Netpoleon Solutions

Blog

Understanding the Benefits of SD-WAN, SASE, and ZTNA for Zero Trust

9/11/2024

 
A 3-line summary of this article
  • Dedicated lines guarantee security, provide high line quality, and allow for fault isolation, but they are expensive and have limited scalability. Achieving zero trust requires a review of the network configuration.
  • SD-WAN allows for flexible configuration changes and visualized traffic management, but local breakouts raise security concerns and there is a shortage of engineers who can operate it. Zero trust requires the introduction of security products.
  • SASE is a cloud-based connection method that allows for cost reduction and flexible deployment, but it can be affected by the quality of the Internet connection. Zero trust requires the introduction of a communication monitoring product.
Introduction
Recently, SD-WAN, SASE, ZTNA, etc. have been attracting attention, and an increasing number of customers are considering introducing them.

This article focuses on how overseas bases connect to the DC (data center) and explains the available connection methods.

Previously, when connecting to an on-premise DC environment from an overseas base, it was necessary to use a VPN or prepare a dedicated line.

In this article, we will discuss connection methods from overseas bases and how to consider them, including new technologies and connection methods.

We hope this will help you decide which connection method is best for your company.


Table of contents
  • Characteristics, advantages and disadvantages of new connection methods such as SD-WAN, SASE, and ZTNA, and perspectives required for zero trust
  • Summary of the features of each connection method: Dedicated line, SD-WAN, SASE, ZTNA
  • SD-WAN, SASE, ZTNA and other connection methods and security
  • How to choose between dedicated lines, SD-WAN, SASE, and ZTNA based on your communications environment
  • Summary
Characteristics, advantages and disadvantages of new connection methods such as SD-WAN, SASE, and ZTNA, and perspectives required for zero trust
There are several methods for connecting to overseas bases.

First, we will look at the configuration, advantages and disadvantages of each, and the perspectives required for zero trust.

  1. Dedicated Line
  2. SD-WAN (Software Defined-Wide Area Network)
  3. SASE (Secure Access Service Edge)
  4. ZTNA (Zero Trust Network Access)
1. Dedicated lines
Merit
  • Security is guaranteed because the line is used only by the company.
  • The communication bandwidth is guaranteed, and the line quality is high and stable.
  • Faults are easier to isolate when a problem occurs
Demerit
  • High cost per communication bandwidth
  • Communications are concentrated in the DC, so the load is concentrated on the equipment and lines.
  • Since it is necessary to prepare physical lines, it is not scalable and takes time to expand overseas.
Perspectives necessary for zero trust
  • In perimeter defense, the firewall is located only at the DC, so if malware gets in, there is a risk of the infection spreading across the internal network.
    ⇒ To achieve zero trust, assume intrusions will happen and review the network configuration to limit the range of communication between bases and to the DC.
2. SD-WAN (Software Defined-Wide Area Network)
Merit
  • Zero-touch provisioning allows for flexible configuration changes
  • You can visualize traffic and check the usage status of web applications, etc.
  • Local breakout of internet-bound communications reduces the load on the DC
Demerit
  • Since local breakouts can lead to security holes, it is necessary to consider security measures for Internet-facing communications.
  • Because it is a new technology, there is a shortage of engineers who can operate it.
Perspectives necessary for zero trust
  • If malware gets into your company, there is a risk that the infection will spread across your company's internal network.
  • Local breakout communications pose a high security risk because no security measures are applied to them.
    ⇒ To achieve zero trust, it is necessary to introduce a security product that secures Internet-bound communications and a security product that limits the communication range of each terminal for site-to-site communications.
3. SASE (Secure Access Service Edge)
Merit
  • Since the cloud has its own backbone (dedicated line), it is possible to eliminate the dedicated line and reduce costs.
  • Cloud-based system allows for easy deployment of new locations and high flexibility/scalability
  • Network and security functions are integrated, and operations are simplified as vulnerabilities and other issues are addressed on the cloud side.
Demerit
  • Since the connection to the backbone requires an Internet line, it is affected by the quality of the line.
  • When implementing the system, it is necessary to migrate the on-premise firewall policy to the cloud.
  • A single product handles both network and security functions, which can lead to vendor lock-in
  • Since communication always goes through a PoP (point of presence), there tends to be a large delay when communicating between bases.
Perspectives necessary for zero trust
  • Because it is a cloud product, it cannot monitor communications inside a location.
    ⇒ To achieve zero trust, it is necessary to introduce products such as NDR (Network Detection and Response) that monitor communications within locations.
4. ZTNA (Zero Trust Network Access)
Merit
  • Security is guaranteed because terminal authentication is performed for each communication.
  • Vulnerabilities are handled on the cloud side, reducing operational costs.
  • Moving away from perimeter defense
Demerit
  • Depending on the type of ZTNA, some only work with HTTP(S).
  • It is necessary to cover all access points before implementation
  • Server-initiated communications are not supported
  • Security products need to be considered for Internet communications
Perspectives necessary for zero trust
  • ZTNA is sometimes provided together with security products (SWG or CASB) and sometimes with just the ZTNA functionality, so it is necessary to combine it with other products to take advantage of the product's features.
Summary of the features of each connection method: Dedicated line, SD-WAN, SASE, ZTNA
The features of each connection method are summarized below.

Legend (rating symbols): ◎ = excellent, 〇 = good, △ = weak, × = not supported

                                  | Leased Line | SD-WAN | SASE               | ZTNA
----------------------------------|-------------|--------|--------------------|-------------------
Cost                              | △           | 〇     | ◎                  | 〇
Ease of implementation            | △           | 〇     | 〇                 | △
Ease of operation                 | △           | ◎      | ◎                  | ◎
Scalability                       | △           | △      | ◎                  | ◎
Supports server-originated comms  | ◎           | ◎      | ◎                  | ×
Security                          | ◎           | 〇     | ◎                  | 〇
Line quality                      | ◎           | ◎      | Yes (for ISP line) | Yes (for ISP line)
Communication delay               | ◎           | ◎      | 〇                 | ◎

SD-WAN, SASE, ZTNA and other connection methods and security
We have explained various connection methods. In terms of security, dedicated lines are secured by the DC's firewall, while SASE is secured on the cloud side.

SD-WAN and ZTNA specialize in network functions, so the security of Internet-facing communications must be considered separately.

Next, we organize which connection method is most appropriate for each environment, taking security into consideration.
How to choose between dedicated lines, SD-WAN, SASE, and ZTNA based on your communications environment
When deciding which connection method is appropriate, first identify what communication takes place between the base and the DC.

When doing so, pay attention to whether there is any communication that must never be stopped in the course of your company's business.
① Dedicated lines are recommended when communication requires high reliability
If constant synchronization between core systems is required and even momentary interruptions cannot be tolerated, we recommend a dedicated line.

Communications to the Internet are conducted via the on-premises firewall at the DC, ensuring security.
② SD-WAN is recommended when there is a need for highly reliable communications and there is a lot of Internet-based communication such as SaaS.
As with pattern ①, if you have communications that require high reliability and also have a lot of SaaS and other communications, and your bandwidth is constrained or expected to become constrained, we recommend SD-WAN.

Bandwidth congestion can be addressed by using local breakouts, and the security of local breakout communications can be ensured by combining them with SSE products.

The SSE products we handle include Skyhigh Security and Menlo Security, both of which have SWG and CASB functions. Skyhigh Security excels at fine-grained control through application identification, while Menlo Security excels at sanitizing web communications. Both products can secure Internet-facing communications, so we recommend using SD-WAN and SSE products together.
③ SASE is recommended when there is no communication that requires high reliability, but communication between servers is required.
If communication is required from a server in the DC to a server in a branch office, we recommend SASE.

If there is no communication that requires high reliability, a dedicated line is not necessary.
Because SASE products have a backbone on the cloud side, customers do not need to prepare a dedicated line, and only need to prepare an Internet line, which reduces costs and time.

SASE products provide security functions on the cloud side, so a major feature is that network and security functions are integrated into one product. One of the SASE products we handle is Cato Networks, which develops its network and security functions in-house, so the advantage is that everything can be managed and configured from a single GUI.
In addition, SASE products can be used in combination with dedicated lines and internet lines. For example, communications that require reliability can be routed only through dedicated lines, or the lines can be used as backup lines in case the internet line becomes unstable.
④ ZTNA is recommended when there is no communication that requires high reliability and no need for server-to-server communication.
If this condition applies to you, we recommend ZTNA.

Although you only need to prepare an Internet line at the branch office, security measures are necessary, just as with SD-WAN.

For information on ZTNA security measures, please refer to the blog post "What is ZTNA? Advantages and disadvantages, and how to configure it".
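As an added example (not part of the original article and not any vendor's configuration), the selection patterns ① to ④ above and the per-method "perspectives necessary for zero trust" modelled as a small Python decision function; the requirement fields and the control labels are assumptions summarising the text, and the hard constraints come from the comparison table.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteRequirements:
    """Answers to the questions the article says to ask about a base (constructed input)."""
    needs_high_reliability: bool   # core-system sync that cannot tolerate momentary interruptions
    needs_server_initiated: bool   # a DC server must reach a server in the branch
    heavy_saas_traffic: bool       # bandwidth is (or will be) constrained by SaaS/Internet traffic


# Complementary controls the article says each method needs to reach zero trust
# (hypothetical labels summarising the "Perspectives necessary for zero trust" bullets).
ZERO_TRUST_ADDITIONS = {
    "dedicated_line": ["segment base-to-base and base-to-DC traffic so an intrusion cannot spread"],
    "sd_wan": ["SSE (SWG/CASB) to secure local-breakout Internet traffic",
               "per-terminal restriction of site-to-site communication"],
    "sase": ["NDR to monitor traffic inside each location, which the cloud cannot see"],
    "ztna": ["SSE (SWG/CASB) for Internet-bound traffic unless bundled with the ZTNA product"],
}


def is_viable(method: str, req: SiteRequirements) -> bool:
    """Hard constraints from the comparison table: ZTNA has no server-originated
    communication, and SASE/ZTNA line quality depends on the ISP line, so neither
    suits traffic that cannot tolerate momentary interruptions."""
    if method == "ztna" and req.needs_server_initiated:
        return False
    if method in ("sase", "ztna") and req.needs_high_reliability:
        return False
    return True


def viable_methods(req: SiteRequirements) -> list[str]:
    """All methods that are not ruled out by a hard constraint."""
    return [m for m in ZERO_TRUST_ADDITIONS if is_viable(m, req)]


def recommend(req: SiteRequirements) -> tuple[str, list[str]]:
    """Apply selection patterns ① to ④ in order and return the recommended
    method together with the security controls that must be added alongside it."""
    if req.needs_high_reliability:
        method = "sd_wan" if req.heavy_saas_traffic else "dedicated_line"   # ② vs ①
    elif req.needs_server_initiated:
        method = "sase"                                                       # ③
    else:
        method = "ztna"                                                       # ④
    assert is_viable(method, req), "selection pattern and hard constraints disagree"
    return method, ZERO_TRUST_ADDITIONS[method]


if __name__ == "__main__":
    branch = SiteRequirements(needs_high_reliability=False, needs_server_initiated=True,
                              heavy_saas_traffic=True)
    print(viable_methods(branch))    # ['dedicated_line', 'sd_wan', 'sase']
    print(recommend(branch)[0])      # sase
```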
Summary
We have introduced the connection methods from overseas bases to the DC.
The approaches introduced in this article are only examples; we hope they serve as a reference when considering the optimal connection method for your customers.

Copyright © 2024 Netpoleon Group. All rights reserved.