Month: September 2021

Secure access service edge (SASE) and SD-WAN are two networking technologies designed to connect geographically disparate endpoints to a source of data and application resources. 

SD-WAN is an application of software-defined networking (SDN) that uses a virtualized network overlay to connect and remotely manage branch offices. The focus is placed on connecting these branch offices back to a central private network. While SD-WAN can be adapted to connect to the cloud, it is not built with the cloud as its focus.

SASE, on the other hand, does focus on the cloud and has a distributed architecture. Instead of focusing on connecting branches to a central network, SASE focuses on connecting individual endpoints (whether a branch office, individual user, or single device) to the service edge. The service edge consists of a network of distributed points of presence (PoPs) where the SASE software stack runs. Moreover, SASE puts a focus on baked-in security (hence the “secure access” part of its name).

It’s like the difference between sharing files over an intranet versus over Google Drive. Both methods strive to achieve the same end goal, but the two approaches are vastly different.

SD-WAN is a maturing market that has overall seen consistent growth, though the COVID-19 pandemic did hinder it some. SASE is comparatively new since it is a term that was coined by the research organization Gartner in 2019. Despite the SASE market being nascent, many vendors are beginning to enter the market with their own SASE or SASE-like services.

The differences between SASE and SD-WAN can be summarized in three categories:

  • Their relationship to the cloud
  • Where security and networking tools reside
  • How traffic inspection is done

SASE, SD-WAN, and the Cloud

SASE uses one or more of the following: private data centers, the public cloud, and colocation facilities. These PoPs form the architecture’s service edge on which the SASE stack runs. These PoPs are often located in public clouds, or in close proximity to public cloud gateways, for secure low-latency access to cloud resources. Traffic goes to whichever node has sufficient resources for what the user is requesting, and SASE software can determine optimal routes for traffic to use on the way to its endpoint. This distributed architecture differs from SD-WAN’s nature of being centered on the organization’s data center. Gartner contends that having a single private data center as a network’s focus causes inefficiencies as cloud services are increasingly used.

There are SD-WAN offerings that work with the cloud. However, cloud integration is more of a feature of SD-WAN than a key component. In cloud-enabled SD-WANs, users connect to a virtual cloud gateway through the internet, making the network more accessible and supportive of cloud-native applications. This is fairly similar to the SASE approach.

Location of Security and Networking Decisions

SASE’s focus is on providing secure access to distributed resources for the network and its users. The resources can be distributed in private data centers, colocation facilities, and the cloud. As such, security and networking decision-making are baked into the same security tools. SASE products have security tools that reside in a user’s device as a security agent, as well as in the cloud as a cloud-native software stack. For example, the security agent can contain a secure web gateway and a vendor’s cloud can contain a firewall-as-a-service. In a branch office or other location with a collection of people, a SASE appliance is common in order to secure agentless devices like printers.

SD-WAN technology was not designed with a focus on security. SD-WAN security is often delivered via secondary features or by third-party vendors. While some SD-WAN solutions do have baked-in security, they are in the minority. SD-WAN’s central goal is to connect geographically separate offices to each other and to a central headquarters, with flexibility and adaptability to different network conditions. In an SD-WAN, security tools are usually located at offices in customer premises equipment (CPE) rather than on the devices themselves. Networking decisions in an SD-WAN are made in the virtualized networking devices that are spread throughout the network.

SASE vs SD-WAN Traffic Inspection

With SASE networks, traffic is opened up one time and inspected by multiple policy engines at once. The engines run in parallel without passing the traffic between them. This saves time because the traffic isn’t repeatedly accessed as it is passed from one security function to the next, as is the case in an SD-WAN. Additionally, these policy engines do as much, if not more, than the security tools in an SD-WAN.

SD-WAN uses service chaining. Service chaining is where traffic is inspected by one security function at a time, one after the other. Each of these individual functions handles one type of threat and is called a point solution. Each point solution opens up the traffic, inspects it, closes it up, and then forwards it to the next point solution until the traffic has passed through all point solutions.
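The following added example (illustrative code, not from the article or any SASE or SD-WAN vendor) models the two inspection styles described above. The flow record, the three toy policy engines and the "parse count" are all constructed assumptions; the point it shows is that a service chain opens the traffic once per point solution, while a single-pass design opens it once and fans the same parsed view out to every engine, reaching the same verdict.

```python
"""Service-chained (SD-WAN-style) vs single-pass (SASE-style) inspection.

Constructed illustration: a 'flow' is a key=value string that each policy
engine must decode before it can inspect it. Decoding stands in for
'opening up the traffic'; the counter records how often that happens.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple

# Constructed sample flows (not real traffic)
SAMPLE_FLOW = "dst=10.0.0.5 port=443 host=drive.example.com bytes=1048576"
BLOCKED_FLOW = "dst=10.0.0.9 port=22 host=files.bad.example bytes=512"


def open_traffic(raw: str, counter: List[int]) -> Dict[str, str]:
    """Decode the flow; every call means the traffic was opened once more."""
    counter[0] += 1
    return dict(kv.split("=", 1) for kv in raw.split())


def close_traffic(fields: Dict[str, str]) -> str:
    """Re-encode before forwarding to the next hop in a chain."""
    return " ".join(f"{k}={v}" for k, v in fields.items())


# Three hypothetical point solutions; each handles one kind of threat.
def url_filter(f: Dict[str, str]) -> str:
    return "block" if f["host"].endswith(".bad.example") else "allow"

def dlp(f: Dict[str, str]) -> str:  # crude data-loss check on transfer size
    return "block" if int(f["bytes"]) > 10 * 1024 * 1024 else "allow"

def port_policy(f: Dict[str, str]) -> str:
    return "allow" if f["port"] in {"80", "443"} else "block"

ENGINES: List[Callable[[Dict[str, str]], str]] = [url_filter, dlp, port_policy]


def service_chain(raw: str) -> Tuple[str, int]:
    """SD-WAN style: each point solution opens, inspects, closes, forwards."""
    counter = [0]
    for engine in ENGINES:
        fields = open_traffic(raw, counter)       # opened again at every hop
        if engine(fields) == "block":
            return "block", counter[0]            # dropped before the next hop
        raw = close_traffic(fields)               # closed up and forwarded
    return "allow", counter[0]


def single_pass(raw: str) -> Tuple[str, int]:
    """SASE style: open once, run all engines in parallel over the same view."""
    counter = [0]
    fields = open_traffic(raw, counter)
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        verdicts = list(pool.map(lambda e: e(fields), ENGINES))  # no hand-off between engines
    return ("block" if "block" in verdicts else "allow"), counter[0]
```

Both functions return the verdict and how many times the flow was opened, so the cost of the chain grows with the number of point solutions while the single-pass count stays at one.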

Similarities Between the Two Networking Technologies

Despite serving similar ends, SASE and SD-WAN do not have many architectural similarities. The higher-level similarities are that both are wide-area networks and both run on virtualized infrastructure.

Both SD-WAN and SASE are designed to cover a large geographic area. The difference is in the infrastructure. SASE’s infrastructure has private data centers, colocation facilities, or a cloud acting as endpoints. These are where the networking, optimization, and security functions run. In an SD-WAN these functions run in boxes at a branch and at headquarters. Both SASE and SD-WAN can be controlled from anywhere. In SD-WAN’s case, a DIY approach will usually put control in the organization’s headquarters, a managed solution will be controlled remotely by the service provider, and a co-managed solution is similar to a managed solution but with the organization having some control through a portal.

Despite the different formats of the two infrastructures, they are both still virtualized. SD-WAN and SASE do not rely on fixed-function proprietary boxes like a non-virtualized WAN. As previously stated, SASE runs security and networking functions in a cloud or other data center and in a security agent. For SD-WAN, the network nodes, as well as the CPE, are software-defined. In other words, the functions are running as software.

How Vendors are Selling SASE and SD-WAN

SASE is still an emerging technology. Reflecting that, many SD-WAN vendors are beginning to offer a SASE solution in addition to their SD-WAN solution, or at least claiming that what they have is SASE. For example, Cisco, VMware VeloCloud, and Open Systems are all doing this, among many others.

Other organizations have put their resources more into developing and deploying SASE services than SD-WAN, for example Palo Alto and Cato Networks.

SASE vs SD-WAN: Key Takeaways

  1. SASE and SD-WAN are two different networking technologies that use different means to get to similar ends.
  2. Both technologies are meant to connect geographically distributed organizations in a flexible and adaptable manner.
  3. A SASE network is focused on providing cloud-native security tools and has the cloud at the center of the network.
  4. SD-WAN technology is focused on connecting offices to a central headquarters and data center, though it can also connect users directly to the cloud.