Service Chaining is Not True SASE

service chaining
service chaining

When Gartner defined the term Secure Access Service Edge (SASE), they set the vision for the next generation of network security. However, when evaluating SASE solutions, it is important to be careful as some SASE vendors are taking advantage of the buzz and not delivering a true SASE solution.

What is SASE?

SASE is a network and security solution designed for the modern network. Legacy security solutions were intended to build a network perimeter around an on-site network. As organizations’ IT infrastructure increasingly moves off-premises – due to cloud adoption, remote work, and the growing use of mobile and Internet of Things (IoT) devices – this legacy model (and the solutions built for it) are no longer effective.

SASE is a cloud-native, fully-integrated networking and security solution. It combines the network optimization of software-defined WAN (SD-WAN) with a full security stack and deploys as a virtualized cloud-based appliance.

Where Service Chaining Falls Short

Many cybersecurity vendors have invested heavily in developing standalone security solutions. They specialize in creating next-generation firewalls (NGFWs) or identity and access management (IAM) solutions or SD-WAN appliances.

As SASE becomes more popular, these vendors are trying to move into the market using their existing solutions. To do so, they take advantage of service chaining to build a SASE-like solution out of the pieces that they already have.

How Service Chaining Works

The development of virtual network functions (VNFs) has been ongoing for several years. A VNF is software that is designed to fulfill a role that historically was filled by a physical appliance. Common examples are firewalls, intrusion prevention systems (IPSs), networking routing, and similar functionality.

With the right VNFs, it is possible to build a solution with the same capabilities as SASE via service chaining. Service chaining uses software-defined networking (SDN) to route traffic through a series of VNFs in a chain. For example, service chaining may send traffic through a NGFW, followed by an IPS, etc.

SASE is commonly defined as having a set of core capabilities, including: both networking (SD-WAN, WAN optimization, Quality of Service, etc.) and security (NGFW, SWG, CASB, etc.) functionality. By taking a “check the box” approach using VNFs and service chaining, it is possible to build a solution that performs the same functions as a true SASE solution.

The Limitations of Service Chaining

While service chaining can create a SASE-like solution, it is impossible to create a true SASE solution via service chaining. Some of the limitations of the service chaining-based approach to SASE include:

  • Lack of Security Integration: One of the major selling points of SASE is that it offers full security integration. All of the components of a SASE solution are built into a single solution. This allows the SASE solution to achieve additional efficiency and increased effectiveness since all of its components are designed to work as one, rather than being cobbled together like Frankenstein’s monster.
  • Degraded Performance: Service chaining uses SDN to fit all of the necessary components into a chain and forces all traffic to flow through this chain. This rigid structure makes the throughput of the entire system equal to the component with the smallest bandwidth. As a result, the system is slower and lacks the adaptability and optimization of a SASE solution.
  • Increased Complexity: The growing complexity of security is one of the biggest challenges faced by security teams. Many organizations are dependent on an array of standalone point security products that need to be independently configured, monitored and maintained. A SASE-like solution built using service chaining does not solve this problem because the same array of standalone components still exists. SASE, on the other hand, integrates all of the required functionality into a single, fully-integrated solution with one dashboard for configuration, monitoring, and maintenance.

Service chaining makes it possible to build a solution that looks like SASE and acts like SASE at a high level. However, the lack of integration among its various components results in a solution that is less efficient, not as effective, and harder to use.

The Advantages of a True SASE Solution

A true SASE solution is designed to provide all of the functionality of SASE as an integrated whole. This provides several advantages compared to a tool built via service chaining, including:

  • Solution Optimization: SASE solutions are designed to be a single integrated tool. This makes it possible to take advantage of optimizations and synergies between the various functions that do not exist for standalone solutions linked together.
  • Simplified Maintenance: A SASE solution is a single tool, and updates are shipped for the solution as a whole. This eliminates the complexity of independently updating and reconfiguring each of the components cobbled together via service chaining.
  • Coherent Design: The components of a SASE solution are designed to work together. This minimizes the probability of security oversights or undesirable interactions between standalone components that can make a service chaining-based solution difficult to use.

SASE is a solution designed to address the network and security challenges of the modern enterprise. When evaluating potential solutions, make sure that they are true SASE solutions and not just legacy technology cobbled together via service chaining.


Please enter your comment!
Please enter your name here