
Advanced SD-WAN and SSE enable best-in-class SASE

In August 2019, Gartner defined “Secure Access Service Edge” (SASE) as the combination of WAN edge network capabilities with network security functions such as SWG, CASB, FWaaS and ZTNA delivered in the cloud. Gartner indeed observed that as more applications and workloads migrate to the cloud, the role of the corporate data center has been significantly reduced. Additionally, with the work-from-anywhere trend, a defined security perimeter from which all employees connect is no longer viable. A SASE architecture brings a more secure and flexible way to connect by not backhauling application traffic to a data center before forwarding it to the cloud, but rather, performing advanced security inspection directly in the cloud.

SASE starts from the assumption that no user can be trusted by default and supports least-privilege access through Zero-Trust Network Access (ZTNA) capabilities. It protects sensitive data by enforcing security policies with Cloud Access Security Broker (CASB) capabilities. Additionally, a Secure Web Gateway (SWG) protects organizations from web-based threats using techniques such as URL filtering and malicious code detection. Firewall as a Service (FWaaS) provides next-generation firewall functionality in the cloud to analyze traffic from multiple sources. Other security features, such as Remote Browser Isolation (RBI), isolate web users from the internet by rebuilding web pages free of malicious code.

It should be noted that Gartner defined SASE before the COVID crisis. Since then, the pandemic has accelerated the need for more security with remote working being one of the main drivers. Over time, the line between these different security practices has blurred, creating overlaps as vendors add more functionality to the core capabilities. In response, Gartner has defined a new category called “Security Service Edge” (SSE) to describe these core security features.

This is how Gartner defines SSE: “Security service edge (SSE) secures access to the web, cloud services, and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components.”

Cloud security vendors that offer multiple security capabilities are now unifying all these services into a single SSE platform, eliminating overlaps and leveraging the benefits of a single platform by deduplicating and harmonizing security policies and providing greater visibility into security threats.

SSE defines the set of security services that helps achieve the security vision of SASE, while SD-WAN defines the WAN edge networking functionality requirements of SASE.

SD-WAN is a critical foundational component of a SASE architecture and helps organizations accelerate their digitization efforts by supporting cloud-first strategies and modernizing network infrastructure. Even though the trend of working-from-anywhere persists, organizations will continue to operate branch offices requiring SD-WAN capabilities and will even extend SD-WAN services to home offices and small offices. Organizations must continue their efforts to transition to an SD-WAN architecture but must also factor in SSE capabilities in the WAN transformation process.

The combination of an advanced SD-WAN and SSE allows organizations to implement a SASE architecture, and therefore some security vendors have integrated basic SD-WAN functionalities in their offerings. However, these vendors often lack the critical capabilities of an advanced SD-WAN solution. SD-WAN and SSE indeed focus on two different objectives and lifecycles: SD-WAN is about establishing a robust yet flexible connection while SSE must constantly adapt to new cybersecurity threats. An advanced SD-WAN solution enables organizations to build a robust SASE architecture by tightly integrating with best-of-breed SSE capabilities without compromising on performance or security.

Below are three reasons why organizations should select an advanced SD-WAN when defining their cloud-first SASE architecture.

1. An advanced SD-WAN steers application traffic intelligently

An advanced SD-WAN is critical to intelligently steer application traffic based on its destination and security policy requirements. Even though the cloud is the primary destination, not all the traffic goes exactly to the same place:

  • Advanced SD-WANs can direct traffic seamlessly between private and public clouds; hybrid cloud is the most popular infrastructure model used by organizations today.
  • Through API-based integrations, advanced SD-WANs can automatically establish connections to cloud providers using services such as AWS Transit Gateway and Azure Virtual WAN, improving performance and security. In multi-cloud environments, workloads can easily be moved from one cloud provider to another.
  • Advanced SD-WANs can also accelerate traffic to cloud applications by always selecting the best-performing route based on network health and performance measurements as well as local DNS resolution. Additionally, they can send traffic for trusted cloud applications such as Microsoft 365 directly to the nearest point of presence, again improving performance.

2. An advanced SD-WAN is tightly integrated with SSE

Although security vendors may provide basic SD-WAN capabilities, they are not necessarily well integrated with other security capabilities. An advanced SD-WAN solution provides native integration with SSE capabilities through automated orchestration. In other words, these solutions are able to identify the application on the first packet and automatically route the traffic to an SSE service based on the security policies set by organizations. Additionally, the same security policies are pushed seamlessly to each branch using centralized orchestration so that organizations keep a consistent security approach across each of their locations. By tightly integrating with cloud-delivered security vendors, advanced SD-WAN solutions provide organizations with the ability to select the best-of-breed SSE services depending on their needs and security policies.

3. An advanced SD-WAN incorporates leading-edge security features

An advanced SD-WAN provides essential security features to protect branch offices, such as unified threat management with integrated IDS/IPS and a zone-based firewall to support micro-segmentation. These security features allow organizations to protect their branch offices from malicious threats. They also allow organizations to go beyond SASE by mitigating the risks associated with the exploding number of IoT devices and building a zero-trust architecture. Because IoT devices in most cases cannot run security agents and have a simple architecture, micro-segmentation isolates them in their own part of the network so that a compromised device cannot spread malware to the rest of it. Finally, with built-in security features, organizations can also reduce equipment sprawl in branch offices by removing existing security devices, reducing maintenance and operating costs.
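The three behaviours described in the sections above (steering by destination, first-packet application identification with a policy-driven hand-off to an SSE service, and a zone-based firewall for micro-segmentation) can be modelled as one policy engine. The block below is an added illustration written for this page, not Aruba EdgeConnect code or configuration; every application name, zone, prefix and policy entry in it is constructed. It treats the TLS SNI (or, failing that, the destination prefix) as the first-packet signal, checks the zone pair against a default-deny segmentation table, and only then picks a path: direct to a trusted SaaS point of presence, over the SD-WAN overlay to a private cloud, through an API-built cloud on-ramp, or through the SSE tunnel for everything else.

```python
"""Toy SASE branch-edge policy engine (constructed example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed application catalogue. The "first packet" is represented by the
# TLS SNI; flows without an SNI fall back to destination-prefix matching.
APP_BY_SNI = {
    "outlook.office365.com": "microsoft365",
    "teams.microsoft.com": "microsoft365",
    "dropbox.com": "dropbox",
    "iot.vendor.example": "iot-mgmt",
}
APP_BY_NET = {
    ip_network("10.100.0.0/16"): "erp",     # workload in the private cloud
    ip_network("172.31.0.0/16"): "hr-app",  # workload hosted in a public cloud
}

# Constructed steering policy. Anything not explicitly trusted falls through
# to the SSE service for inspection, which is the zero-trust default.
TRUSTED_SAAS = {"microsoft365"}   # sent straight to the nearest PoP
PRIVATE_CLOUD_APPS = {"erp"}      # reached over the SD-WAN overlay
PUBLIC_CLOUD_APPS = {"hr-app"}    # reached via the API-built cloud on-ramp

# Constructed zone-based firewall: (source zone, destination zone) -> allowed.
# Unlisted pairs are denied; that is what isolates the IoT segment.
ZONE_POLICY = {
    ("users", "saas"): True,
    ("users", "private-cloud"): True,
    ("users", "public-cloud"): True,
    ("users", "internet"): True,
    ("iot", "iot-cloud"): True,   # IoT devices may only reach their management service
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_ip: str
    sni: Optional[str] = None


def identify_app(flow: Flow) -> str:
    """First-packet classification: SNI first, then destination prefix, else unknown."""
    if flow.sni and flow.sni in APP_BY_SNI:
        return APP_BY_SNI[flow.sni]
    addr = ip_address(flow.dst_ip)
    for net, app in APP_BY_NET.items():
        if addr in net:
            return app
    return "unknown"


def destination_zone(app: str) -> str:
    """Map an identified application to the firewall zone its traffic lands in."""
    if app in TRUSTED_SAAS:
        return "saas"
    if app in PRIVATE_CLOUD_APPS:
        return "private-cloud"
    if app in PUBLIC_CLOUD_APPS:
        return "public-cloud"
    if app == "iot-mgmt":
        return "iot-cloud"
    return "internet"


def steer(flow: Flow) -> dict:
    """Apply segmentation first, then choose the path for an allowed flow."""
    app = identify_app(flow)
    dst_zone = destination_zone(app)
    if not ZONE_POLICY.get((flow.src_zone, dst_zone), False):
        return {"app": app, "action": "deny",
                "reason": f"zone pair {flow.src_zone}->{dst_zone} not permitted"}
    if app in TRUSTED_SAAS:
        path = "direct-to-saas-pop"
    elif app in PRIVATE_CLOUD_APPS:
        path = "sdwan-overlay"
    elif app in PUBLIC_CLOUD_APPS:
        path = "cloud-onramp"
    else:
        path = "sse-tunnel"  # unknown or untrusted web traffic is inspected by the SSE
    return {"app": app, "action": "forward", "path": path}


if __name__ == "__main__":
    # Constructed sample flows from a branch: corporate users and an IoT camera.
    for f in (Flow("users", "52.96.0.1", "outlook.office365.com"),
              Flow("users", "10.100.5.5"),
              Flow("users", "203.0.113.9", "dropbox.com"),
              Flow("iot", "203.0.113.9", "dropbox.com"),
              Flow("iot", "198.51.100.7", "iot.vendor.example")):
        print(f, "->", steer(f))
```

Because the whole policy lives in a few shared tables, pushing it from a central orchestrator to every branch is a matter of distributing the same data rather than hand-editing each site, which is the consistency the section above describes; the IoT case shows why the zone check has to run before path selection, since an IoT device that is denied the internet zone never reaches the SSE hand-off at all.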

Implement an advanced SD-WAN solution with best-of-breed SSE capabilities

Aruba EdgeConnect SD-WAN is the foundational component of a SASE architecture. It provides tight integration with best-of-breed security vendors such as Netskope, Zscaler, McAfee, Check Point and Palo Alto Networks, and automates the orchestration to these third-party security capabilities. A virtual instance of Aruba EdgeConnect can be deployed in any of the four public cloud providers, making multi-cloud environments more efficient and secure. Aruba EdgeConnect accelerates the connection to SaaS applications by routing SaaS traffic to the closest point of presence. It also embeds a zone-based firewall with micro-segmentation and IDS/IPS capabilities, allowing organizations to prevent the spread of malware and cyberattacks.

To learn more, please visit our website on Aruba EdgeConnect SD-WAN.
