Secure Access Service Edge, or SASE, is a cloud-based service that combines software-defined wide area networking (SD-WAN) with critical network security technologies like CASB, ZTNA, SWG, and FWaaS. SASE technology connects remote, branch office, and edge computing resources directly to web and cloud services, reducing the load on the main firewall while extending enterprise security policies and controls to protect this traffic. In this article, we’ll dive into the specific technology that SASE uses to defend your network edge.
How SASE technology defends your network edge
SASE protects network edge traffic by rolling up an entire network security technology stack into a single, cloud-delivered service. The key security components of a SASE solution include CASB, ZTNA, SWG, and FWaaS.
A cloud access security broker, or CASB, is a software service that sits between your main enterprise network and your cloud-based infrastructure. A CASB allows you to extend your enterprise security policies to the traffic flowing between your WAN and the cloud so you can ensure consistent protection. A CASB is actually a collection of multiple security technologies, such as:
- User and Entity Behavior Analytics (UEBA) – Monitors the behavior of users and devices on the network to detect suspicious activity and enforce security policies.
- Cloud application discovery – Identifies all cloud applications and services in use by the organization and analyzes relative risk levels.
- Data Loss Prevention (DLP) – Applies data governance policies to prevent the exfiltration of sensitive and proprietary information.
- Adaptive access control – Uses session context (e.g., originating location, time, behavior) to determine whether to grant access.
- Malware detection – Scans traffic between the enterprise and the cloud to detect and block viruses and other malware.
Zero trust network access, or ZTNA, connects remote users and devices to enterprise network resources, similar to a VPN. Unlike a VPN, however, ZTNA creates a direct connection to the specific resources requested by the user, rather than granting full access to the network. This prevents remote users from seeing or interacting with any network resources outside of the specific service they’ve explicitly authenticated to.
ZTNA follows the zero trust motto of “never trust, always verify.” It uses technologies like context and role-based identity verification and two-factor authentication (2FA) to prevent unauthorized access. And, since users need to re-authenticate to every enterprise resource, ZTNA is able to prevent malicious actors from discovering valuable systems and data or moving laterally on the enterprise network.
A secure web gateway, or SWG, is a service that sits between your enterprise network and the public internet. All web-destined traffic passes through the SWG, where enterprise web filtering and application control policies are applied. Traditionally, an SWG is a hardware device that sits in the data center, which means all remote, branch, and edge traffic needs to be backhauled through a single appliance. As part of a SASE solution, an SWG sits in the cloud instead, so remote traffic doesn’t need to pass through the data center. This improves overall network performance, reduces or eliminates bottlenecks, and ensures consistent application of acceptable use policies and application security controls.
Firewall-as-a-Service, or FWaaS, delivers next-generation firewall technology as a cloud-based service. That means remote and cloud-destined traffic can bypass the firewall in your data center, reducing bottlenecks and performance issues. At the same time, FWaaS provides the same level of security and protection as an NGFW, including features like URL filtering, intrusion detection and prevention, and deep packet inspection (DPI). FWaaS gives SASE solutions the ability to protect remote, edge, and cloud-destined traffic with the same policies and controls as the main enterprise network to ensure consistent security and optimal performance.
SASE technology uses CASB, ZTNA, SWG, and FWaaS to defend your network edge. However, you still need a way to direct remote, branch office, and edge traffic to your SASE security stack. That’s where SD-WAN technology comes in.
Accessing SASE technology with SD-WAN
While it’s possible to use standard WAN architectures to connect to SASE technology, the most reliable and efficient way to access SASE is with SD-WAN. SD-WAN uses software abstraction to create a virtual overlay management network on top of your WAN hardware. This virtual management network enables the use of automation and orchestration to manage the remote network traffic.
In a SASE deployment, SD-WAN uses intelligent routing to separate all remote traffic that’s destined for the cloud. Instead of backhauling this traffic through the enterprise firewall, SD-WAN routes it through the SASE technology stack, significantly reducing the load on your data center infrastructure. This improves network and application performance for your entire enterprise without sacrificing security.
SD-WAN solutions may sit on top of traditional WAN infrastructure, or they may replace that hardware entirely, using SD-WAN routers provided by the vendor. However, rather than investing in specialized vendor hardware, an even better approach is to use vendor-neutral network management devices that can host or integrate with every piece of your SASE and SD-WAN technology stack.
For example, the Nodegrid line of vendor-neutral serial consoles and network edge routers are the perfect on-ramp for your SASE solution. Nodegrid can directly host or integrate with third-party SD-WAN solutions like Palo Alto Networks’ Prisma SD-WAN, or you can use ZPE Cloud’s SD-WAN app. Nodegrid also supports seamless integrations with your choice of SASE provider, giving you a unified, centralized SD-WAN and SASE orchestration platform.