SD-WAN and SASE both build on traditional network models, such as those used to connect a company’s offices. While the two models share some features and advantages, they have different structures and approaches. In the simplest terms, an SD-WAN inspects and routes data more efficiently, while a SASE combines networking and security functions into a single service. Here’s what you need to know.
What is SD-WAN (software-defined wide area network)?
A wide area network connects devices in multiple locations, usually meaning some data goes over the Internet rather than solely through dedicated cabling. The network usually routes data between any two points through a specific device to allow analysis, filtering, and security checks. This process, called backhauling, can slow performance.
An SD-WAN breaks the link between the security/control process and the network’s physical hardware. Inspecting the data in the cloud allows more efficient routing.
Key characteristics of an SD-WAN include:
- A central control interface accessible from anywhere (with the right authorization)
- The SD-WAN can work with multiple connection types, such as fixed line connections, LAN cabling, and cellular connections.
- Dynamic path selection means the network can prioritize specific data types in different ways — for example, to reduce latency or maximize security.
- SD-WANs can comprise a combination of cloud services, locally hosted software, and on-site physical hardware.
What is SASE (secure access service edge)?
At first glance, SASE may appear similar to SD-WAN, but it is a different concept and architecture. It rethinks the design of a network to eliminate the need for a central inspection and filtering point. In other words, there’s no backhauling.
A SASE setup treats every user device as being at the network’s edge (hence the “service edge”). SASE works by viewing these as endpoints rather than as devices. The data inspection occurs at these “Points of Presence,” meaning the data can be routed here as efficiently as possible.
SASE can also carry out parallel traffic inspection, meaning multiple filters or checks are carried out simultaneously and then combine the results to determine the next steps. That contrasts with SD-WAN, which chains together individual inspection elements in series, requiring more time.
In effect, SASE combines networking and security into a single service.
Key characteristics of SASE include:
- Networking features include WAN optimization, caching, content distribution networks, and bandwidth aggregation.
- Security features include firewall as a service and zero trust network access (which controls access based on the user, device, and application, not location and IP address.)
- SASE is entirely cloud-based.
- SASE is usually offered as a single service rather than separate components.
What’s the relationship between SASE and SD-WAN?
Exactly how to describe the relationship between SASE and SD-WAN depends on your perspective. For example, some people see it as an evolution, with SASE being SD-WAN plus “security as a service.” Others consider it a complete rethinking, with SD-WAN being just one component in the overall SASE package.
Perhaps the easiest way to think of it is like this:
- SD-WANs use the same structural concept as traditional WANs but with a different physical technology;
- SASE uses a different structural concept from traditional WANs and SD-WANs.
Consider this analogy: in place of data inspection on a computer network, imagine if the US Postal Service (USPS) had to inspect every parcel. They would have to check the address, check the size and weight, or check for illegal or dangerous contents.
A traditional WAN model would mean every package, no matter its origin or destination, had to go to the USPS headquarters in Washington, DC, for inspection. This would greatly slow down deliveries, even if the sender and recipient were close to one another.
Switching from WAN to SD-WAN would mean the USPS could now inspect the packages at any post office or even in trucks that could go anywhere. This would speed up deliveries by allowing more efficient routing while inspecting every package.
In both cases, the analogy works by likening individual devices to cities across the US. This analogy doesn’t translate to the SASE model. Instead, imagine the network as the US and every device as a border city in Canada or Mexico. The network inspects data like the local immigration and customs checkpoints on either side of the border. People and vehicles are inspected at the point they enter or leave the country in the same way that SASE inspects data at the very edge of the network.
What are the key differences in practice?
- Security is an inherent feature of SASE. With SD-WAN, you will need to add security measures.
- SASE offers more customization options but is also more complex.
- Businesses may handle SD-WAN components in-house, outsource some components, or have an external supplier handle everything. For now, at least, SASE is most commonly offered as a complete single service by external suppliers.
What are the typical use cases for SD-WAN and SASE?
While every business is different, some use cases are more suited to one technology over the other. For example:
- Businesses with established IT departments and relatively straightforward networking needs (such as connecting multiple offices) may find an SD-WAN an adequate improvement on traditional WANs.
- Larger businesses with more complex needs (such as requiring precise, granular user access controls) may find SASE a more flexible and scalable option.
- Businesses that use hybrid and remote working may find the access controls of SASE more useful. The costs may also work out lower than using an SD-WAN that requires additional security components to suit remote working.
- Growing businesses may prefer a hybrid approach. This could involve using or maintaining an SD-WAN for straightforward connections between sites but incorporating this into SASE to add new users and locations.
What’s the next step?
If you’re still uncertain whether SD-WAN or SASE is best for your needs, or if you want more advice on making the transition, we’ll be happy to help. Contact us today.