
How SD-WANs can integrate into SASE

Today’s columnist, Etay Maor of Cato Networks, writes that Gartner may come up with innovative new terms, but companies need to decide which option works best for them: SSE or SASE? (Credit: Gartner)

Modern enterprises need secure, high-performance networking to connect branches and remote users to corporate resources and applications, wherever they are. Software-defined wide area networks (SD-WANs) served the purpose well back when enterprises started shifting their resources to the cloud and Multiprotocol Label Switching (MPLS) networking had effectively become a bottleneck for heavy north-bound traffic.

But can SD-WAN adequately fulfill the growing security, reliability, and high-performance needs of enterprise networks as the cloud meets mobility in the ongoing flexible and remote working era? Or conversely, does it set businesses up for failure with unmet performance, simplicity, and mobility needs? 

SD-WAN: A step in the right direction 

We consider SD-WAN a software-based approach to building and managing the network. It virtualizes WAN connections, typically between a central private network and geographically dispersed offices, and sometimes between users and the cloud as well. SD-WAN reduces costs by being transport-agnostic: it supports several transport mechanisms (MPLS, broadband Ethernet, 4G LTE, DSL) and their various combinations.

SD-WAN improves performance and agility through application-aware, dynamic traffic routing, reserving the best routes for business-critical applications. However, on the downside, SD-WAN appliances still ground the otherwise cloud-embracing enterprises because they simply sit atop the underlying network infrastructure. No amount of automation and dynamic routing can fix an outdated, weak network infrastructure. 

Reliability and performance suffer when SD-WAN uses the internet for long-haul connections to remote areas with bad internet and no private backbone. SD-WAN appliances alone do not address the need for a global, reliable, and well-performing network backbone. SD-WAN appliances are also purpose-built for site-to-site connectivity. Inherently, they aren’t designed to provide secure connectivity to remote and mobile users. 

In addition, SD-WAN appliances don’t address network security needs on their own. Enterprises need to deploy discrete security devices along with their SD-WAN appliances to get security functions such as a next-generation firewall (NGFW), intrusion prevention system (IPS), and data loss prevention (DLP). Complexity and costs rise with every new security service.

Even with a secure SD-WAN, a solution that integrates a full security stack into an SD-WAN appliance, the security perimeter is limited to the deployment sites. It doesn’t extend to home-based or remote users connecting from outside branch offices. Furthermore, each piece of equipment also widens the attack surface. Security teams must configure and maintain all SD-WAN appliances individually at each branch location, potentially risking out-of-sync policies and unpatched, outdated software. 

Instead of running security controls within networks, secure access service edge (SASE) brings the security access framework closer to the user, assisting in the establishment of a more secure approach to preventing unauthorized access, according to Valuates Reports. Security teams can synchronize this process with an organization's business rules, allowing IT professionals to dynamically grant or deny access to users. These features are in turn expected to drive the growth of the secure access service edge market.

The need for SD-WAN and diverse security tools  

SD-WAN’s true value lies in its ability to mix and match several networking protocols and smart traffic routing. What it lacks in security can be addressed to some extent by converging SD-WAN with a firewall, IDS/IPS, anti-malware, and other security tools. As separate tools, though, each security product that’s added on top of SD-WAN brings new issues, compounding the problems of integrations, encryption, correlations and more. 

Even then, businesses will have to move the capabilities of secure SD-WAN to the cloud to eliminate geographical limitations and the operational overhead that comes with the appliance lifecycle, and to gain a single pane of glass into their global network and security infrastructure. Even so, enterprises will still need the reliability and performance of a private backbone without hindering scalability or driving up costs and complexity.

The technologies that enterprises need for the new cloud and mobility paradigm are already there. So, true network innovation now consists of how enterprises can optimally leverage all these technologies: SD-WAN, multi-cloud networking, WAN optimization, NGFW, and zero-trust network architecture. That’s the challenge that Gartner sought to address when it coined the term secure access service edge (SASE) back in 2019. It has since piqued the interest of research analysts who’ve ascribed a $5.4 billion market potential by 2027.

In a nutshell, SASE extends perimeter security controls to edge security. SASE aims to bring together and deliver known networking and security technologies across all the network edges, including the cloud and mobile users. In a single, integrated cloud service, these converged security capabilities can essentially enable secure access to data on the go. 

SASE has adopted SD-WAN’s flexible and hybrid transport options and seamlessly integrated them with a full security stack in a cloud-based solution to connect and deliver complete security to every edge on the network. In this, SD-WAN functions as a component of SASE, so it's not really a question of one versus the other.

That said, the two are functionally different. SD-WAN is a virtualized overlay network that backhauls traffic to data centers, and it gained traction for its flexible connectivity options. SASE proposes a third-party, cloud-based infrastructure of global points-of-presence that inspects traffic at the network edge instead of backhauling it to a central location, making it well suited to remote and mobile users.

SASE: A journey, not an end point 

SASE promises a one-stop shop for all networking and security needs. But can SASE solve all enterprise networking woes? Such sweeping assertions are premature. The definition leaves room for flexibility, so there are quite a few SASE flavors, each with its unique propositions. And that’s the beauty of SASE: it’s not a static architecture. It’s fluid enough to meet the individual needs of today and incorporate the technologies of tomorrow.

Yet, at its heart, security teams should build the network of the future around cloud, convergence, and convenience. Enterprises must check all these boxes while painting their SASE future if they want a holistic, agile, and adaptable network for their present and future digital needs.

Etay Maor, senior director of security strategy, Cato Networks 
