SASE vs.

SD-WAN
What’s beyond Security
For several years now, the network evolution spotlight
has been on SD-WAN, and rightfully so. SD-WAN
provides big advancements in connecting branch
locations into central data centers in a cost-effective
manner. It is the networking equivalent of a killer
application that allows companies to use a variety of
transport mechanisms besides MPLS and to steer
traffic according to business priorities.

Now the spotlight is shifting to the next evolution of

networking: the secure access service edge (SASE).

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 2
SD-WAN is just one of
SASE features
Like SD-WAN, SASE is a technology designed to connect
geographically dispersed branches and other endpoints to an

SASE
enterprise’s data and application resources.

While there is some overlap in what the two technologies offer –

in fact, SD-WAN is a component of SASE – there are significant
differences in capabilities, not the least of which is network security.
If SD-WAN gained traction for its flexible connectivity options, then
SASE will be defined by its ability to seamlessly deliver full security
to every edge on the network.

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 3
 Enterprises need a
distributed network
architecture
Every enterprise, regardless of industry or geography, has a need
for secure, high-performance, and reliable networking. In a bygone
era, a hub-and-spoke networking architecture centered around
an on-premises data center would have met that need—but not so
today. A distributed network architecture is critical to support the
increasing use of cloud platforms, SaaS applications, and especially
remote and mobile workers.

This last requirement is ever more important in a world still

experiencing a global pandemic. And even as we eventually move
to a post-Covid-19 era, there will be a significant need to support
people who continue to work from home, either permanently or
occasionally, as well as those who return to the office.

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 4
SD-WAN is a step in the
right direction, but... RBI
SD-WAN is a software-based approach to building and managing networks
that connect geographically dispersed offices. It uses a virtualized network
DLP
overlay to connect and remotely manage branch offices, typically connecting
them back to a central private network, though it also can connect users
directly to the cloud. SD-WAN provides optimal traffic routing over multiple
IPS
transport media, including MPLS, broadband Ethernet, 4G LTE, DSL, or a
combination thereof. However, SD-WAN appliances sit atop the underlying ZTNA
network infrastructure. This means the need for a reliable, well performing
network backbone is left unaddressed by SD-WAN appliances alone.

In general, SD-WAN appliances are not security appliances. For example, to NGFW
achieve the functionality of a Next-Generation Firewall (NGFW), you need to
CASB
add a discrete appliance at the network edge. This only leads to complexity
and higher costs as more security services are added as discrete appliances Broadband Ethernet
or virtual functions. Another option is known as Secure SD-WAN, a solution
which integrates a full security stack into an SD-WAN appliance. In this case, MPLS
the solution’s effectiveness is limited by the deployment locations of the SD-
4G LTE
WAN appliances, which are typically installed at each branch. Security is only
applied for the traffic at the branch. What’s more, in deployments covering Virtualized
multiple branches, each appliance needs to be maintained separately, which Network Overlay

L
DS
provides the potential for out-of-sync policies and out-of-date software.

Another shortcoming of SD-WAN is that by design, networking appliances

are built for site-to-site connectivity. Securely connecting work-from-home
or mobile users is left unaddressed by SD-WAN appliances. While SD-WAN
delivers some important benefits, networking appliances alone are not a
holistic solution. That’s where SASE comes in.
SD-WAN Infrastructure

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 5
 r u e
T SASE is the Future of
Secure Enterprise Networking
SASE takes all the capabilities of Secure SD-WAN and moves them to a cloud-based solution, which effectively eliminates geographic
limitations. But more than that, the SASE approach converges SD-WAN, a global private backbone, a full network security stack, and
seamless support for cloud resources and mobile devices. It is an architectural transformation of enterprise networking and security
that enables IT to provide a holistic, agile, and adaptable service to the digital business.

SECURITY

SASE NETWORK

ACCESS

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 6
 Cato SASE Cloud
Cato’s SASE platform is built on a cloud-native architecture that is distributed globally across 65+ Points of Presence (PoPs).
All the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming
a high-performance private core network called Cato SASE Cloud. The global network connects and secures all edges, all
locations, and all users regardless of where they are.

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 7
 Network Traffic Inspection
Cato uses a full enterprise-grade network security stack natively built into Cato SASE Cloud to inspect all WAN and Internet traffic. Security
layers include application-aware firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation
anti-malware (NGAV), and managed IPS-as-a-Service (IPS). Cato can further secure a customer’s network with a comprehensive Managed
Threat Detection and Response (MDR) service to detect compromised endpoints. All security layers scale to decrypt and inspect all customer
traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. And because Cato runs a distributed, cloud-
native architecture, all security functions are performed locally at every PoP, eliminating the latency legacy networks introduced by backhauling
traffic for security inspection.

Data
Application
Network
Authenticaton
Identity
Device

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 8
 Cato Supports the New Network Perimeter
Importantly, in this age of work-from-home, Cato SASE Cloud easily supports mobile and remote users. Giving end users remote
access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a
secure browser. All security and network optimization policies that applied to users in the office instantly apply to them as remote
users. Moreover, the platform can scale quickly to any number of remote users without worry.

Cato
SASE Cloud

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 9
 For SASE, it Has to Be
Cloud-Native Security
It wasn’t long ago that networking and enterprise security were different
disciplines. Silos, if you will. But today, with users working everywhere,
security and networking must always go together. The only way to protect
users everywhere at scale without compromising performance is the cloud.

Converging security and networking

together into a genuine cloud service with
a single-pass, cloud-native architecture is
the only way to deliver high performance
security and networking everywhere.
That’s the power of SASE.

Get a Demo

Related content

Secure Access Service Edge (SASE) for Dummies

Get all the SASE basics: why, how, when, what, and so much more. It is
a short, 5-chapter, must-read for every IT leader that wants to be on top
of one of the biggest technological revolutions of the decade.

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 10
 About Cato Networks
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global cloud-native service.
Cato optimizes and secures application access for all users and locations. Using Cato SASE Cloud, customers
easily migrate from MPLS to SD-WAN, improve connectivity to on-premises and cloud applications, enable secure
branch Internet access everywhere, and seamlessly integrate cloud data centers and remote users into the
network with a zero-trust architecture. With Cato, your network and business are ready for whatever’s next.

Cloud Optimization NG Firewall

WAN Optimization Secure Web Gateway

Global Route Optimization Full/Selective Decryption

Dynamic Carrier Selection Advanced Threat Prevention

Cato SASE
WWW
Cloud Edge

Cato
SASE PoP
ckbone
Global Private Ba
et
rn
te
In

Cato SASE
SD-WAN Edge Cato SASE
Device Edge

Branch Remote/Mobile

Datacenter

Cato SASE. Ready for Whatever’s Next

Cato SASE Cloud Managed Services SOC2 Approved

Global Private Backbone Managed Threat Detection and Response (MDR)

Edge SD-WAN Intelligent Last-Mile Management nS

ecurity Ma
na
o
Informati

gem t

ISO 27001 Certified

en

27001
C er
ti fi e d

Security as a Service Hands-Free Management

Cloud Datacenter Integration Site Deployment

GDPR Compliant

Cloud Application Acceleration

Secure Remote Access

Unified Management Application

Contact Us Cato SASE. Ready for Whatever’s Next

SASE vs. SD-WAN | What’s beyond Security 11