Video suggestion: Future of network security with Security Service Edge (SSE)

Here in the UK most comms providers are heavily discounting high-speed internet services to the property rather than links back to a DC and then out to the internet. Added to this, Microsoft’s SSE (Global Secure Access) is changing the way we can secure devices.

So, are we about to see a shift in how we design and secure our networks? Do we still need to centralise our traffic through to a DC and have a single management point or if we think SSE is going to work, are distributed firewalls capable of being centrally managed with such ease that we can make the change?

(Background: I manage a small Not-for-profit with 26 locations. Cost savings are a substantial driver, i.e. network links, but security is always required, as is ease of management. We have aging Firebricks deployed at each location today and links back to a DC for centralised management of the firewall. With Unifi having just released their Gateway Ultra and Microsoft their Global Secure Access…are we about to make a change in how we deliver and manage our networks?)

I would say solutions based on overlay VPN setups are going to be a better solution that makes more sense to me.

OPNsense Business has a centralized management option, not sure if PFsense offers this (but I’d guess yes).

But as Tom suggested, an overlay system might be the best and easiest for you to maintain control over all your locations.

I should have qualified our situation a little better.

We are in a situation (along with many SMBs) where we have moved to an almost 100% cloud-based environment. We only have one application server in the DC and that’s moving to Azure, along with a recent move to M365…we have no need for an overlay VPN network if we use Global Secure Access (GSA).

From what I understand, that can grant access to the Azure application server and manage what clients can do on our provided PCs. We still need APs and a few different SSIDs along with a captive portal for guest access, and that needs to be managed as efficiently as possible.

The technology seems to be changing so quickly. Hence an open conversational video from Tom on where things are going, what to look out for, are there migration steps that should be considered, is GSA just an overlay network with extras, vendor tie-in etc etc.

I’ve been following Tom’s YouTube videos for a while now, Proxmox, TrueNAS, pfSense etc etc, all of which are running away nicely in the home lab. It’s his ease of covering complex subjects that’s got me tinkering again. I’m a bit long-in-the-tooth, let’s just say I remember when thick wire ethernet was new, vamp-taps gave you a connection and the last time I was playing in the DC, Cisco 6509s were the in-thing and NUMA was only mentioned in the same breath as Sequent. So the speed of change in recent years is breathtaking.

I would be interested in his views on how things are changing, even if it’s a negative perspective…he’s been doing this for years so his concerns carry weight for some of us.

Now I understand that you are talking about this:

In their current status Microsoft DOES NOT CARE about security, they care about selling you things and doing just enough security to keep them from getting placed in front of a congressional hearing.

A task they are barely achieving at this point:

Not really sure what a video would look like on that topic, but Microsoft exists in the ecosystem and talking about how to secure their ever-changing Azure system from their not very secure default settings is a bit off topic for my channel and what I do. We do employ staff and have commercial software at CNWR that helps with setting up things, but not sure it’s really a fit as a video topic.

Thanks for the prompt and honest reply.

I like the disdain for Microsoft Azure (or whatever it is called today) that I read in Tom’s post. Putting everything in a Microsoft cloud makes it absolutely certain that you pay your fee, or they shut you off. It’s about control and profit, and there’s no profit in the desktop OS. Though I did read a rumor that Windows 12 is going to be a subscription, I haven’t tracked that down to verify yet, and tracking anything Windows 12 is going to be hard since they haven’t officially named an OS as 12.

I’m not defending them and I agree they want their profit, but then they are a company, so that shouldn’t come as a surprise to anyone.

As a Not-for-Profit (NfP), we do get a healthy discount but every penny counts. I keep saying to our MSP that someone needs to set up a business that specialises in knowing their license model and making it work for you. It’s a full-time job trying to keep up to date and picking the best license deal. An example of which is we can get free Office licenses but need to pay extra for MFA. By the time you add all the ‘bits’ you need to make it work, you would have been better off with the discounted Buss. Prem. license.

As an NfP, we have a lot of volunteers and they are of an age where they are used to the MS product line and I need them to be productive with the limited time they can provide. Most of the user base are in the same boat but I am seeing a change. Many of the younger generation coming into the organisation are more familiar with GSuite and primarily working in a browser. Things change…

And Gsuite isn’t free either, so what can you do?

And you are right, the MS licensing requires a full-time person or more. If you are buying the licenses from Dell or HP, their people are pretty sharp when you get to talk to a licensing specialist (if they still have them). I haven’t talked to them in a long while, after I started to piggyback on my organization’s E3 or E5 account.