HPE Aruba Networking Blogs

Six reasons why a secure advanced SD-WAN is critical to SASE

Gartner says that “By 2026, 60% of new SD-WAN purchases will be part of a single-vendor secure access service edge (SASE) offering, up from 15% in 2022.”1 But what if SD-WAN were not part of SASE (Secure Access Service Edge)? Can organizations implement SASE without SD-WAN? Can users and devices securely access resources from everywhere, including branch locations? In this article, we examine the reasons why a secure SD-WAN is critical to SASE.

A secure SD-WAN provides organizations with two critical capabilities: application performance and branch security. Let’s first analyze these two capabilities in detail before examining the consequences if SD-WAN were not included in the SASE framework.

Improving application performance with a secure SD-WAN

  • Tunnel bonding: Through network virtualization, SD-WAN can combine multiple links, including MPLS, Internet, 4G/5G and satellite. This functionality enables organizations not only to replace or supplement costly, rigid MPLS networks, but also to dynamically select the best path based on network conditions and business intent.
  • Network optimization: SD-WAN provides multiple optimization techniques to tackle the adverse effects of internet links and long distance (latency). This includes Forward Error Correction (FEC), which periodically sends parity packets, enabling the solution to rebuild dropped data packets without having to retransmit them. WAN optimization is another technique that helps reduce the latency effects of long distance. This feature accelerates the transmission of data by applying TCP protocol acceleration as well as data deduplication and compression algorithms.
  • Multi-cloud networking: Advanced SD-WAN supports multi-cloud networking. Virtual instances of SD-WAN solutions can be deployed in cloud service providers such as AWS, MS Azure and Google Cloud, establishing a resilient and secure connection from the branch office to the cloud.
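The FEC mechanism in the network-optimization bullet, shown as an added toy example (not EdgeConnect's implementation or any code from the original post): the sender appends one XOR parity packet to each block of four data packets, and the receiver rebuilds a single dropped packet from the survivors instead of asking for a retransmission. The block size of 4 and the sample packets are assumed values.

```python
from typing import Optional

BLOCK = 4  # data packets per FEC block; assumed value, real products tune this


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def make_block(packets: list[bytes]) -> list[bytes]:
    """Sender side: pad the data packets to a common length and append one
    XOR parity packet. All BLOCK + 1 packets are transmitted; the parity
    packet is the bandwidth FEC spends to avoid retransmission latency.
    (A real design carries each packet's original length in a header; this
    toy keeps the zero padding on recovered packets.)"""
    assert len(packets) == BLOCK
    size = max(len(p) for p in packets)
    padded = [p.ljust(size, b"\x00") for p in packets]
    parity = b"\x00" * size
    for p in padded:
        parity = xor_bytes(parity, p)
    return padded + [parity]


def recover_block(received: list[Optional[bytes]]) -> Optional[list[bytes]]:
    """Receiver side: received[i] is None when packet i (data or parity) was
    dropped in transit. One parity packet repairs exactly one loss; with two
    or more losses the block is unrecoverable and None is returned, which is
    the point where a real implementation falls back to retransmission."""
    missing = [i for i, p in enumerate(received) if p is None]
    if len(missing) > 1:
        return None
    if missing:
        idx = missing[0]
        size = len(next(p for p in received if p is not None))
        rebuilt = b"\x00" * size
        # XOR of every surviving packet (data and parity) equals the lost one.
        for i, p in enumerate(received):
            if i != idx:
                rebuilt = xor_bytes(rebuilt, p)
        received = received[:idx] + [rebuilt] + received[idx + 1:]
    return received[:BLOCK]  # strip the parity packet before delivery
```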

Extending the WAN fabric to multi-cloud environments with EdgeConnect SD-WAN

Ultimately, advanced SD-WAN solutions optimize user experience by automatically selecting the best path for each application regardless of how the application traffic is broken out: through local breakout, IaaS providers or SSE (Security Service Edge) solutions.

Improving security with a secure SD-WAN

In addition to improving application performance, an SD-WAN provides advanced security features that enable organizations to consolidate their security equipment in branch offices.

  • Secure internet breakout: A secure SD-WAN can identify more than 10,000 applications and more than 300 million web domains on the first packet. With this feature, a secure SD-WAN can perform granular and secure breakout of internet-bound traffic to the cloud, to an SSE solution or to the data center based on security policies. This eliminates the need to backhaul SaaS application traffic to the data center, greatly improving security and application performance. Trusted applications such as RingCentral can be sent directly to the cloud, while suspicious traffic can be sent to the data center for security inspection or to an SSE solution.

Securely break out traffic with EdgeConnect SD-WAN from branch offices

  • Next-generation firewall: A secure SD-WAN includes next-generation firewall capabilities, including IDS/IPS and DDoS protection. IDS/IPS uses a signature-based system to monitor network traffic and find patterns that match a particular attack signature. An IDS/IPS inline mode is also available to immediately block traffic when an intrusion occurs. Additionally, DDoS defense detects and prevents attacks such as protocol attacks, SYN floods, IP spoofing attacks and more. In the event of a DDoS attack, a secure SD-WAN limits the number of malicious requests with actions such as rapid aging, drop excess and block source.
  • Zero Trust segmentation: A secure SD-WAN supports role-based segmentation to enforce Zero Trust and minimize lateral movement. Each user and device on the network is identified. This identification can be performed through machine learning for unknown devices such as IoT devices. A secure SD-WAN then creates end-to-end zones, from the LAN to the WAN, across any combination of users, devices, application groups and virtual overlays, propagating security policies to all remote sites. It applies least-privilege access principles, ensuring that users and IoT devices only communicate with destinations consistent with their role in the business, reducing unauthorized access and limiting the scope of incidents.

Enable role-based segmentation with EdgeConnect SD-WAN and minimize lateral movement

What if SASE didn’t include SD-WAN?

Let’s now examine what would happen if SASE didn’t include SD-WAN.

In the evolving landscape of network infrastructure and applications moving to the cloud, SASE has reshaped how organizations approach connectivity and security. However, considering the hypothetical scenario where SASE excludes SD-WAN reveals significant implications. It highlights the integral role of SD-WAN within the SASE framework, particularly in branch offices, to optimize application performance, improve security posture and enhance operational efficiency. Without SD-WAN, organizations would potentially face the following limitations:

1. No bandwidth optimization based on application: If SD-WAN were not part of SASE, branch offices wouldn’t be able to prioritize traffic based on application type. Business-critical applications would share the same bandwidth as non-critical applications. In critical environments, like banking, healthcare, or manufacturing, this could potentially lead to severe consequences and negative business impact.

2. Limited path selection: SD-WAN enables leveraging various network links (MPLS, multiple internet providers, 4G/5G or satellite connections) based on business requirements. Without an SD-WAN, traffic wouldn’t use the best path. The system wouldn’t be able to take advantage of the diversity of paths available today and combine them based on business intent, impacting the efficiency and flexibility of network operations.

Always selecting the best path with EdgeConnect SD-WAN

3. Equipment sprawl in branches: Without a secure SD-WAN, branch offices wouldn’t benefit from the routing and security features built into SD-WAN, such as a next-generation firewall. Branch offices would instead rely on disparate devices for security and routing that are difficult to manage and require local expertise. Additionally, these devices require multiple management portals and manual steps to implement Zero Trust across multiple vendor solutions. A secure SD-WAN can easily replace these devices, reducing the hardware footprint. Additionally, a secure SD-WAN can be centrally administered. Configurations and policy updates are sent to local branch offices within minutes, eliminating the need for locally trained personnel.

4. Poor support of hybrid cloud and on-prem setups: With SSE alone, all traffic would be directed to the SSE system, even traffic that must remain local, affecting user experience negatively. Many organizations across various industry sectors, not just sensitive sectors like defense and government, operate many applications on-premises or in a private cloud, and therefore need an intelligent way to steer traffic to on-premises, private cloud or public cloud destinations. This is precisely what SD-WAN brings to these organizations: the ability to operate in hybrid cloud environments.

5. No Zero Trust in branch locations: With a built-in next-generation firewall, secure SD-WANs provide role-based segmentation capabilities in branch locations to prevent lateral movement and protect critical parts of the LAN and the WAN. A secure SD-WAN also helps secure IoT devices that cannot run security agents, by ensuring that IoT traffic remains isolated from mission-critical applications. Additionally, a secure SD-WAN allows for the implementation of unified security policies across the LAN and the WAN. Without it, security policies become more fragmented and challenging, potentially leading to gaps and inconsistencies in security enforcement.

6. Increased security risks in branch offices: Since a secure SD-WAN integrates security functionalities like encryption, firewall, IDS/IPS and DDoS defense, the branch network is less prone to cyberattacks and security risks are reduced, including unauthorized access, data breaches and malware.

In conclusion, not having secure SD-WAN within a SASE framework can lead to compromised security and performance issues in branch locations. Integrating secure SD-WAN capabilities into SASE is essential to ensure a robust, secure, and efficient network environment.

Moreover, SSE perfectly complements SD-WAN in a cloud-centric world. With ZTNA, remote workers can access private resources seamlessly using least-privilege access principles. Unlike VPNs, the solution grants access to specific resources based on identity instead of to all resources. It also improves user experience by providing multiple Points of Presence instead of a few VPN concentrators involving long backhauls. SWG (Secure Web Gateway) secures internet browsing by blocking access to websites known for their malicious content and monitoring web traffic in real time. CASB (Cloud Access Security Broker) identifies sensitive data, detects shadow IT, enforces security policies, and prevents the unauthorized transfer of sensitive data in SaaS applications.

EdgeConnect SD-WAN from HPE Aruba Networking is a secure SD-WAN that provides advanced security capabilities including next-generation firewall, IDS/IPS, DDoS defense and role-based segmentation, in addition to multi-cloud networking and WAN optimization capabilities. EdgeConnect SD-WAN is tightly integrated with HPE Aruba Networking SSE to form a unified SASE solution, accelerating SASE deployment and facilitating network and security operations. The solution also allows organizations to build a Zero Trust architecture with users and devices securely accessing resources from branch offices. EdgeConnect SD-WAN integrates with HPE Aruba Networking ClearPass and Central NetConductor capabilities to propagate security policy information and any updates related to the user, device type, role and security posture across the entire SD-WAN fabric and apply role-based segmentation. To learn more, please read our business paper on Architecting SASE with a secure business-driven SD-WAN.

Other resources:

1 2023 Magic Quadrant for SD-WAN, Gartner Sep. 2023