SASE in the Real World

In the previous article, we explored the evolution of SASE, current trends, and predictions for 2021. There is a lot going on in this exciting phase of the development of a next generation secure connectivity. SASE model has been focused on the cloud and has a distributed architecture for connecting various endpoints (user, device, or branch offices) to the service edge. The service edge consists of a network of distributed points of presence (PoPs) where the SASE software stack is deployed. Interest in the industry is no less in figuring out how the SASE umbrella can help the next generation use cases like 5G, MEC, IoT, etc. As technology continues to evolve and break free from wires, traditional and upcoming wireless technologies are vital to the trends like IoT, 5G, MEC.

5G: The advent of 4G networks has made businesses more mobile, agile, and connected, and now, 5G promises even greater bandwidth, performance, and reliability. We have been seeing network upgrades and new radio deployments throughout 2020 and many service providers now offer 5G connectivity to subscribers especially in the metropolitan cities. As a successor of 4G, it has a lot of promises for both consumers and businesses. The famous triangle of 5G use cases below looks far-fetched but promising as technology stack and services to support these are being developed by various enterprises in almost every vertical right now.

Enterprise networking is still in the early stages of the 5G revolution. Mobile security is not a new concept, yet the number of attacks and attack sophistication from different endpoints is increasing as networks are transforming. Apart from sophisticated 5G network attacks, another security challenge is the lack of visibility due to diverse network entry points and security dependencies on external partners and customers.

An organization’s infrastructure whether it’s on-prem, cloud-driven, or hybrid, needs to securely communicate and pass data between various networks. Additionally, organization infrastructure needs to properly integrate the existing 4G, Wi-Fi, CBRS, Private LTE networks with the new 5G networks.

5G networks will initially connect, communicate, and exchange data with 4G networks through a common core which can result in major security risks from the gaps in network equipment interoperability, misconfigurations, poor network management, and security integrations between intra-networks. Decentralized SDN stacks also lack the ability of centralized points of inspection which makes an end-to-end network visibility a challenge.

Many organizations proactively try to fix 5G security challenges with the latest security solutions, even though they are not truly designed for 5G networks. These solutions might be helpful in the near term but once the scale and complications increase, it can increase the number of attack vectors for infiltration. As a start, organizations should adopt the ZTNA model to ensure appropriate 5G network access. By addressing concerns head-on with ZTNA, organizations can monitor and block the network and user access activity which is further made simple by the use of AIOps.

Organizations need to rethink their entire security strategy when it comes to 5G networks. IT and security teams need to implement the right security policies to secure their network for 5G. Instead of adding multiple security solutions to cover vulnerabilities caused by the 5G implementation, companies should evaluate the SASE model for the complete network and security solution set of their networks. SASE umbrella can help organizations to secure the users, devices, applications, services and data located outside of an enterprise than inside.

Early adopters can utilize SASE secured 5G network that is capable of matching 5G speed, agility and scale.

MEC: Mobile Edge Computing is not a new concept but was a decade ahead of the market’s ability to fully utilize it. New technologies like 5G have added uses cases like enabling faster data processing and decision making for connected devices and IoT. 5G enables data processing close to the connected devices, using ultra-low latency and ultra-high bandwidth, and extends the breadth and variety of supported edge computing use cases.

For MEC, the architectural components of 5G networks like the control-plane elements of the 3GPP 5G standards are delay-sensitive, so they need low-latency hosting, near the 5G edge.

Edge devices have become increasingly important recently with powerful compute and networking capabilities. Edge is the last mile whether it’s the near edge, far edge, or cloud edge, which are the new structure of network edges based on the placement of edge computing infrastructure.

As 5G has started to enable businesses to distribute large amounts of data across the networks, it is getting rapidly impractical to send it to a central infrastructure to process and take actions.

Instead, we will rely on a significantly more powerful edge that sits closer to where all the action takes place. This shift delivers the much-needed value as the MEC edge becomes a hub of MEC edges to form a geographical SASE cloud where nearest or lowest latency edge is selected as the edge gateway to various networks and destinations.

These Edge computing solutions are now complemented by various DevOps toolkits and CI/CD processes that align with automated development and testing improvements in a frictionless manner.

Edge is going to expand the 5G networks even further and SASE is well positioned to provide secure connectivity and security between these intra-networks.

Localized network traffic processing and controls enable more control over localized security, regulatory compliance as well as cloud egress traffic filtering and monitoring. With greater adoption of cloud-based security solutions in business environments, the amount of data being passed through the network will continue to grow dramatically and thus the need for MEC becomes particularly valuable.

In 2021, we should expect more alliances and use cases that take advantage of the ability to combine various forms of edge computing technologies and 5G network architectures.

IoT: Connected devices continue to define and expand numerous industries in 2021, while at the same time, the IoT landscape remains fragmented with prevailing standards, connectivity chaos, and proliferation of use cases. Securing an IoT environment is a challenging task as IoT devices are generally built with no security in mind and are extremely vulnerable. Most IoT devices are shadow IT devices and their activity remains unmonitored while connected to the corporate network. We are now moving applications to the edge, as well as moving the edge itself. Traditional networks that used to connect branches to data centers, now inter connect users, the IoT ecosystem, data centers to the cloud.

There are a variety of connectivity options, and organizations need to think about the use cases and select the connectivity option accordingly. Leading SD-WAN players are now incorporating IoT functionality and support on their edge devices.

As 5G and IoT technologies accelerate a trend of devices residing outside of the enterprise network, there is a need to move the decision-making part of security controls at the edge of the network as well. 5G infrastructure can connect millions of wireless devices and enable machine-to-machine (M2M) connectivity links in the IoT.

MEC and IoT endpoints expand the attack surface exponentially, for example, malicious actors can take over edge devices to form a botnet to perform a DDoS attack to paralyze networks. IoT combined with AI and ML can predict the potential occurrence of network attacks but those models are still in the development phase for any predictive defense strategy.

We can also place security controls at the point of network access, instead of where the data resides, especially by using AI tools to automate threat detection and mitigation. Also, because of the pandemic, having remote controlling and monitoring capabilities became much more prevalent. The powerful combination of 5G, ML/AI, IoT, and edge computing opens up rich possibilities and expands boundaries for businesses as well as consumers.

Egress Filtering: A simple concept of egress filtering can reduce business or technical risks to any organization. Egress filtering is a way to ensure that your device or network does not become the source of any network attack. Too often security administrators perform ingress filtering, but fail to perform egress filtering which puts inter and intra networks at risk.

With the powerful combination of MEC, IoT and 5G in the mix, uncontrolled edges and smart devices can be the new attack vectors without the egress filtering.

Quite often overlooked, SASE also bundles sophisticated egress filtering capabilities from any edge location. By egress we mean not the data that traverses a perimeter in response to a legitimate request, but the data that leaves the perimeter due to the volition of some process within that perimeter. This is the most common direction of data travel that command-and-control (C2) techniques use, as was the case in the recent Sunburst backdoor found at SolarWinds attack. With explicit policies on where egress connections are allowed to, or with monitoring and alerting on such traffic, even sophisticated C2 backdoors can be mitigated for good.

discrimiNAT firewall is a cloud-native solution to being unable to specify hostnames/FQDNs in Google Cloud Firewall Rules and AWS Security Groups for scalable egress filtering. The firewall’s custom Deep Packet Inspection engine works by monitoring and blocking traffic without decryption. It is transparent and fast and deployed inline as a high-availability NAT Instance on the egress of your VPC network. Forward looking attributes include simple configuration and deployment, policy enforcement, cloud native configuration and logging for audits, encryption standards and compliance.