MEF – Think About It

SASE: The Fusion of SD-WAN and Cybersecurity

By: Ralph Santitoro | January 27, 2021

SD-WAN services have evolved networking to focus on what is important for organizations, namely, applications and policies. Rather than working with low level networking constructs and functions such as IP packets and access control lists (ACLs), SD-WAN services enable network administrators to focus on creating policies for the specific applications used in the business, e.g., Office365, instead of its IP address, e.g., 52.165.129.203. This also simplifies setting policies per application such as which applications to allow or block, prioritize based on business importance and readily identify applications using the application name rather than a nondescript, obscure IP address or port number.

Since SD-WAN services typically use the public Internet network as one or more of its WAN connections, some basic security functions are required, e.g., a stateful firewall providing IP port and protocol filtering, domain name filtering, network and port address translation (NAT/PAT), etc. This approach no longer provides sufficient protection for users, devices and applications for three key reasons:

Application migration to the cloud
Users connecting from anywhere
Accelerating volume of threats

Application Migration to the Cloud

As part of organization’s digital transformation, applications have steadily migrated from running ‘on-premises’ in an organization’s data center to running in the cloud. This means that users will no longer predominantly connect to their applications via a private network, e.g., MPLS, to the data center but will more commonly connect to the cloud via a public Internet connection. According to the Gartner 2019 report “Future of Network Security Is in the Cloud”, more workloads (applications) are running in the cloud using cloud computing (infrastructure-as-a-service or IaaS) or consumed via software-as-a-service (SaaS) than running or consumed in the organization’s internal data center.

Users Connecting from Anywhere

Users have been connecting from anywhere rather than within the confines of an organization’s office building. The network perimeter, from which users connect, has vastly expanded due to the COVID-19 pandemic with many users connecting from home. This perimeter has been growing for several years with users connecting their laptops or smartphones remotely from the office. Furthermore, the number of users who use their own devices a.k.a. BYOD (Bring Your Own Device) has also significantly increased over the past several years. Such assets, not owned by the organization, cannot be controlled, e.g., the organization cannot limit which applications can be installed which subsequently introduces cybersecurity challenges. Just as users are no longer required to connect to the network from the office, organization must adapt to support more devices that are user owned.

Accelerating Volume of Threats

Business is booming for threat actors as we all have seen from the successful ransomware attacks that have shut down businesses and municipalities until payments have been made. While there have been several high profile payment card breaches over the past few years, ransomware attacks have also increased which have an immediate impact to business continuity. Organizations need to think of such breaches as they do trying to recover from a natural disaster, e.g., hurricane, where they have the disaster recovery processes in place for a cybersecurity attack similar to how they would restore business operations in the event of a natural disaster.

An increasing number of tools are becoming available to automate the production of threats so individual people are no longer needed to create and delivery various threats as this is often done now using artificial intelligence (AI) and machine learning (ML) software. Threat prevention needs to be continuous and adaptive to not only protect against currently known threats but also protect against evolving and unknown threats outpacing the rate in which the threats are created.

Increasing Importance of Cybersecurity

When the network perimeter was confined to an organization’s office buildings, i.e., users, devices, and applications operated within the building and private network, cybersecurity was manageable. Now that the perimeter is boundless, each organization’s cybersecurity policies, architectures and frameworks must be revisited and be an integral part of their network architectures and implementations. The network can no longer be designed independently from cybersecurity considerations. Furthermore, cybersecurity can no longer be considered separately from organizational processes and technologies. Cybersecurity must be woven into the fabric of an organization. Hence the importance of SASE.

What is SASE?

SASE melds the comprehensive WAN capabilities of SD-WAN with a comprehensive set of cybersecurity functions to address the migration of applications to the cloud, users working from anywhere, and the accelerating volume of threats.

Typical SD-WAN capabilities provided by SASE Services

SASE services utilize capabilities commonly provided by SD-WAN services listed below.

Over-the-top (OTT) service
- Operates over any type of underlay connectivity (WAN) service, e.g., broadband, MPLS, LTE, etc.
Inherent High Availability
- SD-WAN services typically deployed over two or more underlay connectivity services, e.g., MPLS + Broadband
Secure Transport of Application Flows
- SD-WAN services encrypt all IP packets in transit over underlay connectivity services
Supports Multiple Virtual Topologies
- Can construct unique topologies based on application requirements, e.g., hub & spoke, full mesh, etc.
Application-aware networking
- SD-WAN services enable users to focus on business applications, e.g., Office365, Zoom conferencing, Skype call, etc. rather than IP packets
Policy-based networking
- Provides intent-based policies and policy actions, e.g., allow, block, or prioritize, to determine how IP packets associated with each application are treated by the network rather than defining ACLs using low level, obscure network constructs
Encrypted Internet Breakout to Cloud-based Applications and Services
- Connects to public cloud services and SaaS applications via encrypted TLS (HTTPS) or IPsec VPN tunnels
Application Flow Cybersecurity Functions
- SD-WAN services typically provide an integral set of foundational cybersecurity functions. Such functions include:
  - Stateful firewall
  - Network/port address translation (NAT/PAT)
  - IP Address, Port Number, and Protocol Filtering
  - Domain name filtering (block known malicious domain names or quarantine those with a bad reputation)
  - Security middlebox function to decrypt encrypted application flows to apply security policies and then re-encrypt

Note that some of the aforementioned Cybersecurity functions are part of Secure Web Gateway (SWG) functionality which provides protection against web-based threats. As SD-WAN services and solutions evolve to SASE, they continue to incorporate more cybersecurity functions.

Typical Cybersecurity capabilities provided by SASE Services

SASE services add additional cybersecurity functions to the aforementioned foundational cybersecurity functions provided by SD-WAN services.

Security Policy Management
- Provides intent-based policies that define policy actions, e.g., Allow, Block, Quarantine, or Sandbox, to apply to IP packets associated with an application
Malware Detection and Removal
- Identify, clean (then allow) or remove (block or quarantine) malware from application flows
URL Filtering
- Block or Quarantine suspicious (or known to be malicious) URLs for an allowed domain name
Data Loss Prevention (DLP)
- Identify and block application flows containing confidential, sensitive, privacy-related and personally identifiable information (PII), e.g., social security numbers, drivers license number, payment card numbers, biometric information, etc.
Anti-Phishing
- There are many types of phishing attacks, some of which may be addressed via other security function such as URL Filtering, Malware Detection, and DLP
- A phishing attack uses social engineering to entice the user to click on a URL or submit PII via what appears to be a legitimate email
Threat Detection, Prevention and Response
- Using AI and machine learning, identify suspected threats based on anomalous behavioral patterns, block the threats or threat actors, and subsequently monitor and report them to a security information and event management (SIEM) system
- Note that this functionality appears under different names in the industry:
  - EDR (Endpoint Detection & Response)
  - NDR (Network [Intrusion] Detection & Response)
  - TDR (Threat Detection & Response)
  - XDR (Extended/Cross Layer Detection & Response)
  - NIDS/NIPS (Network Intrusion Detection System/Network Intrusion Prevention System
  - IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
Identity Management
- Identify the different users, devices and applications that want to access the network or networked resources for use by access control policies and mechanisms.
- An organization will often use several Identity Providers (IdP) for identity management (IdM). IdM may be performed internally and via external 3rd-party IdPs.
- It is important to consider a federated approach to IdM to ensure security policies can be effectively managed and controlled when your organization uses a multiple cloud providers
Adaptive Access Control
- Ability to modify security policies that determine the amount of access a user, device, or application is granted ranging from full to partial to no access
Continuous Threat Monitoring
- The continuous monitoring of application flows from users, devices, and applications wanting to access the network and networked resources to identify anomalous behavior

Note that the first six aforementioned cybersecurity functions are commonly provided by a cloud access security broker (CASB) service and may also be provided by services using terms such as NGFW (next generation firewall), UTM (unified threat management), and ATP (advanced threat prevention/protection). The last three functions listed are part of a Zero Trust Framework (ZTF) which provides least privilege access to users, devices and applications. Zero Trust cybersecurity functions play a key role in SASE services.

Cloud-based SASE Security Services

There are many reasons to use cloud-based SASE security services versus using premise-based SASE security services.

Easier and quicker to Deploy
- Setting up a cloud-based SASE security service only requires you to do two things to begin using the service.
  1. Setup a primary and secondary IP VPN connection from your WAN router or SD-WAN Edge to the SASE security service
  2. Enter your SASE security service account credentials
Simpler and More Cost Effective to Scale Up or Scale Down
- SASE security services leverage cloud infrastructure so you can scale up or scale down just like you do with other cloud-based services such as AWS EC2 cloud compute services where you can, in minutes, add or remove compute capacity
Stop Internet-based Threats before they reach you
- A cloud-based SASE service sits between you and the Internet so you are protected from Internet-based threats before they reach your site, device or application

Premise-based versus Cloud-based SASE Services

Since a network perimeter continually changes as users now work from anywhere, you must ensure that the WAN and cybersecurity functionality is sufficiently flexible to support this new reality. Whether a user is connecting from an office, at home, at an airport, at a hotel, etc., they need the same level of threat prevention wherever they connect. When away from the office, users will connect via the Internet using broadband, Wi-Fi or LTE/5G cellular data services. A cloud-based service enables a common approach for these use cases.

From the office, a user may connect to the organization’s data center via a private network connection, e.g., MPLS VPN, in addition to connecting to the public Internet. For the private network, premise-based SASE cybersecurity functions are sensible and could be centralized at the data center as well as distributed at each office. However, some organizations run all of their applications in a virtual private cloud or via a cloud-based SaaS offering all connected via the Internet in which case, a cloud-based SASE cybersecurity service may be more appropriate.

Some parts of a SASE service require functionality to be performed on premises, specifically where the users are located. SASE services could be provided via software installed on the personal device or by a SASE device on premises. Below are some examples that necessitate SASE functions to be located on premises.

If your business location uses multiple WAN connections (since the WAN connections terminate on premises)
If you need to provide threat prevention over the private network between business locations
If you need to protect internal networked resources from threats that could be introduced by personal devices (BYOD)

The need for on premises SASE services will diminish as more applications migrate from on premises servers to the cloud and more users work from anywhere and connect via the Internet.

What makes up a SASE Service?

SASE services currently consist of a both WAN and cybersecurity functionality as previously discussed. However SASE services are evolving to also support LANs, Wi-Fi, and Endpoints (IoT devices, laptops, smartphones, etc.).

You might ask “Is there a minimum amount of WAN and cybersecurity functionality for something to be called a SASE service?”. Unfortunately, because of the lack of an industry-accepted or standardized SASE service definition, different offerings are referred to as SASE services. For example, is the WAN connectivity part of the service limited to a single IP VPN or can it also support multiple underlay connectivity services such as Dedicated Internet Access (DIA) + MPLS or broadband + LTE, over which SD-WAN virtual connections (SWVCs) operate and provide additional network resiliency? Often the aforementioned cybersecurity functionality is packaged in different service offerings. Just as it took a few years (plus MEF Forum standardization) before SD-WAN services had a well-defined, baseline set of functionality, SASE services will take a few more years to achieve such baseline functionality.

The Need for Industry Clarity around SASE

While no industry standard exists for SASE, MEF Forum is developing a new standard “MEF W117 SASE Service Attributes and Framework” to augment its other related standards work on SD-WAN and Cybersecurity including the industry’s first SD-WAN service standard, “MEF 70 SD-WAN Service Attributes and Services“, “MEF W88 Application Flow Security for SD-WAN Services”, and “MEF W118 Zero Trust Framework and Service Attributes” – the latter two currently under development. These standards will play a key role in providing clarity in the marketplace.

Conclusions

Many services and products use the term SASE to define their offerings and without an industry standard, capabilities vary widely. This lack of standardization makes it challenging to evaluate different offerings and requires that you understand the different WAN and cybersecurity functions to ensure they address your organization’s business objectives for digital transformation. Given the many SD-WAN and cybersecurity options, don’t hesitate to reach out to industry experts to obtain guidance to help you make the optimal choices for your business.

About the Author

Ralph Santitoro has expertise that spans the assessment, definition, design, integration, operations, marketing, and sales of multi-vendor solutions and managed services using Edge Cloud, SD-WAN, SASE, Zero Trust, Cybersecurity, Private 5G, and Work-from-Home technologies that facilitate the enterprise digital transformation. Ralph is a founding member of MEF Forum where he developed the industry’s first SD-WAN standard and is leading a new standard developing a comprehensive Zero Trust Framework to continuously protect users, devices and applications from threats both known and unknown.

In 2014, Ralph was awarded the Distinguished Fellow title at MEF Forum for his outstanding, long time leadership and contributions to shape the telecom industry. In 2016, he was awarded the MEF Excellence Award for Best Consulting Practice. In 2018, Ralph was named one of the top 25 movers & shakers in the telecom industry by Fierce Telecom Magazine and in 2020, he was awarded the MEF Outstanding Contributor award for SD-WAN leadership and the driving force behind SD-WAN standardization. Ralph also co-authored 4 books and regularly lectures on leading-edge technology topics at industry events.

MEF addressing SD-WAN industry challenges to accelerate Enterprise Digital Transformation

By: Ralph Santitoro | October 25, 2018

SD-WAN plays an important role in the enterprise digital transformation. When enterprise applications ran exclusively on site or in private data centers, traditional WAN services interconnecting enterprise sites and data centers were sufficient. However, as enterprise applications migrated to the public cloud as SaaS or workloads running in Virtual Private Clouds (VPCs), traditional WAN services proved inadequate to address these new application requirements. This led to the rise of SD-WAN services.

An SD-WAN service is an overlay network service that operate over-the-top of traditional WAN connectivity (underlay) services. Unlike traditional WAN services, SD-WAN services also cognizant of subscriber applications and thus can apply policies, e.g., QoS, Security, WAN cost policies, etc., to unique application flows rather than indiscriminately on packets for all application. SD-WAN services also leverage local and remote Internet access connections to dynamically select the path with optimal performance to connect to SaaS applications.

A major industry challenge today is the lack of a formal definition of an SD-WAN service. In other words, what are the minimum set of capabilities required for one to be able to claim that a service as an SD-WAN service? Without an industry standard definition, buyers need to be very meticulous when comparing services branded as ‘SD-WAN’. Sellers also must expend an excessive amount of time explaining their SD-WAN service capabilities as part of the pre-sales process. If an industry definition existed, one could simply refer to that definition thus saving time and effort for buyers and sellers as they evaluate, sell and compare SD-WAN service offerings.

MEF is creating an SD-WAN service definition to do just that – describe the core, baseline capabilities of such a service to help buyers and sellers of SD-WAN services. In the spirit of agile development methodologies, MEF plans to define the requirements for a ‘minimum viable service’ – the fundamental capabilities for an offering to be considered an SD-WAN service. This work will be augmented frequently through MEF’s new agile standards development process. The MEF standardization of an SD-WAN service will accelerate industry growth as MEF has exemplified with its work standardizing Carrier Ethernet services.

As part of this SD-WAN work, MEF is defining the core capabilities and components that encompass an SD-WAN service as they have done for Carrier Ethernet, IP and Optical Transport service definitions. Below is a preview of the MEF’s SD-WAN Service definition work in progress that will be discussed at the MEF18 event in Los Angeles on October 29th.

Core SD-WAN Service Capabilities

Secure, IP-based Virtual Overlay Network
Operates over any Underlay Network (MPLS, CE, Broadband, LTE, etc.)
Real-Time QoS Performance Monitoring of Underlay Networks
Application-aware Networking
Underlay Network Bonding to utilize all Underlay Network Bandwidth
Higher Availability via Multiple Underlay Networks from Multiple Service Providers
Policy-based Packet Forwarding (or blocking) by Application versus indiscriminately on all IP packets
Local and Remote Internet Breakouts for optimal SaaS and Public Cloud Performance

Figure: MEF 3.0 SD-WAN Service Illustrating Service Components

SD-WAN Service Components

SD-WAN UNI
SD-WAN Virtual Connection
Underlay Connectivity Services
Tunnel Virtual Connections (TVC)
Local Internet Breakout
SD-WAN Edge

SD-WAN UNI

As with all MEF service definitions, the UNI provides the demarcation of responsibility between Service Provider and Subscriber. However unlike other MEF connectivity services, an SD-WAN Service UNI will often be delivered inside a Subscriber’s virtual private cloud via a virtual interface delivered via a VLAN or IP address rather than a physical interface.

SD-WAN Virtual Connection

As with all MEF service definitions, the Virtual Connection (VC) describes the interconnection between all UNIs participating in the SD-WAN Service. Unlike other MEF connectivity service VCs, the SD-WAN VCs, operating strictly as an over-the-top service and can extend to the subscriber’s workload running in their virtual private cloud (VPC).

Underlay Connectivity Services

SD-WAN Services operate over existing underlay WANs. MEF refers to these WANs delivered by a service provider as Underlay Connectivity Services. These underlays often consist of different technologies, e.g., MPLS and DSL Broadband Internet, and an SD-WAN Service typically operates over at least two underlays.

Tunnel Virtual Connection (TVC)

TVCs are the tunnels created over the Underlay Connectivity Services between each physical site and VPC interconnected by the SD-WAN Service. An SD-WAN Service can bond TVCs across each underlay creating a higher capacity connection whose bandwidth is the sum of each bonded underlay. A TVC inherits the properties of the Underlay Connectivity Service over which the TVC operates. This simplifies Service setup by abstracting the Underlay Connectivity Service as a set of properties to which policies can be applied, e.g., flat-rate vs. usage-based bandwidth costs, public vs. private WAN, etc.

Local Internet Breakout

As more enterprise are being consumed as SaaS running in a public cloud, rather than private data centers, local Internet breakout becomes more critical. Backhauling all traffic to a central Internet connection at the data center or headquarters will result in diminished application performance. Local Internet breakout at each site enables the SD-WAN service to select the best performing path to the SaaS application

SD-WAN Edge

The SD-WAN Edge delivers the SD-WAN UNI and provides set of network functions between the SD-WAN UNI and the Underlay Connectivity Services. Such functions include:

Application flow classification
Real-time QoS performance measurements over each Underlay Connectivity Service for making packet forwarding decisions based on individual application flows
Encrypting packets before sending over a particular WAN
Determining whether application flows should be sent over a TVC or over a local Internet breakout connection based on bandwidth cost, security, QoS, SaaS application in public cloud, etc.
Enforcing Policies on different application flows before forwarding over a TVC.

SD-WAN Services are typically deployed over existing Underlay Connectivity Services at the subscriber site. The SD-WAN Edge is placed between the Subscriber’s network and the WAN demarcation devices provided by the WAN Service Provider. Such devices include Ethernet NIDs, DSL/Cable/LTE Modems, MPLS CE routers and IP routers which provide the service termination for Carrier Ethernet (CE), Internet and LTE services.

The SD-WAN Edge functionality may be placed in a VPC operating in a public cloud provider’s infrastructure, e.g., AWS, Azure or GCP. The SD-WAN Edge virtual network function (VNF) running in the VPC enables the enterprise subscriber to use an SD-WAN service to securely interconnect their physical sites with workloads in their VPC dynamically and seamlessly over multiple operator networks. This is what makes an SD-WAN service unique when compare to traditional WAN connectivity services.

Looking Ahead

As enterprises increasingly move their workloads to VPCs, they need their physical office locations to connect to their VPC securely and reliably. Unlike a physical SD-WAN Edge operating a subscriber location, the SD-WAN Edge VNF operating in the enterprise subscriber’s VPC needs more sophisticated onboarding and lifecycle management by the service provider delivering the SD-WAN service. This requires ETSI MANO functionality used in conjunction with the SD-WAN service orchestration and control provided by MEF’s LSO. Additionally, MEF has several active LSO projects from business operations, e.g., service quotations, through service activation, e.g., network resource provisioning that are readily extensible to SD-WAN services. MEF’s holistic approach to services, from service ordering through service delivery and lifecycle management, will accelerate enterprise digital transformation through SD-WAN service growth and market adoption. To learn more about MEF’s SD-WAN work attend the upcoming MEF18 event (Oct. 29-Nov. 1) or visit mef.net/services/sd-wan.