
What is the connection between SD-WAN and SASE?

2023-11-29

SASE combines SD-WAN with network security to provide a holistic network management solution that simplifies access, enhances security, and improves performance. SD-WAN combines the concepts of SDN with traditional WAN technology to provide better traffic routing and network operations. It acts as an overlay network over an organization's existing WAN connection to improve network traffic.

SD-WAN and SASE should not be viewed as substitutes for each other, but rather as complementary and largely independent capabilities that combine to create a highly reliable, scalable, performant, and secure remote connectivity solution.

SD-WAN provides the network foundation on which SASE is built by layering network, content and identity security services on top of it.

SD-WAN applies SDN technology to wide area networks and separates network control from data transmission. By inserting an abstraction layer between the physical and logical networks, SD-WAN platforms can combine multiple physical links into a virtual network and steer packet flows on each virtual network at fine granularity to improve link aggregation, application performance, usability and security.

SD-WAN can deliver an SDP architecture, combining underlay and overlay into a cloud-based solution. SD-WAN works with any type of wired or wireless Internet connection and provides channel bonding, redundancy, load balancing, and dynamic path selection based on network congestion and link quality.
01. Typical SD-WAN security features include:

● Link encryption using DTLS (with AES-GCM cipher suites and certificate-based authentication) or IPsec (with IKE key exchange).

● Zero-touch provisioning of remote customer premises equipment (CPE) to ensure a secure initial setup.

● Support for inserting virtual network functions (VNFs), such as an NGFW or content filter, into the link topology.

● Network micro-segmentation, which uses virtual networks and firewalls to segment WAN traffic by application, security level, or other criteria. Micro-segmentation also allows SD-WAN to enforce simple content control policies through routing/firewall rules specific to users, groups, and applications.

SASE is built on top of the network, and if SD-WAN enables the proliferation of remote working and WFH, then SASE can be seen as supporting it with a set of network, data and user security capabilities. Rather than thinking of SASE as an innovative alternative to SD-WAN, think of it as an evolutionary improvement in layered security on top of SD-WAN.
02. SASE adds four security features to SD-WAN:

● Next-generation firewall as a service (FWaaS)

Many SD-WAN users have already integrated this through NFV and virtual firewall appliances.

● SWG (Secure Web Gateway)

Used to monitor and filter web traffic.

● Cloud Access Security Broker (CASB)

Extends the SWG by providing application-level network visibility and policy enforcement.

● Zero Trust Network Access (ZTNA)

Replaces client VPN-based access security with application- and session-specific authentication, using fine-grained policies based on the originating device, the originating user, and the target application or service. ZTNA is the biggest change from traditional remote access security: it requires the provision of user and device credentials (usually certificate-based), a certification authority (CA), an SSO service, and a device access proxy.
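To make the ZTNA decision described above concrete, here is an added Python example (not code from the original article or from any vendor's product) of the per-application, per-session authorization an access proxy performs. The `Device`, `Session`, `AppPolicy` types and the application names and policies are hypothetical and constructed for illustration; unlike a client VPN, nothing is reachable unless a policy explicitly allows this user, on this device, to this application.

```python
from dataclasses import dataclass

# Constructed example of the ZTNA decision: every request is authorized per
# application and per session, not per network. Unknown applications are denied.

@dataclass(frozen=True)
class Device:
    has_valid_cert: bool   # device credential (certificate-based) validated against the CA
    managed: bool          # enrolled in the organization's device management
    os_patched: bool       # posture signal reported by the endpoint agent

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset      # group memberships asserted by the SSO service
    sso_verified: bool     # the SSO assertion was validated for this session
    device: Device

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed: bool = False
    require_patched: bool = False

# Hypothetical per-application policies held by the device access proxy.
POLICIES = {
    "hr-portal":  AppPolicy(frozenset({"hr", "it"})),
    "prod-admin": AppPolicy(frozenset({"it"}), require_managed=True, require_patched=True),
}

def authorize(session: Session, app: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one session reaching one application."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "no policy published for application"   # app stays invisible
    if not session.sso_verified:
        return False, "session not authenticated by SSO"
    if not session.device.has_valid_cert:
        return False, "device certificate not validated"
    if not (session.groups & policy.allowed_groups):
        return False, "user not in an allowed group"
    if policy.require_managed and not session.device.managed:
        return False, "application requires a managed device"
    if policy.require_patched and not session.device.os_patched:
        return False, "application requires a patched device"
    return True, "allowed"

if __name__ == "__main__":
    laptop = Device(has_valid_cert=True, managed=True, os_patched=False)
    alice = Session("alice", frozenset({"it"}), True, laptop)
    for app in ("hr-portal", "prod-admin", "legacy-erp"):
        print(app, authorize(alice, app))
```

The same session is allowed to one application and denied to another purely on per-application policy and device posture, which is the application- and session-specific access the text contrasts with network-wide VPN access.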

SD-WAN uses a centralized management approach to save costs and resources. Branch networks using SD-WAN can be consolidated in the enterprise's data center, so that cheaper Internet connections can be used to replace expensive dedicated line connections, further reducing operating costs.

While a packaged cloud service may be the best SASE delivery vehicle in most cases, it is not required. Some organizations may choose to operate a private SASE infrastructure or contract with an MSP that provides SASE as part of their network infrastructure. In fact, Gartner, which coined the term "SASE," believes that adoption of cloud-based SASE is slowly growing.

Gartner says that by 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA and branch firewall-as-a-service (FWaaS) capabilities from the same vendor, up from less than 5% in 2020. SASE components are increasingly being adopted to meet users' security requirements.