Maximizing threat protection with a secure SD-WAN and SWG

Chris Liou is the Director of Product Management at HPE Aruba Networking, leading the team responsible for SASE solutions, including the HPE Aruba Networking EdgeConnect platform.

Cloud-delivered Secure Web Gateway (SWG) and Firewall-as-a-Service (FWaaS) are well-known components of SASE. They are deployed by many enterprises to protect users, applications, and even unmanaged endpoints, such as OT and IoT devices, from malware attacks and Internet-based threats. Rather than relying solely on a cloud-delivered set of security capabilities and forwarding all traffic to the cloud for inspection, a unified SASE solution offers a hybridized approach that leverages localized inspection and enforcement on-premises, where and when it makes sense. A hybridized solution that combines localized secure SD-WAN with integrated cybersecurity features alongside cloud-delivered SWG and FWaaS provides the best of both worlds, minimizing latency and delivering an optimal user experience for all traffic.

Comprehensive on-premises branch security with secure SD-WAN

In today’s SASE world, securing users and their connectivity to applications, wherever they are, is of paramount importance. Endpoints and users at sites where an SD-WAN gateway is deployed need to be protected against a variety of cyberthreats, regardless of whether their intended destination is the Internet, other branch offices and private applications, or cloud-hosted SaaS applications critical to the business. Enterprises can no longer rely on the inefficient legacy model of backhauling traffic to the corporate data center and relying on a centralized firewall, when the workforce and applications are distributed across the hybrid cloud. Conversely, the deployment of standalone firewalls in all branch and edge sites to provide localized enforcement is also impractical, resulting in a proliferation of hardware and increasing complexity and cost of management across all of the remote firewall devices.

A better approach to enabling network security on-site is via a secure SD-WAN solution that integrates advanced SD-WAN capabilities along with a comprehensive cybersecurity solution in a single, unified platform that can be orchestrated at scale to ensure consistent application and security policies across the enterprise. The HPE Aruba Networking EdgeConnect SD-WAN platform is a certified secure SD-WAN solution that provides all the key capabilities of UTM, including L3-L7 awareness, zero trust role-based and context-aware segmentation, DDoS mitigation and visibility, IDS/IPS, Web/URL and IP content and reputation filtering. All are managed uniformly via the HPE Aruba Networking SD-WAN Orchestrator. By converging robust branch security capabilities with SD-WAN, enterprises can simplify their branch architecture, while reducing complexity, and administer the integrated solution from a single pane of glass.

Unified cloud-delivered Security Service Edge (SSE)

The other key component of SASE is the Security Service Edge (SSE). HPE Aruba Networking SSE provides all the elements of SSE (ZTNA, SWG, CASB, DLP, FWaaS and Digital Experience Monitoring) in a fully unified, modern cloud-delivered platform that is available globally, ensuring secure access to any business resource. The SSE platform provides single-pane-of-glass visibility and control over all security policies, making it simple to protect all endpoint types against malware and data leakage, both for the hybrid workforce and for servers and unmanaged devices like IoT/OT.

To protect unmanaged devices such as IoT/OT and servers at physical sites against advanced Internet threats, enterprises can utilize HPE Aruba Networking’s SASE SWG bandwidth service to securely transport and protect traffic aggregated from any location. This protects sites from malicious websites and applications, and includes a number of cloud-delivered functions, including dynamic threat protection, URL/IP classification and filtering, Data Loss Prevention, and DNS filtering. When deployed in conjunction with EdgeConnect SD-WAN, the joint solution makes it easy to deploy and provides a streamlined experience, with fully automated end-to-end configuration of location-based SWG services via EdgeConnect SD-WAN Orchestrator. And for enterprises interested in furthering their journey towards unified SASE, additional SSE capabilities can be seamlessly added including ZTNA and CASB functions.

Hybridized security: best of both worlds

With cybersecurity features available both natively within the EdgeConnect SD-WAN platform and delivered via HPE Aruba Networking SSE, enterprises can leverage the best of both worlds. This means enforcement decisions can be localized at any site, such as for intra- and inter-site east-west traffic, without forwarding it to the cloud-hosted security stack. For north-south site traffic destined for the Internet or cloud, utilizing a logically centralized cloud-delivered SWG capability to protect endpoints from Internet-based threats provides high performance along with elastic cloud scalability that can respond to varying demands as needed. Additional cloud-delivered security functions can also be applied as security requirements evolve.

For SASE administrators, the task of deploying a hybridized solution and orchestrating policies around local versus cloud-delivered enforcement is automated. Through comprehensive API integration, SSE service chaining from edge to cloud is fully orchestrated. Integrated prebuilt application policies are tailored to optimize traffic steering decisions, directing which traffic types should be locally inspected versus forwarded to the SSE cloud for inspection. By sharing the load between the distributed edge locations and the cloud-hosted security stack, enterprises can more cost efficiently utilize on-premises gateway solution resources for delivering other SASE capabilities while mitigating latency for optimal performance and enhancing overall user experience.
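The steering logic described in the two paragraphs above (east-west traffic enforced locally by the gateway's role-based policy, Internet-bound traffic forwarded to the cloud SWG for inspection) can be modelled in a few dozen lines. The following is an added illustration, not code from HPE Aruba Networking or the EdgeConnect platform; the site prefixes, role assignments, policy table and URL categories are constructed for the example and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed site prefix table: anything inside these is "east-west" and
# is enforced on the local gateway rather than sent to the cloud stack.
SITE_PREFIXES = {
    "branch-a": ipaddress.ip_network("10.10.0.0/16"),
    "branch-b": ipaddress.ip_network("10.20.0.0/16"),
    "datacenter": ipaddress.ip_network("10.100.0.0/16"),
}

# Constructed role assignment by source subnet (zero trust role-based segmentation).
ROLE_BY_SUBNET = [
    (ipaddress.ip_network("10.10.50.0/24"), "iot-camera"),
    (ipaddress.ip_network("10.20.50.0/24"), "iot-camera"),
    (ipaddress.ip_network("10.10.1.0/24"), "employee"),
    (ipaddress.ip_network("10.20.1.0/24"), "employee"),
]

# Local east-west policy: role -> allowed (destination site, port). Default deny.
LOCAL_POLICY = {
    "iot-camera": {("datacenter", 443)},  # cameras may only reach the video server
    "employee": {("datacenter", 443), ("datacenter", 445),
                 ("branch-a", 443), ("branch-b", 443)},
}

# Constructed cloud SWG URL/host categorisation and the categories it blocks.
SWG_HOST_CATEGORY = {
    "updates.example.com": "software-updates",
    "bad.example.net": "malware",
    "login.example.org": "phishing",
}
SWG_BLOCKED_CATEGORIES = {"malware", "phishing"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    host: Optional[str] = None  # SNI / Host header, if the gateway saw one


def site_of(ip: str) -> Optional[str]:
    """Return the site name whose prefix contains ip, or None for Internet addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in SITE_PREFIXES.items():
        if addr in net:
            return name
    return None


def role_of(ip: str) -> str:
    """Map a source address to its segmentation role; unmatched sources are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, role in ROLE_BY_SUBNET:
        if addr in net:
            return role
    return "unknown"


def swg_verdict(flow: Flow) -> Tuple[str, str]:
    """Cloud-side decision for north-south traffic: category filtering on the host."""
    category = SWG_HOST_CATEGORY.get(flow.host or "", "uncategorized")
    if category in SWG_BLOCKED_CATEGORIES:
        return ("block", f"SWG blocked category '{category}' for {flow.host}")
    return ("allow", f"SWG allowed category '{category}'")


def steer(flow: Flow) -> Tuple[str, str, str]:
    """Return (enforcement point, verdict, reason) for a flow seen at the branch gateway."""
    role = role_of(flow.src)
    dst_site = site_of(flow.dst)
    if dst_site is not None:
        # East-west (intra- or inter-site): decide locally, never forward to the cloud.
        if (dst_site, flow.dport) in LOCAL_POLICY.get(role, set()):
            return ("local", "allow", f"role {role} permitted to {dst_site}:{flow.dport}")
        return ("local", "deny", f"role {role} has no rule for {dst_site}:{flow.dport}")
    # North-south: the gateway only checks the source is classified, then hands off to the SWG.
    if role == "unknown":
        return ("local", "deny", "unclassified source has no Internet egress")
    verdict, reason = swg_verdict(flow)
    return ("swg", verdict, reason)


if __name__ == "__main__":
    for f in (Flow("10.10.50.7", "10.100.3.10", 443),
              Flow("10.10.50.7", "10.20.1.5", 443),
              Flow("10.10.1.9", "203.0.113.5", 443, host="bad.example.net")):
        print(f, "->", steer(f))
```

The point of splitting `steer` from `swg_verdict` is that the site-local decision needs only data the gateway already has (prefixes, roles, ports), so east-west flows never pay the round trip to the cloud, while the URL/category decision that needs a constantly refreshed reputation feed is made once, centrally, for all sites' Internet-bound traffic.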

Protect network devices with SD-WAN augmented with SWG.

Conclusion

The availability of a cloud-delivered, location-centric SWG that can be deployed alongside EdgeConnect SD-WAN's native security capabilities provides a new level of hybridized protection and enforcement, combining the benefits of both distributed and centralized security enforcement. When used in conjunction with EdgeConnect SD-WAN's native network-, role-, and application-aware firewall and threat detection and prevention capabilities, customers can fully replace existing branch firewalls with confidence and reap the benefits of a hybridized threat protection solution that combines an optimal user experience with scalable cloud-delivered security.

Learn more

To learn more about SD-WAN augmented with SWG, please read this solution overview.
