What is Fine-Grain Routing? And Why is it the Smarter Choice for Device Security?

Posted June 15, 2022

By Philip Mustain, CEO | Mobolize

Every IT expert knows that cyber threats have increased dramatically in the past couple of years as attackers are increasingly clever about how to take advantage of vulnerabilities. This is especially true with remote employees using their laptops, tablets and smartphones outside the corporate network. To keep these devices secure, IT professionals are having to upgrade their network security implementations to modern Secure Access Service Edge (SASE) solutions, which primarily consist of Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG). But devices off-premises face a host of issues due to the traffic originating on wireless and Wi-Fi networks versus the Local Area Network on premise. To deal with these issues, fine-grain routing of the traffic at the device is essential.

What is routing without fine-grain? Traditional VPNs tunnel all traffic from employee devices to a firewall that can create serious problems. They break internet links that will not accept anything but direct-to-origin traffic. This affects a wide array of services that won’t accept proxy traffic, including video streaming, banking apps and even CraigsList. The result is broken services on PCs or other mobile devices and can result in lack of employee adoption on their BYOD devices leaving these devices vulnerable to thieves.

A security company utilizing a legacy VPN with their product offering will insist that their split tunneling will solve these problems by configuring data routing of intranet traffic from the endpoint device to the firewall allowing everything else to be bypassed and sent directly to origin. But legacy VPN clients only support simple course-grain routing based upon IP addresses, which might suffice for ZTNA but not for Secure Web Gateways (SWG), where the latter needs to scan all traffic. This requires precise traffic steering to avoid breaking internet services.

Why is fine-grain routing needed? Because with fine-grain routing, traffic is directed selectively based on multiple factors, including protocol (DNS vs VOIP vs TCP), endpoint type (Android vs Windows vs iOS vs Mac), app type (browser vs app, cert pinning, etc.) and server type. This level of routing is a must for SASE and particularly for SWG, because traffic needs to be handled differently for each internet service to avoid breaking them. On some platforms, such as Android and iOS, both ZTNA and SWG must be enabled by a single VPN client and this is not possible without a smarter, next generation client that can provide this selective fine-grain routing within a single unified SASE client.

Mobolize’s Data Management Engine provides a solution to the need for smart device security. It’s resident on each device which enables fine-grain, precision control of data traffic. All data flows through the on-device engine where advanced targeting and routing capabilities enable precision control. By looking at the DNS, hostname, app, port and protocol, our engine decides if the data needs to be encrypted, tunneled (full, split, micro-tunnels) blocked, enhanced or sent direct to origin. All this regardless of whether the network being used is Wi-Fi or cellular.

Our Data Management Engine ensures each application operating within the SASE framework never breaks services, applications or apps while also ensuring that all malware, ransomware and phishing is thwarted by DNS blocking and threat protection services. This happens no matter where employees are working.

A security vendor moving into SASE needs to approach the mobile challenge properly and focus on delivering security at scale across all platforms. While a legacy VPN client utilizing split tunneling gets you in the market quickly, it is not the right security answer for devices being used off the corporate network, including laptops, tablets and smartphones.

Data Management Engine, fine-grain routing, mobile, mobile security, Mobolize, problems with legacy VPNs, SASE, Work from home, ZTNA

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.