SASE - My general ideas - looking for discussion and experiences!

We're doing an RFI for S(A)SE, with the primary goal of replacing our classic VPN solution for both internet and private access. In a second phase we're looking to introduce SD-WAN.

A bit about us to set the context (feel free to skip): We have ~5k users, with a large campus (roughly 80-90% of employees are here), and about a dozen small(er) remote offices globally (mostly EU & US). Work from home is embraced widely. On the server/app side we have a mix of on-prem DC (at the main campus), private cloud environments and SaaS - so all over the place :-). The on-prem DC will remain critical for the foreseeable future, although there is a cloud first strategy so SaaS will increase. We are currently a Palo Alto shop, but have no investment in SD-WAN yet. We have a strong relationship with Microsoft (O365 and Azure) and have E5 licensing, which is why Microsoft got on the list in the first place even before their recent SSE announcement.

We have been talking to these vendors below, and this is my personal take-away about each of them. Curious to hear where I'm wrong!

  • Palo Alto (disclaimer: we are a satisfied PA customer for NGFW so for us this seems like a natural fit)
    • 100% public cloud (GCP mostly)
    • Prisma Access sounds more like an evolution of their existing NGFWs: "make it virtual and stick it in the cloud", versus a more cloud-native solution. So while they were very cool a couple of years ago, the cutting edge feeling is not there. I'm not sure yet if that is a good thing or a bad thing, since we love our physical PAs :-) and we're told that many of the things we know (management, APIs, logging, etc) remain the same.
    • SD-WAN is bolted on (former Cloudgenix) and is managed through a separate interface, although that should be better integrated into the cloud management solution? Curious how well that would play out with a mix of SASE and physical firewalls.
    • No backhaul to cloud needed for users to local DC traffic since policies across SASE and on-prem DC firewall should be transparent (?)
    • Licensing seems a kludge! (local/global, users/branches, service connections,....)
    • Strong focus on client monitoring (ADEM): local wifi quality, CPU/MEM, etc...
  • Netskope
    • CASB at origin.
    • Own hardware in colocation DCs.
    • More cloud-native and 'zero trust' by design with a "connector" VM that you run close to the resources that the client needs to get to.
    • Local "edge" available to prevent backhaul from users to local DC via cloud while still ensuring the full security stack. But just recently announced.
    • SD-WAN is bolted on (former Infiot) and is managed through a separate interface. Sounds like this should improve.
    • "Experience monitoring" available but does not monitor the client itself (see above with ADEM).
  • Zscaler
    • SWG at origin.
    • Looks conceptually and architecturally very similar to Netskope: own hardware at colocation facilities, and a connector which builds an outbound connection from your DCs to the cloud.
    • Also local edge available, like Netskope.
    • No SD-WAN offering of its own, but partnering with major players. However there is a "branch connector" which may sort of replace the SD-WAN capabilities by at least allowing branch offices to be tied into the Zscaler cloud platform. This is only a VM now but I hear this will also become available as a physical box (?)
    • Monitoring does include client statistics like CPU/Mem, wifi, etc.
    • All in all Zscaler seems a bit more mature than Netskope (API ecosystem, etc). -> looking forward to hearing comparisons between Netskope and Zscaler!
  • Cato
    • To me Cato seems to have the most "complete" architecture, with their SD-WAN appliances truly integrated into the entire solution, unlike the previous vendors.
    • The SD-WAN boxes are part of the OPEX model which may or may not be nice, depending on your finance people :-)
    • Unlike Netskope and Zscaler they provide actual IP to IP connectivity, no NAT behind connectors.
    • However, it seems less mature than the vendors above: limited API ecosystem, no real client monitoring,...
  • Cisco
    • Just recently announced their new SSE offering, which is built from scratch (?) based on Umbrella and Duo technology. Those are good products so that sounds promising. But Cisco doesn't have the best track record of building out new products so I'm very hesitant to bet on whether this will become a true competitor to the others.
    • For now 100% AWS only and limited POPs globally.
    • Lots of features are "roadmap".
  • Microsoft
    • Even more recently than Cisco, Microsoft this week also announced an SSE solution: Entra Internet Access and Entra Private Access.
    • Private access is based on the existing app-proxy technology, which is a known and stable technology - at least for web traffic at this point.
    • Curious to find out what their security capabilities will be on the internet access part specifically, since they have no NGFW capabilities in-house today (?). I have not really been impressed by Azure Firewall so far.
    • Licensing not clear - some features may be part of the E5 licensing?

This clearly seems like a hot market with completely new products/announcements left and right (Cisco, Microsoft), and lots of roadmap items with existing SASE vendors.
Note that we haven't done any POCs yet so this is all based on (tech) talks, (marketing) slides and vendor websites. Next step for us is to select a few vendors for a POC. Looking forward to your real-world experiences to help us in that decision.

Some open questions:

  • What's your experience with the impact on real-world traffic and your day-to-day life as a network/security admin, between the architecture of PA/Cato (IP to IP) versus Zscaler/Cato/Microsoft (NAT behind some sort of connector)?
    • Apps don't see the true client source IP.
    • No more server-to-client connectivity possible.
    • Seems more complex for troubleshooting/visibility? But that should just move to the SASE cloud?
  • What's your opinion/experience on Netskope vs Zscaler? Pros/cons?
  • What are your experiences with TAC support with any of these vendors?
  • Pricing? :-)