
SASE 101:

Getting Started Guide


About this Guide

In August 2019, the research and analysis firm Gartner published a report on a new technology it called Secure Access Service Edge, or SASE for short. By August 2020, a slew of vendors had begun selling SASE services. Some were primarily SD-WAN vendors, others were primarily network security vendors, and still others were somewhere in between and were close to Gartner’s description of what a SASE service should be.

There is not much consistency between vendors on what a SASE service should and could be, because the technology is so early in its development and not standardized. That said, the Gartner description is the closest there currently is to a standard.

In this guide, we will go into the details of that description, how it differs from established approaches to networking and security, and provide a series of pertinent SASE vendors. This list is not intended to be a complete coverage of the market, nor to indicate that the quality of one offering is greater than another.

This content is independent and the included vendors were chosen for the contents of their service, earned media, and through market reports.

Table of Contents

What is SASE (Secure Access Service Edge)? . . . 1
SASE vs SD-WAN: A Comparison . . . 3
The Cato Networks SASE Platform . . . 5
The Cisco SASE Platform . . . 8
The Open Systems SASE Platform . . . 10
The Palo Alto Networks SASE Platform . . . 12
The Perimeter 81 SASE Platform . . . 15
The Zscaler SASE Platform . . . 17

About SDxCentral
SDxCentral is the leading resource for IT infrastructure
knowledge.

IT infrastructure is under more demand and more scrutiny than ever. The way we build networks has fundamentally changed, with new technologies constantly popping up to solve new challenges. At the same time, the role of IT departments and of individuals within the department is changing. While vendors and executives strategize around new technologies, those in the trenches scramble to keep up.

These guides are independent content designed to share knowledge and help technology professionals stay ahead of the curve.

Guide compiled by: Connor Craven

© 2020 SDxCentral LLC. All Rights Reserved.


SASE 101: Getting Started Guide | What is SASE (Secure Access Service Edge)?

What is SASE (Secure Access Service Edge)?


Secure access service edge (SASE) is a network architecture that combines WAN capabilities with cloud-native security functions like secure web gateways, cloud access security brokers, firewalls, and zero-trust network access. These functions are provided as a service by the SASE vendor. Users and equipment in a network are connected to a cloud-based service. The term was coined by Gartner in the 2019 Networking Hype Cycle report. There is no set industry standard for SASE yet.

SASE: Edge and Cloud Computing

SASE is foremost a cloud-based approach to securing a WAN. Instead of having the network centered around the organization’s central private data center, SASE puts the cloud at the center of the network.

This is particularly significant as organizations shift to software-as-a-service (SaaS) and other cloud-native applications. The network perimeter is expanding to encompass practically anywhere a network user is located. SASE can be used to secure a single, isolated user by putting security agents on his or her device.

Once users aggregate into groups at the network edge, such as in an organization’s branch locations, a CPE appliance may be needed as an onramp to the cloud’s nearest edge data center. This onramp has enough intelligence to organize branch traffic and send it to the cloud for the heavy lifting to be done.

“In most cases, the heavy lifting of SASE is performed in the cloud,” said Neil MacDonald, distinguished VP analyst at Gartner, in an interview with SDxCentral. “Some of the vendors, like Palo Alto, use AWS and Google Cloud Platform [GCP]. Other vendors like Zscaler or Netskope, [are] heavily investing in their own points of presence around the world, [and] their own data centers, not depending on what AWS, Azure, and GCP are doing.”

Secure Access

Secure access is a key element of SASE architecture. Access privileges are enforced by policies based on user identities. Other pieces of information that inform policies include the location the user or group’s traffic is coming from, the time of day, the risk/trust assessment of the user’s device, and the sensitivity of the application or data being accessed.

The network security functions used in access management are secure web gateways (SWGs), cloud access security brokers (CASBs), firewalls, and zero-trust network access. These are examples of point solutions, which are dedicated to solving one problem.

SASE does not use point solutions, but rather a cloud-native software stack that performs all of these functions and more at once, running in parallel in different engines. This will be discussed in further detail below.

Service Edge

A SASE architecture enables end-to-end security, whether the source is a remote worker, a branch location, or a headquarters. Threat prevention capabilities inherent to SASE include encryption of all communications, firewalls, URL filtering, anti-malware, and intrusion prevention systems (IPS). These capabilities are available to all connected network edges across the globe.

Gartner describes SASE as delivering services and enforcing policies as needed no matter where the entity requesting a service is located, nor what type of connection it has to the cloud.

According to the report, “The result is the dynamic creation of a policy-based, secure access service edge, regardless of the location of the entities requesting the capabilities and regardless of the location of the networked capabilities they are requesting access to.”

SASE and SD-WAN

SASE combines an SD-WAN approach and security functionalities into one cloud-based service. A WAN in a SASE service is not the same as in an SD-WAN. A SASE vendor has a globally distributed network fabric that is made up of their own points of presence (PoPs). An alternative to the vendor is to use a public cloud provider’s PoPs.


SD-WAN features, like bandwidth optimization and traffic prioritization, are used by SASE. However, in an SD-WAN, virtualized devices spread throughout the WAN execute these features. In SASE, the cloud or a security agent on an end user’s computer makes networking decisions, such as where to send different applications’ traffic.

An element of SASE that sets it apart from SD-WAN is how it inspects traffic in an organization’s network. Instead of using service-chained point solutions, as SD-WAN does, SASE runs all security functions at once in multiple policy engines that make up a cloud-native software stack.

“Let’s say there’s an attachment in a conversation stream,” MacDonald said, “Now, you want to open up that attachment and inspect for sensitive data. That could be a point solution. But likewise, you might want to take that same content and inspect it for malware. That’s another point solution. So what you start to realize is, if you’re in these packets and in these attachments, why daisy chain a bunch of point solutions? It’s just going to slow you down. Why go looking for patterns of goodness, and then jump to another point solution look for patterns of badness? Why don’t we do both at the same time? … Only open the conversation once and do all of the things that you need to do.”

In other words, the functions that used to be executed by point solutions are integrated into one cloud-native software stack. And since the engines in the software stack are all from the same vendor, the data does not have to spend the time being sent back and forth between vendor products.

What is SASE: Key Takeaways

1. The analyst firm Gartner coined the term secure access service edge in a 2019 Hype Cycle report.

2. SASE is a network architecture that integrates WAN capabilities with cloud-native security functions.

3. With SASE, security services and networking functions are run in the cloud or a security agent on the end user’s device.

4. SASE uses a software stack in the cloud to run multiple security functions on data at once in multiple engines.


SASE vs SD-WAN: A Comparison


SASE and SD-WAN are two networking technologies designed to connect geographically disparate endpoints to a source of data and application resources.

SD-WAN is an application of software-defined networking (SDN) that uses a virtualized network overlay to connect and remotely manage branch offices. The focus is placed on connecting these branch offices back to a central private network. While SD-WAN can be adapted to connect to the cloud, it is not built with the cloud as its focus.

SASE, on the other hand, does focus on the cloud and has a distributed architecture. Instead of focusing on connecting branches to a central network, SASE focuses on connecting individual endpoints (whether a branch office, individual user, or single device) to the service edge. The service edge consists of a network of distributed PoPs where the SASE software stack runs. Moreover, SASE puts a focus on baked-in security (hence the “secure access” part of its name).

It’s like the difference between sharing files over an intranet versus over Google Drive. Both methods strive to achieve the same end goal, but the two approaches are vastly different.

SD-WAN is a maturing market that has overall seen consistent growth, though the COVID-19 pandemic did hinder it some. SASE is comparatively new since it is a term that was coined by the research organization Gartner in 2019. Despite the SASE market being nascent, many vendors are beginning to enter the market with their own SASE or SASE-like services.

The differences between SASE and SD-WAN can be summarized in three categories:

• Their relationship to the cloud

• Where security and networking tools reside

• How traffic inspection is done

SASE, SD-WAN, and the Cloud

SASE uses one or more of the following: private data centers, the public cloud, and colocation facilities. These points of presence form the architecture’s service edge on which the SASE stack runs. Also, these PoPs are often located in public clouds, or in close proximity to public cloud gateways for secure low-latency access to cloud resources. Whichever node has sufficient resources for what the user is requesting is where the traffic goes.

SASE software can determine optimal routes for traffic to use while heading to its endpoint. A distributed architecture is different from SD-WAN’s nature of being centered on its organization’s data center. Gartner contends that having a single private data center as a network’s focus causes inefficiencies when cloud services are increasingly used.

There are SD-WAN offerings that work with the cloud. However, cloud integration is more of a feature of SD-WAN than a key component. In cloud-enabled SD-WANs, users connect to a virtual cloud gateway through the internet, making the network more accessible and supportive of cloud-native applications. This is fairly similar to the SASE approach.

Location of Security and Networking Decisions

SASE’s focus is on providing secure access to distributed resources for the network and its users. The resources can be distributed in private data centers, colocation facilities, and the cloud. As such, security and networking decision-making are baked into the same security tools. SASE products have security tools that reside in a user’s device as a security agent, as well as in the cloud as a cloud-native software stack. For example, the security agent can contain a secure web gateway and a vendor’s cloud can contain a firewall-as-a-service. In a branch office or other location with a collection of people, a SASE appliance is common in order to secure agentless devices like printers.

SD-WAN technology was not designed with a focus on security. Security is often delivered via secondary features or by third-party vendors. While some SD-WAN solutions do have baked-in security, this is not in the majority. SD-WAN’s central goal is to connect


geographically separate offices to each other and to a central headquarters, with flexibility and adaptability to different network conditions. In an SD-WAN, security tools are usually located at offices in CPE rather than on devices themselves. Networking decisions in an SD-WAN are made in the virtualized networking devices that are spread throughout the network.

SASE vs SD-WAN Traffic Inspection

With SASE networks, traffic is opened up one time and inspected by multiple policy engines at once. The engines run in parallel without passing the traffic between them. This saves time because the traffic isn’t repeatedly accessed as it is passed from one security function to the next as is the case in an SD-WAN. Additionally, these policy engines do as much, if not more, than the security tools in an SD-WAN.

SD-WAN uses service chaining. Service chaining is where traffic is inspected by one security function at a time, one after the other. These individual functions handle one type of threat and are called point solutions. Each point solution opens up the traffic, inspects it, closes it up, and then forwards it to the next point solution until the traffic has passed through all point solutions.

Similarities Between the Two Networking Technologies

Despite serving similar ends, SASE and SD-WAN do not have many architectural similarities. Some higher-level similarities include how they are both wide-area networks and their virtualized infrastructure.

Both SD-WAN and SASE are designed to cover a large geographic area. What is different is in the infrastructure. SASE’s infrastructure has private data centers, colocation facilities, or a cloud acting as endpoints. These are where the networking, optimization, and security functions run. In an SD-WAN these functions run in boxes at a branch and headquarters. Both SASE and SD-WAN can be controlled from anywhere.

In SD-WAN’s case, a DIY approach can put control in the organization’s headquarters, a managed solution will be controlled remotely by the service provider, and a co-managed solution, similar to a managed solution, gives an organization some control through a portal.

Despite the different formats of the two infrastructures, they are both still virtualized. SD-WAN and SASE do not rely on fixed-function proprietary boxes like a non-virtualized WAN. As previously stated, SASE runs security and networking functions in a cloud or other data center and in a security agent. For SD-WAN, the network nodes, as well as the CPE, are software-defined. In other words, the functions are running as software.

How Vendors are Selling SASE and SD-WAN

SASE is still an emerging technology. And to reflect that, many vendors are beginning to offer a SASE solution in addition to their SD-WAN solution, or at least claiming that what they have is SASE. For example, Cisco, VMware VeloCloud, and Open Systems are all practicing this, among many others.

There are other organizations that have put their resources more into developing and deploying SASE services over SD-WAN. For example, Palo Alto and Cato Networks.

SASE vs SD-WAN: Key Takeaways

1. SASE and SD-WAN are two different networking technologies that use different means to get to similar ends.

2. Both technologies are meant to connect geographically distributed organizations in a flexible and adaptable manner.

3. A SASE network is focused on providing cloud-native security tools and has the cloud at the center of the network.

4. SD-WAN technology is focused on connecting offices to a central headquarters and data center, though it can also connect users directly to the cloud.
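The single-pass inspection contrasted with service chaining in the traffic inspection section above (and in MacDonald’s “open the conversation once” remark earlier), as an added Python example that is not from the guide or any vendor: three constructed engines (sensitive-data check, malware signature, URL filter) examine a constructed attachment; the service chain decodes and re-encodes it at every hop, while the single pass decodes it once and fans the same content out to every engine. The engines, the marker signature, the domain list and the attachment are all constructed for the example.

```python
import base64
import re
import zlib
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed malware marker standing in for a real signature.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER-0001"
# Constructed URL block list used by the URL-filtering engine.
BLOCKED_DOMAINS = {"bad.example", "c2.example"}


def encode_attachment(plaintext: bytes) -> bytes:
    """Pack content the way the constructed conversation stream carries it:
    compressed, then base64-encoded. Every inspector must undo this to look inside."""
    return base64.b64encode(zlib.compress(plaintext))


# Constructed attachment that trips two of the three engines.
SAMPLE_ATTACHMENT = encode_attachment(
    b"Quarterly report CONFIDENTIAL\n"
    b"Card: 4111 1111 1111 1111\n"
    b"See http://bad.example/update\n"
)


@dataclass
class Finding:
    engine: str
    verdict: str          # "allow" or "block"
    reason: str = ""


@dataclass
class Stats:
    opens: int = 0        # times the attachment was decoded
    closes: int = 0       # times it was re-encoded and forwarded


def open_attachment(blob: bytes, stats: Stats) -> bytes:
    """'Open up' the attachment: base64-decode and decompress it."""
    stats.opens += 1
    return zlib.decompress(base64.b64decode(blob))


def close_attachment(content: bytes, stats: Stats) -> bytes:
    """'Close it up' again so it can be forwarded to the next point solution."""
    stats.closes += 1
    return encode_attachment(content)


# Inspection engines: each one only sees already-opened content.
def dlp_engine(content: bytes) -> Finding:
    """Sensitive-data check: a classification marker or a 16-digit card-like number."""
    if b"CONFIDENTIAL" in content or re.search(rb"\b(?:\d[ -]?){15}\d\b", content):
        return Finding("dlp", "block", "sensitive data present")
    return Finding("dlp", "allow")


def malware_engine(content: bytes) -> Finding:
    """Signature check against the constructed marker."""
    if MALWARE_MARKER in content:
        return Finding("malware", "block", "known signature")
    return Finding("malware", "allow")


def url_filter_engine(content: bytes) -> Finding:
    """Block if any embedded URL points at a listed domain."""
    for host in re.findall(rb"https?://([A-Za-z0-9.-]+)", content):
        if host.decode() in BLOCKED_DOMAINS:
            return Finding("url-filter", "block", "blocked domain " + host.decode())
    return Finding("url-filter", "allow")


ENGINES: List[Callable[[bytes], Finding]] = [dlp_engine, malware_engine, url_filter_engine]


def service_chain(blob: bytes) -> Tuple[List[Finding], Stats]:
    """SD-WAN-style chaining: every point solution opens, inspects, closes and forwards."""
    stats = Stats()
    findings: List[Finding] = []
    for engine in ENGINES:
        content = open_attachment(blob, stats)
        findings.append(engine(content))
        blob = close_attachment(content, stats)   # handed to the next hop
    return findings, stats


def single_pass(blob: bytes) -> Tuple[List[Finding], Stats]:
    """SASE-style: open the conversation once, run every engine on the same content."""
    stats = Stats()
    content = open_attachment(blob, stats)
    findings = [engine(content) for engine in ENGINES]
    return findings, stats


def final_verdict(findings: List[Finding]) -> str:
    """One 'block' from any engine blocks the attachment."""
    return "block" if any(f.verdict == "block" for f in findings) else "allow"


if __name__ == "__main__":
    for name, inspect in (("service chain", service_chain), ("single pass", single_pass)):
        findings, stats = inspect(SAMPLE_ATTACHMENT)
        print(f"{name}: {final_verdict(findings)} after {stats.opens} opens, {stats.closes} closes")
```

Both paths reach the same verdict; the difference the counters show is the repeated decode and re-encode work that the chained path pays at every hop.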


The Cato Networks SASE Platform


The Cato Networks SASE platform is described by the vendor as the first implementation of the SASE framework that was defined by Gartner in August 2019.

When Gartner coined SASE, Cato was offering an SD-WAN product that was converged with security and delivered through a distributed network of PoPs. This was very close to SASE’s definition. This article will look at the security services in Cato’s SASE platform, its network backbone, and edge appliances.

Cato SASE Platform Security as a Service

The Cato SASE platform has many security services. They are built directly into the cloud network and are a tightly-integrated software stack. That architecture puts the platform squarely within the Gartner definition where multiple networks must be involved and the security functions must be integrated into one stack. Cato’s current services include:

• Next-generation firewalls

• Secure web gateways

• Anti-malware

• Intrusion prevention system

Next-Generation Firewall

The Cato next-generation firewall (NGFW) is able to granularly enforce rules based on time restrictions and types of traffic.

Application awareness, user awareness, LAN segmentation, WAN traffic protection, and internet traffic protection are all capabilities of the Cato SASE platform’s NGFW.

The deep packet inspection engine in the NGFW classifies application traffic as early as the first packet, without performing secure socket layer (SSL) inspection. It uses information taken from network metadata and information that is correlated with the Cato Research Labs application database.

The user awareness capability is a combination of identity access management (IAM) and role-based access control (RBAC) features, where access to Cato Cloud resources in the network is based on the identities and roles of individual users or groups.

The Cato NGFW segments the LAN. No traffic can move between different segments. LAN connections can be established through local segmentation rules and are enforced by Cato Socket, the Cato local appliance. Alternatively, WAN firewall rules can be enforced by the Cato Cloud that performs full traffic inspection.

The WAN firewall is also used by security administrators to allow or block traffic between points in the organization’s network. If administrators prefer, it is possible to blacklist certain types of traffic.

The firewall applies rules that allow or block traffic heading between network points. The firewall’s default state is to blacklist types of traffic. To block access, administrators must define rules that explicitly block connections from certain network points to applications.

Secure Web Gateway

The SWG included in the Cato SASE platform gives customers the capability to monitor, control, and block access to websites in addition to warning users of potential risks. Organizations can use Cato’s predefined URL categories and add their own. The categories include sources of suspected spam and suspected malware.

Anti-Malware

The anti-malware service elements are deep packet inspection, true filetype detection, and malware detection and prevention.

The deep packet inspection looks closely at both encrypted and unencrypted traffic. Files are taken out of the traffic stream, inspected, and blocked if needed.

True filetype detection is able to determine the actual type of file traveling on the network no matter what the file extension or content-type header is. This tool is used to combat evasion tactics used by attackers to mask high-risk file types.
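One way to implement true filetype detection of the kind described above, as an added Python example that is not Cato’s code: the leading bytes of the content (and, for ZIP containers, the entry names) decide the real type, and that is compared with what the extension or Content-Type header claims. The signature table, the high-risk list, the extension and MIME maps and the sample files are all constructed and cover only a handful of formats.

```python
import io
import zipfile
from dataclasses import dataclass

# Constructed signature table: leading bytes that identify a format.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"#!", "script"),
    (b"PK\x03\x04", "zip"),        # also the container used by docx and jar
]
# Constructed policy: types blocked whatever they were declared as.
HIGH_RISK = {"pe-executable", "elf-executable", "script", "jar"}
EXTENSION_TYPES = {
    ".exe": "pe-executable", ".pdf": "pdf", ".png": "png", ".gif": "gif",
    ".docx": "office-document", ".jar": "jar", ".zip": "zip", ".sh": "script", ".txt": "text",
}
MIME_TYPES = {
    "application/x-msdownload": "pe-executable", "application/pdf": "pdf",
    "image/png": "png", "image/gif": "gif", "application/zip": "zip",
    "application/java-archive": "jar", "text/plain": "text",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": "office-document",
}


def refine_zip(data: bytes) -> str:
    """A ZIP container may be an Office document or a Java archive; look at its entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return "zip"
    if "[Content_Types].xml" in names:
        return "office-document"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    return "zip"


def detect_true_type(data: bytes) -> str:
    """Decide the type from content alone, ignoring file names and headers."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return refine_zip(data) if kind == "zip" else kind
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return "text" if data and printable else "unknown"


def declared_type(filename: str, content_type: str = None) -> str:
    """What the sender claims: the extension first, the Content-Type header second."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    mime = (content_type or "").split(";")[0].strip().lower()
    return EXTENSION_TYPES.get(ext) or MIME_TYPES.get(mime) or "unknown"


@dataclass
class Verdict:
    declared: str
    detected: str
    mismatch: bool
    action: str        # "allow", "flag" or "block"


def assess(filename: str, content_type: str, data: bytes) -> Verdict:
    """High-risk content is blocked regardless of its label; a mislabelled
    lower-risk file is flagged for review; everything else is allowed."""
    declared = declared_type(filename, content_type)
    detected = detect_true_type(data)
    mismatch = declared != detected
    if detected in HIGH_RISK:
        action = "block"
    elif mismatch:
        action = "flag"
    else:
        action = "allow"
    return Verdict(declared, detected, mismatch, action)


def make_zip(entries: dict) -> bytes:
    """Build a small constructed ZIP container in memory for the samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed samples: a renamed Windows binary, a jar posing as a document,
    # a minimal real document, and a PNG served as plain text.
    samples = [
        ("invoice.pdf", "application/pdf", b"MZ\x90\x00\x03\x00" + bytes(58)),
        ("report.docx", None, make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})),
        ("report.docx", None, make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})),
        ("logo", "text/plain", b"\x89PNG\r\n\x1a\n" + bytes(16)),
    ]
    for name, mime, data in samples:
        print(name, assess(name, mime, data))
```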


The malware detection and prevention service has a multi-featured engine that uses heuristics to review digital signatures. In this case, heuristics refers to the detection of malware based on contextual information and the SASE system’s prior knowledge of existing suspicious sites and attack methods. Threats reported by global threat intelligence databases keep the engine up to date on possible threats. Cato partnered with SentinelOne for machine learning and artificial intelligence (AI) technology. SentinelOne is able to identify and block unknown malware.

The processing of these three anti-malware services happens in parallel during traffic inspection. This means the traffic is opened up for inspection once, and all services review it at the same time. By doing that instead of one security function at a time, inspection takes less time. Parallel inspection is a key element of SASE services, as defined by Gartner.

Intrusion Prevention System

The Cato SASE platform IPS is multi-layered. It offers services covering behavioral signatures, reputation feeds, protocol validation, known vulnerabilities protection, malware communication, geolocation, and network behavioral analysis.

Behavioral signatures are when the IPS searches for deviations from the expected system or user behavior.

Reputation feeds are collections of Cato’s and others’ intelligence feeds that detect and alert organizations to compromised resources. Feeds are updated hourly.

Protocol validation is when the IPS validates that packets conform to protocols, which reduces the chance of attack from exploits using anomalous traffic.

Protection from known vulnerabilities means the IPS can defend against common vulnerabilities and exposures. The IPS can rapidly adapt when new vulnerabilities are discovered, integrating the knowledge into the deep packet inspection engine.

The IPS uses reputation feeds and network behavioral analysis to stop outbound traffic from reaching command and control servers used to spread malware.

The Cato SASE IPS can stop traffic if it is heading to or from a country considered to be high-risk for attacks. The IPS can do this because it has policies that use the geolocation of traffic sources and destinations.

Finally, the Cato SASE IPS is able to detect and prevent network scans with network behavioral analysis.

Global PoP Network Backbone

As of this writing, there are over 50 PoPs in Cato’s global private network. All of the PoPs are able to run the Cato SASE platform cloud-native software stack. That stack executes all of the security functions mentioned above and the networking services mentioned below. Multiple customers can use a single PoP.

The architecture of the network connects customers to the backbone via encrypted tunnels from a Cato Socket — a zero-touch edge SD-WAN appliance — or from the device if it can use IPsec tunnels. Cloud data centers connect to the network with an agent or agentless configuration. Having both a private network and a cloud network is a fundamental aspect of a SASE service, as defined by Gartner.

WAN optimization is one of the networking services available through a Cato SASE PoP. It uses TCP proxies and congestion management algorithms for the optimization of key operations like file transfers.

The Cato PoP network has routing algorithms that factor in latency, packet loss, and jitter to get traffic to and from its destination optimally, favoring performance over cost of transmission.

The connections between PoPs are completely encrypted. Cato states that the strongest industry-standard ciphers are used.

Cato Socket

The Cato edge SD-WAN device, Cato Socket, is meant for branch offices and data centers.

The Cato Socket is capable of link aggregation, dynamic path selection, application identification, bandwidth management, packet loss mitigation, and routing protocol integration.

Link aggregation makes MPLS, fiber, DSL, cable, and cellular connections available for traffic to use.


Cato Socket has dynamic path selection capabilities where traffic is routed optimally depending on the application, user, and the connection quality.

More critical applications passing through a Cato Socket device always receive prioritized bandwidth capacity. All other applications are served on a best-effort basis.

When a connection falters, packet loss mitigation ensures traffic is switched to better-performing links. At the same time, packets can be proactively duplicated.

Routing protocol integration in the Cato Socket uses border gateway protocols to make informed routing decisions. It can also integrate an organization’s existing routing infrastructure into the Cato SD-WAN.

Cato SASE Platform: Key Takeaways

1. The Cato SASE platform has an integrated cloud-native security software stack that includes NGFW, SWG, anti-malware, and IPS services.

2. The Cato SASE network consists of over 50 points of presence and cloud networks as well.

3. Cato Socket is an appliance for branches and data centers that offers connection through multiple mediums including MPLS, DSL, and cellular connections.


The Cisco SASE Platform


The Cisco SASE integrates technology from Umbrella, Viptela, and Duo Security.

Umbrella contains most of the security aspects of the Cisco SASE offering, as outlined below. Viptela is the larger network that intelligently connects users on the network to the SASE security services. Users securely access the network via Duo Security’s zero-trust security tools. Duo Security is a cloud-based secure access technology vendor that was acquired by Cisco in October 2018.

Umbrella, Viptela, and Duo Security together have elements of the SASE description written by Gartner in August 2019.

The Secure Internet Gateway

The Umbrella secure internet gateway (SIG) is where the security services are all integrated into a single cloud-native software stack. Included in the SIG are services for:

• Domain name system (DNS) security

• A full proxy SWG

• CASB

• A cloud-delivered firewall

A SASE platform will open up traffic for inspection and run all security functions once. In Umbrella, many of the mentioned security functions will include traffic inspection as a feature for this reason.

Cisco Umbrella’s DNS Security

Cisco describes DNS-layer security as the first line of defense because the first step to accessing the internet is with DNS resolution. In the Umbrella platform, the DNS Security Advantage Package works at both the DNS and IP layers. Because of this, access requests to malware, ransomware, phishing, and botnets are blocked before a connection can be made.

Before an attack reaches a user, it hits a DNS server first, where the URLs, files, or domain go through deeper inspection via antivirus engines and advanced malware protection software. For remote users, Umbrella is able to block direct IP connections to a hacker’s command and control servers.

The Umbrella DNS security element gives organizations visibility into the cloud applications used by their employees. This visibility covers sanctioned and unsanctioned cloud applications and services. The visibility is so granular that organizations can determine what applications are being used and by whom, find potential risks, and block individual applications.

A Cloud-Based Secure Web Gateway

The Umbrella SWG cloud proxy scans all files that are uploaded and downloaded to and from the cloud for threats such as malware. Part of being able to scan files includes SSL decryption, which Cisco says can protect from hidden attacks.

The SWG can block file types from being accessed and block users from specific activities in different applications. For example, .exe files can be blocked because of their increased risk of being malware. Also, users can be prevented from actions such as uploading files to a storage system or posting to social media.

Another blocking ability in the Umbrella SWG is to block traffic destinations that go against policies or compliance regulations. Content filtering by website category or specific URLs enables the SWG to determine what destinations to block.

Security teams that use the Cisco Umbrella SWG receive detailed reports that include full URL addresses, network identities, the allow or block actions taken by the gateway, and the external IP addresses of the accessed websites.

Cisco Umbrella’s CASB Offers Application Awareness

The CASB in Cisco Umbrella, like the DNS tool, gives security teams visibility into any shadow IT that is happening by producing reports on all cloud applications being used throughout the cloud environment. The reports include information on each


application’s vendors, categories, name, and amount Duo Security and Zero Trust Access
of use. Additional information includes how risky an
Zero-trust is a security approach where all traffic and
application may be. Security teams can use the CASB
sources of traffic are suspect, even if the traffic source is
to establish policies for blocking or allowing different applications.

The CASB software offers granularity for what gets blocked or allowed. Individuals or groups can be prevented from accessing specific SaaS applications.

A Firewall in the Cloud

In its documentation for the Cisco Umbrella cloud-delivered firewall, Cisco says the firewall secures 15% of traffic going through an Umbrella network. Cisco argues in the documentation that the amount of traffic the cloud-delivered firewall secures “is on the cusp of exploding,” as employees and students continue to move to cloud-native applications for remote work and study via their phones and laptops.

Like other security services mentioned above, the cloud-delivered firewall enables visibility into traffic passing through the network. Outbound internet traffic across all ports and protocols heads through the firewall because it works at Layer 3 and Layer 4. All such traffic activity is logged by the firewall.

Traffic can be sent to the firewall from any network device via an IPsec tunnel.

This infographic depicts the flow of traffic as it passes through the Cisco Umbrella cloud-based security tools before reaching the internet. Source: Cisco

Networking via Viptela

The Viptela SD-WAN product within the Cisco portfolio is used for the routing and other networking features used by Umbrella. If an organization already has Viptela, then it can choose to expand the service to include Umbrella as well.

The network edge is a fundamental part of SASE, and Viptela can be used to route traffic to and from the edge. Network PoPs are edge locations where SASE services are delivered. Cisco has scaled existing PoPs for Umbrella in order to handle increased tunneling to the SIG and increased traffic to the firewalls.

a reliable employee. Umbrella is integrated with the zero trust technology from Duo Security.

To access the organization’s SASE network, employees use multi-factor authentication, which ensures with greater certainty that the employee’s credentials are not compromised. To further ensure that devices in the network are not compromised, device health is monitored in real-time. The amount of data and resources an employee has access to can be applied differently via policies that are informed by where an employee is located, what kind of device they are using, or how recently the device was updated, along with other contextual information.

These security policies from Duo Security add to the overall security of the Cisco SASE offering that is integrated with Umbrella and Viptela.

Cisco Umbrella: Key Takeaways

1. Cisco Umbrella, Viptela, and Duo Security together create secure, cloud-based SASE networks for organizations.

2. The secure internet gateway has security features that include DNS security, a secure web gateway, a cloud access security broker, and a cloud-based firewall.

3. All of these security tools inspect traffic at once and provide visibility into the whole cloud environment, including cloud applications, services, and usage rates.

4. Cisco Viptela is how traffic is intelligently routed throughout the SASE network.

5. Duo Security is the zero-trust part of the Cisco SASE, which plays a large part in meeting the Gartner definition of SASE.
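The context-aware policies described in the Duo Security passage above (MFA result, device health, location and device type deciding how much an employee may reach) can be illustrated with a small policy evaluator. The following is example code written for this guide, not Duo Security’s or Cisco’s implementation; the three resource tiers, the 30-day patch threshold, the trusted-country list and the constructed requests in demo() are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Added example, not Duo Security's or Cisco's code: a context-aware access
# policy evaluator. MFA, device health and location decide how much an
# employee may reach. Tiers, thresholds and trusted locations are assumptions.

MAX_PATCH_AGE_DAYS = 30            # assumption: older than this counts as unpatched
TRUSTED_COUNTRIES = {"US", "CA"}   # assumption: where the organisation's offices are


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device_managed: bool     # enrolled, organisation-managed endpoint (vs. personal)
    disk_encrypted: bool
    last_patched: date
    country: str
    resource_tier: str       # "public", "internal" or "restricted" (assumed tiers)


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every rule that was not satisfied


def evaluate(req: AccessRequest, today: date) -> Decision:
    """Decide whether the request is allowed and record which rules failed.
    All failures are collected (not just the first) so an administrator
    sees the full picture of why access was limited or merely tolerated."""
    reasons = []

    # MFA is mandatory for every tier.
    if not req.mfa_passed:
        reasons.append("mfa-required")

    # Device health: patch recency and disk encryption.
    patch_age = (today - req.last_patched).days
    stale = patch_age > MAX_PATCH_AGE_DAYS
    if stale:
        reasons.append(f"device-unpatched-{patch_age}d")
    if not req.disk_encrypted:
        reasons.append("disk-not-encrypted")

    tier = req.resource_tier
    if tier == "public":
        # Public resources: only MFA is enforced; hygiene problems are logged.
        deny = not req.mfa_passed
    elif tier == "internal":
        # Internal apps: MFA plus a healthy device, from any location.
        deny = (not req.mfa_passed) or stale or (not req.disk_encrypted)
    elif tier == "restricted":
        # Restricted data: additionally a managed device in a trusted location.
        if not req.device_managed:
            reasons.append("restricted-needs-managed-device")
        if req.country not in TRUSTED_COUNTRIES:
            reasons.append(f"restricted-blocked-from-{req.country}")
        deny = bool(reasons)
    else:
        reasons.append(f"unknown-tier-{tier}")
        deny = True

    return Decision(allow=not deny, reasons=reasons)


def demo(today=date(2020, 9, 1)):
    """Constructed requests covering the main paths; returns name -> Decision."""
    healthy = dict(mfa_passed=True, device_managed=True, disk_encrypted=True,
                   last_patched=date(2020, 8, 20))
    stale_byod = dict(mfa_passed=True, device_managed=False, disk_encrypted=True,
                      last_patched=date(2020, 6, 1))
    cases = {
        "alice-restricted-ok": AccessRequest("alice", country="US", resource_tier="restricted", **healthy),
        "bob-restricted-byod-stale": AccessRequest("bob", country="US", resource_tier="restricted", **stale_byod),
        "bob-public-stale": AccessRequest("bob", country="US", resource_tier="public", **stale_byod),
        "carol-internal-no-mfa": AccessRequest("carol", mfa_passed=False, device_managed=True,
                                               disk_encrypted=True, last_patched=date(2020, 8, 30),
                                               country="DE", resource_tier="internal"),
        "dave-restricted-abroad": AccessRequest("dave", country="DE", resource_tier="restricted", **healthy),
    }
    return {name: evaluate(req, today) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: allow={decision.allow} reasons={decision.reasons}")
```

In a deployment the request fields would be filled from the identity provider and the device-health agent rather than constructed by hand; the point of the example is that the same device can be allowed to a public resource while being refused a restricted one, with the reasons recorded either way.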

© 2020 SDxCentral LLC. All Rights Reserved. 9


SASE 101: Getting Started Guide | The Open Systems SASE Platform

The Open Systems SASE Platform


The Open Systems SASE platform is a security service designed to work in tandem with an organization’s existing SD-WAN and cloud provider’s infrastructure. There are fully managed or co-managed options.

The Open Systems’ Mission Control security operations center and network operations center is a team of personnel that keeps an eye on its customers’ infrastructure to identify and address issues. Mission Control operates at all times and is the most unique aspect of Open Systems’ SASE solution.

The specific security functions of the Open Systems SASE are common to SASE offerings. Some examples include a device client that runs security functions on remote workers’ devices, a virtual private network (VPN), secure web gateways, DNS filters, a firewall, and a cloud access security broker.

Open Systems Managed Service

Open Systems began offering a SASE platform after being a managed service provider (MSP) for both SD-WAN and security services. The vendor’s flagship product, before SASE, was Secure SD-WAN. The Secure SD-WAN service is used to secure a company’s existing SD-WAN.

The security service is also helmed by Open Systems’ Mission Control team, the security and network operations center mentioned earlier that manages an organization’s entire network. If an organization has the time, resources, and inclination to get involved, a co-managed option is available.

The MSP approach to SASE is what makes Open Systems unique. Essentially, Open Systems is offering network-as-a-service and security-as-a-service on a cloud-native platform with analytics. The SASE service can be managed or co-managed. Not many other vendors are following this model.

The network-as-a-service aspect of Open Systems’ offering is not based on a proprietary Open Systems network. The vendor does not have its own PoPs. Instead, it works with network providers to provide a managed network security service that runs within a customer’s environment of choice.

Silvan Tschopp, head of solution architecture and product marketing at Open Systems, explained this approach’s purpose in an interview with SDxCentral.

“Let’s say if our customers are completely Azure focused, we believe it’s best to provide them the entire SASE experience directly out of Azure and not have them go to our cloud first, and then potentially go to Azure cloud or the same with Amazon,” he said. “The goal is that we enable and empower our customers to connect to wherever their data and their resources are, through the best way possible.”

Networking Features

Remote workers are a proven use case for SASE. These workers may need to connect to the closest network node while outside of an office or branch location. In this instance, Open Systems utilizes VPN connections.

However, Tschopp said the vendor is working on zero-trust network access technologies that would make it unnecessary to have a VPN when accessing cloud resources.

Open Systems does not require the use of a hardware networking or security device; instead, the SASE functions are carried out in a software client on the device or in the cloud.

However, Open Systems does have devices available for manufacturing branches and large offices where a “thick branch” is needed. A “thick branch” is a deployment model that requires multiple networking and security devices to securely link the network-connected devices at the location to the cloud and the organization’s larger WAN.

Open Systems SASE Security Features

Open Systems provides a common slate of security tools that align with what Gartner deems necessary to be considered a SASE vendor.


These security tools include:

• Secure email gateway
• Secure web gateway
• Unified threat detection
• DNS filter
• Firewall
• CASB
• Managed detection and response

With all of these tools, among others, Open Systems is able to detect, log, and report attacks on the network as well as respond to the attacks to prevent them from doing too much damage.

Open Systems SASE: Key Takeaways

1. Open Systems is a managed services provider and does not have its own network or cloud infrastructure.

2. Open Systems works closely with SD-WAN and cloud providers to secure the infrastructures of both.

3. The Mission Control team is an always-available security and network operations center that handles everything that may happen on or to the network.

4. The security features of the Open Systems SASE are similar to many other SASE vendors’ security features.


The Palo Alto Networks SASE Platform


Prisma Access is the SASE service from Palo Alto Networks. The vendor has a reputation in the security field and has experience offering networking services.

After Gartner released its SASE report, Palo Alto was able to integrate its security and networking services into a cloud-native software stack that closely fit the definition. There are still no standards for SASE, and it can vary considerably from vendor to vendor.

Palo Alto’s SASE Security Functions

The Prisma Access service from Palo Alto has multiple security features, the policies of which can be managed by customers through dedicated cloud instances. Features include:

• Cloud access security broker
• Zero trust network access
• Cloud secure web gateway
• Data loss prevention
• Domain name system security
• Firewall-as-a-service
• Threat prevention

Cloud Access Security Broker

A CASB is typically used to deploy security, governance, and compliance policies in a cloud environment; locate where sensitive data is in the cloud; and ensure data is kept confidential and in the organization’s possession through the CASB security measures.

A SASE service integrates several security tools into one consolidated cloud-native software stack. This is opposed to using tools, potentially from different vendors, that are difficult to manage separately. CASBs are included in the Prisma Access SASE software stack.

With Prisma Access, a CASB can be managed with both in-line and API-based controls. In-line security prevents malware from accessing applications and then infecting user devices. API-based security looks for violations in policy from traffic and within SaaS applications.

Additionally, a CASB with Prisma Access provides consistency in threat detection and policy enforcement, which helps remove weak links in the security chain. This CASB is capable of using unified policies and a cloud-based engine to protect all data channels and be aware of known threat vectors. Together, this reduces the workload for administrators when it comes to deploying security for the entire organization.

Zero Trust Network Access

Zero trust network access (ZTNA) is the embodiment of not trusting anyone or anything. Before traffic is given access to a network and the network’s data, the traffic is inspected and verified. It is a philosophy that embodies the principle of least privilege, where users and other entities are only granted access to networks, data, applications, and other IT resources if it is absolutely necessary for their job.

In Prisma Access, the principles of ZTNA are present in all services of the SASE network.

Cloud Secure Web Gateway

A cloud SWG is a security tool that defends against web-based threats and enforces acceptable internet use policies. Traffic from a user passes through an SWG before heading to the desired website. The SWG also performs many functions before a user accesses a website. They include URL filtering, web visibility, malicious content inspection, and web access controls. Those functions block inappropriate websites and content, enforce security policies, and prevent unauthorized data transfers.

Palo Alto says that in its SASE service, the cloud SWG offers improved visibility and granular control over users’ web access while enforcing security policies that defend against hostile websites.

Data Loss Prevention

It is important for regulatory and business reasons to keep data safe from being lost, stolen, or misused. Security measures must apply to data at rest, in transit, or while it is in use. As organizations start using multiple


clouds and private data centers concurrently to store data, it is common for organizations to lose track of what data is where.

Prisma Access uses a cloud-based data loss prevention (DLP) tool. It consistently finds and monitors sensitive data in the network no matter where the data is or moves to. It also performs governance and security functions. Since it is cloud-based, the DLP tool is centered around the data itself.

Since it is part of a SASE service, automation comes into play for finding and classifying data, authentication of users and devices, uniformly applying policies throughout a network (even across multiple clouds and on-premises data centers), and identifying and potentially stopping illegitimate or malicious activity.

Domain Name System Security Service

According to Palo Alto, its SASE service uses the DNS security portions of the Palo Alto portfolio. The vendor’s DNS security service is capable of predictive analytics, machine learning, and automation for preventing DNS-based attacks.

Machine learning in particular is used to detect when data theft via DNS tunneling is underway, allowing organizations to neutralize the attack.

Like the other security technologies mentioned, the DNS security service is integrated into the Prisma Access software stack.

Firewall-as-a-Service

The Prisma Access firewall-as-a-service (FWaaS) is equivalent to an NGFW device in terms of security functions and capabilities.

However, FWaaS is entirely cloud-based. By using FWaaS technology, organizations are able to aggregate traffic from the multiple sources within their networks, such as on-premises data centers, branch offices, remote workers, and the cloud itself. Organizations can also be consistent in the application and enforcement of security policies throughout the network and for all users. The technology grants enhanced visibility and control of a network without any physical appliances.

Threat Prevention

Threat prevention technology is another portion of the Palo Alto portfolio integrated into Prisma Access. Threat prevention available through Palo Alto includes intrusion prevention, malware protection, and command-and-control prevention.

Prisma Access takes these technologies and combines them with global sources of threat intelligence along with automation. The goal is to protect against known and unknown attacks.

Prisma Access Networking Services

SASE is not only about security. It also is a networking technology. These are the networking pieces of the Prisma Access SASE service:

• Virtual private networks
• Quality of service bandwidth management
• CloudGenix’s SD-WAN

Virtual Private Networks

A VPN is a means of encrypting network traffic so it can pass through a public network without being read by other users on the network. In a SASE service such as Prisma Access, VPN technology is integrated into the SASE agent on the user’s device so there is one less security tool to manage separately from everything else.

Quality of Service in Networking

The measurements of a network’s quality of service (QoS) are bandwidth, latency, jitter, and error rate. In Prisma Access, bandwidth management is accomplished through application whitelisting and blocking policies. Applications that are blocked are prevented from taking up or hogging bandwidth, so business-critical applications can be provisioned more bandwidth.

The Prisma Access software stack is integrated with QoS policies so it can set priorities for which traffic to provision certain amounts of bandwidth.

CloudGenix Brings in Robust SD-WAN

Prior to the acquisition of CloudGenix, Prisma Access was focused largely on securely connecting remote


workers and did not adequately address branch and retail use cases. Palo Alto and CloudGenix had already been working closely together, so integration was not expected to take long. For example, the first phase was predicted to take 90 days.

The reason for the purchase was to obtain CloudGenix’s cloud-delivered SD-WAN technology. Acquiring CloudGenix meant Palo Alto could make its SASE service more powerful on the networking side. And since the CloudGenix SD-WAN was focused on working with the cloud, it fit well with the SASE model.

Prisma Access: Key Takeaways

1. The Palo Alto SASE service, Prisma Access, contains a multitude of security services from the Palo Alto portfolio along with networking technologies from Palo Alto and CloudGenix.

2. Security services and techniques include cloud access security brokers, zero trust network access, cloud secure web gateways, data loss prevention, domain name system security, and firewall-as-a-service.

3. Some of the networking technologies that Prisma Access contains are CloudGenix’s SD-WAN connections, virtual private network connections, and quality of service policies.
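The Domain Name System Security section of this chapter says machine learning is used to spot data theft over DNS tunneling. The signals such a detector works from can be shown with plain per-client statistics. The following is an added example written for this guide, not Palo Alto Networks’ code: it substitutes fixed thresholds for the vendor’s machine-learning models, and the log format (client, query type, query name), the sample zone names and the thresholds are assumptions. It reads a constructed DNS query log and flags a client whose queries to one zone are almost all unique, long, high-entropy labels carried in TXT records, which is what tunneled data looks like on the wire, while leaving ordinary browsing alone.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Added example (not Palo Alto Networks' code): statistical heuristics that
# flag DNS-tunneling-style behaviour in a DNS query log. Thresholds, the log
# format ("client qtype qname") and the sample domains are all assumptions.

UNIQUE_RATIO_MIN = 0.9   # nearly every query carries a never-seen subdomain
ENTROPY_MIN = 3.5        # bits/char; encoded payloads are close to random
QUERY_LEN_MIN = 60       # characters; tunnels pack as much as they can per query
TXT_SHARE_MIN = 0.5      # TXT/NULL records are common carriers for the downstream channel


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character of a string ("" -> 0.0)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the queried zone as the last two labels.
    Assumption: no public-suffix list (a real product would use one)."""
    return ".".join(qname.split(".")[-2:])


def parse_log(lines):
    """Parse constructed 'client qtype qname' lines into (client, qtype, qname)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qtype, qname = line.split()
        records.append((client, qtype.upper(), qname.rstrip(".").lower()))
    return records


def score_clients(records, min_queries=20):
    """Group queries per (client, zone) and compute tunneling indicators.
    A group is 'suspicious' when at least three indicators fire."""
    groups = defaultdict(list)
    for client, qtype, qname in records:
        zone = registered_domain(qname)
        sub = qname[: -len(zone) - 1] if qname != zone else ""
        groups[(client, zone)].append((qtype, sub, len(qname)))

    findings = {}
    for key, items in groups.items():
        if len(items) < min_queries:      # too little data to judge
            continue
        subs = {sub for _, sub, _ in items}
        unique_ratio = len(subs) / len(items)
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        mean_len = sum(n for _, _, n in items) / len(items)
        txt_share = sum(1 for qt, _, _ in items if qt in ("TXT", "NULL")) / len(items)
        indicators = [name for name, hit in (
            ("high-unique-subdomains", unique_ratio > UNIQUE_RATIO_MIN),
            ("high-label-entropy", mean_entropy > ENTROPY_MIN),
            ("long-queries", mean_len > QUERY_LEN_MIN),
            ("txt-heavy", txt_share > TXT_SHARE_MIN),
        ) if hit]
        findings[key] = {
            "queries": len(items),
            "indicators": indicators,
            "suspicious": len(indicators) >= 3,
        }
    return findings


def build_sample_log():
    """Constructed log: one normal client and one client that behaves like a
    DNS tunnel (base32-encoded 'chunks' as subdomains of a reserved test zone)."""
    lines = ["# client qtype qname"]
    for i in range(30):                     # normal browsing: few names, repeated
        host = ("www", "mail", "api")[i % 3]
        lines.append(f"10.0.0.5 A {host}.example.com")
    for i in range(30):                     # tunnel-like: a fresh encoded label every query
        digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
        label = base64.b32encode(digest).decode().lower().rstrip("=")
        lines.append(f"10.0.0.7 TXT {label}.t.exfil-example.test")
    return lines


if __name__ == "__main__":
    for (client, zone), finding in score_clients(parse_log(build_sample_log())).items():
        print(client, zone, finding)
```

Requiring several indicators at once is what keeps false positives down: content delivery networks and some anti-virus update services also generate many unique subdomains, but they rarely combine that with long, high-entropy labels and a TXT-heavy query mix. Where this example differs from a product is chiefly in what the thresholds are learned from rather than set by hand.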


The Perimeter 81 SASE Platform


The Perimeter 81 SASE platform has three main components, said CEO and Co-founder Amit Bareket in an interview with SDxCentral.

The first is the globally-distributed and fully-managed network infrastructure that consists of 25 PoPs. These PoPs form a foundational network for the SASE platform, which includes SD-WAN technology. Perimeter 81’s network can connect users via Layer 3 to Layer 7 of the network and takes advantage of the cloud edge. To secure the network, organizations sign up for varying levels of security services from the vendor.

The second component is the device agent that prepares traffic for network transit. A device’s traffic will pass through the agent, then go through an encrypted tunnel in the Perimeter 81 network to the cloud. Once in the cloud, the traffic is subjected to the many security features of the Perimeter 81 SASE security stack.

The third component is the SASE platform’s management console. This is where organizations can control their networks and create user-centric policies that can be enforced inside or outside the office.

Network Elements

As mentioned, the Perimeter 81 network infrastructure for its SASE platform consists of 25 different PoPs that span the globe and are completely managed. In short, a cloud-centric SD-WAN has been integrated with security tools and functions to create a SASE platform.

One of the security tools that Perimeter 81 uses in its SASE is a proxy server. A proxy server acts as a barrier between the employee and any website or web application the employee is accessing. Traffic goes to the proxy server, which is remotely viewed by the employee, so no traffic goes directly from the host to the employee. If there is malicious traffic received by the proxy server, it can be detected by the SASE security stack at the PoP and is kept from spreading through the network.

Not all of an employee’s work has to be done by accessing cloud-based resources like a website or web application. When a remote employee needs to access their office’s LAN or organization’s data center, they can use a remote desktop, HTTPS, virtual network computing, or secure shell protocols. Those four connection types are part of the Perimeter 81 SASE zero trust approach to network security. Zero trust means that all network traffic is suspected to have malicious content. Everything is inspected and goes through the same processes of ensuring the traffic is safe.

Security Elements

The Perimeter 81 website provides eight use cases for its SASE platform:

• Unified cloud management
• Zero trust network-as-a-service
• Firewall-as-a-service
• Cloud sandboxing
• DNS security
• SaaS security
• Endpoint security
• Endpoint compliance

Unified cloud management means all of the SASE security stack is managed via the cloud. The security functions are integrated so security personnel can have visibility across functions and monitor performance.

Zero trust network-as-a-service takes all of the security functions available on the Perimeter 81 network and delivers them via the cloud, like a typical SASE platform.

The firewall-as-a-service protects an organization’s office networks. The firewall itself is an NGFW, which employs virtualized and improved security features as compared to a hardware-based firewall.

Cloud sandboxing is where unknown files are analyzed in the cloud for any kind of attack or threat.

DNS security uses information from global threat intelligence sources to identify malicious domains. Employees cannot access known malicious domains.


SaaS security is designed to protect an organization’s SaaS applications from malicious actors.

Endpoint security protects the devices and offices on the SD-WAN with functions including next-generation malware protection and visibility into encrypted traffic.

For endpoint compliance, Perimeter 81 scans for the security features the customer organization has in its network to make sure that the organization is compliant with appropriate regulations.

What is Unique About the Perimeter 81 SASE Platform?

In his interview with SDxCentral, Bareket said that what makes Perimeter 81’s SASE a unique service is how mature its network is.

“We are providing a true Layer 3 to Layer 7 network in our cloud when other vendors took a web proxy and added different security services on top,” he said, “which is completely different.”

What this means is Perimeter 81’s SASE can transmit data itself over the network, transport, session, presentation, and application layers of the Open Systems Interconnection (OSI) model.

Perimeter 81 SASE: Key Takeaways

1. The Perimeter 81 SASE platform is made up of an SD-WAN, an agent for user devices, and a centralized network management console residing in the cloud.

2. The vendor added integrated security functions to its SD-WAN infrastructure to create the SASE platform.

3. A major security feature Perimeter 81 built its SASE off of is zero trust network access, where all traffic is treated as suspicious.

4. What makes Perimeter 81’s SASE unique is that its SD-WAN infrastructure includes Layer 3 to Layer 7 of the OSI model, which are used for transmitting data differently.


The Zscaler SASE Platform


The Zscaler SASE platform is a set of security functions that are interoperable with the networks of several SD-WAN vendors.

The security functions are mostly found within the Zscaler Cloud Security Platform service. It provides security through decryption, traffic inspection, URL filtering, browser proxies, and cloud sandboxes.

The security functions are executed at any of Zscaler’s 150 PoPs, which are globally distributed at common internet exchanges.

Zscaler Interoperates with SD-WAN Vendors

The Gartner document that introduced and defined SASE technology proposes that there is a high risk of a poorly performing SASE service when multiple services are put together instead of an organization using a single vendor or a vendor offering all aspects of a Gartner-defined SASE itself.

This relates to the Zscaler SASE because it focuses on security and has APIs that allow security tools to interoperate with SD-WAN vendors’ infrastructures.

Essentially, what Zscaler has done is create a security service that works in conjunction with a customer’s existing SD-WAN. Zscaler’s customers can connect via their existing SD-WAN to Zscaler’s data center PoPs. Once there, the traffic passes through security engines that combat security issues.

In an interview with SDxCentral, Zscaler’s CIO and VP of Emerging Technologies, Patrick Foxhoven, explained that his organization chose this approach because it can offer the Zscaler SASE service more effectively by working with SD-WAN vendors instead of competing against them.

“We don’t believe that you have to own SD-WAN to deliver SASE by any means,” Foxhoven said. “We don’t want to be the router or the device that is forwarding the traffic at the customer edge. We opened up APIs to all of those [SD-WAN] players, we interoperate with all the branch router SD-WAN players. They all are capable of forwarding traffic to our SASE platform.”

Zscaler has been using this approach since before it began offering a SASE service. Zscaler has documentation on its website showing how to deploy its security technology with several vendors’ SD-WANs. Some of those SD-WAN vendors have also joined the SASE market, such as CloudGenix (now part of Palo Alto’s SASE service), Fortinet (which purchased SASE vendor OPAQ), and Cisco.

So while Zscaler does not have its own wires in the ground transmitting customers’ data to one of its 150 PoPs, it has worked closely with a multitude of SD-WAN vendors to make its security functions interoperate with the networking functions and infrastructure.

The Zscaler SASE Security Tools

To be considered a SASE service, the vendor must have a full stack of security tools integrated together into an engine that executes all of the security features at once on a set portion of traffic. The Zscaler Cloud Security Platform secure internet and web gateway is how the Zscaler SASE meets that requirement.

Zscaler Cloud Security Platform can be broken down into three categories: threat prevention, access control, and data protection.

Threat prevention includes a proxy, an IPS and advanced protection, a cloud sandbox, and DNS security. The proxy inspects traffic that has SSL encryption. The IPS and advanced protection aspect protects users from browser exploits and scripts while also identifying and blocking botnets and malware callbacks. A cloud sandbox is where files are opened before they are given to the user so any malware within them can be detected before it gets to the user. The cloud sandbox keeps the malware from infecting the user’s device. Finally, DNS security can identify and send suspicious connections to the Zscaler threat detection engines for inspection.

For access control, there is a cloud firewall, URL filtering, bandwidth control, and DNS filtering. The cloud firewall provides deep packet inspection (DPI) and access controls for all ports and protocols. With URL filtering, the Zscaler SASE software can block or


limit access to specific websites. The URL filtering can be applied differently based on the user or group of users. Bandwidth control is more of a networking tool than a security tool; however, the Zscaler Cloud Security Platform technology still uses it to prioritize business-critical traffic. DNS filtering can prevent DNS requests against malicious hosts.

Lastly, data protection includes cloud data loss prevention with exact data matching (EDM), a CASB, cloud security posture management, and cloud browser isolation. Cloud data loss prevention can be scaled to all of an organization’s users. Fingerprinting data via EDM improves the detection of data loss. A CASB prevents data exposure to malicious actors and secures cloud-based applications that are known and unknown to the organization. The cloud security posture management tool extends data protection into an organization’s cloud environment to mitigate app misconfiguration, ensure compliance reporting is performed, and fix any compliance violations. The cloud browser isolation tool separates browsing activity from the end-user device so users aren’t exposed to malicious web content.

Zscaler SASE: Key Takeaways

1. Zscaler focuses on providing security tools to customers that align with the SASE model defined by Gartner.

2. There is no networking infrastructure in the Zscaler SASE service; instead, the security tools interoperate with SD-WAN vendors’ networks.

3. The Zscaler SASE is deployed at 150 PoPs across the globe in internet exchanges.

4. The collection of integrated security tools in the Zscaler SASE service is called the Zscaler Cloud Security Platform.
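The data-protection passage above says that fingerprinting data via exact data matching (EDM) improves the detection of data loss. The mechanism behind that claim can be shown in a few functions. The following is an added example written for this guide, not Zscaler’s implementation; the record schema, the HMAC key, the tokenizer patterns and the two-cell threshold are assumptions, and the records are constructed (well-known test card numbers and a reserved example domain). Cells of a structured sensitive data set are fingerprinted with a keyed hash, so the inspection point holds only fingerprints rather than the raw values, and an outbound message is reported only when enough cells of one record appear together.

```python
import hashlib
import hmac
import re

# Added example for this guide, not Zscaler's implementation: exact data
# matching (EDM) for DLP. Cells of a structured sensitive data set are
# fingerprinted with a keyed hash; the inspection point receives only the
# fingerprints and alerts when enough cells of one record show up together
# in outbound content. Schema, key, tokenizer and thresholds are assumptions.

EDM_KEY = b"constructed-per-tenant-secret"   # assumption: held by the DLP tenant, never stored with the data set

# Constructed sample data set (well-known test card numbers, reserved domain).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "card": "4111 1111 1111 1111", "phone": "+1 555 010 0100"},
    {"email": "bob@example.com",   "card": "5500-0000-0000-0004", "phone": "+1 555 010 0101"},
]

# Candidate tokens in outbound text: e-mail addresses, and digit groups that
# may be written with spaces, dashes, dots or parentheses.
TOKEN_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    re.compile(r"\d(?:[\d\s\-.()]*\d)?"),
]


def normalize(value: str) -> str:
    """Canonical form of a cell so formatting differences do not defeat the
    match: lower-case, with whitespace, '-', '.', parentheses and '+' removed."""
    return re.sub(r"[\s\-.()+]", "", value.lower())


def fingerprint(value: str) -> str:
    """HMAC-SHA256 of the normalised value. A keyed hash means someone who
    obtains the fingerprint set cannot brute-force short values such as
    phone numbers without also obtaining the key."""
    return hmac.new(EDM_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records, columns):
    """fingerprint -> set of (record index, column) for the chosen columns."""
    index = {}
    for rec_id, rec in enumerate(records):
        for col in columns:
            index.setdefault(fingerprint(rec[col]), set()).add((rec_id, col))
    return index


def candidates(text: str):
    """Distinct candidate tokens found in the text by all patterns."""
    found = set()
    for pattern in TOKEN_PATTERNS:
        for m in pattern.finditer(text):
            found.add(m.group(0))
    return found


def scan(text: str, index, min_columns: int = 2):
    """Return {record index: [matched columns]} for records of which at least
    min_columns distinct cells appear in the text. Requiring a combination
    (e.g. card number plus e-mail) rather than a single cell keeps a lone
    phone number in an ordinary message from raising an alert."""
    matched = {}
    for token in candidates(text):
        for rec_id, col in index.get(fingerprint(token), ()):
            matched.setdefault(rec_id, set()).add(col)
    return {rid: sorted(cols) for rid, cols in matched.items() if len(cols) >= min_columns}


if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS, ("email", "card", "phone"))
    print(scan("card is 4111-1111-1111-1111, contact Alice@Example.com", idx))   # {0: ['card', 'email']}
    print(scan("reply to bob@example.com by 2020-09-01", idx))                    # {}
```

Two simplifications are worth knowing about before reusing the idea: the digit tokenizer will run two adjacent numbers together if nothing but spaces separates them, and stripping dots from e-mail addresses during normalisation can make distinct addresses collide. A production EDM engine tokenizes per column type and keeps the fingerprint index in a form it can ship to every enforcement point without the source data.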



SDxCentral, LLC
3511 Ringsby Ct, #101
Denver, CO 80216 USA
www.sdxcentral.com
