Cato Adds IPS as a Service with Context-Aware Protection to Cato SD-WAN

  • July 31, 2017

Cato SD-WAN is First to Converge Global Networking and Advanced Security Services

Cato introduced today a context-aware Intrusion Prevention System (IPS) as part of its Cato Cloud secure SD-WAN service. Cato’s cloud-based IPS is fully converged with the rest of Cato’s security services, which include next generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware protection. Cato IPS is the first to be integrated with a global SD-WAN service, bringing context-aware protection to users everywhere.

Cato IPS as a Service

Today’s IPS appliances are hampered by many factors. The increased use of encrypted traffic, makes TLS/SSL inspection essential. However, inspecting encrypted traffic degrades IPS performance. IPS inspection is also location bound and often does not extend to cloud and mobile traffic. And, appliances must be constantly updated with new signatures and software patches, increasing IT operational costs.

Cato solves these problems with a managed and adaptive cloud-based IPS service that delivers advanced security everywhere with unlimited inspection capacity:

  • Managed and Adaptive Cloud Service: The Cato Research Labs leverages big data insights derived from the Cato Cloud to update, tune and maintain IPS signatures without customer involvement. New signatures are validated on real traffic, which allows them to be optimized for maximum effectiveness before being applied to production, customer traffic.
  • Advanced Security Everywhere: Internet and wide area network (WAN) traffic is scanned and protected for all branch offices and mobile users regardless of location.
  • Unlimited Inspection Capacity: The Cato IPS has no capacity constraints, inspecting all traffic, including TLS traffic, today and in the future.

Context-Aware Protection

Beyond common protection for the latest vulnerabilities and exploits, Cato IPS uses a set of advanced behavioral signatures to protect against complex attacks by identifying suspicious traffic patterns. Leveraging the converged network and security cloud platform, Cato’s IPS has access to unique context across multiple domains typically unavailable to a standard IPS. The use of this context makes IPS signatures more accurate (reducing false positives) and more effective (reducing false negatives). The context attributes include:

    • Layer-7 Application Awareness: The Cato IPS is application-aware, applying rules based on network services, business applications, and application categories.
    • User Identity Awareness: The Cato IPS recognizes user identity based on Active Directory.
    • Geolocation: Cato IPS can enforce customer-specific, geo-protection policies to stop traffic based on the source and destination country.
    • User Agent and Client Fingerprinting: The Cato IPS identifies the sending client, such as a browser type or mobile device.
    • True Filetype Inspection: A common attack vector is to mask executables attached to a message by changing the appearance of filename extensions. The Cato IPS identifies and block such threats by inspecting the data stream to determine the actual filetype.
    • DNS Queries and Activation: By investigating the DNS stream, the Cato IPS can run heuristics to detect anomalies in DNS queries indicating a domain generation algorithm (DGA) or malware-related DNS queries.
    • Domain or IP Reputation Analysis: In-house and external intelligence feeds enable the Cato IPS to detect and stop inbound and outbound communications with potentially compromised or malicious resources, such as domains and IP addresses that are newly registered or whose reputations are labeled unknown, suspicious, or malicious.  

Cato IPS in Action

The combination of functions allows Cato to spot threats efficiently and effectively. The recent WannaCry outbreak, for example, can be stopped by detecting malicious buffers indicative of the EternalBlue exploit used by WannaCry:

The suspicious locations can be blocked by leveraging Cato’s geolocation restrictions:

And with reputation analysis, Cato IPS can identify and prevent inbound or outbound communications with compromised or malicious resources:

The Cato IPS has already been deployed within the Cato Cloud, protecting customers from infection. Upon deployment, the IPS detected several infected machines in one leading manufacturing company. The manufacturer relies on the Cato Cloud to connect and secure it’s three US locations, five international offices, and cloud instance. Cato IPS identified that the machines were communicating with a C&C server that is used to spread Andromeda bot malware. Details of the anti-malware event can be seen below:

The SD-WAN of the Future. Today.

Today’s users work everywhere and so must their wide area networks. But advanced security must be built into the network to securely connect locations, cloud resources, and mobile users. With Cato IPS and the rest of Cato’s converged security services, Cato inspects and protects against threats in WAN and Internet traffic without the administrative overhead, capacity constraints, or restrictions of standard security appliances. Combined with its private backbone, the Cato Cloud makes securely connecting your business simple — again.

 

Dave Greenfield

Dave Greenfield

Dave is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.

More Posts - Website

Dave Greenfield

Author: Dave Greenfield

Dave is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.