《5G Redcap輕量化通用模組技術(shù)要求白皮書(shū)》

Version:v.0.4DocumentntialLeveloGTIOperatorMembersGTIPartnersWorkingGroupskTaskTPMPJ5GEndogenousSecuritycemembersrtmembersJiaChen(CMCC),LiSu(CMCC),KaiYang(CMCC),PengRan(CMCC),CancanChen(CMCC),YuhangZhao(CMCC),HaiyangSu(CMCC),HaiyanZhao(CMCC),XinmiaoYang(CMCC),DongjieLu(CMCC),YiJiang(CMCC),MingXiaBo(CT),BanglingLi(CMCC) (06-08-2023)ApprovalDate2onfidentialityThisdocumentmaycontaininformationthatisconfidentialandaccesstothisdocumentisrestrictedtothepersonslistedintheConfidentialLevel.Thisdocumentmaynotbeused,disclosedorreproduced,inwholeorinpart,withoutthepriorwrittenauthorizationofGTI,andthosesoauthorizedmayonlyusethisdocumentforthepurposeconsistentwiththeauthorization.GTIdisclaimsanyliabilityfortheaccuracyorcompletenessortimelinessoftheinformationcontainedinthisdocument.Theinformationcontainedinthisdocumentmaybesubjecttochangewithoutpriornotice.機(jī)密性:本文件可能包含機(jī)密信息，而對(duì)該文件的訪問(wèn)權(quán)限僅限于機(jī)密級(jí)別的人員。在TI改，恕不另行通知。ry31SASEOverview42ScenarioRequirementsAnalysis63OperatorSASEFramework84TelecomOperatorsSASEApplicationCases5Outlook6Summary41SASEOverview1.1BackgroundWiththewidespreadadoptionofmobilenetworksandcloudcomputing,enterprisedigitaltransformationisaccelerating.Thecorebusinessandcriticaldataofenterprisesarebeingtransferredfromtraditionaldatacenterstothecloud.Atthesametime,theoperationmodeandworkstylesofenterprisesarebeingchangedsignificantly,withthepopularizationofmulti-pointofficeandremote/mobileoffice.Traditionalnetworksecurityarchitectureisnolongersuitableforthetrendofbusinessdigitizationandcloudization.Forexample,traditionalsecuritystrategiesareprimarilybasedonboundaryprotection,whichsetsupsecuritydevicesatthenetworkboundaryoftheenterprisetoprotectitsnetworkanddata.Howeverbusinessdigitizationandcloudizationhaveblurredtraditionalnetworkboundaries,andstackingmultiplesecuritytechnologiesmayincreasethecomplexityofenterprisesecuritysystems,leadingtooperationaldifficultiesandedefficiencyIntheprocessofbusinessdigitaltransformation,enterprisesneedtoflexiblyconfiguretheirnetworkandsecurityservicestocatertovariousnetworkaccessscenarios,andprovidesecuritythatmeetsexperienceandpolicyrequirements.In2019,GartnerintroducedSASE(SecureAccessServiceEdge)intheirreport"HypeCycleforEnterpriseNetworking2019",whichtheybelievedwasthesolutiontothisproblem.1.2DefinitionAccordingtotheGartnerreport‘TheFutureofNetworkSecurityIsintheCloud’,thesecureaccessserviceedgeisanemergingofferingcombiningcomprehensiveWANcapabilitieswithcomprehensivenetworksecurityfunctions(suchasSWG,CASB,FWaaSandZTNA)tosupportthedynamicsecureaccessneedsofdigitalenterprises.SASEsupportsbranchoffice,remoteworkerandon-premisessecureaccessusecases.SASEisprimarilydeliveredasaserviceandenableszerotrustaccessbasedontheidentityofthedeviceorentity,combinedwithreal-timecontextandsecurityandcompliancepolicies.1.3BenefitsWithSASE,enterprisescaneliminatetheeffortandcostsrequiredtomaintaincomplexandfragmentedinfrastructuremadeofpointsolutions.SASEalsoobtainsmoreflexible,efficient,andsecurenetworkandsecurityservicestobettercopewiththegrowingchallengesofmodernnetworksplicitySASEintegratesnetworksecurityservicesintocloudplatforms,providingidentity-centeredsecurityprotection.Itdeterminesroutingselectionandaccesslevelbasedoncomprehensivetrustevaluationofroles,deviceinformation,userbehavior,location,andother5features,andformulatesaunifiedsecuritypolicyfortheentirenetwork,protectingenterprisenetworksandachievingnetworksecurityanddatasecurityinablurrednetworkboundaryenvironmentwithoutanydeviceorlocationrestrictions.2.EfficiencyTheSASEsecurityframeworkcansinksecurityandnetworkcapabilitiestoPoP,CPEs,orcontrolledterminals.Branchesanduserscanaccessnearbyaccordingtotheirneeds,reducingthemiddlelinkofdatatransmission,therebyreducingnetworklatencyandpacketlossandimprovingnetworkperformanceandefficiency3.SecuritySASEintegratesmultiplesecurityfunctionsononeplatformwithabundantservices.Byusingintelligentproxytechnology,alldataflowsthroughunifiedsecuritycontrolanddetection,therebyimprovingsecurityandreliabilityandreducingtheriskofdataleakageandattacks.4.FlexibilityWithSASE,enterprisescanflexiblyexpandandcustomizecloudoredge-sidesecurityfunctionsaccordingtotheirbusinessscenariostomeetthenetworksecurityneedsofdifferentbusinesses.1.4AdvantagesforTelecomOperatorsAsprovidersofnetworkinfrastructure,telecomoperatorshavesignificantadvantagesinbuildingSASEcomparedtootherindustries,specificallyintermsofthecomprehensivenetworkinfrastructure,thestrongstandardpromotioncapability,andthehighbrandinfluenceadvantageOperatorsalreadyhaveanetworkinfrastructurethatcoverstheworld,providinghigh-reliabilityandhigh-performancenetworkservicesglobally,savingotherindustries'investmentcostsinconstructingandmaintainingthenetworkinfrastructure.Inaddition,operatorshaveyearsofexperienceandresourcesinthesecurityfieldandcanprovidecomprehensivesecuritysolutionsforenterprisestoensuretheirnetworksecurity.Also,SASEPoPscanreusenetworkaccesspointsandcloudresourcepoolsdeployedbyoperatorsinvariouslocations,andSASEedgedevicescanreusenetworkCPEsofoperators,therebyreducingtheimplementationcostofSASE.2.StandardadvantageBypromotingthedevelopmentofenterpriseandindustrystandards,operatorscanintegratethenetworkandsecuritycapabilitiesofvariousmanufacturers,andprovideenterprisecustomerswithafull-stack,optimalnetworkandsecuritycapability.3.BrandadvantageOperatorshaveawiderangeofindustrycustomerbaseandstrongbrandeffect.SASEservicespromotedbyoperatorsaremoreeasilyacceptedbyenterprisecustomers.Inaddition,addingsecuritycapabilitiestoexistingnetworkservicesmakesiteasierforuserstoaccept.6InternetWideAreaNetworkBranch1RemoteUserCustomerCloudDataInternetWideAreaNetworkBranch1RemoteUserCustomerCloudDataCenter2ScenarioRequirementsAnalysis2.1Scenario1:WideAreaNetworkInterconnectThetraditionalenterprisenetworkiscenteredaroundtheheadquarter,withcommunicationbetweenbranchesandaccesstotheinternetgenerallypassingthroughtheheadquarterwhereunifiedsecuritymeasuresaredeployed.Inawideareanetworkscenario,itisnecessarytoachieveflexibleinterconnectionamongmultipleentitiesacrossthenetwork,andthereisagreaterneedforinterconnectionbetweenbranchesandthecloud.Directbranchaccesstotheinternetisalsobecomingmorecommon.Enterprisesshouldstrengthennetworksecurityprotection,performsecuritydetectiononendpoints,andensuredatasecurityinservers.Enterprisesneedtodedicateencryptedtransmissionchannelstopreventdatatheftandtampering.BoundarysecuritydevicesneedtobedeployedtoprotectagainstDDoSattacksandnetworkintrusionsfromtheinternet.Inaddition,topreventunauthorizedaccesstobranches,clouds,andheadquarters,anidentityauthenticationmechanismshouldbedeployedamongbranches,clouds,andheadquarters.BranchBranch2eanetworkinterconnect2.2Scenario2:Mobile/RemoteAccessWhenemployeesworkremotely,andwhencustomersorthirdparties(contractors,partners,etc.)accessenterpriseservices,theyneedseamlessaccesstoenterpriseapplicationslocatedinthecloudanddatacenters,whilealsobeingabletoaccesstheinternet.Enterprisesneedtoprovidesecurityprotectionstrategiesattheendpoints,inthecloud,andattheenterpriseheadquarters.Enterprisesshouldstrengthensecurityprotectionfromtheterminal,network,andserver.Topreventtheaccessterminalfrombeingusedasaspringboardtoattacktheinternalnetworkandapplications,enterprisesshouldprotectthesecurityofemployees'officeterminals,suchaspreventingvirusesandintrusions.Accessfromclientendpointsandthird-partyendpointsshouldberestrictedtopreventingnetworkthreats,suchasdeployingwebprotectionfacilitiesandantivirusfacilities.Afteraterminalaccessesthenetwork,itisessentialforenterprisestoauthorizetheidentityoftheusersandmonitortheirbehaviortoensuresecurity.Moreover,enterprisesalsoneedtomonitorencrypted/non-encrypteddatastreamstoprevententerprisedatafrombeingleakedortampered,anddetectenterprisedatadownloadedbyaccessterminalstopreventdatafromdownloadingorobtainingunauthorized.7InternetWideAreaNetworkBranch1RemoteUserCustomerInternetWideAreaNetworkBranch1RemoteUserCustomerInternetWideAreaNetworkBranch1RemoteUserCustomerInternetWideAreaNetworkBranch1RemoteUserCustomerCCloudDaDataCenterBranchBranch2reMobileremoteaccess2.3Scenario3:BusinessMigratetotheCloudIncertain5GandIoTusecases,lowlatencyandhighreliabilityareessential.Toachievethis,trafficmustbeforwardedtolocaledgecomputingnodesforrapidcomputationandprocessing.Besides,oncethedataisprocessedbytheedgecomputingnodes,theresultscanbeuploadedtothecloudordatacenter.Enterprisesneedtostrengthenendpointsecurityandprotectdatasecurity.Whentheprivatenetworkisconnectedtothepublicnetwork,accessdevicesneedtobeauthenticatedtopreventspoofeddeviceaccess;DDoSattacksandnetworkintrusionfrommassiveprivatenetworkdevicesneedtobeprevented;addressobfuscationforprivatenetworkdevicesisneededtopreventsensitiveinformationleakage.Edgecomputingnodesneedtoimplementsecurestorageofdatatopreventuserdataleakage;toensureedgedevicesfromdifferentindustriescanaccesstotheindependentnetwork,computing,andstorageresources,resourceisolationshouldbeimplemented;encryptionsecurechannelsneedtobeestablishedbetweenprivatenetworkdevicesandedgecomputingnodes,andbetweenedgecomputingnodesandcloud/datacenters,toprotectdatasecurity.Inactualcommercialoperatingenvironments,singleaccessscenarioisgenerallyunabletomeetenterpriseneeds.Enterprisenetworksoftenoperateinmixedscenarioscomposedofmultiplebasicaccessscenarios,forexample,amultinationalcateringcompanyhasbranchesaroundtheworldthataccessthecentraldatacenter,andemployeesorthirdpartiesneedtoaccessitremotely.CCloudDatDataCenterBranchBranch2gurebusinessmigratetothecloud2.4Summary8SD-WANWideAreaInterconnection TLS/IPSec...SD-WANWideAreaInterconnection TLS/IPSec...WGTelecommuting/RemoteAccessZTNARBIPrivateNetworkAccessaSWAF/CASBBasedontheaboveapplicationscenarios,thecorrespondingsecurityrequirementsandcapabilitiesofthescenariosundernewbusinessaresummarizedinFigure2-4.siesAntiDistributedDenialofServiceNetworkNetworkRoutingTrafficEncryptionProvidedifferentQualityofServiceaccordingtothebusinessauditeuser'sonlinebehaviorTerminalTerminalSecurityAccessControlSecurityprotectionforUnmanageddeviceaccessprocessContinuousassessmentoftrustManytypesofcontentfiltering,suchasemail,FTP,IM...AnonymizationofuserandterminalprivacydatainformationleakagepreventionServerprotectapplicationandAPIsTrafficfiltering,intrusiondetectionandpreventionSecuredatastorageDataIsolationinaMultitenantSystemAntivirusandMalwareProtectionFigurerequirementsandcapabilitiesofthescenarios3OperatorSASEFramework3.1SASEKeyCapabilitiesvesfivekeycapabilitiesincludingSDWANZTNASWGCASBand?SD-WANisthefoundationoftheentireSASEarchitecture,providingtrafficorchestration,unifiednetworkmanagement,on-demandnetworkserviceactivation,andtheabilitytointegratenetworkandsecuritytoachievedynamicroutingandsecureaccesscontrol,tomeetnetworkconnectivityandsecurityrequirements.?ZTNAisthemostcriticalsecuritytechnologyinSASE,which,basedonuseridentity,userbehavior,deviceinformation,networkpackets,andapplicationinformation,usesdynamicpermissionmechanismstomeetthedemandforsecureaccess.?SWGisusuallydeployedonthegatewaythatprovidesexternalaccessforinternalusersinacompany,toachievetrafficinspection,filtering,andbehaviorcontrolforinternalemployees,avoidsensitivedataleakage,toprovideprotectionforusers.?CASBisusuallydeployedonthecloudservicesidetomonitorcloudresources,ensuredatasecurity,detectandrespondtomaliciousaccess,andpreventsensitivedataleakage,tomeettheprotectionrequirementsofcloudservices.?FWaaS(includingIPS/IDS)isusuallydeployednearthecriticalnodesthatstoredataresourcesindatacentersandbranchoffices.Basedonuserprotectionpolicies,itfiltersnetworkpacketsandapplicationdata,tomeettheprotectionrequirementsofcriticalpositions.9?Othersecuritycapabilities,suchasWAAP,SDP,RBIandNetworksandbox,areusedtomeetthedemandsforwebapplicationprotection,networkinvisibility,browsersecurity,andotherrequirements.3.2SASEFunctionalFrameworkTomanagetheabovenetworkandsecuritycapabilities,acompleteSASEarchitecturemustincludenetworkandsecuritycapabilitymanagement,orchestrationandconfigurationmanagementfunctions,capabilityconfiguration,datavisualization,andtenantmanagement,aswellasinfrastructuretodeployallfunctions.Therefore,thebasicfunctionalframeworkofSASEisasfollows:TenantmanagementSecurityalertSASETenantmanagementSecurityalertCapaCapabilityconfigurationDatavisualizationNetworksecuritycollaborativeorchestrNetworksecuritycollaborativeorchestrationNetworkfunctionmanagementSecurityfunctionmanagementBBusinessorchestrationSASEkeycapabilitieslayerSD-WANTLS/IPSecSWGZTNAaaSWAF/CASBServerresourcelManServerresourcelManagedendpointCCPEigureSASEFunctionalFramework?TheSASEmanagementpresentationlayeristheinterfacethatSASEpresentstousers,providingfunctionssuchascapabilityconfigurationanddatavisualizationtousers;?TheSASEorchestrationsupportlayerisresponsiblefortheorchestrationandmanagementofnetworkandsecuritycapabilities.Itanalyzesuserbusinessrequirements,collaborativelyorchestratesandmanagesnetworkandsecurityfunctions;?TheSASEkeycapabilitylayerprovidesnetworkandsecuritycapabilitiesforvariousriodemandsintheSASEframeworkASEinfrastructurelayeristhesoftwareandhardwareinfrastructurefordeployment,operationandmaintenancemanagement,keytechnologies,andbasicsupport,includingbutnotlimitedtoCPEs,PoPs,resourcepools,controlledterminals,servers,andotherdevices.3.3OperatorSASEDeploymentArchitectureOperatorscanusetheirexistingnetworkstobuildanoperatorSASE.ThedeploymentarchitectureofoperatorSASEisasfollowsCASBPoPFWaaSSWGFWaaSInternetSASEedgedevices:SD-WANCPEInternet/MPLSSASEedgedevices:UserterminalZTNACASBPoPFWaaSSWGFWaaSInternetSASEedgedevices:SD-WANCPEInternet/MPLSSASEedgedevices:UserterminalZTNA HybridcloudPoPPrivatecloudPoPPPoPSASEcloudecPoPCompanyemployees/BranchDatacenterCustomers/thirdpartiesFigureSASEDeploymentReferenceFrameworkSASEPoPsarepartoftheSASEinfrastructurelayer,controlledbytheSASEorchestrationsupportlayer,andcarrytheSASEkeycapabilitylayer.SASEPoPscandeployvariousnetworkandsecuritycapabilitiesondemandandarethemainimplementationpointsforSASEnetworkandsecurityfunctions.SASEPoPscanreusenetworkaccesspointsandcloudresourcepoolsdeployedbyoperatorsinvariouslocations,therebysavingtheconstructioncostofSASE.SASEcloudisamulti-tenantcloudcomposedofSASEPoPs,whichintegratesvariousnetworkandsecurityfunctionsofoperatorsandprovidesthemtoaccessusersunderthecoordinationandmanagementoftheSASEmanagementplatform.SASEedgedevices,includingcontrolledterminalsandCPEs,arepartoftheSASEinfrastructurelayer,controlledbytheSASEorchestrationsupportlayer,andcarrytheSASEkeycapabilitylayer.SASEedgedevicescanintroduceusertrafficintotheSASEcloudthroughencryptedchannels,andcanalsodeployvariousnetworkandsecuritycapabilitieswithlowerresourcerequirementsondemand,thusensuringtheflexibilityoftheSASEframework.SASEedgedevicescanreusenetworkCPEsofoperatorstosavethecostofSASEconstruction.TheSASEmanagementplatformisaunifiedvisualandmanageablecontrolplatformthatcarriesthemainfunctionsoftheSASEorchestrationsupportlayerandthemanagementpresentationlayer.Itisresponsiblefortheunifiedmanagementofnetworkandsecuritycapabilities,theconfigurationofnetworkandsecuritypolicies,visualization,andoperationandmaintenancefunctions.Customerscansubscribetonetworkandsecurityservicesasneededandselectivelyenableconfigurationservices.TheSASEmanagementplatformcanbeintegratedasapartoftheoperator'snetworkmanagementplatform,reducingthecostofSASEconstructionandusage.WhencarriersbuildtheSASEframework,theyusuallyusethefollowingtwomodes:debasedonpublicnetworktunnelInternetUserSASECloudTargetUserSASECloudreSASEmodelbasedonpublicInternetTheoperatorestablishesatunnelonthepublicnetworktodivertusertraffictoSASECloudfornetworkandsecurityprocessingandthendivertsittothetargetbusiness.Thecommonimplementationmethodisthattheoperatordeployssecurityandnetworkcapabilitiesinpublicclouds,networkclouds,andotherlocationstoestablishmultipleSASEPoPsthroughoutthenetworktoformSASECloud.Then,throughtheSASEmulti-tenantmanagementplatform,theoperatorcancallandmanagethesecapabilities.UsersinstallSASEAgentontheirPCsandmobiledevicestoestablishapublicnetworktunnelwiththenearestSASEPoPtoaccessSASECloud.Whenusersaccessthetargetbusiness,theaccesstrafficisdivertedtoSASECloudthroughthepublicnetworktunnelfornetworkandsecurityprocessing,andfinallydivertedtothetargetbusinesstocompletethesecureaccessprocess.Thismodeltargetssmallandmedium-sizedenterprisesandindividualusers,focusingonprovidingcost-effectivesecurityandnetworkservices,achievingflexiblemobile/remoteaccess,andaccessingtargetbusinessesacrossoperators.TheSASEserviceunderthismodeldoesnotrequireassociationwithleasedlinesorSDWANandothernetworkservices.SASEmodelbasedonleasedline/SD-WANSASECloudTargetbusinessdelbasedonleasedlinesSDWANTheoperatordivertsusertraffictoSASECloudfornetworkandsecurityprocessingughleasedlinesSDWANandthendivertsittothetargetbusinessThecommonimplementationmethodisthattheoperatorcustomizesthedeploymentlocationofnetworkandsecuritycapabilitiesandtheSASEmanagementplatformbasedonuserneeds.Thesecuritycapabilitiesandmanagementplatformcanbedeployedinedgeclouds,userintranetservers,privateclouds,networkclouds,andotherlocationsclosetotheuser.UsersaccesstheleasedlinesthroughCPEdevicesandconnecttoSASECloud.Whenusersaccessthetargetbusiness,theaccesstrafficisdivertedtoSASECloudthroughtheleasedlinefornetworkandsecurityprocessing,andfinallydivertedtothetargetbusinesstocompletethesecureaccessprocess.Thismodeltargetslargeenterprisesorgovernmentagencieswithmultiplebranches,focusingonprovidinghigh-qualityandefficientnetworkandsecurityservices.TheSASEserviceunderthismodelisassociatedwithleasedlinesorSD-WANandothernetworkservices.Therefore,thismodelcandeploynetworkandsecuritycapabilitiesandSASEmanagementplatformslocally,inedgeclouds,privateclouds,etc.,andcustomizeusertrafficpologytomeetuserneedsinsecurityprivacyandnetworkqualityofserviceInspecificimplementations,operatorscanmixtheabovetwomodels.Forexample,theycanusemodel1whenusersworkremotelyormove,andusemodel2whentheyworkwithintheenterpriseoraccesscorebusinessestomeetthedifferentiatedneedsofusersinmultiplescenarios.4TelecomOperatorsSASEApplicationCases4.1Case1:WANInterconnectionofMultinationalCorporationBackground:Duetonationalpolicies,multinationalcorporationneedtoconvergetheirexposureAndtheyneedtofilterandmonitorthetrafficonthedatasinknodetoensureonlinebehaviorcompliance.Requirement:ConstrictaccesstotheInternet.TrafficisaggregatedtounifiedInternetexportsintheregionalcenterthroughaleasedWANlineinalargebranchorheadquarterstomeetthetrafficcollectionrequirements.Protectthecommunicationbetweenbranchesandtheheadquarter.ProtectandregulatetheaccessofbranchesandtheheadquartertotheInternet.Preventmalware,maliciousconnections,anddataleakage,andunauthorizedaccesstoresourcesAndimplementonlinebehaviorcompliance.tionSolutionforWANInterconnectionofMultinationalCorporationThissolutionisbasedonSD-WANtrafficdiversion.TheusertrafficisdivertedtotheSASEservicesystemthroughtheroutingdevicesontheInternetexportsandPoPsinworksecurityprocessingDeployenoughFWaaSsthatmatchtheperformanceoftheInternetexports.RoutingdevicesontheInternetexportsprovidetrafficdiversiontotheFWaaSsbytenants.Usesecuritycapabilities,suchasapplicationfirewall,intrusionprevention,virusfiltering,URLfiltering,andbandwidthmanagement,toensurethesouthboundandnorthboundsecurityoftheFWaaSsDeployenoughFWaaSsthatmatchtheperformanceonPoPs.RoutingdevicesonPoPsprovidetrafficdiversiontotheFWaaSsbytenants.Usesecuritycapabilities,suchasapplicationfirewallandintrusionprevention,toensuretheeastboundandwestboundsecurityoftheFWaaSs.lFWaaSsaremanagedbytenantsinacentralizedmannerOperators’Advantages:Foronething,operatorshaveanationwidewideareanetwork.AndtheyhavetheinfrastructureneededforacompleteSASEsystemandtheinherentadvantagesofworkingwithvarioussecurityvendors.TheycandeployFWaaSsandvarioussecuritycapabilitiesattheInternetexportsandPoPs.Foranotherthing,operatorshaveawidercustomerbaseandaremoretrustedbygovernmentandenterprisecustomerstoprovideenientlyandsecurely4.2Case2:MobileOfficeandRemoteOfficeofInsuranceindustryBackground:Themobile/remoteaccessterminalsoftheemployeemaybecometheentrypointforattackersandthechannelforenterpriseinformationleakage.Requirement:Enterprisesneedtodeployunifiedmanagementandsecurityprotectioncapabilities,suchasmaliciouswebsitefiltering,mailsecuritydetection,andanti-virus,foremployees’terminals.Enterprisesalsoneedtoidentifyemployees,monitortheirbehaviorsandcontinuouslyconductreal-timetrustevaluationsbasedontheirbehaviors.Enterprisesneedtoencrypttransmitteddatatopreventdataleakageandtampering.utionFigureSASESolutionforMobileRemoteOfficeofInsuranceindustryThissolutionisbasedonpublicnetworktunneltrafficdiversion.TheusertrafficisdivertedtotheSASEcloudthroughasecuretunnelonthepublicnetworkfornetworkrityprocessingThecontrolcenterofSASEissetinthecloud,andtheuseredgedeploysmultiplePoPsondemand.OfficeterminalsdeploySASEclientwithdrainagefunction,whichisresponsibleforestablishingasecuretunnelonthepublicnetworkanddivertingemployees'InternettraffictoPoPs.SASEPoPsdeploymultiplesecuritycapabilitiestoensurethesecuritythroughoutthemobile/remoteaccessprocess.PoPsprotectagainstunknownthreatsthroughadvancedthreatdetectionandprotectionmodule,loadEDRmoduletorealizefasteventresponse,loadzerotrustonlinebehaviormanagementmoduleandDLPmoduletoensureenterprisesecurityThetrafficofemployees’mobile/remoteaccessterminalsisdivertedtotheedgePoPsthroughtheSASEclient.TheidentitymanagementmoduleonPoPsverifiesthereal-timeidentityinformationtomaintaintheminimumemployees’accessrightsandpreventthemtoaccessanyunauthorizedresources.atorsAdvantagesOperatorshavethenecessaryinfrastructureforacompleteSASEsystem,andcanprovideenterpriseswithSASEequipmentleasingservicesontheenterpriseside.Userscanrentequipmentfromoperators,anddonotneedtopurchaseenterprise-sidehardwareequipment,whichreducesusercosts.4.3Case3:Multi-CloudDeployedBusinessAccessingBackground:Theenterprisecloudgraduallymovestothehybridmulti-cloudmode,andtheenvironmentdeploymentismoreandmorediversified.Networkboundaryblurringleadstothefailureofsecuritypolicy,whichbringsnewchallengestoenterpriseinformationcurityRequirement:Realizenetworking,cloudandmulti-cloudinterworkingofaccessusers,andindependentnetworkplanning.Realizethenetworkintegrationinvolvingmultipledevicesandmultipleoperators.Establisheffectivesecurityprotectionmeasuresforthebusinesssystems.tionSASESolutionforMultiCloudDeployedBusinessAccessingThissolutionisbasedonoperatorsleasedline/SD-WANtrafficdiversion.TheusertrafficisdivertedtotheSASEcloudthroughtheleasedlineorSD-WANfornetworksecurityprocessing.Operatorsaggregatezero-trustaccessandservicesystemsecurityprotectioncapabilitiesatthePoPsoftheintelligentcloudnetworkandprovideexternalsecurityservicesthroughSAASproducts.Operatorcloudprivatenetwork,basedontheSRv6standard,realizesend-to-endultra-lowlatencythroughFullMeshnetworking.EnterprisescanaccessitthroughlocalPoPsnearby,convenienttoenterthecloud.Anditbuildsedgecloudstocomplementthecentralcloud.Edgecloud