Evolution of SASE Architecture
You may have heard of different architecture principles within the context of security for networks generally and SASE specifically. The most common software architecture principles utilized by the industry in the SASE context include:
Single-pass Architecture
One-proxy Architecture
Run-to-completion Architecture
Scale-out architecture
Single-pass parallel processing Architecture
Create your security functions using the built-in
Cloud-nativeve Architecture
Isolation Architecture
API first Architecture
Slicing (E2E segmentation) Architecture
A lot of these design principles aren't new. Single-pass, One-proxy, Single-pass-parallel-processing, and Run-to-completion architectural principles have been popular since UTM (Unified Threat Management) days in the early 2000s, though they are known by different names before.
The primary purpose of these design principles is to create
Increased throughput through efficient use of resources.
Lower end-to-end latency
Lower jitter
Higher elastic (Scale-out) as well as Resiliency in the case attacks like DDoS threats to security companies
New security functions are introduced more quickly (Agility)
Integration of multiple security vendor functions, without introducing inefficiencies (Integration of the most effective technology)
Adoptability (Run anyplace)
Single-pane-of-glass
Evolution
One of the great things about the field of network security is the fact that it is ever-changing. It is constantly incorporating newer technology and deployment principles in each new version of its products. It also provides security against attackers with their advanced techniques.
However, the market for security in networks is typically dispersed. There are a variety of security companies that offer various security features. This is great for innovation, and should be encouraged and will continue. It is important to note that one vendor might not be able to perform every aspect of security.
As you will see If each vendor has an entire stack of security functions, there would be huge inefficiencies and that means huge costs. Furthermore, it may create delays, which could be an issue for certain applications. This is why it is essential to understand the more modern architectural concepts and practices. Software architecture should be designed so that it eliminates inefficiencies, but allows integration of different technology vendors for the highest security.
Before Convergence
Figure 1 as well Figure 2 represent two examples of examples of security in networks prior to SASE. Figure 1 illustrates Secure Internet Access, and Figure 2 illustrates an instance for Secure Private Access. Be aware that the sequence of security functions shown in these images is undetermined, and the order of execution is usually dependent on the deployment.
Secure Internet Access is traditionally obtained by using various security solutions as shown in Figure 1. This is because it's the Enterprise that purchases these security features, and places them in a chain of services. Because certain security functions require the proxying of links, it is known as chaining. It process is sometimes referred to as Proxy Chaining in the Industry.
Because each security system is independent and is available from multiple vendors, the functions are common across all solutions. Commonly, the functionality is traffic policing at ingress, shaping traffic at the exit point, traffic filtering to make sure that only the relevant traffic is sent to the proxies TCP termination of the client connection, a new TCP connection towards destination SSL/TLS interception (which also requires an on-demand certificate generator that emulates the certificate of destination) which comprises TLS encryption, decryption and TLS encryption as well as the authentication of proxy servers (Kerberos, the NTLM protocol, OIDC), HTTP 1.1/2.0 decoding. This is a common feature in every box/virtual appliance, by an estimate, consumes 50% of the computing power used by security solutions.
Secure Application Access is also done in a similar fashion by linking the security solution that is discrete, as illustrated in Figure 2. The common functions are the same for different security options. It's similar to the basic functionality of security products that are used to create Secure Internet Access. Some differences are the termination of SSL/TLS, instead of interception, and authenticating users using traditional methods, not proxy authentication.
The cost of common functions within security solutions can be as high than 50% of solution. The latency resulting from this type of architecture could increase by just a few milliseconds due in the use of chaining functions.
Another challenge that is faced by Enterprises using both virtual and physical appliances is scaling. The scaling issue was initially solved through the use of larger appliances or by assigning greater memory and CPU power to the security solutions based on VM. This is known as scale-up. In the case of demand constant in volume, it's logical for companies to invest for larger hardware and software. However, if the volume is high, Enterprises don't like to find money spent. Imagine a scenario where two days per year, traffic is more. What is the reason why Enterprises prefer to pay for these spikes throughout the year? That was the reason for the next step, when security companies began to provide the scaling of architecture with cloud-based services. This is similar to the rationale behind IaaS for IaaS in the Cloud applications. In the scale-out architecture that includes more instances of security software are created automatically when they detect the increased traffic or in response to DDoS attack , and brought down as demand drops. Image 3 illustrates the scale-out architecture.
It is clear that the ability to scale out is needed. But, it requires an load balancer for every security solution. The load balancer will be required to distribute the load across different instances of the security solutions. Multiple load balancer traversals demand more resources and can also increase the latency from end to end of traffic sessions.
The next evolution of the security architectures for network security addresses issues of
The need for more compute resources
Higher latency
With
One proxy architecture
Single pass architecture
Single-pass architecture and one-proxy architectural (Converged Architecture)
As illustrated in the figure below, each security function is combined with proxy and other commonly used functions coming into the picture just once. Each security function is executed one at a in a run-to completion fashion. In the end, this architecture uses up compute resources quickly. Since all functions are run within the same context of user space memory copies are omitted. Additionally, a single user space process architecture can reduce operating system context switching dramatically. A single proxy can manage multiple sessions simultaneously by using multi-threading, with each thread processing a portion of sessions, thus utilizing multi-core CPUs to the fullest extent. Multi-threading also permits certain security functions to be performed in parallel, instead of sequentially for a particular traffic session, thus reducing the speed and latency. This type of architecture is known as Single Pass Parallel Processing.'
To deal with unanticipated load and to address DDoS scenarios, an auto-scale-out architecture is implemented by utilizing a load balancer that is that is in the way of load balancing sessions.
In this design the proxy exposes an interface API. All security functions are connected to this API. Proxy invokes the relevant security functions in the course of traffic session processing. The security functions cannot implement through SASE Solution developers. SASE solution developers collaborate with technology providers by connecting technology supplier engines and feeds to the proxy servers. This way, customers of SASE service providers enjoy the all the benefits of technology suppliers - high performance SASE with the best security solutions.
However, certain technology providers may not offer Engine to users in SDK form to develop security functions in the proxy. It could be because they offer it as a cloud-based service. DLP is a prime example of how several technology providers offer it as a cloud-based service. In some instances it could be the case it is the SASE solution provider might not wish to incorporate certain security features within the user space context of proxy , for reasons such as memory restrictions and license compatibility and to avoid creating a weak user space and so on.
Unified Architecture & Bring Your Own Security Functions
The next step in the SASE structure is illustrated below. Three key points are as shown in Figure 6 below.
The support for security features using ICAP (Internet Content adaptation Protocol): Enterprises may use or want to make use of security services provided by other suppliers. ICAP specifications from IETF define how proxies are able to connect to external content adaption services, such as security services. In allowing external security services, SASE solution providers enable enterprise owners to choose from a variety of security solutions.
Make your own secure features: According to the IBM security report titled "Cost of a Data Breach Report 2022" organizations have an average of 277 days to discover and prevent a breach of data. Although SASE offers a very effective policy management, it may be that some data breaches control requires the use of programming rules. The organizations that are able to analyze the breach are in the best position to create these programs. Based upon SASE suppliers or other security solutions, the vendors could delay their product releases as they require the entire life cycle of software development. To prevent these delays and re-use the existing technology, new SASE architectures offer a means to allow Enterprises security teams to create programsmatic rules on their own and then deploy these rules. Because they won't cause instability for your proxy SASE designs provide WASM runtimes that allow the creation of programmatic rules in WASM modules. Because WASM runtime is a Sandbox, any issues that arise with WASM modules won't cause the hosting user space as well as other security function plugins to malfunction or fail.
Uniform proxy A single proxy that works for the two functions of Secure Internet Access as well as Secure Application Access will help reduce the amount of memory required. Engines and feeds for certain security features, like Anti-Malware and DLP can be memory-hogging. Setting up two proxy servers for an Enterprise site, therefore, can be expensive. Additionally, having one proxy that can support three modes (forward reverse, reverse as well as transparent) is a good development technique from a efficiency perspective too.
DIGITAL DEVICES LTD
Long before Apple set an average consumers mindset to replacing their handheld gadgets in two years, Digital Devices Ltd believed in Moore's law that computing will double every two years. With our heritage from the days of IBM Personal Computer XT, our founders have gone through the technology advancements of the 1990s and 2000s realizing that technology is an instrumental part of any business's success. With such a fast pace industry, an IT department can never be equipped with the tools and training needed to maintain their competitive edge. Hence, Digital Devices has put together a team of engineers and vendor partners to keep up with the latest industry trends and recommend clients on various solutions and options available to them. From forming close relationships with networking and storage vendors like Juniper, SolarWinds and VMWare to high-performance computing by HPE or AWS Cloud solutions, Digital Devices Limited offers the latest technology solutions to fit the ever-growing needs of the industry.
Our experts can guide you through the specifications and build cost efficiencies while providing high end, state-of-the-art customer services. We research and analyses market and its current demand and supply chain by offering wide range of bulk supplies of products like AKG C414 XLII, Shireen Cables DC-1021, Shireen Cables DC-2021, Dell p2419h monitor, Dell U2419H, Dell P2719H, Dell P2219H, Lenovo 62A9GAT1UK, LG 65UH5F-H and Complete IT Infrastructure products and services.










