
SASE endpoint protection and secure remote access
In our previous deep-dive blogs on Secure Access Service Edge (SASE), we covered connectivity aspects like SD-WAN and security functionality provided by Firewall-as-a-Service (FWaaS) and Secure Web Gateway (SWG). In this post we will explore endpoint protection in a SASE environment.
As a reminder, the SASE concept unifies network (WAN Edge) and security (Security Service Edge) components. This article is going to cover remote access, Zero Trust Network Access (ZTNA), and secure internet access (SIA). These are closely integrated in a SASE deployment and typically involve an endpoint software component.
Here’s a simplified look at the SASE networking and security components:
SASE
WAN Edge                 | Security Service Edge
Forward error correction | ZTNA
Routing                  | VPN
Adaptive routing         | CASB
Traffic failover         | SWG
…                        | SIA
You may have noticed that most of the security features included in a SASE platform used to be deployed as separate products. This is just a natural outcome of the changing requirements and use cases over the last few years. A castle-and-moat architecture with a main office (headquarters) and data center in the middle is no longer sufficient. The perimeter vanished or became software defined. But one thing became much easier: Where we used to see many different networking protocols like FTP and SSH, today almost all end-user traffic is web-based. Whether the traffic goes to publicly available services such as Microsoft 365 or private internal resources like an intranet, the protocol in use is almost always HTTPS.
This shift in how we work exposed a vulnerability that had been overlooked until the pandemic lockdowns brought it to the forefront. There was a lack of sufficient protection at the endpoints, and there was unrestricted trust and access to company resources on the business network VPN. These two conditions, combined with a lack of multifactor authentication (MFA) and poor password security, can be fatal. Threat actors can easily exploit technical vulnerabilities or use social engineering attacks to gain access to a victim’s network and workloads.
Secure internet access (SIA)
SIA is the extension of Secure Web Gateway (SWG) to the endpoint. Detailed web traffic inspection provided by the SWG cloud service involves traffic backhauling or redirection and is not always necessary. We avoid this additional step by adding web security capabilities to the endpoint. This allows the device to make simple decisions about web traffic before bringing in the heavy artillery we keep in the cloud. For example, by using simple DNS-based filtering, we can block forbidden and unwanted web categories immediately without further inspection. This could be content that conflicts with regulatory or corporate compliance, corporate ethics and codes of conduct, or websites that are known to be malicious. This filtering can also block the ‘outgoing calls’ of malicious software that is already on the device and trying to phone home to its command-and-control server. There is no reason to send this type of traffic to the cloud for inspection when it can be blocked at the endpoint.
On the other hand, there are trusted apps too, and many of them don’t work well if traffic is redirected and a direct breakout is needed. Microsoft 365 is one example where detailed web traffic inspection might not be necessary. Directing Microsoft 365 traffic to an SWG before connecting to the application can result in performance degradation as well. Endpoint security may be sufficient for this scenario, so the SWG cloud inspection can be avoided.
And there is the category in between: websites that users are allowed to access, but for which the IT department prefers full inspection, including SSL inspection. Keep in mind that SSL inspection is required because most web traffic is encrypted; SWG inspection without SSL inspection is not going to meet security requirements.
Web traffic that is allowed and requires full inspection is the perfect use case for SWG and SIA. These two components work together nicely to secure web traffic that is not forbidden but contains a certain risk of malicious content.
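The three-way split described above (block at the endpoint, direct breakout for trusted apps, everything else to the SWG for full inspection) written out as a small endpoint DNS policy. This is an added illustration, not code from Barracuda or any SIA product; the category lists, the bad-example domains and the query log lines are constructed for the example.

```python
"""Endpoint-side DNS policy for secure internet access (SIA): decide per
queried name whether to BLOCK locally, let it go DIRECT (trusted app, no
SWG), or INSPECT via the cloud SWG. Category lists are constructed for
this example and are not a vendor feed."""
from collections import Counter

# Constructed category lists; the bad domains are hypothetical placeholders.
BLOCK_CATEGORIES = {
    "malware-c2": {"c2.bad-example.net", "beacon.bad-example.org"},
    "non-compliant": {"gambling-example.com"},
}
# Trusted SaaS zones that get a direct breakout (Microsoft 365 here).
TRUSTED_DIRECT = {"office.com", "microsoft.com", "microsoftonline.com"}


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot a resolver may append."""
    return name.strip().lower().rstrip(".")


def _matches(name: str, domains: set) -> bool:
    """True if name equals, or is a subdomain of, any listed domain."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(qname: str) -> tuple:
    """Return (action, reason). BLOCK is checked first so a malicious
    subdomain of a trusted zone can never break out uninspected."""
    name = _normalize(qname)
    for category, domains in BLOCK_CATEGORIES.items():
        if _matches(name, domains):
            return "BLOCK", category
    if _matches(name, TRUSTED_DIRECT):
        return "DIRECT", "trusted-app"
    return "INSPECT", "swg"


# Constructed endpoint DNS query log: "<time> <device> <qname>".
SAMPLE_LOG = """\
10:00:01 laptop-7 outlook.office.com.
10:00:02 laptop-7 Beacon.Bad-Example.org
10:00:03 laptop-7 news.example-site.com
10:00:05 laptop-7 evil.gambling-example.com.
"""


def summarize(log: str) -> dict:
    """Count decisions over a log; BLOCK hits on the malware-c2 list are
    the phone-home attempts from already-compromised devices."""
    actions = (decide(line.split()[2])[0] for line in log.splitlines() if line.strip())
    return dict(Counter(actions))
```

The suffix match is what makes the check safe against evasion by subdomain: a host under a blocked zone is blocked, and a blocked host under a trusted zone is still blocked because the block lists are consulted first.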
Remote access and Zero Trust Network Access (ZTNA)
The advantage of most user traffic being web-based is that modern ZTNA solutions are able to replace many VPN connections. ZTNA can connect users to individual applications, unlike a legacy VPN solution that bridges the device onto the local network without any access restrictions. That’s the security benefit of ZTNA, but the real reason ZTNA is replacing traditional VPNs so quickly is the superior user experience. We all know how cumbersome it was to remotely connect to the company network, especially for those who had to connect to more than one VPN hub.
With ZTNA, all the routing issues, reconnects, and never-ending password entries are gone. A good ZTNA solution does not differentiate whether the user is connecting from a corporate site or remotely, and always enforces compliance by device posture checks. Replacing VPN connectivity with ZTNA moves the company away from unrestricted implicit trust to a continuous security posture evaluation. It also improves the user experience with its simplicity and seamless functionality.
This is not to say that VPNs cannot provide a secure connection. Solutions such as Barracuda CloudGen Firewall can be configured to provide VPN connectivity with equal security, but ZTNA is a more convenient option and should be the preferred remote access solution for cloud and local workloads. A properly configured VPN can be a secure solution for corner cases such as special protocols that require routed connections. In such cases, additional security inspection with granular Access Control Lists (ACLs) is a must.
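An added illustration, not Barracuda's or any product's code, of the per-application, posture-checked decision described above and of why re-evaluating it on every request matters; the groups, application names and posture attributes are constructed.

```python
"""Per-application ZTNA access decision with continuous device posture
evaluation. Added illustration; groups, apps and posture attributes are
constructed and do not model any vendor's policy language."""
from dataclasses import dataclass


@dataclass
class Posture:
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool


# Constructed policy: who may reach each app, and the posture a device
# must hold at the moment of every request (not just at connect time).
APP_POLICY = {
    "intranet": {"groups": {"staff", "it"}, "require": ("disk_encrypted",)},
    "hr-portal": {"groups": {"hr"},
                  "require": ("disk_encrypted", "edr_running", "os_patched")},
}


def ztna_decide(user_groups: set, app: str, posture: Posture) -> tuple:
    """Allow only if the app is published, the user is entitled to it and
    every required posture attribute currently holds. Network location is
    deliberately not an input: on-site and remote users are treated alike,
    and an unknown app is unreachable rather than implicitly bridged."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown-app"
    if not user_groups & policy["groups"]:
        return False, "not-entitled"
    missing = [a for a in policy["require"] if not getattr(posture, a)]
    if missing:
        return False, "posture:" + ",".join(missing)
    return True, "ok"


def session_trace(user_groups: set, requests: list) -> list:
    """Re-run the decision on every request. A posture change mid-session,
    e.g. EDR stopping, revokes further access, whereas a VPN tunnel would
    keep trusting the device for its whole lifetime."""
    return [ztna_decide(user_groups, app, posture) for app, posture in requests]
```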
Why does this matter?
You have to think in terms of an attacker. If you are trying to break into a system, how far can you get before the network ends or you hit a locked door? If we consider the nonstop attacks and high-profile security incidents, especially in conjunction with insecure remote access, I’m afraid the answer is “straight to the treasury.” We need to rethink security if we are going to defend ourselves against cybercrime. ZTNA and SIA are two important parts of a bigger picture. Together, they help organizations implement security where it is needed — at the edge.
Stop attacks with a fierce defense
There is no doubt that cybercrime will continue to evolve and intensify. Attacks will get smarter as machine learning takes on a larger role in threat development. The best way to defend your company is to deploy a multilayer defense that protects the network edge and the many dispersed endpoints and resources.
SASE gives you the flexibility to meet the requirements of your existing security and connectivity deployments. Industry trends show that capabilities once delivered as standalone products are increasingly meeting those requirements as features of a SASE environment.
Barracuda offers comprehensive security solutions including Zero Trust Access. Our experts can answer your questions and take you through a demo of these solutions or help you deploy a free trial in your own environment. Visit our website to get started.