How SASE and the Internet Took Over Wide Area Networks (Part 1)

This blog is part of the ongoing “I&O Perspectives” series, which features insights from industry experts about the impact of current threats, networking, and other cybersecurity trends.

As I embark on a new role with the Netskope Platform Engineering team, I am eager to explore how our company’s vision shapes the evolution of enterprise networking security. This first article in a series is a testament to my technical introspection, introducing the background, challenges, and needs that led to SASE—security access service edge.

Over the past quarter of a century, enterprises have gradually recognized the internet as a reliable means of transporting applications. The COVID-19 pandemic further accelerated this shift, transforming the workspace into a borderless environment. Coupled with the rise of corporate SaaS applications, this has led to a new era of connectivity.

However, in this new era, the internet has become a critical vector for cyber threats. As organizations rely more on the internet for connectivity, they face increased exposure to sophisticated threats, including data breaches, malware, and phishing attacks. SASE emerged as a response to the limitations of traditional networking and security models, driven by the rise of cloud adoption, a dispersed workforce, and the need for a more integrated and coherent approach.

With all of that in mind, let’s take a journey through the recent history of WANs to understand the direction security and networking are heading.

Wide area network evolution shaping our present and future

In 2000, before the internet bubble burst, Cisco Systems had the highest market capitalization worldwide, standing as the unquestioned leader in the enterprise networking industry. Internet security products were negligible in Cisco’s revenue statements, contributing only a tiny fraction of their sales. Overall, cybersecurity was still a relatively small sector. Corporate networks and the internet used to exist as two distinct silos, a separation that inherently provided security without necessitating encryption.

The wide area network (WAN) backbones, which were, by definition, running on private physical infrastructure, relied on legacy dedicated point-to-point lines and protocols, such as frame relay and ATM.

Additionally, cloud applications were not that critical for corporations. Besides email, electronic communications and IT resources were mainly private. Multiprotocol Label Switching (MPLS) virtual private network (VPN), a genuine IP-minded solution, was the rising star.

Some early adopters started using more IPsec site-to-site tunnels for WAN backup and offloading low-priority traffic over the internet. I remember demonstrating such implementation for a large corporation back in 2002, but it didn’t go beyond a proof-of-concept. At that time, best-effort internet was not considered eligible to transport sensitive corporate traffic. Today, this has evolved with intelligent quality of service and orchestration within a graphical interface, representing the SD-WAN part of SASE.

MPLS and VRF: Enhancing IP routing and network isolation

MPLS is a set of core switching protocols designed to speed up IP routing. It combines the advantages of IP and ATM.

Network operators and vendors developed the VPN application of MPLS to provide network isolation at layer 3. On an MPLS-VPN network, each VPN is a private routing context. Customers purchase one or several VPN contexts to segregate their WAN routing environments. Virtual routing and forwarding (VRF) is a technology used in IP-based networks to create multiple virtual routing tables on a single physical router. This allows the router to support various network paths completely isolated from each other, even if they use the same physical infrastructure.

Traffic over MPLS-VPN is generally not encrypted and the network is trusted. In most cases, VRFs naturally became the long-haul extensions of the local area network VLANs. Machines with the same usage profile would sit in the same LAN segments and VRFs.

The Impact of SLAs on Differentiating MPLS-VPN from Internet Services

For corporations (or at least their legal departments), the primary quality metric was SLAs and the penalties that come with them. In other words, how can the penalties be harmful enough to the service providers to care for and match a decent quality of service?

On MPLS-VPN networks, packet delivery, round-trip delays, and service availability are subject to SLAs. These contractual items have been the key argument for telcos to differentiate MPLS-VPN from IPsec over the internet. 

In contrast, most internet services only offer time-to-restore or availability SLAs, unless the link has been broken because of a force majeure event: natural disasters, acts of war, government actions, and pandemics, among others. For example, if an excavator cuts a fiber cable, and even if it’s not considered a force majeure event, it makes no difference whether the service is internet or MPLS-VPN. There’s only a small chance that the provider will restore the link within the SLA time.

Building resilient and capable networks: Meeting SLAs amidst complex constraints

To support SLAs, resiliency and capacity management have always been prevalent themes when designing communication networks. These attributes are fundamentally about ensuring the network is extensive, redundant, fast, and agile enough to meet customer expectations under any network condition. However, achieving this involves navigating a complex set of constraints, such as:

• Multiple routes available between two points.
• Each link has its own capacity management.
• Backup routes must restore fast enough to preserve the ongoing sessions (e.g., a phone call) without the users noticing when a route goes down.
• With IP, not all applications (such as voice) have reserved bandwidth. The network may throttle low-priority applications during congestion events, but not excessively. 

Initial versions of the IP routing protocols had poor capacity management metrics. Even today, BGP, the internet routing protocol, ignores available bandwidth, and its convergence time could be better. Unfortunately, this is the price you pay when there are more than a million routes in the forwarding tables.

The approaches in private backbones like MPLS and the shared internet network are naturally profoundly different. The internet has always been considered “best effort,” while MPLS-VPN guarantees quality of service. However, users expect the internet to deliver a decent service in most network conditions. Competition among internet service providers has driven improvements in quality. Techniques and toolkits for managing internet capacity have significantly advanced

Many efforts have also been invested into enriching the arsenal of traffic engineering techniques in IP protocols and MPLS environments, including online capacity management, bandwidth reservations, application priorities, end-to-end paths policies, fast rerouting, and more.

The good news is that MPLS, as a backbone technology, is now the underlying carrier for everything from mobile networks to the internet, and some of these efforts also benefit the internet, not only MPLS-VPN.

The internet’s rise: From home necessity to corporate backbone

Around 2000, the internet started providing such valuable use cases that it soon became essential to subscribe to an internet service at home. Some of these examples include personal email, online shopping, search engines, encyclopedic content, social media, and instant messaging.

Less than ten years later, the internet conquered the mobile space with the user-friendly smartphone, its ecosystem, and high-speed cellular data. Smartphones made access to these human use cases ubiquitous, causing a seismic growth in the volume of data flows and user counts.

Alongside the growth of traffic volumes, which was multiplied by the growth of internet video services  (see Figure 1), the number of internet users increased dramatically.

Similarly, internet use in the enterprise accelerated too. In addition to consumer-friendly applications, access to SaaS applications, starting with Salesforce, became a significant topic for IT departments. SaaS solutions offered scalable, cost-effective alternatives to traditional on-premises software, reducing the need for extensive IT infrastructure and maintenance.

Some CIOs even decided to backhaul users’ traffic and deploy private and expensive connectivity, such as Secure Cloud Direct Interconnect (SDCI), to reach services primarily available on the (free) public internet. For a long time, we could never fully resolve the conflict between the ubiquity of the internet and the guaranteed quality of service provided by private backbones.

Embracing remote work: The shift to SASE

With the pandemic, remote workers became the norm. They were able to benefit from business applications from their homes as if they were in the private and concealed areas of the enterprise locations and WAN networks. Cloud and particularly virtual meeting applications, such as Microsoft O365/Teams, would be affected in a centralized configuration with a single or few internet breakouts per region. Users require their internet traffic to go through the shortest possible path.

Internet players kept provisioning massive bandwidth to cope with the pace and absorb the additional load. The internet coped very well with the load that suddenly moved from the office building endpoints to home locations.

Naturally, the user’s workstation is the only remaining barrier to the privacy of company data. Intellectual property, secret commercial data, and any information to safeguard must be reached through the employee device and cloud services, which could be anywhere.

Nonetheless, CIOs couldn’t sacrifice service quality and security. Preserving productivity and guaranteeing privacy and data protection are essential. The elimination of the corporate “perimeter” has led to the spread and growth of sophisticated attacks, ransomware, involuntary breaches of confidentiality, and insider threats. This threat landscape requires a ubiquitous and granular security model to protect users and data everywhere, moving from traditional defenses, the castle-and-moat, to a global, always-on security layer. This logically gave birth to SASE. 

In the next part of this blog series, we’ll explore the SASE connectivity paradigm and how Netskope delivers high-grade connectivity in this new landscape.

Stay tuned for the upcoming installments of our I&O Perspective series. Join us at SASE Week 2024 to explore the latest in SASE and Zero Trust, and learn how to enhance your organization’s security and network transformation strategy. Don’t miss the “SASE for Networkers Roundtable” on Sep 25,  where customers will share their digital transformation journeys toward SASE