The Core Components of SASE
SASE combines various IT functions into a single solution. Some of the key capabilities of SASE include:
- Zero Trust Network Access (ZTNA): ZTNA offers secure remote access to corporate resources based on user context (location, time of day, device state) and application-by-application access rules.
- Secure Web Gateway (SWG): SWGs protect remote workers against online threats, offering URL filtering and malicious content detection.
- Firewall as a Service (FWaaS): FWaaS offers next-generation firewall (NGFW) capabilities via a scalable, cloud-based service.
- Cloud Access Security Broker (CASB): CASB acts as an intermediary for traffic to cloud applications and software as a service platforms, allowing access control and enforcement of corporate security policies and data loss prevention (DLP).
- Software-Defined Wide Area Network (SD-WAN): SD-WAN intelligently routes traffic over the corporate WAN based on knowledge of the health and performance of available links.
User Access and Security Services
SASE’s integrated ZTNA offers secure remote access to corporate resources. It’s built around the zero trust security model, which requires strong authentication and explicit verification of all access requests.
When a user attempts to access a corporate application or other IT resource, the SASE solution evaluates the request based on access controls and the privileges assigned to the user. Only if the requestor is authorized to use the resource will their traffic be routed to its intended destination.
This architecture provides organizations with greater visibility into their network usage and extremely granular control over access to corporate apps.
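The access decision described above, sketched as an added example (not code from any SASE product): a default-deny evaluator with one rule per application that checks authentication, entitlement, location, time of day and device state. All names, rule fields and sample policies here are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    country: str
    local_time: time
    device_compliant: bool
    mfa_passed: bool

@dataclass(frozen=True)
class AppRule:
    allowed_groups: frozenset
    allowed_countries: frozenset
    hours: tuple                      # (start, end) of the permitted local-time window
    require_compliant_device: bool = True

# Constructed sample policy (hypothetical applications and groups).
RULES = {
    "payroll": AppRule(frozenset({"finance"}), frozenset({"US", "CA"}),
                       (time(7), time(19))),
    "wiki": AppRule(frozenset({"finance", "engineering"}),
                    frozenset({"US", "CA", "DE"}),
                    (time(0), time(23, 59)), require_compliant_device=False),
}

def evaluate(req, rules=RULES):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not req.mfa_passed:
        return False, "authentication not verified"
    rule = rules.get(req.app)
    if rule is None:                  # no rule for the app means no access
        return False, "no rule for application"
    if not (req.groups & rule.allowed_groups):
        return False, "user not entitled to application"
    if req.country not in rule.allowed_countries:
        return False, "location not permitted"
    start, end = rule.hours
    if not (start <= req.local_time <= end):
        return False, "outside permitted hours"
    if rule.require_compliant_device and not req.device_compliant:
        return False, "device not compliant"
    return True, "allowed"
```

Returning the denial reason alongside the decision is what gives the visibility the section mentions: each reason can be logged per user and per application.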
Network Security Services
Some corporate network security features that SASE typically offers include:
- Firewall as a Service (FWaaS): FWaaS offers firewall capabilities as a cloud-native, service-based offering. With FWaaS, organizations can flexibly and scalably secure on-prem and cloud-based assets.
- Intrusion Prevention Systems (IPS): An IPS can be deployed at the network or host level and can identify and block attempted intrusions. Network IPS provides protection against distributed denial-of-service (DDoS), credential stuffing, and other network-level attacks.
- Threat Intelligence and Advanced Threat Protection: SASE solutions can be configured to ingest threat intelligence feeds. These fuel advanced threat prevention capabilities and enable them to block novel and evolving cybersecurity threats.
- DNS Security: DNS queries provide hints regarding the websites that remote users or malware are attempting to contact. By blocking or revising responses for malicious domains, SASE solutions can prevent visits to malicious or inappropriate sites.
- Network Traffic Filtering and Monitoring: CASB enables inspection and filtering of web traffic. This inspection can be used to identify and block malicious content and to enforce corporate security and acceptable use policies.
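The DNS security item in the list above mentions both blocking and revising responses. The following added example (not taken from any SASE product) shows the two outcomes in a resolver policy, with matching done on label boundaries so that a listed domain covers its subdomains but not look-alike names. The blocklist entries, sinkhole address and function names are constructed for illustration.

```python
SINKHOLE_IP = "192.0.2.1"   # constructed placeholder (TEST-NET-1 documentation range)

# Constructed blocklist: domain -> action ("block" = NXDOMAIN, "sinkhole" = revised answer).
BLOCKLIST = {
    "malware-c2.example": "block",
    "phish-login.example": "sinkhole",
}

def normalize(qname):
    """Lower-case the query name and drop the trailing root dot."""
    return qname.rstrip(".").lower()

def match_policy(qname, blocklist=BLOCKLIST):
    """Return (matched_domain, action), checking the name and each parent domain."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])      # whole labels only, never a raw suffix
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None, "allow"

def answer(qname, upstream_ip, blocklist=BLOCKLIST):
    """Build the response the resolver returns to the client for an A query."""
    matched, action = match_policy(qname, blocklist)
    if action == "block":
        return {"rcode": "NXDOMAIN", "answer": None, "matched": matched}
    if action == "sinkhole":
        return {"rcode": "NOERROR", "answer": SINKHOLE_IP, "matched": matched}
    return {"rcode": "NOERROR", "answer": upstream_ip, "matched": None}
```

The `matched` field is worth logging: a client that repeatedly queries a blocked domain is a lead for incident response even though the connection never happened.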
Cloud Connectivity and Security
SASE solutions are hosted in cloud environments and incorporate the following features:
- Cloud Access Security Brokers (CASB): CASB acts as an intermediary and enforcement point for traffic to SaaS applications and other cloud assets. CASB can be used to implement cloud access controls and enforce corporate security policies.
- Cloud-Delivered Security Stack: SASE is a cloud-native solution that integrates various security functions. This cloud-based deployment model means that SASE’s protection can easily be extended to cloud-based apps without negatively impacting performance and the user experience.
Intelligent Routing and Traffic Optimization
SASE includes SD-WAN and other traffic optimization features to provide the following:
- Intelligent Routing: SD-WAN monitors the current health of network links and routes traffic over the best available medium, optimizing network performance and user experience.
- Granular Visibility and Control: All network traffic passes through a SASE appliance, which has deep application visibility and control. This provides you with insight into WAN traffic and the ability to implement very granular controls.
- Quality of Service (QoS): SASE has traffic visibility and can understand and identify various types of application traffic. Organizations can implement QoS policies and prioritization to ensure the performance of important and latency-sensitive traffic.
- Dynamic Policy Enforcement: SASE solutions have in-depth visibility into application traffic and the usage of the corporate WAN. This enables you to intelligently update security policies based on context, including user and device identity, location, and more.
Comprehensive Visibility and Management
SASE completely integrates a range of networking and security capabilities within a single solution. This enables analysts to use a single dashboard for various tasks, such as:
- Security Policy Management: Security policies for various functions are all managed within a single dashboard. This simplifies the process of defining, monitoring, and updating policies across the corporate WAN.
- Digital Experience Monitoring: All WAN traffic passes through SASE appliances, offering them comprehensive visibility into network usage. Organizations can leverage this visibility to collect user insights to support IT and security operations.
- Continuous Monitoring: Security and networking integration enable continuous monitoring within the SASE platform, which supports corporate cyber defenses and regulatory compliance efforts.