When discussing network security, the most recommended approach has gone through several iterations: “Layered Security”, “Defense in Depth”, and “Zero Trust”, to name a few. What these all have in common is the idea that it is not good enough to put a firewall at the edge and call it a day. Instead, a multi-layered approach has a better chance of protecting critical infrastructure, and of providing staged, multifaceted security.
The New Edge Poses a Problem
With cloud adoption becoming prevalent, the infrastructure being protected lives not only in a corporate datacenter, but also with cloud providers. Users and devices are far more mobile, and are expected to access resources wherever they are, at any time. The “edge” of the network is no longer a single location: it is everywhere and anywhere a user or device exists.
Traditional VPN clients initially offered a workable solution for this by ensuring endpoints were connected back to the on-premises datacenter for access. This often means hairpinning traffic through that edge firewall and back out again to reach the internet or cloud services. This isn’t an ideal design.
The transformation of where users and endpoints work, and what they require access to, means that what was traditionally defined as “the edge” has moved to every one of those users and devices, redefining network security and protection in the process. This has now evolved into Secure Access Service Edge, or SASE.
A Layered Architecture
SASE remains a layered architecture. It includes SD-WAN, Firewall, Secure Web Gateway (SWG), Zero-Trust Network Access (ZTNA), and Cloud Access Security Broker (CASB), all working together to secure and protect endpoints and critical infrastructure, including cloud services and traditional datacenters.
VMware discussed their SASE architecture at a recent showcase discussion with Tech Field Day. Here they offered two main options for consuming SASE: single-vendor “converged”, or two-vendor “integrated”. The integrated option splits the key components of SASE into the WAN Edge (the SD-WAN component) and the Secure Service Edge (SSE), which is comprised of the multiple layers of technology mentioned earlier (SWG, FW, ZTNA, etc.). This gives organizations a choice: those who wish to consolidate their SASE architecture under a single vendor for simplicity, ease of management, and perhaps reduced cost, versus those who want to handpick each of their SASE layers into a best-of-breed security onion.
The big news from VMware is that the SD-WAN component, for whichever design is chosen, will now include the new VMware SD-WAN client. A VMware SD-WAN appliance makes sense for the branch or satellite office, and even the home office in cases where there may be semi-permanent, multi-device environments that need secure access.
However, for the solo user or endpoint at home, while traveling, or even working from the local coffee shop, a traditional VPN or remote access client was typically still needed.
This new lightweight VMware SD-WAN client is available for Windows, macOS, Linux, iOS, and Android, and is managed via the same “single pane of glass” from which all other VMware SD-WAN endpoints are managed: VMware SD-WAN Orchestrator.
VMware now offers three options to provide consistent and reliable remote access for any user on any device: the traditional VMware SD-WAN Edge, the VMware Secure Access Client as part of Workspace ONE, and this new VMware SD-WAN Client. The new client combines the best of both earlier products, including path optimization, and provides access to on-premises datacenters, cloud services, and secured internet. Eventually this client and the VMware Secure Access Client will become one single product.
This new client offers the same zero-touch provisioning found in the rest of the VMware SD-WAN portfolio, including firewall and NAT traversal using the SD-WAN Client Relay. The relay provides fully encrypted outbound connectivity to join the SD-WAN fabric, so the endpoint can communicate seamlessly with the rest of the enterprise infrastructure without requiring inbound ports to be opened.
Whether an organization chooses the single-vendor option, with a stacked/integrated offering that is end-to-end VMware, or handpicks each individual product from a wide variety of vendors to build a best-of-breed security stack, each approach provides flexibility and options in how an enterprise may leverage its existing partnership with VMware. This, combined with an unprecedented number of third-party vendor integrations, gives VMware the competitive advantage to sit at the head of an organization’s SASE infrastructure.