Securing network devices in SASE architectures

Secure Access Service Edge architectures modernize traditional industries with features such as SD-WAN, centralized network management, network-wide visibility, policy automation, traffic segmentation, secure service provisioning and transport independence, including 5G. While these innovations provide faster connections at higher volume for globally distributed, cloud-accessing locations, the same conveniences carry overlooked security risks that must be addressed with an approach that integrates user identity context, site data and the hardware itself.

Despite recent rhetoric that focuses on cloud architectures and virtualization in a way that relegates physical platforms to simple connectivity pipes deployed in central locations, branch offices and colocation facilities, it is becoming increasingly evident that these platforms carry enterprise contextual data of significant, untapped and overlooked value. Device protections must be included in SASE architectures.

Zeus Kerravala of Network World has spoken at length about SASE architectures, going so far as to show how “cloud-managed on-premises security” works better than models deployed entirely in the cloud. In his research, the on-site approach works best for locations with a large number of employees. While I agree that on-premises deployments can achieve excellent performance benchmarks, I believe the current risks demand a secure access service that extends even further.

For example, the SD-WAN component of a SASE architecture includes remote device activation (often referred to as “zero-touch provisioning”), an innovation that enables network managers to order, ship and activate a network device anywhere in the world without finding a certified specialist for on-site installation. This is of huge benefit to networking teams. Today, when a forklift or conveyor belt stops working because of a network failure, manual service slows down the mean time to resolution, which hurts the business. With remote activation and provisioning, all it takes is one on-site employee, technically savvy or not, to receive the device, plug it in in the wiring closet and lock the door. This is a significant improvement in cost and speed over existing provisioning models.

Trust is an important factor here. The network manager who activates the device remotely must be sure that the transaction itself was secure. In addition, the product must be trustworthy: securely designed and coded, assembled without tampering, honest about its origins, shipped from the factory without interception, and often held in customs facilities around the world without incident. While many network managers care mostly about speed and reliability (many require same-day shipping and replacement), simply assuming that these processes operate with integrity puts the organization's networks and all of its ecosystem partners at risk.

Additionally, network teams are forced to assume that the actual branch locations, wherever they are, are secure and that their network device is secure once it is on premises. A branch could be a busy retail store, a government embassy or a pharmaceutical lab testing new vaccines. As the primary hub for routing, switching and security, the network device sees all of the data. While it is essential to secure endpoints such as desktops, mobile devices and IoT, the network platform itself should be considered a target, because it is a point of data aggregation. Network segmentation helps protect critical traffic from prying eyes, but it is still a single layer of defense. Cloud-managed on-premises security deployments, such as IPS and NGAV, harden network devices against attacks beyond what traffic segmentation alone provides and give a zero-trust approach more depth. And while some vendors offer network security as a cloud service, once a location exceeds a few dozen endpoints, the traffic generated by security inspection outweighs the cost/benefit of using the cloud service. On-site security simply delivers the highest levels of performance with the most control.

Finally, the remote activation process described in this article takes the control plane of the network device (a function formerly tied to the device itself, which is why a certified specialist was required on site) and moves it to a cloud-hosted architecture. Even assuming the underlying cloud infrastructure hosting the SD-WAN or SASE console is secure (most IaaS vendors document their efforts here), the data transactions that authenticate and operate the device must traverse the Internet, and they must be strongly encrypted.

Building a SASE architecture doesn’t have to be a hopeless endeavor that places risky devices in sensitive networks. For years, Cisco has quietly researched and built quality network devices for SASE architectures with verifiable integrity. Our industry-leading supply chain process means you can trust the devices on your network. In fact, Cisco Trustworthy Solutions include a proprietary Trust Anchor Module (TAm) that secures hardware and reduces operational risk, protecting against counterfeiting and tampering with hardware-embedded cryptographic key storage, secure boot, boot key attestation, secure unlock, FPGA bitstream defenses and more. Only Cisco provides these hardware-embedded security features to protect network integrity when activating and provisioning remote devices in SD-WAN and SASE architectures.

As more businesses realize the value of deploying SASE architectures, network and security teams across many industries need to hold the network device to the same high standards as the cloud and virtualized components. Only then can the world truly benefit from the transformation that comes with trustworthy SD-WAN and SASE architectures. The quality and integrity of the product matter. Here, you can trust Cisco to be one of the few to build a trustworthy SASE architecture.

For more information, please visit:

Cisco SD-WAN

Cisco Trusted Solutions

By Pat Vitalone, Product Marketing Manager, Cisco Routing and SD-WAN
This content is sponsored by Cisco.