The SASE Story Pt III: SASE as a solution for remote workers
In collaboration with Jon Heaton and Roel Bernaerts
In the last SASE blog, we outlined our aspiration to migrate to “Unified SASE” for most of our network. This unified approach provides superb integrations between SD-WAN, cloud security, end-point security and zero trust — all available through a unified services portal.
For our third blog in this series, we’re focusing on how SASE is enabling Cisco IT to improve the productivity and work-life balance for our employees who are working from home.
Before the pandemic, close to 25% of Cisco’s workforce was working from home for half of their week. A more recent employee survey suggested that employees expect this to increase to over 75% post-pandemic. Although Cisco IT’s Zero Trust strategy allows an increasing number of employees to do their job without using VPN, most job profiles continue to require VPN access into the corporate network at some point, and some roles still heavily rely on VPN.
This increase in remote workers, both on and off VPN, caused challenges. For instance, we wanted to be able to send traffic for all applications directly to the internet, off the tunnel — including hundreds of legacy and proprietary applications that are not Zero Trust enabled. However, our security policies only allow trusted and well-known applications to be offloaded directly to the internet.
To address this challenge, we made improvements to our network, including upgrading our VPN infrastructure and adding network capacity to guarantee resiliency in case of outages.
This is where SASE enters the picture as a long-term solution for remote employees using our network. We are planning to deploy a SASE solution that can be consumed “as a Service” before we are required to upgrade our existing hardware-based, on-prem VPN and security infrastructure. This allows us to scale up when needed and scale back down as we enable more Zero Trust access.
Bringing users closer to applications and vice-versa
The new teleworker solution is focused on bringing users closer to applications and data they consume. We utilize the Cisco AnyConnect endpoint client that integrates seamlessly with Cisco Umbrella to steer traffic away from the VPN while keeping Cisco secure.
As a first measure, Umbrella provides DNS Security. Even when a user is off VPN, it blocks DNS requests for records that have been identified as malicious or high-risk.
Secondly, we have options to send data via the most optimal path depending on performance and security requirements. Applications that have passed Cisco security review — i.e. Zero Trust-enabled applications behind the Duo Network Gateway: Office365, Box, etc. — are split-tunneled directly to the internet using IP- or domain-based policy. All public web traffic is redirected to the closest Umbrella Secure Web Gateway (SWG). This ensures a shorter, yet highly secure path. Remaining traffic is forwarded through the VPN to our hardware- and colocation-based Cisco Secure Firewall.
Replacing our on-prem VPN with cloud-delivered SFCN
We are exploring opportunities to replace our hardware-based, on-prem VPN infrastructure with Cisco Secure Firewall Cloud Native (SFCN). This would help us avoid the large capital investments that would be required to upgrade our current VPN hardware infrastructure, including having to over-provision resources to cover unforeseen circumstances and potential future growth.
With SFCN, Cisco Remote Access VPN capabilities could be ordered directly from the AWS Marketplace and scaled up or down when needed with just a few mouse clicks. The SFCN will integrate with AWS Transit Gateways, allowing us greater flexibility to send traffic where it needs to go — either to other VPCs or to on-prem resources via MultiCloud.
ThousandEyes ties it all together
In the old model, the traffic flow was very deterministic and most of the network path was owned and managed by Cisco IT. However, in the new model, traffic moves to many different locations via different paths. This makes it much more difficult to isolate and troubleshoot issues. To address this, we must be able to monitor the user experience for critical business applications. This is where ThousandEyes enters the equation: with Cisco ThousandEyes, we are able to gain insights into potential issues and to help isolate exactly where issues are. By integrating with Webex Teams, users are now able to troubleshoot any potential issues themselves via interactions with a Teams bot.
With this new SASE model, users are able to safely and efficiently work from home or, really, from anywhere, without noticing any major loss of performance.
In our next blog in this series, we’ll explore how we have applied similar logic to our branch offices and how we use Cisco SD-WAN to deliver cost effective Middle-Mile and Hybrid Cloud connectivity.