Dual forces of convergence and inversion are taking place at the same time in the enterprise networking and security space. Network design as we knew it is changing fundamentally as the application landscape shifts towards hybrid and multi-cloud. The new center of gravity is no longer the data center; it is the cloud, around which the new network design patterns are being carved out. Convergence here refers to the consolidation of networking and security solutions, which the industry calls SASE (Secure Access Service Edge). Inversion refers to the shift away from the data center as the center of the network architecture towards edge computing, which flips the traditional networking service designs.
In this blog, I compare SDWAN and SASE architectures and explain why we need two different thinking hats while designing and building these architectures.
A radical shift in the traffic pattern
Is it fair to say that the network follows the applications and users? That is exactly what has happened in the last few years. Applications have been re-architected and moved to the cloud, or developed natively within the cloud. Users have moved away from working on campus, in branches and in centralized locations to working from home, coffee shops and coworking spaces, and the pandemic has accelerated this trend. As a result, traffic flows have changed dramatically: the majority of remote user traffic now goes to applications residing in the public cloud rather than in on-premises data centers. Another way to put this is that hybrid and multi-cloud strategies for business applications have resulted in new traffic patterns.
From SDWAN to SASE
SDWAN was a result of this shift. It delivered a new network architecture and allowed the creation of centralized policies to route traffic to SaaS applications over broadband Internet rather than through the corporate Internet edge, so many businesses saw significant traffic optimization and cost savings. While SDWAN was being rapidly adopted, the need arose to integrate security features into the solution, including data loss prevention, VPN, identity solutions like Cisco Duo, cloud access security broker and so on. The combination of SDWAN with these security features is what gave birth to SASE (Secure Access Service Edge).
The term SASE was coined by Gartner and is defined as a suite of security solutions running close to where the end users and devices are located, delivered by building multiple SASE PoPs (Points of Presence). Many networking and security vendors have actually built these PoPs across the globe. The suite of security solutions within a SASE PoP includes, but is not limited to, VPN, firewall as a service, cloud access security broker, data loss prevention, secure Internet gateway and identity.
A rough architectural layout of the SDWAN and SASE solutions is depicted below. As indicated, SASE combines the networking and security solutions into a unified architecture.
As per Gartner, SASE inverts traditional networking and security service designs. This means that the data center would no longer be the architectural center of the network. The new center would be identity: that of users, devices, IT/OT devices and edge computing locations.
The New Network
As we saw from the two architectures above, the SDWAN network design is anchored around the data center, while the SASE design is anchored around the cloud and the edge. This allows us to fundamentally rethink how the new networks are supposed to be designed and implemented.
Backhauling Internet traffic from branches or home offices through the data center is no longer a viable option unless mandated by specific application or security needs. Local Internet breakout, at the branch or through the edge, needs to be considered for critical application traffic such as Office 365. Security policies for the application traffic need to be applied at the branch, the edge or the cloud rather than at the data center.