SASE and PoPs protect us against next generation cyber attacks

Networks, mobile working and the Internet play an increasingly important role in our society. Every year, more and more devices are connected to the Internet, controlling many things in our daily lives. The IoT devices are connected to the Internet in doors (smart locks), smart homes, baby monitors, security cameras, and many other places, making them vulnerable to attack.

At the same time, Internet-connected enterprise networks and even entire manufacturing plants continue to grow, often forming a hybrid global infrastructure of cloud services, software-as-a-service, and locally hosted applications or networks. These require protection that goes beyond what a simple virus scanner or firewall can provide. Traditional security architectures are too cumbersome because they are designed to store data in local data centers (on-premises) and cannot handle the comprehensive requirements of the cloud. But solutions already exist.

As defined by Gartner in 2019 (The Future of Network Security is in the Cloud), SASE connects and secures all enterprise entities : branch offices, data centers, remote users, IaaS and SaaS resources. Security and network processing run primarily in the SASE cloud, with each « edge » relying on the appropriate technology to connect to the SASE cloud. This protects production facilities as well as networks of surveillance cameras, mobile users, and small or large branch offices.

The network infrastructure security approach is a state-of-the-art approach to the security challenges of networks communicating over the Internet. SASE uses advanced cloud-based firewalls and security solutions to provide maximum security. SASE is an architectural transformation that fundamentally changes the way common network and security functions are delivered to users, sites and applications worldwide.

The security platform is operated by a specialized service provider that protects its customers’ networks with state-of-the-art technologies. SASE is not a technology product in itself, but a concept for building a security fabric that reliably protects a network against all types of attacks.

A protective shell for enterprises in the cloud and on-premises

This protective shell spans the network while also protecting areas in the cloud and on the Internet. The security engines include a next-generation firewall (NGFW), a secure web gateway (SWG) with URL filtering, a next-generation anti-malware service, and an intrusion prevention system (IPS). The security engines are the foundation of a comprehensive Managed Threat Detection and Response (MDR) service. They are scalable and can handle all encrypted and unencrypted traffic without requiring customers to patch or upgrade devices and solutions.

SASE protects remote offices as well as corporate headquarters, mobile workers and home office users, or even customers who network a manufacturer’s products and rely on the Internet. Examples include smart door locks and security cameras. More and more users are working on the move and need to be able to access the applications and data they need without compromise. A traditional security model based on the local data center can no longer keep up.

This is the advantage of the SASE approach: protection is pervasive and not limited to the data center. Experts see SASE as the next step in digital transformation. By merging security and networks and moving them to the cloud, robust security services will be available everywhere, reliably operated, monitored and continuously optimized by service providers. With SASE, security becomes a service, hardware becomes software, and hardware firewalls become a modern security WAN based on software-based components.

PoP is an important factor in deploying SASE

Because SASE relies on the cloud to build the security infrastructure, there must be connection nodes that connect individual users, groups, branch offices, and larger sites in the cloud. In SASE, these are called « Points of Presence » (PoPs). These PoPs are the nodes of the SASE network that connect to the Internet. For maximum security, the individual nodes should of course be as close as possible to the objects that connect to the SASE network.

This is also because a short path to the Internet promises significantly more speed and less latency. However, the number of PoPs does not say anything about the performance of the network, mainly because there are different types of PoPs. Most customers of cloud providers, including those in the SASE space, assume that a PoP represents a provider’s data center, with all the features, servers, services, and everything else that is part of a data center.

For simplicity, we refer to these PoPs as data center PoPs. This is also the case for providers that place a high value on transparency and performance. A well-known example is SASE specialist Cato Networks. Its software stack handles all network functions. This includes global route optimization, dynamic path selection, traffic optimization and end-to-end encryption, as well as inspection and enforcement functions.

On the other hand, there are connection PoPs. Unlike full-featured data center PoPs, connection PoPs are PoPs light, with lower performance and higher latency. The reasons for this are simple. To increase the sheer number of PoPs, some vendors operate PoPs that are only access points to the network. These PoPs often have no servers or services at all; instead, the PoPs are just access points to the SASE network. All requests must first be routed to a data center PoP, which is usually far away.

This has several drawbacks. First, of course, latency increases significantly because the node provides no or limited services. Another drawback is security. The SASE approach in the secure PoP does not immediately protect access perfectly, but the data packets first have to go through another, unnecessary path on the Internet. For this reason, data center PoPs play a key role in the deployment of a SASE network. However, there are differences in data center PoPs that customers should be aware of before signing a contract. With some providers, not all PoPs can be used by all customers. In this case, the sheer number of PoPs does not help the customer; instead, it is important to know which customers have access to which PoPs.