SASE vs. SD-WAN: Which one do you pick?

SASE (Secure Access Service Edge) and SD-WAN are two network technologies designed to connect geographically diverse endpoints to data sources and application resources.

SD-WAN (Software-Defined Wide Area Network) uses a virtualized network overlay to connect and remotely manage branch offices. SD-WAN focuses on connecting these branches back to a central private network. While SD-WAN can connect to the cloud, it is not built with the cloud in mind.

SASE, on the other hand, focuses on the cloud and has a distributed architecture. Rather than focusing on connecting branches to a central network, SASE focuses on connecting individual endpoints (branches, individual users, or individual devices) to the service edge. The service edge consists of a distributed PoP network running the SASE software stack. In addition, SASE focuses on inherent security.

The difference between the two is similar to the difference between using an intranet and using Nutstore to share files. Both methods achieve the same end goal, but the methods are completely different.

SD-WAN is a maturing market that has maintained steady growth despite the pandemic, which has hampered its development. SASE is relatively new: the term was coined by Gartner in 2019. Although the SASE market is still in its infancy, many vendors have begun to enter the market with their own SASE or SASE-like services.

1. Differences

The differences between SASE and SD-WAN can be summarized into three categories:

  • Relationship with the cloud
  • Security
  • How to perform flow inspection

1. SASE, SD-WAN, and the cloud

(1) SASE

SASE uses private data centers, public clouds, or hosting facilities as PoPs. These PoPs form the service edge of the architecture, where the SASE stack runs. In addition, these PoPs are typically located in the public cloud or close to a public cloud gateway to enable low-latency, secure access to cloud resources. Regardless of which node has sufficient resources to satisfy the user's request, SASE software determines the best path for traffic to reach its endpoint. Unlike SD-WAN's data center-centric architecture, SASE uses a distributed architecture. Gartner believes that as cloud services are increasingly used, using a single private data center as the focus of the network will lead to inefficiencies.

(2) SD-WAN

For SD-WAN, cloud integration is just a feature, not a key component. In a cloud-enabled SD-WAN, users connect to a virtual cloud gateway over the internet, making the network more accessible and supporting cloud-native applications. This is very similar to the SASE approach.

2. Security

Security is a key factor in the competition between SASE and SD-WAN.

IDG recently released a survey on SASE and SD-WAN. The data showed that 91% of respondents were interested in SASE solutions, and the key point of their consideration was the security that SASE could provide. Similarly, among companies considering adopting SD-WAN, 70% of them also emphasized the importance of security.

(1) SASE

SASE focuses on providing secure access to distributed resources for the network and its users. These resources can be distributed across private data centers, colocation facilities, and the cloud. Security agents can include secure web gateways, and the vendor's cloud can include firewalls as a service. SASE devices are often used to secure agentless devices such as printers in branch offices or other places where people gather.

(2) SD-WAN

SD-WAN technology was not designed with a security focus. SD-WAN security is typically provided through ancillary features or third-party vendors. While some SD-WAN solutions do succeed in terms of security, they are a minority. The central goal of SD-WAN is to connect geographically diverse offices to each other and to a central headquarters, with flexibility and adaptability to varying network conditions. In SD-WAN, security tools are typically located in the office at the customer premises equipment (CPE), not in the device itself. Network decisions in SD-WAN are made in virtualized network devices distributed throughout the network.

3. SASE and SD-WAN traffic inspection

(1) SASE

In a SASE network, traffic is opened once and can be inspected by multiple policy engines at once, and the engines run in parallel without passing traffic between engines. This saves time because traffic is not passed from one security function to the next, as it is in an SD-WAN, and there is no repeated access. In addition, these policy engines do as much as the security tools in the SD-WAN, or even more.

(2) SD-WAN

SD-WAN uses service chaining for traffic inspection. Service chaining refers to the inspection of traffic by one security function at a time, one after another. These individual functions handle one type of threat and are called point solutions. Each point solution opens the traffic, inspects it, closes it, and then forwards it to the next point solution until the traffic has passed through all point solutions.
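The two inspection models described above, as an added Python sketch that is not from the original article or from any vendor's product. The three policy engines, the `open_flow` parser (standing in for the "open" step) and the sample request are hypothetical and constructed for illustration.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed sample request: host, card number and marker string are made up.
RAW = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
       b"Content-Type: text/plain\r\n\r\n"
       b"card=4111111111111111 note=EICAR-TEST-MARKER")

def make_opener():
    """Return a hypothetical 'open' step plus a log of how often it ran."""
    calls = []
    def open_flow(raw):
        calls.append(1)  # every open is a full re-parse of the raw bytes
        head, _, body = raw.partition(b"\r\n\r\n")
        fields = head.decode("ascii").split("\r\n")[1:]
        headers = dict(f.split(": ", 1) for f in fields)
        return {"host": headers.get("Host", ""), "body": body}
    return open_flow, calls

# Three hypothetical policy engines; each returns a finding or None.
def url_filter(flow):
    return "blocked-host" if flow["host"].endswith(".blocked.test") else None

def dlp(flow):
    return "card-number" if re.search(rb"\b\d{16}\b", flow["body"]) else None

def malware(flow):
    return "test-signature" if b"EICAR-TEST-MARKER" in flow["body"] else None

ENGINES = [url_filter, dlp, malware]

def service_chain(raw):
    """Point solutions in series: each one opens the traffic for itself."""
    open_flow, calls = make_opener()
    findings = [engine(open_flow(raw)) for engine in ENGINES]
    return findings, len(calls)

def single_pass(raw):
    """Open once, then hand the same parsed flow to all engines in parallel."""
    open_flow, calls = make_opener()
    flow = open_flow(raw)
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        findings = list(pool.map(lambda engine: engine(flow), ENGINES))
    return findings, len(calls)

if __name__ == "__main__":
    print("chain      :", service_chain(RAW))
    print("single pass:", single_pass(RAW))
```

Both functions return the same findings; only the number of times the traffic is opened differs, which is the cost the single-pass design removes.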

2. Similarity

Although SASE and SD-WAN have similar ultimate goals, they don't have many architectural similarities. At a high level, they have one thing in common: they are both wide area networks and virtualized infrastructure.

Both SD-WAN and SASE are designed to cover a large geographic area. The difference lies in the infrastructure: with SASE, private data centers, colocation facilities, or clouds act as endpoints, and these are where the networking, optimization, and security functions run. With SD-WAN, these functions run in boxes at branch offices and headquarters. Both SASE and SD-WAN can be controlled from anywhere. In the case of SD-WAN, a DIY approach typically places control at the organization's headquarters, a hosted solution is controlled remotely by the service provider, and a co-managed solution is similar to a hosted solution, but the organization has some control through a portal.

Despite the differences between the two infrastructures, they are still virtualized. SD-WAN and SASE do not rely on fixed-function proprietary appliances like non-virtualized WANs. As mentioned earlier, SASE runs security and network functions in the cloud or other data centers and security agents. For SD-WAN, both the network nodes and CPE are software-defined. In other words, these functions are run as software.

3. Suppliers

1. SASE is still in its infancy

Many SD-WAN vendors are now also starting to offer SASE solutions. For example, Cisco, VMware VeloCloud and Open Systems are all implementing this solution.

Still others have directed their resources more toward developing and deploying SASE services over SD-WAN, such as Palo Alto and Cato Networks.

Gartner has compiled a list of vendors that either already offer SASE or are considering offering SASE:

"The major IaaS providers (AWS, Azure and GCP) are not yet competitive in the SASE market," Gartner said. "We expect that over the next five years, at least one company will enter the SASE market in a significant way as they all expand their edge networking businesses and security capabilities."

2. There are many participants in the SD-WAN ecosystem

Gartner predicts that the proportion of enterprises deploying SD-WAN will increase from 30% in 2019 to 90% in 2023.

According to IDC data, the global SD-WAN market space was US$2.3 billion in 2019, and the compound growth rate is expected to reach 35% from 2019 to 2021.

There are many domestic SD-WAN players, including start-ups, network equipment vendors, network operators, IDC manufacturers, public cloud operators, security vendors, etc.

Conclusion

SASE and SD-WAN are two different network technologies that use different methods to achieve similar goals. Both technologies are designed to connect geographically distributed organizations in a flexible and adaptable way. SASE networks focus on providing cloud-native security tools and use the cloud as the center of the network; SD-WAN technology focuses on connecting offices to central headquarters and data centers, but it can also connect users directly to the cloud.

At present, although only a few SD-WAN vendors, security providers, etc. are launching SASE solutions, Gartner predicts that by 2024, at least 40% of enterprises will adopt SASE strategies, which means that more SD-WAN vendors will transform to SASE in the future.
