How SonicWall Cloud Secure Edge (CSE) Works
Description
A generalized diagram that depicts all the SonicWall Cloud Secure Edge components is shown below. The components work in concert to deliver a zero-trust platform, across which access control policies can be centrally managed.
Banyan Architecture
Cloud Secure Edge #
The Cloud Secure Edge mediates access from your users to their corporate resources. SonicWall supports a flexible edge deployment model where you can use SonicWall’s infrastructure and/or use your own. For access to private resources, you need to deploy one of the Cloud Secure Edge’s Server Components - Access Tier or Connector - in the De-Militarized Zone (DMZ) of your data centers and cloud environments.
Access Tier #
The Access Tier is an identity-aware proxy and gateway that mediates access between entities on the internet and your internal services. Each Access Tier has a public IP address that is reachable from the internet and accepts inbound connections, typically on ports 443 (web services), 8443 (infrastructure services) and 50482 (Service Tunnels).
The Access Tier is responsible for:
- Mediating access between users and internal resources.
- Enforcing the user’s and the device’s security posture, called a Trust Level, when accessing protected resources.
Global Edge Network & Connector #
The Connector is a dial-out component that establishes a secure tunnel with the Global Edge Network, which comprises of Access Tiers hosted and managed by SonicWall for your organization. We use Google Cloud Platform (GCP) as our edge infrastructure provider, enabling us to use one of GCP’s 25+ global regions to provide fast and reliable connections to users around the world. The Connector can be deployed in any location that has connectivity to your internal services and connects outbound only. Traffic will flow from entities on the internet to a Access Tier in the Global Edge Network, and then through the Connector to the internal service.
The Connector is responsible for:
- Maintaining a connection from to the Global Edge Network
- Mediating access to internal resources
App #
The app is a cross-platform endpoint client, installed on desktop and mobile devices.
The app is responsible for:
- Device Registration for device authentication
- Device Trust Scoring for device posture checks
- Providing a services catalog of internal websites, infrastructure, and service tunnels to connect to
- Enabling Internet Threat Protection policies
Clientless #
SonicWall also supports clientless access to resources for scenarios where the desktop or mobile app cannot be installed. This is beneficial for third-party vendors and contractors as well as temporary access use cases.
There are three flavors of clientless SonicWall supports:
- User authentication with Layer 7 policies
- Device registration and compliance checks via validating a device certificate deployed by an endpoint manager
- Device posture checks and continuous evaluation to websites with a lightweight browser extension
Cloud Command Center #
The Cloud Command Center is a central management console for IT Administrators and Security teams to manage the Cloud Secure Edge solution. You can interact with the Command Center via the web portal or the RESTful API, to develop and enforce policies based on user/device, configure alerts for security events and visualize real-time connectivity.
The Command Center includes two subcomponents that we sometimes call out explicitly:
- Shield is a coordinator, deployed to create logical groups of Access Tiers. Shield manages a Private PKI (Public Key Infrastructure) to distribute cryptographic identities (X.509 Certificates) to clients and services in your organization.
- TrustProvider is a federated authentication manager that uses OpenID Connect / OAuth-based workflows to authenticate end users and devices. TrustProvider integrates with your enterprise identity provider to deliver short-lived cryptographic credentials to authenticated end users on approved devices.
The Cloud Command Center is delivered as a Software-As-A-Service (SaaS) offering.