A comparison between SASE & SD-WAN

Secure access service edge (SASE) and SD-WAN are two networking technologies designed to connect geographically disparate endpoints to a source of data and application resources. 

In August 2019, Gartner analysts Neil MacDonald, Lawrence Orans and Joe Skorupa released a new research report titled ‘The Future of Network Security is in the Cloud’. The report introduced a new offering, labelled Secure Access Service Edge (SASE, pronounced “Sassy”), which single-handedly changed what the future landscape looks like for IT and networking professionals.

What is Secure Access Service Edge (SASE)?

In the Future of Network Security report, Gartner outlined the key findings and recommendations from their research, which converged into an offering answering the ‘increased demand for consolidation of networking and security-as-a-service capabilities into a cloud-delivered secure access service edge (SASE, pronounced “sassy”)’. This new SASE offering has been positioned as a ‘digital business enabler’ which, if the recommendations and findings are applied correctly, will bring speed and agility to digital transformation projects.

Gartner defined Secure Access Service Edge (SASE) specifically as: ‘The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises. SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.’

SD-WAN is an application of software-defined networking (SDN) that uses a virtualized network overlay to connect and remotely manage branch offices. The focus is placed on connecting these branch offices back to a central private network. While SD-WAN can be adapted to connect to the cloud, it is not built with the cloud as its focus.

SASE, on the other hand, centres on the cloud and has a distributed architecture. Instead of concentrating on connecting branches to a central network, SASE focuses on connecting individual endpoints (whether a branch office, individual user, or single device) to the service edge. The service edge consists of a network of distributed points of presence (PoPs) where the SASE software stack runs. Moreover, SASE puts a focus on baked-in security (hence the “secure access” part of its name).

It’s like the difference between sharing files over an intranet versus over Google Drive. Both methods strive to achieve the same end goal, but the two approaches are vastly different.

SD-WAN is a maturing market that has overall seen consistent growth, though the COVID-19 pandemic hindered it somewhat. SASE is comparatively new, since it is a term that was coined by the research organization Gartner in 2019. Despite the SASE market being nascent, many vendors are beginning to enter the market with their own SASE or SASE-like services.

The differences between SASE and SD-WAN can be summarized in three categories:

  • Their relationship to the cloud

  • Where security and networking tools reside

  • How traffic inspection is done

SASE, SD-WAN, and the Cloud – Location of security and networking decisions

SASE’s focus is on providing secure access to distributed resources for the network and its users. The resources can be distributed in private data centres, colocation facilities, and the Cloud. As such, security and networking decision-making is baked into the same security tools. SASE products have security tools that reside on a user’s device as a security agent, as well as in the cloud as a cloud-native software stack. For example, the security agent can contain a secure web gateway and a vendor’s cloud can contain a firewall-as-a-service. In a branch office or other location with a collection of people, a SASE appliance is common to secure agentless devices like printers.

SD-WAN technology was not designed with a focus on security. SD-WAN security is often delivered via secondary features or by third-party vendors. While some SD-WAN solutions have baked-in security, they are not the majority. SD-WAN’s central goal is to connect geographically separate offices to each other and to a central headquarters, with flexibility and adaptability to different network conditions. In an SD-WAN, security tools are usually located at offices in CPE rather than on devices themselves. Networking decisions in an SD-WAN are made in the virtualized networking devices that are spread throughout the network.

SASE vs SD-WAN traffic inspection

With SASE networks, traffic is opened one time and inspected by multiple policy engines at once. The engines run in parallel without passing the traffic between them. This saves time because the traffic isn’t repeatedly accessed as it is passed from one security function to the next as is the case in an SD-WAN. Additionally, these policy engines do as much, if not more, than the security tools in an SD-WAN.

SD-WAN uses service chaining. Service chaining is where traffic is inspected by one security function at a time, one after the other. These individual functions handle one type of threat and are called point solutions. Each point solution opens the traffic, inspects it, closes it up, and then forwards it to the next point solution until the traffic has passed through all point solutions.
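To make the single-pass versus service-chaining contrast concrete, here is a small model added for this article (it is not code from the article, Gartner or any vendor). It assumes a constructed HTTP-like request and three hypothetical policy engines (URL filter, a crude DLP pattern, a body size limit) and counts how often the traffic has to be opened under each architecture:

```python
import re
# Constructed sample (not real traffic): a minimal HTTP-like upload request.
SAMPLE = b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n\r\ncard=4111111111111111"
PARSE_COUNT = {"n": 0}  # how many times the raw bytes were "opened" (parsed)

def parse(raw: bytes) -> dict:
    """Turn raw bytes into a structured request; every call counts as opening the traffic."""
    PARSE_COUNT["n"] += 1
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    return {"method": method, "path": path, "body": body,
            "headers": dict(l.split(": ", 1) for l in lines[1:])}

def serialize(req: dict) -> bytes:
    # Close the traffic back up so it can be forwarded to the next point solution.
    head = f"{req['method']} {req['path']} HTTP/1.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in req["headers"].items())
    return head.encode() + b"\r\n" + req["body"]

# Three illustrative policy engines (hypothetical, not any vendor's); each maps request -> verdict.
BLOCKED_HOSTS = {"files.example.test"}
CARD_RE = re.compile(rb"\b\d{16}\b")  # crude DLP pattern: a 16-digit card-like number

def url_filter(r): return "deny" if r["headers"].get("Host") in BLOCKED_HOSTS else "allow"
def dlp(r): return "deny" if CARD_RE.search(r["body"]) else "allow"
def size_limit(r): return "deny" if len(r["body"]) > 1024 else "allow"
ENGINES = [url_filter, dlp, size_limit]

def single_pass(raw: bytes) -> dict:
    """SASE-style: open once; every engine evaluates the same parsed object
    independently (so they could run in parallel); any deny is final."""
    req = parse(raw)
    verdicts = {e.__name__: e(req) for e in ENGINES}
    return {"final": "deny" if "deny" in verdicts.values() else "allow", "verdicts": verdicts}

def service_chain(raw: bytes) -> dict:
    """Service chaining: each point solution opens, inspects, closes up and
    forwards the traffic to the next, so the bytes are parsed once per engine."""
    verdicts = {}
    for e in ENGINES:
        req = parse(raw)
        verdicts[e.__name__] = e(req)
        raw = serialize(req)
    return {"final": "deny" if "deny" in verdicts.values() else "allow", "verdicts": verdicts}

def parses_for(fn, raw: bytes) -> int:
    PARSE_COUNT["n"] = 0  # run one inspection model and report how often traffic was opened
    fn(raw)
    return PARSE_COUNT["n"]
```

Both models reach the same verdicts on the same traffic; the difference is that the chain opens the bytes once per point solution, and note that the combined verdict must be deny-if-any-deny in either design.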

Similarities between the two networking technologies

Despite serving similar ends, SASE and SD-WAN do not have many architectural similarities. Their higher-level similarities are that both are wide-area networks and both run on virtualized infrastructure.

Both SD-WAN and SASE are designed to cover a large geographic area. The difference lies in the infrastructure. SASE’s infrastructure has private data centres, colocation facilities, or a cloud acting as endpoints. These are where the networking, optimization, and security functions run. In an SD-WAN, these functions run in boxes at a branch and headquarters. Both SASE and SD-WAN can be controlled from anywhere. In SD-WAN’s case, a DIY approach will usually put control in the organization’s headquarters, a managed solution will be controlled remotely by the service provider, and a co-managed solution is similar to a managed solution but with the organization having some control through a portal.

Despite the different formats of the two infrastructures, they are both still virtualized. SD-WAN and SASE do not rely on fixed-function proprietary boxes like a non-virtualized WAN. As previously stated, SASE runs security and networking functions in a cloud or other data centre and in a security agent. For SD-WAN, the network nodes, as well as the CPE, are software-defined. In other words, the functions are running as software.

How vendors are selling SASE and SD-WAN

SASE is still an emerging technology. To reflect that, many SD-WAN vendors are beginning to offer a SASE solution in addition to their SD-WAN solution, or at least claiming that what they have is SASE. For example, Cisco, VMware, VeloCloud, and Open Systems are all practicing this, among many others.

SASE vs SD-WAN: Takeaways

SASE and SD-WAN are two different networking technologies that use different means to get to similar ends.

  1. Both technologies are meant to connect geographically distributed organizations in a flexible and adaptable manner.

  2. A SASE network is focused on providing cloud-native security tools and has the cloud at the centre of the network.

  3. SD-WAN technology is focused on connecting offices to a central headquarters and data centre, though it can also connect users directly to the cloud.

Different enterprises will always have specific security requirements that must be tailored to regulatory, compliance and overall enterprise architecture needs.