Our current stack requires a Meraki firewall with all of the advanced security licensing as part of the site build. We have all of the usual suspect tooling like spam filtering, MDR with SOC, RMM, SIEM with log shippers, and so on. Many of our customers do not have any onsite resources like servers or NAS storage, making the user-initiated VPN unnecessary for doing their daily work via SaaS applications and the like while remote. We have also begun picking up customers that have no office presence whatsoever, strictly remote users working from home or shared office spaces we do not control.
Here’s where I’m curious and the possibility begins.
If we were to pick up a SASE/ZTNA toolset, does it make much sense to have a Godzilla firewall at the office when users may or may not connect to it? We would put in an inexpensive network stack, sized to their business requirements, but blanket this technology across every device and create firewall-esque deny-all rules in the SASE toolset. It would seem that it then no longer matters where your device goes; your protection is always-on and ready. It also allows us to enforce the security via the always-on VPN style function, something Meraki have, unless maybe you 'buy' the AnyConnect licensing. (We're aware no one actually audits this.)
As an added bonus, it sounds like this will also simplify connectivity to resources no matter where the user is, removing the setup and maintenance of VPN users, tunnels between sites, etc.
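As an added example, not code from the thread or from any vendor, here is a minimal model of the deny-all-by-default ZTNA policy the post describes, placed next to the implicit-trust decision a location-based perimeter firewall makes. Group names, application identifiers, the office subnet and the posture fields are illustrative assumptions; the point it demonstrates is that the ZTNA decision never consults the source address, so the same device gets the same answer at the office and at a coffee shop, while a compromised device on the office LAN is still denied.

```python
"""
Added example, not code from the thread or from any vendor: a minimal model of a
deny-all-by-default ZTNA policy of the kind the post describes, next to the
implicit-trust decision a perimeter firewall makes. Group names, destinations,
subnets and posture fields are illustrative assumptions.
"""
from dataclasses import dataclass
import ipaddress

OFFICE_LAN = ipaddress.ip_network("10.0.0.0/8")   # assumed office range the old firewall trusts


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_enrolled: bool   # agent installed and bound to the tenant
    disk_encrypted: bool    # posture checks reported by the agent
    edr_healthy: bool
    tunnel_up: bool         # always-on agent currently connected to the PoP
    src_ip: str             # wherever the laptop happens to be
    dst: str                # application identifier, not a subnet
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    dsts: frozenset
    ports: frozenset


# Explicit allow rules; anything not matched falls through to the default deny.
POLICY = (
    Rule("helpdesk-to-rmm", frozenset({"helpdesk"}), frozenset({"rmm.example"}), frozenset({443})),
    Rule("finance-to-erp", frozenset({"finance"}), frozenset({"erp.example"}), frozenset({443, 8443})),
    Rule("staff-to-m365", frozenset({"staff"}), frozenset({"m365"}), frozenset({443})),
)


def posture_ok(req: Request) -> bool:
    return req.device_enrolled and req.disk_encrypted and req.edr_healthy


def ztna_decision(req: Request, policy=POLICY) -> tuple:
    """Identity + device posture + application, evaluated the same way everywhere.

    src_ip is deliberately never consulted: being on the office LAN buys nothing.
    """
    if not req.tunnel_up:
        return ("deny", "tunnel-down")      # fail closed: no tunnel, no access
    if not posture_ok(req):
        return ("deny", "posture")
    for rule in policy:                     # first match wins
        if req.groups & rule.groups and req.dst in rule.dsts and req.port in rule.ports:
            return ("allow", rule.name)
    return ("deny", "default")


def perimeter_decision(req: Request) -> tuple:
    """What a location-based firewall effectively does: trust the inside."""
    if ipaddress.ip_address(req.src_ip) in OFFICE_LAN:
        return ("allow", "trusted-lan")
    return ("deny", "outside")


def healthy_helpdesk(src_ip: str, **overrides) -> Request:
    """Constructed helpdesk user on a healthy device; overrides vary one field at a time."""
    base = dict(user="tech@example.com", groups=frozenset({"helpdesk", "staff"}),
                device_enrolled=True, disk_encrypted=True, edr_healthy=True,
                tunnel_up=True, src_ip=src_ip, dst="rmm.example", port=443)
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    at_office = healthy_helpdesk("10.1.2.3")
    at_cafe = healthy_helpdesk("192.0.2.44")
    infected_at_office = healthy_helpdesk("10.1.2.3", edr_healthy=False)
    print(ztna_decision(at_office), ztna_decision(at_cafe))            # same answer both places
    print(perimeter_decision(infected_at_office), ztna_decision(infected_at_office))
```

The `tunnel-down` branch is the part worth arguing about with a vendor: an always-on agent that fails open when the PoP is unreachable quietly turns the SASE policy back into "whatever the local network allows", which matters for the outage discussion further down the thread.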
We are a Todyl shop. Their SASE has been good and was upgraded to 1 Gb throughput last year. The zero trust config is easy to set up, and tier 1 techs are able to navigate it without much oversight.
The bonus for us is Todyl is not all or nothing. You can build almost any of their products into a stack. You can have different stacks per client … outside of their MXDR.
This let us bring our entire base over with just their EDR product and then go out and add more security features; just drag and drop on the stack to update the clients. So ease of use and options were really good for us.
If you know KQL you can make your own alerts on top of what they and the SOC team do, i.e. we track every admin login; that's nothing that's going to alert anywhere, but a custom KQL query gives it to us.
The one thing that I don't love is the reporting options. They are okay, not great, and you can only email reports to existing users. In our case we have a report portal for all clients that we like to send reports to, so that's made a bit more work for us setting up mail flow rules to filter and forward those every time we set up a new client.
Honestly, we didn't try anything else; we heard good things, we evaluated, were happy and just moved forward.
We do still put a firewall at the edge if there's an office; everything in layers. Todyl has a handful of firewall logs they will ingest, so we stuck within their framework.
I worked at a SASE company for several years, so if you want to chat we can talk in depth. I have numerous certs and case studies on the true vs BS of SASE. Holler, u/Odd_Disaster!
SASE comes in many flavors: cloud based, or appliance required (traditional security companies whose stock is reliant on them selling firewalls, i.e. Cisco, Palo, Fortinet).
I'm trying to do something similar. I'm planning to get rid of my old PANs and replace them with FortiGate and deploy Fortinet SASE. I'm still planning to keep the VPN connectivity for remote users as failover. Maybe that's a little overkill as we only have a few servers on-prem plus 1 DC in Azure. I haven't looked at any other vendors yet. Any idea why Fortinet SASE is not as popular? Or if anyone has experience with this vendor, any feedback is appreciated.
I have a lot of experience with CATO and Zscaler. We still use a hardware-licensed-only FortiGate for any sort of unauthenticated traffic within Zscaler. Zscaler is solid, and we use the Client Connector for all laptops along with Tunnel 2.0 (all traffic scanned, not just 80/443).
CATO is also solid. The biggest caveat with CATO is that you pay for leasing of their gateways and a per-site bandwidth fee. Still a solid service, but something to take into account. For our use case, CATO works well as we have some remote sites that only have 25/50/75 Mbps internet connections.
Most of this is paired with CrowdStrike or SentinelOne/Defender for Endpoint.
We have only had one outage, and it was the AWS one a couple of months ago. It only affected clients connected to one of the eastern datacenters. It did affect us, but we were able to push people over to a different datacenter in about 45 minutes to get everyone switched over.
We do use it internally for the whole team. We have techs in Latin America and the Philippines as well as the US. We are able to lock down our 365, RMM, datacenter and remote access all to the SASE network.
I do keep our HQ allowed as well, and we have the ability to disable the SASE on the endpoint, so for any issue we can just flip off the tunnel.
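Two things the commenters describe, the custom "track every admin login" query from the Todyl reply above and this reply's lock-down of 365/RMM/remote access to the SASE network with HQ still allowed, are the same shape of detection: join sign-in events against a list of privileged users and a list of trusted egress ranges, and flag what falls outside. As an added example that is not code from the thread, Todyl or Microsoft, here is that logic in Python over constructed sign-in events instead of as a KQL query, so it can be read without a vendor schema. The field names follow the Entra ID sign-in log shape; the admin list, app names and IP ranges are assumptions for the example.

```python
"""
Added example, not code from the thread or from Todyl: the two checks the
commenters describe, run in Python over constructed sign-in events instead of
as a KQL query. Event field names follow the Entra ID sign-in log shape; the
admin list, app names and IP ranges are assumptions for the example.
"""
import ipaddress
import json

# Constructed: egress ranges of the SASE PoPs plus the HQ address that is still allowed.
TRUSTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.10/32")]
# Constructed: members of privileged directory roles, normally pulled from the IdP.
ADMIN_USERS = {"ops-admin@example.com"}
# Constructed: apps whose conditional access should only admit the trusted egress.
LOCKED_APPS = {"Office 365", "RMM Portal"}

# Constructed sample events (JSON lines). errorCode 0 means the sign-in succeeded.
SAMPLE_EVENTS = """
{"createdDateTime":"2024-05-01T08:00:00Z","userPrincipalName":"ops-admin@example.com","appDisplayName":"Office 365","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:05:00Z","userPrincipalName":"jane@example.com","appDisplayName":"Office 365","ipAddress":"198.51.100.8","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:10:00Z","userPrincipalName":"jane@example.com","appDisplayName":"RMM Portal","ipAddress":"192.0.2.55","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:15:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Office 365","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:20:00Z","userPrincipalName":"ops-admin@example.com","appDisplayName":"Office 365","ipAddress":"192.0.2.99","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:25:00Z","userPrincipalName":"ops-admin@example.com","appDisplayName":"RMM Portal","ipAddress":"192.0.2.99","status":{"errorCode":0}}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_trusted_egress(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_EGRESS)


def detect(events: list) -> list:
    """Return one finding per successful sign-in that meets either rule."""
    findings = []
    for ev in events:
        if ev["status"]["errorCode"] != 0:
            continue                      # failed attempts are a separate hunt
        reasons = []
        if ev["userPrincipalName"].lower() in ADMIN_USERS:
            reasons.append("admin-login")  # always recorded, regardless of source
        if ev["appDisplayName"] in LOCKED_APPS and not from_trusted_egress(ev["ipAddress"]):
            reasons.append("locked-app-outside-sase")  # tunnel off, or a CA policy gap
        if reasons:
            findings.append({
                "time": ev["createdDateTime"],
                "user": ev["userPrincipalName"],
                "app": ev["appDisplayName"],
                "ip": ev["ipAddress"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f["time"], f["user"], f["app"], f["ip"], ",".join(f["reasons"]))
```

The second rule is the useful one once users are allowed to flip the tunnel off: a successful sign-in to a locked-down app from an address that is neither a SASE PoP nor HQ means either the conditional access policy has a gap or someone reached the app with the agent disabled, and both are worth a ticket.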
We saw mentions of multi-day outages recently, an issue with AWS impacting lots of other websites too. Did that hit you or your clients at all? Do you use Todyl internally as well?
We heard Zscaler can be pretty expensive, hearsay at least. Do you think it scales down to 5-10 person offices?
The proposed replacement for our Meraki would potentially be a full UniFi stack. We tend to do Meraki FW, Meraki or UniFi switching + APs. Bringing down the objection of a wildly expensive firewall but still providing all of the security via SASE is what is being sold to us as “not a pipe dream.” If it can be just as secure and lower complexity for everyone, seems like a win/win.
That’s exactly what I hoped to hear! Based on our demo and what we heard about the outage, it seemed like why can’t it just be shifted to a different DC, away from the east that appeared to have the issue.
You get what you pay for. Zscaler and Cato have both been solid. Also, I don't have to worry about vulnerability patching my onsite UTM (we still patch the FortiGates, but we are less concerned with them).
We used to have issues with Ubiquiti and firmware all the time; we have recently been using the Aruba Instant On for small businesses with success. One could argue Meraki is the unicorn of IT, a single pane of glass, but we don't see the licensing as worth it.
I think you should take a different approach to your SASE vs traditional onsite firewall. CATO and Zscaler will not reduce the cost of your onsite firewall. In your stack deployment, the largest reduction is coming from your Meraki licensing.
Because the average MSP doesn't know what they are doing. We have it set to allow people to turn off the SASE; in a pinch it works, but only from their office IPs, so it's a bit annoying if you have it all locked down and don't have everything in properly.
The only issue with Todyl in this scenario is they should have taken those sites offline so clients would fail over to other, further away locations. I already mentioned it to management.
The bridge, as they call the hardware, is not mandatory. We have a few clients that are remote only, and have no bridge for them, but use it for others with offices.
You can purchase directly through them. Once you're set up, it's as simple as entering the quantities of each (user, bridge) that you need and you're off and running. Setup is also stupidly simple.
I don’t know what their current prices are, tbh. We were very early adopters, and got discounted because of that, so don’t want to give bad info on pricing…