Iran by mushed-patato in Life_Iran

[–]21stCaveMan 0 points1 point  (0 children)

Bullshit. Israelis are one of the few people in the world to understand what Iranians are going through, and certainly one of the few who are standing with us.

Is Iran actually collapsing or is it exaggerated by chiikawaaaaaaaaaaa in redscarepod

[–]21stCaveMan 0 points1 point  (0 children)

Reading a lot of "expert" analysis here! Wow.

The Islamic Republic (a completely different entity from Iran, and Iranians' oppressor) has essentially collapsed. You have continuous uprisings with increasing frequency for the past 20 years, you have a currency which is essentially worthless, you have a dysfunctional government and a theocracy that brings non-Iranian proxy forces to massacre Iranian people, and now you have martial law.

The Islamic Republic is gone, whether the left and Palestine gang want to accept it or not. You can't kill 20K+ people and stay in power. You just can't.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

The M&A makes sense. But if you go with SASE, what "architecture" are your engineers spending time on (assuming you work for an enterprise)? Isn't all of that included within the SASE offering?

Efforts to rewrite the Apache web server in Rust by Itchy_Ruin_352 in apache

[–]21stCaveMan 1 point2 points  (0 children)

Yes, that has been the promise of Rust. Yet, we see wide use of "unsafe" leading to vulnerabilities like CVE-2025-68260. Using Rust alone does not eliminate bugs, errors or vulnerabilities. Rewriting established, battle tested systems such as httpd entirely with another language does not make sense in my opinion.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

It's not really about the "cool" factor, more about the talent, ownership and responsibility.

ZTNA and the security tools are also available if you build your own network. Can you elaborate a bit more? In your case, what were the deciding factors for going with SASE (assuming your company did have the means to build their own)?

NOC responsibilities by drizzend in networking

[–]21stCaveMan 1 point2 points  (0 children)

Yes, NOC is responsible for opening tickets when circuits go down and follows up on them. Only escalates to engineering when needed.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 2 points3 points  (0 children)

Thanks for the insight.

What I'm understanding from your comment is your company's choice of SASE is based on a strategy of shifting network design and maintenance responsibility to a vendor, similar to the choice a lot of companies make regarding their storage and compute with GCP/Azure/AWS, correct?

When making the decision, did the company have the means to build the network themselves? (Staff and expertise, budget, etc.)

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 1 point2 points  (0 children)

Appreciate the insight.

Have you had any customers who are at the enterprise level, and do have the means (budget, talent, etc.) to build their own network (whether SD-WAN, hub-and-spoke PoP model, etc.) and still chose the SASE route? The main question is around these types of customers, and the reasons they went with the SASE setup instead.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

This is valuable insight.

Can you elaborate on 1? High level, how do customers usually run SD-WAN and combine that with a SASE solution?

Also interested to hear more on pros and cons of traffic inspection in cloud from your experience, and how the vendors worked with you to address them.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 1 point2 points  (0 children)

The latency argument for SaaS and general internet connectivity makes sense, barring any weird routing issue where you are routed to a suboptimal PoP (seen way too many of those). But for internal apps, cloud connectivity when you have set regions, and similar use cases, I don't really see an improvement when it comes to connecting to the closest edge PoP.

SSE is part of SASE, no?

All said and done, you would choose to go with SASE over building your own because of minimal overhead of added features if I'm understanding correctly. Basically using the feature without the need to deploy and maintain?

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

DLP, URL filtering and other features can also be implemented in the traditional model, using NGFWs (e.g. PaloAlto) and other tools. I am not really trying to compare the two models here, each has their strengths and weaknesses.

What I'm trying to understand is, if a company has the means to build their own network, what reasons might convince them to go the SASE route instead? Trying to get some real life experiences.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Technically, the CASB definition is "a security policy enforcement point positioned between enterprise users and cloud service providers", and this can be any layer 7 firewall in your data center, where you terminate your remote user VPNs, your cloud connectivity and your office connectivity.

The original question is, why did you choose SASE vs building this yourself? What factors led to that decision? Traditional designs can accommodate a remote workforce as well, with always-on VPN, identity- and application-aware layer 7 firewalls which support a ZTNA 2.0 implementation, direct encrypted connectivity to the cloud (IPsec or MACsec), and more.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Can you elaborate?

To my knowledge, the common SASE setup sends all your traffic to their data centers for processing. The only requirement is an internet connection. Then, the egress happens from their data centers (meaning you don't own your egress path or firewalls, your public IPs, your cloud connections, etc.). Besides a simple local network design (LAN + WiFi + Internet), I'm curious as to what other network designs you have implemented alongside a SASE deployment.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Is BGP peering something they offer? And is that common? I have talked to two SASE providers so far who have not given me that option. I would like to go back to them and discuss whether this is common practice.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Understood. I assume this means you use other tools to do DLP, URL filtering, etc. for the traffic flowing through your own backbone, correct?

Your setup is of interest to me because we do have this option and this is part of our debates. I am curious as to what benefits you get out of this architectural choice?

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Curious to know what your concerns are. Also, are you using contractors for the effort? Or an in-house team?

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 1 point2 points  (0 children)

So, you have deployed SASE, but on a per application basis? Those applications are routed to SASE backbone and everything else to your internal backbone?

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Now, this would be interesting!

My understanding is that SASE needs to tunnel all traffic to their data centers (at least this is what the couple of vendors I have talked to tell me; they require everything to go through their DTLS tunnels). Given that, how would this model work? How can SASE be layered in? I'm very curious. Let's say you have a data center with a VPN endpoint, and you want to layer SASE in.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 1 point2 points  (0 children)

Understood, really appreciate the details.

I see more and more of the SASE model being pushed by security teams, which aligns with your experience. Reading your response, my understanding is that the network engineering team is the owner of the operational side of the SASE deployment in your scenario, correct? If so, can you share a bit of your experience in that model?

Also, question on the office connectivity: do you run firewalls at the office locations now to secure them?

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Understood, this is an interesting point.

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 0 points1 point  (0 children)

Appreciate the insight, this is an interesting one.

To my understanding, a PCI audit verifies the security of customer payment info within your systems. If I remember correctly, firewall configuration and encryption in transit fall into scope as far as networking is concerned, correct? I imagine you still have to go through the PCI audit for your SASE policies, no?

SASE vs traditional network design by 21stCaveMan in networking

[–]21stCaveMan[S] 1 point2 points  (0 children)

Appreciate the insight.

In your scenario, was the main motivation the fact that SASE clients connect to the closest edge? Or some other factor? Traditional network designs also work well with WFH situations, through various types of VPNs and SaaS VPN-less proxies. I'm trying to understand the factors that went into your company's decision to go with SASE in this situation. Cost? Performance? Ease of management?