1. Uses TLS over TCP 443 — essentially never blocked by firewalls; supports flexible authentication (username/password, MFA, SSO) without requiring digital certificates; used for individual user remote access; can be on-demand or always-on
2. Connects two complete networks with a persistent encrypted tunnel; concentrators are the perimeter firewalls at each site; users are completely unaware — no client software on their devices; always-on and network-to-network in scope
3. Decouples WAN management from hardware; routes cloud application traffic directly from branch to cloud, eliminating headquarters backhauling; primarily a networking optimization — does not by itself provide comprehensive security for cloud-routed traffic
4. Combines SD-WAN networking with cloud-delivered security (ZTNA, SWG, CASB, FWaaS, DLP) in a unified cloud service; SASE client on every device connects to the nearest cloud PoP; provides consistent security posture regardless of user location