With the accelerated development of the digital transformation of enterprises, business migration to the cloud has gradually become a rigid demand.  Under the general trend of cloud-network integration, more and more enterprises hope to find efficient and flexible networking solutions to quickly intercons and branches and use the cloud to lay a solid foundation for digital transformation.  In this context, SD-WAN has become one of the wide area network technologies that have attracted much attention in recent years.

At the same time, the popularity of multiple interconnection scenarios and mixed online and offline office models has increased the digital security threats faced by enterprises.  In addition to networking capabilities, how to build a comprehensive security protection system has also become thousands of a industries must face.  The integration of SD-WAN and SASE security architecture has attracted much attention.

At the 5th SD-WAN & SASE Summit recently held, Xiong Xuetao, director of Internet Technology Network Products Division, shared with the guests the technological innovation and industry practice of the first line in cloud network security integrated services.

What is the overall development trend of SD-WAN?  How do you view the relationship between SD-WAN and SASE?  How does SASE solve the pain points of industry users?  How will the front line promote professional services integrating cloud and network security in the future?  After the meeting, 51CTO interviewed Xiong Xuetao and conducted a full discussion on the above issues.

MPLS VPN or SD-WAN?  this is not a problem

For a long time, MPLS VPN has been the preferred networking choice for enterprise organizations. However, since the emergence of SD-WAN, especially with the continuous improvement of the quality and bandwidth of the last mile of the Internet, more enterprises have begun to face the choice of "MPLS VPN or SD-WAN". Now, with the gradual maturity of SD-WAN technology, its advantages in network management and control have been fully demonstrated, and users' recognition of it has also increased significantly.

Xiong Xuetao believes: "At present, SD-WAN has entered a mature stage of development and has a high penetration rate in enterprises. From the perspective of recent years, its annual compound growth rate is also considerable, and it continues to lead the enterprise networking service market. With the The demand for enterprise cloud access continues to grow, remote office scenarios continue to emerge, and SD-WAN applications will become more and more extensive, helping enterprises achieve efficient interconnection and cloud access. As a result, SD-WAN will usher in faster development in the future."

Regarding the dispute between MPLS VPN and SD-WAN, Xiong Xuetao believes that the relationship between the two is not an either-or relationship. Both have their own advantages. MPLS VPN has reliable data packet transmission capability and can be applied to the interconnection between headquarters and large data centers. SD-WAN has the characteristics of fast provisioning, cost saving, and agile access to the cloud, which meets the needs of enterprises to quickly expand branch stores and conduct unified management. Enterprises need to weigh according to their own conditions, whether to choose SD-WAN or MPLS VPN, or combine MPLS VPN and SD-WAN reasonably.

Xiong Xuetao introduced that the first line started with MPLS VPN, and it is also the first network service provider to launch SD-WAN services in China. It currently serves more than 6,000 domestic and foreign companies and provides MPLS VPN+SD-WAN hybrid networking solutions. Relying on 200+ POP node resources in 100+ cities, it provides one-stop networking services for various scenarios of enterprise headquarters-branch-cloud-IDC, and fully meets the diverse needs of enterprise digital transformation through the complementarity of the two.

The Evolution of Cloud-Network Security Convergence: SASE=SD-WAN+SSE

Although SD-WAN is becoming the darling in the field of enterprise networking services, in practice, it is difficult to effectively solve the existing pain points of users by relying on a single networking capability. Xiong Xuetao pointed out that more and more enterprises hope for network integration and security, so as to meet their needs in the process of transformation in one stop. The emergence of SASE provides a new solution to this problem to a certain extent.

According to Gartner's definition, SASE (Secure Access Service Edge, Secure Access Service Edge) is an emerging product that integrates wide-area networking network functions and network security functions, and provides subscription-based security services for digital transformation and upgrading of enterprises.

"SD-WAN did not put much emphasis on security from the beginning of its development. However, under the new situation of continuous extension of enterprise network boundaries, increasingly complex IT architecture, and increasing threats of network attacks, users' demand for security has gradually increased. Today, SASE The definition of SASE is relatively clear. SASE is the integration of SD-WAN and SSE (Security Service Edge) functions, which itself is a combination of network + edge cloud security."

In a nutshell, first of all, SASE is the re-evolution of SD-WAN network capabilities, and it is also a re-innovation for edge cloud networks. Furthermore, the SD-WAN network is the cornerstone supporting the implementation and development of the SASE architecture. Widely distributed SD-WAN POP nodes have the basis for evolution to edge cloud native security SASE POP points. The diversified digital application scenarios of enterprises require the security guarantee of SASE to be on demand. In the deep integration of the two, SASE integrates SD-WAN and network security access into the edge cloud network service infrastructure, realizing a security architecture that can adapt to the current enterprise network traffic model.

Xiong Xuetao said: "Now SASE is mainly promoting the one-stop delivery of network and security services to enterprises. This is why SD-WAN manufacturers pay special attention to the evolution of SASE. As enterprise needs are becoming more and more comprehensive, it is necessary to solve all problems as much as possible. If you only focus on networking without security, you will not be able to meet the new requirements.”

Based on this understanding, the first line has created a one-stop cloud network security integration solution, promoted the SD-WAN integration SASE security architecture, and provided enterprise-level security services at the POP nodes closest to the enterprise; created an integration of SD-WAN and SASE The management platform helps enterprises visualize and manage network and security; promotes the integration of SD-WAN network with front-line OCD edge cloud and public cloud, and helps enterprises quickly connect to multiple clouds through one network and build a hybrid cloud architecture.

The Essence of SASE: Dynamic Reconstruction of the Logical Security Boundary of the Enterprise

From the definition of SASE itself, it includes SWG secure web gateway, CASB cloud access security agent, FWaaS firewall as a service, ZTNA zero trust network, etc., and its functions cover almost all scenarios of enterprise networking.

Xiong Xuetao said: "If you study the details of SASE carefully, you can find that its original intention is to cover all security challenges with comprehensive protection capabilities. Of course, not all enterprises need all its functions. For example, for secure access to remote offices, you only need to subscribe to Zero Trust Just serve."

In Xiong Xuetao's view, customers who have used cloud services will have a relatively high acceptance of SASE services. Because it has the same characteristics as cloud applications, on-demand subscription, and elastic scaling. Specifically, SASE is based on edge cloud deployment. When customers add certain security capability requirements, they do not need to add any hardware facilities, and they can directly subscribe and use it immediately.

So how does SASE play its role? Xiong Xuetao explained the application scenario of ZTNA zero trust network access.

Take a manufacturing company as an example, which has factories in China and Southeast Asian countries. Business personnel who travel frequently will access the private cloud of the enterprise in multiple network environments such as the Internet and 4G/5G, and perform operations such as accessing design drawings and calling OA systems. In terms of security, the company hopes that factory and business personnel can access key enterprise resources and applications in a secure manner.

The ZTNA solution of the first-line SASE will conduct a series of systematic security monitoring and restrictions on factories and mobile office workers from before access to after access, to protect customers' key resources and application security and control. Implemented in specific scenarios, the performance is as follows:

• Personnel login and terminal access authentication (remote and mobile office scenarios). ZTNA will perform multi-factor identity and terminal security authentication on the access personnel/equipment. The ZTNA proxy client installed on the authorized device will send multiple information such as the current security environment and identity to the cloud control system for verification. After passing, it is allowed to connect to the security gateway for the next step.
• Secure access to enterprise applications and data. After people/devices are connected, whether accessing intranet applications and data or accessing cloud applications and data, ZTNA can provide good protection . Based on the characteristics of ZTNA micro-segmentation, corporate headquarters, factories, and mobile workers/devices will be granted minimum access rights to specific devices, applications or resources after authentication. If they need to access other devices, resources or data, they need to Perform authority authentication or authority escalation again, and the person cannot see, access, or copy other unauthorized applications or resources. At the same time, after the visit of this person is completed, the authority will be cancelled. In addition, ZTNA will continue to check and verify the operation of personnel/equipment accessing the network, and make dynamic policy adjustments. If non-compliant operations are detected, ZTNA can immediately downgrade the permissions of the corresponding personnel and terminals to cut off further illegal access.

Xiong Xuetao concluded that with the SASE architecture, the enterprise boundary is no longer a location, but a set of dynamically created, policy-based secure access service edges. Relying on the characteristics of centralized orchestration and decentralized execution of security policies, SASE will focus on each edge cloud network POP point to provide the required security guarantee for complex scenarios such as remote office, multi-cloud, and hybrid cloud, and prevent blind spots of security threats. At the same time, enterprises can conduct global centralized management and threat analysis on the network through a unified control platform, so as to respond and deal with security issues more accurately and quickly. So on the whole, SASE is a very complete security solution.

Vision: Accelerate cloud-network integration and build a computing power network

SASE is still an emerging concept, but Xiong Xuetao believes that the integration of SD-WAN and SASE must be the general trend. The emergence of the SASE concept not only pushes network service providers to focus on the evolution of security capabilities, but also encourages security service providers to start focusing on their own network capability building.

Xiong Xuetao said, "The first line hopes to further develop security capabilities based on its own network capabilities, and provide customers with simple and comprehensive services. Simple means lightweight, easy to deploy, and easy to operate and maintain. Comprehensive means the first The first line hopes to be as comprehensive as possible and have the opportunity to cover more scenarios and functions. The first line's vision is to become an overall solution service provider of 'network + cloud + security + computing power'."

In the future, the overall evolution strategy of the first line is to pursue the continuous extension and improvement of SD-WAN networking capabilities. The second is to fully upgrade the edge network POP to SASE POP based on the network capabilities and cloud-network integration capabilities accumulated over 20 years to provide a network + security solution. The third is to keep up with the trend of computing power network construction and development, and constantly explore the integration of SD-WAN+SASE+computing power.

write at the end

According to Gartner's forecast, by 2024, the SASE market size will climb from US$1.9 billion in 2019 to US$11 billion. The SASE track will surely usher in competition from traditional IT vendors, cloud vendors, security vendors and other forces. The front line continues to explore and practice the integration of SD-WAN and SASE, which is the epitome of the era of manufacturers' efforts to lay out and build a computing power network under this general trend. We will wait and see how to upgrade from multiple dimensions such as products, resources, and services in the future to help enterprises quickly obtain high-quality network + security + computing power services.