SASE vs. SD-WAN: Achieving Cloud-Native WAN Security

Dave Greenfield
February 1, 2021

For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central data centers in a cost-effective manner. It is the networking equivalent of a killer application that allows companies to use a variety of transport mechanisms besides MPLS and to steer traffic according to business priorities.

Now the spotlight is shifting to the next evolution of networking: the secure access service edge (SASE). Like SD-WAN, SASE is a technology designed to connect geographically dispersed branches and other endpoints to an enterprise’s data and application resources. While there is some overlap in what the two technologies offer – in fact, SD-WAN is a component of SASE – there are significant differences in capabilities, not the least of which is network security. If SD-WAN gained traction for its flexible connectivity options, then SASE will be defined by its ability to seamlessly deliver full security to every edge on the network.

Enterprises Need a Distributed Network Architecture

Every enterprise, regardless of industry or geography, has a need for secure, high-performance, and reliable networking. In a bygone era, a hub-and-spoke networking architecture centered around an on-premise data center would have met that need—but not so today. A distributed network architecture is critical to support the increasing use of cloud platforms, SaaS applications, and especially remote and mobile workers.

This last requirement is ever more important in a world still experiencing a global pandemic. And even as we eventually move to a post-Covid-19 era, there will be a significant need to support people who continue to work from home, either permanently or occasionally, as well as those who return to the office.

SD-WAN Is a Step in the Right Direction

SD-WAN is a software-based approach to building and managing networks that connect geographically dispersed offices. It uses a virtualized network overlay to connect and remotely manage branch offices, typically connecting them back to a central private network, though it also can connect users directly to the cloud. SD-WAN provides optimal traffic routing over multiple transport media, including MPLS, broadband Ethernet, 4G LTE, DSL, or a combination thereof. However, SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a reliable, well performing network backbone is left unaddressed by SD-WAN appliances alone.

In general, SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge. This only leads to complexity and higher costs as more security services are added as discrete appliances or virtual functions. Another option is known as Secure SD-WAN, a solution which integrates a full security stack into an SD-WAN appliance. In this case, the solution’s effectiveness is limited by the deployment locations of the SD-WAN appliances, which are typically installed at each branch. Security is only applied for the traffic at the branch. What’s more, in deployments covering multiple branches, each appliance needs to be maintained separately, which provides the potential for out-of-sync policies and out-of-date software.

Another shortcoming of SD-WAN is that by design, networking appliances are built for site-to-site connectivity. Securely connecting work-from-home or mobile users is left unaddressed by SD-WAN appliances. While SD-WAN delivers some important benefits, networking appliances alone are not a holistic solution. That’s where SASE comes in.

SASE Is the Future of Secure Enterprise Networking

SASE takes all the capabilities of Secure SD-WAN and moves them to a cloud-based solution, which effectively eliminates geographic limitations. But more than that, the SASE approach converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic, agile, and adaptable service to the digital business.

The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.

Cato uses a full enterprise-grade network security stack natively built into the Cato Cloud to inspect all WAN and Internet traffic. Security layers include application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and managed IPS-as-a-Service (IPS). Cato can further secure a customer’s network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. And because Cato runs a distributed, cloud-native architecture, all security functions are performed locally at every PoP, eliminating the latency legacy networks introduced by backhauling traffic for security inspection.

Importantly, in this age of work-from-home, Cato’s SASE solution easily supports mobile and remote users. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser. All security and network optimization policies that applied to users in the office instantly apply to them as remote users. Moreover, the platform can scale quickly to any number of remote users without worry.

For SASE, It Has to Be Cloud-Native Security

It wasn’t long ago that networking and enterprise security were different disciplines. Silos, if you will. But today, with users working everywhere, security and networking must always go together. The only way to protect users everywhere at scale without compromising performance is the cloud. Converging security and networking together into a genuine cloud service with a single-pass, cloud-native architecture is the only way to deliver high performance security and networking everywhere. That’s the power of SASE.

For more information, contact us or ask for a demo. Get the free e-book Secure Access Service Edge for Dummies.

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.