Building Encryption Into the Network Fabric with SASE

Last updated: April 8, 2024 Reading time: 5 minutes
Building Encryption Into the Network Fabric with SASE

What is a network fabric?

A network fabric is a mesh of connections between network devices such as access points, switches, and routers that forward data to its destination. “Fabric” refers to the physical wiring that makes up these connections but usually refers to a virtual mesh of virtualized connections automatically overlaid on top of a physical topology.

The physical or essential part of the fabric consists of switches, routers, and Wi-Fi devices. It provides a simple, scalable infrastructure for communication between network devices. The virtualized or overlay portion of the network fabric is used to transport user data.

The virtualized part of the structure is created by adding specific headers to packets. The network device interprets these headers and either blocks or forwards the packet. This conditional routing ensures that devices see only the relevant subset of the network.

Virtualization adds value to the network fabric. By virtualizing the base layer of your network, splitting it into multiple overlay networks, and optimizing them individually, you can use separate strategies for different needs. In addition, this structure has extensive policy-based control and automation mechanisms, allowing you to react to changes based on business requirements quickly.

Network fabric use cases

Enabling virtual machine scaling and migration

Cloud providers and many private organizations use virtual machines (VMs) to manage workloads and improve server utilization. There is often a need to migrate virtual machines (VMs) running applications to other servers in a data center or other data centers.

As this process accelerates, manual processes cannot support the speed at which network resources scale. The network fabric is instrumental in facilitating VM migration by maintaining the IP address of a virtual machine when it changes location within a data center so that users can find it. The network fabric allows virtual machines to communicate with any network port over the data center network, making migration easier.

Container networking

A container is a small runtime environment for application code. Containers are spun up or down depending on workload needs and usually run for short periods. Here too, manual configuration cannot keep up with what is happening in the network, and container security is also at risk.

As the number of containers increases or decreases, the network fabric uses automation to create the necessary network resources.

Multiple data centers

If an organization’s network has multiple data centers, it is necessary to interconnect them. A data center interconnects (DCI) service allows different data centers to become one logical data center. Applications and other services can be deployed anywhere and interact as if they were on the same network. If your organization already has a WAN infrastructure, DCI can be an overlay over the WAN. A network fabric is a primary component of DCI.

What is SASE

SASE is a set of technologies that embed security into the global fabric of networks. The critical components of SASE are software-defined WAN (SD-WAN), cloud access security broker (CASB), Firewall as a Service (FWaaS), zero-trust network access (ZTNA), and secure web gateway (SWG).

SASE solutions provide simple connectivity and security for today’s complex IT environment, with massive cloud adoption, digital transformation, remote workers, and the Internet of things (IoT). It enables consistent connectivity and performance for mobile users and cloud applications, consistent policy enforcement across networks, protection of unmanaged devices, and protection against modern threats. All these can be seamlessly and automatically deployed to any edge.

SASE: The modern, customizable network fabric

SASE provides a globally-available network fabric that connects the entire enterprise. It is not a technology but a platform that includes several technologies. A core component of SASE is SD-WAN, which connects sites, clients, users, mobile devices, IoT devices, and virtual appliances – wherever they are. Configuration, management, and reporting are all done from one console.

SASE does more than just connect users and devices – it also protects them. SASE includes several solutions that provide multiple layers of security:

  • Encryption and decryption of inline traffic.
  • Traffic inspection using multiple security engines, including malware scanning and sandboxing. 
  • DNS-based protection 
  • Denial of Service (DoS) protection
  • Policy enforcement to support compliance with regulations such as the General Data Protection Regulation (GDPR).

Key capabilities of the SASE network fabric

As a complete enterprise network fabric, the SASE platform provides consistent uptime and performance for all applications and use cases, from non-critical (such as web browsing) to mission-critical use cases (such as finance transactions). Ideally, SASE products can evaluate costs and choose the lowest path for any application.

To support this wide range of use cases, its architecture is resilient and elastic – making it able to adapt to specific applications and environments. Specifically, SASE provides hardware redundancy and failover for network equipment, as well as path resiliency, which means it can provide multiple routes to the destination and select the best route depending on line conditions.

Another aspect of SASE is the ability to provide optimal performance for each session, meeting the requirements of every application, regardless of location. This is achieved by:

  • Low latency global connections – SASE mainly relies on broadband connections managed by SD-WAN, less on private MPLS connections.
  • Bandwidth optimization – deduplication and compression to minimize the data that needs to be transmitted and maximize available bandwidth.
  • Latency optimization – using various techniques such as proxy connections to minimize latency impact on protocol performance.
  • Packet loss mitigation – minimizing packet loss, especially in the first mile, where it is pervasive.

Lastly, SASE lets organizations define security policies that reflect user identity and the real-time context of users and devices. This is critical to creating flexible and robust network structures. SASE can integrate with directory services such as LDAP and Active Directory and combine this data with the current security context – such as time of day, device, network, and user location.


In this article, I explained the basics of network fabrics and how SASE can secure it:

  • Encryption and decryption of inline traffic.
  • Traffic inspection using multiple security engines, including malware scanning and sandboxing. 
  • DNS-based protection 
  • Denial of Service (DoS) protection
  • Policy enforcement to support compliance with regulations such as the General Data Protection Regulation (GDPR).

I hope this will be useful as you deploy SASE in your organization.

Share this article

About the Author

Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in:, Nordic APIs,,, and VentureBeat.

More from Iam Waqas

Related Posts