Introduction
SASE on SIM is an extension of Versa’s Private SASE solution. It delivers SASE features without the overhead of a SASE agent on end user devices. Unlike other SASE solutions, SASE on SIM is tenant aware, which means Mobile Network Operators (MNOs) do not need to create a dedicated APN per tenant.
The solution was originally developed for Mobile Network Operators, hence the term ‘SASE on SIM’. The same solution can, however, also be applied to wireline access technologies such as DOCSIS and xDSL offered by Telcos and Service Providers.
To enforce SASE features on agentless devices, traffic towards the Internet flows through Versa SASE Gateways. In addition, Versa’s Smart Aggregator is placed between the agentless devices and the Versa SASE Gateways to perform tenant-aware load-balancing and to provide resiliency. The SASE Gateway enforces the same rich set of SASE features regardless of whether the end user connects with an agent or agentless.
Identification of agentless devices occurs through the integration of the SASE Gateways (using Versa Messaging Service) with the provisioning platform of the MNO, Telco or Service Provider. Through this integration, SASE Gateways are aware of the identity, tenant and IP address of agentless devices. For identification purposes either the IMSI (International Mobile Subscriber Identity) or the Wireline ID (circuit ID) is used.
Components
The SASE on SIM solution has two main building blocks:
• SASE Gateway POP: The SASE Gateway POP is responsible for security enforcement. It is composed of Versa SASE Gateways along with Versa Smart Aggregators. The purpose of the Versa Smart Aggregator is to load-share traffic between the SASE Gateways that belong to the agentless tenant. The number of SASE Gateway POPs is driven by the geographical resiliency and latency requirements.
• SASE Headend POP: Versa headend components, required to monitor and manage the Versa SASE Gateways, are deployed in a single or multiple SASE Headend POPs. They provide integration to the MNO provisioning, OSS/BSS Tools and other platforms. The number of Headend POPs is driven by the resiliency requirement. The Headend POPs contain all necessary components to manage and control the SASE on SIM solution in addition to other SSE and SDWAN solutions offered by Versa’s private SASE solution.
SASE Headend POP
In an agentless deployment, the distribution of certificates, required for seamless TLS decryption, is not part of the solution. In an agent-based setup the Versa SASE Client deploys those certificates.
Components of a Headend POP:
• Versa Concerto is the overarching orchestration platform
• Versa Director is for service provisioning, activation, and real-time monitoring of SASE networks. Versa Director is a GUI- and RESTful API-based solution that aids in visualizing configuration tasks
• Versa Messaging Service (VMS) receives end-user-to-IP mapping information from the MNO. The data is then relayed to the Versa SSE Gateways and Smart Aggregators for tenant identification
• Versa Analytics is a big-data-based solution that analyzes logs and events and provides reports and analytics
• Versa Controller provides a control plane entry point for SASE Gateways
Figure 1 Headend POP overview
Integration with MNO provisioning platforms happens in Versa Concerto and Versa Messaging Service.
Versa Messaging Service receives the identity (IMSI or circuit ID) and IP address information via RADIUS or Kafka messages and publishes it to the Smart Aggregators and SASE Gateways.
On Versa Concerto the tenant itself, the device identity (IMSI or circuit ID) and the security policy need to be provisioned. A REST API allows these tasks to be automated. From Versa Concerto, administrators can reach Versa Analytics for logs and analytics data.
SASE Gateway POP
The SASE Gateway POP enforces the security policy and provides connectivity between agentless clients and the Internet.
Components of the SASE Gateway POP:
• Versa Smart Aggregator provides port aggregation and routing between Versa SASE Gateways and external networks, like the Internet. It is also responsible for tenant-aware load-sharing of traffic between SASE gateways.
• Versa SASE Gateways enforce the configured security policy and route traffic to the Internet. The gateway is tenant aware, and each tenant has its own security policy.
Figure 2 SASE Gateway POP overview with an example flow
Overlay networks
The SASE on SIM solution uses two types of overlay networks:
• Versa SD-WAN. The Versa SD-WAN overlay network is used between the SASE Headend POPs and the SASE Gateway POPs. This provides connectivity for different control plane flows, like Versa Director access to VOS devices.
• EVPN/VXLAN. The industry standard EVPN/VXLAN is used within and between the SASE Gateway POP components to provide connectivity in a scalable way for multiple VPNs (like Internet or cellular network).
Provisioning flows
There are two main provisioning flows, both initiated from the MNO side.
Tenant and security policy provisioning
The tenant and security policy provisioning and maintenance happens through Versa Concerto. Versa Concerto pushes the tenant and security policy configuration through the Versa Directors to the gateways.
Figure 3 Tenant and policy provisioning flow
IMSI provisioning
During IMSI provisioning, the identity information of the agentless device is transferred to the SASE on SIM platform. Without that information the gateways are not able to identify the device and its tenant, and the traffic is dropped.
The provisioning happens in the following way:
The Tenant Administrator configures an IMSI or circuit ID in Versa Concerto. Concerto publishes this information, along with the tenant information, through the Versa Directors to the Versa Messaging Services, which store it in their database.
When the device with the configured IMSI or circuit ID comes online, the MNO must send a message to the Versa Messaging Service with the identity (IMSI or circuit ID) and the actual IP address used by the agentless device. Once the IMSI-to-IP-address mapping is received, VMS updates the SASE Gateways and Versa Smart Aggregators with the identity, tenant and IP address information. Traffic originating from the agentless device can then be evaluated against the policy hosted on the SASE Gateway.
Figure 4 IMSI or circuit ID provisioning
Data plane traffic flow
The following example demonstrates the data plane traffic flow.
Two wireless mobile devices are connected to the cellular network and are subscribed to the SASE on SIM service. One device belongs to customer A and the other to customer B. Internet traffic from the mobile devices travels through the cellular network and is handed over an NNI (Network-Network Interface) to the Versa Smart Aggregator in the SASE POP.
Versa’s Smart Aggregator is tenant aware; it knows which tenant is deployed on which SASE Gateways and is aware of the IP-to-tenant mappings. Using this information, the Versa Smart Aggregator selects one of the SASE Gateways and forwards the traffic. It creates a “reverse flow” entry to ensure return traffic is forwarded to the same SASE Gateway.
NOTE: The Versa Smart Aggregator can load-balance between local and remote SASE Gateways. This allows traffic to be load balanced between SASE Gateways in both local and remote SASE POPs, and it also provides resilience in the event of a local SASE POP issue.
In the drawing below three SASE Gateways are shown: one gateway has both the customer A and customer B tenants configured, while the others have only one of them.
The SASE Gateways are also aware of the IMSI-Tenant-IP mappings; hence they place traffic in the correct customer tenant and enforce the tenant’s security policy. After enforcement, the traffic is forwarded to the Internet through the Smart Aggregator.
Figure 5 Example data plane traffic flow
Return traffic from the Internet traverses Versa’s Smart Aggregator. This design ensures traffic symmetry: return traffic is forwarded to the same SASE Gateway that handled the outbound session.
If the agentless device uses a non-Internet-routable address, such as an RFC1918 or RFC6598 address, the SASE Gateway performs NAT to a public address.
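The provisioning flow (identity provisioned per tenant, IMSI-to-IP binding announced by the MNO) and the data plane flow above (tenant-aware gateway selection with a reverse-flow entry, per-tenant enforcement, NAT for RFC1918/RFC6598 sources) as one constructed toy model; this is added example code, not Versa’s implementation, and the gateway names, tenant policies and the deterministic gateway-selection rule are assumptions.

```python
import ipaddress

class SaseOnSimModel:
    """Toy model (constructed example, not Versa code) of the SASE on SIM control and
    data plane: provisioning, identity-to-IP binding, gateway selection, enforcement."""
    def __init__(self, gateway_tenants, tenant_policy, nat_pool_ip):
        self.gateway_tenants = gateway_tenants  # gateway name -> set of tenants hosted
        self.tenant_policy = tenant_policy      # tenant -> set of denied destination IPs
        self.nat_pool_ip = nat_pool_ip          # public address used when NAT is needed
        self.identity_tenant = {}               # provisioned IMSI / circuit ID -> tenant
        self.ip_binding = {}                    # client IP -> (identity, tenant)
        self.reverse_flow = {}                  # (client_ip, dst_ip) -> gateway
    def provision_identity(self, identity, tenant):
        """Concerto -> Directors -> VMS: store the identity with its tenant."""
        self.identity_tenant[identity] = tenant
    def device_online(self, identity, ip):
        """MNO -> VMS message; rejected when the identity was never provisioned."""
        tenant = self.identity_tenant.get(identity)
        if tenant is None:
            return False
        self.ip_binding[ip] = (identity, tenant)
        return True
    def aggregator_forward(self, client_ip, dst_ip):
        """Pick a gateway hosting the client's tenant; None means the flow is dropped."""
        if client_ip not in self.ip_binding:
            return None
        tenant = self.ip_binding[client_ip][1]
        gws = sorted(g for g, ts in self.gateway_tenants.items() if tenant in ts)
        if not gws:
            return None
        gw = gws[int(ipaddress.ip_address(client_ip)) % len(gws)]  # assumed spread rule
        self.reverse_flow[(client_ip, dst_ip)] = gw  # return traffic must use this gateway
        return gw
    def aggregator_return(self, client_ip, dst_ip):
        """Return traffic from the Internet is steered by the reverse-flow entry."""
        return self.reverse_flow.get((client_ip, dst_ip))
    def gateway_enforce(self, client_ip, dst_ip):
        """Place the flow in its tenant, apply that tenant's policy, NAT private sources."""
        binding = self.ip_binding.get(client_ip)
        if binding is None:
            return ("drop", None, None)  # no identity/IP mapping: the gateway drops it
        tenant = binding[1]
        if dst_ip in self.tenant_policy.get(tenant, set()):
            return ("deny", tenant, None)
        addr = ipaddress.ip_address(client_ip)
        needs_nat = addr.is_private or addr in ipaddress.ip_network("100.64.0.0/10")
        return ("allow", tenant, self.nat_pool_ip if needs_nat else client_ip)
```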
Network connectivity between POPs
In a typical SASE on SIM deployment, the following networks are used to connect the MNO, the Headend POPs and the SASE POPs:
• Headend Northbound Network: This network provides connectivity between the MNO OSS/BSS, provisioning tools and the SASE Headend fabric.
• Headend POP Interconnect: This is a synchronization network between the Headend POPs, used by Versa Concerto, Versa Director and Versa Analytics.
• SASE POP Interconnect: This is an underlay network between the Headend and the SASE POPs.
• Internet: Internet connectivity for the SASE POPs.
• Private APN, Wireless and Wireline Networks: These are the access networks which provide connectivity to agentless devices. Their implementation depends on the MNO provider.
Figure 6 Network connectivity between POPs
Redundancy
Headend POP
The headend POP components can be spread across multiple physical locations. Each component has its own redundancy solution.
• Versa Concerto can be deployed as a 3- or 5-node cluster consisting of Active, Standby and Arbiter nodes.
• Versa Director is deployed in an Active-Standby setup through two physical locations.
• Versa Messaging Service is deployed in an Active-Active setup and can be deployed in geo-resilient and non-geo-resilient topologies.
• Versa Analytics can be deployed as a cluster in a single location, as a cluster spanning multiple locations, or as multiple clusters over multiple locations.
• Versa Controller can be deployed as individual devices across multiple sites.
SASE Gateway POP
The SASE Gateway POP, as an individual building block, can be deployed in multiple sites to achieve geo-resilient redundancy. Within each SASE Gateway POP the components are also deployed in a redundant way:
• Versa Smart Aggregator is composed of a minimum of two Versa CSX switches (for port aggregation) and a minimum of two Versa CSG devices for tenant-aware load-balancing. As an architecture, Versa’s Smart Aggregator is horizontally scalable.
• Versa SASE Gateway: each SASE Gateway POP contains multiple Versa SASE Gateways. Gateways can have an Active or Standby role.
Further documents
1. Configure SASE for SIM – Versa Networks – Requires login.
2. SASE on SIM | Versa Networks – No login required.