What is Fine-Grain Routing? And Why is it the Smarter Choice for Device Security?
By Philip Mustain, CEO | Mobolize
Every IT expert knows that cyber threats have increased dramatically in the past couple of years as attackers become increasingly clever at exploiting vulnerabilities. This is especially true for remote employees using their laptops, tablets and smartphones outside the corporate network. To keep these devices secure, IT professionals have to upgrade their network security implementations to modern Secure Access Service Edge (SASE) solutions, which primarily consist of Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG). But devices off-premises face a host of issues because their traffic originates on cellular and Wi-Fi networks rather than the on-premises Local Area Network. To deal with these issues, fine-grain routing of the traffic at the device is essential.
What is routing without fine-grain? Traditional VPNs tunnel all traffic from employee devices to a firewall, which can create serious problems. They break internet links that will not accept anything but direct-to-origin traffic. This affects a wide array of services that won’t accept proxy traffic, including video streaming, banking apps and even Craigslist. The result is broken services on PCs and mobile devices, which can lead employees to not adopt the client on their BYOD devices, leaving those devices vulnerable to thieves.
A security company that bundles a legacy VPN with its product offering will insist that its split tunneling solves these problems: intranet traffic is routed from the endpoint device to the firewall, and everything else bypasses the tunnel and is sent directly to origin. But legacy VPN clients only support simple coarse-grain routing based on IP addresses, which might suffice for ZTNA but not for Secure Web Gateways (SWG), which need to scan all traffic. That requires precise traffic steering to avoid breaking internet services.
Why is fine-grain routing needed? Because with fine-grain routing, traffic is directed selectively based on multiple factors, including protocol (DNS vs VOIP vs TCP), endpoint type (Android vs Windows vs iOS vs Mac), app type (browser vs app, cert pinning, etc.) and server type. This level of routing is a must for SASE and particularly for SWG, because traffic needs to be handled differently for each internet service to avoid breaking it. On some platforms, such as Android and iOS, both ZTNA and SWG must be enabled by a single VPN client, and this is not possible without a smarter, next-generation client that provides this selective fine-grain routing within a single unified SASE client.
Mobolize’s Data Management Engine provides a solution to the need for smart device security. It is resident on each device, which enables fine-grain, precision control of data traffic. All data flows through the on-device engine, where advanced targeting and routing capabilities enable precision control. By looking at the DNS, hostname, app, port and protocol, our engine decides whether the data needs to be encrypted, tunneled (full, split, micro-tunnels), blocked, enhanced or sent direct to origin, regardless of whether the network in use is Wi-Fi or cellular.
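To make the difference between the two routing models concrete, here is an added illustration written for this page; it is not Mobolize’s Data Management Engine or any vendor’s code. It contrasts an IP-only split tunnel (the legacy model described above) with a small ordered-rule engine that also looks at protocol, hostname, app and cert pinning before choosing to block, send direct, or tunnel a flow to ZTNA or the SWG. Every hostname, app id, subnet and rule below is a constructed sample value, and the `voip` protocol label and `cert_pinned` flag are assumptions about what an on-device agent can observe.

```python
"""Added example (not Mobolize's code): minimal on-device policy engine
contrasting IP-only split tunneling with fine-grain routing. All rules,
hostnames, app ids and subnets are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Decisions the engine can make for a flow
DIRECT, TUNNEL_ZTNA, TUNNEL_SWG, BLOCK = "direct", "tunnel-ztna", "tunnel-swg", "block"


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    port: int
    protocol: str          # constructed labels: "dns", "tcp", "udp", "voip"
    hostname: str = ""     # learned from DNS or SNI; may be empty
    app: str = ""          # originating app id (hypothetical values below)
    platform: str = ""     # "android", "ios", "windows", "macos"
    cert_pinned: bool = False  # assumed: agent knows the app pins its cert


# Constructed intranet ranges (RFC 1918 space used as sample data)
INTRANET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_intranet(flow: Flow) -> bool:
    return any(ip_address(flow.dst_ip) in net for net in INTRANET)


def coarse_grain(flow: Flow) -> str:
    """Legacy split tunnel: intranet IPs to ZTNA, everything else direct.
    It cannot see app, protocol or hostname, so it can neither block a
    bad DNS name nor steer web traffic to the SWG for scanning."""
    return TUNNEL_ZTNA if is_intranet(flow) else DIRECT


@dataclass
class Rule:
    name: str
    action: str
    match: Callable[[Flow], bool]


# Constructed sample DNS blocklist standing in for a threat-protection feed
DNS_BLOCKLIST = {"malware.example.invalid", "phish.example.invalid"}

RULES: List[Rule] = [
    # 1. Resolve-time blocking: DNS query for a known-bad name is dropped
    Rule("dns-blocklist", BLOCK,
         lambda f: f.protocol == "dns" and f.hostname in DNS_BLOCKLIST),
    # 2. Any other DNS query resolves normally
    Rule("dns-allow", DIRECT, lambda f: f.protocol == "dns"),
    # 3. Internal resources always ride the ZTNA tunnel
    Rule("intranet", TUNNEL_ZTNA, is_intranet),
    # 4. Cert-pinned apps break behind a TLS-inspecting proxy: send direct
    Rule("cert-pinned-app", DIRECT, lambda f: f.cert_pinned),
    # 5. Real-time media does not tolerate proxy hops: send direct
    Rule("voip-direct", DIRECT, lambda f: f.protocol == "voip"),
    # 6. Anything else is web/app traffic the SWG should scan
    Rule("default-swg", TUNNEL_SWG, lambda f: True),
]


def fine_grain(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins. Returns (action, rule_name) so every
    decision can be logged and audited."""
    for rule in rules:
        if rule.match(flow):
            return rule.action, rule.name
    return TUNNEL_SWG, "fallthrough"  # unreachable with rule 6 present


# Constructed sample flows (documentation/reserved address space only)
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 53, "dns", hostname="phish.example.invalid",
         app="browser", platform="android"),
    Flow("10.1.2.3", 443, "tcp", hostname="intranet.corp.example",
         app="browser", platform="windows"),
    Flow("198.51.100.5", 443, "tcp", hostname="bank.example.invalid",
         app="com.example.bank", platform="ios", cert_pinned=True),
    Flow("198.51.100.7", 443, "tcp", hostname="video.example.invalid",
         app="browser", platform="macos"),
    Flow("198.51.100.9", 5060, "voip", app="com.example.dialer",
         platform="android"),
]


def compare(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Side-by-side (hostname-or-ip, coarse decision, fine decision)."""
    return [(f.hostname or f.dst_ip, coarse_grain(f), fine_grain(f)[0])
            for f in flows]


if __name__ == "__main__":
    for target, coarse, fine in compare(SAMPLE_FLOWS):
        print(f"{target:28} coarse={coarse:12} fine={fine}")
```

The ordering of the rules is the design point: the SWG catch-all sits last so that scanning is the default, and only the flows the page says a proxy breaks (pinned apps, real-time media) are carved out explicitly, each with a named rule that shows up in the decision log. Compare the rows the two functions produce for the bad DNS name and the browser video flow: the IP-only tunnel sends both direct, so neither is blocked nor scanned.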
Our Data Management Engine ensures each application operating within the SASE framework never breaks services or apps, while also ensuring that malware, ransomware and phishing are thwarted by DNS blocking and threat protection services. This happens no matter where employees are working.
A security vendor moving into SASE needs to approach the mobile challenge properly and focus on delivering security at scale across all platforms. While a legacy VPN client using split tunneling gets you to market quickly, it is not the right security answer for devices used off the corporate network, including laptops, tablets and smartphones.