The Need for a Converged SASE Platform. Converging Network & Security Services with Catonetworks SASE Platform

The digital transformation is pushing applications to the cloud, the 2020-2022 pandemic shifted employees to work from home, and the number of resulting new use cases is sending IT leaders scrambling for answers. The number of solutions IT departments have had to adopt to ensure their network's performance and security has continuously grown for over a decade.

The recent trends have greatly accelerated this process. When looking into ways to help mitigate this complexity, one of the leading conclusions is that enterprises should find ways to consolidate their separate, stand-alone, products into a unified solution which can be more easily managed and maintained, and which can provide them with a consistent and a holistic view of all traffic in their network.

Gartner has gone a step further and designed a framework that facilitates this, which they named the Secure Access Service Edge (SASE). SASE is, in essence, an architecture that converges networking and security capabilities into a single solution and goes a long way in reducing network complexity.

Before we talk about the networking and security services that SASE converges, let's first look at the entities and traffic flows they need to serve.

The journey starts at any of the enterprise's endpoints which need to access any of the enterprise's assets or external resources. The origin endpoints are typically users who can connect from any of the enterprise's physical locations or remotely. Physical locations are typically enterprise headquarters or branch offices, which connect between themselves or to other enterprise locations such as physical or cloud-based datacenters. Enterprises typically use an MPLS and/or SD-WAN product to connect their physical locations:

Traditional MPLS VPN Network

Mobile & Remote users will use a remote access solution to connect to their networks. Cloud-based services such as AWS, Azure will require virtual connectors, or other secure tunnel solutions to connect to the enterprise network and remote offices use a private managed MPLS service to connect to the headquaters.

As we can see, a modern digital enterprise needs to connect various types of endpoints that are spread across multiple locations.

So how is it possible to converge network and security services for such a dispersed network topology?

The only real option, as Gartner stated, is to use a cloud service to which all network endpoints can connect and which is capable of delivering all required services. This is precisely what Cato's SASE Cloud platform offers:

SASE Architecture Example

Each endpoint connects to the nearest Cato Point-of-Presense (PoP). All traffic sent from the endpoint is processed by the PoP's full software stack that provides all networking and security services.

The convergence takes place deep inside the PoP, within the Single Pass Cloud Engine (SPACE). SPACE ensures all services are applied with a single, unified, context which provides them with a holistic view, enabling a better-informed decision process. While its implementation takes place "under the hood", convergence, much like justice, must be seen to be done. A solution that doesn't look converged, is probably not.

Another major benefit of the Cato converged SASE network is the reduction of jitter and packet loss, already covered in a previous article using a real scenario.

Related Articles:

• Complete Guide to SD-WAN. Technology Benefits, SD-WAN Security, Management, Mobility, VPNs, Architecture and more
• How To Secure Your SD-WAN. Comparing DIY, Managed SD-WAN and SD-WAN Cloud Services
• SASE and VPNs: Reconsidering your Mobile Remote Access and Site-to-Site VPN strategy
• Converged SASE Backbone – How Leading SASE Provider, Cato Networks, Reduced Jitter/Latency and Packet Loss by a Factor of 13!
• Key Features of a True Cloud-Native SASE Service. Setting the Right Expectations

What Does a Convergence Network & Security SASE Platform Look Like?

Cato's SASE Cloud management console is where we can see the convergence magic can be seen.

Cato’s SASE Cloud Management Console Menu

At the top we can see the five main categories:

• Monitoring - We will talk about monitoring a bit later.
• Assets - This is where we define all the different endpoints and locations for which we will apply our services.
• Network - Is where we define networking services rules.
• Access - Where remote user access is defined
• Security - Covers all of Cat's security services.
• Administration - General configurations (Licenses, alerts, log settings, etc.)

As defined by Gartner, Network and Security are the basic building blocks of the converged SASE architecture, and both are managed and delivered side by side in Cato's SASE platform.

Let's take a deeper look at the network management capabilities.

Cato's SASE cloud security services – Network Menu.

We can see that the Network sub menu covers all aspects of network management. This includes network access rules, bandwidth management, DHCP and IP address administration, DNS definitions, Connection SLAs, Remote Port Forwarding, Link Health reporting  and more.

The security menu covers Cato's SASE cloud security services which include a for both internal and internet-bound traffic flows, Intrusion Prevention System (IPS), Next Generation Anti-Malware (NGAM), Content Restrictions, Application Control, Data Loss Prevention (DLP) and a wide range of additional services and security policies which can be define:

Cato's SASE cloud security services – Security Menu.

By delivering all networking and security services via single management console we can create a unified context for all enterprise definitions. There is no need to define users several times in different systems. This promotes simplicity and reduces operational complexity and improves security. But the advantages of a converged solution are not solely in the management plain. They are also, and possibly even more importantly, in the operation and event management level. The ability to view all networking and security events via a single, unified, monitoring tool provides unprecedented visibility into every aspect of the enterprise's network state. The following is a view of all events:

Cato's SASE cloud security services – Security Events.

At the bottom of the graph we can see all categories included which are: Security, Connectivity, System, Routing and Sockets Management.

As we can see this is a truly converged view which covers all security and networking events. If we observe an abnormal behavior in our network we are provided with clear insight into what caused it.

We can click on any of bars in the chart to see the distribution of events types within it that specific time-frame:

We can of course view only specific event types, such as Connectivity by clicking on the desired category: 

Thanks to Cato’s advanced SASE platform we can easily drill down deeper to look for specific types of events. For example, focusing on Phishing Security events can be easily achieved by clicking on the Security category and then selecting Phishing events:

From here we can analyze all the Phishing related events that took place within a selected timeframe:

Cato's SASE cloud security advanced event logging.

Cato’s Deep Packet Inspection (DPI) technology enables its customers to not only get a full list of all selected events, but drill down further and see granular data extracted for the data streams:

Cato's SASE Deep Packet Inspection Technology in action.

Summary

The SASE promise of simplifying enterprise networks through convergence is fully delivered upon in Cato's SASE Cloud service. It is an inherent part of the management console which enables networking, security, remote access, and endpoint control and visibility via a unified, singe-pane-of-glass system.