Evolving SD-WAN for the Secure Edge with SASE
Jan 19, 2021
The majority of corporate workloads and applications today have migrated to public cloud services like AWS, Azure, Google or Oracle. In fact, many enterprises access an average of five clouds on a daily basis, which raises the need to extend the security sphere beyond the centralized firewall that has become a performance bottleneck to cloud-based apps.
The result of these trends is that a big percentage of wide area traffic is no longer passing just between internal company locations. A recent study by Nemertes Research reported that less than 40% of WAN traffic originating from an internal source is headed for another internal site.
17% of WAN traffic is now outside-outside, connecting a source outside of the enterprise firewall to a destination also outside the security perimeter. And, over 50% of companies are using their SD-WANs to connect clouds to other clouds, otherwise known as the multi-cloud environment.
These new external traffic patterns, in which so much of an organization's traffic is passing outside of the traditional security perimeter, underscore the need for SD-WAN's centralized control and visibility, as well as enhanced security features that can detect and warn of unusual traffic flows or malicious behavior.
Enter the Secure Access Service Edge
This is where SASE offers the potential of merging networking with security into a converged cloud-based solution known as the Secure Access Service Edge.
SASE (pronounced "sassy") seeks to combine network security with SD-WAN by incorporating security functions that are delivered at cloud scale, although premises-based equipment may continue to play a role in this architecture when necessary for optimal performance.
SASE describes a core set of cloud-delivered security/networking technologies, including:
- Cloud Access Security Broker (CASB)
- Secure Web Gateway (SWG)
- Zero Trust Network Access (ZTNA)
- Firewall as a Service (FWaaS)
- Domain Name System (DNS) security
- Data Loss Prevention (DLP)
The inclusion of SD-WAN in this model reflects the broader use case SASE is intended to address, which is the lack of integration between wide area networking and security services. A SASE-compliant platform would have unified management and visibility into all networking and security components. According to a leading security vendor, the main benefits for an organization employing SASE concepts include:
- Protection from advanced security threats, data loss and data theft
- Greatly reduced cost of deploying security at scale
- Streamlined network management
- Complete visibility and precise control over their entire network
The goal is to provide a unified system that protects end users, network traffic, company data and applications from a single cloud-based platform, instead of the multiple point products that are commonly chained together today. A SASE platform should be able to protect against malicious websites, decrypt content at line speed, identify sensitive data or malware, and continuously monitor risk and trust levels.
The SASE Roadmap
For many SD-WAN vendors, achieving a complete SASE architecture will require a number of elements to converge.
For example, Zero Trust Network Access will become the entry point to a company's Software Defined WAN, and an alternative to traditional VPNs for remote users. A zero-trust security model focuses on identity to ensure the authentication of employees and their devices. ZTNA also maps users to policies that define the corporate applications they may access.
In addition, Secure Web Gateway functionality (often combined with CASB) is being integrated into SD-WAN so branch office users can connect directly and securely to the Internet and Cloud, without backhauling traffic to a centralized firewall. SWGs are designed to prevent remote and mobile users from accessing inappropriate websites or content, prevent malware downloads, enforce corporate security policies, and protect data against unauthorized exfiltration. Some vendors have added SWG features to the SD-WAN edge appliance, to augment an integrated firewall capability. In other cases, SWG will be achieved through integration with third-party providers.
The SASE Choice
Enterprises now have a choice they didn’t really have before: keep security on the premises, or move it to the cloud. The traditional premises firewall approach will persist for those organizations with the highest security and compliance requirements, typically banking and financial services firms or defense contractors. But the rapidly growing use of cloud services will drive most other organizations to adopt a cloud-scalable security posture. Whichever approach is taken, QOS Networks has a secure managed solution that can be tailored to fit the most demanding enterprise applications.
The QOS Networks SASE Story
The QOS Networks secure solutions can be adapted to the needs of diverse enterprises in any industry category as well as for academic and government organizations. QOS Networks offers a full security stack through leading-edge SASE platforms, including an application-aware NGFW with advanced capabilities such as IPS, URL Filtering, Anti-Malware and Unified Threat Management.
The QOS secure managed edge can be deployed through a network of cloud-based gateways, or through an appliance in a corporate hub, branch office or remote home office, and can also work through a remote software client for the mobile laptop.
To meet the needs of the new work-from-home (WFH) environment, QOS can extend the SD-WAN edge and security perimeter to the remote workers, through an SD-WAN edge device or a software client. The benefits include ensuring secure connectivity and application performance for both WFH and the mobile WAN environments, with full-featured next-gen firewall protecting every home office and every traveling laptop, all fully integrated into the corporate security structure.
This ensures that employees' access to the corporate network and applications is always just one hop (to the cloud) from anywhere they happen to be, thanks to the unified, always available Secure SD-WAN managed solutions from QOS Networks.