TL;DR (Too Long; Didn't Read): Traditional networking models have evolved with buzzworthy technologies like SD-WAN, SASE, and SSE. SD-WAN optimizes traffic flow, with Load Balancers using multiple circuits simultaneously. Backbone providers add a private middle-mile for efficient traffic routing, and Accelerators enhance data transmission speed. SASE integrates SD-WAN, security features, and cloud services for efficient, secure networking, while SSE, the security half on its own, offers the same benefits without needing on-premises hardware. Choose the right solution based on your organization's specific needs.
Get ready for some buzzword overkill. I'm not going to point any fingers, but it's Gartner's fault, so grab some caffeine and let's crush through this. Software-Defined Wide Area Networking (SD-WAN), Secure Access Service Edge (SASE), and Security Service Edge (SSE) are all Over-The-Top (OTT) approaches that have transformed traditional networking models, allowing for increased flexibility, control, security, and ultimately scalability. OTT means they are agnostic to whatever connections are plugged in: software decides how traffic is handled, whether that is steering it locally on the device or building an encrypted tunnel to other devices or infrastructure across those connections. Let's take a look at each one individually and then the other buzzwords that make them up.
SD-WAN is a cost-effective way to optimize and manage wide-area networks (WANs). It lets organizations use multiple internet connections at once and prioritize traffic based on application needs and circuit health, improving overall network performance. Centralized management simplifies network configuration and reduces the dependence on expensive hardware.
SASE integrates network security functions (Firewall-as-a-Service (FWaaS) at a minimum, and typically Secure Web Gateway, CASB, and ZTNA as well) directly into a cloud-delivered SD-WAN service, providing secure and scalable access to network resources. It allows organizations to apply security policies consistently across locations and devices from a single platform, with application optimization happening in the same pass.
SSE is the security half of SASE delivered on its own: ZTNA as the successor to remote-access VPN, FWaaS, and typically Secure Web Gateway and CASB, all built around a zero-trust model and without any on-premises hardware. Unlike SASE, which centralizes each site's connections through an SD-WAN device at that location, SSE centralizes in the cloud and access is done through the provider's application on the endpoint. This lets a remote workforce securely connect, over the most efficient path, to wherever the data lives with minimal installation complexity.
SD-WAN can be broken out into 3 primary categories: Edge, Backbone, and Accelerators.
Edge is an appliance that sits at the WAN edge of a site and does dynamic path selection and tunneling locally, deciding which traffic goes where. For any site-to-site or site-to-cloud connectivity, the SD-WAN appliance builds a VPN tunnel (usually IPsec) directly to the other hardware or virtual device, riding over the top of whichever internet provider serves each end. Edge devices have two main sub-categories: Failover-Only and Load Balancers.
Failover-Only devices use a single circuit at a time. When the primary connection is down, the device fails over to the secondary connection after a preset number of consecutive missed health probes (packet loss), and fails back once a preset number of consecutive probes have been received successfully. These are considered legacy SD-WAN devices and there are still some of these out there today. It makes me cringe when I hear them being called SD-WAN, but it's technically correct, so we gotta roll with it.
Load Balancers are what people imagine when they think of SD-WAN. These utilize both, or all, circuits simultaneously. This allows for a much quicker failover/failback sequence, since every circuit is already in use and its health is already known, and if all circuits are healthy and the configuration allows it, flows can be spread across them to aggregate bandwidth, generally boosting throughput by up to 70%. Most implementations balance per flow, so the gain shows up across many simultaneous connections rather than in a single download.
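Here is how the failover/failback hysteresis and the two selection styles fit together, as an added example that is not from the original post or any vendor's code. The thresholds (three lost probes to fail, five good probes to fail back), the per-app policy, and the two circuits named fiber and lte are made up for the demonstration:

```python
"""Toy SD-WAN edge: per-circuit probe tracking with failover/failback hysteresis,
plus a failover-only box next to a load balancer making app-aware path choices.
Constructed example; probe thresholds, latencies and the app policy are illustrative."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Circuit:
    name: str
    latency_ms: float = 0.0
    up: bool = True
    fail_after: int = 3       # consecutive lost probes before the circuit is marked down
    recover_after: int = 5    # consecutive good probes before it is marked up again
    lost: int = field(default=0, init=False)
    good: int = field(default=0, init=False)

    def probe(self, received: bool, latency_ms: Optional[float] = None) -> bool:
        """Feed one health-probe result; returns the circuit's up/down state afterwards.
        The two counters give hysteresis so a single lost packet does not flap the path."""
        if received:
            self.lost, self.good = 0, self.good + 1
            if latency_ms is not None:
                self.latency_ms = latency_ms
            if not self.up and self.good >= self.recover_after:
                self.up = True
        else:
            self.good, self.lost = 0, self.lost + 1
            if self.up and self.lost >= self.fail_after:
                self.up = False
        return self.up


# Per-app policy (hypothetical): latency the app tolerates and whether its flows may be spread.
APP_POLICY = {
    "voip": {"max_latency_ms": 150, "spread": False},
    "bulk": {"max_latency_ms": None, "spread": True},
}


class FailoverOnlyEdge:
    """Legacy behaviour: one circuit carries everything until it is declared down."""
    def __init__(self, primary: Circuit, secondary: Circuit):
        self.primary, self.secondary = primary, secondary

    def select(self, app: str, flow_id: int) -> Optional[str]:
        for c in (self.primary, self.secondary):
            if c.up:
                return c.name
        return None


class LoadBalancingEdge:
    """All healthy circuits are in use; each flow is placed by the app's policy."""
    def __init__(self, circuits: List[Circuit]):
        self.circuits = circuits

    def select(self, app: str, flow_id: int) -> Optional[str]:
        healthy = [c for c in self.circuits if c.up]
        if not healthy:
            return None
        policy = APP_POLICY.get(app, APP_POLICY["bulk"])
        if policy["max_latency_ms"] is not None:
            within_sla = [c for c in healthy if c.latency_ms <= policy["max_latency_ms"]]
            healthy = within_sla or healthy     # degrade gracefully if nothing meets the SLA
        if policy["spread"] and len(healthy) > 1:
            return healthy[flow_id % len(healthy)].name   # per-flow hashing aggregates bandwidth
        return min(healthy, key=lambda c: c.latency_ms).name


def run_demo() -> dict:
    fiber, lte = Circuit("fiber", latency_ms=20), Circuit("lte", latency_ms=60)
    fo, lb = FailoverOnlyEdge(fiber, lte), LoadBalancingEdge([fiber, lte])
    out = {}
    # Both circuits healthy: voice goes to the lowest-latency circuit, bulk flows are spread.
    out["healthy"] = (fo.select("voip", 1), lb.select("voip", 1), lb.select("bulk", 0), lb.select("bulk", 1))
    # Brown-out: fiber still answers probes but at 300 ms. Failover-only keeps using it;
    # the load balancer moves voice off it while keeping bulk traffic on both.
    fiber.probe(True, 300)
    out["brownout"] = (fo.select("voip", 1), lb.select("voip", 1), lb.select("bulk", 0))
    # Hard failure: three consecutive lost probes mark fiber down for both boxes.
    for _ in range(3):
        fiber.probe(False)
    out["down"] = (fiber.up, fo.select("voip", 1), lb.select("bulk", 0))
    # Failback needs five consecutive good probes; four are not enough.
    for _ in range(4):
        fiber.probe(True, 20)
    out["recovering"] = fiber.up
    fiber.probe(True, 20)
    out["recovered"] = (fiber.up, fo.select("voip", 1), lb.select("voip", 1))
    return out


if __name__ == "__main__":
    for stage, result in run_demo().items():
        print(f"{stage:>10}: {result}")
```

The brown-out stage is the one that matters in practice: a failover-only box only reacts to a circuit that is fully dead, while a load balancer that already measures every circuit can steer latency-sensitive traffic away from one that is merely degraded.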
Backbone providers add an orchestration layer and a private middle-mile, meaning they control the traffic further along its path to the destination than an edge appliance can. Instead of site A connecting to site B directly, there is an intermediary called a Point of Presence (PoP) that is the first hop for all traffic inside the tunnel (we will get into split-tunneling shortly). These providers have multiple PoPs strategically placed to maximize geographic efficiency, redundancy, and optimization. Another great part is that the resource-intensive features run at the PoP rather than on the local device. So let's say site A is in the East US and site B is in the West US: site A sends its data to the provider's East PoP, it rides the provider's own connection, either point-to-point (Layer 2) or OTT (Layer 3), to the West PoP, and from there it is delivered to the site B device. This method generally decreases latency and jitter, because the long-haul leg avoids the public internet's variable peering, unless the sites are so close to each other that the PoP just adds distance to the equation. Not all data has to pass through the tunnel: split-tunneling is where some traffic goes over the tunnel and other traffic goes straight to the public internet. This is primarily used for SaaS applications like MS365 or Salesforce (unless the provider has private access to them) or deprioritized public traffic like employees streaming music and videos. The caveat is that anything split-tunneled bypasses whatever inspection happens in the tunnel or at the PoP, so the split policy is a security decision, not just a bandwidth one.
Accelerators are backbone providers that also employ advanced features like data deduplication and TCP optimization to significantly improve the efficiency and speed of data transmission. Deduplication (often marketed as packet deduplication) identifies and eliminates redundant data before it is transmitted across the network: both ends keep a cache of previously seen chunks, and when the sender recognizes a chunk the far end already holds, it sends a short reference instead of the data. Bandwidth is conserved and network resources are used more effectively, leading to faster transfers. For example, if I wrote a business plan in a Word document and sent it to you, and you made a ton of spelling and grammar changes to raise the overall reading level and sent it back, the system would identify the changes you made and only send those back over the wire, completing the new file on my side. Pretty cool huh? Unfortunately, ever since encryption became mainstream, that visibility has mostly gone away: the accelerator sees only ciphertext, and encrypted data looks different every time even when the underlying file is the same, so there is nothing to deduplicate unless the accelerator terminates the TLS session itself (with all the trust implications that carries). On the other hand, TCP optimization focuses on enhancing the Transmission Control Protocol (TCP), the fundamental protocol for reliable data transmission over the internet. TCP only lets a sender have a limited window of unacknowledged data in flight, and it backs off when packets are lost, so the throughput of a single connection is bounded by roughly the window size divided by the round-trip time, and a long, lossy path is slow no matter how much bandwidth it has. Accelerators optimize TCP by terminating the connection at the nearby PoP and running their own tuned transport across the middle-mile: larger windows, selective acknowledgement so one lost segment does not force a retransmit of everything sent after it, and congestion control that does not treat every loss as congestion. Imagine a system that sends packets 1, 2, 3 and so on: instead of each end waiting out a long round trip for acknowledgements, the short hop to the PoP is acknowledged quickly, and the PoP-to-PoP leg handles loss on the sender's behalf. These optimizations ensure that data is transmitted more efficiently, reducing latency and minimizing the chances of network bottlenecks at a global scale.
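The deduplication behaviour described above, and why end-to-end encryption defeats it, as an added example that is not part of the original post or any accelerator product. It uses content-defined chunking with a gear rolling hash (the FastCDC approach) and a chunk cache shared by both ends; the document text, the chunk-size parameters, and the toy counter-mode cipher standing in for TLS are all constructed for the demo:

```python
"""Toy WAN-optimizer deduplication: content-defined chunking plus a shared chunk cache,
run once over a plaintext link and once over a link where the payload was encrypted
before the accelerator ever saw it. Constructed example; not any vendor's implementation."""
import hashlib
import hmac
from typing import List, Set

# 256 pseudo-random 32-bit values drive the rolling hash (FastCDC's "gear" table).
GEAR = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big") for i in range(256)]
REF_LEN = 8  # bytes sent on the wire to say "you already have this chunk"


def chunk(data: bytes, mask: int = 0x00A50A00, min_size: int = 32, max_size: int = 256) -> List[bytes]:
    """Cut where the rolling hash matches a pattern, so boundaries depend on content rather
    than offset: an insertion early in the file shifts bytes, yet later chunks still line up
    with the previous version. mask has 6 spread bits (~1 boundary per 64 bytes) so the
    decision depends on ~24 trailing bytes instead of only the last few."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + GEAR[b]) & 0xFFFFFFFF   # old bytes shift out of the 32-bit state
        size = i + 1 - start
        if size >= min_size and ((h & mask) == 0 or size >= max_size):
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def wire_bytes(peer_cache: Set[bytes], data: bytes) -> int:
    """Bytes the accelerator actually sends: full chunks the peer has never seen, plus a short
    reference for each chunk it already holds. The cache is what the far end has stored."""
    total = 0
    for c in chunk(data):
        fp = hashlib.sha256(c).digest()
        if fp in peer_cache:
            total += REF_LEN
        else:
            total += len(c)
            peer_cache.add(fp)
    return total


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for TLS: counter-mode keystream from HMAC-SHA256. Toy only, not for real use.
    A fresh nonce per session is what makes identical plaintext produce unrelated ciphertext."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], ks))
    return bytes(out)


def demo() -> dict:
    """Send v1 cold, then a lightly edited v2, over a plaintext link and an encrypted one."""
    # Constructed ~11 KB "business plan": 160 sentences that differ only in number and region.
    sentences = [b"The quarterly plan targets %02d new accounts in the %s region by Q3. " % (n, r)
                 for n in range(80) for r in (b"east", b"west")]
    v1 = b"".join(sentences)
    edited = list(sentences)
    edited[7] = edited[7].replace(b"new accounts", b"net-new customer accounts")  # insertion
    edited[85] = edited[85].replace(b"Q3", b"Q4")                                  # same length
    edited[141] = edited[141].replace(b" by Q3", b"")                              # deletion
    v2 = b"".join(edited)

    plain_cache: Set[bytes] = set()
    wire_bytes(plain_cache, v1)                 # cold send: everything crosses the wire
    plain_v2 = wire_bytes(plain_cache, v2)      # warm send: only changed chunks plus references

    key = b"\x42" * 32
    enc_cache: Set[bytes] = set()
    wire_bytes(enc_cache, toy_encrypt(key, b"session-1", v1))
    ct_v2 = toy_encrypt(key, b"session-2", v2)
    enc_v2 = wire_bytes(enc_cache, ct_v2)       # nothing matches: every chunk is "new"
    return {"v2_len": len(v2), "plain_wire": plain_v2, "enc_len": len(ct_v2), "enc_wire": enc_v2}


if __name__ == "__main__":
    r = demo()
    print(f"plaintext link: {r['plain_wire']} of {r['v2_len']} bytes sent")
    print(f"encrypted link: {r['enc_wire']} of {r['enc_len']} bytes sent")
```

On the plaintext link the second transfer sends a fraction of the file; on the encrypted link it sends all of it, because the ciphertext of a session shares no chunks with any other session. That is exactly the trade-off behind "the accelerator has to terminate TLS to deduplicate": the optimization only works where the provider can see plaintext.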
Stand up, stretch, do 1000 push ups, whatever floats your boat.
Now with an overused phrase, "Let's get SASE"!
When SD-WAN was introduced to the market, it had some known limitations. Sure, it could create an encrypted tunnel from one location to the next, but it ultimately lacked advanced network security functionality. Those features came with other services, such as a Next-Generation Firewall (NGFW) or FWaaS. To get this needed protection, companies would add a second device behind the SD-WAN appliance or send all traffic to a cloud firewall, which added latency and extra hops. Then some visionaries decided, "Let's build these functions together", and SASE was born.
SASE blends technologies such as Backbone and Accelerator SD-WAN with FWaaS. This allows traffic to go through what's called a Single Pass, which performs the dynamic route optimization and the security inspections while passing through the infrastructure only once, for a more efficient transport. These security inspections and features include Deep Packet Inspection (DPI), anti-malware, web filtering, Zero Trust, intrusion detection and prevention, plus many more. DPI on encrypted traffic means the service terminates the TLS session at the PoP, decrypts the payload, inspects it, and re-encrypts it toward the destination. For that to work the endpoints have to trust the provider's inspection CA, which makes that CA and the PoP's key handling some of the most sensitive pieces of the whole design, and some traffic (banking, health, certificate-pinned apps) usually has to be exempted from inspection. Just because a packet is encrypted doesn't mean it's safe. Zero Trust is the methodology that even if something has authenticated, it still isn't trusted by default: every request is authorized against who the user is, what device they are on, and what they are asking for, rather than once at connection time. It's the next iteration of VPN, where once you established the tunnel you were trusted to reach everything. Think of walking into a hotel and making it to the front desk: you are authenticated as someone staying at the hotel, so you may enter the building. They give you a key card that opens the common areas like the gym, the pool, and your room, but not every single room. That is Least Privilege, which only gives you access to the minimum needed to do your job, combined with Zero Trust, which requires you to present your key card at every door you pass through because being inside the building doesn't make you trusted.
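The difference between tunnel-level trust and per-request authorization, as an added example that is not from the original post or any SASE product; the apps, groups, device-posture fields, and policy values are hypothetical. The hotel analogy maps onto it directly: the group check is the key card only opening your own room, and the auth-age check is having to present it at every door.

```python
"""Toy policy engine contrasting classic VPN trust (authorize once, at connect time)
with zero-trust authorization (evaluate identity, device and policy on every request).
Constructed example: users, apps, posture fields and rules are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]     # directory groups the user belongs to
    app: str                   # internal app being reached
    device_managed: bool       # device enrolled in MDM / presents a device certificate
    disk_encrypted: bool       # posture signal reported by the agent
    auth_age_min: int          # minutes since the user last proved identity (with MFA)


# Per-app rules: the least privilege each "door" enforces. Hypothetical policy values.
APP_POLICY: Dict[str, dict] = {
    "wiki":    {"groups": {"staff"}, "managed": False, "max_auth_age": 480},
    "hr":      {"groups": {"hr"},    "managed": True,  "max_auth_age": 60},
    "prod-db": {"groups": {"dba"},   "managed": True,  "max_auth_age": 15},
}


def vpn_decision(req: Request, tunnel_up: bool) -> str:
    """Classic remote-access VPN: once the tunnel is up, the network is reachable.
    The request's details are never looked at again after connect time."""
    return "allow" if tunnel_up else "deny"


def zero_trust_decision(req: Request) -> str:
    """Every request re-evaluates identity, device posture and the target app's policy.
    The tunnel (or the SSE agent session) confers no trust by itself."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny: unknown app"                       # default deny
    if not (req.groups & policy["groups"]):
        return "deny: group"                             # least privilege per app
    if policy["managed"] and not (req.device_managed and req.disk_encrypted):
        return "deny: device posture"
    if req.auth_age_min > policy["max_auth_age"]:
        return "deny: reauthenticate"                    # fresh / step-up auth required
    return "allow"


def evaluate(requests: List[Request]) -> List[Tuple[str, str, str]]:
    """Run both models over the same requests; returns (app, vpn, zero_trust) rows."""
    return [(r.app, vpn_decision(r, tunnel_up=True), zero_trust_decision(r)) for r in requests]


# Constructed sample: one employee whose tunnel is already up tries a few apps.
SAMPLE = [
    Request("alice", frozenset({"staff"}), "wiki", False, False, 120),
    Request("alice", frozenset({"staff"}), "hr", False, False, 120),            # lateral move
    Request("alice", frozenset({"staff", "dba"}), "prod-db", True, True, 30),   # stale auth
    Request("alice", frozenset({"staff", "dba"}), "prod-db", True, True, 5),
]

if __name__ == "__main__":
    for app, vpn, zt in evaluate(SAMPLE):
        print(f"{app:>8}  vpn={vpn:<6} zero-trust={zt}")
```

The second row is the point: with a flat VPN, reaching the HR system from an unmanaged laptop is just another packet on the tunnel, while the zero-trust evaluation denies it on group membership before device posture is even considered. In a real deployment the posture fields come from the provider's agent or MDM integration, and the decision is enforced at the PoP, not trusted from the client.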
SASE is great for an in-office or hybrid workforce because it requires a hardware component to centralize connections at each office or branch. Now what do we do if our company is primarily remote, or we don't want to manage any network infrastructure? SASE has some ways to augment for this with ZTNA applications that function like a souped-up VPN tunnel whose first hop is the provider's PoP. This was a neat and flexible architecture, so someone looked at it and, I'm assuming, said "Our marketing company charges by the letter and we need to make this work for companies with all remote employees". If there's no office, or nobody at the office, then it doesn't need the Access part of SASE, so SSE was created. Don't read too much into Access being synonymous with hardware, because SSE gives access as well; it was just the letter they decided to drop. With SSE, companies get all of the wonderful features of SASE without any hardware being deployed. Everyone connects with the SSE application, which is like a souped-up ZTNA one. Now, no matter where the employee is accessing from, they have a secure and optimized connection to the company data. This is a much simpler answer for IT staff trying to enable "Work from Anywhere" flexibility for employees with minimal headaches.
To sum this up in 140 characters or less: SD-WAN excels in optimizing network performance and cost-efficiency, SASE offers route efficiency and consistent security policies through cloud integration, while SSE provides SASE flexibility without the need for on-premises hardware. Organizations must assess their specific requirements and resources to choose the most suitable solution for their networking and security needs.