SASE vs. SD-WAN: Achieving Cloud-Native WAN Security

From our Partners
5 Min read

For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central data centers in a cost-effective manner. It is the networking equivalent of a killer application that allows companies to use a variety of transport mechanisms besides MPLS and to steer traffic according to business priorities.

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Reduce your AWS costs 
by over 50%

Now the spotlight is shifting to the next evolution of networking: the secure access service edge (SASE). Like SD-WAN, SASE is a technology designed to connect geographically dispersed branches and other endpoints to an enterprise’s data and application resources. While there is some overlap in what the two technologies offer – in fact, SD-WAN is a component of SASE – there are significant differences in capabilities, not the least of which is network security. If SD-WAN gained traction for its flexible connectivity options, then SASE will be defined by its ability to seamlessly deliver full security to every edge on the network.

Enterprises Need a Distributed Network Architecture

Every enterprise, regardless of industry or geography, has a need for secure, high-performance, and reliable networking. In a bygone era, a hub-and-spoke networking architecture centered around an on-premise data center would have met that need—but not so today. A distributed network architecture is critical to support the increasing use of cloud platforms, SaaS applications, and especially remote and mobile workers.

This last requirement is ever more important in a world still experiencing a global pandemic. And even as we eventually move to a post-Covid-19 era, there will be a significant need to support people who continue to work from home, either permanently or occasionally, as well as those who return to the office.

SD-WAN Is a Step in the Right Direction

SD-WAN is a software-based approach to building and managing networks that connect geographically dispersed offices. It uses a virtualized network overlay to connect and remotely manage branch offices, typically connecting them back to a central private network, though it also can connect users directly to the cloud. SD-WAN provides optimal traffic routing over multiple transport media, including MPLS, broadband Ethernet, 4G LTE, DSL, or a combination thereof. However, SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a reliable, well performing network backbone is left unaddressed by SD-WAN appliances alone.

In general, SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge. This only leads to complexity and higher costs as more security services are added as discrete appliances or virtual functions. Another option is known as Secure SD-WAN, a solution which integrates a full security stack into an SD-WAN appliance. In this case, the solution’s effectiveness is limited by the deployment locations of the SD-WAN appliances, which are typically installed at each branch. Security is only applied for the traffic at the branch. What’s more, in deployments covering multiple branches, each appliance needs to be maintained separately, which provides the potential for out-of-sync policies and out-of-date software.

Another shortcoming of SD-WAN is that by design, networking appliances are built for site-to-site connectivity. Securely connecting work-from-home or mobile users is left unaddressed by SD-WAN appliances. While SD-WAN delivers some important benefits, networking appliances alone are not a holistic solution. That’s where SASE comes in.

SASE Is the Future of Secure Enterprise Networking

SASE takes all the capabilities of Secure SD-WAN and moves them to a cloud-based solution, which effectively eliminates geographic limitations. But more than that, the SASE approach converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic, agile, and adaptable service to the digital business.

The SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the SASE Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.

SASE uses a full enterprise-grade network security stack natively built into the SASE Cloud to inspect all WAN and Internet traffic. Security layers include application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and managed IPS-as-a-Service (IPS). SASE can further secure a customer’s network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. And because SASE runs a distributed, cloud-native architecture, all security functions are performed locally at every PoP, eliminating the latency legacy networks introduced by backhauling traffic for security inspection.

Importantly, in this age of work-from-home, SASE easily supports mobile and remote users. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser. All security and network optimization policies that applied to users in the office instantly apply to them as remote users. Moreover, the platform can scale quickly to any number of remote users without worry.

For SASE, It Has to Be Cloud-Native Security

It wasn’t long ago that networking and enterprise security were different disciplines. Silos, if you will. But today, with users working everywhere, security and networking must always go together. The only way to protect users everywhere at scale without compromising performance is the cloud. Converging security and networking together into a genuine cloud service with a single-pass, cloud-native architecture is the only way to deliver high performance security and networking everywhere. That’s the power of SASE.

Originally published in https://www.catonetworks.com/blog/sase-vs-sd-wan-achieving-cloud-native-wan-security/

Latest Articles

Watch: SASE helps AMF Group to boost performance & security while reducing TCO

“Thanks to GlobalDots’ agile and efficient cloud-native innovation, we now have more than a dozen sites connected in various locations in Italy and around the world”. Through this case study, Enrico Fietta, IT Manager at AMF Group, explains how GlobalDots helped the organization to boost performance, improve its security posture, and reduce TCO with SASE.  […]

GlobalDots
23rd January, 2023
You’ll Need Zero Trust, But You Won’t Get It with a VPN

Properly implemented, a zero trust architecture provides much more granular and effective security than legacy security models. However, this is only true if a zero trust initiative is supported with the right tools. Legacy solutions, such as virtual private networks (VPNs), lack the capabilities necessary to implement a zero trust security strategy. Zero Trust Security is […]

Eyal Webber Zvik Cato Networks
12th January, 2023
Case Study: GlobalDots Cuts Complexity & Cost For a Top University with SASE

Located in Tokyo, Waseda University is one of Japan’s top private institutions of academic research and higher learning. Classes were once conducted primarily in-person; the teacher’s whiteboard was one of the most useful learning aids. Network downtime had almost no impact on the students’ quality of study, but Waseda University had already noticed the benefits […]

GlobalDots
24th October, 2022

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential