SASE Ultimate Guide and Best SASE Tools

SASE stands for “Secure Access Service Edge”. It is a method of creating secure connections between sites over the internet. It is like turning the space between company networks into a single private system, enabling the network manager to treat a fragmented network as a secure whole.

Several related technologies help to compose a SASE system. Understanding the overlapping concepts emerging for WAN security helps better define the meaning of SASE and its purpose.

If you are just here for the tools, here is our list of the four best SASE tools:

  1. Perimeter 81 EDITOR’S CHOICE A flexible platform with adaptable combinations of services that let you assemble your SASE strategy.
  2. Cloudflare One A package of pre-existing Cloudflare products that create secure virtualized networks and services.
  3. Zscaler SASE A comprehensive platform of services that work through centralizing applications or data.
  4. Open Systems SASE An appealing contender provider with the option for on-site deployment.

We also provide full reviews at the end of the post.


A SASE is a refinement of the SD-WAN concept. SD-WAN stands for “software-defined wide area network”. In this technology, the network management software overlays an IP address structure over private network links that are not fixed but supplied by intermittent connections across the internet.

Taking the SD-WAN concept a little further, it is possible to do away with the internal network altogether. This idea would be of particular interest to businesses that run virtual offices. With the virtual office strategy, no one sits in the company office. Instead, they work from home or are permanently out in the field.

The corporate telephone number can be hosted on a cloud-based exchange and map internal extension to the actual telephones, possibly mobile devices, owned by each worker. Similarly, the corporate network is a series of ad-hoc connections forged across the internet on an as-needed basis.

Just as the Cloud telephone exchange makes it seem to the outside world that they are dealing with a group of people housed in one location, the SD-WAN makes those workers feel as though they are connected to a company network and can communicate with each other just as easily as if they were all in the same building.

In the meantime, the SD-WAN software presents an overview of a network structure, which is just a series of pointers to people instead. For example, consider endpoints on a network. Consider that a device at one IP address could be a tablet rather than a desktop. As the sales rep that uses that device moves around the country, its location within the network appears to stay in the same place.

The mediation of the SD-WAN software means that the network manager doesn’t need to know where each node is; the system can be managed from an imaginary structure rather than getting concerned with the actual physical underlying infrastructure.

With a SASE system, the SD-WAN software is hosted in the cloud and offered as a SaaS platform; the network administrator doesn’t need to be in the same place to access the system dashboard, which is available through a Web browser.

Being in a state of expansion, the company can switch office locations regularly and even add on temporary locations and operate pop-up outlets. In addition, the network administrator can integrate short-term contract consultants into the team without remapping any of the networks. In short, it doesn’t matter where anyone is in reality or what actual physical hardware connects them to the network.


CASB stands for “cloud access security broker.” The abbreviation is pronounced “cass-be”. It enforces security policies between the users of cloud services and the cloud resources. To operate, the CASB needs to get a look at all of the virtual network traffic. Therefore, all traffic passes through the CASB server. While it is traveling through, the CASB gets to implement security procedures and extract information for security reporting.

As SASE combines SD-WAN technology with security processes, it needs a CASB node to fulfill its purpose. Therefore, CASB is the engine that implements SASE on an SD-WAN.

The CASB is an authentication server. It is like the Active Directory for your imaginary network that the SD-WAN created. While it is operating its authentication process, the CASB system can also log which user accessed which resource and for how long. This is a crucial audit trail information for data privacy standards compliance.

SWG, FWaaS, and SASE

SWG stands for “secure Web gateway”. This is, to all intents and purposes, a firewall. The SWG will check on outgoing traffic as well as incoming traffic. The standard firewall function blocks malicious actors from gaining access and filters out malware. The reverse firewall inspects all outgoing transmission, which enables it to prevent data theft.

The SWG can be implemented on-premises on a network appliance or as an edge service on a remote server. The SWG is termed “firewall as a service” (FWaaS) in the edge service scenario.

As the SASE implements network security along with network virtualization, it needs to perform FWaaS functions. This service can be implemented as an SWG on each site or as an FWaaS operating as a proxy. If the firewall for each of your sites is a pre-filtering proxy-based somewhere out in the cloud, it isn’t too much of an intellectual leap to realize that the firewall function for all sites can be performed from the same service and controlled from a single dashboard.


If the network’s firewall is not on site but is provided by a SaaS server somewhere else, there is a security gap between that firewall and the physical network boundary. A VPN secures the gap.

The VPN is a “virtual private network”. That means software processes create the same level of privacy for internet transmissions as packets traveling over a private network experience. Not only can no one outside get into the traffic, but they can’t read the packet headers to identify the actual source and destination of the packet. Encrypting the body of a packet creates security, encryption the header of a packet creates privacy.

The SASE creates a hub, which is an edge service. This is like a very busy network switch, linking together all of the subnets of the network. For example, one virtual cable leading out of the switch might go to a single device that could be on the desk of a telecommuter in a home somewhere. Another virtual cable led to a mobile device in New York yesterday and is in Tulsa today. Another virtual cable leads to an entire office network serving a hundred desktops and printers.

When the network administrator looks at the network topology map, each cable leads to one device with one IP address, and all connections are both secure and private.

Converging virtualization and security

After looking at all of these elements of edge services: network virtualization, access rights management, system security, data loss prevention, connection protection, network performance monitoring, security monitoring, and standards compliance, you can see that all of these functions can be centralized. This is the SASE.

An FWaaS needs to get all traffic in and out of a site routed through it. As has already been explained, the firewalls for all sites can be merged into one, which creates a central point for all corporate traffic, both for traffic that circulates internally and for traffic that communicates with external locations.

As all traffic passes through the merged edge service firewall, CASB functions can all be performed in that exact location. Monitoring software can also record metrics simultaneously, and VPNs protect all connections to all locations.

Implementing SASE

As SASE is an edge service, you can expect to get a single provider’s entire network virtualization and system security package. Therefore, substantial organizations might prefer to set up their SASE by renting space on a cloud server and installing all of the necessary software elements on it. However, it is more usual to take out a subscription to an existing SaaS platform that provides a SASE package.

What should you look for in a SASE platform? 

We reviewed the market for SASE systems and analyzed the options based on the following criteria:

  • A secure package with solid encryption for connections
  • Account security to prevent the central hub and data store from being broken into
  • Included cloud storage space for activity logs
  • A service that is compliant with data security standards
  • A fast and easy to use network management system
  • A free assessment period or demo system
  • A comprehensive package that has no set up fees or lock-in period

Using this set of criteria, we looked for a range of scalable SASE systems to be suitable for businesses of all sizes and provide flexibility for rapidly-growing startups.

The best SASE tools

1. Perimeter 81 EDITOR’S CHOICE

SASE desktop

The Perimeter 81 SASE platform offers all of the elements of a SASE, such as Firewall as a Service, edge services for application access or network access, user-centric network architecture, and VPNs so you can create a SASE by taking out subscriptions to all of the services or just pick the parts that suit you.

This is the ultimate flexibility because you aren’t limited to one imposed architecture – you can pick and mix to create your system. For example, place gateway clients at the perimeter of your home network or place them on each endpoint in a virtual office to implement full virtualization with embedded security for a distributed team.

Key Features:

  • Zero Trust application access
  • Zero Trust networking
  • Flexible VPN implementations, such as split tunneling
  • Integrate user-owned devices
  • Standards compliance

All of the operations for this SASE platform are based in the cloud, but you need to install a VPN client on each internet gateway, which could mean on each endpoint. This agent also acts as an SD-WAN addressing interpreter to fully integrate all of your sites into one network. Pricing is calculated with a mix of per user and gateway charges. It can be paid per month or year, making the service accessible to small businesses, start-ups, and large organizations. You can request a demo to assess Perimeter 81 SASE.


  • Choose to protect networks with an SD-WAN approach or implement secure application delivery from a central cloud server
  • Segment users into groups regardless of their location
  • Alter the layout of your network with subnets and DMZs without regard to the actual location of endpoints
  • Use the facility to create a central, secure, and closely monitored primary datastore
  • Integrate user-owned devices allowing private use in parallel with corporate activity without compromising network security
  • Next-Gen Secure VPN service


  • Requires thorough planning to create a simplification of your service delivery with guarantee because the platform is very flexible


Perimeter 81 is our top pick for a SASE tool because it is so flexible. You don’t get a one-size-fits-all solution but rather have the option to decide how far you want to go with your network virtualization, choosing whether to remap the delivery of data, applications, or the entire network. In addition, scalable per-user pricing is very appealing to small businesses.

Request a demo:

Operating system: Cloud-based

2. Cloudflare One

Cloudflare One

Cloudflare One is a SASE product from a well-known security provider that recently expanded its edge services menu. The Cloudflare One platform neatly stitches together all of the edge services offered by the business into an off-the-shelf package. As all contributing technologies are available individually, you don’t have to go the entire route if just parts of the concept interest you.

The elements in this platform are WARP, which offers network optimization through user-centric networking; Magic Transit, an SD-WAN solution, and Cloudflare Network Interconnect (CNI), a data center fabric, use the Argo service for routing.

The Cloudflare One package gives you a Zero Trust network access (ZTNA) system and DPI for traffic implementing FWaaS and data loss prevention. You can use the Cloudflare CDN to protect access to data or deliver all of your applications from a cloud server, controlling access there, thus filtering data access through the related software. Integrate network into the service with a secure Web gateway (SWG) and benefit from the standard Cloudflare DDoS protection.

Key Features:

  • A complete package or a menu of services
  • Protect the network, applications, or data
  • An established leader in edge services

Cloudflare is very good at offering free versions or free trials to its services but, as Cloudflare One is a new service and so flexible, it doesn’t even provide an automated demo account for this package. So instead, you have to request a consultation to get started on your buyer’s journey.


  • Flexible services that enable you to choose how to virtualize
  • A well-established and trusted brand
  • Plugs in established Cloudflare services, such as the CDN or DDoS protection


  • No free trial or demo account

3. Zscaler SASE

Zscaler ZIA 6.0 Web Overview Dashboard

ZScaler offers a range of services that let you implement SASE in different ways. For example, choose to host all of your applications on the Zscaler server and let it implement access controls or install a gateway program on your network and let Zscaler marshal traffic across the internet by providing an IP overlay. You can also opt to centralize data storage and protect access to that or implement all of the above combinations.

Protect individual endpoints, including mobile devices, by integrating them into your home network or virtualizing everything and everyone. The Zsacaler system implements threat detection, access controls, and activity logging for compliance auditing, which every security strategy you implement.

Key Features:

  • Virtualize the whole network or integrate remote workers
  • Centralize controls on applications or data
  • Offers 150 data center locations

Zscaler doesn’t publish a price list. However, you can request a demo to get a view of its services.


  • Offers a choice of security focus and access models
  • All cloud-based services
  • Integrate an entire network with the deployment of an agent as a gateway


  • No free trial

4. Open Systems SASE

Open Systems SASE

Open Systems gives you a hybrid solution that hides the underlying platform of your resources, so you can combine cloud services and on-site servers into a unified system for your users. This SASE solution pulls together SD-WAN, network monitoring, and delivery security to form a SASE.

Unlike the other tools in this list, Open System offers an on-premises deployment option for this SASE, so you can choose to run it yourself instead of using a SaaS platform. However, the SaaS route is also available.

Key Features:

  • Includes SWG, SD-WAN, NGFW, CASB, and IPS
  • Integrates auditing and monitoring
  • Offers threat detection and data protection

Open Systems offers three plan levels, which means you don’t have to pay for all of the service elements if you choose a virtualization strategy that only needs specific services. The service is scalable and would be suitable for small businesses and start-ups, in addition, as well as large multinationals. The company doesn’t publish a price list or offer a demo. Instead, you need to request a quote to find an entry point into the purchase process.


  • Flexible options provided by three service plans to suit different virtualization strategies
  • A competent service offered by a trusted brand
  • On-site deployment option


  • ZTNA and CASB are add-on services
  • No free trial or demo