MPLS, SD-WAN and SASE, the future of WAN

WAN is the backbone of the business. It ties together remote locations, headquarters, and data centers into an integrated network. The role of the WAN has evolved significantly in the past years: beyond physical locations, we now need to provide optimized and secure access to cloud-based resources for a global and mobile workforce.

The existing WAN optimization and security solutions were designed for physical locations and point-to-point architectures, and are no longer able to support this transformation. 


First Generation: Legacy WAN Connectivity

Currently, there are two WAN connectivity options, which balance cost, availability and latency: MPLS and Internet. 


With MPLS, a telecommunication provider provisions two or more business locations with a managed connection and routes traffic between these locations over their private backbone. In theory, since the traffic does not traverse the Internet, encryption is optional.  

Because the connection is managed by the telco, end to end, it can commit to availability and latency SLAs. This commitment is expensive and is priced by bandwidth. Enterprises choose MPLS if they need to support applications with stringent up-time requirements and minimal quality of service (such as Voice over IP, VoIP). 

To maximize the usage of MPLS links, WAN optimization equipment is deployed at each end of the line, to prioritize and reduce different types of application traffic. The effectiveness of such optimizations is protocol and application specific (for example, compressed streams benefit less from WAN optimization)  

Advantages of MPLS: Low Latency and High availability 

Disadvantages: high price 


Internet connections procured from the ISP, typically offer nearly unlimited last mile capacity for a low monthly price. An unmanaged Internet connection doesn’t have the high availability and low-latency benefits of MPLS but it is inexpensive and quick to deploy.  

IT establishes an encrypted VPN tunnel between the branch office firewall and the headquarters/data center firewall. The connection itself is going through the Internet, with no guarantee of service levels because it is not possible to control the number of carriers or the number of hops a packet has to cross. This can cause unpredictable application behavior due to increased latency and packet loss. 

Advantages of Internet: Low price 

Disadvantages: Unknown latency and low availability 

Second generation: Appliance-based SD-WAN

The cost/performance trade off between Internet and MPLS, gave rise to SD-WAN. 

SD-WAN is using both MPLS and Internet links to handle WAN traffic. Latency sensitive apps are using the MPLS links, while the rest of the traffic is using the Internet link. The challenge customers face is to dynamically assign application traffic to the appropriate link.  

SD-WAN solutions offer the management capabilities to direct the relevant traffic according to its required class of service, offloading MPLS links and delaying the need to upgrade capacity.  

SD-WAN solutions, however, are limited in a few key aspects: 

  • Footprintsimilar to WAN optimization equipment, SD-WAN solutions must have a box deployed at each side of the link 
  • Connectivity: SD-WAN can’t replace the MPLS link because its Internet “leg” is exposed to the unpredictable nature of unmanaged Internet connection (namely, its unpredictable latency, packet drops and availability) 
  • Deployment: SD-WAN, like the other WAN connectivity options, is agnostic to the increased role of the Internet, cloud and mobility within the enterprise network. It focuses, for the most part on optimizing the legacy, physical WAN. 


Third Generation: Secure Access Service EDGE (SASE)

With the rapid migration to cloud applications (Office 365, Slaesforce), cloud infrastructure (AWS, Azure, Criticalcase cloud) and a mobile workforce, the classic WAN architecture is severely challenged.  

SASE (Secure Access Service EDGE) is the convergence of wide area networking, or WAN, and network security services like CASB, FWaaS and Zero Trust, into a single, cloud-delivered service mode

According to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.” 

It is no longer sufficient to think in terms of physical locations being the heart of the business, and here is why: 

  • Limited end-to-end link control for the cloud 

With public cloud applications, organizations can’t rely on optimizations that require a box both end of each link. In addition, cloud infrastructure (servers and storage) introduces a new production environment that has its own connectivity and security requirements. Existing WAN and security solutions don’t naturally extend to cloud-based environments. 

  • Limited service and control to mobile users 

Securely accessing corporate resources requires, mobile users to connect to a branch or HQ firewall VPN which could be very far from their location. This causes user experience issues, and encourages compliance violations (for example, direct access to cloud services that bypasses corporate security policy). Ultimately, the mobile workforce is not effectively covered by the WAN.  

SASE is aiming to address the challenges of traditional WAN. It is based on the following principles:  

– The perimeter moves to the Cloud: The notorious dissolving perimeter is re-established in the cloud. The cloud delivers a managed WAS backbone with reduced latency and optimal routing. This ensures the required quality of service for both internal and cloud-based applications. 

– The network “democratic” and all-inclusive: all network elements plug into the cloud WAN with secure tunnels including physical locations, cloud resources and mobile users. This ensures all business elements are integral part of the network instead of being bolted on top of a legacy architecture 

– Security is integrated into the network: beyond securing the backbone itself, it is possible to directly secure all traffic (WAN and Internet) that crosses the perimeter – without deploying distributed firewall. 

Download the paper to learn network transformation strategies and how to migrate from MPLS to modern SASE solutions. 

Download free E-book

How to migrate from MPLS to SD-WAN

 By adopting SASE companies gain numerous benefits in terms of agility, collaboration, efficiency and cost reduction. 

Criticalcase has formed a strategic partnership with Cato Networks, the world first and only SASE platform. At your disposal we always have numerous engineers available to answer any of your question or add the information you might have missed. Fill out the form below to get in touch

Share on facebook
Share on twitter
Share on linkedin

Contact us

Fill out the form and one of our experts will contact you within 24 hours: we look forward to meeting you!

Richiedi la tua prova gratuita

Ehi! Stai già andando via?

Iscriviti alla nostra newsletter per restare aggiornato sulle novità dell’universo Criticalcase