We Re-Wrote the Security Service Edge Story

Photo of author

By admin


In our previous blog post, we discussed how Cisco has reimagined Zero Trust, delivering an in-office experience for users and things from anywhere accessing resources everywhere. You’re probably thinking “Ok, but how? How exactly has Cisco reimagined Zero Trust Access?” You’re in the right place to get a look into the technical details.

In this blog post, I’ll unpack some of the technological components that allow us to leapfrog legacy approaches, and in doing so, avoid many of the limitations of last generation ZTNA and Security Service Edge (SSE) solutions. If this piques your interest, I would like to invite you to dig deeper and get your hands on the capabilities, in one of the upcoming Cisco Secure Access Hands-on Introductory Labs.

Unlocking next-generation efficiencies with MASQUE, QUIC and VPP

As exponential growth in web, SaaS and private application traffic continues unabated, so does the demand for Zero Trust Access (ZTA) based on more efficient and secure networking protocols. To maintain not just a good — but excellent — end user-experience, we need seamless, fast and secure data transport. This has led to the development of cutting-edge technologies and protocols like MASQUE, QUIC and VPP. Each of these protocols is poised to significantly impact how we handle network data and when put together, they are a serious game changer.

Let’s dive into how they work and what their combined potential can offer for network efficiency and performance.

What is QUIC (Quick UDP Internet Connections)?

An easy way to think of QUIC is to envision a new high speed rail system. QUIC is the underlying track system that enables high-speed custom designed trains to move various types of cargo (all ports/protocols as the payload). QUIC is a transport protocol initially designed by Google and later adopted by Internet Engineering Task Force (IETF). It operates on top of UDP and brings several performance advantages compared to traditional TCP.

Key performance benefits include:

  1. Connection establishment: Unlike TCP, which requires multiple round trips to establish a connection, QUIC minimizes the connection setup time by combining the handshake and encryption setup into one step. This drastically reduces latency.
  2. Built-in security: QUIC integrates Transport Layer Security (TLS) to provide encrypted connections by default, improving both privacy and security.
  3. Multiplexing streams: QUIC allows multiple independent streams of data within a single connection, preventing head-of-line blocking — a common problem with TCP. This feature improves user experience by making data delivery faster and more reliable, especially for applications like streaming, gaming and web browsing.
  4. Connection migration: This allows us to seamlessly migrate connections without requiring IP renegotiation in low connectivity environments or with a workforce that’s on the move.

By leveraging UDP instead of TCP, QUIC sidesteps many inefficiencies related to congestion control, retransmissions, and connection management, ultimately making it an ideal companion to MASQUE for modern network traffic optimization.

Lastly, if QUIC is blocked in an organization, which can be the case for a variety of reasons, there is a built-in fallback capability to HTTP2 if required.

What is MASQUE (Multiplexed Application Substrate over QUIC Encryption)?

Continuing with our high-speed rail analogy, consider MASQUE to be the high-speed trains designed to run on those efficient tracks that we laid down. From a technical perspective, MASQUE is a new standard developed to efficiently tunnel network traffic over QUIC. It aims to enhance privacy and reduce overhead while providing seamless support for different protocols.

The key benefits of MASQUE are:

  1. Encryption: MASQUE operates on top of QUIC, inheriting its strong built-in encryption.
  2. Multiplexing: MASQUE allows different kinds of traffic (e.g., HTTP/3, VPN traffic) to be carried over a single connection without needing multiple protocols.
  3. Performance: MASQUE reduces latency and overhead, particularly in mobile and constrained environments, by eliminating the need for multiple TCP connections.

The integration of MASQUE and QUIC into existing applications, such as web browsers and mobile devices, is expected to improve end-user experience by making network operations more transparent and reducing the complexity of traffic routing and encryption. A real-world example of MASQUE and QUIC can be seen in iCloud Private Relay. It enhances privacy and performance by securely routing internet traffic through multiple relay servers, ensuring users’ data remains private. These technologies are seamlessly integrated into iOS and Samsung devices, providing robust, secure connectivity for users across both platforms.

Diagram showing how MASQUE and QUIC improve the security of Cisco Secure Access

What is the role of VPP (Vector Packet Processing)?

Given the global footprint of Zero Trust Access by Cisco, we need a high-speed, high-performing packet processing engine and that is exactly what VPP delivers. VPP is an advanced, high-performance packet processing framework that operates on a software-based network stack. Unlike traditional processing, which handles packets one at a time, VPP processes vectors (or batches) of packets. This vectorized approach increases throughput by utilizing the CPU cache more efficiently.

Key benefits of VPP include:

  1. Speed: VPP can achieve multi-million packets per second (pps) processing rates, making it ideal for high-performance, low-latency environments.
  2. Scalability: VPP’s ability to handle large volumes of traffic with low latency allows it to scale up in environments like data centers and ISPs, where handling massive amounts of data efficiently is crucial.
  3. Flexibility: VPP supports a wide range of protocols and can be customized for different use cases, such as VPN acceleration, network function virtualization (NFV), and software-defined networking (SDN).

Combining MASQUE, QUIC and VPP for a future-ready network

Each of these technologies represents a significant improvement in network design. But their true power comes when used together. Here’s how they complement each other:

  1. MASQUE over QUIC: MASQUE tunnels network traffic over QUIC to improve security and efficiency, especially for mobile users and private applications. With QUIC’s fast connection establishment and strong encryption, MASQUE can offer high performance without sacrificing privacy.
  2. VPP optimizing QUIC: VPP’s high-performance packet processing allows networks to handle QUIC’s UDP-based traffic efficiently at scale. As more applications and services adopt QUIC, VPP ensures that the network can process the increased load without bottlenecks.
  3. Unified end-user experience: For end-users, the combination of MASQUE, QUIC and VPP will result in faster, more reliable connections that are inherently secure, an absolute requirement for high-demand environments.

Reimagining Zero Trust: Powering a secure, in-office experience, for an anywhere workplace

Zero Trust Access by Cisco is available easily via our User Protection Suite licensing, which includes Cisco Secure Access. With the industry-leading technologies outlined in this blog post and an identity-first approach, Cisco Zero Trust Access (and Cisco Secure Access) provides an easy-to-manage and deploy SSE platform. Whether your organization is remote-first or hybrid, you can now deliver consistent in-office experience everywhere, ensuring that security does not hinder productivity.

Diagram showing Cisco's identity-first SSE program

Discover more about Cisco Zero Trust Access, and how it can transform your security approach, by registering for an upcoming workshop or exploring a product tour of Cisco Secure Access.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Share:





Source link

Leave a Comment