SD-WAN vs SASE: Make the Right Choice for Your Organization

Benefits and limitations to consider when choosing a networking technology

Vaughn Eisler

As organizations continue to become more distributed, there’s been an increased demand for anytime, anywhere access to users and applications. This has given rise to a network transformation requiring the delivery of uninterrupted connectivity while maintaining security. To protect anywhere, anytime access, organizations need to provide security closer to the user and at the edge.

Software-Defined Wide Area Networks (SD-WAN) and Secure Access Service Edge (SASE) are two networking technologies that are both used to intelligently connect users, branches and devices for anytime, anywhere access.  As organizations evolve their network, they need to determine whether SASE or SD-WAN is the right approach for them.

Let’s take a look at each of these approaches in a bit more depth to understand the different factors organizations should consider when choosing the optimal networking technology.


SD-WAN directs traffic with a centralized control function

SD-WAN uses a virtualized WAN overlay architecture that leverages any combination of transport services (MPLS, LTE, broadband internet, etc.) to securely connect locations (such as branch offices), users and devices to applications and data, identifying applications and routing them intelligently. In other words, SD-WAN uses a centralized control function to direct traffic across a WAN through application-aware routing: each class of application receives an appropriate level of Quality of Service (QoS) because the controller selects the optimal transport service based on current network conditions.
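The application-aware routing described above, as an added example that is not code from the post or from any SD-WAN vendor: each application is mapped to a QoS class with latency, loss and jitter limits, the controller measures every transport, and a flow is steered to the cheapest transport that meets its class's SLA, degrading to the lowest-latency link when none does. The transport names, application classes, metrics and the assumption that applications are already identified (for example by DPI or SNI) are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transport:
    """One underlay link with its currently measured health (constructed values)."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost_rank: int  # lower is cheaper; used as a tie-breaker among SLA-compliant links

@dataclass(frozen=True)
class AppClass:
    """QoS requirements for one class of applications (constructed thresholds)."""
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float

# Assumed QoS classes; a real controller would take these from policy.
APP_CLASSES = {
    "voice": AppClass("voice", max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30),
    "saas": AppClass("saas", max_latency_ms=250, max_loss_pct=2.0, max_jitter_ms=80),
    "bulk": AppClass("bulk", max_latency_ms=2000, max_loss_pct=5.0, max_jitter_ms=500),
}

# Assumed application-to-class mapping; unknown applications fall into "bulk".
APP_TO_CLASS = {
    "teams_voice": "voice",
    "salesforce.com": "saas",
    "office365": "saas",
    "backup": "bulk",
}

# Constructed measurements, as a controller's probes would report them.
SAMPLE_TRANSPORTS = [
    Transport("mpls", latency_ms=40, loss_pct=0.1, jitter_ms=5, cost_rank=3),
    Transport("broadband", latency_ms=70, loss_pct=0.5, jitter_ms=35, cost_rank=1),
    Transport("lte", latency_ms=120, loss_pct=2.5, jitter_ms=60, cost_rank=2),
]

# Constructed degraded state: MPLS is down, broadband is badly impaired.
DEGRADED_TRANSPORTS = [
    Transport("broadband", latency_ms=900, loss_pct=8.0, jitter_ms=120, cost_rank=1),
    Transport("lte", latency_ms=120, loss_pct=2.5, jitter_ms=60, cost_rank=2),
]

def meets_sla(transport: Transport, app_class: AppClass) -> bool:
    """True when every measured metric is within the class's limits."""
    return (transport.latency_ms <= app_class.max_latency_ms
            and transport.loss_pct <= app_class.max_loss_pct
            and transport.jitter_ms <= app_class.max_jitter_ms)

def select_transport(app: str, transports: list) -> str:
    """Pick the transport for one application given current measurements."""
    app_class = APP_CLASSES[APP_TO_CLASS.get(app, "bulk")]
    eligible = [t for t in transports if meets_sla(t, app_class)]
    if eligible:
        # Among links that satisfy the SLA, prefer the cheapest, then the fastest.
        return min(eligible, key=lambda t: (t.cost_rank, t.latency_ms)).name
    # No link satisfies the SLA: degrade gracefully to the least-impaired link.
    return min(transports, key=lambda t: (t.latency_ms, t.loss_pct)).name

def route_flows(apps: list, transports: list) -> dict:
    """Return the application -> transport decision for a set of active flows."""
    return {app: select_transport(app, transports) for app in apps}

if __name__ == "__main__":
    flows = ["teams_voice", "salesforce.com", "backup", "unknown_app"]
    print("healthy:", route_flows(flows, SAMPLE_TRANSPORTS))
    print("degraded:", route_flows(flows, DEGRADED_TRANSPORTS))
```

The decision runs on the controller's measurements rather than static preferences, which is what lets the same policy move voice off a link whose jitter has crept past the class limit and back once it recovers.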

Unlike a traditional router-centric WAN architecture, the SD-WAN model is designed to fully support applications hosted in on-premises data centers, public or private clouds and SaaS services such as Salesforce.com, Workday, Office 365 and Dropbox, while delivering the highest levels of application performance.

While SD-WAN offers answers to many issues that traditional WAN connectivity has with traffic management for distributed locations, it has certain limitations that organizations need to address. As an example, while SD-WAN can be adapted to connect to the cloud, it was not built with the cloud as its focus. To integrate with clouds, SD-WANs must utilize virtual cloud gateways that users reach over the internet. Additionally, SD-WAN lacks a global backbone. Instead, SD-WAN appliances sit on top of the underlying network infrastructure, so the need for a performant and reliable network backbone is left unaddressed by SD-WAN appliances alone. Also, SD-WAN appliances don’t natively support security, which requires enterprises to manage a patchwork of security and networking appliances from different vendors. Lastly, SD-WAN appliances are built for site-to-site connectivity; securely connecting mobile users is left unaddressed by the SD-WAN architecture.

Enter Secure Access Service Edge (SASE), a new type of architecture designed with the cloud in mind. SASE uses a distributed architecture to address many of these limitations.

Connect to the service edge via the cloud with SASE

First named in a Gartner white paper in 2019, SASE is a network architecture that combines SD-WAN capabilities with cloud-native security functions. Not surprisingly, SASE is a cloud-native approach to WAN infrastructure that enables service to any edge endpoint.

Instead of focusing on connecting branches to a central network, SASE focuses on connecting individual endpoints (whether a branch office, individual user, or single device) to a service edge. The service edge consists of a network of distributed points of presence (PoPs) where the SASE software stack runs.

A SASE architecture can identify users and devices, apply policy-based security controls, and deliver secure access to the appropriate applications or data. Moreover, SASE focuses on built-in security with capabilities such as:

  • Secure web gateway for decoding cloud and web traffic
  • Firewall-as-a-Service (FWaaS) and intrusion protection
  • Cloud access security brokers for cloud workload visibility
  • Data loss protection for data-in-motion and at-rest
  • Advanced threat protection (ATP), including AI/ML, UEBA, sandboxing, etc.
  • Software-defined perimeter with zero trust network access, replacing legacy VPNs

The fundamental promise of SASE is simplified WAN deployment integrated with security, all in a single platform, and delivered as a service (-aaS) from the cloud. Designed properly, a SASE model eliminates perimeter-based appliances and legacy solutions. Instead of determining traffic flows from a centralized, appliance-based control function, users connect to the SASE cloud service to safely access and use web services, applications and data with consistent enforcement of the organization’s security policy.

Comparing SD-WAN and SASE

SD-WAN and SASE have some similarities. They use virtual overlay networks to route traffic automatically via the optimal and most secure route. Both can cover large geographical areas, which makes them especially suitable for global organizations. And both SASE and SD-WAN can be controlled from anywhere.

That being said, SD-WAN and SASE technologies differ in execution.

SD-WAN’s architecture is centered on an organization’s data center, where its centralized control function resides. SASE, on the other hand, uses not only private data centers but also the public cloud and colocation facilities. SASE creates edge service nodes where the SASE stack runs, typically in close proximity to public clouds for secure, low-latency access to cloud resources.

As mentioned above, security is also an area where their approaches differ. Generally speaking, SD-WAN technology was not designed with security in mind. Security within an SD-WAN architecture is frequently delivered via secondary features and often by third-party vendors. While some SD-WAN solutions do have baked-in security, that has not been the case historically. Security tools are usually located at offices in customer-premises equipment rather than on devices themselves. With SASE, security and networking decisions are made together. SASE solutions have security that sits in a user’s device as a security agent, as well as in the cloud as a cloud-native software stack.

Traffic inspection is another area where the technologies differ. SD-WAN uses service chaining, where traffic is inspected by one function at a time: each point solution opens up and inspects the traffic and acts on it according to that solution’s own policies. With SASE, traffic is opened up and inspected once; multiple engines apply their policies at the same time, without passing the traffic between them. This saves time because the traffic isn’t repeatedly decoded as it moves through different functions.
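The single-pass model described above, as an added example that is not code from the post or from any SASE vendor: a constructed HTTP request is decoded once and handed to three policy engines (a secure web gateway host check, a DLP check for card numbers, and a body-hash threat check), and the same request is also run through a service chain where each function decodes the traffic for itself and the chain stops at the first block. A counter on the decoder makes the difference visible: the chained path decodes up to three times and reports only the first engine's reason, the single-pass path decodes once and reports every engine's reason. The sample requests, deny list and bad-hash set are constructed; the three engines are simplified stand-ins for the real functions.

```python
import hashlib
import re

# Constructed sample traffic (not real captures): requests as a branch would
# emit them, including a test card number and a deny-listed host.
CLEAN_REQUEST = (b"GET /status HTTP/1.1\r\nHost: files.example.test\r\n"
                 b"X-User: alice\r\n\r\nhello")
PAN_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
               b"X-User: alice\r\n\r\ncard=4111111111111111 note=quarterly numbers")
MULTI_HIT_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: malware.example.test\r\n"
                     b"X-User: bob\r\n\r\ncard=4111111111111111")

# Constructed policy data; a real deployment would take these from its feeds.
DENIED_HOSTS = {"malware.example.test"}
KNOWN_BAD_BODY_HASHES = {hashlib.sha256(b"evil payload").hexdigest()}

DECODES = {"n": 0}  # how many times the raw traffic has been opened up

def decode_http(raw: bytes) -> dict:
    """Parse request line, headers and body; every call is one 'open up'."""
    DECODES["n"] += 1
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b": ")
        headers[name.decode().lower()] = value.decode()
    return {"method": method.decode(), "path": path.decode(),
            "headers": headers, "body": body}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid flagging arbitrary long numbers as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Each engine sees the decoded flow and returns (verdict, reason).
def swg_engine(flow: dict) -> tuple:
    if flow["headers"].get("host") in DENIED_HOSTS:
        return "block", "host on deny list"
    return "allow", ""

def dlp_engine(flow: dict) -> tuple:
    for match in re.finditer(rb"\d{13,16}", flow["body"]):
        if luhn_ok(match.group().decode()):
            return "block", "PAN detected in body"
    return "allow", ""

def threat_engine(flow: dict) -> tuple:
    if hashlib.sha256(flow["body"]).hexdigest() in KNOWN_BAD_BODY_HASHES:
        return "block", "body matches known-bad hash"
    return "allow", ""

ENGINES = [swg_engine, dlp_engine, threat_engine]

def chained_inspection(raw: bytes) -> tuple:
    """Service chaining: each function decodes for itself and acts alone."""
    for engine in ENGINES:
        verdict, reason = engine(decode_http(raw))
        if verdict == "block":
            return "block", [reason]  # the chain stops at the first block
    return "allow", []

def single_pass_inspection(raw: bytes) -> tuple:
    """Single pass: decode once, let every engine apply its policy to that copy."""
    flow = decode_http(raw)
    results = [engine(flow) for engine in ENGINES]
    reasons = [reason for verdict, reason in results if verdict == "block"]
    return ("block" if reasons else "allow"), reasons

def compare(raw: bytes) -> dict:
    """Run both models on one request and report verdicts and decode counts."""
    DECODES["n"] = 0
    chained = chained_inspection(raw)
    chained_decodes = DECODES["n"]
    DECODES["n"] = 0
    single = single_pass_inspection(raw)
    single_decodes = DECODES["n"]
    return {"chained": chained, "chained_decodes": chained_decodes,
            "single": single, "single_decodes": single_decodes}

if __name__ == "__main__":
    for name, req in [("clean", CLEAN_REQUEST), ("pan", PAN_REQUEST),
                      ("multi", MULTI_HIT_REQUEST)]:
        print(name, compare(req))
```

Besides the decode count, note the difference in what the analyst sees: the chained model reports only the deny-listed host for the third request, while the single-pass model also surfaces the card number in the same upload, because every engine evaluated the flow rather than only the first one that happened to block.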

Choosing a networking technology: SD-WAN vs. SASE

Now that there is an understanding of what SD-WAN and SASE are at a high level, we can answer the question of when an organization should choose one versus the other.

Typically, SD-WAN architectures are implemented when an organization needs some form of locally hosted and secured data and appliances. A good example of this might be when an enterprise needs to separate their OT and IT infrastructure at a branch location.

A SASE implementation is ideally suited for an organization that does not want to build its own secure networking and access. In other words, SASE is great for an enterprise looking for one seamless solution that has users and devices as the focal point and a single place to embed all performance and security policies. This results in reduced cost and complexity because it is a single-vendor network and security solution.

Regardless of which technology you choose, Equinix can help. With the Network Edge solution, enterprises and their partners and customers can share SD-WAN and SASE device instances from leading VNF providers across Platform Equinix™ and only pay for the network bandwidth they consume. Previously, the network owner would own and pay for the Network Edge SD-WAN Edge instance. Network Edge provides access to a whole suite of VNF functionalities from a variety of leading SD-WAN and SASE providers. With 15 Network Edge locations all over the world, you can mix and match the Network Edge services closest to the destination you want to connect to, reducing latency and improving application performance.

Learn more about setting up secure access for distributed architectures in the Distributed Security Playbook.

Vaughn Eisler Director, Business Development, Security and Storage