When people think of virtualization and computing, most of them also think of VMware. So it’s no surprise that networking professionals considering virtualizing their networks include VMware on their list of vendors.
VMware has assembled a broad Secure Access Service Edge (SASE) offering that ticks all the right boxes. Does this make VMware the SASE answer to enterprise networking and security challenges? Let’s find out.
What is SASE?
As we have seen in previous articles, SASE represents the convergence of networking and security capabilities. Ideally, it is delivered as a native cloud service instead of using common IT edge devices.
Although SASE encompasses a dozen security features, the emphasis is less on a feature-by-feature comparison and more on reducing complexity through integration. This integration enables IT to deliver consistent, accurate, and high-performance security and connectivity to users around the world with minimal administration and overhead.
It’s that last part that’s so important: minimal administration and overhead. The functionality provided by SASE providers is not new. We’ve long had firewalls, cloud access security brokers (CASBs), and the rest of the bunch. What is new is the convergence of these technologies in a global service architecture delivered from the cloud. That convergence is a revolutionary change in how SASE connects and secures the enterprise.
VMware SASE Platform Components
VMware documentation describes the VMware SASE Platform as a cloud-native platform that combines cloud networking and cloud security “to deliver flexibility, agility, protection, and scalability to businesses of all sizes.” The company says it is unique in the way its points of presence (PoPs) act as an on-ramp to SaaS and other cloud services.
Several VMware products make up the VMware SASE platform. To connect to VMware SASE, sites run VMware Software-Defined WAN (SD-WAN) devices; remote users connect through VMware Workspace ONE. VMware claims that both options are compliant with Zero Trust Network Access (ZTNA) principles.
The VMware SASE PoP strategy includes the following components:
- VMware Secure Access allows ZTNA-based access.
- VMware SD-WAN Gateway provides cloud access. VMware says more than 3,000 cloud gateways are available at hundreds of points of presence around the world.
- VMware Cloud Web Security integrates Secure Web Gateway (SWG), CASB, Data Loss Prevention (DLP), URL Filtering, and Remote Browser Isolation (RBI).
- VMware NSX Cloud Firewall provides next-generation firewall (NGFW), intrusion prevention systems and intrusion detection systems.
In addition to VMware SASE Platform, the vendor offers VMware Edge Network Intelligence, which uses AI for IT operations to provide end-to-end visibility from WAN to branch and LAN.
As with Palo Alto Networks’ SASE, the VMware SASE platform seems to tick the boxes required to be a SASE platform. Yes, it has SD-WAN, and its Secure Access is compliant with ZTNA. It also offers NGFW, SWG, CASB, DLP, and RBI. Enterprise gateways are an important asset for bringing SD-WAN traffic closer to an organization’s cloud instances.
However, VMware’s SASE offering feels rushed to market: a set of discrete products bundled under a SASE brand. SD-WAN comes from the acquisition of VeloCloud, mobile access management from AirWatch, and security from Carbon Black and Menlo Security. Cloud-hosted components are point services chained together. Each product requires its own management portal.
The PoPs touted by VMware are very different from what we’ve seen from Cato Networks or Aryaka, where PoPs include a global private backbone that could replace an organization’s WAN. To replace a WAN with VMware, companies must rely on a third-party backbone provider, which introduces even more complexity. Not all VMware PoPs offer the same set of SASE features either, which adds even more complexity to the network.
In short, SASE from VMware brings much of the complexity and cost of the buying approach that has long complicated IT.
Lots of features but not a lot of SASE
VMware SASE certainly provides many features. And if companies were previously happy with discrete appliances, they will be familiar with the appliance-centric approach offered by VMware.
Companies expecting something new may be disappointed. VMware SASE is more like a custom product integration than a single SASE platform, and the degree of integration is key.
SASE innovation has never been about defining new capabilities; the promise was always that IT would evolve through tight integration of capabilities and their migration to the cloud. Unfortunately, this promise is still missing in VMware SASE.