Business use of direct internet access and broadband services for remote access began with IPsec tunneling and expanded rapidly with the development and rollout of software-defined WAN. As access methods, these technologies permitted enterprises to securely tunnel their IT traffic over the internet. However, most enterprise security standards required user traffic to the internet to transit via approved security stacks, and these were typically centralized and sitting at corporate data centers.
While user performance was optimized for IT-hosted applications, it did not perform as well for internet access or SaaS applications, such as Microsoft 365 or Salesforce. As a result, enterprises started looking for options that permitted direct access to internet services for users at SD-WAN-enabled branches, while maintaining secure tunnels for enterprise traffic. This resulted in what is best described as a hybrid connectivity model.
Unfortunately, this model distributed security requirements to the edge of the network, and enterprises struggled with the complexity of managing multiple devices or service chaining multiple functions on one or more devices at the edge.
In Gartner's 2019 report outlining the Secure Access Services Edge (SASE) concept, Joe Skorupa and Neil MacDonald outlined the need for convergence between network and security functions at the WAN edge.
This article is part of
As a result, we see three distinct SASE models in the SD-WAN world:
- SD-WAN with SASE overlay
- Native SASE
SD-WAN started as a WAN-only technology with no native security capability. Viptela, VeloCloud and most of the early SD-WAN startups began as network-only vendors. Their initial push was with service providers -- for example, Verizon and Singtel were early Viptela shops, while AT&T went with VeloCloud. These service providers literally sold a managed or packaged offering that they delivered with SD-WAN routers that acted as service provider customer premises equipment (CPE). Service providers were not interested in security because of the complexity and pushed this option to clients.
The SD-WAN-only use case offers the two following use cases for security:
- DIY security. Enterprises with a strict division of labor between network and security teams will be attracted to this model. These enterprises do not permit any direct internet offload at the remote site.
- New service providers. Traditional service providers, such as carriers, stayed away from security and content processing. The developments brought on by SD-WAN have emboldened new carriers to enter this market, such as Masergy and Apcela, that provide SASE options to the SD-WAN product suite. Big content delivery network vendors, such as Akamai and Cloudflare, are relatively new in this space with new offerings as well.
SD-WAN with SASE overlay
As stated, the early SD-WAN vendors were network-only. The SD-WAN and security approach was pioneered by Zscaler and Opaq Networks, now a part of Fortinet, as a security overlay to provide what we now call SASE functions. This cloud model approach used SD-WAN to connect to both the enterprise and the SASE provider. Most of the early SD-WAN vendors offered partnerships with a security overlay vendor to satisfy security concerns, while providing optimal routing for hybrid environments.
Vendors that offer this SD-WAN with SASE overlay model have their own colocation facilities with both ISP connectivity and full security stacks that deliver an as-a-service model. These facilities are distributed worldwide and provide a significant advantage over enterprises attempting a DIY model where the traffic traverses the SD-WAN to an enterprise data center to exit to the internet.
This model also fits organizations where network and security teams are siloed from each other.
However, because Gartner's SASE research called for networking and security convergence, a number of other vendors now claim to offer this type of service. For example, a well-known cloud access security broker vendor now claims it has a SASE offering, in addition to a number of startups in the CASB space. As a result, some colocation and emerging service providers now offer services and call them SASE. Startups such as Alkira and Aviatrix push the envelope with creating networks in a cloud-first environment with virtual security stacks.
Native SASE functionality combines these security and routing functions in either one universal CPE device or a combination of uCPE and cloud services.
While the initial startups focused on SD-WAN only, companies founded later differentiated their product proposals to the venture capital community with native security features. For example, Versa Networks has a full-featured next-generation firewall (NGFW) capability built into its offering. Gartner's research enabled Versa to pivot and adjust its marketing for features it already had, while also adjusting its product pipeline to address those that were missing.
The result of a native SASE model is a broad range of networking and security functions that includes routing, SD-WAN, carrier-grade network address translation, denial of service, IP address management, stateful firewall, NGFW, intrusion prevention system, intrusion detection system, antivirus and malware -- all within a single platform with centralized policy management.
Cisco and Palo Alto Networks moved into this native SASE category through SD-WAN acquisitions and are molding combined product offerings to become full SASE shops. In addition, Fortinet, which had an SD-WAN offering, recently acquired security vendor Opaq Networks to round out its SASE offering.
Cisco's approach was using its router platforms with software combining Cisco's security with SD-WAN technology. However, the integrated IOS XE system was reportedly performing poorly, and it has recently released a new purpose-built platform: the Cisco Catalyst 8000 Edge Series. This has the Catalyst 8500 Series Edge Platform built for aggregation roles at the data center or colocation facility, the 8300 Series Edge Platform built for the branch and a Catalyst 8000V as a software-only version.
Fortinet already had an SD-WAN offering that was low-cost and had security functions. Its acquisition of Opaq Networks provided Fortinet with its own colocation facilities, dedicated security stacks and a back-end network.
Palo Alto acquired CloudGenix in early 2020, giving it the potential to provide one of the most complete SASE offerings when all the integration work is finished. Both Cisco and Palo Alto currently lack a low-cost uCPE device.
How to choose a SASE model
SD-WAN itself is just a connection technology, while SASE brings a number of networking and security technologies together. This convergence simplifies management because it reduces the size of the networking and the security stacks. For that reason, enterprises should move away from SD-WAN-only implementations.
On one side, enterprises can choose from the cloud model that couples SD-WAN capability to a cloud services model. This option typically leaves enterprises with two services to manage versus multiple services. In this case, an SD-WAN vendor or service will provide some level of network as a service. Add a cloud overlay, like Zscaler or Opaq, and SASE can be fully engaged.
The other option is to have a uCPE device that provides more of the networking and security services local to the remote site, although some services could be cloud-based. This model will provide the best performance, but enterprises should take care to examine the vendor implementation.
A uCPE provider that daisy-chains services within the architecture will perform poorly compared to an implementation that does a single pass on traffic for all locally processed functions.