David_Levine
Contributor

Difference between SASE and SSL VPN

Hi All,

After hearing about the Odo acquisition, I went to their website to learn more about them and their technology. To be honest, while I have heard the acronym SASE before I am not very familiar with it. So watching some product videos on Odo's site, it seems to me that there is a lot of similarity with web-based or SSL VPN portals that have been around for some time.

It appears that this is similar in that you would use a browser to navigate to a secure HTTPS portal, log in, and then be presented with a set of applications that can be tunneled through that HTTPS connection. This is a somewhat limited set of applications - things like RDP, web apps, etc. To access other types of applications or services (such as SMB file shares / mapped drives, and other Win32 client / server based applications) you would need to have SNX or a client based SSL (or IPSEC) RAVPN connection.

So, how does SASE differ from the traditional 'SSL VPN Portal', and can it address more traditional capability (ok, legacy maybe) that client based VPN connections can?

Thanks much;
~D

8 Replies
Dale_Lobb
Collaborator

After a cursory look, I got the impression that the SASE portal is kind of like a Citrix connection. That your connection to the SASE portal is strictly HTML5 video, not a full tunneled network connection, and that the SASE cloud-based portal actually makes a network remote VPN connection to your site.

  This was just a quick look, so I may be entirely mistaken. YMMV.

David_Levine
Contributor

Thanks for the reply;

I also came across the following whitepaper on SASE; Good stuff...

https://community.checkpoint.com/t5/General-Topics/White-Paper-SASE-Architecture/m-p/96575#M19006

Cheers,
~D

PhoneBoy
Admin

Web application access is similar to Mobile Access Blade (i.e., browser-based).
The RDP functionality is definitely HTML5 based, similar to Mobile Access Blade plus Guacamole.
SSH and Database Access (possible thru Odo) are more like application specific reverse proxies (as I understand it).

So yes, similar to Mobile Access Blade except nothing like SNX or an IPSec VPN for arbitrary applications.
You also don’t need an accessible device on your perimeter to provide this access, just a “proxy” that runs in a Docker container and has outbound Internet access to connect to the cloud to enable access.

We do plan to do a TechTalk on the Odo technology in the coming weeks.

David_Levine
Contributor

Thanks for the reply;
Learning about the "proxy" service that would run in the corporate datacenter clears a lot up... Will be interesting to see how SASE can be extended to support additional applications / services and have the full complement of threat prevention added.

Thanks,
~D

PhoneBoy
Admin

I do want to make one clarification: SASE can also include a traditional remote access VPN component as well.
Our plan is to integrate the Odo Security offering as part of CloudGuard Connect, which will have a roaming user offering in the near future.

However, the Odo Security solution already serves some use cases in its current form, and is planned to be made available prior to this integration.

Marcos_Vieira1
Contributor

Well, I think they are different solutions to different needs. When someone is looking for a portal-based solution they are thinking about clientless, and trying to create a solution that permits anyone from any device to have access. What ODO adds to the "traditional" MAB Portal is that it has the RDP, SSH and SQL proxies (if I can call them so), and so creates other opportunities for the clientless solution. Usually I think that clientless is for external users, and in this case usually web applications are sufficient. For internal users, still thinking of clientless solutions, ODO creates the opportunity of using RDP without a client (and without the need for someone administering an RDP proxy), and so the internal user can access any application through the local computer accessed remotely. For internal users with company-owned laptops, the traditional client-based VPN solves all the problems. For the clientless / anyone / any device solution, it is a good idea to restrict the interaction between the user and the data, to avoid creating a channel for data loss. If the idea is to share files through the remote connection we should use something like the SecureWorkspace available with the MAB, but it will require the installation of a client.

David_Levine
Contributor

Yes - it is much more clear to me now after reading / watching these:
https://community.checkpoint.com/t5/General-Topics/White-Paper-SASE-Architecture/m-p/96575#M19006

https://click.checkpoint.com/z0ki39i0004QfprDDad1H00

The explanation about deploying the Docker app in the datacenter and the datacenter being "blackened" from the client clicked with me. Certainly can see how this would be hugely beneficial from a usability and security perspective for contractors, 3rd party support or consulting scenarios, etc. Using it for employees would be fantastic - but we do rely on SMB "mapped drive" filesharing, which it seems would require a proper RAVPN still.
The roadmap with Odo SASE and CloudGuard Connect looks pretty cool so far...

 

PhoneBoy
Admin

We also have a dedicated TechTalk coming up on Odo Security where we’ll show it off in more detail and you’ll be able to ask questions.
