A true unified SASE platform should use a single operating system, a unified client, a single analytics engine, and a single policy engine that can run on physical and virtual appliances, in the cloud, and as-a-Service.
Network security is one of the largest sectors of the cybersecurity market today. As with any technology, network security has undergone several evolutions over the past couple of decades, especially as new features have been added or consolidated into a platform.
Today, network security is in its third era of development—the Unified SASE Era. To fully understand the current era and where the technology may be going next, let’s back up to the beginning and review. Then we can talk about where it’s going in the future.
First era of network security: The stateful firewall
In the beginning, networking was created on the principle of trusting everyone and connecting everything as fast as possible. In a perfect threat-free world, that original objective of networking would be easily achieved. However, cyberattackers quickly made a mess of networking by exploiting unsecured connections. In the mid-1990s, the industry’s response was to create the stateful firewall, designed to control access to private networks. So, we’re calling the first era of network security: The Stateful Firewall.
The first stateful firewalls stopped traffic based on IP addresses, ports, and protocols. They created trusted and nontrusted networks and sometimes even a demilitarized zone, which sits in between both. This was a significant improvement over just connecting everything. However, as application ports became well known owing to traffic migrating to application ports such as HTTP and HTTPS, simply allowing traffic on these ports was no longer an effective defense as its Layer 7 filtering was not granular enough. Consequently, a lot of traffic would pass through without inspection.
Many firewall vendors also began to add secure remote access via virtual private networks (VPNs). This allowed remote users and branch offices to work as though they were on the network. However, this required them to add an agent to extend secure connectivity to remote endpoints.
As users increasingly connected to the internet, a proxy was put in between the user and the internet; the proxy would act as an intermediary between users and the internet. When bandwidth was at a premium, caching devices were incorporated to improve internet performance.
Note that while network firewalls have evolved, traditional stateful firewalls will not disappear completely. Use cases such as internal segmentation remain essential to protecting networks against the lateral movement of threats.
Second era of network security: NGFWs
When cybercriminals began to target application traffic, it became critical for security teams to have application and content inspection tools to determine if traffic was malicious. In other words, threat protection was becoming a critical job for the firewall. As a result, stateful firewalls evolved into unified threat management (UTM) devices, later known as next-generation firewalls (NGFWs).
NGFWs were placed at the network edge, which was usually at the data center perimeter for traffic accessing external applications and the internet. They could identify applications and mitigate most threats in flight, making NGFWs critical for in-path communications. Deeper content inspection and understanding of a URL’s application content provided more visibility and granularity to mitigate threats.
However, these additional layers of inspection, including SSL and deep packet inspection, required more security-specific processing power than the off-the-shelf processors powering most NGFW appliances. To address this challenge, Fortinet developed the industry’s first security processing unit, a purpose-built ASIC designed to increase performance by offloading critical security functions.
Concurrently, intrusion prevention systems (IPS) became a security tool used by InfoSec teams to protect endpoints from attack, with different IPS signatures for different types of applications. Because IPS and NGFW devices were usually deployed on the same edge, it became apparent that inspection and enforcement worked just as well—and sometimes even better—as part of the NGFW.
As attacks from the internet increased, additional security was also added to the traditional proxy and became known as the secure web gateway (SWG). This technology included URL filtering, antivirus, data leakage protection, and SSL inspection.
Third era of network security: Unified SASE
We are now in the third era of network security. The traditional perimeter has been completely reimagined. To secure today’s highly distributed environment, a new, more expansive type of platform is required—one that can work across the hybrid workforce, distributed edge, and multi-cloud environments. It must also expand the convergence of networking and security across all edges by supporting multiple form factors, physical and virtual appliances, multi-cloud platforms, and as-a-Service.
In 2019, at the beginning of the third era of network security, new solutions were being developed. Gartner® coined the term SASE to refer to these solutions: “Secure access service edge (SASE) delivers converged network and security as-a-Service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch office, remote worker, and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”*
When introduced to the market, SASE solutions were comprised of the core components of security service edge (SSE) and software-defined wide area network (SD-WAN). Then the unified SASE approach was launched. It allows protections to move beyond simply defending against external threats to consistently securing data wherever it might be. To do this, unified SASE components must be deeply integrated, and the solution must be AI-based so it can detect, correlate, and respond to threats whenever they target the network.
Unified SASE goes beyond traditional SASE solutions by converging end-user connectivity with critical networking by incorporating an SD-WAN. SD-WAN quickly became a critical technology for replacing simple routers at branches and campuses with faster, smarter, and more cost-efficient connections to the rest of the network. Adding SD-WAN to a unified SASE solution ensures end-to-end visibility and control, resulting in more optimal performance and faster access to applications for customers.
Unfortunately, early SD-WAN solutions did not seriously consider security. They needed a separate firewall appliance and security solutions that had to operate as an independent overlay, which diminished the value of the flexibility that SD-WAN provided. Cybersecurity vendors like Fortinet solved this problem by building enterprise-class secure SD-WAN directly into the firewall.
As SaaS applications became more popular, a cloud access security broker (CASB) based on API access was also added. When CASB was tied to SWG, the solution became cloud-based and known as SSE. SSE plays a critical role in the unified SASE solution.
Zero-trust network access (ZTNA) is also a key component of unified SASE. It provides application-specific access, replacing implicit trust with explicit access based on user and device identity, context, continuous endpoint posture monitoring, and adaptive granular access to specific applications. ZTNA is used in conjunction with SSE to replace or complement remote access via VPN.
With unified SASE, network security and endpoint security must be intrinsically connected. VPN, SASE, and ZTNA ensure that endpoint devices function as an extension of the network. There also needs to be a digital experience monitoring (DEM) element to measure end-to-end experience. And, of course, it should include an endpoint protection platform (EPP) and endpoint detection and response (EDR) functionality along with agentless options.
The critical elements of unified SASE
Unfortunately, most vendors are not taking an integrated approach to SASE. Instead, they are building their platforms by acquiring companies and bolting on their technologies. While this may look attractive on the surface, it’s not really a platform underneath, which means things don’t really work together in the way they need to, making end-to-end visibility and control very difficult to achieve. Indeed, not all platforms are equal.
A true unified SASE platform should use a single operating system, a unified client, a single analytics engine, and a single policy engine that can run on physical and virtual appliances, in the cloud (including all major cloud-provider platforms), and as-a-Service. It should also be powered by integrated threat intelligence and AI.
By integrating protections designed for clouds, connections, networks, and endpoint devices into a unified security strategy, this third era of network security expands security to every edge. The integrated, platform-based approach of Unified SASE enables organizations to build and evolve their networks as they need, allowing them to respond to business demands without compromising security, performance, or user experience. Its innate adaptability also provides a path forward to meet the next era of cybersecurity challenges.