SD-WAN Vendors & SASE Vendors

Last updated: April 5, 2024

About SD-WAN, SASE, SSE and This List

SD-WAN, or software-defined WAN, lets enterprises connect branch and remote offices using multiple link types, including the public internet, private links such as MPLS and 4G/5G connections.

Rather than use one link for a primary connection and a second as a failover, an SD-WAN gateway can use multiple links simultaneously. It will balance loads across links to maximize usage. The SD-WAN gateway continuously measures link performance. Administrators can set policies based on application type and performance requirements to ensure that high-priority applications always use the best-performing link.

The SD-WAN market is now being overtaken by SASE (secure access service edge) and SSE (security service edge), which are Gartner-defined terms that vendors have adopted. SASE combines SD-WAN networking with cloud-delivered security services such as application firewalling, secure Web gateways, cloud access security brokers (CASBs), malware inspection, and other capabilities.

When you sign on to a SASE service, you’ll get the SD-WAN and cloud-delivered security services from the same provider. SSE provides the cloud-delivered security services described above, but you have to bring your own SD-WAN connectivity to the SSE cloud.

Some of the vendors on this list are Packet Pushers sponsors or podcast guests, meaning you can search our site to find more detailed information about their products and services. If there’s a product or service we’ve missed, let us know through our follow-up form.

Adaptiv Networks (formerly TELoIP)

Adaptiv Enterprise Connect is a cloud-managed SD-WAN offering. It’s delivered as a network service that includes remote provisioning, monitoring, and 24/7 support. Adaptiv Enterprise Connect includes table stakes SD-WAN features such as the use of multiple links, seamless failover, and application-aware policies to ensure business-critical applications get the best-performing connections.

The service includes security features such as a stateful firewall at the branch gateway. Additional security features are available with add-on subscriptions including URL and DNS filtering, as well as cloud-delivered Secure Web Gateway and deep content inspection. Adaptiv targets industries including enterprise branch locations, retail, manufacturing, and healthcare.

🔗 TELoIP Is Now Adaptiv Networks

Aryaka’s Global SD-WAN

The core differentiator of Aryaka’s global SD-WAN is a global private network with more than 40 points of presence (POPs) across six continents. These POPs are interconnected by a backbone of private network connections delivered by top service providers. Customers connect to the Aryaka PoPs using public Internet or private connections.

Aryaka provides the branch gateway device, called an ANAP, to customer locations. These ANAPs can also host local security services such as virtual firewalls from partners such as Palo Alto Networks and Check Point. If customers don’t want to run security services on the ANAP, Aryaka also provides Next-Gen Firewalling and a Secure Web Gateway via its PoPs.

Barracuda Networks SecureEdge

Barracuda is a maker of various networking-related appliances aimed primarily at the mid-market. Their CloudGen firewall includes some SD-WAN functionality.

Barracuda also offers their SecureEdge SASE solution, described as follows: “Barracuda’s cloud-first SASE platform enables businesses to control access to data from any device, anytime, anywhere, and allows security inspection and policy enforcement in the cloud, at the branch, or on the device. Barracuda SecureEdge delivers enterprise-grade security including Zero Trust Network Access (ZTNA), Firewall-as-a-Service, web security, and fully integrated office connectivity with Secure SD-WAN.”

Bigleaf Networks

Bigleaf’s focus is on seamless, robust internet connectivity using their own software and SD-WAN tech. Bigleaf has built their own “cloud access network” you can connect up to four ISP circuits to. They’ll ship you one of their routers pre-configured, and the device does the work of staying connected to the internet seamlessly. Their SD-WAN feature set includes circuit monitoring, dynamic QoS, intelligent load balancing, and same IP address failover.

Cato Networks

Cato Networks is a SASE startup that’s aggressively competing against MPLS providers by offering its own cloud-based WAN backbone. Cato provides a branch device they call a SPACE (Single Pass Cloud Engine) that connects customers to the nearest Cato POP and provides application-based policy options to direct traffic over specific links. In addition, Cato offers a series of cloud-based security services including not only firewalling and malware detection, but also the acronym soup of ZTNA, CASB, DLP, SWG, XDR, and more. Shlomo Kramer, who also helped launch Check Point Software, is a co-founder.

Check Point Quantum SD-WAN and Check Point Harmony SASE

Check Point has an SD-WAN offering and a SASE service. The SD-WAN offering is a software blade that can be activated in Check Point’s Quantum Gateway appliances. The appliances range from small branch devices that offer 1Gbps of throughput to data center devices that offer 30Gbps. Check Point says its SD-WAN software offers sub-second failover between connections and can identify more than 10,000 applications.

The Harmony SASE service emphasizes fast connectivity delivered by a global private backbone. Based on my reading of this datasheet from Check Point, it sounds like many of the security capabilities, including Web filtering, DNS filtering, and malware protection, are actually delivered on the client device rather than in the cloud, which seems counter to the definition of SASE. Check Point says the cloud service provides a Zero Trust Network Access policy that applies least-privileged access to sites and applications based on identity-centric policies.

Cisco Catalyst SD-WAN (formerly Viptela)

Since Cisco’s acquisition of Viptela in 2017, they’ve been hard at work pushing the customer base into replacing traditional WAN routers with SD-WAN. The solution has evolved to be SD-WAN with a SASE feature set courtesy of integration with the Cisco Secure product family.

The Catalyst SD-WAN architecture consists of a manager (management plane/orchestrator), controller (control plane), and WAN edge routers (data plane). In addition, there are various security modules that can become part of the data path.

🗒️ Cisco Acquires Viptela: Facts & Commentary
🎧️ Show 223 – Viptela and the Software Defined WAN
🎧️ Show 240 – Software Defined WAN – Night of Nerdery – Live From New York
🎧️ Show 274: Packet Pushers Live! Viptela & Three Real-World SDN Deployments
🔗 Cisco Live Session-Cisco SD-WAN: Start Here – BRKENT-2108 (CCO Login Required)

Cisco Meraki MX

The Cisco Meraki MX platform delivers SD-WAN. For the full SASE experience, Cisco security services such as Umbrella and Duo and visibility services from Cisco ThousandEyes can be added to the mix.

The Meraki MX datasheet highlights that the platform is cloud-managed and security first, comes in a variety of form factors including virtual, is an IPSEC-based VPN tunnel fabric, and can be licensed for the features you need from basic SD-WAN to SASE.

🔗 Meraki – What Is SASE?
🔗 Meraki MX Datasheet

Cisco Secure Access (SSE)

Beyond Cisco’s SD-WAN offering is their SSE offering, Secure Access. Cisco’s Secure Access data sheet mentions all the key acronyms you might be looking for in your SASE or SSE tooling, include SWG, CASB, ZTNA, FWaaS, DLP, RBI, DEM, and more. Cisco claims that Secure Access works with their SD-WAN, XDR, and ISE products. If you’re a Cisco customer invested in one or more of these other products, these integrations–if meaningful–could be a selling point.

Additional features of Cisco Secure Access include ZTNA, VPNaaS, IPS, DNS security, and malware detection & analytics. Cisco also touts an AI Assistance capable of taking natural language input and translating it into security policy.

Cisco packages Secure Access as “Essentials” and “Advantage”. Advantage adds L7 FWaaS, IPS, DLP, and RBI over the core offerings of the Essentials package.

Citrix NetScaler SD-WAN

Honestly, we’re not sure if this entry should be here. NetScaler is known primarily for being an Application Delivery Controller vendor. The product has been on a long journey. It was acquired by Citrix in 2005. Over time, Citrix added SD-WAN capabilities to the product. Then Citrix was acquired by a private equity firm, and then merged with TIBCO into a new entity called the Cloud Software Group.

It appears that NetScaler was spun out as a standalone entity in 2022. A NetScaler blog from October 2022 focuses on NetScaler’s commitment to ADC. There’s little mention of SD-WAN on NetScaler’s site. They claim to offer SASE functionality, but as of this writing, we could only find mention of SD-WAN or SASE buried in an aging analyst report Citrix references or on documentation pages. If you’re in the NetScaler world and know something we don’t, let us know.

Cloudflare One

Cloudflare wants to be your one-stop shop for all your SASE needs. In a February 2024 blog, Cloudflare announced a group of product updates to their Cloudflare One portfolio offering improved connectivity choices, DevOps friendliness, extended ZTNA, WAN-as-a-Service, security team facilitation, and more.

The Cloudflare One offering includes a full suite of SSE services, Firewall- and WAN- as-a-Service, a massive global network for you to interconnect clients and services with, and several ways to access that global network including a clientless reverse proxy, a device client, IP tunneling, and direct connect at a variety of colocation facilities. Naturally, Cloudflare being Cloudflare, the services are meant to be easy to consume by folks who are network automation or devops savvy. If you can use automation tooling, Cloudflare likely offers an interface for you.

The Cloudflare One landing page is here. Cloudflare’s SASE reference architecture is here, and worth a read.

Cradlepoint NetCloud Exchange (NCX) SD-WAN

Cradlepoint’s SD-WAN perspective is that of integrating 5G into the WAN connectivity mix. As Cradlepoint’s specialty has been hardware purpose-built for wireless environments, this play makes sense. The product page highlights application identification, app steering, support for PDNs and 5G network slices, deep 5G “cellular intelligence” metrics, and a zero trust foundation.

In December 2015, Cradlepoint announced it was acquiring Pertino to integrate SD-WAN capabilities into Cradlepoint’s devices. The acquisition price was not disclosed. Presumably, Pertino tech became part of the Cradlepoint NCX platform.

🎧️ HN478: Leveraging LTE For SD-WAN With Cradlepoint

Ecessa (part of OneNet Global)

Ecessa SD-WAN products include WANworX, WANworX for Microsoft Azure, PowerLink, and Edge. These products are aimed at Ecessa’s target verticals of government, education, and banking.

The WANworX features list consists of the classic SD-WAN offerings: automatic failover and failback, active/active use of bandwidth, session load balancing, Quality of Service (QoS), virtual instances for Azure + VMware + KVM, IPSEC encrypted SD-WAN tunnels, bandwidths up to 20Gbps, next generation firewall (NGFW), authoritative DNS, encryption (VPNs), and packet level duplication.

PowerLink appears to be a somewhat stripped-down version of WANworX, focusing on seamless use of redundant WAN links.

Ecessa Edge is their SD-WAN product for small business. In July 2023, Ecessa was acquired by OneNet Global.

Elfiq (Adaptiv)

Historically in the internet link load-balancing space, Elfiq has expanded their offering with SD-WAN capabilities. Elfiq offers the core SD-WAN value proposition of secure transport over the internet. Elfiq also offers an array of closely related products such as hybrid WAN and deep packet inspection that work together for a more complete WAN offering.

Adaptiv is positioning Elfiq as link balancing with SD-WAN capabilities for the small and medium enterprise. Elfiq merged with Martello, a network management company, in January 2018. In July 2020, Martello sold Elfiq to Adaptiv Networks. See also this press release.

Extreme Networks ExtremeCloud SD-WAN

Extreme Networks’ SD-WAN offering looks like the main product to consider if you’re already invested in Extreme Fabric. Repeatedly in their literature, Extreme points out that ExtremeCloud SD-WAN is a seamless extension of their fabric. That’s no small claim, in that integrating campus LAN security policies into the WAN has been anything but seamless, at least for multi-vendor networks.

Reviewing the solution, it claims the typical SD-WAN architecture with an orchestrator sending policy to edge routers. Traffic forwarding is application-oriented, and there are integrations with several security vendors.

FatPipe

FatPipe makes an appliance that sits on the edge of your network and connects to other FatPipe appliances or IPSEC compatible devices. The box gives you the SD-WAN functionality you’d expect, including active/active forwarding, seamless WAN circuit failover, and application-specific routing. The appliance is also a firewall, and FatPipe claims it can even help mitigate a DDoS attack.

FatPipe has also latched onto the SASE moniker, leveraging their firewall’s next gen capabilities to security enhance their core SD-WAN functionality. FatPipe also claims full ZTNA capabilities and functions such as a Secure Web Gateway. However, their website doesn’t explain how any of the SASE functions actually work. Their case studies center on seamless WAN circuit failover. I was left wondering if FatPipe delivers ZTNA, etc. via their own software or through a partnership with a third party.

For a good overview of the FatPipe platform, check out their seven-minute FatPipe product demo video.

flexiWAN

FlexiWAN is open source SD-WAN, but that’s only part of the story. They are also building a virtual router and other infrastructure functions, such as security. As with many OSS projects, there are commercial variants.

On top of flexiWAN, you can, if you like, roll your own SD-WAN solution catered to your individual requirements. Ergo, the “flexi” in flexiWAN means the platform is customizable. There is an interface to write code, which you could leverage to handle in a unique way your own applications. For example, perhaps you’re a VoIP provider, and want to make decisions at the SD-WAN router level based on your VoIP system telemetry. FlexiWAN allows you to do this, something they claim is lacking in any other SD-WAN solution.

The big win for flexiWAN users is that they can construct a differentiated SD-WAN service offering. Another selling point is that it enables you to integrate any sort of cutting edge technologies as services. Not all apps you can make forwarding decisions on are chosen for you.

If the customization of flexiWAN isn’t that interesting to you, be aware that flexiWAN delivers SD-WAN out of the box too. You aren’t required to create a customized SD-WAN solution to use flexiWAN.

🔗 FlexiWAN’s Launch Announcement (April 2019)

Forcepoint ONE SASE

Forcepoint offers a single-vendor SD-WAN and SSE solution to deliver their SASE platform. The architecture is like many others, where a clients on endpoint devices or FlexEdge SD-WAN devices at a remote office routes traffic into the Forcepoint ONE cloud.

Forcepoint’s SD-WAN reportedly supports as many as 6,000 sites via a single management console. Their SD-WAN offers features you’d expect from a modern SD-WAN beyond simply active/active circuits, including application steering and application health monitoring.

Forcepoint ONE offers a CASB and SWG for brokering cloud and web resources securely. Like most others in this space, Forcepoint leans hard into Zero Trust, using it in their DLP tech as well as ZTNA remote access solution.

A decent overview of Forcepoint ONE SASE can be found in this whitepaper.

Fortinet Secure SD-WAN and Fortinet FortiSASE

Fortinet is a security vendor that has added SD-WAN functionality to their next-generation firewall appliances. This is similar to the “branch-in-a-box” move we’ve seen several vendors make, catering to customers who wish to consolidate their branch operations and physical appliances under one vendor flag in one single device.

As a branch-in-a-box play, Fortinet is not a pure-play SD-WAN connectivity tool. That said, it feels like Fortinet is playing to their strengths by leveraging their existing, scalable platform and management tooling and adding smarter routing. Perhaps security has been their historical focus, but adding SD-WAN forwarding capabilities sure feels like it dovetails in nicely. It’s hard to say whether this approach will win Fortinet new customers or merely keep existing customers from checking out the market.

SD-WAN links are monitored for jitter, packet loss, and latency using several different techniques, including ping, HTTP, and TWAP (two-way active measurement protocol). When a WAN link moves to a degraded state, Fortinet expects failover to take less than two seconds.

Fortinet can support sizable clients, with solid scaling ability and multi-tenancy. One of their largest deployment of Fortigate appliances exceeds 13,000 sites, with typical deployments ranging between the 100s and 1,000s of sites.

Tunneling architecture between branches can be whatever you like. Fortinet supports hub and spoke, partial mesh, full mesh, and on-demand VPN. Up to 4,000 tenants (administrative domains and virtual domains in Fortinet-speak) are supported.

FortiGate appliances come in several form factors with varying degrees of throughput, depending on the features being deployed. These appliances can completely replace a WAN router. In fact, FortiGate claims this is the typical deployment for their customers. Physical ports supported include RJ45 copper, SFP, SFP+, ADSL/DSL/ADSL+, LTE, and wireless 802.11a/b/g/n. Routing protocol support includes static, BGP, OSPF, RIP, and IS-IS. The appliances support HA as well as clustering.

Centralized management, monitoring, and reporting are available with the FortiManager and FortiAnalyzer products.

Fortinet also offers a SASE service called FortiSASE. It integrates its SD-WAN offering with cloud-delivered security services including a Secure Web Gateway, CASB, firewalling, and Digital Experience Monitoring (DEM).

HPE Aruba Networking EdgeConnect SD-WAN (formerly Silver Peak)

Historically a WAN optimization player like Riverbed, Silver Peak released an SD-WAN product called Unity, including the Unity EdgeConnect appliance that can terminate WAN circuits. Silver Peak had always been good at application identification; it brought that capability, along with its policy controller, into a full SD-WAN solution. Silver Peak also offered a step-up called Unity Boost, adding WAN optimization capability to the SD-WAN platform.

HPE acquired Silver Peak in July of 2020 for $925 million. Silver Peak was folded into HPE’s Aruba Networks business unit.

🗒️ SilverPeak Launches EdgeConnect SD-WAN Product
🗒️ Silver Peak, Masergy Partner On SD-WAN Service
🗒️ Silver Peak Adds BGP & Firewall Capabilities To SD-WAN Product
🎧️ Tech Bytes: SwyMed And Silver Peak Partner On Telemedicine Backpack
🎧️ Tech Bytes: How First Bank Said Goodbye To MPLS With Silver Peak SD-WAN
🎧️ Show 367: Silver Peak & The Maturing Of SD-WAN
🎧️ Show 377: SD-WAN Use Cases With Silver Peak
🎧️ HN444: Silver Peak And Zscaler Team Up On SD-WAN Security

HPE Aruba Networking SSE (formerly Axis Security Atmos)

Axis Security’s Atmos is an SSE offering focused on secure connectivity for your remote workforce. The Atmos platform offerings include ZTNA, SWG, CASB, and DEM into a single platform managed from a single dashboard.

Axis Security was purchased by HPE in March 2023 to be integrated with Aruba Networks’ SASE offerings. The product has been re-branded to HPE Aruba Networking SSE.

iboss Zero Trust SASE

iboss self-describes as a cloud-hosted SASE solution. You bring your own Internet connectivity, and iboss provides several ways to connect to their cloud, including GRE and IPSEC tunnels and several endpoint client options. The iboss solution doesn’t offer SD-WAN functionality in and of itself, which makes them feel like an SSE solution to me, rather than a SASE. Rather, the iboss pitch is to send all Internet traffic to them via a tunnel plumbed over direct Internet access circuits, leaving SD-WAN tunnels and private MPLS circuits you might have to handle interoffice traffic.

The iboss cloud offers firewalling (FWaaS), a cloud access security broker (CASB), proxy service including decrypt & re-encrypt, malware detection, and data loss prevention (DLP). iboss claims to have integrations with “a number of leading SD-WAN vendors”, although none were specifically named in the literature I reviewed. I have seen such integrations before, so I suspect it’s a matter of talking to an iboss rep to find out if they have integration with whatever SD-WAN platform you’re running.

The iboss website makes much of their Zero Trust SASE capabilities, citing NIST SP 800-207, and claiming they meet all requirements found therein.

iboss offers several other security-related services as well.

Ipanema SD-WAN

Ipanema is dead. Infovista acquired Ipanema in 2015. In August 2021, Infovista sold Ipanema to Extreme Networks. In July 2023, Extreme announced end-of-sale, end-of-software-maintenance, and end-of-service-life dates for the Ipanema product line. Extreme’s current offering is ExtremeCloud SD-WAN.

Juniper Networks SD-WAN and Juniper Networks SASE

Juniper’s Session Smart Router (SSR), which comes from a 2020 acquisition of the startup 128 Technology, forwards traffic based on sessions. Each node tracks session state, forwarding packets that are a part of a known session in accordance with policy defined either on the conductor (a centralized controller) or via Juniper’s Mist AI Cloud.

SSRs don’t use tunnels, which Juniper says improves network performance and simplifies deployments. SSRs can peer with each other for enhanced forwarding capabilities or with non-SSR routers using standard routing protocols like BGP and OSPF. SSR nodes can forward to each other, allowing for sophisticated traffic engineered, per-session paths.

An SSR network creates a dynamic, session-oriented service fabric with a number of use cases. One of these use cases is SD-WAN. In an SD-WAN scenario, paths are engineered to forward specific traffic classes over specific links, or over links with specific latency, jitter, and loss characteristics in real-time, matching an SLA centrally defined. Payloads are encrypted using AES 256 encryption.

SSR is available as software rather than a physical appliance. The software runs on off-the-shelf x86 servers and can also be deployed as an ESXi virtual machine or an instance in AWS, Azure, and Google Cloud.

The SSR is one part of Juniper’s SD-WAN product set, the other two components being Mist AI and Mist WAN Assurance.

Juniper also says it has a SASE offering. It’s a combination of its Security Director, for centralized security policy management; Secure Edge, an SSE that provides cloud-delivered security services including firewalling, secure Web gateway, and CASB; and its Session-Smart Router.

HPE announced its intention to acquire Juniper Networks in January 2024. There’s no word, at present, whether the combined company will maintain multiple SD-WAN products in the portfolio.

Lookout Cloud Security SSE Platform

Lookout offers several products that fall under the SSE heading. Their Secure Cloud Access (brief) is a CASB. Secure Private Access (brief) provides ZTNA. Secure Internet Access (brief) offers DLP, SWG, FWaaS, RBI as well as sandboxing.

Lookout also claims easy on-boarding of their services, with one promo video claiming you could be up and running on Lookout in under an hour.

Lookout does not offer SD-WAN functionality as far as I can tell, although they hint that it’s possible to integrate Lookout with SD-WAN solutions in this blog post.

Microsoft Entra SSE

Microsoft has entered the SSE under their relatively new Entra branding with Entra Internet Access and Entra Private Access, along with Defender for Cloud Apps.

Entra Internet Access is an SWG. The differentiator is tight integration with Microsoft 365 for granular access control to help with data loss prevention.

Entra Private Access is a ZTNA solution featuring application connectors you might be familiar with from the Application Proxy product.

Defender for Cloud Apps is Microsoft’s CASB offering.

Microsoft brags that their SSE services are delivered via Microsoft’s global network, which is no idle boast. The Azure network is one of the largest networks on the planet, meaning that their services are likely to be a low latency series of hops away from anywhere your users or data are likely to be located.

Read more about Microsoft Entra SSE in this blog post.

Mushroom Networks Enterprise SD-WAN

Mushroom’s SD-WAN system is delivered as an appliance you place in-line or as a firewall replacement. The main sell is that of WAN circuit bonding, where you can have multiple WAN links active at the same time. Mushroom’s tech is capable of application-level routing and is SLA-aware, so applications can be steered to a circuit capable of delivering on the SLA requirement. Management is centralized and cloud based, and appliances are shipped zero-touch.

Netskope One

Netskope is a security company offering a full suite of SASE and SSE products. The way they present their many offerings, you could buy what you like piecemeal. For example, maybe you’re only shopping for a CASB.

Another approach if you’re looking for a full SASE solution is the Netskope One platform. An architecture like many others, Netskope wants you to connect to their global cloud called the “NewEdge Network” where traffic will be inspected via their Zero Trust Engine. Connecting to the NewEdge Network can be done via the Netskope One Client for individual users or their Netskope One Gateway, an edge gateway router for branch office and data center locations.

NTT Global SD-WAN Services (formerly Virtela)

NTT is a global WAN provider offering SASE services in over 190 countries. The product set includes core SD-WAN functionality as well as cloud-provided secure web and VPN gateways. A key differentiator is granular route optimization, where traffic will flow across a traffic engineered path governed by the needs of, for example, traffic distribution or cloud connectivity. NTT has relationships with over 1,000 ISPs and other service providers globally.

Virtela was acquired by NTT Communications in January 2014.

Nuage Networks

Nuage’s SDN solution has found traction as a network virtualization platform and in cloud operations. Nuage abstracts the physical network away, and automates virtual network services. The functionality is rich enough that Nuage has a play in the SD-WAN space as well, although that has not been its hallmark.

Their SD-WAN 2.0 product page highlights a feature set that has since been termed SASE. This makes sense, as a Nuage Network is intended to route traffic through network functions.

Nuage Networks was an internal startup of Alcatel-Lucent in 2013. Alcatel-Lucent was bought by Nokia in 2015.

📺️ Nuage Networks Presentations At Network Field Day 10

Open Systems SASE Experience

Open Systems offers a managed SASE as well as SD-WAN and SSE both “as-a-service”.

Oracle SD-WAN (formerly Talari Networks)

Oracle SD-WAN appears to be a dead product. As of this writing and according to Oracle’s documentation site, Oracle SD-WAN’s latest release was version 9.1 in September 2022. Searching for “SD-WAN” on Oracle’s site turns up primarily support pages and documentation, but nothing from product or solution pages.

A global internet search turned up this page from February 2023, suggesting that Oracle has killed off the product entirely.

Talari was acquired by Oracle Systems in 2018.

🎧️ Tech Bytes: Oracle And The Failsafe SD-WAN
🎧️ Show 261: Lessons Learned From SD-WAN Deployments
🎧️ Show 236 – Talari and the Software-Defined WAN

Palo Alto Networks Prisma SASE (formerly CloudGenix)

Palo Alto Networks acquired CloudGenix in March 2020 for $420 million. Since that time, we’ve done many recordings with Palo Alto Networks covering the Prisma SASE product set and feature advancements through the years. If you’d like to get to know what PANW is offering in the SASE space (and it’s a lot), here’s a sampling to jumpstart your research.

Riverbed Networks Secure Enterprise SD-WAN

Long the WAN optimization king, Riverbed has had a complicated relationship with SD-WAN. Riverbed was initially slow to the SD-WAN party, and didn’t make the pivot that could have leveraged their massive install base of SteelHead appliances before other vendors began to eat their lunch. Riverbed still has an SD-WAN story to tell, if they’re a firm you’re comfortable spending budget with. They’ve had a rough go of it, although seem to be on a more stable financial footing as of this writing.

On the landing page, Riverbed emphasizes a somewhat dated but still relevant SD-WAN value proposition of replacing a private MPLS WAN with a combination broadband and LTE WAN. Riverbed’s SD-WAN differentiator leans into their past: WAN optimization. By combining modern SD-WAN routing with WAN optimization, customers can add latency reduction to the list of benefits they get from SD-WAN.

Riverbed’s recent history highlights how they never quite forwarded along the SD-WAN path. Riverbed purchased SD-WAN vendor Ocedo in January 2016. In April 2017, Riverbed acquired Xirrus to supposedly supercharge their SD-WAN offering. In June 2019, Riverbed announced an OEM agreement with SD-WAN vendor Versa Networks. By April 2020, Riverbed no longer considered themselves an SD-WAN company, choosing to re-emphasize their WAN optimization roots. In November 2021, Riverbed filed for chapter 11 bankruptcy protection to restructure their considerable debts. In May 2023, Vector Capital acquired Riverbed.

🗒️ Riverbed: We’re An SD-WAN Company
🎧️ Show 254 – Riverbed: Beyond WAN Optimization
🎧️ Show 266: Exploring Riverbed SD-WAN And Project Tiger

SonicWall Secure SD-WAN

SonicWall offers SD-WAN appliances with table stakes features including the ability to steer traffic over the best-performing link, dynamic path selection based on performance characteristics, and support for internet and mobile links.

Turnium

Based in Canada, Turnium (formerly Multapplied Networks) is a provider of SD-WAN technology primarily to service providers and managed service providers. SPs and MSPs use Turnium technology to create their own service offerings for their customers, placing Turnium in a similar space to TELoIP (now Adaptiv), VMware’s VeloCloud, and a few others.

Turnium is not in the hardware business, although they have a series of x86-based CPE boxes they test. Test results are published to help Turnium buyers make informed decisions about what hardware they should choose to obtain the performance from Turnium software they require. This approach underscores Turnium’s focus on enabling SPs and MSPs to build whatever branded service they wish to offer their customers.

Turnium, like most SD-WAN offerings, is physical layer agnostic, aggregating WAN services over a mix of DOCSIS, LTE, MPLS, and so on. The technology works by delivering IP over whatever the physical layers happen to be, enabling a carrier and circuit diversity design that guarantees application availability.

Turnium capabilities also include multiple tiers of encryption that can be leveraged on an application-by-application basis, a claimed 90-95% circuit utilization efficiency, single flow distribution across multiple physical circuits at a time, and hitless real-time transfer of flows away from circuits that begin to underperform.

Versa Networks

Versa entered the SD-WAN market in 2015, formed by a team of ex-Juniper folks. Versa offers a full range of SD-WAN and SASE products, their own operating system, multiple appliances, and more. A January 2024 press release boasts “Versa Networks Launches Industry’s First Unified SASE Gateway that Scales Beyond 100Gbps” —significant as this performance appears to be delivered in a single box and uses single-pass architecture.

Versa customers are both enterprises and service providers. The product set is even beyond SASE, touching on SSE and other networking related products. You can get a sense of the Versa architecture by reviewing their components page.

VMware SD-WAN (formerly VeloCloud) & SASE

VMware’s SASE portfolio includes SD-WAN services along with SD-Access, Cloud Web Security, and Edge Intelligence. Here’s a breakdown of these modules. SD-WAN offers the core SD-WAN functionality you’d expect: a virtualized WAN that leverages one or more physical WAN circuits with customized routing. Their SD-Access product is for remote access and emphasizes the zero-trust model. Cloud Web Security filters traffic heading from users and corporate infrastructure to cloud services. Edge Intelligence is focused on client experience by monitoring and analyzing traffic at the far edge of the network.

VeloCloud was acquired by VMware in November 2017. VMware was acquired by Broadcom in November 2023.

🎧️ D2C023: Optimizing Multi-Cloud Connectivity With VeloCloud
🎧️ BiB 41: VMware NSX SD-WAN By VeloCloud
🎧️ Show 257: VeloCloud SD-WAN
🗒️ Is Cisco Hedging On SD-WAN With VeloCloud Investment?
🎧️ HN607: ZTNA Everywhere With VMware SASE
🎧️ Tech Bytes: Boosting WAN Speeds While Cutting Costs With VMware SD-WAN
🎧️ HN657: New VMware Client Connects Users To SASE, SD-WAN

WatchGuard Technologies

WatchGuard leverages the capabilities of its Firebox Unified Security Platform to provide table stakes SD-WAN features. The company announced its SD-WAN offering in December 2018. Their solution brief from that time summarizes the feature set succinctly.

WatchGuard’s SD-WAN capabilities include dynamic path selection of multiple WAN links, including MPLS and internet. WatchGuard measures link performance for delay, jitter, and packet loss, and can assign paths based on link performance, application type, and other criteria. Administrators can also apply traffic shaping policies to limit bandwidth consumption of particular application categories (a feature available prior to WatchGuard rolling out its SD-WAN offering).

Like other firewall and UTM vendors moving into the SD-WAN space, WatchGuard touts its security features as a compelling differentiator. Customers get a next-gen firewall, packet inspection, malware prevention and AV, and other security features along with SD-WAN capabilities in a single package.

🗒️ SD-WAN At Home? The Obstacles And Issues

Zscaler

Zscaler is a security company known for cloud-based offerings. This company focus has played well into the modern SASE architecture emphasizing zero-trust and anything connecting to anything else from anywhere.

The Zscaler SASE model is like Cloudflare’s, Aryaka’s, Netskope’s, and Cato Networks’, among others. Connect to the Zscaler cloud they call the “Zero Trust Exchange”, and Zscaler will handle the traffic inspection using a variety of services. Zscaler offers a marketing whitepaper titled The One True Zero Trust Platform to explain what’s going on with your company’s traffic in their cloud. If you want to more detail about how Zscaler thinks about zero-trust, identity management, inspection of TLS-encrypted traffic, it’s worth a look.

Another Zscaler reference architecture on Protecting Private Applications with ZPA AppProtection is also worth looking at, as secured application publication might be an approach you’re interested in for publishing your own company’s applications if you’re adopting SASE.

About Ethan Banks: Hey, I'm Ethan, co-founder of Packet Pushers. I spent 20+ years as a sysadmin, network engineer, security dude, and certification hoarder. I've cut myself on cage nuts. I've gotten the call at 2am to fix the busted blinky thing. I've sat on a milk crate configuring the new shiny, a perf tile blowing frost up my backside. These days, I research new enterprise tech & talk to the people who are making or using it for your education & amusement. Hear me on the Heavy Networking podcast.

Blog > Good to Know | March 13, 2024

TAGS: SASE | SD-WAN | vendor

SD-WAN, SASE, and SSE Vendors: A Reference List

Ethan Banks