Do It Yourself SASE with SD-WAN

SASE (Secure Access Service Edge) has been one of the most hyped buzzwords in network security over the last couple of years and continues to gain traction and capabilities. It has also generated some confusion, especially when considered relative to SD-WAN. Some online discussions treat SASE as a replacement technology for SD-WAN, while in fact it can be thought of as a natural complementary technology to SD-WAN, where network security can be combined with optimized WAN performance.

SASE can be thought of as a suite of cloud-based security services that protects the traffic that is proxied through the SASE gateway. Four of the major (cloud-delivered) security components of SASE include:

  • Secure Web Gateway (SWG)
  • Next-gen Firewall (FWaaS)
  • Cloud Access Security Broker (CASB)
  • Zero-trust Network Access (ZTNA)

While many vendors are also claiming that SD-WAN is a fundamental part of their SASE solution, this remains largely aspirational, as the mechanics and difficulty of implementing a highly performing and robust SD-WAN overlay fabric are typically not core competencies of SASE solution providers.

SD-WAN appliances provide tremendous capabilities in terms of network optimization and utilization, as well as many solid security features. By bonding or aggregating multiple WAN transports (cable, DSL, MPLS, cellular 4G/5G, satellite, and others) into single high-performing pipes, SD-WAN allows for optimized traffic steering and routing, using the combined bandwidth of the individual WAN links to improve throughput and prioritize critical traffic. Intelligent real-time monitoring of the individual WAN links allows real-time applications to be steered onto the optimum path, and any network issues on any of the WAN links (brownouts, increases in latency, jitter, packet loss) can be completely shielded from the end user by migrating traffic away from problematic links in real time. This becomes, in effect, a self-healing network on autopilot that ensures rock-solid performance despite large variations in the underlying network.

Do It Yourself and Have the Best of Both Worlds

Most SASE solutions do not provide SD-WAN capabilities and do not care how you connect to the SASE cloud, while SD-WAN solutions easily facilitate funneling all, or any custom subsets, of your traffic into any SASE cloud service. This allows for a customized “do-it-yourself” security solution, which also provides for a “best-of-breed” overall network, as you can mix and match your preferred SD-WAN solution with your preferred cloud-based security solution.

For a company with a head office and several local branch offices, the combined solution might be to use a SASE cloud attached to the head office where all traffic would be funneled. Branch offices would be connected to the head office, and perhaps to each other as well (using a hub-and-spoke or mesh network topology) using high-performance, encrypted and secure IP tunnels. Backhauling all traffic through the head office would then ensure that overall network security was fully SASE compliant and secure. If one or more of the branches was responsible for a disproportionate amount of traffic, a direct connection to a SASE cloud could easily be implemented from the desired branch(es) to reduce overall congestion on the corporate network.

Alternatively, depending on the desired network topology, each branch office of an organization can use an SD-WAN tunnel into the SASE cloud. This may be a more appropriate network design for geographically distributed branches.

For large international companies with many branches located all over the world, a similar “do-it-yourself” approach would be appropriate. For relatively close locations, traffic can easily be backhauled to the (local) head office or data center with a SASE cloud connected directly to the head office. For geographically distant locations, it’s important to use a SASE provider that has a robust, international, dedicated backbone with many points-of-presence so that once your traffic hits the cloud, it is routed quickly and efficiently through the Internet to its final destination. The flexibility of a corporate SD-WAN overlay easily accommodates any cloud-based SASE solution, so using different vendors in different countries or regions (based on POPs and underlying network infrastructure) is straightforward.
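
The topologies described above only deliver SASE inspection if every site's traffic actually ends up at a SASE gateway. The following audit is an added example, not part of the original post: it walks a tunnel map and flags sites with no tunnel path to a gateway or with a local internet breakout that bypasses inspection. All site names, gateway names and the breakout list are constructed assumptions.

```python
from collections import deque

# Constructed sample topology: site -> next hops reachable over SD-WAN tunnels.
TUNNELS = {
    "branch-a": ["head-office"],                 # spoke backhauled to the hub
    "branch-b": ["head-office", "branch-a"],     # meshed spoke
    "branch-c": ["sase-pop-eu"],                 # distant branch, direct tunnel
    "branch-d": [],                              # no tunnel configured
    "head-office": ["sase-pop-us"],              # hub attached to the SASE cloud
}
SASE_GATEWAYS = {"sase-pop-us", "sase-pop-eu"}   # hypothetical gateway names
LOCAL_BREAKOUT = {"branch-b"}                    # sites with direct internet egress


def path_to_sase(site, tunnels, gateways):
    """Breadth-first search for the shortest tunnel path to any SASE gateway."""
    queue = deque([[site]])
    seen = {site}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in gateways:
            return path
        for nxt in tunnels.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(tunnels, gateways, local_breakout):
    """Return a finding per site: OK, NO_SASE_PATH or BYPASS_POSSIBLE."""
    findings = {}
    for site in sorted(tunnels):
        path = path_to_sase(site, tunnels, gateways)
        if path is None:
            findings[site] = "NO_SASE_PATH"
        elif site in local_breakout:
            # A tunnel exists, but traffic can still leave uninspected.
            findings[site] = "BYPASS_POSSIBLE"
        else:
            findings[site] = "OK via " + " -> ".join(path[1:])
    return findings


if __name__ == "__main__":
    for site, finding in audit(TUNNELS, SASE_GATEWAYS, LOCAL_BREAKOUT).items():
        print(f"{site:12} {finding}")
```

Running the same check against the configuration actually pushed to the devices, rather than against the intended design, is what catches a branch that was added without a tunnel.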

Bottom Line

SASE and SD-WAN are complementary technologies that both large and small companies can use to manage and secure network traffic. While SASE ensures rigorous security throughout the cloud, as well as the endpoints, SD-WAN guarantees that the first/last mile will be optimized to ensure that maximum bandwidth, minimum latency, and maximum reliability will always be available.

Modern SD-WAN routers provide sophisticated features including advanced layer-7 routing, monitoring portals, dynamic quality of service (QoS), deep packet inspection (DPI) and application performance optimization for various flow types including live video, VoIP, cloud apps and others. Many of these routers also provide significant security features built-in, such as a primary firewall/router with strong encryption (up to AES-256), website blocking, DNS redirection, and advanced filtering, all based on field-proven secure platforms.

Combining an SD-WAN network with cloud-based SASE security can be accomplished very simply by enabling an SD-WAN tunnel into the SASE cloud, and configurations can be easily pushed to specific devices throughout the network. This results in a “best-of-both-worlds” solution, where state-of-the-art SD-WAN capabilities can be realized while also adhering to the SASE security models.

Rob Stone, Mushroom Networks, Inc. 
