

Evaluate the components of Cisco SASE

Cisco's SASE platform, Umbrella, has all the components of a SASE architecture, but it has a lot of integration complexity and a reliance on appliances.

Editor's note: This article is part four in a series that looks at SASE vendors and their platforms. These vendors were chosen regardless of size or ranking. Instead, they were selected based on enterprise interest and competitive bids that our expert has encountered while consulting customers.

Cisco is, arguably, the most familiar name in networking. As a result, most enterprises likely have Cisco Secure Access Service Edge on their shortlist of SASE options. While Cisco's SASE looks great in a presentation, network teams need to dig deeper to see just how many appliances and components are needed to form a SASE architecture.

As part of an ongoing series that explores SASE offerings, this article takes a closer look at how Cisco's SASE platform compares with other vendors.

SASE recap

Ideally, SASE offerings are cloud services that securely connect enterprise users everywhere with enterprise resources anywhere. They're meant to be as simple and cost-effective to deploy and maintain as any cloud service, a sharp contrast to the headaches of appliance-based, legacy network architectures.

SASE architectures converge networking and security. SASE services use the following components for connectivity:

  • software-defined WAN (SD-WAN) devices to connect sites;
  • mobile clients, or clientless access, to connect remote users; and
  • shared gateways or points of presence to connect cloud resources.

All these components should connect via a global private backbone for optimum worldwide performance. They should also be protected by a security suite built into the SASE fabric that includes a next-generation firewall (NGFW), secure web gateway (SWG) and intrusion prevention system (IPS).

Most SASE vendors, however, are not currently delivering cloud-native SASE. It's a strategy or roadmap, not a product.

The genius of SASE isn't about new features. Most, if not all, features in a SASE platform already exist in some form in the market. The genius of SASE is the packaging of those features into a single, global cloud service. Switching from appliances and discrete services to a SASE cloud is as revolutionary and beneficial as the shift from servers to cloud computing.

Components of Cisco SASE

Cisco makes it clear that SASE isn't a product, but an architecture. In this case, the SASE architecture is offered under the branded name Cisco Umbrella, which follows the Gartner-defined services of SASE:

  • SD-WAN
  • cloud access security broker (CASB)
  • SWG
  • cloud-delivered firewall
  • zero-trust network access (ZTNA)

The Cisco Umbrella architecture is built from already existing products developed through partnerships.

Edge locations

Cisco connects sites, remote users, SaaS applications and IaaS resources using the following SASE edges:

  • Sites. Sites are equipped with Cisco Meraki SD-WAN or Cisco Viptela SD-WAN appliances that integrate with built-in, cloud-native security. Cisco SD-WAN can be deployed on a variety of platforms and with Cisco routers.
  • Remote users. Remote users connect through Cisco AnyConnect and Duo. This strategy relies on multifactor authentication and a zero-trust security model.
  • IaaS. IaaS resources can be connected via the CSR 1000V or Catalyst 8000V routers for the Viptela option and Virtual MX for Meraki.
  • SaaS applications. SaaS applications are not specifically supported, so there's no optimized access from Cisco Umbrella to SaaS applications.


Cisco delivers the following security services:

  • Basic firewalling through access control lists in Cisco routers and Viptela SD-WAN appliances;
  • NGFW in Cisco Firepower, Cisco AnyConnect or certain models of Cisco Viptela SD-WAN appliances;
  • SWG in Cisco Umbrella;
  • CASB through Cisco's CloudLock acquisition;
  • ZTNA through Duo; and
  • IPS through Cisco Secure Endpoint.


Management for Cisco SASE depends on the area.

For security management, Cisco offers the following options:

  • Cisco Meraki for Meraki management only;
  • Cisco Umbrella for Umbrella management only; and
  • Cisco SecureX for security management of all options, excluding SD-WAN.

Cisco requires multiple platforms for network management, including the following:

  • Cisco Meraki for Meraki management only;
  • Cisco Command-Line Interface for device configuration and monitoring;
  • vManage, which is a dashboard where admins define and manage WAN communication policies, as well as NGFW for routers that support this function;
  • vSmart, which is the cloud-based controller for the Viptela SD-WAN network;
  • vBond to initiate processes on edge devices and coordinate with vSmart and vManage; and
  • Cisco AnyConnect for remote and mobile user support.

Strengths of Cisco SASE

So, what are Cisco's strengths? The obvious one is that Cisco is, well, Cisco. It's a well-established technology company that, if teams like it, can provide a foundation of products and services that are used in the SASE architecture. These services integrate with each other and with multiple platforms, so Cisco can build an end-to-end program at scale.

Weaknesses of Cisco SASE

The Cisco approach is also its weakness, however. If SASE is about the convergence of networking and security into a cloud service, it's hard to see how Cisco's approach currently qualifies as SASE.

Integration complexity

Cisco's SASE approach is complex, comprising its many product lines. It's a platform that many companies will find challenging to run without large IT departments or support from a managed service provider.

Cisco SASE requires the resources to deploy different appliances and to coordinate management of multiple platforms. It looks like what it is: many individual products that must be integrated into a company's current architecture. Let's break this down.

Cisco is integrating Cisco SD-WAN and Umbrella in a shift Cisco calls "unifying cloud security and networking with SD-WAN automation." It uses IPsec, enabling teams to create up to 50 IPsec Internet Key Exchange version 2 tunnels from network devices to Umbrella. Tunnels, however, make poor use of bandwidth, which is itself a weakness.

Cisco Viptela SD-WAN consists of the following four elements:

  1. vBond, which has to be fully connected with every device;
  2. vSmart, which is the cloud-based controller for the network and manages all data and control policies;
  3. vEdge, which is the router that gets its information from vSmart; and
  4. vManage, which is the centralized portal that manages it all.

Umbrella is supposed to be deployed across the SD-WAN, but it has limitations. Devices must use DNS for security and policy enforcement. Sending queries through a web proxy or using an IP address directly will bypass Umbrella's protection.
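One way to surface the direct-IP gap described above from a defender's side, added here as an example and not taken from Cisco or from the article: correlate resolver logs with egress flow records and list connections whose destination the client never resolved through DNS. The record layouts, the 10.0.0.0/8 internal range and the 30-second grace value are assumptions, all records are constructed, and traffic sent through an explicit web proxy is not covered.

```python
import ipaddress

# Constructed resolver log: (epoch seconds, client, qname, answer IP, TTL)
DNS_LOG = [
    (1000, "10.0.0.5", "wiki.example", "203.0.113.10", 300),
    (1000, "10.0.0.6", "cdn.example", "198.51.100.7", 60),
]
# Constructed egress flows: (epoch seconds, client, destination IP, port)
FLOW_LOG = [
    (1010, "10.0.0.5", "203.0.113.10", 443),  # resolved 10 s earlier
    (1200, "10.0.0.6", "198.51.100.7", 443),  # DNS answer long expired
    (1020, "10.0.0.5", "192.0.2.44", 443),    # never resolved by this client
    (1030, "10.0.0.6", "10.0.0.9", 22),       # internal destination
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
GRACE = 30  # assumed slack (seconds) for clients that cache past the TTL


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flows_without_dns(dns_log, flow_log, grace=GRACE):
    """Return external flows with no unexpired DNS answer for that client."""
    windows = {}  # (client, answer IP) -> list of (seen_at, valid_until)
    for ts, client, _qname, ip, ttl in dns_log:
        windows.setdefault((client, ip), []).append((ts, ts + ttl + grace))
    findings = []
    for ts, client, dst, port in flow_log:
        if is_internal(dst):
            continue  # DNS-layer policy concerns external destinations only
        covered = any(start <= ts <= end
                      for start, end in windows.get((client, dst), []))
        if not covered:
            findings.append((ts, client, dst, port))
    return findings


if __name__ == "__main__":
    for finding in flows_without_dns(DNS_LOG, FLOW_LOG):
        print("no matching DNS lookup:", finding)
```

Flows returned by `flows_without_dns` reached an external address that DNS-layer policy never had a chance to evaluate, so they are the ones to review or to block at an IP-aware control.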

In addition to the vManage console, teams will need a second console for the Cisco Umbrella GUI. Even though SASE is about unifying security and networking, Cisco SD-WAN and Umbrella are managed separately.

Teams also need to budget extra for the Viptela SD-WAN and Umbrella package because it is expensive. It requires a Cisco DNA Premier term license package. And, because of the number of needed appliances, teams should expect more maintenance costs.

Slow network and dashboard performance

As mentioned, Cisco Umbrella is unable to govern IP-based destinations. Tunnel bandwidth is also limited with a top throughput of 250 Mbps per tunnel. This potentially means slow network performance.

Slow performance is especially noticeable on the Umbrella dashboard, where data can take up to an hour to load. This delay will likely hinder teams' use of the dashboard for incident response and mitigation.

Even when data does show up on the dashboard, it might not be the data that teams need to see. This could be a problem of having the wrong subscription tier. Having multiple tier options to choose from is a plus, until teams realize the one they bought doesn't meet their needs. Having the wrong subscription will prevent teams from getting the most important data into their dashboard.

Additional licenses

One other concern with Umbrella is the need for extra licenses. While Umbrella does a great job of identifying where threats are coming from, teams only get the most complete information with the Roaming Client tool. The problem is that Roaming Client is an additional license for each user, adding to the already high cost of using Umbrella.

Reliance on appliances means regular upgrades

IT teams will be busy with multiple appliances, upgrading and scaling them as bandwidth increases and new features are activated. Not all the appliances are going to be ideal in a SASE platform.

Cisco Meraki, for example, is considered one of the best options in cloud-controlled networking. While it's good as an all-in-one offering, problems arise when it is used as part of a larger SASE deployment. Line failover is poor and can take up to five minutes to converge. Failover between IPsec tunnels to Umbrella is only slightly faster at 60 seconds.

Meraki is CPU-intensive, which affects its overall performance. And, despite having a VPN client, the way it works -- calling back to a Meraki device -- increases the latency. Overall, Meraki is in the slow lane of fast-moving network traffic.

While Cisco SD-WAN does a better job at scaling than Meraki, it also has issues with integration complexity. The four elements of Viptela also lead to complexity issues within the management infrastructure. And both Cisco's SASE and SD-WAN have a similar problem: They have too many options and features to manage, leaving them open to potential security vulnerabilities because something could get missed.

The platform also has too many options for secure remote access. Duo is used for secure internet and SaaS access. AnyConnect is used for accessing internally hosted applications. Duo is cloud-based, while AnyConnect requires investment in and deployment of appliances. No integration is available between their remote access capabilities, which again sets up the possibility of teams missing important information surrounding security issues.

Cisco SASE is more like a marketing brand

On paper or in a PowerPoint, Cisco SASE looks great. It can check all the right boxes because of the numerous offerings grouped under the Umbrella brand.

But, when teams dig deeper, they'll find Cisco SASE is not quite where it should be. Deployment is complex. Integration is lacking. And appliances bring none of the elasticity, cost savings, rapid deployment, easy management and global accessibility for users or sites that are the hallmark of cloud services.

Cisco SASE is the same appliance-based strategy that has plagued IT, which, in the long run, will be costly and complex. Yes, Cisco's SASE evolution is underway. But it's not clear if it's in Cisco's interest to create a single cloud service that will effectively replace the many revenue lines driving Cisco's bottom line.

In short, enterprises committed to Cisco may take heart in its SASE marketing. But, for enterprises looking to benefit from SASE today, other options offer a better approach.
