Conventional WAN topology

In traditional networks, the company’s proprietary data center is the hub for all data traffic. Internet or cloud connectivity is provided through the dedicated demilitarized zone (DMZ) – a buffer zone that isolates the external network (Internet) from the internal network through strict communication rules and firewalls. All branch offices are connected to the main office data center via WAN connections (MPLS or VPN) and use them to access Internet and cloud services. This has several disadvantages: All network traffic must pass through the data center (backhaul) and this leads to inefficient routing and bottlenecks in data traffic. The problem can be resolved with increased bandwidth, but this entails costs and effort.

SD-WAN and Direct Internet Access (DIA)

With the cloud and distributed working, enterprises are increasingly turning to SD-WAN architectures: Internet access no longer has to be provided by the data center at the company’s headquarters, but instead directly by the router at the particular location (Direct Internet Access, or DIA for short). This significantly reduces latency and improves the user experience. Using the software-based network overlay, network properties for all company locations can be controlled and configured centrally, granting an overview of the company’s network status at all times. In this model, security is still implemented locally – usually in the headquarters or partially in the hardware at external locations. In addition, remote-access traffic is still routed through the data center.

Cloud-capable network topology (SASE)

Growing network complexity (e.g., micro-segmentation) and increasing data traffic as well as higher security risks from ever more complex threats require a network model with cloud-based security services. In addition to SD-WAN, cloud-based security enables the secure and controlled use of software as a service (SaaS). Traditional local security is increasingly overwhelmed by the requirements of cloud-centric IT architectures. Furthermore, SASE allows for a zero-trust approach: All network and cloud access is protected – regardless of whether the user is inside or outside the corporate network.