VMware SASE and Cloud Web Security

What are SASE and CWS, and why do I need them?

Let’s start with the basics! SASE is a Gartner term and is an abbreviation of Secure Access Service Edge. Still not much help, right? Well, let’s start explaining this by looking at how people typically work, especially remotely, and how their traffic is secured. Most of you that ever work remotely will most likely use a device-level VPN. This uses software on your device to create a tunnel into your company data centre and allows you to remotely access internal resources. This is how most companies have done it for many years, and it really dates back to the days when all of a company’s resources were in its own data centre. Tunnelling all the traffic back into the data centre was the perfect way to reach everything a remote user would need.

These days though things are a little different. In recent years we’ve seen a huge increase in the consumption of public clouds, SaaS applications and collaboration tools. All of these reside on the internet, not inside the company data centre. So end users utilising the old device VPN model are essentially tunnelling in, then breaking back out. This is inefficient when it comes to the routing of traffic, especially when it comes to things like Teams and Zoom meetings. The hairpinning of the traffic in and back out adds latency and can cause poor user experience with users experiencing poor frame rates and jitter on voice and video.

The location of the services wasn’t the only reason to send all traffic into the data centre though. Security was another reason. By sending all the traffic into the data centre, companies can pass it through security appliances such as proxies and apply policies to it, controlling, for example, what can and cannot be accessed.

SASE removes the need for the device-level VPN. Instead of terminating the connection in the company data centre, we terminate it in one of VMware’s many worldwide distributed ‘POPs’, or points of presence. From here, we can route the traffic via a much more optimal path to where it needs to go: destinations like public clouds, SaaS and web resources, or even back into the company data centre. What’s more, your device connects to the closest POP available, meaning wherever you may be travelling your traffic will always take the closest route.

Devices can be connected into the SASE POPs in different ways too. Managed devices can have the VMware Tunnel application deployed, and the tunnel can create either application-level connections or a full device connection into the SASE POPs (depending on the OS type). You can choose what to send and what to bypass, so you ultimately decide which traffic goes via the POP and which does not need to.

But what about those security services we were using internally, I hear you say. Well, that’s where Cloud Web Security comes in. CWS is a range of web security features contained in the SASE POP, so not only is all your traffic going via an optimised route, but we also apply all the security policies to the traffic in flight as it passes through the POP.

VMware SASE also works great with VMware’s SD-WAN solution, VeloCloud. VeloCloud devices can be instructed to send office traffic to the SASE service, and for users who work both in offices and remotely, the Tunnel agent is intelligent enough to know when it is connected to a trusted SD-WAN network and can disable itself. This means whether your users are working remotely or in the office, you can be sure that all their traffic is being routed and secured effectively.
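The two decisions described above (send a flow via the POP or bypass it, and stand down the tunnel agent when the device is already on a trusted SD-WAN network) can be sketched as a small policy evaluator. The block below is an added illustration written for this post and is not VMware Tunnel code; the field names, the rule precedence, and the sample policy are all assumptions chosen for the example. The practical point it makes is that anything on a bypass list never reaches the POP, so it is never seen by the CWS policies, which is why bypass lists are worth keeping short and reviewing.

```python
# Added illustration (not VMware's Tunnel implementation): a toy split-tunnel
# policy evaluator for the two decisions described in the post.
#  1. On a trusted SD-WAN network the agent stands down: traffic goes direct,
#     and the SD-WAN edge is what forwards it to the SASE service.
#  2. Otherwise, per-app and per-destination rules decide whether a flow is
#     sent via the POP (and therefore inspected by CWS) or bypasses it.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelPolicy:
    trusted_dns_suffixes: list          # DNS suffixes that identify a trusted SD-WAN site
    bypass_domains: list                # hostname patterns sent direct, e.g. "*.zoom.example"
    bypass_networks: list               # CIDR strings sent direct, e.g. a local printer LAN
    mode: str = "device"                # "device" = full device tunnel, "app" = per-application
    tunneled_apps: set = field(default_factory=set)  # only used in "app" mode


def on_trusted_network(dns_suffix, policy):
    """True when the device's connection-specific DNS suffix marks a trusted site."""
    suffixes = {s.lower() for s in policy.trusted_dns_suffixes}
    return dns_suffix.lower() in suffixes


def _domain_matches(host, pattern):
    """'*.example.com' and 'example.com' both match the apex and any subdomain."""
    host = host.lower()
    base = pattern.lower().lstrip("*.")
    return host == base or host.endswith("." + base)


def route_decision(dest_host, dest_ip, app, policy, dns_suffix=None):
    """Return where a flow goes and why. Bypass rules win over the default
    of sending everything via the POP, which is exactly why they need care."""
    if dns_suffix and on_trusted_network(dns_suffix, policy):
        return "direct:trusted-network"
    if policy.mode == "app" and app not in policy.tunneled_apps:
        return "direct:app-not-tunneled"
    for pattern in policy.bypass_domains:
        if _domain_matches(dest_host, pattern):
            return "direct:bypass-domain"
    ip = ipaddress.ip_address(dest_ip)
    for cidr in policy.bypass_networks:
        if ip in ipaddress.ip_network(cidr):
            return "direct:bypass-network"
    return "via-pop"


def uninspected_destinations(policy):
    """Defender's view: list every rule whose traffic CWS will never see."""
    return [("domain", d) for d in policy.bypass_domains] + \
           [("network", n) for n in policy.bypass_networks]


# Constructed sample policy (example values only).
SAMPLE_POLICY = TunnelPolicy(
    trusted_dns_suffixes=["corp.example"],
    bypass_domains=["*.zoom.example"],
    bypass_networks=["192.168.0.0/16"],
)

if __name__ == "__main__":
    flows = [
        ("teams.example", "203.0.113.10", "teams", None),
        ("meet.zoom.example", "198.51.100.5", "zoom", None),
        ("printer.local", "192.168.1.20", "print-spooler", None),
        ("intranet.corp.example", "10.1.2.3", "browser", "corp.example"),
    ]
    for host, ip, app, suffix in flows:
        print(f"{host:24} {route_decision(host, ip, app, SAMPLE_POLICY, suffix)}")
    print("Never inspected by CWS:", uninspected_destinations(SAMPLE_POLICY))
```

Running the block prints one decision per constructed flow, with the trusted-network check taking precedence, then the bypass rules, and finally the default of sending the flow via the POP. The `uninspected_destinations` helper is the review step: it simply enumerates what the bypass rules exclude from CWS inspection.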

Configuration of SASE and Cloud Web Security

In the video I’ll show you, at a high level, how to configure SASE and CWS. Hopefully you’ll see how simple it is, and see what the end user experience is like when the CWS policies are applied.