
Sep 20, 2021

From NGFW to SD-WAN to SASE – A Stepwise Journey


In my first blog in this series, I touched on how SD-WAN and next-generation security solutions were a natural pairing. And in my second, I discussed the importance of zero-touch provisioning (ZTP) in large-scale SD-WAN rollout. This article will examine a common customer journey that we see in the market — from NGFW to SD-WAN to secure access service edge (SASE).

While I’ve briefly mentioned SASE in past articles, I didn’t go into much detail. SASE represents the convergence of SD-WAN and network security functions. Gartner defined the term in 2019 to recognize the shift in enterprise traffic patterns: from the historical hub-and-spoke model, with the enterprise’s private resources at the core, to full-mesh and partial-mesh patterns between enterprise locations. In particular, much enterprise traffic today flows to and from software-as-a-service (SaaS) applications hosted on public cloud platforms rather than to the enterprise data center.

Expanding SD-WAN with SASE

SASE broadens SD-WAN by incorporating popular security features including:

  • Secure Web Gateway (SWG) proxies, which augment layer-3 firewalls by inspecting and filtering web traffic to block malware and content that violates enterprise policies.
  • Next-generation firewall-as-a-service (FWaaS), which augments appliance-based firewalls with cloud-hosted equivalents that can be inserted in the path of traffic from any location, whether a branch office or an employee’s home access point.
  • Cloud Access Security Broker (CASB), which supplements an SWG by enforcing a broader set of enterprise security policies for SaaS applications, including authentication, usage, and data loss prevention policies, while producing logs for analytics.
  • Zero-trust network access (ZTNA), which adds fine-grained user- and application-specific controls. ZTNA ensures that access to every application and backend service is authenticated, authorized, and encrypted.

ZTNA uses attributes such as identity, device posture, access context, and asset type to determine the scope of privileges a connecting user and device should receive. The goal is to grant the most restrictive access that still lets the user do their job, reducing the enterprise’s attack surface. Note that Gartner’s SASE feature list includes many more security components, but our research shows that the features above are the core capabilities enterprises seek.

Starting at the Beginning

In our conversations with end-users and managed service providers, we’ve observed different paths to modernizing and securing the enterprise. With the focus on security over the past decade, many enterprises have deployed NGFWs in every office location. The branch router, once ubiquitous in every remote branch, has increasingly been replaced by NGFWs with good-enough layer-3 routing capabilities.

However, enterprise requirements have evolved, demanding cheaper and faster bandwidth options (e.g., adding cheaper broadband links alongside MPLS), improved reliability through multi-link handling and failover, and faster enterprise access to popular SaaS applications and public clouds. SD-WAN meets all these requirements and helps enterprises modernize their legacy WANs.

Where an enterprise’s existing NGFW vendor is evolving its product into SD-WAN, upgrading the NGFW software is often all that’s required to embark on the SD-WAN transformation. This reflects how closely the foundational network functions SD-WAN needs mirror existing NGFW capabilities: application identification and categorization, efficient blocking of traffic flows, encrypting and decrypting traffic, and steering traffic over different WAN interfaces. NGFW appliances are often cost-effective, high-performance platforms on which to run SD-WAN.
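To make that overlap concrete, here is an added example (illustrative code, not from the article or any vendor) of the steering logic an SD-WAN edge performs on top of NGFW-style application identification: classify the flow, drop categories that policy forbids, and pick a WAN link from the policy’s preference order and measured link quality, failing over to the least-bad link when nothing meets the SLA. The link names, SLA thresholds, application signatures and sample flows are all constructed for illustration.

```python
"""Illustrative application-aware path selection for an SD-WAN edge.

Added example, not any vendor's code. It models the functions the article
says SD-WAN shares with an NGFW: identify the application, decide whether
the flow is permitted, and steer it over one of several WAN links based on
policy and measured link quality. Link names, SLA thresholds, application
signatures and sample flows are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    kind: str          # "mpls" or "broadband"
    latency_ms: float  # measured by active probing
    loss_pct: float
    up: bool = True


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    sni: str = ""      # TLS server name, empty if not observed


# Constructed signatures; real NGFW/SD-WAN app-ID uses far richer matching.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SAAS_SUFFIXES = (".office365.com", ".salesforce.com", ".zoom.us")


def identify_app(flow: Flow) -> str:
    """Classify a flow into a coarse application category."""
    dst = ip_address(flow.dst_ip)
    if any(dst in net for net in INTERNAL_NETS):
        return "internal"
    if flow.dst_port in (23, 445):      # cleartext telnet / SMB to the Internet
        return "blocked"
    if flow.sni.endswith(SAAS_SUFFIXES):
        return "saas"
    if flow.dst_port in (5060, 5061) or 16384 <= flow.dst_port <= 32767:
        return "voip"
    return "unknown"


# Steering policy per category: link kinds in preference order, the SLA a
# link must meet to be chosen, and whether the flow is tunneled (IPsec) to
# the hub for inspection rather than broken out locally.
POLICY: Dict[str, dict] = {
    "internal": {"prefer": ["mpls", "broadband"], "max_latency": 150, "max_loss": 2.0, "tunnel": True},
    "voip":     {"prefer": ["mpls", "broadband"], "max_latency": 80,  "max_loss": 1.0, "tunnel": False},
    "saas":     {"prefer": ["broadband", "mpls"], "max_latency": 300, "max_loss": 3.0, "tunnel": False},
    "unknown":  {"prefer": ["broadband", "mpls"], "max_latency": 500, "max_loss": 5.0, "tunnel": True},
}


def meets_sla(link: Link, pol: dict) -> bool:
    return link.up and link.latency_ms <= pol["max_latency"] and link.loss_pct <= pol["max_loss"]


def select_path(flow: Flow, links: List[Link]) -> Optional[dict]:
    """Return the steering decision for a flow, or None if the flow is dropped."""
    app = identify_app(flow)
    if app == "blocked":
        return None
    pol = POLICY[app]
    candidates = [l for l in links if meets_sla(l, pol)]
    if candidates:
        # First link in the policy's preference order that meets the SLA.
        rank = {kind: i for i, kind in enumerate(pol["prefer"])}
        chosen = min(candidates, key=lambda l: rank.get(l.kind, len(rank)))
        degraded = False
    else:
        # Failover: nothing meets the SLA, so use the least-bad link still up.
        up = [l for l in links if l.up]
        if not up:
            return None
        chosen = min(up, key=lambda l: (l.loss_pct, l.latency_ms))
        degraded = True
    return {"app": app, "link": chosen.name, "tunnel": pol["tunnel"], "degraded": degraded}


if __name__ == "__main__":
    links = [Link("mpls0", "mpls", 35.0, 0.0), Link("bb0", "broadband", 22.0, 0.2)]
    for f in (Flow("198.51.100.10", 443, "outlook.office365.com"),
              Flow("10.1.2.3", 8443),
              Flow("203.0.113.9", 23)):
        print(f, "->", select_path(f, links))
```

The shape of the decision is what matters: SaaS breaks out locally over broadband, internal traffic is tunneled to the hub over MPLS, unknown traffic is backhauled for inspection rather than trusted, and a flow whose preferred link fails its SLA is moved rather than dropped.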

With ZTP support (which we discussed in our previous article), the transition from NGFW to SD-WAN should be straightforward and rapid. A further benefit of an SD-WAN setup with strong centralized control is improved manageability and reduced operational overhead, along with greater consistency and visibility across sites.

Anticipating the Next Step

As discussed in the first article, once the SD-WAN foundation is in place, security capabilities can be layered on along the journey towards SASE. Not all of SASE’s security features come for free. Many require an enterprise-wide set of policies, which in turn requires pre-work: identifying and classifying the key resources and assets within the company, locating the identity stores and working out how to use them for authentication and authorization, and settling on a unified policy store that represents ground truth for the organization’s security and access policies. This pre-work yields the attributes that ZTNA policies are built on.
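As an added example serving both the ZTNA description earlier and this pre-work (illustrative code, not from the article or any product), here is a small policy decision point: a classified asset inventory, an identity store of user-to-group mappings, a device posture check, and one policy store that decides each request from identity, device posture, access context and asset class. It defaults to deny and narrows the granted scope when posture or context is weaker. Every asset, user, group, device and policy value is constructed.

```python
"""Illustrative ZTNA policy decision point.

Added example, not part of the article or any product. It shows how the
pre-work the article describes (a classified asset inventory, an identity
store, one policy store as ground truth) feeds a per-request decision based
on identity, device posture, access context and asset class, defaulting to
deny and granting the narrowest scope that fits. Every asset, user, group,
device and policy value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Asset inventory with classification (the "identify and classify" step).
ASSETS: Dict[str, dict] = {
    "hr-payroll":   {"class": "restricted",   "groups": {"hr"}},
    "build-server": {"class": "confidential", "groups": {"engineering"}},
    "wiki":         {"class": "internal",     "groups": {"all-staff"}},
}

# Identity store: user -> groups, assumed synced from the directory.
IDENTITY: Dict[str, Set[str]] = {
    "alice": {"hr", "all-staff"},
    "bob": {"engineering", "all-staff"},
    "contractor1": {"engineering"},
}

# Unified policy store keyed by asset class: minimum requirements on the
# requester's MFA state, device posture tier, source network and hours.
POLICY: Dict[str, dict] = {
    "restricted":   {"mfa": True,  "posture": {"healthy"},
                     "networks": {"corp", "home"}, "hours": range(6, 22)},
    "confidential": {"mfa": True,  "posture": {"healthy", "degraded"},
                     "networks": {"corp", "home", "public"}, "hours": range(0, 24)},
    "internal":     {"mfa": False, "posture": {"healthy", "degraded", "unmanaged"},
                     "networks": {"corp", "home", "public"}, "hours": range(0, 24)},
}


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int


@dataclass
class Request:
    user: str
    mfa: bool
    device: Device
    asset: str
    network: str   # "corp", "home" or "public"
    hour_utc: int


def posture_level(d: Device) -> str:
    """Collapse device attributes into a posture tier used by policy."""
    if not d.managed:
        return "unmanaged"
    if d.disk_encrypted and d.edr_running and d.patch_age_days <= 30:
        return "healthy"
    return "degraded"


def evaluate(req: Request) -> dict:
    """Decide allow/deny and the granted scope; any failed check denies."""
    asset = ASSETS.get(req.asset)
    if asset is None:
        return {"decision": "deny", "scope": None, "reasons": ["unknown asset"]}
    pol = POLICY[asset["class"]]
    posture = posture_level(req.device)
    reasons: List[str] = []
    if not (IDENTITY.get(req.user, set()) & asset["groups"]):
        reasons.append("user not in an authorized group")
    if pol["mfa"] and not req.mfa:
        reasons.append("MFA required")
    if posture not in pol["posture"]:
        reasons.append(f"posture '{posture}' not allowed for {asset['class']} asset")
    if req.network not in pol["networks"]:
        reasons.append(f"access from '{req.network}' network not allowed")
    if req.hour_utc not in pol["hours"]:
        reasons.append("outside permitted hours")
    if reasons:
        return {"decision": "deny", "scope": None, "reasons": reasons}
    # Least privilege: weaker posture or context still passes the minimum
    # but only earns a reduced scope (e.g. browser-isolated, read-only).
    scope = "full" if posture == "healthy" and req.network != "public" else "read-only"
    return {"decision": "allow", "scope": scope, "reasons": []}


if __name__ == "__main__":
    laptop = Device("lt-01", True, True, True, 5)
    byod = Device("phone-7", False, False, False, 90)
    for r in (Request("alice", True, laptop, "hr-payroll", "corp", 10),
              Request("alice", False, laptop, "hr-payroll", "home", 10),
              Request("bob", True, laptop, "build-server", "public", 3),
              Request("contractor1", True, byod, "build-server", "home", 12)):
        print(r.user, r.asset, "->", evaluate(r))
```

Two design points carry over to a real deployment: the decision returns the reasons for a denial so that logs explain policy outcomes, and every attribute the policy consumes (group membership, asset class, posture tier) comes from a store the organization has already agreed is authoritative, which is exactly why the inventory and identity-store work has to happen before ZTNA policies can be written.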

Many NGFW vendors turned SD-WAN vendors are starting to incorporate SASE feature sets into their solutions. Meanwhile, the approach described above lets enterprises quickly realize the benefits of SD-WAN while laying the groundwork for a fast SASE turn-up as those features become available.

It’s possible to leapfrog straight to a SASE offering from a legacy or router-less setup, especially in a greenfield deployment. However, many enterprises have told us they feel more comfortable taking an incremental, stepwise approach.

Taking the First Step

If your enterprise has a leading NGFW in place, talk to that vendor to understand its SD-WAN capabilities. Once you’re comfortable, I recommend a pilot with a subset of sites before a mass rollout. I would also recommend a parallel conversation about the vendor’s roadmap to SASE and what it intends for work-from-home users.

The journey from NGFW to SD-WAN to SASE likely won’t take a thousand steps, but it’s critical to get started on the first.

About the Author

Roy Chua is founder and principal at AvidThink, an independent research and advisory service formed in 2018 out of SDxCentral’s research arm. Roy was previously co-founder at SDxCentral where he ran both the research and product teams. Roy was formerly a management consultant working with both Fortune 500 and startup technology companies on go-to-market and product consulting. As an early proponent of the software-defined infrastructure movement, Roy is a frequent speaker at events in the telco and cloud space and a regular contributor to leading technology publications. A graduate of UC Berkeley’s electrical engineering and computer science program and MIT’s Sloan School of Business, Chua has 20+ years of experience in telco and enterprise cloud computing, networking and security, including founding several Silicon Valley startups.