McAfee made rolling out its secure access service edge (SASE) platform to enterprises with existing SD-WAN deployments a little easier today.

The company claims to have added native support for "virtually any SD-WAN" platform on the market using industry-standard IPsec or GRE protocols. Cisco Viptela, VMware VeloCloud, Citrix, Silver Peak, Fortinet, and Versa Networks are among the vendors certified to work with McAfee's SASE offering.

However, according to Sadik Al-Abdulla, VP of product management at McAfee, SD-WAN integration is only half the story.

While SD-WAN is necessary for branch connectivity to McAfee's Unified Cloud Edge — what the vendor calls its points of presence (PoPs) — it also opens the door to pushing some of the security stack closer to the customer, explained Al-Abdulla, in an interview with SDxCentral.

"The majority of SD-WAN vendors are fully-featured next-generation firewalls with fully-featured [intrusion prevention systems]," he said. "If you shift inspection, do your control in the cloud, do your policy in the cloud, and do your reporting in the cloud, but do your enforcement out at the SD-WAN endpoint, you really optimize everything for the customer."

This approach, Al-Abdulla argues, allows McAfee to inspect the traffic where it makes the most sense, eliminating the need to send all traffic to a PoP.

"If you're already doing a flow level inspection to make a routing decision, to make a traffic decision, then that's the point at which you can and should make the other flow-level decisions," he said. "For the things that require the deeper policy controls — the [data loss protection] inspections, the malware inspections when we're actually cracking open a file running it through multiple scanners — that's the traffic you really want to move through the SASE PoP."
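To make that split concrete, here is a small model of the two-tier decision: cheap flow-level allow/deny at the SD-WAN edge, and steering to the PoP only for flows that need file-level DLP or malware scanning. This is an added illustration, not McAfee's or any SD-WAN vendor's code; the policy shape, the flow attributes, the verdict names and the sample flows are all assumptions constructed for the example.

```python
"""Two-tier enforcement model: flow-level decisions at the SD-WAN edge,
deep (DLP / malware) inspection only for flows steered to the SASE PoP.
Hypothetical model, not any vendor's implementation."""
from dataclasses import dataclass

# Cloud-authored policy pushed down to the edge (hypothetical shape).
POLICY = {
    "deny_dst_ports": {23, 445},                   # telnet / SMB to the internet
    "deny_app_categories": {"anonymizer"},
    "deep_inspect_apps": {"file-transfer", "webmail", "cloud-storage"},
    "deep_inspect_methods": {"POST", "PUT"},       # uploads: DLP scan at the PoP
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str          # category from the SD-WAN's own app identification
    method: str = ""  # HTTP method if known, else ""

def edge_verdict(flow: Flow, policy: dict, pop_tunnel_up: bool) -> str:
    """Return one of: deny-at-edge, allow-at-edge, steer-to-pop.
    Cheap flow-level denies come first; then decide whether the flow
    carries content that needs file-level inspection at the PoP."""
    if flow.dport in policy["deny_dst_ports"] or flow.app in policy["deny_app_categories"]:
        return "deny-at-edge"
    needs_deep = (flow.app in policy["deep_inspect_apps"]
                  or flow.method in policy["deep_inspect_methods"])
    if needs_deep:
        # Fail closed: if the IPsec/GRE tunnel to the PoP is down, do not
        # silently downgrade a DLP/malware-scanned flow to a local allow.
        return "steer-to-pop" if pop_tunnel_up else "deny-at-edge"
    return "allow-at-edge"

def summarize(flows, policy, pop_tunnel_up=True):
    """Count verdicts; 'allow-at-edge' is the traffic that never takes
    the extra hops to the PoP for an inspection the edge already did."""
    counts = {"deny-at-edge": 0, "allow-at-edge": 0, "steer-to-pop": 0}
    for f in flows:
        counts[edge_verdict(f, policy, pop_tunnel_up)] += 1
    return counts

# Constructed sample flows from one branch (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("10.1.2.10", "203.0.113.5", 443, "saas-crm", "GET"),
    Flow("10.1.2.11", "203.0.113.9", 443, "cloud-storage", "PUT"),
    Flow("10.1.2.12", "198.51.100.7", 23, "telnet"),
    Flow("10.1.2.13", "198.51.100.8", 443, "anonymizer"),
    Flow("10.1.2.14", "203.0.113.20", 443, "news", "GET"),
]
```

Running `summarize(SAMPLE_FLOWS, POLICY)` shows only the cloud-storage upload being sent to the PoP; the other four flows are settled at the edge.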

This approach differs from that of other SASE vendors that drive all network traffic into the SASE PoP before sending it along to its destination.

Al-Abdulla argues that the problem with sending all traffic to the SASE PoP is that it tends to be unoptimized, and it becomes more difficult to assign inspection levels.

"You're taking traffic several hops away and doing a flow-level inspection on it in order to decide whether to permit it or deny it," he said, adding that this adds latency for traffic that may not require this level of inspection. Since "each of those branches is going to have an endpoint anyway, at the flow-level, it's almost criminal not to take advantage of that. Why should you drag that traffic four hops away to do the exact same level of inspection through it? The inspection is not any better."

"We're letting the customer get the full value out of the SD-WAN without competing in that network stack, but while still delivering the optimized network integration," Al-Abdulla added.