Unified SASE: The Third Era of Network Security

May 14, 2024

It should come as no surprise that the three largest cybersecurity markets today are endpoint security, network security and identity. While there are other large cybersecurity markets (email security, web security, cloud security, SIEM and SOC, for example), these three account for over 50% of the cybersecurity market and make up a big part of a customer's budget.

Of course, like any market or technology, network security has undergone several cycles of evolution over the past couple of decades, especially as new features have been added or consolidated into a platform. Today, network security has begun its third era of growth — but where did it all begin?

The First Era of Network Security: The Stateful Firewall

Trust everything and connect everything as fast as possible. That original objective of networking remains true today. However, malicious actors quickly made it their job to exploit those connections. So, back in the mid-1990s, the stateful firewall was invented to control access to private networks.

These initial stateful firewalls blocked or allowed traffic based on IP addresses, ports and protocols. They divided the network into trusted and untrusted zones, sometimes with a demilitarized zone (DMZ) sitting between the two. This was a big improvement over simply connecting everything. However, as traffic consolidated onto well-known application ports such as those used by HTTP and HTTPS, simply allowing traffic on these ports was no longer an effective defense, because the firewall's filtering was not granular enough at Layer 7. As a result, a lot of traffic passed through without inspection.
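As an added illustration (not code from the article, Fortinet or Optiv), the following Python model of an era-one zone-based stateful filter uses constructed addresses, zones and rules. It shows the point made above: a rule that permits port 80 from the trusted zone passes a flow, and its return traffic, regardless of what the payload carries, which is exactly the gap that Layer 7 inspection later closed.

```python
from dataclasses import dataclass

ZONE_PREFIXES = {"10.0.0.": "trusted", "172.16.0.": "dmz"}   # constructed zones; anything else is untrusted
RULES = {("trusted", "untrusted", "tcp", 80), ("trusted", "untrusted", "tcp", 443),
         ("untrusted", "dmz", "tcp", 443)}   # constructed (src zone, dst zone, proto, dst port) policy

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # first packet of a TCP flow
    payload: bytes = b""

def zone_of(ip: str) -> str:
    return next((z for p, z in ZONE_PREFIXES.items() if ip.startswith(p)), "untrusted")

class StatefulFirewall:
    # Era-one filter: zone/port rules decide new flows; a session table passes the rest.
    def __init__(self):
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"     # established flow, either direction; payload never examined
        if p.syn and (zone_of(p.src), zone_of(p.dst), p.proto, p.dport) in RULES:
            self.sessions.add(fwd)
            return "allow"
        return "drop"

def l7_verdict(payload: bytes) -> str:
    # The check a port-based rule never makes: does port-80 traffic actually carry HTTP?
    line = payload.split(b"\r\n", 1)[0]
    ok = line.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in line
    return "http" if ok else "non-http-on-web-port"

def demo() -> dict:
    fw = StatefulFirewall()
    web = Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True,
                 payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 51000)   # return traffic, no SYN
    odd = Packet("10.0.0.6", 51001, "203.0.113.10", 80, syn=True,
                 payload=b"CONSTRUCTED non-HTTP protocol riding on port 80")
    inbound = Packet("203.0.113.10", 40000, "10.0.0.5", 22, syn=True)  # untrusted -> trusted
    return {"web": (fw.decide(web), l7_verdict(web.payload)), "reply": fw.decide(reply),
            "odd": (fw.decide(odd), l7_verdict(odd.payload)), "inbound_ssh": fw.decide(inbound)}
```

Both port-80 flows get the same "allow" from the stateful filter; only the Layer 7 check separates the real HTTP request from the constructed non-HTTP payload.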

Many firewall vendors also began to add secure remote access via virtual private networks (VPNs). This allowed remote users and branch offices to work as though they were on the network, although it required an agent on each remote endpoint to extend secure connectivity to it. As users increasingly connected to the internet, a proxy was placed between users and the internet to act as an intermediary. When bandwidth was at a premium, caching devices were also incorporated to improve internet performance.

The Second Era of Network Security: NGFWs and UTM Devices

As threat actors began to target application traffic, it became critical for security tools to inspect applications and content to assess whether the traffic was malicious. In other words, threat protection was becoming a critical job for the firewall. As a result, stateful firewalls evolved into unified threat management (UTM) devices, later known as next-generation firewalls (NGFWs).

These NGFWs were placed at the network edge, which was usually at the data center perimeter for traffic accessing external applications and the internet. They could identify applications and mitigate most threats in flight, making them critical for in-path communications. Deeper content inspection and understanding of a URL’s application content provided more visibility and granularity to mitigate threats.

However, these additional layers of inspection, including SSL and deep packet inspection, required more security-specific processing power than the off-the-shelf processors powering most NGFW appliances. To address this challenge, Fortinet developed the industry’s first security processing unit, a purpose-built ASIC designed to increase performance by offloading critical security functions.

The Third Era of Network Security: Unified SASE

As we move into the third era of network security, the traditional perimeter has been completely reimagined. To secure today’s highly distributed environment, a new, more expansive type of platform is required — one that can work across the hybrid workforce, distributed edge and multi-cloud environments. It must also expand the convergence of networking and security across all edges by supporting multiple form factors — physical and virtual appliances, multi-cloud platforms and as-a-service. We call this Unified SASE (secure access service edge).

This new approach allows protections to move beyond simply defending against external threats to consistently securing data wherever it might be. To do this, Unified SASE components must be deeply integrated together, and the solution must be AI-based so it can detect, correlate and respond to threats wherever they target the network in near real time.

Unified SASE goes beyond traditional SASE solutions by converging end-user connectivity with critical networking by incorporating a software-defined wide area network (SD-WAN). SD-WAN quickly became a critical technology for replacing simple routers at branches and campuses with faster, smarter and more cost-efficient connections to the rest of the network. Adding SD-WAN to Unified SASE ensures end-to-end visibility and control.

Unfortunately, early SD-WAN solutions did not take security seriously. They needed a separate firewall appliance and security solutions that had to operate as a separate overlay, which diminished the value of the flexibility that SD-WAN provided. Fortinet solved this problem by building enterprise-class Secure SD-WAN directly into the firewall.

As SaaS applications became more popular, a cloud access security broker (CASB) based on API access was also included. When CASB was added to the secure web gateway (SWG), the combined, cloud-delivered solution became known as security service edge (SSE). It plays a critical role in the Unified SASE solution.

So does zero-trust network access (ZTNA), which provides application-specific access. It is used in conjunction with SSE to replace or complement remote access via VPN.

The critical elements of Unified SASE include:

[Image: the critical elements of Unified SASE (Unified SASE The Third Era of Network Security_img.jpg)]

Setting the Stage for the Next Era

By integrating protections designed for clouds, connections, networks and endpoint devices into a unified security strategy, this third era of network security expands security to every edge. The integrated, platform-based approach of Unified SASE enables organizations to build and evolve their networks as they need, allowing them to respond to business demands without compromising security, performance or user experience. Its innate adaptability also provides a path forward to meet the next era of challenges headed our way.

John Maddison
Chief Marketing Officer | Fortinet
John Maddison has more than 30 years of executive management experience in the cybersecurity and telecommunications industries. He joined Fortinet in 2012 to lead cloud/SaaS security development teams and is now the chief marketing officer.

Optiv Security: Secure greatness.®