SASE Architecture: SD-WAN + SSE, ZTNA, CASB, SWG, FWaaS and Cloud Security
SASE (Secure Access Service Edge) combines networking and security into a single cloud-delivered service. SD-WAN provides intelligent routing; SSE (Security Service Edge) bundles the security functions; ZTNA (Zero Trust Network Access) replaces the VPN with identity-based access; CASB controls cloud application usage; SWG filters web traffic; and FWaaS delivers firewall-as-a-service from the cloud.
Organisations in the hybrid-work era have users spread everywhere: office, home, coffee shop, co-working space. Traffic no longer passes through the corporate data center. The traditional architecture (backhauling traffic through the HQ firewall) creates high latency and a bottleneck. SASE fixes this by moving security to a cloud edge close to the users, so access is both secure and fast wherever the user is.
SASE Components
| Component | Category | Function |
|---|---|---|
| SD-WAN | Networking | Intelligent routing, WAN optimization, application-aware traffic steering |
| ZTNA | Security (SSE) | Zero trust access to private apps (replaces VPN) |
| CASB | Security (SSE) | Cloud app visibility + control + DLP (Shadow IT detection) |
| SWG | Security (SSE) | Web filtering, malware scanning, URL categorization |
| FWaaS | Security (SSE) | Cloud-based firewall (L3-L7 inspection) |
| DLP | Security (SSE) | Data Loss Prevention (prevent sensitive data leakage) |
| RBI | Security (SSE) | Remote Browser Isolation (isolate risky web sessions) |
SD-WAN in SASE
| Feature | Details |
|---|---|
| Application-Aware Routing | Identify applications → route over the best path (MPLS, broadband, LTE) |
| SLA Policies | Define latency/jitter/loss thresholds → auto-failover if the SLA fails |
| Direct Internet Access | Route SaaS traffic directly to the internet (no backhaul through the DC) |
| WAN Optimization | TCP optimization, dedup, compression → improve WAN performance |
| Zero-Touch Provisioning | Branch devices auto-connect to the SD-WAN fabric (no on-site engineer) |
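The application-aware routing and SLA policy rows above can be shown as a small path-selection loop. The following is an added example written for this page, not code from the original article or from any SD-WAN vendor; the path names, measured metrics, SLA thresholds and application classes are all constructed sample values.

```python
"""Added example (not from the original article): SD-WAN application-aware
path selection with SLA-based failover. All paths, metrics, thresholds and
application classes are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class PathMetrics:
    name: str          # WAN link: "mpls", "broadband" or "lte" (constructed)
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class SlaPolicy:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: list    # ordered path preference for this application class


# Constructed SLA policies per application class. SaaS prefers broadband first,
# which is the Direct Internet Access pattern (no backhaul over MPLS to the DC).
SLA_POLICIES = {
    "voice": SlaPolicy(150, 30, 1.0, ["mpls", "broadband", "lte"]),
    "saas":  SlaPolicy(300, 50, 2.0, ["broadband", "lte", "mpls"]),
    "bulk":  SlaPolicy(1000, 200, 5.0, ["broadband", "mpls", "lte"]),
}

# Constructed application catalog: identified application -> class.
APP_CLASSES = {"teams-voice": "voice", "o365": "saas", "nightly-backup": "bulk"}


def meets_sla(path: PathMetrics, sla: SlaPolicy) -> bool:
    """True when every measured value is within the SLA thresholds."""
    return (path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms
            and path.loss_pct <= sla.max_loss_pct)


def select_path(app_class: str, paths: list) -> tuple:
    """Return (path_name, within_sla). Walk the preference list and take the
    first path that meets the SLA; if none does, fail over to the least-bad
    path (lowest loss, then lowest latency) and flag the SLA breach."""
    sla = SLA_POLICIES[app_class]
    by_name = {p.name: p for p in paths}
    for name in sla.preferred:
        path = by_name.get(name)
        if path is not None and meets_sla(path, sla):
            return name, True
    best = min(paths, key=lambda p: (p.loss_pct, p.latency_ms))
    return best.name, False


def steer(app: str, paths: list) -> tuple:
    """Application-aware steering: classify the identified app, then select."""
    return select_path(APP_CLASSES.get(app, "bulk"), paths)


# Constructed probe measurements for three scenarios.
HEALTHY = [PathMetrics("mpls", 40, 5, 0.1),
           PathMetrics("broadband", 60, 12, 0.3),
           PathMetrics("lte", 120, 40, 1.5)]
MPLS_DEGRADED = [PathMetrics("mpls", 45, 6, 3.0),
                 PathMetrics("broadband", 60, 12, 0.3),
                 PathMetrics("lte", 120, 40, 1.5)]
ALL_DEGRADED = [PathMetrics("mpls", 400, 20, 0.1),
                PathMetrics("broadband", 350, 60, 2.5),
                PathMetrics("lte", 500, 90, 4.0)]

if __name__ == "__main__":
    for label, paths in [("healthy", HEALTHY), ("mpls degraded", MPLS_DEGRADED),
                         ("all degraded", ALL_DEGRADED)]:
        for app in APP_CLASSES:
            print(label, app, steer(app, paths))
```

The `within_sla` flag is what a practitioner would alert on: a path that is chosen as best effort while outside its SLA is a link-quality incident, not a routing success.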
ZTNA (Zero Trust Network Access)
| Feature | VPN (Traditional) | ZTNA |
|---|---|---|
| Trust Model | Trust after VPN connect (full network access) | Never trust, always verify (per-app access) |
| Access Scope | Entire network segment | Specific application only (least privilege) |
| Visibility | Apps sit behind the VPN (discoverable once connected) | App invisible until authorized (dark cloud) |
| User Experience | VPN client → connect → access | Seamless (agent-based or browser-based) |
| Lateral Movement | Possible (full network access after VPN) | Prevented (per-app micro-tunnel) |
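The table contrasts two access models; the following added example (written for this page, not code from the original article or from any ZTNA product) puts both decisions side by side. The application names, groups, posture attributes and the VPN segment are constructed; a real ZTNA broker takes identity from the IdP and posture from the endpoint agent.

```python
"""Added example (not from the original article): a per-app ZTNA policy
decision beside the network-segment decision a traditional VPN makes.
Apps, groups, posture rules and the VPN segment are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_verified: bool
    posture: DevicePosture
    app: str


# Constructed per-app policies. Note there is no "network" entry at all:
# ZTNA grants applications, never segments.
APP_POLICIES = {
    "hr-portal": {"groups": {"hr", "it-admin"}, "require_managed": True},
    "git":       {"groups": {"engineering", "it-admin"}, "require_managed": True},
    "wiki":      {"groups": {"all-staff"}, "require_managed": False},
}

VPN_SEGMENT = "10.0.0.0/8"   # constructed: the reach a VPN connection hands out


def posture_ok(p: DevicePosture, require_managed: bool) -> bool:
    """Managed-device apps need the full posture; other apps only a patched OS."""
    if require_managed:
        return p.managed and p.disk_encrypted and p.edr_running and p.os_patched
    return p.os_patched


def visible_apps(groups: frozenset) -> set:
    """Apps the broker acknowledges for this identity. Everything else is
    invisible (dark cloud), not merely forbidden."""
    return {app for app, pol in APP_POLICIES.items() if groups & pol["groups"]}


def ztna_decision(req: AccessRequest) -> tuple:
    """Return (decision, reason). Unknown and unauthorized apps both yield
    'not_found', so probing cannot reveal which apps exist."""
    if not req.mfa_verified:
        return "deny", "identity not verified (MFA required)"
    if req.app not in visible_apps(req.groups):
        return "not_found", "app not visible to this identity"
    if not posture_ok(req.posture, APP_POLICIES[req.app]["require_managed"]):
        return "deny", "device posture check failed"
    return "allow", f"per-app tunnel to {req.app} only"


def vpn_decision(req: AccessRequest) -> tuple:
    """Traditional VPN: once authenticated, the whole segment is reachable,
    whatever app was wanted and whatever the device posture."""
    if not req.mfa_verified:
        return "deny", "authentication failed"
    return "allow", f"full access to {VPN_SEGMENT}"


GOOD_POSTURE = DevicePosture(True, True, True, True)
BYOD_POSTURE = DevicePosture(managed=False, disk_encrypted=True,
                             edr_running=False, os_patched=True)
HR_GROUPS = frozenset({"hr", "all-staff"})
ENG_GROUPS = frozenset({"engineering", "all-staff"})

# Constructed sample requests.
SAMPLE_REQUESTS = {
    "alice_hr":      AccessRequest("alice", HR_GROUPS, True, GOOD_POSTURE, "hr-portal"),
    "alice_git":     AccessRequest("alice", HR_GROUPS, True, GOOD_POSTURE, "git"),
    "alice_ghost":   AccessRequest("alice", HR_GROUPS, True, GOOD_POSTURE, "payroll-db"),
    "bob_git_byod":  AccessRequest("bob", ENG_GROUPS, True, BYOD_POSTURE, "git"),
    "bob_wiki_byod": AccessRequest("bob", ENG_GROUPS, True, BYOD_POSTURE, "wiki"),
    "mallory_nomfa": AccessRequest("mallory", frozenset({"all-staff"}), False,
                                   GOOD_POSTURE, "hr-portal"),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:14} VPN={vpn_decision(req)}  ZTNA={ztna_decision(req)}")
```

The contrast to look at is `alice_git`: the VPN answer is "allow, full access to the segment" even though Alice is not entitled to git, which is exactly the lateral-movement surface the table's last row describes; the ZTNA answer is `not_found`.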
CASB (Cloud Access Security Broker)
| Feature | Details |
|---|---|
| Shadow IT Discovery | Find cloud apps that employees use without approval |
| Data Protection | DLP for cloud apps (block uploads of sensitive data to personal Dropbox) |
| Threat Protection | Scan files in cloud storage for malware |
| Compliance | Enforce compliance policies on cloud apps (encryption, sharing controls) |
| API Mode | Connect via API to SaaS (O365, Salesforce) → inspect data at rest |
| Inline Mode | Proxy traffic → inspect data in motion (real-time) |
SWG (Secure Web Gateway)
| Feature | Details |
|---|---|
| URL Filtering | Block access to malicious/inappropriate websites (category-based) |
| SSL Inspection | Decrypt HTTPS → inspect content → re-encrypt (see encrypted threats) |
| Malware Scanning | Scan downloads for malware/viruses before they reach the endpoint |
| Sandboxing | Execute suspicious files in a sandbox → detect zero-day malware |
| DNS Security | Block DNS queries to malicious domains |
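The SWG URL-filtering row and the CASB inline-mode, Shadow IT discovery and cloud DLP rows all act on the same proxied request, so one added example serves both sections. It is written for this page, not code from the original article or from any SWG/CASB product; the log format, hostnames, category table, app catalog and the `dlp=` classifier verdict are all constructed.

```python
"""Added example (not from the original article): the inline check an SWG
(URL category filtering) and a CASB (shadow IT discovery, cloud DLP) apply to
proxied web traffic, run over constructed proxy log lines."""
import re
from collections import Counter

# Constructed SWG URL-category table (domain suffix -> category).
URL_CATEGORIES = {
    "news.example": "news",
    "malware-drop.example": "malware",
    "bet-site.example": "gambling",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "gambling"}

# Constructed CASB app catalog (domain suffix -> (app name, sanctioned?)).
CLOUD_APPS = {
    "sharepoint.example": ("Corporate SharePoint", True),
    "personal-box.example": ("Personal File Share", False),
    "paste-anywhere.example": ("Paste Site", False),
}

# Constructed log format. The dlp= field is the verdict of an inline content
# classifier, which is only possible because SSL inspection exposes the payload.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) bytes_out=(?P<bytes_out>\d+) dlp=(?P<dlp>\S+)$"
)

SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice method=GET host=www.news.example path=/ bytes_out=0 dlp=none
2024-05-01T09:00:05Z user=bob method=GET host=cdn.malware-drop.example path=/x.exe bytes_out=0 dlp=none
2024-05-01T09:01:10Z user=alice method=POST host=files.personal-box.example path=/upload bytes_out=5242880 dlp=pii
2024-05-01T09:02:00Z user=carol method=GET host=personal-box.example path=/home bytes_out=0 dlp=none
2024-05-01T09:03:30Z user=alice method=PUT host=team.sharepoint.example path=/doc bytes_out=204800 dlp=pii
2024-05-01T09:04:00Z user=bob method=POST host=paste-anywhere.example path=/new bytes_out=2048 dlp=none
"""


def parse_line(line: str) -> dict:
    m = LOG_LINE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["bytes_out"] = int(event["bytes_out"])
    return event


def lookup(table: dict, host: str):
    """Match the host itself or any parent domain against a suffix table."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def decide(event: dict) -> tuple:
    """Return (action, reason): SWG category check first, then CASB app policy."""
    category = lookup(URL_CATEGORIES, event["host"])
    if category in BLOCKED_CATEGORIES:
        return "block", f"swg: category {category}"
    app = lookup(CLOUD_APPS, event["host"])
    if app is None:
        return "allow", f"swg: category {category or 'uncategorized'}"
    name, sanctioned = app
    if sanctioned:
        return "allow", f"casb: sanctioned app {name}"
    uploading = event["method"] in {"POST", "PUT"} and event["bytes_out"] > 0
    if uploading and event["dlp"] != "none":
        return "block", f"casb: {event['dlp']} upload to unsanctioned app {name}"
    return "allow-monitor", f"casb: shadow IT {name}"


def shadow_it_report(lines) -> Counter:
    """Shadow IT discovery: sessions per unsanctioned cloud app, blocked or not."""
    seen = Counter()
    for line in lines:
        app = lookup(CLOUD_APPS, parse_line(line)["host"])
        if app is not None and not app[1]:
            seen[app[0]] += 1
    return seen


def run(log_text: str) -> list:
    """Decide every line; returns (user, host, action, reason) per line."""
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    return [(e["user"], e["host"]) + decide(e) for e in events]


if __name__ == "__main__":
    for row in run(SAMPLE_LOG):
        print(*row, sep="  ")
    print(shadow_it_report(SAMPLE_LOG.strip().splitlines()))
```

Two points the sample log illustrates: the same `dlp=pii` upload is allowed to the sanctioned SharePoint but blocked to the personal file share, which is the CASB data-protection row in practice; and the shadow IT report counts the blocked upload too, because discovery is about what users are trying to use, not only what got through.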
SASE Vendors
| Vendor | Product | Strengths |
|---|---|---|
| Zscaler | ZIA (SWG) + ZPA (ZTNA) + ZDX | Largest SSE cloud, 150+ PoPs, zero trust leader |
| Palo Alto | Prisma SASE (Prisma Access + Prisma SD-WAN) | Full SASE, ADEM (experience monitoring), ML-powered |
| Cisco | Cisco+ Secure Connect (Umbrella + Meraki SD-WAN) | Umbrella DNS + SWG + ZTNA + Meraki SD-WAN integration |
| Fortinet | FortiSASE (FortiGate Cloud + FortiClient) | Single OS (FortiOS), unified management, strong SD-WAN |
| Netskope | Netskope One (SSE leader + SD-WAN) | Best CASB, inline + API, NewEdge network (low latency) |
| Cloudflare | Cloudflare One (ZTNA + SWG + CASB + DEM) | Largest edge network (300+ cities), developer-friendly |
SASE Deployment
| Phase | Action |
|---|---|
| 1. SD-WAN First | Deploy SD-WAN at the branches → direct internet access → reduce MPLS cost |
| 2. SWG + DNS | Route web traffic through the cloud SWG → web filtering + malware protection |
| 3. ZTNA | Replace the VPN with ZTNA → per-app access, better security + UX |
| 4. CASB + DLP | Add cloud app visibility + data protection → control Shadow IT |
| 5. Full SASE | Converge networking + security → single platform, single policy |
Closing: SASE = Network + Security Converged in the Cloud
SASE Architecture summary:
- SD-WAN: intelligent routing + DIA + WAN optimization (networking side)
- SSE: ZTNA + CASB + SWG + FWaaS + DLP (security side)
- ZTNA: replace VPN → per-app access, least privilege, app invisible until authorized
- CASB: shadow IT discovery, cloud DLP, threat protection, compliance
- SWG: URL filtering, SSL inspection, malware scanning, sandboxing
- Vendors: Zscaler (SSE leader), Palo Alto Prisma, Netskope (CASB), Cloudflare One
- Deploy: SD-WAN first → SWG → ZTNA → CASB → full convergence
- Key: SASE = security follows the user (not bound to the corporate network perimeter)
Read more about SD-WAN Architecture (Overlay and Underlay) and Zero Trust Architecture (ZTNA) at siamlancard.com, or from icafeforex.com and siam2r.com.