The SASE story III: SASE as a solution for remote workers

In collaboration with Jon Heaton and Roel Bernaerts

In the last SASE blog, we outlined our aspiration to migrate to “Unified SASE” for most of our network. This unified approach provides very good integrations between SD-WAN, cloud security, end-point security and zero trust — all available through a unified services portal.

For our third blog in this series, we’re focusing on how SASE is enabling Cisco IT to improve the productivity and work-life balance for our employees who are working from home.

Before the pandemic, close to 25% of Cisco’s workforce was working from home for half of their week. A more recent employee survey suggested that employees expect this to increase to over 75% post-pandemic. Although Cisco IT’s Zero Trust strategy allows an increasing number of employees to do their job without using VPN, most job profiles continue to require VPN access into the corporate network at some point, and some roles still heavily rely on VPN.

SASE For Remote Work Model

This increase in remote workers, both on and off VPN, caused challenges. For instance, we wanted to be able to split off-tunnel traffic directly to the internet for users of all applications — including hundreds of legacy and proprietary applications that are not Zero Trust enabled. However, we have security policies that only allow trusted and well-known applications to be offloaded directly to the internet.

To address this challenge, we made improvements to our network, including upgrading our VPN infrastructure and adding network capacity to guarantee resiliency in case of outages.

This is where SASE enters the picture as a long-term solution for remote employees using our network. We’re planning to deploy a SASE solution that can be consumed “as a Service” before we’re required to upgrade our current hardware-based on-prem VPN and security infrastructure. This allows us to scale up when needed and scale back down as we enable more Zero Trust access.

Bringing users closer to applications and vice-versa

The new teleworker solution is focused on bringing users closer to the applications and data they consume. We utilize the Cisco AnyConnect endpoint client that integrates seamlessly with Cisco Umbrella to steer traffic away from the VPN while keeping Cisco secure.

As a first measure, Umbrella provides DNS Security. Even when a user is off VPN, it blocks DNS requests for records that have been identified as malicious or high-risk.

Secondly, we have options to send data via the most optimal path depending on performance and security requirements. Applications that have passed Cisco security review — i.e. Zero Trust-enabled applications through the Duo Network Gateway: Office365, Box, etc. — are split-tunneled directly to the internet using IP- or domain-based policy. All public web traffic is redirected to the nearest Umbrella Secure Web Gateway (SWG). This assures a shorter, yet highly secure path. Remaining traffic is forwarded through the VPN to our hardware and colocation based Cisco Secure Firewall.
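The steering order described in the two paragraphs above can be written as a small decision function. This is an added example, not Cisco IT's configuration or any product's API: the domains, address ranges, the `Flow` type, the `steer` function and the reading of "web traffic" as ports 80/443 are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data for illustration; none of it comes from the post.
DNS_BLOCKLIST = ("malware.example",)             # domains flagged malicious or high-risk
TRUSTED_DOMAINS = ("office365.example", "box.example")  # reviewed apps, domain-based rule
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # reviewed apps, IP-based rule
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate address space
WEB_PORTS = {80, 443}                            # assumed meaning of "web traffic"


@dataclass(frozen=True)
class Flow:
    hostname: str
    dst_ip: str
    dst_port: int


def matches_domain(hostname, suffixes):
    """Compare whole DNS labels so 'evilbox.example' never matches 'box.example'."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def in_any(ip, nets):
    return any(ip in net for net in nets)


def steer(flow):
    """Return 'dns-block', 'direct', 'swg' or 'vpn' for one outbound flow."""
    # 1. DNS security applies on and off VPN, so it is evaluated first.
    if matches_domain(flow.hostname, DNS_BLOCKLIST):
        return "dns-block"
    ip = ipaddress.ip_address(flow.dst_ip)
    # 2. Internal destinations always stay in the tunnel.
    if in_any(ip, INTERNAL_NETS):
        return "vpn"
    # 3. Only allowlisted (security-reviewed) apps are split-tunneled.
    if matches_domain(flow.hostname, TRUSTED_DOMAINS) or in_any(ip, TRUSTED_NETS):
        return "direct"
    # 4. Remaining public web traffic goes to the secure web gateway.
    if flow.dst_port in WEB_PORTS:
        return "swg"
    # 5. Default: anything unclassified is sent through the VPN.
    return "vpn"
```

The ordering matters for security: the allowlist is the only route to a direct path, and the default for anything unclassified is the tunnel, so a missing rule fails closed.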

Replacing our on-prem VPN with cloud delivered SFCN

We’re exploring opportunities to replace our hardware-based, on-prem VPN infrastructure with Cisco Secure Firewall Cloud Native (SFCN). This could help us avoid the large capital investments that would be required to upgrade our current VPN hardware infrastructure, including having to over-provision resources to cover unforeseen circumstances and potential future growth.

With SFCN, Cisco Remote Access VPN capabilities could be ordered directly from the AWS marketplace and scaled up or down when needed with just a few mouse clicks. The SFCN will integrate with AWS Transit Gateways, and allow us better flexibility to send traffic where it needs to go — either to other VPCs or to on-prem resources via MultiCloud.

ThousandEyes ties it all together

In the old model, the traffic flow was very deterministic and most of the network path was owned and managed by Cisco IT. However, in the new model, traffic moves to many different locations via different paths. This makes it much more difficult to isolate and troubleshoot issues. To address this, we must be able to monitor the user experience for critical business applications. This is where ThousandEyes enters the equation: with Cisco ThousandEyes, we’re able to gain insights into potential issues and to help isolate where exactly issues are. By integrating with Webex Teams, users are now able to troubleshoot any potential issues themselves via interactions with a Teams bot.

ThousandEyes Bot

With this new SASE model, users are able to safely and efficiently work from home or, actually, from anywhere, without noticing any major offset in performance.

In our next blog in this series, we’ll explore how we have applied similar logic to our branch offices and how we use Cisco SD-WAN to deliver cost effective Middle-Mile and Hybrid Cloud connectivity.
