SASE vs. SD-WAN
SASE vs. SD-WAN: An Overview
Organizations connect users and locations to the internet, cloud applications, and the internal network by means of a wide area network (WAN), which consists of multiple local area networks connected together. Initially, this was done via Multiprotocol Label Switching (MPLS), which is a technology that directs traffic across a private network via the shortest available path by using labels rather than addresses. In today’s digitally driven world that is adopting cloud technologies and is undergoing constant digital transformation, MPLS no longer cuts it. It is relatively expensive, has limited bandwidth, and is limited by location.
SD-WAN has been widely used for more than a decade, but there is a newer technology emerging called Secure Access Service Edge (SASE, pronounced “sassy”). It does the same thing as SD-WAN, but its focus is on making the connections more secure.
How do SD-WAN and SASE work, and what are the advantages and disadvantages of each technology? When comparing SD-WAN vs SASE, which technology should your organization use now and moving forward?
What is SD-WAN?
SD-WAN is a technology where software is used to control connectivity across a network. It provides centralized control to govern how nodes, such as remote users, edge devices, branch locations, IoT devices, and so forth, connect to an organization’s system. Its purpose is to optimize traffic in a network, increase bandwidth efficiency, and lower costs.
How Does SD-WAN Work?
SD-WAN works this way: it links all remote users and locations, no matter where they are, back to the organization’s central secure network rather than directly to the internet. To do that, SD-WAN can use new network infrastructure, but it can also leverage existing infrastructure, such as MPLS and LTE, aggregating available technologies to provide the most optimal paths to connectivity. It uses software to centralize control of traffic, encrypting it and using solutions, such as application-aware routing, organizational policies, and dynamic link assessment, to direct and optimize traffic to IaaS and SaaS. When an SD-WAN router receives a connection request, it intelligently decides how to route it based on the following criteria:
- The needs of the application
- The priorities defined by organizational policies
- The availability and health of network links
Pros and Cons of SD-WAN
Consider the advantages and disadvantages of SD-WAN solutions:
- SD-WAN provides centralized control and automation
- SD-WAN meets cloud migration needs
- SD-WAN is almost 50% less expensive than traditional WAN technologies
- SD-WAN provides efficiency and reduces latency in broadband use
- SD-WAN simplifies infrastructure for rapid deployment at scale
- SD-WAN provides reliable connections by leveraging existing connections
- SD-WAN lacks certain security features, meaning a data breach at one location is a threat to the entire network
- SD-WAN solutions may not support WAN routers
- SD-WAN has to be designed and configured properly or else errors and packet loss may result
- SD-WAN devices require regular firmware updates
What is SASE?
SASE is a newer technology launched in 2019. The name was coined by Gartner and accomplishes the same thing as SD-WAN but adds additional layers of security. It addresses the limitations of SD-WAN and takes into consideration the rapidly evolving security needs of organizations in an environment of digital transformation and cloud computing.
How Does SASE Work?
SASE links all endpoints to the edge of an organization’s network, which is where it connects with the rest of the internet. SASE combines the software-driven network optimization of SD-WAN with network security functions. Security is provided as a cloud service, using technologies such as Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), and Secure Web Gateway (SWG). Instead of forwarding traffic to a control center for inspection and verification, SASE has points of presence (PoPs) or enforcement points throughout the network, so traffic can be sent to the nearest point, distributing the workload. When SASE receives a traffic request, it decides on routing based on:
- The identity making the request
- The context of the request, such as device health and behavior and the sensitivity of the data being accessed
- The pertinent security and compliance policies
- The risk assessment conducted during the session
Pros and Cons of SASE
Consider the advantages and disadvantages of SASE solutions:
- SASE is a single service, resulting in savings and efficiency
- SASE distributes the workload through enforcement points rather than from a control center
- SASE solutions are designed for virtual connections and can replace VPNs
- SASE does not need agent software, making it easier and less expensive to deploy to branch locations
- SASE makes managing connectivity and security simultaneously much simpler
- SASE is a good choice for networks that leverage edge computing and IoT devices
- SASE may not be suited to organizations relying heavily on legacy connections such as MPLS
- SASE is still in the early stages of development
- SASE may result in duplications and inefficiencies if an organization has already implemented SD-WAN
- SASE implementation may require heavy investment in personnel training and retooling
Differences and Similarities Between SASE and SD-WAN
On the one hand, SASE is not necessarily a polar replacement for SD-WAN, nor is it simply an update to existing technology. Both technologies share similarities in their purpose or intent. But there are enough differences between them to make it necessary for organizations to do their due diligence so they can choose the solution that works for them.
Similarities Between SD-WAN and SASE
The similarities between SD-WAN and SASE are mainly found in the way they approach network connectivity.
- Both use virtual overlay networks to automate routing and optimize network traffic
- Both are highly available in various geographies, allowing organizations to expand at scale
- Both can be controlled from any location
Differences Between SD-WAN and SASE
The differences between SD-WAN and SASE are significant, and they mainly have to do with deployment and their approach to security,
- SD-WAN’s centralized approach emphasizes the organization’s data center, whereas SASE deploys using the cloud and various data centers.
- SD-WAN deals with traffic functions one at a time, case by case, whereas SASE examines traffic overall and provides an overall solution.
- SD-WAN’s security features are secondary, whereas SASE combines a security-focused approach with network optimization.
- SD-WAN can leverage the cloud but cannot be managed from the cloud, whereas SASE is provided as a service from the cloud.
SASE vs. SD-WAN: Which Is the Right Choice for Your Enterprise?
While SASE and SD-WAN are different, choosing one over the other is not necessarily easy. For many organizations, it may not be a question of SD-WAN vs SASE, but rather, SD-WAN and SASE in coordination.
SASE can be leveraged as a standalone solution if the organization has:
- No remote or hybrid workers
- An adequate MPLS infrastructure already in place
- Not already implemented SD-WAN
These criteria are pretty specific, and after the pandemic, there are few organizations not leveraging remote workers. So in most situations, any organization that would like to implement SASE would likely be doing so on top of SD-WAN. In effect, SD-WAN becomes the foundation for SASE, and SASE provides layers of security and efficiency to make up for what SD-WAN lacks.
Is SASE the Future of SD-WAN?
The answer in short? Possibly. In the meantime, they will likely exist in parallel and complement each other. But why might SASE eventually replace SD-WAN? Legacy network architecture orbited around a central data center, and although SD-WAN improved network connectivity and efficiency by using virtual overlays, the architecture stayed pretty much the same.
But with the emergence and evolution of new technologies, such as cloud services, digital transformation, edge computing, and the Internet of Things (IoT), backhauling all traffic to a central data center is becoming inefficient and often unnecessary. SASE’s approach of providing secure connections on the service edge and verifying and directing traffic from PoPs solves the problem of inefficiency while bolstering security.
How Fortinet Can Help
Whether your organization decides to use SASE on its own or complement SD-WAN with SASE as a layer, Fortinet can help you design and implement your strategy. FortiSASE is a cloud-delivered secure remote access solution powered by FortiOS and FortiGuard security services, while Secure SD-WAN solution is a security-driven networking approach that consolidates SD-WAN, next-generation firewall (NGFW), and advanced routing.
What is the difference between SD-WAN and SASE?
SD-WAN is a technology for directing and optimizing traffic across an organization's network, and any security benefits resulting may be secondary. SASE does the same thing as SD-WAN but with a focus on security. Additionally, SD-WAN uses a variety of connection services, whereas SASE is a single service from a single provider.
Does SASE need SD-WAN?
Not necessarily. However, while there are situations where SASE can be implemented without SD-WAN, it can also be implemented on top of SD-WAN.
Why is SASE the future of SD-WAN and security?
Legacy network architecture orbited around a central data center, and although SD-WAN improved network connectivity and efficiency by using virtual overlays, the architecture stayed pretty much the same. SASE’s approach of providing secure connections on the service edge and verifying and directing traffic from PoPs solves the problem of inefficiency while bolstering security.