This is the first in a series of blogs that will explain each part of our platform in detail.
The Secure Global NetworkTM (SGN) Cloud Platform is the backbone of our Secure Access Service Edge (SASE) solution. SASE enables fast, secure, and reliable connections to all your data, devices, networks, cloud environments, SaaS apps, and the Internet from everywhere. We built our platform from the ground up based on ZeroTrust principles and unified several different security features.
Alongside the SASE solution, the SGN Cloud Platform unites Security Information & Event Management (SIEM), Governance, Risk & Compliance (GRC), and more into a single platform to deliver comprehensive security at scale. To stay ahead of evolving threats, our Detection Engineering Team works around the clock to:
- Proactively block malicious traffic, implement countermeasures, and support our detection capabilities
- Create new high-fidelity detections around behavioral analysis, zero-day exploits, and emerging threats
- Implement additional capabilities to help prevent malware and ransomware, identify suspicious behavior, and more
What is SASE and How Does It Work?
Our SASE solution unifies many networking and security products together to consolidate, simplify, and improve security posture. With Todyl's SASE, our partners can deliver a defense-in-depth strategy and connectivity in minutes. The section below follows a packet through the SGN to illustrate how each layer comes together in harmony:
- Encrypted Connection: When a packet leaves a device, it travels over an encrypted connection to the SGN cloud. The encrypted connection ensures privacy and security on untrusted networks including hotels, airports, co-working spaces, coffee shops, and more, protecting data and devices against malicious hotspots, data collection, and other attacks.
- Policy Enforcement Module: The initial gatekeeper and first layer the packet enters. It applies configurations such as MSS settings, drops traffic to malicious destinations that our Detection Engineering Team maintains, and performs additional checks to ensure the confidentiality and integrity of packets entering the cloud.
- Deep Packet Inspection (DPI) Engine: The DPI Engine is the next module the packet goes through after leaving the Policy Enforcement Module. It identifies and tags the packet based on the type of application, Office 365 for example, by analyzing it against hundreds of different classifications built into the SGN.
- Next-Generation Firewall: After classification, the packet goes through the SGN Firewall. The SGN Firewall enables you to control access policies down to a user and device level. You set policies using IPs, hostnames, devices, ports, protocols, applications, geographies, and days & times. With our identity integration capabilities, you can also implement multi-factor authentication (MFA). The MFA controls overcome the challenge with a traditional VPN where a user decides whether to connect or not. Now, users are always connected and protected with the option to authenticate to access sensitive resources. For example, Accounting can only access your accounting software after they MFA.
- Intrusion Prevention System (IPS)/Intrusion Detection System (IDS): If a packet is allowed through the SGN Firewall, it proceeds to the SGN Cloud Platform’s IPS and IDS. Our IPS proactively identifies and drops a broad spectrum of malicious traffic, including exploits, toolkits, CNC callbacks, protocol abuse, exfiltration, and more. Our IDS collects and reports potentially malicious activity or policy violations to the SIEM.
- Secure DNS: If the traffic is DNS, the packet is automatically sent to our Secure DNS module, which proactively identifies and redirects malicious hostnames. DNS over HTTPS or DNS over TLS are frequently used by threat actors to evade security controls and can be blocked via the SGN Firewall.
- Web Proxy: If the packet is TLS/HTTP, the next stop before going to the routing engine is our Web Proxy:
- SSL Inspection: We leverage transparent inspection to intercept TLS traffic between client and server, decrypt it, scan for threats, re-encrypt it, and pass it to its destination. We do this on the same node so that a packet is never passed unencrypted.
- Allow/Deny Rules: With the SGN, you can explicitly block or deny specific URLs, down to specific users or groups. For example, you can block everyone from accessing LinkedIn except for the Sales & Marketing groups. Allow rules override Content Filtering policies for more granular control.
- Content Filtering: Content filtering is performed in the proxy layer and considers the entire URL. By inspecting at the URL level, we can deliver more granular classifications. For instance, you can allow or deny access to specific YouTube videos rather than allowing or blocking YouTube as a whole.
- Download Scanning: The final stage of the proxy module inspects a file download to help stop threats before they reach devices. We include one scanning engine, and you can opt-in to scan with multiple engines.
- Routing Engine/Privacy (Privacy VPN): Packets then go to our routing engine that directs them to their destination such as the AWS Cloud, a satellite office LAN, or the Internet. If the packet is destined for the Internet, the IP address is changed to Todyl's to hide you from search engines, advertisers, and other IP-based tracking to deliver privacy.
- SIEM Integration: Throughout the packets journey through the SASE module, telemetry and logs are sent to the SIEM from the various components to support detection and identification of threats automatically.
What You Can Accomplish with Todyl's SASE
The various security layers significantly enhance your security posture. They also allow for highly customizable configurations based on your needs. With the SGN Cloud Platform's customizability, you can set it up to provide:
- ZeroTrust Network Access (ZTNA): ZTNA leverages a deny by default design and integrates with identity to only allow a user to access specific applications or services. ZTNA prevents access from unverified devices and prevents lateral movement.
- Software-Defined Perimeter (SDP): The SGN features a SDP that can be used to control access to applications and services in the cloud or on-premise. It helps prevent attacks by hiding your Internet-connected infrastructure from non-verified users, greatly reducing your attack surface area.
- Conditional Access, Always on VPN: With the SGN, you can implement conditional access where the user needs to authenticate to access sensitive or internal resources. Devices are always connected and protected with granular network access controls. Remote work is simplified and more secure, and you’ll never need to use a VPN again.
- Secure Remote Desktop (RDP): You can deploy Secure RDP in minutes, providing encrypted, ZeroTrust-based device-to-device communication with ease.
In this blog, we focused on our SASE solution. We have several other components including our GRC and SIEM modules that empower you to do even more. If you’d like to learn more about our SASE solution, or any other modules, you can schedule a meeting with us here.