SASE & SD-WAN: How they work together

Discover how Software-Defined Wide-Area Networking (SD-WAN) and Security Service Edge (SSE) combine to create Secure Access Service Edge (SASE)—the cloud-native platform that ensures secure, agile cloud networking.

8 minute read time

With SD-WAN at the foundation, SASE connects remote users and branch sites to a company’s network, cloud applications and the Internet. Let’s find out how SASE and SD-WAN work separately, and how they work together to secure cloud networking. Here’s what we’ll look at:

SASE explained

SASE is a layered, interwoven fabric of network and security technologies that ensures users and devices have secure cloud access to applications, data and services at any location. By combining network connectivity and Security Service Edge (SSE) features, SASE enables distributed organizations to deliver protected networking and security services consistently to branch sites and remote users, anywhere and anytime.

60% of enterprises will have explicit strategies and timelines for SASE adoption by 2025

The SASE market will reach $11.29B by 2028.

Gartner’s SASE definition

According to Gartner, SASE is an emerging offering combining comprehensive networking and security functions—such as SD-WAN, Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA)—to support the dynamic secure access needs of organizations.3 For more details on Gartner’s definition of SASE, see Gartner’s definition

SD-WAN explained

SD-WAN routes traffic dynamically across distributed branches and remote locations. Using software-defined network (SDN) technology, an SD-WAN separates network logic and configuration from physical connections and hardware to create a centrally managed virtual WAN that connects remote branches and locations regardless of the connection type, access point or carrier. SD-WAN’s overlay is built on top of an organization’s existing WAN connections to improve how data travels across the network.

90% of enterprises that purchase public cloud IaaS will do so from an integrated IaaS and platform-as-a-service.

IT manages SD-WAN through a centralized controller that sends data and policy information to connected devices on the network. The controller also enables IT teams to remotely manage and program connected resources, and configure routers as well.

Key SD-WAN benefits include:

  • Increased available bandwidth
  • Optimized application performance
  • Maximized uptime from automatic failover

Differences and similarities between SD-WAN and SASE

SD-WAN and SASE are deployed differently. SASE is fully cloud-based, whereas SD-WAN is deployed over physical appliances. Here are some important differences to note.

Architecture Based on an overlay network, builds on the foundational network’s design Cloud-based, distributed as a service in a mesh configuration
Dependencies Operates independently as a solution Requires the Security Service Edge (SSE) components to function as a SASE solution
Transport function Connects branch office traffic to networks and follows an organization’s traffic routing policies Sends traffic through distributed points-of-presence (PoPs) without backhauling to data centers
Security features Can be supplemented with unified threat management, IPSec encryption and next-generation firewall Security components are built in, including Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB)
IT expertise required Requires software-defined networking skills Requires software-defined networking, security programming and cloud skills

Similarities between SD-WAN and SASE

SD-WAN and SASE share common attributes such as:

Virtualization: both technologies are software-based and centrally managed

Wide coverage: they extend beyond traditional physical network perimeters

Ubiquitous connectivity: they connect sites and users beyond corporate headquarters using a variety of connection types

Scalability: adding users and sites can be done with a minimal IT lift

Why it’s not SASE vs. SD-WAN but SASE and SD-WAN


With Virtual Private Network (VPN) connections into the data center, these networks aren’t equipped to serve a remote workforce that’s more geographically distributed.


Traditional network security models were designed to accommodate employee devices and systems that were located within a physical perimeter, assumptions that no longer hold true.


These networks also aren’t built to scale with the increased volume of traffic that traverses public, private, hybrid and multi-cloud environments en route to its destination.


Constantly routing traffic to and from data centers through a static centralized security stack and ultimately out to the Internet creates network congestion.


All these factors and the resulting congestion combine to hinder application performance, which affects end users’ experiences and productivity.

Traditional hub-and-spoke networks and their associated security architecture were built for a set purpose: using Multiprotocol Label Switching (MPLS) made them an ideal way for organizations to run multiple business-critical applications from their own data centers. However, in today’s environment, the “data-center-centric” approach is showing its limitations.

A comparison of SASE and SD-WAN, where SD-WAN supports the security components that make up SASE.

SASE leverages SD-WAN’s capabilities to provide optimized application performance, network routing, global connectivity, WAN and Internet security, cloud acceleration and remote access. Together, they form a complete solution that spans an organization’s entire network and user base, wherever and whenever they access network applications and resources.

How to choose the best SASE and SD-WAN solution provider

For a smoother transition away from traditional networking, a provider should be well versed in legacy networking technologies like MPLS, as well as in software-based security and networking. Depending on your provider’s ability to deploy SASE technologies with SD-WAN, you may face these barriers to adoption.

Vendor focus

Your provider’s capabilities and offerings may be focused exclusively on networks or on security, but it’s possible they aren’t proficient in both areas.

Vendor approach

Well-integrated features, in-line proxy experience and context awareness are all key to successful SASE implementation. If a vendor lacks them, it can increase costs and decrease performance.

Vendor history

Your provider’s legacy experience may be with on-premises hardware in the “data-center-centric” approach, which can create resistance to a cloud-native mindset.

5 questions to ask a SASE vendor

  1. Do you provide complete visibility and control for all traffic and all edges (users, branches, data centers, cloud)?
  2. Does your solution allow users to seamlessly transition from corporate offices to other locations and back?
  3. What is the global presence of your service?
  4. Is your service architected for resiliency and self-healing?
  5. Can all aspects of your solution be accessed and managed from a single management application? What co-management rights will you have?

To explore these questions in greater detail, download 5 Questions to Ask Your SASE Provider from Cato Networks.

A new type of network for a new era

More than ever, the landscape driving digital transformation is increasingly complex. The acceleration of cloud-based application adoption and the rising risk of cybercrime create new challenges for enterprise IT teams who need to ensure easy access and absolute security for an often dispersed, remote workforce.

Through its five components—which include SD-WAN—SASE dynamically extends the edge of the private network right up to multiple cloud service providers and to popular SaaS applications. For end users, this provides a virtual on-ramp to those cloud providers’ services.

The computing and communications devices in the hands of those end users are also protected end-to-end by a full set of network security technologies. The policies for those technologies can be managed and orchestrated by the organization from the cloud using an intuitive self-service portal, reducing complexity and simplifying management.

In short, SASE offers a unified, secure connectivity solution that is available anytime and anywhere.

Fully converged SASE. Single pane of glass. Just one.

Together with Cato Networks, Windstream Enterprise is the first and only North American managed service provider to converge cloud-native network and security into a fully integrated SASE solution. This comprehensive architecture enables businesses to adapt to constantly shifting users, applications and work environments while keeping all application and security policies synchronized with these changing endpoints—all from a single pane of glass.

For more information on our approach to SASE, see our thought leadership series.

Trusted market leader

More than 4,000 enterprises rely on our SD-WAN solution to enhance network resilience and optimize application performance, while accelerating cloud adoption at more than 32,000 of their critical locations. Here are just a few SD-WAN case study examples

Unrivaled experience

Clients can further streamline operations and improve productivity, leveraging the seamless integration of our award-winning OfficeSuite UC® solution and management of all access connections—backed by a team of technology experts.

Are you ready for SASE?

Take our assessment