Why adopt SD WAN & SASE?
A SASE solution combines SD WAN services with a range of cloud-delivered security functions, including secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS) and Zero Trust network access (ZTNA).
Businesses face a considerable challenge: reducing network complexity and cost while meeting the demands of ever-increasing data volumes and a growing remote workforce. SD WAN with SASE security is intended to meet the requirements of Enterprise businesses that need to secure a network whose perimeter is no longer fixed.
To keep pace with SD WAN orchestration, Zero-Touch deployment and SaaS cloud applications, security must be deployable just as quickly while still controlling every access request. The security challenge for today's business is significant because the WAN edge has all but vanished: traffic now originates from remote users who could be located anywhere, so an office firewall alone no longer sees it.
Gartner coined the term SASE (Secure Access Service Edge) in 2019 to describe the challenge IT teams now face when deploying WAN services. Covid-19 accelerated the already rapid adoption of home working, changing the office structure for good. And while the office will always have a place in any business, users now expect to work across phones (often BYOD), tablets, PCs and Macs wherever they are located.
How does SD WAN change the traditional MPLS VPN?
Only 12 months ago, I would have disagreed that the MPLS VPN is doomed and should be retired. As of writing this article, however, my thoughts on the subject have entirely changed. As Netify continues to research the WAN marketplace, the use case for deploying MPLS is almost non-existent for the end customer. We understand, of course, that MPLS traffic engineering remains a component of service providers' core backbone infrastructure, but there is simply no need for an Enterprise business to deploy MPLS itself.
The Internet is now a mature platform that we all use almost constantly. With public cloud services requiring access 24*7 on a global basis, the Internet is a core component of our connected life. Technologies such as IoT (Internet of Things) are a further driving force behind adoption, since almost every device communicates over an Internet connection.
If we accept that MPLS is no longer a suitable technology for today's network, SD WAN is the replacement that meets the shift to digital transformation. Between MPLS and SD WAN, the concept of hybrid WAN was introduced to allow businesses to add links such as leased lines, Broadband and 4G Internet, VPLS or short-haul private data services alongside their Layer 3 MPLS VPN circuits. Hybrid WAN recognised the need to distribute applications across multiple links rather than relying on MPLS alone.
Traditional WAN technology is built on routing relationships: routing protocols such as OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol) establish the routes between your sites. In short, the traditional method of deploying WAN services required route changes to propagate across every peer in the network, so a misconfiguration at one peer (a bad route advertisement, for example) propagated just as readily and carried a real risk of complete downtime.
SD WAN is typically transport-independent, which is what we usually refer to as the overlay model. The underlay is the connectivity itself, which can consist of various types of Internet (or private) service; the overlay is the set of tunnels built across it. It is this separation of overlay from underlay that makes SD WAN agile, reduces complexity and allows fast, orchestrated deployment.
The ‘Software’ element of ‘SD WAN’ has also brought other significant changes. We no longer need to procure expensive Firewalls alongside our WAN routers to deliver security. While not all SD WAN vendors offer SASE with a Next-Generation Firewall (NGFW), it is possible to buy a single device that delivers both the SD WAN function and the security controls for its users.
SD WAN offers the flexibility the Enterprise requires. Where a business is migrating from MPLS to SD WAN, the overlay works by tunnelling traffic (normally IPsec-encrypted, so an Internet underlay does not expose site-to-site traffic) over every type of transport. So a site connected via Broadband Internet can communicate with another site still on MPLS, with both appearing to be on a single-hop network.
How does SASE meet the demands of Enterprise business?
SASE meets the demand for fast deployment together with bespoke policy tailored to each business or organisation. When deploying WAN services, the traditional Firewall required extensive configuration and expertise, which meant time and professional services. Although Firewall management interfaces are now far more GUI-based, the Gartner SASE definition describes how SD WAN is positioned to offer a baseline level of security straight out of the WAN edge box or virtual CPE (vCPE).
SASE (Secure Access Service Edge) addresses the need to deliver security across the entire network, from the HQ to home workers and everything in between. To secure all elements of the network, SASE concepts include:
- Next-Generation Firewalls - one of the core capabilities of SD WAN is deep packet inspection, which benefits reporting, QoS and security alike. From a security perspective, a Next-Generation Firewall classifies traffic into applications by referencing it against a database of application signatures, and then applies policy per application rather than per port.
- Secure web gateway - a secure web gateway (SWG) positions an Enterprise to monitor, block and generally control access to websites, presenting warnings to users when necessary. As with the application database used for Firewall traffic classification, sites are assigned to categories automatically, and policy can block whole categories rather than individual URLs.
- Anti-malware - anti-malware also uses deep packet inspection, across both unencrypted and encrypted traffic. Files are identified by their content rather than by file extension, so renaming a payload does not evade detection. One caveat: inspecting the content of encrypted traffic requires the SASE gateway to terminate TLS using a CA certificate the Enterprise's devices trust; without that, inspection is limited to the metadata (such as the SNI hostname) that remains visible without decryption.
- Intrusion prevention system - SASE vendors offer a multi-layered approach to IPS, examining signatures, known vulnerabilities and general network behaviour. As an example, IPS policies commonly include geo-IP blocking of traffic to or from countries the business deems high-risk and has no legitimate need to communicate with.
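The four functions above, run in sequence over a single flow, as an added example that is not from the original article or from any vendor's product: a small Python policy engine that performs the DPI step (parsing the SNI hostname out of a TLS ClientHello, the one piece of an encrypted session a gateway can read without terminating TLS), classifies the flow against an application database, applies a secure web gateway category policy, and applies an IPS-style geo-IP block. The application database, IP prefixes, country codes (ZZ is a reserved placeholder code) and sample flows are all constructed for the example.

```python
# Added example (not from the Netify article): a toy SASE policy engine that chains
# the functions listed above on a single flow. Every database, prefix, hostname and
# country code below is constructed for illustration.
import ipaddress
import struct
from typing import Optional, Tuple

APP_DB = {  # constructed application database: hostname suffix -> (application, category)
    "salesforce.com": ("Salesforce", "business"),
    "office.com": ("Microsoft 365", "business"),
    "dropbox.com": ("Dropbox", "file-sharing"),
}
BLOCKED_CATEGORIES = {"file-sharing", "gambling"}   # SWG policy
BLOCKED_COUNTRIES = {"ZZ"}                           # geo-IP policy ("ZZ" is a reserved placeholder code)
GEO_DB = [(ipaddress.ip_network("203.0.113.0/24"), "ZZ"),   # constructed prefix -> country map
          (ipaddress.ip_network("198.51.100.0/24"), "GB")]

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample input only)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """DPI step: pull the SNI hostname out of a TLS ClientHello, or None if absent.
    Every offset is bounds-checked so a truncated or hostile record cannot raise."""
    try:
        if len(record) < 5 or record[0] != 0x16:                   # not a TLS handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:                           # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:                                     # truncated record
            return None
        pos = 2 + 32                                               # version + random
        pos += 1 + body[pos]                                       # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher suites
        pos += 1 + body[pos]                                       # compression methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # end of extensions block
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:  # server_name list, host_name entry
                name_len = struct.unpack("!H", data[3:5])[0]
                if len(data) >= 5 + name_len:
                    return data[5:5 + name_len].decode("ascii")
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None

def classify_app(hostname: str) -> Tuple[str, str]:
    """NGFW step: map a hostname to (application, category) using the application database."""
    host = hostname.lower().rstrip(".")
    for suffix, entry in APP_DB.items():
        if host == suffix or host.endswith("." + suffix):          # exact or subdomain match only
            return entry
    return ("Unknown", "uncategorised")

def lookup_country(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_DB if addr in net), "??")

def evaluate_flow(src_ip: str, payload: bytes) -> Tuple[str, str, str]:
    """Return (action, reason, application). Geo-IP, DPI, SWG and NGFW policy run in order; first match wins."""
    country = lookup_country(src_ip)
    if country in BLOCKED_COUNTRIES:                               # IPS-style geo block
        return ("block", f"geo-ip: source country {country} blocked", "Unknown")
    sni = extract_sni(payload)
    if sni is None:                                                # policy choice: default-deny what DPI cannot classify
        return ("block", "dpi: no TLS SNI, flow unclassifiable", "Unknown")
    app, category = classify_app(sni)
    if category in BLOCKED_CATEGORIES:                             # SWG category block
        return ("block", f"swg: category '{category}' blocked", app)
    return ("allow", f"ngfw: application '{app}' permitted", app)

if __name__ == "__main__":
    sample_flows = [("198.51.100.10", build_client_hello("login.salesforce.com")),   # constructed flows
                    ("198.51.100.11", build_client_hello("www.dropbox.com")),
                    ("203.0.113.5", build_client_hello("outlook.office.com")),
                    ("198.51.100.12", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
    for src, payload in sample_flows:
        action, reason, app = evaluate_flow(src, payload)
        print(f"{src:>15}  {action:5}  {app:13}  {reason}")
```

Two design points worth noting. The suffix match in classify_app requires an exact or dot-separated subdomain match, so a look-alike such as evil-dropbox.com is not classified as Dropbox. And the engine default-denies anything the DPI step cannot classify; a real product would also fall back to destination IP, certificate and behavioural signatures, and TLS Encrypted ClientHello (ECH), where deployed, removes the SNI from view entirely, which is one reason vendors push TLS termination for full inspection.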
Do all SD WAN vendors offer SASE?
Not all SD WAN vendors offer SASE security; some prefer to integrate partner security products and integrators into their solutions. While the lack of native SASE might appear to be a disadvantage at first, some Enterprise WAN deployments are already in contract with a security vendor or require elements that the SD WAN solution's own security does not offer.
The challenges are significant, but Gartner has simplified the core elements an Enterprise requires to deliver WAN connectivity with security. SD WAN with SASE offers a business outcome: deployment with agility and simplicity versus traditional WAN services. SD WAN providers are not equal in their capabilities, meaning IT teams must carefully analyse the market's solutions.