassy. No. Not I'm so Sassy, I guess, but I am. Talking about secure access service edge.
Speaker 1:What is Sassy? Well, it's a bunch of things. It's actually everything. Sassy is a definition of basically the, you know, everything in the kitchen sink thrown in together into one one blah, you know, that's just become sassy. Right?
Speaker 1:Thank you, Gartner. And actually, you know, something that people don't talk about that I actually really love about sassy is sassy is the best hack towards better security for your network. I'll talk about that in a in a moment but first off okay what's Sassy? So on your network function when you talk about, you know connecting an a location a premise to the internet or to to, you know, applications that are not a premise, or you're gonna talk about remote access, remote users connecting back, either connecting to the Internet and working or connecting back to your application locations, right, whether those offices or data centers, everything that gets involved in that. Right?
Speaker 1:So SASE is your SD WAN, your next generation firewall, secure secure web gateway, your z t and a, your remote access function, if you have CASB and DLP, everything that is involved in doing those things for your company get looped together grouped together into this thing that is now referred to as Sassy. So you can go out and you can buy point solutions, and you can say, okay. We need a firewall, and we need a VPN, and we need some sort of, CASB or DLP solution. And I wanna secure a gateway, and I want this. I want that.
Speaker 2:And you can go out
Speaker 1:and you can buy them all independently. Or you can, you know, find a vendor with a sassy architecture, and you can get them all from one source. And then you can have all the benefits of having 1 vendor, 1 throat to choke, and everything integrated and working properly together. And, you know, and then the clouds park and the sky, you know, the the the sunshine raids through and everything's wonderful, and then you have Sassy. I I said earlier that Sassy is a phenomenal hack, one of my favorite hacks to improve network security and cybersecurity for an organization.
Speaker 1:And why is that? If we're doing an SD WAN project. Right? So now every SD WAN vendor has a Sassy component to it or has a Sassy endpoint in mind. Right?
Speaker 1:Because it's not just SD WAN. SD WAN is too limiting. Sassy in order to be a a modern SD WAN vendor and have any, you know, a future survival right in the in the marketplace. Well, there you go.
Speaker 2:Go out and you buy
Speaker 1:your SD WAN, but it's got the sassy functions into it. Now you can put a next generation firewall on top of it or secure web gateway or, you know, RBI or you know, it sounds like I'm I'm doing baseball stats. Right? So secure web gateways, SWG, remote browser inspection, RBI, cloud access service brokers, CASB, data loss prevention, DLP, ZTNA, 0 trust network access. Right?
Speaker 1:I I actually know what these acronyms mean. That's, you know again such a nerd sometimes anyways looking at these things in terms of evolutions of companies right you're not going to go from like we've got all this stuff on-site and we're gonna rip it all out we're gonna replace it usually it's we've got all this stuff on-site but we've got something that we're not getting that we need. Right? We've got some requirement that got passed down to us from a business, and usually that could I mean, what's what's a good example? We need better audit of our remote user access to our secure data environments right to our cloud right we've got a VPN right now but we we don't get granular level audit or we've got a requirement supply chain audit a requirement for one of our clients that says that we have to ensure that only company owned equipment can access company can access data that houses our, you know, our client data right so when you start solving these problems you could solve them in a really narrow limited way you get no long term benefit out of it or you can solve them in ways that give you expansive benefit out of it that give you into these architectures and infest and and approaches where you can you can do something next.
Speaker 1:Right? Because why would you wanna solve something for day today and then 3 months later find out, hey. I've got this other requirement, and I've gotta go out and figure out how to solve it as well. Or do you wanna just say, hey. I solve this requirement today and then in 3 months they say hey we need this other thing you go okay great great we just have to go and check that box and it turns on that is it's a beautiful thing let's talk about SD WAN and Sassy in a little more detail because the marketing machine has gotten a hold of this animal thing.
Speaker 1:You know, again, thank you, Gartner. Creating a term that everybody now has to adhere to. So everybody's trying to figure out how to claim they adhere to it. So, you know, I I start with let's start with SD WAN. Let's let's let's just brag on SD WAN for a moment.
Speaker 1:I don't wanna start with this. First off SD WAN is magic. I love SD WAN. You know, we should talk about, like, the differences between SD WAN for a moment. So, you know, SD WAN by definition could just be you've got a web interface to configure, you know, our you know, a cloud hosted web interface to configure your your network edge, your your router, and your firewall, which is usually kind of one function now for a lot of environments.
Speaker 1:You know? And and you might say, well, why is that important? Well, if you've never configured an ASA firewall VPN from scratch in the command line, you do not appreciate how wonderful being able to go, I wanna fire I wanna VPN from here to here. Go. And it just turns on for you.
Speaker 1:And it's just like, holy smokes. There's a VPN now. You know? Now you don't get the joy of the CLI of a finally having a VPN come online where you get to do a dance. You get to do the engineer happy dance and celebrate that you've got this VPN working, and you have no real idea why it's working or why it wasn't working beforehand.
Speaker 1:And what any of this junk actually means because you've been copying out of, like, 15 tech notes on on Cisco's website. You know, SD WAN can just be, you know, point and click configuration. Right? So Meraki is a great SD WAN. So, by the way, Cisco bought Meraki because they're great switches and great access points and and pretty decent firewalls.
Speaker 1:And, you know, it's blah blah blah. It's SD WAN. Cisco has purchased a lot of different SD WAN trying to figure out their SD WAN story. I think they're still trying to figure it out. You know, point being there is is you're not purchasing a Meraki MX to provide SD WAN for real time circuit health latency and path selection.
Speaker 1:Right? You're not you're not doing it with that because it doesn't do that. If you didn't know that, now you know that. Meraki does not do that type of SD WAN at all. So don't buy it in Meraki if you want that.
Speaker 1:Palo Alto purchased CloudGenics. Phenomenal SD WAN box. There's just some really cool stuff. Really sophisticated, you know, path selection. Really sophisticated and in, application aware, you know, traffic routing.
Speaker 1:Hey. This this network link seems fine, but this application has really, really, you know, slowed the TCP handshake. But this other link is much better, so we're gonna use that other link as well. Really super sophisticated stuff. Problem with you know, I don't say it's a problem.
Speaker 1:Just the architecture when you look at what Palos is trying to do with CloudGenics, still requires you to have physical firewalls, you know, from Palo Alto in a lot of places. You know, the yeah. I mean, that's just the way the architecture works. You know, you can put Prisma on top of it, but guess what? You're still running, you know, Palo Alto firewalls all over the spot.
Speaker 1:You know, it assumes a hub and spoke configuration. It assumes that you're gonna have some sort of data center with, the SD WAN sitting in that data center in order to go back to your remote locations. And if you've got, you know, an application infrastructure that is designed around that, then it's great. Absolutely. You should totally look at using it.
Speaker 1:If you've got an application infrastructure that doesn't assume that, then it's not so good. Or if you've got stuff running in your remote locations that need to be accessed directly from the Internet. I mean, when does that ever happen? There's some random FTP site. It's critical to, you know, a $100,000,000 line of business running in some place that you can't turn off or change or move anywhere else in the world because that would make, you know, obvious sense.
Speaker 1:Right? Maybe not great architecture for you. Ariaka, phenomenal SD WAN for, you know, low latency, high packet loss links, you know, common application, of course, dealing with, you know, cross continent, you know, infrastructure. You've got manufacturing in Brazil with an ERP in the United States or even China or or, you know, EMEA. You know, these sorts of things, or even domestically in the United States.
Speaker 1:You've got a lot of locations, and some of those locations might not have a lot of bandwidth. You know, Ariak has a phenomenally interesting application for this. You know, probably the most common box out there in the market today, the VeloCloud. Why is it so so VeloCloud what was VeloCloud? VeloCloud was built to be an MPLS replacement SD WAN, you know, instead of having private networks.
Speaker 1:You could overlay you know, it's effectively VPN tunnels that are dynamically created and routed by this Velo, you know, VeloCloud box And, you know, either replace your MPLS or in a lot of cases, people augment their MPLS. They still maintain an MPLS circuit, and they they run an over the top, you know, overlay on, you know, with a Velo to provide redundancy if that MPLS link goes down. So you don't have to have, you know, dual network MPLS. You can get go down to single network MPLS, which just saves you a boatloads of money. That's it's great at doing that.
Speaker 1:Again, when you look at how the Velo routes to the Internet, configuration for Velo is it does not have, you know, ingress traffic. Right? So you've gotta deal with, you know, maybe double NAT ing in certain situations. You've got, net boundary changes. Velo deals with this with their public gateways or if you're dealing with a service provider, the provider gateway.
Speaker 1:So that way, you know, for your VoIP traffic or your interactive applications or your VPN endpoints, they can they can go to, they can go to IP addresses hosted in that gateway and come ingress. But not all your traffic is gonna, you know, go between that gateway. This could be good for you. It could be bad for you. It just depends on your application.
Speaker 1:You know, all these organizations are are running and chasing, the sassy definition as aggressively as possible. And, you know, part of the reason why Velo is so popular and you see it all over the place is because they have a really strong reseller program, and they really attack the, you know, service provider in the reseller market. If you talk to just about all of the telcos or cable companies on the market and you ask them about their SD WAN or they try to sell you an SD WAN, it's probably gonna be VeloCloud based. That's just, you know, what they're go to market was and and what, you know, what they came about with. And, again, this might be good.
Speaker 1:It might be bad. It kinda really just depends on what you need. You know, these are all it depends answers. Some service providers, you know, went went Fortinet. You know?
Speaker 1:Fortinet doesn't give you ingress IP, you know, resiliency. It just can't. It's a firewall. It's on premise. Does it do decent, like, path selection failover?
Speaker 1:Yeah. Of course. It does way better than Meraki. I mean, phenomenally well better than better than Meraki. You know?
Speaker 1:If you're in a MSSP and you're trying to do firewall maintenance, you know, sorry, maintenance, firewall management for, you know, downstream customers, well, now you can offer and say that you're doing SD WAN as well because, that Fortinet can give you enough of that that solves enough of their problems. I see a lot of people partnering right now with with Check Point. Hey. You know, it's good, probably. You know, it's a good answer.
Speaker 1:It's also you know, it has a reseller program that support you know, works for them. So they can take their their existing SD WAN, and they can say now we're Sassy because we've got, you know, the firewall, the SWG, the z t n a, everything else. You know, it just happens to be provided by by dual entities. You know, the ideal with with Sassy becomes one vendor. You know, this one throat to choke.
Speaker 1:There is a really oh, I forgot I forgot to mention 1. Cato, you know? So, I mean, Cloudflare Cloudflare is is trying to chase. They're not a sassy vendor. They don't provide the on premise infrastructure.
Speaker 1:They don't have an SD WAN function, but you can get a lot of the you get the next generation firewall, RBIs, ETNA, all these functions out of Cloudflare. You know? So, like, are you what are you gonna maintain on-site? And does Cloudflare then work for you or not? It depends.
Speaker 1:Cato Networks, Cato Networks, next generation firewall can I mean, can give you all the stuff soup to nuts, and they provide their own SD WAN? They've got a, an appliance called a socket. It's not designed to be an MPLS replacement. Could it be? It could be.
Speaker 1:You know, it has, single instance firewalling, a lot of functions. They include down to, like, MDR functions within within their infrastructure. Is it right for you? It could be. It depends.
Speaker 1:See, these things all really depend. The point here is is also, you know, just kinda like understand and know what you're buying and why you're buying it. You know, if you think you're getting a single vendor, a single console, a single admin, and you go to a Cisco Meraki based solution, just know that you're not getting, you know, circuit fail over SD WAN. And you're gonna have a Meraki console, and you're gonna have an open DNS console. And then if you go and get Duo, you're gonna have a Duo console.
Speaker 1:Right? And, you know the same thing is true with Palo. You know, you're gonna have different interfaces to do different things in. If you're with with a service provider that is, using VeloCloud and then is overlaid, checkpoint on top of it, you know, you've got 2 interfaces. If you're purchasing and you're leveraging the MSP to actually maintain this stuff for you, then you definitely don't care.
Speaker 1:You're looking for, you know, the MSP that can provide this in the best way possible for you that actually fits your needs that you need to be. And if you're looking to do this yourself, you know, how how different screens do you wanna be looking at and and tracking through. These are all considerations and things you know that we talk about that we get into we're looking at I mean we start what is the problem what is the objective that you're actually trying to do You know? Are you having a problem with your network? Do you have a limiting thing on your network?
Speaker 1:What is a business use case and objective that you are trying to resolve? Now if you told me that you had, you know manufacturing in South Africa and you had bandwidth constrictions for traffic leaving the continent and you needed to be selective on what was going out and you needed to do TCP d deduplication and you need to do x y. We we we and, you know, we went through that with an you know, with you in a workshop and this is what we we dug out. It's actually a really easy selection process. There's not very many options.
Speaker 1:There's, like, 2 options. There's 2 options that'll solve that problem for you in the SD, in the SD SD WAN world. You know, if you told me that you were looking that you wanted to keep your existing firewalls because you've got an investment in them and you need to maintain them and you needed to provide access to applications running on the premise, and you wanted inbound survivability of your IP addresses. So if your circuits failed over that your IP is persisted. Again, there's really only 2 options for you on the market that will do this.
Speaker 1:It's not a complicated selection process. We don't need to go out and send an RFP out to dozen different people. Like, I know peep I know organizations that do that. But, honestly, that selection process, you know, the decisions already been made for you. You've already decided who you're using.
Speaker 1:You just don't realize it yet because your needs dictate it. Anyways, back to the beginning here. Take this thing full circle. Love sassy and love what sassy provides and love the sassy, idea within companies because we find cases where, you know, we've already solved 4, 5, 6, 7 problems for an organization. They just don't realize it yet.
Speaker 1:When they find out, they get really excited. It's like, wait. I don't have to do anything else. It's just here. You're like,
Speaker 2:yeah.
Speaker 1:All you gotta do is just just enable that feature. Nothing is quite as exciting when you're dealing with IT staff that's overwhelmed. And they think it's gonna be just as grueling agonizing multi month process to go through discovery and selection and evaluation and RFPs and procurement and legal and implementation integration, all that other stuff in order to solve some business requirement that was just handed to them. And you can say, hey. You've already got it.
Speaker 1:Just check a box. So, you know, big big fan of Sassy for that. And, also, big fan of SD WAN. SD WAN is magic when implemented properly. It is just as of from an old network guy, it is just phenomenally amazing when, when you get the right one and, just all your promises to go just just are just are gone.
Speaker 1:Anyways, I'm Max Clark, and that was 20 minutes. Have a great
Speaker 2:day.
