SASE Convergence or Integration? It’s Not the Same Thing

August 17, 2020

Networking and security used to be considered two distinct areas of information technology. Enterprises would build a network to meet their communication needs and then bolt on security to protect data and devices. The widespread adoption of Gartner’s secure access service edge (SASE) architecture all but debunked that notion, and today it’s widely accepted that networking and security must come together.

For Cato, of course, this is nothing new. We’ve always viewed networking and security as two sides of the same coin. The Cato software converges security and networking functions together and into one cloud-native platform. The same software running QoS and path selection of SD-WAN, WAN optimization, and other networking functions is also the same software doing security inspection and policy enforcement.

But for those vendors rushing to join SASE, solution integration has become the answer. Using service chaining or some other method, vendors will connect their networking and security point solutions or with those of third parties. Such an approach, though, is fraught with problems. Deployment involves rolling out multiple appliances or solutions. IT is left juggling multiple management consoles, which complicates troubleshooting. The disparate policy frameworks remain another hurdle.

Let’s take a closer look at the differences between convergence and integration during the deployment, operation, and management phases of the network.

Deployment

Simplified Deployment of Secure SD-WAN

Opening new offices become much simpler and quicker because convergence allows for the deployment of a very, thin edge. With most functionalities converged into the cloud, the connecting software or device can be very light, running as an SD-WAN device, a virtual appliance, or even a small piece of software, like a mobile client. All “edges” of the enterprise are interconnected by one, predictable global backbone.

By contrast, integrating security and networking solutions, enterprises have to deploy and install separate solutions, such as SD-WAN and firewall appliances. Rolling out security appliances at all the branches is cumbersome and expensive—and sometimes even impossible. Additional solutions are needed for remote access and reliable, high-performance, global connectivity further complicating deployment (and fragmenting visibility, as we’ll discuss).

Rapid Network Expansion Enabled by Software-only Deployment

Convergence also enables providers to expand their network’s geographic footprint very rapidly without compromising on the services offered at a location. There are no proprietary appliances to wait on, configure, and ship to a distant location. As such, within a few short years, Cato’s network has surged to more than 50 PoPs worldwide, nearly doubling the coverage density of service providers twice its age.

Cato PoPs

With its cloud-native software platform, Cato has been able to rapidly expand its network, reaching 50+ PoPs in a few short years, the most of any independent, cloud-native backbone.

Operation

Improved Performance with Single-pass Processing

Having converged networking and security enables Cato to decrypt and inspect the packet once, performing all security and networking processing in parallel. As such, traffic, even encrypted traffic, can be inspected at wire speed regardless of the needed security policies or optimizations. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected, and re-encrypted multiple times. It adds unnecessary latency to the network.

One-Pass Architecture

Holistic Intelligence Deepens and Broadens Security Capabilities

Once traffic enters the Cato PoP, Cato captures, stores and analyzes the network metadata of those packets. The metadata is further enriched with threat-intelligence feeds and other security-specific information. More than 1 TB of traffic metadata across hundreds of customer networks is captured every day. The metadata is stored in a cloud-scale, big data architecture. Data aggregation and machine learning algorithms mine the full network context of this vast data warehouse over time, detecting indicators of anomalous activity and evasive malware across all customer networks.

It’s the kind of context that can’t be gleaned from looking at networking or security domains distinctively, or by examining just one organization’s network. It requires a converged solution like Cato, examining all traffic flows from all customers in real-time.

By contrast, with separate security and networking appliances, data is stored in different databases in different formats. The result is a fragmented view of the environment and then often only for one customer. Adding a SIEM doesn’t help much because it’s only processing logs and missing out on the raw metadata that provides such deep insight, particularly for security analytics.

Cato Managed Detection and Response (MDR) Service

Cato Managed Detection and Response (MDR) Service

Management

Converging Management Makes Network Planning More Accurate, Simplifies Routine Work, Eliminates Errors

Convergence also makes network and security management simpler, more effective with less investment. The most obvious example is the management interface. From one platform, enterprises can monitor, report on, and manage their networking, remote access, and security infrastructure. Accounting for all traffic leads to a more accurate understanding of what’s happening on your network everywhere. Network planning becomes more accurate.

Convergence also makes day-to-day interactions easier, more painless. The objects, such as users and sites, created in one domain, are available in the other, shortening configuration times and reducing the number of configuration errors. All too often it’s those errors that increase the attack surface and create the vulnerabilities attackers can exploit to penetrate an organization.

Cato Management console

From a single console, Cato customers can monitor and manage their sites (1), as well as remote users and security infrastructure (2). They have overall visibility (3) that can be drilled into at a click.

Visibility Shortens the Time to Resolve Problems

Convergence also reduces troubleshooting times. Under the hood, all networking and security management data is already stored in a common database. As such, from one interface, IT can correlate network and security events to investigate a problem. It’s a powerful capability long sought after by IT best understood by looking at the alternative.

Take, for example, the case where users across offices periodically complain about call quality. Once you’ve validated the UC/UCaaS system is in order, you start investigating the network.

What might that look like? Well, for one, you’ll check last-mile line quality at the user locations. The last-mile jitter and packet loss metrics lines may not be available for past events, though. You’ll probably need to capture the data and wait till the next time the event occurs. But, for the purposes of this discussion, let’s assume you have the data right now.

So, you jump to your provider’s monitoring console and extract the relevant information. It’s not available from the provider? Maybe you can connect to each edge device to pull the data. Another console will be needed to check your backbone’s performance as well. Still, another console might be needed to ensure QoS and bandwidth rules aren’t throttling the line. And a fourth interface will need to be consulted to be sure a misconfigured firewall rule isn’t blocking access for some users.

Your IT team has had to juggle four or five consoles, already. With each one, they had to master the product set and interface nuances to extract the needed information but there’s more.

For complex problems, you’ll want to correlate event data across the platform. This means exporting the data, assuming that’s possible, into a common platform for analysis. You’ll need a tool that can ingest the various data sources, store the data into a data warehouse, normalize the data into a common format, graph the events out onto a timeline, and then give you the tools to filter and query appropriately.

Or you can just use Cato Instant*Insight, a feature of the Cato management console, and available to all Cato customers. With Cato Instant*Insight security, routing, connectivity, system, and device management event data for the past year (and longer, if required) is available, correlated, and mapped onto a time frame for analysis. From a simple Kibana-like interface, customers can drill down to analyze problems from across their network (see figure below).

Cato Instant*Insight

By converging security and networking data into a common database, Cato was able to quickly introduce Cato Instant*Insight. This SIEM-like capability allows users to see all routing, security, routing, connectivity, system, and device management events (1). They can even drill down into a site to see network health events, such as packet loss metrics (2).

The Strategic Advantages of Convergence

We’ve identified the benefits convergence brings across the network and security lifecycle. Faster and simpler deployment and rapid network expansion. Better network performance and deeper network visibility. Easier routine management and faster troubleshooting. These are all important, of course, but convergence has even greater, strategic implications as well.

For too long, the sheer complexity of the enterprise networks has burdened IT with hidden costs at every level. Capital costs, for example, remain high. They’re dictated, in part, by the licensing fees companies pay to their suppliers. And although networking solutions will share some functionality, such as packet processing, (de)encryption, and deep packet inspection (DPI), each must redevelop the technology for itself, failing to pass potential savings onto the customer.

Operational costs also increase in every part of the lifecycle with each new solution. For every new product adopted, IT must learn about the markets, evaluate their options, and then deploy, integrate, and maintain solutions. The whole process consumes precious staff resources.

Staffing requirements remain high. IT must find individuals who have first mastered the arcane commands needed to extract the necessary data from their various IT solutions. This leads to IT teams that are built based on vendor and appliance expertise, rather than on broad network and security administration and leadership skills. It’s like requiring people to master car mechanics before receiving their driver’s license. Is it any wonder IT faces a staffing problem?

And each solution increases the risk to the company. Attackers are no longer only targeting government or the largest of companies. They’re going after everyone and none can afford to leave infrastructure unprotected. Yet with each new solution deployed, there comes another opportunity for penetration. IT must spend more time and effort of highly-skilled, and expensive, technical experts to ensure infrastructure is patched and kept current. Too often that’s not the case, which had led to attacks through VPN servers, routers, and, yes, third-party SD-WAN appliances.

Convergence changes the IT operations paradigm. With one set of code, one data repository for all event data, a seamless interface becomes possible for the entire network. It presents IT with the tools to do what they need to do best and not sweat the grunt work.

Trying to achieve that by piecing together existing devices and solution is impractical if not impossible. The technical problems are immense but don’t discount the business disincentives. The management console is too important for vendors to expect them to give up on their interface. It’s a major tool for differentiation from the competition. Which is one major reason why, beyond any technical challenges, forming a single-pane-of-glass into networking and security has been so challenging for so long.

Only a platform built for convergence can deliver the benefits of convergence.

Dave Greenfield

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.