Unsolved Remote Access Challenges Continue to Propel SASE in 2023, Finds New Cato Survey
By all accounts, 2023 is expected to see strong growth in the SASE market. Gartner has already predicted in The Top 5 Trends in Enterprise Networking and Why They Matter: A Gartner Trend Insight Report (subscription required) that by 2025, 50% of SD-WAN purchases will be part of a single-vendor SASE offering, up from less than 10% in 2021. And in a recent audience poll at Gartner’s I&O Cloud conference, when attendees were asked which of five technologies they were most likely to invest in, 31% indicated SASE, making it number two overall, just behind Universal ZTNA (at 34%).
And Gartner isn’t the only one expecting SASE to perform well this year. Dell’Oro expects the SASE market to reach $8 billion in 2023. The drivers for this activity? The need for security everywhere particularly driven by hybrid work. “The internet is now a logical extension of the corporate network, and the need for security is as great as ever,” Dell’Oro Research Director Mauricio Sanchez told SDxCentral.
We couldn’t agree more. We just finished surveying more than 1661 IT leaders about the drivers of SASE adoption in 2023. The survey gathered insight into their experiences with SASE and, for those who have not yet deployed SASE, the IT challenges confronting them going forward.
What’s so striking when you look at the data is the role remote access plays. More than half (51%) of respondents who have not yet adopted any kind of SASE point to enabling remote access from anywhere as their number one challenge. The same is true for “Adopt zero trust security posture for all access.”
Why Remote Access VPNs Are Not the Answer for Hybrid Work
There are any number of reasons why enterprises are looking at replacing legacy remote access solutions. “Traditional approaches anchored only to on-premises solutions at the corporate internet gateway no longer work in the new ‘anywhere, anytime, with any device’ environment that the pandemic accelerated,” SDxCentral quoted Sanchez as saying.
More specifically, legacy VPNs suffer from five key problems:
Scaling and capacity issues. VPN servers have a limited amount of capacity: as more users connect, performance degrades and the user experience suffers. To increase VPN server capacity, IT must deploy new appliances or upgrade existing ones. Security and performance optimization challenges require additional appliances to be purchased, deployed, and integrated, which only increases network complexity.
Lack of granular security controls. Generally, point solutions restrict access at the network level. Once a user authenticates, they have network access to everything on the same subnet. This lack of granular security and visibility creates significant risk and leaves gaps in network visibility.
Poor performance. All too often, remote users complain about the sluggishness of corporate applications when accessed remotely. Part of that is an architecture issue, particularly when traffic needs to be brought back to an inspection point, adding latency to the session. VPN traffic is also susceptible to the unpredictability and latency of Internet routing.
Rotten user experience. Remote users struggle with connecting using legacy VPN software. Too many parameters have to be configured to connect properly. Where once this might have been tolerated by a small subset of remote users, it becomes a very different story when the entire workforce operates remotely.
Growing security risk. VPN infrastructure itself has all too frequently been the target of attack. A brief search of the MITRE CVE database for “VPN Server” shows 622 CVE records. VPN servers have shown so many security vulnerabilities that CERT warned that many VPN devices were storing session cookies improperly.
It shouldn’t be surprising to learn, then, that when we asked IT leaders further down the SASE adoption curve what triggered their SASE transformation project, “remote access VPN refresh” was the most common response (46%).
SASE: The Answer to the Hybrid Work Challenge
SASE answers those challenges by enabling work to occur anywhere, securely and efficiently. As part of a SASE platform, remote access benefits from the scaling of a cloud-native architecture. There’s no need to add server resources to accommodate users who suddenly need remote access. “Deployment was quick. In a matter of 30 minutes, we configured the Cato mobile solution with single-sign-on (SSO) based on our Azure AD,” says Edo Nakdimon, senior IT manager at Geosyntec Consultants, who had more than 1200 users configured for remote access in less than an hour with the Cato SASE Cloud.
Zero trust is just part of the SSE pillar of a single-vendor SASE platform, giving IT granular control over remote users’ access to resources. Security is improved by eliminating the VPN servers that are so frequently the object of attack. And remote user performance improves by inspecting traffic in the PoP nearest the user’s location and then sending traffic on to other locations across the SASE platform’s globally optimized backbone rather than the unpredictable Internet.
No wonder those IT leaders who did adopt SASE indicated they were able to address the remote access challenge. When asked, “As a SASE user, what are the key benefits you got from SASE?”, “Enable Remote Access from Anywhere” was the highest-ranked benefit (57% of respondents), followed by “Adopt zero trust security posture for all access” at 47% of respondents.
All of which makes remote access a “quick win” for anyone looking to deploy SASE.
Cato SASE Cloud’s “Innovation” and “Platform Play” Earn “Leader” and “Outperformer” Status in GigaOm SD-WAN Radar Report
Today we announced that Cato Networks was named a “Leader” and “Outperformer” by GigaOm in the analyst firm’s Radar for SD-WAN Report. This is our first year to be included in the report, and already we have shot to the top of the leaders’ circle, underscoring the strength and maturity of Cato SD-WAN and showing the importance of considering SD-WAN as part of a broader SASE offering.
The report evaluates 20 notable SD-WAN vendors, including Cisco, Fortinet, Versa Networks, Juniper, Palo Alto, VMware, and others. Of all these SD-WAN providers, Cato Networks is the only one rated as Exceptional in all the key criteria considered to be differentiators among the providers as well as the primary features for customers to consider as they compare solutions.
Figure 2: Only Cato scored “Exceptional” across every one of GigaOm’s Key Criteria
GigaOm: Cato’s SD-WAN Is “Easier to Maintain and Scale”
The report highlights Cato’s unique cloud-based approach to delivering SD-WAN as a real differentiator that makes a software-defined wide area network easier to maintain and scale for business needs.
“Cato SASE Cloud is a converged cloud-native, single-pass platform connecting end-to-end enterprise network resources within a secure global service managed via a single pane of glass,” says the report. “By moving processing into the cloud using thin edge Cato Sockets, Cato SASE Cloud is easier to maintain and scale than competitive solutions, with new capabilities instantly available. Leveraging an expanding global SLA-backed network of over 75 PoPs, Cato is the only SD-WAN vendor currently bundling a global private backbone with its SD-WAN. Moreover, Cato offers both a standalone SD-WAN solution and a security service edge solution – Cato SSE 360 – for securing third-party SD-WAN devices.”
Cato Is a Strong “Platform Play” with “Innovation”
The report places Cato as the only vendor with a strong “Platform Play” and “Innovation” in features. According to the report, “Positioning in the Platform Play quadrant indicates that the vendor has a fully integrated solution – usually built from the ground up – at the functional level.” The report additionally recognizes Cato as an Outperformer “based on the speed of innovation compared to the industry in general.” GigaOm calls Cato “a vendor to watch” for its innovation.
Read the GigaOm report for yourself to see why Cato SASE Cloud is the leader of the SD-WAN pack.
Gartner’s Market Guide to Single-Vendor SASE Offerings: The Closest Thing You’ll Get to a SASE Magic Quadrant
Ever since Secure Access Service Edge (SASE) was adopted by every significant networking provider and network security vendor, IT leaders have been waiting for a Gartner SASE Magic Quadrant.
And for good reason.
The industry has seen widely different approaches to what’s being marketed as SASE. Some companies partnered with each other to offer a joint solution of loosely integrated products, for example Zscaler and any number of SD-WAN partners. Others simply rebranded their existing solutions as SASE. Think VMware SD-WAN (previously VeloCloud) turning into VMware SASE.
Market consolidation has brought together still other companies with disparate services requiring years’ worth of integration. As an example, consider HPE, Aruba and Silver Peak and the integration work ahead of them to make a cohesive SASE product. Meanwhile, we at Cato Networks chose a different path: to build a fully converged, global networking and security solution from the ground up. Gartner calls this “single-vendor SASE.”
A SASE Magic Quadrant would clear up the confusion in the industry and separate the leaders from losers. But while Gartner may not yet be ready to issue a SASE Magic Quadrant, the firm has issued the next best thing -- Market Guide for Single-Vendor SASE. The report takes a close look at the SASE market and specifically at single-vendor SASE.
The Single-Vendor SASE Market is Projected to Grow Substantially
Gartner defines a single-vendor SASE offering as one that delivers converged network and security as-a-service capabilities using a cloud-centric architecture. Cato is the prototypical single-vendor SASE leader. Example services that are part of a single-vendor SASE offering are SD-WAN, SWG, FWaaS, ZTNA, and CASB. All of those services, and this is key, are fully converged in the underlying architecture, service delivery, and management interface. They truly are one cloud service, which is what separates single-vendor SASE from other approaches.
These converged services might also be the full roster of capabilities for the newest single-vendor SASE entries but they are only the starting point for Cato. In addition to those services, Cato also offers a global private backbone, data loss prevention (DLP), rapid CVE mitigation, managed threat detection and response, SaaS optimization, UC and UCaaS optimization, and a range of other capabilities.
According to Gartner, there should be rapid growth in single-vendor SASE implementation in the next few years. While only 10% of deployments were single-vendor SASE solutions last year, Gartner expects a third of all new SASE deployments by 2025 to be single-vendor. By the same timeframe, half of new SD-WAN purchases will be part of a single-vendor SASE offering.
The market’s growth is largely being driven by the desire for simplicity by reducing the number of deployed solutions and vendors. Of course, reducing complexity while still offering enterprise-class capabilities is something Cato has been delivering for years.
Cato Was Ahead of Its Time in This “Adolescent” Market
“A single-vendor SASE must own or directly control (OEM, not service chain with a partner) each of the capabilities in the core category,” according to the report authors. A “well-architected” solution must have all services fully integrated, a single unified management plane and a single security policy, a unified and scalable software-based architecture, and flexibility and ease of use. The report lists core functional requirements in each of the areas of secure web gateway, cloud access security broker, zero trust network access, and software-defined WAN.
Gartner points out that there are several vendors in the “adolescent” industry that meet the analyst firm’s minimum requirements. There are more, still, that come close but aren’t quite there with their offerings.
Because single-vendor SASE brings together networking and security into one solution with many functions, Gartner recommends that a joint team of network professionals and security experts be appointed to evaluate the solutions based on the organization’s foremost needs.
Single-Vendor SASE Has Lots of Benefits
The benefits of single-vendor SASE are many. Gartner cites the following as reasons to go this route for a SASE solution:
An improved security posture for the organization – This is based on reduced complexity of the various security functions, a single policy enforced everywhere, and a smaller attack surface.
Better use of network and security staff – Deployment times are reduced, fewer skills and resources are needed to manage a unified platform, a single policy is applied throughout the various security functions, and redundant activities go away.
Improved experiences for users and system administrators – Performance issues such as latency and jitter are easier to tame or eliminate, it’s easier to diagnose issues end-to-end, and there is a single repository for logs and other event data.
Of course, implementing such a solution can have its challenges as well, like how to deal with organizational silos and what to do about existing IT investments. Global coverage can be an issue for the early-stage vendors. Fortunately, Cato has extensive coverage with 75+ PoPs around the world today. Gartner says solution maturity can be an issue, but that’s mainly a problem for the neophyte vendors. With more than 8 years in the single-vendor SASE business behind us, Cato is one of – if not the – most mature vendors in the market.
Gartner Offers Recommendations
As with all Gartner guides, the research firm has recommendations pertaining to strategy and planning, evaluation, and deployment:
Establish a cross-functional team including people from both networking and security to increase the potential for a successful implementation.
Evaluate single-vendor SASE against the backdrop of multi-vendor and managed offerings to determine which method would provide the most flexibility.
“Choose single-vendor SASE offerings that provide single-pass scanning, single unified console and data lake covering all functions to improve user experience and staff efficacy.” (Spoiler alert: Cato provides all of these things.)
Do a Proof of Concept project with real locations and real users to see how well an offering can meet your needs. (Cato is happy to set you up with a PoC today.)
If you are looking for the most mature and feature-rich single-vendor SASE offering with the largest number of worldwide PoPs, look no further than Cato Networks. Request a demo at https://www.catonetworks.com/contact-us/.
The OpenSSL Vulnerability: A Cato Networks Labs Update
The new high-severity vulnerabilities in OpenSSL, CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service), were disclosed this week.
What is OpenSSL?
OpenSSL is a popular open-source cryptography library that enables secure communications over the Internet, in part through the generation of public/private key pairs and its implementation of the SSL and TLS protocols.
What Are the Vulnerabilities?
The vulnerabilities were found in OpenSSL versions 3.0.0 to 3.0.6. They are triggered after certificate chain verification, and then only when one of two unlikely conditions is met: either a certificate authority (CA) has signed a malicious certificate, or an application continues certificate verification despite failing to construct a path to a trusted issuer.
With CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification: an attacker can craft a malicious email address in a certificate to overflow four attacker-controlled bytes on the stack, which could result in a crash, causing a denial of service (DoS), or in remote code execution (RCE). With CVE-2022-3786, a buffer overrun can also be triggered in X.509 certificate verification, specifically in name constraint checking. Again, the attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” character (decimal 46) on the stack, resulting in a crash causing a DoS. (Read the OpenSSL Security Advisory here for detailed information about the attacks.)
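The first thing a defender needs from this advisory is a reliable way to tell whether a given build is in the affected range. The script below is an added example, not Cato’s or the OpenSSL project’s code: it classifies an `openssl version` banner against the 3.0.0 to 3.0.6 range (fixed in 3.0.7), ignores other libraries such as LibreSSL whose 3.0.x numbering is unrelated, and reports what the local Python `ssl` module and system `openssl` binary are built against. The sample banners at the bottom are constructed for illustration.

```python
import re
import shutil
import ssl
import subprocess
from typing import Optional, Tuple

# Affected range from the OpenSSL advisory: 3.0.0 up to and including 3.0.6;
# the fix shipped in 3.0.7. The 1.1.1 branch is not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of an 'openssl version' banner.

    Handles 'OpenSSL 3.0.5 5 Jul 2022' as well as old-style letter releases
    such as 'OpenSSL 1.1.1q  5 Jul 2022' (the letter suffix is ignored; only
    the numeric triple matters for this check). Returns None when the banner
    contains no dotted version triple at all.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> bool:
    """True when the banner describes an OpenSSL build in [3.0.0, 3.0.7).

    Banners for other libraries (LibreSSL also ships 3.0.x releases, with
    numbering unrelated to OpenSSL's) are reported as not affected, and a
    pre-release tag such as '3.0.0-alpha1' is conservatively treated as 3.0.0.
    """
    if "openssl" not in banner.lower():
        return False
    ver = parse_openssl_version(banner)
    if ver is None:
        return False
    return AFFECTED_MIN <= ver < FIXED_IN


def check_python_ssl() -> Tuple[str, bool]:
    """Report the OpenSSL that the running interpreter's ssl module links against."""
    return ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION)


def check_system_openssl() -> Optional[Tuple[str, bool]]:
    """Run the system 'openssl version' binary, if present, and classify its banner."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    out = subprocess.run([exe, "version"], capture_output=True, text=True, check=False)
    banner = out.stdout.strip()
    return banner, is_affected(banner)


if __name__ == "__main__":
    # Constructed sample banners (not collected from real hosts).
    samples = [
        "OpenSSL 3.0.2 15 Mar 2022",   # affected
        "OpenSSL 3.0.7 1 Nov 2022",    # fixed release
        "OpenSSL 1.1.1q  5 Jul 2022",  # different branch, not affected
        "LibreSSL 3.0.2",              # not OpenSSL at all
    ]
    for s in samples:
        print(f"{s!r:32} affected={is_affected(s)}")
    print("python ssl module:", check_python_ssl())
    print("system openssl   :", check_system_openssl())
```

Note that a distribution may backport the fix while keeping a 3.0.x version string, so a positive result from this check should be confirmed against the vendor's package changelog before raising a ticket.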
What’s the Impact on Cato SASE Cloud? None.
While Cato does use OpenSSL, neither vulnerability impacts our infrastructure. None of our cloud assets, the Cato Socket, or the Cato Client uses a vulnerable version of OpenSSL.
What Actions is Cato Taking?
Cato Networks Research Labs is investigating the unlikely case of exploitation attempts and is considering adding new IPS signatures to block them. Currently, we have not seen incidents or published reports of exploitation attempts in the wild.
What Actions Should I Expect from Other Tech Vendors?
The vulnerabilities are severe enough that all vendors should upgrade affected appliances and software. You can see a list of affected software here. While patching and protecting users at Cato can happen instantly, as it did with Log4j, that’s not the case with all solutions. Expect exploits of the OpenSSL vulnerabilities to linger, as we saw with Log4j.
Cato Networks Research Labs will continue to monitor the situation and update accordingly.
Inside a Network Outage: How Cato SASE Cloud Overcame Last Week’s Fiber Optic Cable Cut
Last week, once again, the industry saw the importance of building your enterprise network on a global private backbone, not just the public Internet. On Monday night, a major fiber optic cable was severed in the Bouches-du-Rhône region of France. The cut impacted the Internet worldwide. Instantly, packet loss surged to 100 percent on select carriers connecting to our Marseilles, Dubai, and Hong Kong PoPs.
And, yet, despite this major outage, Cato users were unaffected. No tickets were opened; no complaints filed. Why? Because the Cato SPACE architecture detected the packet loss spike on the carrier’s network and moved user traffic to one of the other tier-1 providers connecting the Cato PoP.
All of this was done automatically and in seconds. Just look at the below report from our Marseilles PoP. Notice how at 02:21 UTC Cato isolated the two affected carriers (aqua and orange lines) and traffic was picked up by the other carriers at the PoP.
Uplink Traffic Report from Cato’s Marseilles PoP
It’s not the first time we’ve seen the resiliency of the Cato Global Private Backbone. Whether it’s a network failure or a crash at a top-tier datacenter housing a Cato PoP, Cato has proven its ability to recover automatically and quickly with little or no impact on the user experience.
The network engineering involved in delivering that kind of availability and performance goes to the very DNA of Cato. From the very beginning, we built our company to address both networking and security. Our founders didn’t just help build the first commercial firewall (Shlomo Kramer); they also built one of the global cloud networks (Gur Shatz). The teams they lead have built the tools and processes to lead in both domains, which is what’s required in this world of SASE.
When building the Cato Global Private Backbone, we wanted to provide enterprises with the optimum network experience regardless of a site’s location, route taken, or network condition. As such, we built many tiers of redundancy into Cato, such as users automatically connecting to the optimum PoP, instant failover between SPACE instances within a server, servers within a PoP, and between PoPs. (Follow the link for a detailed look at the resiliency built into the Cato Global Private Backbone.)
Building our backbone from third-party networks, such as those offered by Amazon, Azure or Google, would certainly have been easier, but that would also compromise our control over the underlying network. The network between two PoPs on an Azure or Amazon network in the same region or zone might be reliable enough, but what happens when those PoPs exist across the globe, in different hyperscaler regions/zones, or on separate hyperscaler networks altogether?
As both networking and security professionals, we at Cato didn’t want to leave those and other scenarios to chance. We wanted to own the problem end-to-end and ensure that enterprise customers would receive optimum performance all the time, from anywhere to anywhere, even under failover conditions.
By building PoPs on our own infrastructure and curating PoP-to-PoP connectivity, we can control the routing, carrier selection, and PoP placement. Carriers connecting our PoPs have been carefully selected for zero packet loss and low latency to other PoPs and for optimal global and regional routes. Cato SPACE architecture monitors those carrier networks, automatically selecting the optimum path for every packet. This way no matter the scenario, users receive the optimum performance.
And by owning the infrastructure, we can deliver PoPs where enterprises require them, not where hyperscalers want to place them. With 75+ PoPs all running Cato’s cloud-native SPACE architecture, Cato has more real-time deep packet processing capacity than any hyperscaler worldwide. It’s why enterprises with users in 150+ countries trust Cato every day to help them slash telecom costs, boost performance by 20x, and increase availability to five nines by replacing their legacy MPLS networks with the Cato Global Private Backbone.
For many so-called SASE players, one side or the other gets missed. Players coming from the security world need to outsource PoP placement to third parties who understand networking. Networking vendors coming to SASE need to partner for security expertise. Both approaches compromise the SASE solution. Cato is the only vendor in the world built from the ground up to be a single-vendor SASE platform. This is why we can deliver the world’s most robust single-vendor cloud-native SASE platform – today.
New Gartner Report Identifies Four Missed Tips When Evaluating SASE Platform Capabilities
Gartner has long been clear about the core capabilities that comprise a SASE solution. And as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE, Cato meets those capabilities, delivering SWG, CASB, ZTNA, SD-WAN, FWaaS, and malware inspection, all at line-rate operation even when decrypting traffic.
While a single platform providing those capabilities is certainly impressive, we at Cato have never thought those features alone make for a single-vendor SASE platform. To radically simplify and improve their security and network operations, IT teams require a fully converged platform. Platforms where capabilities remain discrete and fail to share context and insight force IT operations to keep juggling multiple consoles, which leads to the difficulties IT has long faced when troubleshooting and securing legacy networks.
Gartner would seem to agree. In the 2022 Gartner Market Guide for Single-Vendor SASE (available here for download), Gartner explains how the core capabilities of a well-architected single-vendor SASE offering should be integrated together, unified in management and policy, built on a unified and scalable architecture and designed in a way that makes them flexible and easy to use.
You Say Integrated, We Say Converged
What Gartner describes as integrated we prefer to call converged. But whether it’s converged or integrated, we both agree on the same point -- all capabilities must be delivered from one engine, where event data is stored in one common repository and surfaced through a common analytics engine.
Unified Management and Policy: Essential for Visibility and Enforcement
Arguably the biggest operational challenge for legacy networks post-deployment is data distributed across appliances and, by extension, across data repositories. How do operational teams quickly identify, diagnose, and address potentially malicious or problematic activity and then enforce consistent security policies across the enterprise? And, as a cloud service, how is that done in a way that gives enterprise customers complete control over their own networks while running on a shared platform?
At Cato, we’ve developed the Cato SASE Cloud so that a single management console gives enterprises control over all Cato capabilities – networking and security. A single policy stack uses common data objects enabling enterprises to set common security policies for users and resources in and out of the office. And the Cato architecture is a fully multitenant, distributed architecture giving users complete control over and visibility into their own networks.
The Cloud Provides Unified and Scalable Architecture
With legacy networks, IT teams must invest considerable time and resources on maintaining their branch infrastructure. Appliances need to be upgraded as new capabilities are enabled or traffic volumes grow. And with each new security feature enabled, there’s a performance hit that further degrades the user experience.
All of which is why Cato built the Cato SASE Cloud platform on a global network of PoPs. Every Cato PoP consists of multiple compute nodes with multiple processing cores, with each core running a copy of the Cato Single Pass Cloud Engine (SPACE), Cato’s converged networking and security software stack. Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. SPACE is a single-pass architecture, performing all security inspections in parallel, which allows Cato to maintain wire-speed inspection regardless of traffic volumes and enabled capabilities.
Make it Flexible, Make it Easy
With legacy networks, IT leaders had a tough choice: backhaul traffic to a central inspection point simplifying operations, but add latency and undermine performance, or inspect traffic on-site for better performance but far more complicated operations and deployment.
At Cato, we found a different approach: bring processing as close to the user as possible by building out a global network of PoPs. With the Cato SASE Cloud spanning so many PoPs worldwide, enterprise locations are typically within 25ms RTT of a Cato PoP. In fact, today, Cato serves 1,500 enterprise customers with sites and users in 150+ countries. With PoPs so nearby, enterprises gain the reduced-latency experience of local inspection without burdening IT, all with the simplicity of a cloud service.
Single-Vendor SASE: It’s Not Just About the Features
SASE didn’t introduce new capabilities per se. Firewalling, SWG, CASB, ZTNA, SD-WAN, and malware inspection -- all of SASE’s core capabilities preceded SASE. What SASE introduced was a new way of delivering those capabilities: a singular cloud service where the capabilities are truly one -- fully converged (or integrated) together -- managed from one console and delivered globally from one platform, everywhere. Yes, evaluating features must be part of any SASE platform assessment, but to focus on features is to miss the point. It is the SASE values of convergence, simplicity, ubiquity, and flexibility -- not features -- that ultimately differentiate SASE platforms.
September 20, 2022
The Return On Investment of SD-WAN
What is the ROI on SD-WAN projects? Most enterprises look at SD-WAN as an MPLS alternative, hoping to reduce their MPLS connectivity costs. But the actual SD-WAN ROI is a mix of hard and soft savings, from increasing overall network capacity and availability to a reduced operational load of managing and securing the network. Let's look at the various areas of savings SD-WAN can offer and the resulting ROI.
SD-WAN ROI Driver #1: Reducing MPLS Connectivity Costs
Enterprises have long invested in managed MPLS services to connect locations. The bandwidth is expensive (relative to Internet capacity) and often limited or unavailable on some routes, forcing companies to either pay exorbitant fees to connect locations or, more likely, resort to Internet-based VPNs, complicating network design.
SD-WAN promises to break that paradigm, replacing MPLS entirely or partly with affordable last-mile Internet connectivity. The magnitude of SD-WAN savings is often related to how much MPLS can be replaced and the type of Internet-based connectivity.
Here there's a balance of considerations. Symmetrical Internet connections (also known as Dedicated Internet Access or DIA) offer guaranteed capacity, providing small savings relative to MPLS. Asymmetrical connections with best-effort capacity, such as xDSL or cable, can be aggregated together to match and exceed MPLS last mile uptime at a substantial discount compared to MPLS.
Often, the ROI argument for SD-WAN is less about hard cost savings and more about optimizing network spending. Enterprises receive far more capacity and functionality for the same amount spent on MPLS. The cost per bit drops dramatically, enabling IT to equip locations with 5x to 10x more capacity. With SD-WAN able to aggregate and fail over between multiple last-mile lines, uptime increases significantly.
One example was Fischer & Co, an automotive company that reduced its connectivity costs by 70% by replacing MPLS with Internet last-mile connectivity and Cato SASE Cloud, relying on Cato SSE 360 for network security protection. Along with the cost savings, Fischer & Co gained the agility to respond to new business challenges instantly, adding new security services or opening new locations, all without the operational overhead of upgrading and scaling branch security appliances.
SD-WAN ROI Driver #2: Reducing the Costs of Branch Security
SD-WAN also allows organizations to avoid the branch security costs of legacy networks. With legacy architectures, enterprises backhaul branch Internet traffic to a regional datacenter for security inspection and policy enforcement. This approach consumes precious MPLS capacity, increasing costs while adding latency that undermines the user experience. With SD-WAN, companies avoid consuming expensive MPLS capacity on Internet traffic. Instead, MPLS carries only critical application traffic, offloading bandwidth-hungry and less critical applications to Internet connections.
However, this now requires branch security to inspect and enforce policies on the Internet flows. SD-WAN appliances include basic firewalls, but those firewalls lack the threat protection needed by today's enterprises. Branch firewalls offer more capabilities, but their capacity constraints limit inspection of CPU-intensive operations, such as TLS/SSL decryption, anti-malware, and IPS. As traffic grows or new capabilities are enabled, companies are often forced to upgrade their appliances. Cloud-based SSE solutions are more scalable but incur the operational cost of integrating and managing another point solution.
Network and network security convergence through a single-vendor SASE platform offers a way to tackle this tradeoff. Alewijnse, a Dutch manufacturing company, eliminated its MPLS network and applied enterprise-grade security to all traffic by switching to the Cato SASE Cloud, taking advantage of Cato’s full SSE 360 protection. "With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost," said Willem-Jan Herckenrath, ICT Manager at Alewijnse.
UMHS, a healthcare company, eliminated its MPLS network and branch security firewalls by moving to Cato's converged, cloud-native and global SASE service. "UMHS is so satisfied with the decision to switch its firewalls to Cato that it plans to migrate all locations using MPLS as soon as their contracts expire. A cost analysis done by the organization shows that this change will save thousands of dollars by having all of its 13 locations connected to the Cato Cloud," said Leslie W. Cothren, IT director at UMHS.
SD-WAN ROI Driver #3: Network Automation and Co-managed Services
One of the costliest components of enterprise networking is the network management model. Legacy network management comes in two flavors: Do It Yourself (DIY) and a managed service. With DIY, network managers often use crude tools like Command Line Interfaces (CLIs) to manage router configurations. Since any network outage costs the business, networking teams focus on availability and evolve the network very slowly. Maintaining dynamic traffic routing or failover becomes very complex. To reduce this complexity, IT outsources network management to service providers, which increases costs and, depending on the provider, lengthens resolution times.
SD-WAN promises an improvement in network agility. DIY enterprises can automate network changes and increase network resiliency. However, SD-WAN does add "one more box to manage." For enterprises that prefer a managed service, a new co-managed model enables IT to make quick network changes through a self-service model while the service provider maintains the SD-WAN service. In a co-managed model, the customer doesn't have to maintain the underlying infrastructure and can focus instead on business-specific outcomes.
A case in point is Sun Rich, a food supplier with a North American network comprised of multiple MPLS providers, SD-WAN appliances, WAN optimization solutions, and network security devices – all managed by a small IT team. Every appliance came with its management platform, complicating troubleshooting. By switching to the Cato SASE Cloud, Sun Rich reduced costs and gained control over network and security changes through Cato's single, converged management application. "Based on our size, our annual renewals on our appliances alone were nearly Cato's price," says Adam Laing, Systems Administrator at Sun Rich. "Simplification also translates into better uptime. You can troubleshoot faster with one provider than five providers," he says.
But Is SD-WAN Enough? Comparing SD-WAN to SASE
SD-WAN offers significant opportunities to reduce costs and gain more "bang for the buck" compared to MPLS, but SD-WAN alone will be insufficient to address the needs of today's workforce. As such, an SD-WAN ROI evaluation must consider the myriad additional point solutions needed to meet enterprise networking and security requirements.
The most obvious example, perhaps, is the hybrid workforce. SD-WAN only connects locations. Remote users will require additional services. Security requirements demand protection against malware, ransomware, and other network-based threats not provided by the rudimentary firewalls included in SD-WAN devices, forcing the deployment of third-party security solutions. Cloud-connectivity solutions are also required. Additionally, SD-WAN performance over the long haul is undermined by the unpredictability of the Internet core, requiring the subscription and integration of yet another solution – a global private backbone.
Separately, these individual solutions may be manageable, but together they significantly complicate troubleshooting and deployment. Deployment takes longer as each point solution must be deployed. Problems take longer to resolve as operations teams must jump between management interfaces to solve issues. In short, organizational agility is reduced at a time when agility is often the very reason for adopting SD-WAN.
How Does SASE Solve SD-WAN's Limitations: Read the eBook
SASE solves these challenges while reducing overall spending compared both to MPLS and to MPLS alternatives such as SD-WAN plus point solutions. Cato SASE Cloud overcomes SD-WAN's limitations with built-in SSE 360: a zero trust, cloud-native architecture with a complete range of security protections, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) with Advanced Threat Prevention (IPS and Next Generation Anti-Malware). Those capabilities operate from Cato's global platform, making them available anywhere while providing locations and remote users with MPLS-like performance at a fraction of global MPLS costs. And with all components managed through a single interface, troubleshooting happens far faster than when juggling multiple interfaces. In short, SASE delivers the promise of SD-WAN without its limitations, providing considerable cost savings without compromising security, simplicity, or performance. For a more in-depth comparison of SASE vs SD-WAN, download our complimentary eBook, 5 Things That SASE Covers that SD-WAN Does Not.
September 6, 2022
The Gnutti Carlo Group Names Cato Networks 2021 Best Supplier in the Innovation Category
Cato has received much praise and many industry awards from analysts over the years, but it's our customers who know us the best. So, it's especially gratifying to receive an award from a customer -- the 2021 Best Supplier award in the Innovation Category from global manufacturer Gnutti Carlo Group. The award recognizes the high value of the WAN connectivity and security the Cato SASE Cloud delivers in support of the Gnutti Carlo Group's digital transformation initiative.
"Thanks to the Cato platform and together with strategic services, the Gnutti Carlo Group has benefitted from a more structured, controlled, and secure ICT landscape across the entire company," says Omar Moser, Group Chief Information Officer for the Gnutti Carlo Group. (You can read more about the award here and the Gnutti Carlo Group's story here.)
Too Much Complexity!
Based in Brescia, Italy, the Gnutti Carlo Group is a leading global auto component manufacturer and partner to several OEMs active in the auto, truck, earthmoving, motorcycle, marine, generator sets, and e-mobility sectors. With annual revenues of 700 million euros and nearly 4,000 employees, the company has 16 plants in nine countries in Europe, America, and Asia.
The Group came to Cato to rein in the complexity of its network and security infrastructure, built up over the years through numerous mergers and acquisitions. "Since 2000, we have started with an intensive program of internationalization, performing various acquisitions of companies of our sector and even competitors, each with different network and security architectures and policy engines," says Moser. "It was difficult to keep policies aligned and prevent back doors and other threats."
The company had several datacenters across its locations for local services and took advantage of Microsoft Office 365, Microsoft Azure, and hosted SAP cloud services. "We had it all: public cloud, private cloud, and on-premises applications," says Moser.
Most locations were connected with IPsec VPNs, except for China, which was reached from Frankfurt via a shared MPLS service.
Moser realized that the only way to serve the business effectively was to centralize security and interconnection control among all locations and between plants, suppliers, and the cloud.
Cato Does it All
He looked at several SD-WAN and SASE solutions, but Cato SASE was the only one that could deliver on all his requirements. "The other solutions couldn't give us a single package with integrated security, networking, and remote access," says Moser. He liked other things about the Cato solution, including its large number of globally dispersed points of presence, SASE architecture, single network and security dashboard, and forward-looking roadmap. Less tangible pluses were his great relationship with Cato and its excellent response time whenever he had any questions.
Moser entered into a three-month conditional purchase contract with Cato, after which he could terminate the contract if it didn't meet expectations. He connected ten plants, two service providers, 650 remote access VPN users, and Microsoft Azure via Cato and deployed Cato's SSE 360 security services across them.
A Platform for Digital Transformation
The results were so positive that he nominated Cato for the Best Supplier award. Network performance was excellent, even in China, where Moser saw a noticeable latency improvement over MPLS. Security was much improved thanks to firewall policy centralization and optimization and the ability to monitor traffic and block risky services that were previously open. "Standardizing firewall policies and knowing I can prevent intrusions and malware has allowed me to sleep a lot better," says Moser.
Best of all, Cato has enhanced the group's business agility for its digital transformation. "It is my job to be proactive and efficient," says Moser. "If we need to open a new office we can do it easily. With Cato, we have standardization, an innovative approach, and a single partner we can grow with as we transform digitally."
Satisfying and empowering our customers are Cato's ultimate goals, which is why awards like this one from the Gnutti Carlo Group are music to our ears.
Inside SASE: GigaOm Review of 20 Vendors Finds Platforms Are Far and Few
Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions.
That is a mistake.
SASE innovation has always been about the convergence of security and networking capabilities into a cloud service. The core capabilities of SASE are not new. Their convergence in appliances isn’t new either; that’s what we call UTMs. It’s the delivery as a secure networking global cloud service that is so revolutionary. Only with one cloud service connecting and securing the entire enterprise – remote users, sites, and cloud resources – worldwide can enterprises realize the cost savings, increased agility, operational simplicity, deeper security insight and more promised by SASE.
Too often, though, media and analyst communities miss the essential importance of a converged cloud platform. You’ll read about vendor market share without consideration if the vendor is delivering a converged solution or if it’s just their old appliances marketed under the SASE brand. You’ll see extensive features tables but very little about whether those capabilities exist in one software stack, managed through one interface – the hallmarks of a platform.
GigaOm’s Radar Report Accurately Captures State of SASE Platform Convergence
Which is why I found GigaOm’s recent Radar Report on the Secure Service Access (SSA) market so significant. It is one of the few reports to accurately measure the “platform-ness” of SASE/SSA/SSE solutions. SSA is GigaOm’s term for the security models being promoted as SSE, SASE, ZTNA, and XDR, along with networking capabilities such as optimized routing and SD-WAN. The report assesses more than 20 vendor solutions, providing detailed writeups and recommendations for each.
Those hundreds of data points are then collapsed into the GigaOm Radar, which provides a forward-looking perspective on the vendor offerings. GigaOm plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. Vendors are characterized based on their degree of convergence into a platform (feature vs. platform play) and their robustness (maturity vs. innovation). The length of the arrow indicates the predicted evolution over the coming 12 to 18 months.
[Figure: GigaOm Radar for SSA] The GigaOm Radar for SSA found Cato and Zscaler to be the only Leaders who were outperforming the market.
The Findings: Platform Convergence is Not a Given in the SASE Market
The report found Cato SASE Cloud to be one of the few SSA platforms capable of addressing the networking and security needs for large enterprises, MSPs, and SMEs.
The Cato SASE Cloud provides outstanding enterprise-grade network performance and predictability worldwide by connecting sites, remote users, and cloud resources across the optimized Cato Global Private Backbone. Once connected, the Cato SSE 360 pillar of Cato SASE Cloud enforces granular corporate access policies on all applications -- on-premises and in the cloud – and across all ports and protocols, protecting users against threats, and preventing sensitive data loss.
Of GigaOm’s key SSA Criteria, the Cato SASE Cloud was the only Leader to be ranked “Exceptional” in seven of eight categories:
- Defense in Depth
- Identity-Based Access
- Dynamic Segmentation
- Unified Threat Management
- ML-Powered Security
- Autonomous Network Security
- Integrated Solution
And the report found a similarly near-perfect score when it came to the core networking and network-based security capabilities comprising SSA solutions: SD-WAN, FWaaS, SWG, CASB, ZTNA, and NDR.
“Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service,” says the report. “Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service, delivering low latency and predictable performance via a global private backbone.”
To learn more, download the report.
15 Networking Experts To Follow on LinkedIn
Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work, high-profile cybersecurity attacks and massive geopolitical shifts have intensified the need for new networking solutions, and vendors are quick to respond with new networking point solutions that address the problems du jour.
But how can IT teams and network architects make heads or tails of these rapid shifts? Such intense global and industry-wide changes require the advice of experts who are familiar with both the technical and business landscape, and can speak to the newest technology trends.
Below, we’ve listed 15 of the top experts in enterprise networking and SD-WAN that we recommend following on Linkedin. They are masters in their domain, and industry leaders who can help you stay up-to-date with the latest developments in the world of enterprise networking. They have many years of hands-on and consulting experience, so when they speak about enterprise networks, it’s always worth hearing what they have to say.
1. Greg Ferro
Greg is a co-founder of Packet Pushers, an online media outlet that has covered data, networking and infrastructure for over 12 years. Packet Pushers provides valuable information that can help nearly any professional in the networking field including insights on: public cloud usage, SD-WAN, five minute vendor news, IPv6, and more. Home to a series of podcasts, blog posts, articles, a Spotify channel, and even a newsletter - it’s a multi-media experience. Besides Packet Pushers, Greg runs another well-known industry blog, EtherealMind.com.
2. Ivan Pepelnjak
Ivan is a blogger at ipSpace.net, an author, a webinar presenter and a network architect. His writings and webinars focus mainly on network automation, software-defined networking, large-scale data center tech, network virtualization technologies and advanced IP-based networks. By following him and/or ipSpace.net, you will have access to a plethora of network technology resources, including online courses, webinars, podcasts and blogs.
3. Orhan Ergun
Orhan is an IT trainer, an author and a network architect. On Linkedin, Orhan shares his ideas and thoughts, as well as updates about his recent webinars, blog posts and training courses, to his ~40,000 followers. He also spices up his updates by sprinkling in funny memes with inside IT humor. Orhan’s courses can be found on his website at orhanergun.net, where he focuses on network design, routing, the cloud, security and large-scale networks.
4. Jeff Tantsura
Jeff is a Sr. Principal Network Architect at Azure Networking, as well as a writer, editor, podcaster, patent inventor and advisor to startups in networking and security areas. His podcast, “Between 0x2 Nerds”, is bi-monthly and discusses networking topics including: network complexity, scalability, up-and-coming technologies and more. The podcast hosts industry experts, software engineers, academia researchers and decision-makers - so when listening to it, you can expect to hear from professionals with a wide variety of opinions, points of view and areas of expertise!
5. Daniel Dib
Daniel Dib is a Senior Network Architect experienced in routing, switching and security. He is also a prolific content creator, writing blog posts for his own networking-focused blog “Lost in Transit”, as well as for additional publications like “Network Computing”. His blog is a great choice if you’re interested in learning more about the CCNA, CCNP, CCDP, CCIE and CCDE certification tracks. His social media posts cover both professional and personal matters, for those of you who like to get to know the person behind the professional.
6. David Bombal
David Bombal is an author, instructor and YouTuber, creating content for networking professionals across multiple channels. Focusing on topics like network automation, Python programming, ethical hacking and Cisco exams, his videos, podcasts and courses provide a wide range of resources for beginners and advanced learners. David’s online Discord community is also worth visiting, as an online venue for ongoing IT support and communication.
7. John Chambers
John is the CEO of JC2 Ventures and was previously at Cisco for 26 years, serving as CEO, Chairman and President, among other positions. With more than 263,000 followers on Linkedin and more than 22,000 on Twitter, John is an important source of information for networking professionals interested in a broader, more strategic view of the technological market.
8. Tom Hollingsworth
Tom is a networking analyst at Foskett Services and the creator of networkingnerd.net, an online media outlet where he offers a tongue-in-cheek take on networking news and trends. In his latest post he compares Apple AirTags and lost luggage at airports to SD-WAN. If blog posts aren’t your thing, you can also hear what Tom has to say on his “Tomversations” YouTube playlist or by attending the “Tech Field Day” events he organizes.
9. Matt Conran
Matt is a cloud and network architecture specialist with more than 20 years of networking experience in support, engineering, network design, security and architecture. Matt juggles consultancy as an independent contractor with publishing technical content on his website “Network Insight” and with creating training courses on Pluralsight. On his website, you can find helpful explainer videos and posts on a variety of networking topics including cloud security, observability, SD-WAN and more.
10. Russ White
Russ White is an infrastructure architect, co-host of “The Hedge”, a computer networking podcast, and a blogger. He has also published a number of books on network architecture. His LinkedIn posts are a bulletin board of his latest blog and podcast updates, so by following him you can keep track of his latest publications, ranging from hands-on network advice to views on how technology will be shaped by global events.
11. Ben Hendrick
Ben is the Chief Architect in the Office of the CTO of the Global Secure Infrastructure Domain at Microsoft. His Linkedin posts focus mainly on recent cybersecurity updates, covering specific events as well as industry trends. With nearly 35 years of network and security experience, you can be sure his daily updates are based on broad insights and a deep familiarity with the networking and security space.
12. Ashish Nadkarni
Ashish leads two research groups at analyst firm IDC. Both of them - Infrastructure Systems, Platforms and Technologies (ISPTG) and BuyerView Research - are part of IDC's Worldwide Enterprise Infrastructure practice. Ashish delivers reports, blog posts and webinars, and his LinkedIn feed is a good way to keep up with the latest trends and technologies in networking. Examples of his previous posts include preparing for IT infrastructure supply shortages, storage for AI workloads, and takeaways from networking industry events.
13. Erik Fritzler
Erik has nearly 25 years of experience in network architecture and regularly posts blogs on “Network World”. He specializes in SD-WAN, Network Design, and Engineering and IT Security. In his recent blog post “Why WAN metrics are not enough in SD-WAN policy enforcement”, he discusses how SD-WAN captures metrics that go far beyond the typical WAN measurements including application response time, network transfer time, and server response time.
14. Matt Simmons
Matt is an SRE at SpaceX, where he is responsible for the infrastructure around the ground control plane. His team owns the OS installation on bare metal, up through the Kubernetes orchestration layer, as well as monitoring, CI/CD and more. If you’re interested in learning about technological “How To’s” and the science of space, Matt’s LinkedIn is the place for you. Matt also has a GitHub repository where he hosts projects and experiments that may be helpful to networking professionals.
15. Cato Networks
Did you know that Cato Networks is also on social? Our social channels are a great way to keep on top of SASE and Security Service Edge (SSE) updates, read original research and even get access to “member only” exclusive events. We run surveys, host giveaways and include updates from industry experts, like our CEO and COO, Shlomo Kramer (co-founder of Check Point) and Gur Shatz (co-founder of Imperva).
Who Do You Follow?
As business needs and technologies evolve, it can be difficult to constantly keep up with the changes. Experts like the 15 listed above can help, by passing on their know-how, insights and experience through their Linkedin, blogs, Youtube channels, or whatever way you prefer to consume content.
So, who do you follow? Share with us on Linkedin.
Is SD-WAN Really Dead?
Happy To Announce the Birth of a New Technology - SD-WAN
It wasn’t that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we’re getting used to the toddling SD-WAN, along came yet another even more exciting newborn, the Secure Access Service Edge (SASE). It would give us even more – more security, better remote access, and faster deployment. SD-WAN? That’s so yesteryear – or is it? Is SD-WAN another networking technology to be cast off and forgotten in this SASE world, or does SD-WAN continue to play an important role? Let’s find out.
SD-WAN: The Toddler Years
When SD-WAN was born, there was much to love. It was cute, shiny, and taught enterprises how to walk -- walk away, that is, from MPLS – to a network designed for the new world. MPLS came of age when users worked in offices, resources resided in the datacenter, and the Internet was an afterthought. It was hopelessly out of step with a world that needed to move fast and one obsessed with the Internet.
SD-WAN addressed those problems, creating an intelligent overlay that allowed companies to tap commodity Internet connections to overcome the limitations of MPLS. More specifically this meant:
- More capacity to improve application performance
- Reduced network costs by using affordable Internet access, not high-priced MPLS capacity
- More bandwidth flexibility by aggregating Internet last-mile connections
- Improved last-mile availability by connecting sites through active/active connections
- Faster deployments, allowing sites to be connected in days, not months
SD-WAN: The Teenager That Disappoints
But then the world changed – again. Resources moved into the cloud and the pandemic sent everyone home. Suddenly the office was no longer the focus of work. Solving the site-to-site communications challenge was no longer sufficient. Now companies needed a way to bring advanced security to wherever resources resided, in the cloud or the private data center, and wherever users worked, in the office, at home, or on the road, and do all of that without compromising performance. None of that was in SD-WAN's job description, making the following use cases particularly challenging:
SD-WAN lacks support for remote access -- period. There was no mobile client to join an SD-WAN. But today secure remote access is an essential pillar for guaranteeing business continuity.
SD-WAN is limited in its cloud readiness. As an appliance-based architecture, SD-WAN requires the management and integration of proprietary appliances to connect with the cloud, and optimized cloud connectivity then requires expensive premium offerings such as AWS Direct Connect or Azure ExpressRoute.
SD-WAN might perform well enough within a region, but the global Internet is too unpredictable for the enterprise. It’s why all SD-WAN players encourage the use of third-party backbones for global connectivity. Such an approach, though, increases the complexity and costs of a deployment, and fails to deliver the benefits of optimized performance.
SD-WAN lacks the necessary security to protect branch offices. Next-generation firewall (NGFW), Intrusion Prevention Systems (IPS), Secure Web Gateway (SWG), anti-malware – all necessary components for protecting the enterprise and none of which are provided by SD-WAN. Factoring in the necessary appliances and services for delivering these capabilities significantly increases the cost and complexity of SD-WAN deployments.
SD-WAN: The Senior Years
So, SD-WAN isn’t perfect, but you might be wondering, why not let it coexist with the rest of the security and networking infrastructure? Just deploy a SWG or a Security Service Edge (SSE) solution. Doing so, though, leads to a network that’s at best managed with separate brains – one for your SD-WAN and another for your security infrastructure – and more likely additional “brains” for handling the rest of your security infrastructure and the global backbone.
And with multiple brains, everything becomes more complicated:
Forget zero-touch: SD-WAN made noise about claiming to offer zero-touch configuration, but the reality is far different. Without the necessary security capabilities, SD-WANs become far more complicated to deploy, requiring the additional security appliances to be assessed, purchased, delivered to the locations, installed, and integrated.
High Availability (HA) becomes a headache: With SD-WAN relying on Internet connections, HA is all but required. But with multiple brains, HA becomes far more challenging. There’s no automated provisioning of resilient connections between devices or services. There’s also no associated dynamic failover, requiring companies to install backup appliances and spend additional operational time testing failover scenarios.
Visibility is limited: Fragmenting data across multiple networking and security systems means you never have a complete view of your network. You can’t spot the network indicators of new threats. Outages become more difficult to troubleshoot with data hiding within multiple appliance logs.
Relying on SSE offerings or security services in the cloud won’t fully address the problem. Deployment is still a problem as there’s no automated traffic routing and tunnel creation between SD-WAN devices and cloud security PoPs. Security infrastructure is also unable to consume and share security policies (such as segmentation) between SD-WAN and cloud security vendors. Operationally, SD-WAN devices and cloud services remain distinct, making troubleshooting more challenging and depriving security teams of networking information that could be valuable in hunting for threats.
And in the end, reducing to two brains is better than four, but it still leaves you with, well, two brains on one network.
SD-WAN: It’s Not Dead Just Part of a Bigger Family
So, is SD-WAN dead? Hardly. It remains what it always was – an important tool for building the enterprise network. But like the crazy uncle who might be great for laughs but not terribly reliable, SD-WAN has limitations that need to be addressed.
What’s needed is an approach that uses SD-WAN to connect locations but addresses its security and deployment limitations. SASE secures and connects the complete enterprise – headquarters, branches in distant locations, users at home or on the road, and resources in the cloud, private datacenters, or on the Internet. With one network securing and connecting the complete enterprise, deployments become easier, visibility improves, and security becomes more consistent.
To make that happen, SASE calls for moving the bulk of security and networking processing into a global network of PoPs. SD-WAN devices connect locations to the nearest PoPs; VPN clients or clientless access connect remote and mobile users. Native cloud connectivity within the PoPs connects IaaS and SaaS resources.
Cato is the World’s First and Most Robust Global SASE Platform
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato’s SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership.
Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato Socket appliance, which connects to the nearest of Cato’s 70+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any device by running the Cato Client. With Cato, new locations or users can be up and running in hours or even minutes, not days or weeks. Security capabilities include Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS).
With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero-trust architecture. So whether it's mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey.
Not All Backbones are Created Equal
It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.
Regardless of why the company needs to transform its enterprise network, the challenge remains the same: How do you get secure connections with the same service level of predictability and consistency as MPLS at an Internet-like price point? This calls for a SASE service built on a global private backbone.
Why a Global SASE Service?
Even enterprises who previously thought of themselves as regional operations find they need global reach today. Why? Because users and data are everywhere. They can (and probably do) sit in homes (or cafés) far from any place an office might be situated, accessing cloud apps across the globe. Pulling traffic back to some site for security inspection and enforcement adds latency, killing the application experience. Far better is to put security inspection wherever users and data sit. This way they receive the best possible experience no matter where that executive might be sitting in the world.
Once inspected, moving traffic to a private datacenter or other sites across the global Internet is asking for trouble. The Internet might be fine as an access layer, but it’s just too unpredictable as a backbone. One moment a path might be direct and simple; the next your traffic could be sent for a 40-stop visit the wrong way around the globe. With a private backbone, optimized routing and engineering for zero packet loss make latency far lower and more predictable than across the global Internet.
Why Not Private Networks from Hyperscalers?
All major public cloud providers – AWS, Azure, and GCP – realize the benefits of global private networks and offer backbone services today. So why not rely on them? Because while a hyperscaler backbone might be able to connect SD-WAN devices, it lacks the coverage to bring security inspection close to the users across the globe. Only a fraction of the many hyperscaler PoPs can run the necessary security inspections, and only a smaller fraction can act as SD-WAN on-ramps. At last check, for example, only 39 of Azure's 65 PoPs supported Azure Virtual WAN. And then there's the question of availability. The uptime SLAs offered by cloud providers are too limited, at only 99.95% uptime, while traditional telco service availability typically runs at four nines, 99.99% uptime.
Why Cato’s Global Private Backbone?
For those reasons and more, enterprises are replacing their legacy network with Cato’s global private backbone. Today, it’s the largest private SASE network spanning 70+ PoPs worldwide.
Built as a cloud-native network with a global private backbone, Cato SASE Cloud has revolutionized global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, we provide affordable SLA-backed connectivity at global scale.
And every one of our PoPs runs the Cato Single Pass Cloud Engine (SPACE), the converged software stack that optimizes and secures all traffic according to customer policy.
Our simple edge devices combine last-mile transports, such as fiber, cable, xDSL, and 4G/5G/LTE. Encrypted tunnels across these last-mile transports carry traffic to the nearest PoP. The same goes for our mobile clients (and clientless access). From the PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers.
This model extends to cloud services as well. Traffic to cloud applications or cloud data centers exits at the PoP closest to these services, in many cases within the same data center hosting both the PoP and the cloud service instance.
Key Benefit #1 – Optimized Performance
With built-in WAN optimization, Cato increases data throughput by as much as 40x. Advanced TCP congestion control enables Cato edges to send and receive more data, as well as better utilize available bandwidth. Other specific optimization improvements include:
- Real-time network condition tracking to optimize packet routing between PoPs. We don’t rely on inaccurate metrics like BGP hops, but rather on network latency, packet loss, and jitter in the specific route.
- Controlling the routing and achieving MPLS-like consistency and predictability anywhere in the world. For example, the path from Singapore to New York may work better through Frankfurt than going direct, and Cato SASE Cloud adapts to the best route in real time.
- Applying dynamic path selection both at the edge and at the core – creating end-to-end optimization.
- Accelerating bandwidth-intensive operations like file upload and download through TCP window manipulation.
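As an added illustration of metric-based path selection (example code, not Cato's software or its actual routing algorithm), the Python below runs Dijkstra over a constructed PoP graph using a hypothetical cost built from latency, loss and jitter, and contrasts the result with a hop-count choice; all link measurements are made-up sample values.

```python
"""Metric-based path selection between PoPs (added example, not Cato code).

Models the claim above: choosing routes by measured latency, loss and jitter
can prefer Singapore -> Frankfurt -> New York over the direct link, while a
hop-count metric (BGP-like) picks the direct link. Re-running the selection
with fresh measurements shows the route changing as a link degrades.
All link measurements are constructed sample values, not real network data.
"""
import heapq
from typing import Dict, List, Tuple

Link = Tuple[str, str]
Metrics = Tuple[float, float, float]  # (latency_ms, loss_pct, jitter_ms)

# Constructed per-link measurements (undirected links between PoPs).
LINKS: Dict[Link, Metrics] = {
    ("SIN", "NYC"): (260.0, 1.5, 30.0),  # direct, but lossy and jittery
    ("SIN", "FRA"): (150.0, 0.0, 2.0),
    ("FRA", "NYC"): (85.0, 0.0, 1.5),
    ("SIN", "LAX"): (170.0, 0.2, 4.0),
    ("LAX", "NYC"): (70.0, 0.3, 6.0),
}

# Assumed weighting (hypothetical): each 1% loss counts like 100 ms of latency
# because retransmits stall TCP; jitter is weighted because it hurts real-time apps.
LOSS_PENALTY_MS = 100.0
JITTER_WEIGHT = 2.0


def link_cost(latency_ms: float, loss_pct: float, jitter_ms: float) -> float:
    return latency_ms + loss_pct * LOSS_PENALTY_MS + jitter_ms * JITTER_WEIGHT


def build_graph(links: Dict[Link, Metrics], hop_count_only: bool = False) -> Dict[str, Dict[str, float]]:
    """Adjacency map; with hop_count_only every link costs 1 (BGP-hop style)."""
    graph: Dict[str, Dict[str, float]] = {}
    for (a, b), metrics in links.items():
        cost = 1.0 if hop_count_only else link_cost(*metrics)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph: Dict[str, Dict[str, float]], src: str, dst: str) -> Tuple[List[str], float]:
    """Plain Dijkstra; returns (path, total cost) or ([], inf) if unreachable."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    pq = [(0.0, src)]
    done = set()
    while pq:
        d, node = heapq.heappop(pq)
        if node in done:
            continue
        done.add(node)
        if node == dst:
            break
        for nxt, w in graph.get(node, {}).items():
            nd = d + w
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(pq, (nd, nxt))
    if dst not in dist:
        return [], float("inf")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def best_path_by_metrics(links: Dict[Link, Metrics], src: str, dst: str) -> Tuple[List[str], float]:
    return shortest_path(build_graph(links), src, dst)


def best_path_by_hops(links: Dict[Link, Metrics], src: str, dst: str) -> Tuple[List[str], float]:
    return shortest_path(build_graph(links, hop_count_only=True), src, dst)


def degraded_links(links: Dict[Link, Metrics]) -> Dict[Link, Metrics]:
    """Constructed update: the Singapore-Frankfurt link starts losing 3% of packets."""
    updated = dict(links)
    updated[("SIN", "FRA")] = (150.0, 3.0, 2.0)
    return updated


if __name__ == "__main__":
    print("by hops:   ", best_path_by_hops(LINKS, "SIN", "NYC"))
    print("by metrics:", best_path_by_metrics(LINKS, "SIN", "NYC"))
    print("after loss:", best_path_by_metrics(degraded_links(LINKS), "SIN", "NYC"))
```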
Key Benefit #2 – Self-Healing and Resiliency
To ensure maximum availability, Cato SASE Cloud delivers a fully self-healing architecture. Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of Cato SPACE, which manages all aspects of failure detection. Failover and fail back are automated, eliminating the need for dedicated planning or pre-orchestration. More specifically, resiliency capabilities include:
- Automatically working around backbone providers in case of outage or degradation to ensure service availability.
- Ensuring that if a compute node fails, tunnels seamlessly move to another compute node in the same PoP or to another nearby PoP. And in the unlikely event that a tier-1 provider fails or degrades, PoPs automatically switch to one of the alternate tier-1 providers.
- Specialized support for challenging locations like China. Cato PoPs are connected by private and encrypted links through a government-approved provider to Cato's Hong Kong PoP.
A great example of Cato resiliency at work was the recent Interxion datacenter outage in London housing Cato’s London PoP. The outage disrupted trading on the London Metal Exchange for nearly five hours. And for Cato? A few seconds. Read this first-hand account from Cato’s vice president of operations, Aviram Katzenstein.
Key Benefit #3 – Secure and Protected
Cato’s global private backbone has all security services deployed in each of the Cato PoPs. This means that wherever you connect from, your traffic is protected by a full security stack at the PoP nearest to you. From there, Cato’s backbone carries your traffic directly to its destination, wherever it may be. This enables full security for all endpoints without any backhauling or additional stops along the way.
Extensive measures are taken to ensure the security of Cato SASE Cloud. All communications – between PoPs, with Cato Sockets, or Cato Clients – are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and remote users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Our service is ISO 27001 certified.
Key Benefit #4 – Internet-like Costs
We reduce the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. All Cato PoPs are connected by SLA-backed transit capacity across multiple tier-1 networks. The Cato software monitors the underlying capacity, selecting the optimum path for every packet. The result: a network with far better performance than the public Internet at a far lower cost than global MPLS.
A Proven Solution for Global Connectivity
Cato’s backbone delivers better performance, availability, and coverage than any single carrier. A single tier-1 carrier can’t reach all parts of the globe, and a single tier-1 carrier can’t provide the predictability of MPLS. Just as enterprises use SD-WAN to aggregate Internet services and overcome the limitations of any one service, SASE leverages SD-WAN to aggregate tier-1 carriers to overcome the limitations of any one network.
“Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up.” Steve Waibel, Director of IT, Brake Masters
“We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.” Joel Jacobson, Global WAN Manager, Vitesco Technologies
“The fast backbone connection most of the way to its ACD cloud service was a big plus. QOS was always a struggle before Cato. It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.” Bill Wiser, Vice President of IT, Focus Services
Thanks to the low cost of the Cato solution, Boyd CAT more than doubled branch bandwidth, moving from 10 to 25 Mbits/s, which, together with Cato's optimization and global private backbone, dramatically improved application performance.
“The branches were just loving it. They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.” Matt Bays, Communications Analyst, Boyd CAT
With Cato SASE, office and remote and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers.
“This year, the entire WAN and Internet connectivity will be running on Cato.” Eiichi Kobasako, Chief of Integrated Systems, Lion Corporation
Cato’s Ransomware Lab Births Network-based Ransomware Prevention
As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation.
Of course, this isn’t our first foray into malware protection. Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and AM to detect and prevent MITRE techniques used by common ransomware groups, spotting the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses and protecting enterprises against exploitation of known vulnerabilities in record time.
What’s being introduced today are heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including:
- File properties such as specific file names, file extensions, creation dates, and modification dates
- Shared volume access data such as metrics on users accessing remote folders
- Network behavior such as creating certain files and moving across the network in particular ways
- Time intervals such as encrypting whole directories in seconds
Once found, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer.
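An added example, not Cato's detection engine, of how the attributes listed above can be combined into a defender-side heuristic over SMB share-access events, with a deny rule for any flagged source host; the event records, extension list and thresholds are constructed and assumed for illustration only.

```python
"""Heuristic scoring of SMB share activity for ransomware-like behaviour.

Added example, not Cato's engine. Each source host is scored on three of the
attributes the post lists: burst rate of file modifications (time interval),
suspicious file extensions (file properties), and breadth of shares touched
(spread across the network). Two of three signals flag the host and yield a
deny rule for SMB (tcp/445) from that host. All events, extensions and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class SmbEvent:
    ts: float      # seconds (constructed clock)
    src: str       # client host that issued the SMB request
    share: str     # UNC share being accessed
    action: str    # "create", "write", "rename" or "read"
    path: str      # file path inside the share


# Assumed tuning values (hypothetical, not Cato's thresholds).
WINDOW_SEC = 10.0
MAX_MODS_PER_WINDOW = 50
MIN_SUSPICIOUS_EXT = 10
MIN_SHARES_FOR_SPREAD = 3
SUSPICIOUS_EXT: Set[str] = {".locked", ".encrypted", ".crypt", ".enc"}  # constructed list
MOD_ACTIONS = {"create", "write", "rename"}


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def score_host(events: List[SmbEvent]) -> Dict[str, object]:
    """Peak modifications in any WINDOW_SEC span, suspicious-extension count, shares touched."""
    mods = sorted((e for e in events if e.action in MOD_ACTIONS), key=lambda e: e.ts)
    peak, left = 0, 0
    for right in range(len(mods)):               # sliding window over timestamps
        while mods[right].ts - mods[left].ts > WINDOW_SEC:
            left += 1
        peak = max(peak, right - left + 1)
    suspicious = sum(1 for e in mods if _ext(e.path) in SUSPICIOUS_EXT)
    return {"peak_mods": peak, "suspicious_ext": suspicious, "shares": {e.share for e in mods}}


def detect(events: List[SmbEvent]) -> Dict[str, List[str]]:
    """Map of flagged host -> reasons; a host needs at least two signals to be flagged."""
    by_host: Dict[str, List[SmbEvent]] = defaultdict(list)
    for e in events:
        by_host[e.src].append(e)
    verdicts: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        s = score_host(evs)
        reasons = []
        if s["peak_mods"] >= MAX_MODS_PER_WINDOW:
            reasons.append(f"{s['peak_mods']} file modifications within {WINDOW_SEC:.0f}s")
        if s["suspicious_ext"] >= MIN_SUSPICIOUS_EXT:
            reasons.append(f"{s['suspicious_ext']} files given a suspicious extension")
        if len(s["shares"]) >= MIN_SHARES_FOR_SPREAD:
            reasons.append(f"modifications across {len(s['shares'])} shares")
        if len(reasons) >= 2:
            verdicts[host] = reasons
    return verdicts


def isolation_rules(verdicts: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Deny SMB from each flagged host; the analyst is notified separately."""
    return [("deny", host, "tcp/445") for host in sorted(verdicts)]


def make_sample_events() -> List[SmbEvent]:
    """Constructed sample: a normal user, a fast but benign backup job, and one bad host."""
    t0 = 1_700_000_000.0
    evs = [SmbEvent(t0 + i * 12, "ws-12", r"\\fs01\finance", "write", f"q3\\report{i}.xlsx")
           for i in range(5)]
    # backup: 200 writes in ~8s, but one share and ordinary extensions -> only one signal
    evs += [SmbEvent(t0 + i * 0.04, "backup-01", r"\\fs02\backup", "write", f"set\\vol{i}.vhdx")
            for i in range(200)]
    # ransomware-like: 80 renames to .locked across three shares in under 5s
    shares = [r"\\fs01\finance", r"\\fs01\hr", r"\\fs03\eng"]
    evs += [SmbEvent(t0 + 300 + i * 0.06, "ws-07", shares[i % 3], "rename", f"docs\\file{i}.docx.locked")
            for i in range(80)]
    return evs


if __name__ == "__main__":
    found = detect(make_sample_events())
    for host, why in found.items():
        print(host, "->", "; ".join(why))
    print(isolation_rules(found))
```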
The work comes out of our ransomware lab project that we started several months ago. The lab uses a standalone network within Cato where we reproduce ransomware infections in real-life organizations. “We execute them in the lab to understand how they do their encryptions, what file properties they change, and other parts of their operations and then we figure out how to optimize our heuristics to detect and prevent them,” says Tal Darsan, manager of managed security services at Cato. So far, the team has dug into more than a dozen ransomware families, including Black Basta, Conti, and Avos Locker.
To get a better sense of what our ransomware protections bring, check out the video below:
Azure SD-WAN: Cloud Datacenter Integration with Cato Networks
As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how.
Azure SD-WAN’s MPLS and SD-WAN Problem
When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations.
You can continue to rely on your centralized security gateway, backhauling traffic from branch offices for inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem?
Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users who sit off the MPLS network regardless.
And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions adding even more cost and complexity.
Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network, so you’re still reliant on MPLS for predictable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN.
How Azure SD-WAN Works to Connect Cato and Azure
Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs are colocated within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only a matter of crossing a fast LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge.
To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services and making the PoP the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to the destination PoP.
Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites run a Cato Socket, Cato’s SD-WAN appliance, or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices.
Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can easily deploy it in minutes instead of hours. To get started with Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines.
How Azure SD-WAN Secures Azure Resources
In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling.
Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
Azure instances and all resources connected to Cato, including sites, mobile users, and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments.
Azure SD-WAN Benefits
The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost:
Superior Microsoft Azure performance
The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services.
Security and deployment simplicity
With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.)
Networking and security agility
Cato’s SD-WAN’s simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN.
Affordable and fast ROI
Enterprises get superior cloud performance without paying the high cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato.
For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on Migrating your Datacenter Firewall to the Cloud.
Cato Expands to Marseilles and Improves Resiliency Within France
Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries.
As with all our PoPs, Marseilles isn’t just a “gateway” that secures traffic to and from the Internet. Cato PoPs are far more powerful. Like the rest of our PoPs, Marseilles will run Cato's Single Pass Cloud Engine (SPACE), Cato's converged cloud-native software. Cato SPACE provides enterprise-grade threat prevention, data protection, and global traffic optimization for East-West traffic to other Cato PoPs and North-South traffic to the Internet or the cloud.
Cato SPACE sets speed records in the SASE world by processing up to 3 Gbps of traffic per site with full decryption and all security engines active at line rate. Cato SPACE is so effective and reliable, that enterprises can replace legacy MPLS networks and security appliances.
The Marseilles PoP, like all of our PoPs, is equipped with multiple compute nodes running many SPACE engines. When a site’s traffic hits the Marseilles PoP, the traffic flow is immediately assigned to the most available SPACE engine.
Should a SPACE engine fail within a PoP, flows are automatically processed by another SPACE instance. Should the datacenter hosting a Cato PoP fail, users and resources automatically reconnect to the next available PoP as all PoPs are equipped with enough surplus capacity to accommodate the additional load.
A case in point was the recent Interxion datacenter outage. The datacenter housed the London Metal Exchange and Cato's London PoP. The outage disrupted the Exchange for nearly five hours. Cato customers were also impacted – for 30 seconds – as London-connected sites and users automatically and transparently moved over to Cato's Manchester and Dublin PoPs. In the case of Marseilles, Cato's self-healing architecture automatically and transparently moves sites and users to the next best PoP, likely the one in Paris.
"Before Cato, there were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider," said Thomas Chejfec, Group CIO of Haulotte, a global manufacturer of materials and people lifting equipment. Haulotte moved to Cato after facing three years of delays and cost overruns, rolling out MPLS to its more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific. "Since deploying Cato, the network is no longer a topic of discussion with users," says Chejfec. "We never hear about it anymore."
Of course, delivering a great cloud platform means having great partners. Cato's complete range of networking and security capabilities are available today from numerous partners across France, including Ava6, ADVENS, Anetys, Hexanet, IMS Networks, OCD, NEOVAD, Nomios, Rampar, Sasety, and Selceon.
Cato continues to work hard to deliver and grow our global network. Marseilles is our latest launch, but hardly our last. Expect us to continue adding PoPs and growing our global footprint so you can connect and secure your offices and users wherever they may be located.
How to Buy SASE: Cato Answers Network World’s 18 Essential Questions
Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation.
Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed. By contrast, The Cato SASE Cloud is the world's first cloud-native SASE platform, converging SD-WAN and network security in the cloud. Cato Cloud connects all enterprise network resources including branch locations, the mobile workforce, and physical and cloud data centers, into a global and secure, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. In short, Cato provides all of the core SASE capabilities identified by NWW.
We are pleased to respond point-by-point to every issue raised. You should also check out our SASE RFP template to help with the evaluation.
1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities? In other words, if your biggest need is Zero Trust, and the vendor's strength is SD-WAN, then the fit might not be right.
Yes, Cato provides all of the core capabilities NWW defines for SASE – and more. On the networking side, the Cato Global Private backbone connects 70+ PoPs worldwide. Locations automatically connect to the nearest PoP with our edge SD-WAN device, the Cato Socket. Cloud datacenters are connected via an agentless configuration, and cloud applications are connected through our cloud-optimized routing. Remote users connect in by using the Cato Mobile Client or clientless browser access.
On the security side, Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, directly built into the Cato Global Private Backbone. Current security services include firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), Cloud Access Security Broker (CASB), and a Managed Threat Detection and Response (MDR) service.
2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?
The Cato SASE Cloud is completely converged. The Cato SPACE architecture is a single software stack running in our PoPs. Enterprises manage and monitor networking, security, and access through a single application. All capabilities are available in context via a shared user interface. Objects created in one domain (such as security) are available in other domains (such as networking or remote access). (To see what we mean by seamless, check out this detailed walkthrough of the Cato Management Application.)
3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor's approach in terms of building capabilities internally or through acquisition? What is the vendor's track record integrating past acquisitions? If building internally, what is the vendor's track record of hitting its product release deadlines?
Cato has demonstrated its ability to develop and bring capabilities to market. Since its founding in 2015, Cato has successfully developed and delivered the global SASE cloud, which is used today by more than 1000 enterprises. We regularly add new services and capabilities to our platform, such as December's announcement of more than 103 frontend improvements and updates to our backend event architecture. (Other additions included a Cloud Application catalog, a Threats dashboard, an Application Analytics dashboard, CASB launch, and updates to our managed detection and response (MDR) service that automated security assessments.)
4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting?
Cato owns and maintains the Cato SASE Cloud. The PoPs are on our hardware hosted in tier-3 datacenters, running Cato's cloud-native software stack. Every PoP is connected by at least two, and many by four, tier-1 carriers, who provide SLA-backed capacity. Cato's custom routing software constantly evaluates these paths, identifying the shortest path for each packet.
Questions for MSPs
Network World also included a series of questions specific to managed service providers (MSPs) that we'd like to address as well. Cato, in addition to building a SASE platform, is also a service provider, so we took the liberty of responding to these questions as well.
1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices?
The Cato Global Private backbone currently serves 140 countries worldwide from more than 70 PoPs that we continue to expand each quarter.
2. Does the vendor have the scale, bandwidth, and technical know-how to deliver line-rate traffic inspection?
Thanks to our highly scalable cloud-native architecture, the Cato Cloud delivers line-rate performance regardless of whether traffic is encrypted or unencrypted and regardless of the number of security operations performed. PoPs have enough spare capacity to accommodate traffic surges. A case in point was how our Manchester PoP accommodated additional traffic during the Interxion outage.
3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor?
Cato can fully replace branch office firewalls and, usually, datacenter firewalls. Moreover, the convergence of capabilities allows us to deliver security capabilities and visibility impossible with legacy point solutions. For example, we can use data science and machine learning algorithms on networking data to spot security threats before they can exfiltrate data. The company was founded by security luminary Shlomo Kramer, co-founder of Checkpoint Software. It taps some of the brightest minds in cybersecurity that Israel has to offer. You're welcome to try out our platform and see for yourself.
4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers.
Cato is a well-established company with well over 1,100 enterprise customers, and we are committed to serving the needs of those customers for the long term. We've raised over $500 million in venture capital, resulting in a private $2.5 billion valuation.
5. For the traditional managed services powerhouses like AT&T and Verizon, do they have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard?
Cato, just like any cloud service provider, enables organizations to co-manage their own Cato implementation while Cato maintains the underlying infrastructure. IT teams can opt to manage the service themselves, outsource a subset of responsibilities to a Cato partner, or have a Cato partner fully manage it. There's always 24x7 support available.
6. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements?
Yes, customers apply a consistent security policy across the enterprise. In fact, enterprises have full control over their security policies. We instantiate the most commonly used security policies at startup, so most customers require little or no changes. The policy set is instantly applied across the global enterprise or to a specific site or user depending on requirements. Enterprises can, of course, add/change policies as necessary.
7. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.
Cato provides centralized administration via our management application. Both security and network policies are managed from the same interface for all Cato-connected users and resources, whether they exist in the office, on the road, at home, or in the cloud.
8. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
Cato encrypts and protects all data in transit and at rest within the Cato network. Designated applications or data flows that contain sensitive information can also remain encrypted if required in a way that bypasses Cato inspection engines.
9. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting?
Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet and east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on east-west traffic regardless of the user's location, thanks to the Cato Global Private Backbone and our distributed cloud architecture.
10. Is policy enforced consistently for all possible access scenarios: individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
Cato uses a single policy set for all access scenarios.
11. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world at cloud scale using a service that is both self-healing and self-maintaining.
12. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
The Cato SASE Cloud is a fully distributed, self-healing service that includes many tiers of redundancy. If the core processing a flow fails, the flow is handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available, so users automatically reconnect to the next best available PoP. Enterprises do not need to do the high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services.
We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato's routing software detects the change and automatically selects the next best path from one of the other carriers connecting our PoPs. Should the entire Cato backbone (that's right, all 70+ PoPs) somehow disappear one day, Cato Sockets will automatically bring up a peer-to-peer network.
13. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?
Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements and then continues to monitor the device once connected.
Should a key variable change, such as an anti-malware engine expiring, the device can be blocked from the network or given limited access, depending on corporate requirements. As users connect to cloud application resources, Cato inspects the traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or granting write access to key applications.
14. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.?
The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato's edge SD-WAN device, log into their network as usual with no change.
Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimized routing to minimize latency and WAN optimization to maximize throughput. The result is a remote user experience that's as close as possible to being inside the office.
Other Questions to Explore
We applaud Network World for raising these issues. Some other questions we might encourage IT teams to ask MSPs include:
High Availability (HA): Take a close look at how HA is delivered by the vendor. What's the additional cost involved with deploying the secondary appliance? How are the SD-WAN devices configured and deployed? For most enterprises, HA has become the de facto edge configuration to ensure the high uptime they're looking for, particularly when replacing MPLS.
What happens when there is a lockup rather than just an outage, will the system failover properly?
What about the underlying memory, storage, and server system underpinning what are often virtual appliances?
What happens if the PoP itself becomes inaccessible?
The list goes on. The secure Cato SASE platform is based on a fully distributed self-healing network built for the cloud era that we manage 24/7 on behalf of our customers. Anything less than that from our perspective simply isn't SASE.
Eye-Opening Results from Forrester’s Cato SASE Total Economic Impact Report
We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was founded, but how do those benefits translate into hard numbers? We decided it was time to quantify Cato SASE’s real-world financial benefit with a recognized, well-structured methodology, so we commissioned a Total Economic Impact (TEI) study with the consulting arm of the leading analyst firm Forrester.
Forrester interviewed several Cato customers in-depth and used its proprietary TEI methodology to come up with numbers for investment impact, benefits, costs, flexibility, and risks. More on this later.
The results were impressive. According to Forrester, Cato’s ROI came out to 246% over three years with total savings of $4.33 million net present value (NPV) and a payback of the initial investment in under six months. Those numbers don’t include additional savings from less tangible benefits such as risk reduction.
The $4.33 million NPV savings break down this way:
$3.8 million savings in reduced operations and maintenance
$44,000 savings in reduced time to configure Cato at new sites
$2.2 million savings from retiring all the systems replaced by Cato Networks
Investment of $1.76 million over three years
$6.09 million – $1.76 million = $4.33 million NPV.
Numbers Are Only Half the Story
The numbers are certainly impressive, but some of the unquantified benefits the report picked up were perhaps even more enlightening:
Improved employee morale: Team members reported that the activities they were able to shift to after switching to Cato (optimizing systems, for example) were considerably more rewarding than the more mundane activities of setting up, updating, and managing a lot of equipment before Cato.
Consistent security rules: Deploying Cato revealed a lot of inconsistencies in organizations’ governing and securing of network traffic across different sites. The Cato SASE Cloud was able to quickly consolidate all that mess into a single global set of rules, with an obvious positive impact on both security and management.
Reduced time and transit costs: Cato equipment moves through customs without delay or assessments of value-added tax (VAT). This is because Cato Sockets are very simple devices that simply direct traffic to our cloud, where most of the complex encryption and other technologies lie.
Better application performance: We expected this result, which comes from improved network performance.
Overall, respondents describe a transformative, before/after experience.
Before Cato, the organizations had to dedicate separate teams to the costly, time-consuming complexities of managing VPNs, Internet, WAN, and other functions, including spending a lot of time and resources deploying updates at each individual site. Adding new sites was a complex time-consuming process. All that mundane work made it difficult to execute the corporate digital transformation strategy.
As one technology director said about why he turned to Cato, “My goal was, I don’t want my team worrying about how to get a packet from A to B. I’m interested in Layer 7 of the network stack. I want to know: Are applications behaving the way they should? Are people getting the performance they should? Are we secure? You don’t have time to answer that if you’re worried about getting it from A to B.”
After Cato, all of the updates and most of the management were simply delegated to the Cato SASE Cloud. All the remaining network and security oversight required by the customer could be accomplished through a single Cato dashboard. This allowed organizations to redirect all those “before” resources to value-added activities such as system optimization, onboarding new acquisitions, and fast deployment of new sites.
The resulting employee satisfaction benefits were substantial. As a technology director said, “What I heard from my team is, ‘I love that the problems I’m solving on a day-to-day basis are on a completely different order than what I used to have to deal with before.’ They think about complex traffic problems and application troubleshooting and performance.”
Setting up new sites was also vastly easier with Cato, as one IT manager said: “Honestly I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [unnamed previous solution] you need 10 engineers to set it up and 20 engineers to keep it running. With Cato this all went away.”
How Forrester Got The Numbers
Forrester’s findings were the result of in-depth interviews with five decision-makers whose organizations are Cato customers. Forrester compared data based on their experiences prior to deploying Cato with a composite organizational model of a “vanilla” customer. The description of the five decision-makers is in the table below.
The report describes the composite organization that is representative of the five decision-makers Forrester interviewed and is used to present the aggregate financial analysis in the next section. The global company is headquartered in the U.S. with 40 sites across the U.S., Europe, and the Asia Pacific region, growing to 61 by year three. It also has two on-premises and two cloud datacenters in the U.S., one on-premises and two cloud-based datacenters in Europe, and two cloud-based datacenters in Asia Pacific. Year one remote users total 1,500, growing to 2,100 by year three.
Forrester then used its proprietary TEI methodology to construct a financial model with risk-adjusted numbers. The TEI modeling fundamentals included investment impact, benefits, costs, flexibility, and risks.
Some of the more dramatic savings numbers came in operations and maintenance: The organization was able to redirect 10 full-time employees (FTEs) from operations and maintenance to more value-adding activities in year one. By year three it avoided having to hire 12 more FTEs that would have had to manage the previous solution. The average fully loaded annual compensation for a single full-time data engineer is $148,500.
Lots of savings also came from retired systems, including the traditional edge router, perimeter next-generation firewall appliances, intrusion detection and prevention systems, and SD-WAN.
And then there were benefits from Cato’s remote access flexibility. As one IT team manager said, “When COVID hit we were able to add the entire company to the VPN and provide them the ability to work from home in a matter of days. That was amazing.” (Follow the link to read more about Cato’s approach to secure remote access).
I could go on, but take a look for yourself. There’s a lot more juicy data in the report; it’s pretty surprising at times and not a difficult read. You can access The Total Economic Impact™ of Cato Networks report by following the link.
Making Site Support a Bit Easier: Meet the Diagnostic Toolbox in Your Cato Socket
One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at a really bad time. Users are complaining about connection issues, and just when they're frustrated, you need them to be patient enough for you to walk them through the troubleshooting steps needed to diagnose the problem. Wouldn’t it have been better if you had tools already in place before a problem occurs? Then you could run your testing without involving the user.
Well, now you do. We’ve added an IT toolbox to our Cato Socket, Cato’s SD-WAN device. Embedded in the Socket Web UI is a single interface through which network administrators can test and troubleshoot remote connectivity without involving the end-user. Ping, Traceroute, Speedtest, and iPerf are already available, instantly, through a common interface and without any user involvement.
Image caption: The IT toolbox within the Cato Socket UI provides a range of tools for IT to diagnose last-mile connections from a single web interface.
Of course, those are not the only troubleshooting tools provided in Cato SASE Cloud. Cato was built from the philosophy that network troubleshooting is a team sport. While Cato Networks engineers maintain the Cato private backbone for 99.999% uptime, Cato users can manage and run the network themselves. They don’t have to open support tickets for changes they can just as easily address independently. Cato provides the tools for doing just that.
Numerous dashboards reporting on packet loss, latency, jitter, and real-time status help IT diagnose problems once users are connected to Cato.
Image caption: Cato includes dynamic dashboard reports on last-mile packet loss, latency, jitter, throughput and more for upstream and downstream connections.
Our event discovery capability provides any IT team with advanced research and analytics tools to query a data warehouse that we curate and maintain. It organizes more than 100 types of security, connectivity, system, routing, and Socket management events into a single timeline that can be easily queried. Complex queries can be built by selecting from the types and sub-types of events, so that the test data collected with the Socket Web UI tools can be compared against what has previously occurred on that network connection.
Image caption: With Events, Cato converges networking and security events into a single timeline, simplifying the troubleshooting process.
Remote troubleshooting has always been a challenge for IT. With remote offices and more users working from home that challenge will only grow. Having the diagnostic tools in place before problems occur goes a long way to improving IT satisfaction.
Moving Beyond Remote Access VPNs
The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for their industry and business. With the pandemic, remote work was proven to not only work but work well. However, this rapid shift to remote work left little time to redesign and invest in remote work infrastructure and raised serious information security concerns. As a result, many companies attempted to meet the needs of their remote workforce via remote access VPNs with varying levels of success.
What is a Remote Access VPN and How Does it Work?
A remote access virtual private network (VPN) is a solution designed to securely connect a remote user to the enterprise network. A remote access VPN creates an encrypted tunnel between a remote worker and the enterprise network. This allows traffic to be sent securely between these parties over untrusted public networks.
VPNs in general are designed to create an encrypted tunnel between two points. Before sending any data over the connection, the two VPN endpoints perform a handshake that allows them to securely generate a shared secret key. Each endpoint of the VPN connection will use this shared encryption key to encrypt the traffic sent to the other endpoint and decrypt traffic sent to them. This creates the VPN tunnel that allows traffic to be sent over a public network without the risk of eavesdropping.
In the case of a remote access VPN, one end of the VPN connection is a VPN appliance or concentrator on the enterprise network and the other is a remote worker’s computer. Both sides will perform the handshake and handle the encryption and decryption of all data on the VPN connection, and a user will have access to resources similar to if they were in the office.
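The handshake-then-tunnel sequence just described, carried out end to end in a constructed example (added here; it is not code from the post or from Cato): the two endpoints agree on a shared secret with X25519 (RFC 7748, written out in pure Python and not constant-time), derive separate keys for each direction, and then protect every packet with an encrypt-then-MAC construction built from HMAC-SHA256, a stand-in for the AEAD a production VPN would use. The endpoint private keys are the RFC 7748 test vectors, so the public values and the shared secret can be checked against the RFC.

```python
"""Simulated remote access VPN: key-agreement handshake, then an encrypted tunnel.
Added teaching example (not Cato code). X25519 is implemented in plain Python so the
exchange is readable; it is NOT constant-time. The packet format is constructed."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
# RFC 7748 section 6.1 test keys, so the handshake below is checkable against the RFC.
CLIENT_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
GATEWAY_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping: clear low 3 bits, clear top bit, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(private: bytes, peer_u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: scalar * point, u-coordinate only."""
    k = _clamp(private)
    u = bytearray(peer_u)
    u[31] &= 127
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap done as a branch (not constant-time; demo only)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_keys(shared: bytes, direction: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys per traffic direction, from the shared secret."""
    enc = hmac.new(shared, direction + b"|enc", hashlib.sha256).digest()
    mac = hmac.new(shared, direction + b"|mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:  # counter-mode keystream built from HMAC blocks
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(keys: Tuple[bytes, bytes], plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one packet: nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_packet(keys: Tuple[bytes, bytes], packet: bytes) -> Optional[bytes]:
    """Verify the tag first; a forged or corrupted packet is dropped, never decrypted."""
    enc_key, mac_key = keys
    nonce, ct, tag = packet[:12], packet[12:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_demo() -> dict:
    """Constructed exchange: remote worker (client) to the enterprise VPN concentrator."""
    client_pub = x25519(CLIENT_PRIV, BASEPOINT)      # the only values that cross the
    gateway_pub = x25519(GATEWAY_PRIV, BASEPOINT)    # untrusted network in the clear
    k_client = x25519(CLIENT_PRIV, gateway_pub)      # each side computes the same secret
    k_gateway = x25519(GATEWAY_PRIV, client_pub)     # without it ever being transmitted
    send_keys = derive_keys(k_client, b"client->gateway")    # client side
    recv_keys = derive_keys(k_gateway, b"client->gateway")   # gateway side, same keys
    packet = seal(send_keys, b"GET /payroll HTTP/1.1")        # what an eavesdropper sees
    forged = packet[:-1] + bytes([packet[-1] ^ 1])            # one tag bit flipped in transit
    return {
        "client_public": client_pub.hex(),
        "gateway_public": gateway_pub.hex(),
        "shared_secret": k_client.hex(),
        "same_secret": k_client == k_gateway,
        "decrypted": open_packet(recv_keys, packet),
        "forged_dropped": open_packet(recv_keys, forged) is None,
    }
```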
Why Companies Need to Move Beyond Remote Access VPNs
Remote access VPNs were widely adopted in the wake of COVID-19 because companies had existing VPN infrastructure and were simply comfortable with the technology. However, these VPN solutions have numerous limitations, including:
Continuous Usage: Corporate VPN infrastructure was originally designed to occasionally connect a small percentage of the workforce to the enterprise network and resources. With the need to support continuous remote work for most or all of the organization’s employees, remote access VPNs no longer meet business requirements.
Limited Scalability of VPNs: Existing VPN infrastructure was not built to support the entire workforce, making it necessary to scale to meet demand. Attempting to solve this issue using additional VPN appliances or concentrators increases the complexity of the enterprise network and requires additional investment in security appliances as well.
Lack of Integrated Security: A remote access VPN is designed to provide an encrypted connection between a remote worker and enterprise systems. It does not include the enterprise-grade security inspection and monitoring that is necessary to protect against modern cyber threats. Relying on remote access VPNs forces companies to invest in additional, standalone security solutions to secure their VPN infrastructure.
Security Granularity: A remote access VPN provides access similar to a direct connection to the enterprise network. These VPNs provide unrestricted access to enterprise resources in violation of the principles of least privilege and zero-trust security. As a result, a compromised account can provide an attacker with far-reaching access and enables the unrestricted spread of malware.
Performance and Availability: VPN traffic travels over the public Internet, meaning that its performance and availability depend on that of the underlying Internet. Packet loss and jitter are common on the Internet, and latency and availability issues can have a significant impact on the productivity of a remote workforce reliant on remote VPNs for connectivity.
Geographic Limitations: VPNs are designed to provide point-to-point connectivity between two locations. As companies become more distributed and reliant on cloud-based infrastructure, using VPNs for remote access creates complex VPN infrastructure or inefficient traffic routing.
Remote access VPNs were a workable secure remote access solution when a small number of employees required occasional remote connectivity to the enterprise network. As telework becomes widespread and corporate networks become more complex, remote access VPNs no longer meet enterprise needs.
Enterprise Solutions for Secure Remote Access
VPNs are the oldest and best-known solution for secure remote access, but this certainly doesn’t mean that they are the best available solution. The numerous limitations and disadvantages of VPNs make them ill-suited to the modern, distributed enterprise that needs to support a mostly or wholly remote workforce.
Today, VPNs are not the only option for enterprise secure remote access. Gartner has coined the term Secure Access Service Edge (SASE) to describe cloud-native solutions that integrate SD-WAN functionality with a full security stack.
Zero trust network access (ZTNA) is one of the security solutions integrated into SASE and serves as a superior alternative to the remote access VPN. Some of the advantages of replacing remote access VPNs with SASE include:
Scalability and Flexibility: SASE is built using a network of geographically distributed, cloud-based Points of Presence (PoPs). This enables the SASE network to seamlessly scale to meet demand without the need to deploy additional VPN and security appliances.
Availability and Redundancy: SASE nodes are built to be redundant and to identify the best available path to traffic’s destination. This offers much higher availability and resiliency and eliminates the single points of failure of VPN-based remote access infrastructure.
Private Backbone: SASE PoPs are connected via a secure private backbone. This enables SASE to provide performance and availability guarantees that are not possible for Internet-based VPNs.
Integrated Security: In addition to ZTNA, which enforces zero-trust access controls, SASE PoPs integrate a full stack of network security solutions. This enables them to provide enterprise-grade security without the need for additional standalone security solutions, inefficient routing, or security chokepoints.
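How the "unrestricted access" of a flat remote access VPN differs from per-request zero-trust decisions that take device posture into account (the Security Granularity limitation above, and the connect-time and mid-session posture checks described in the earlier Q&A), as an added example that is not Cato's policy engine: the application inventory, group names, posture fields and the "block or limited" choice for a lapsed anti-malware engine are all constructed for illustration.

```python
"""Flat VPN access vs per-request zero-trust decisions (added example, not Cato code)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import FrozenSet


@dataclass(frozen=True)
class DevicePosture:
    managed: bool              # enrolled, company-managed device
    antimalware_expires: date  # expiry of the anti-malware engine's licence/signatures


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    app: str
    action: str                # "read", "write" or "upload"
    posture: DevicePosture
    now: date


# Constructed application inventory: who may reach what, and from which devices.
APP_POLICY = {
    "crm": {"groups": {"sales", "it"}, "allow_unmanaged": True},
    "erp": {"groups": {"finance"}, "allow_unmanaged": False},
    "git": {"groups": {"engineering"}, "allow_unmanaged": False},
}
WRITE_ACTIONS = {"write", "upload"}


def vpn_reachable_apps(tunnel_established: bool) -> set:
    """Legacy remote access VPN: the tunnel is the only gate. Once it is up, the user
    is effectively on the network and every application is reachable, whatever the
    user's role or the device's state; a compromised account inherits all of it."""
    return set(APP_POLICY) if tunnel_established else set()


def ztna_decision(req: AccessRequest, expired_engine_action: str = "limited") -> str:
    """Zero-trust decision for one request: 'allow', 'limited' (read-only) or 'block'.
    expired_engine_action is the corporate choice for a lapsed anti-malware engine:
    'block' the device outright, or 'limited' to read-only access."""
    policy = APP_POLICY.get(req.app)
    if policy is None or not (req.groups & policy["groups"]):
        return "block"                      # app is not in the user's entitlements
    if not req.posture.managed and not policy["allow_unmanaged"]:
        return "block"                      # this app never serves unmanaged devices
    if req.posture.antimalware_expires < req.now:
        if expired_engine_action == "block" or req.action in WRITE_ACTIONS:
            return "block"
        return "limited"                    # degraded, read-only session
    if req.action in WRITE_ACTIONS and not req.posture.managed:
        return "block"                      # write/upload only from managed devices
    return "allow"


def reevaluate_session(req: AccessRequest, latest: DevicePosture, now: date,
                       expired_engine_action: str = "limited") -> str:
    """Continuous evaluation: the same policy is re-run mid-session against the
    device's latest posture rather than the posture observed at connect time."""
    return ztna_decision(replace(req, posture=latest, now=now), expired_engine_action)


def demo_scenario() -> dict:
    """Constructed walk-through: a sales user on managed, BYOD and lapsed devices."""
    healthy = DevicePosture(managed=True, antimalware_expires=date(2030, 1, 1))
    byod = DevicePosture(managed=False, antimalware_expires=date(2030, 1, 1))
    lapsed = DevicePosture(managed=True, antimalware_expires=date(2024, 5, 1))
    ana = AccessRequest("ana", frozenset({"sales"}), "crm", "read", healthy, date(2024, 6, 1))
    later = date(2024, 6, 2)
    return {
        "vpn_flat_access": sorted(vpn_reachable_apps(True)),
        "crm_read": ztna_decision(ana),
        "erp_read": ztna_decision(replace(ana, app="erp")),
        "crm_read_byod": ztna_decision(replace(ana, posture=byod)),
        "crm_upload_byod": ztna_decision(replace(ana, posture=byod, action="upload")),
        "git_read_byod": ztna_decision(replace(ana, app="git", posture=byod)),
        "midsession_lapsed_read": reevaluate_session(ana, lapsed, later),
        "midsession_lapsed_write": reevaluate_session(replace(ana, action="write"), lapsed, later),
        "midsession_lapsed_strict": reevaluate_session(ana, lapsed, later, "block"),
    }
```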
If you’re looking to deploy or upgrade your organization’s secure remote access infrastructure, a remote access VPN is likely not the right answer. Cato’s SASE-based remote access service provides all of the benefits of a VPN with none of the downsides. To learn more about SASE and how it can work for your business, contact us here.
What is Network-as-a-Service and Why WAN Transformation Needs NaaS and SASE
The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around for at least a decade and has come back in vogue to describe networking purchased on a subscription basis.
But what’s particularly interesting for anyone moving away from a global MPLS network or otherwise looking at WAN transformation is the impact NaaS will have on evolving the enterprise backbone. For all of its talk, SASE as understood by much of the industry, will not completely replace a global MPLS network; the Internet is simply too unpredictable for that. Only by converging SASE with NaaS can companies eliminate costly, legacy MPLS services.
What is NaaS (Network-as-a-Service)
Exactly what constitutes a NaaS is open to some debate. All agree that NaaS offerings allow enterprises to consume networking on a subscription basis without having to deploy any hardware. According to a recent Network World article, IDC’s senior research analyst Brandon Butler wrote in a recent whitepaper "NaaS models are inclusive of integrated hardware, software, licenses and support services delivered in a flexible consumption or subscription-based offering.”
Cisco in its recent report flushed that out a bit further defining NaaS as “a cloud-enabled, usage-based consumption model that allows users to acquire and orchestrate network capabilities without owning, building, or maintaining their own infrastructure,” writes industry analyst, Tom Nolle.
Gartner identifies the specific attributes of a cloud service. According to Gartner’s Andrew Lerner, “NaaS is a delivery model for networking products. NaaS offerings deliver network functionality as a service, which include the following capabilities:
Ability to scale up and down.
billed on an opex model
consumption-based, via a metered metric (such as ports, bandwidth or users), (not based on network devices/appliances).
NaaS offerings may include elements such as network switches, routers, gateways and firewalls.”
For those running datacenter networks, Network World reports NaaS offerings will allow them to purchase compute, networking, and storage components configured through an API and controlled by a common management package. (Personally, I find the focus on the appliance form factor a reflection of legacy thinking. Gartner’s view of a consumption-based model based on bandwidth or users, not appliances, I think to be more accurate, but let’s leave that aside for the moment.)
But for those involved in the WAN, NaaS is also increasingly coming to describe a new kind of backbone, one that’s programmable, sold on a subscription basis, and designed for the cloud. “I see NaaS as a way to describe agile, programmable backbones and interconnections in a hybrid, multi-cloud architecture,” wrote Shamus McGillicuddy, vice president of network management research at Enterprise Management Associates in an email.
NaaS Must Meet SASE
But here’s the thing, with the proliferation of threats any networking service cannot be divorced from security policy enforcement and threat prevention. It’s why SASE has emerged to be such a dominant force. The convergence of SD-WAN with four areas of security -- NGFW, SWG, CASB, and ZTNA – enables enterprises to extend security policies everywhere will also being more effective and more efficient. (Just check out what our customers say if you want first-hand proof.)
But SASE alone can’t replace MPLS. Converging SD-WAN and security still doesn’t address the need for a predictable, efficient global backbone. And the public Internet is far too unpredictable and too inefficient to support the global enterprise. What’s needed is to converge SASE with a backbone NaaS: a global private backbone delivered on a subscription basis.
Cato: The Global SASE Platform That Includes NaaS
The Cato SASE Cloud is the only SASE platform that operates across its own global private backbone, providing SASE and backbone NaaS in one. With the Cato SASE platform, enterprises not only converge security with SD-WAN, but they also get predictable, optimized global connectivity.
“Cato Networks operates its own security network as a service (NaaS) providing a range of
security services including SWG, FWaaS, VPN, and MDR from its own cloud-based network,” writes Futuriom in its “Cloud Secure Edge and SASE Trends Report.” (Click on the link to download the report for free)
The Cato private backbone is a global, geographically distributed, SLA-backed network of 65+ PoPs, interconnected by multiple tier-1 carriers. Each PoP runs Cato’s cloud-native software stack, which, along with security convergence, provides global routing optimization and WAN optimization for maximum end-to-end throughput.
Our software continuously monitors network services for latency, packet loss, and jitter to determine, in real time, the best route for sending every network packet. In fact, according to independent testing, Cato is the only backbone NaaS in the world to include WAN optimization and, as a result, increases iPerf throughput 10x-20x over what you’d expect to see with MPLS or Internet. The backbone is fully encrypted for maximum security and self-healing for maximum uptime.
The Cato Socket, Cato’s edge SD-WAN device, automatically connects to the nearest Cato PoP. All outbound site traffic is sent to the PoP. Policies then direct Internet traffic out to the Internet and the rest across the Cato backbone.
SASE and NaaS Better Together
Converging SASE and backbone NaaS together also offers unique advantages compared to keeping the two separate. Deployment becomes incredibly quick. Customers can often bring up new locations on Cato, complete with SD-WAN, routing policies, access policies, malware protection rules, and global backbone connections, in under two hours and without expert IT assistance.
Convergence also allows for deeper insights. Cato captures and stores the metadata of every traffic flow from every user across its global private backbone in a massive data lake. This incredible resource enables Cato engineers to do all sorts of “what if” analysis, which would otherwise be impossible. One practical example is the Cato Event screen, which displays all connectivity, routing, security, system, and Socket management events on one queryable timeline for the past year. Suddenly it becomes very simple to see why users might be having a problem. Was it a last-mile issue? A permissions issue caused by a reconfigured firewall rule? Something else? Identifying root cause becomes much quicker and simpler when you have a single, holistic view of your infrastructure.
[caption id="attachment_21441" align="alignnone" width="1920"] Converging the backbone, SD-WAN, and security into one service enables all events to be presented in a single screen for easy troubleshooting. [/caption]
WAN Transformation That Makes Sense
In short, converging NaaS and SASE together results in better WAN transformation, one that reduces cost, simplifies security, and improves performance, all without compromising on the predictability and reliability enterprises expect from their networks.
Hard to believe? Yeah, we get that. It’s why we’ve been called the “Apple of networking.” But don’t take our word for it. Take us for a test drive and see for yourself. We can usually get a POC set up in minutes and hours, not days. But that shouldn’t be a surprise. We’re an “as a service” after all.
December 14, 2021
Independent Compliance and Security Assessment – Two Additions to the All-New Cato Management Application If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly brings a scalable, powerful interface. But it’s far more than just another pretty face. It’s a complete restructuring of the backend event architecture and a new frontend with more than 103 improvements.
New dashboards and capabilities can be found throughout the platform. We improved cloud insight with a new advanced cloud catalog. New independent conformance testing for regulatory compliance and security capabilities is, I think, a first in the industry. We enhanced security reporting with an all-new threats dashboard and opened up application performance with another new dashboard. Let’s take a closer look at some of these changes.
New Topology View and a New Backend
The top-level topology view has been redesigned to accommodate deployments of thousands of sites and tens of thousands of users. In the new Management Application, we’ve also enabled customization of the top-level view, letting you decide how much detail to show across all edges (sites, remote users, and cloud assets) connected to and secured by Cato SASE Cloud (see Figure 1).
[caption id="attachment_20988" align="alignnone" width="1024"] Figure 1 Cato’s new Management Application lets enterprises continue to manage their network, security, and access infrastructure from a common interface (1). The new front-end is completely customizable and can surface the providers (2) connecting sites and remote users. You can easily identify problematic sites (3) and drill down into a user or location’s stats at a click (4). [/caption]
Behind the Cato Management Application is a completely rearchitected backend. Improved query analytics for site metrics and events makes the process more efficient and the interface more responsive even with customer environments generating over 2 billion events per day. A new event pipeline increases the event retrieval volume while allowing NetOps and NetSecOps to be more specific and export just the necessary events.
[boxlink link="https://www.catonetworks.com/resources/management-application-walkthrough/"] Cato Management Application [30 min Walkthrough] | Take the Tour [/boxlink]
Independent Compliance Rating Revolutionizes Compliance and Security Verification
A new cloud application catalog has been introduced with 5000 of the most common enterprise applications. For each application, the catalog includes a detailed description of the target app automatically generated by a proprietary data mining service and an independently verified risk score (see Figure 2).
[caption id="attachment_20990" align="alignnone" width="1920"] Figure 2: The new Cloud Apps Catalog contains more than 5000 applications with an overall risk score[/caption]
The risk score is based on Cato’s automated and independent assessment of the cloud application’s compliance levels and security capabilities. Using the massive data lake we maintain of the metadata from every flow crossing Cato’s Global Private Backbone, machine learning algorithms automatically check an application’s claimed regulatory compliance and security features. Currently, Cato’s regulatory compliance verification includes HIPAA, PCI, and SOC 1-3. Security feature verification includes MFA, encryption of data at rest, and SSO (see Figure 3).
[caption id="attachment_20992" align="alignnone" width="1660"] Figure 3: Cato independently verifies the application’s conformance with regulations and security features[/caption]
New Threat Dashboard Identifies Key Threats Across the Enterprise
[caption id="attachment_21022" align="alignnone" width="1919"] Figure 4: The new Threat Dashboard provides a snapshot of threats across enterprise security infrastructure for assessing the company’s Shadow IT position[/caption]
The new Threat Dashboard summarizes the insights drawn from Cato’s Managed IPS, FWaaS, SWG, and Anti-Malware services. Through a single dashboard, security teams can see the top threats across the enterprise. A dynamic, drill-down timeline allows security teams to gather more insight. Top hosts and users identify the impacted individuals and endpoints (Figure 4).
New Application Dashboard Provides Snapshot of Usage Analytics
With the new Application Dashboard, you gain an overall view of your enterprise application analytics. Administrators can easily understand current and historical bandwidth consumption and flow generation by combinations of sites, users, applications, domains, and categories (Figure 5).
[caption id="attachment_20996" align="alignnone" width="1442"] Figure 5: The new Application Analytics dashboard provides an overview of application usage that can be easily segmented by combinations of multiple dimensions. In this case, application consumption is shown for each user at a particular site.[/caption]
The Cato Management Application is currently available at no additional charge. To learn more about the management platform, click here or check out this 30 min walkthrough video. You can also contact us for a personal demo.
New Insight Into SASE from the Recent Gartner® Report on Impact Radar: Communications In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform.
The Gartner report states, “While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SD-WAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.”
To learn more, check out this excerpt of the SASE text from the report:
Secure Access Service Edge (SASE)
Analysis by: Nat Smith
Secure access service edge (SASE, pronounced “sassy”) delivers multiple converged network and security as a service capabilities, such as SD-WAN, secure web gateway (SWG), cloud access security broker (CASB), firewall, and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises general internet security use cases. SASE is primarily delivered as a service and enables dynamic zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.
SASE is evolving from five contributing security and network segments: software-defined wide-area network (SD-WAN), firewall, SWG, CASB and ZTNA. The consolidation of offerings into a single SASE market continues to increase buyer interest and demand. Several vendors offer completely integrated solutions already, and many vendors offer intermediary steps, usually consolidating five products into two. Consolidation and integration of capabilities is one of the main drivers for buyers moving to SASE. This is more important than best-of-breed capabilities for the moment, but that will change as consolidated, single-vendor solutions become more mature.
While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SDWAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.
[boxlink link="https://catonetworks.easywebinar.live/registration-77?utm_source=blog&utm_medium=top_cta&utm_campaign=strategic_roadmap_webinar"] Strategic Roadmap for SASE | Watch Now [/boxlink]
Range: 1 to 3 Years
Even though some vendors are not implementing all portions of SASE on their own today, Gartner estimates SASE is about one to three years away from early majority adoption. There are several factors or use cases that we predict will drive the speed of adoption. Consolidation of administration and security enforcement of cloud services, network edge transport, and content protection features drives higher efficiency and scale for remote workers and cloud services. There are three key market segments that we expect to consolidate and serve as components of SASE: these are SWG, CASB and ZTNA. The majority of end users have already transitioned to cloud-based services or are actively doing so now. Second, instead of five components loosely from separate vendors, a single SASE offering with all five components converged into a single offering is the other activity to watch. Several vendors offer complete SASE solutions today and those solutions are maturing quickly. Because of the availability of these two factors, or use cases, buyer adoption is picking up.
Mass is high because SASE has a direct impact on the future of its five contributing market segments — SD-WAN, firewall, SWG, CASB and ZTNA — predicting that they will largely go away, eventually to be engulfed by SASE. Client interest, Google searches, and analyst opinion further validate the likelihood of SASE. Further adding to mass, SASE is also appropriate across all industries and multiple business functions. The changes required for offerings in the contributing segments to evolve to a SASE cloud edge-based solution are significant for some of these contributing markets. The density of this change is high — not only because this affects five segments, but some of these segments are quite large. Appliance-based products will need to transform into cloud native services, not merely cloud-hosted virtual machines (VMs). However, a cloud-native service alone is not sufficient — vendors will also need points of presence (POPs) or cloud edge presence as well, which may require substantial investment or partnerships.
Create a migration path that gives buyers the flexibility to easily adopt SASE capabilities when ready while still being able to use and manage their existing network and security investments. Most buyers will need to work in a hybrid environment of part SASE and part traditional elements for an extended period of time.
Fill out your portfolio or aggressively partner through deep integration to cover any gaps in the SASE offering. Products in the five contributing segments will increasingly become undesirable to buyers if they do not have a convergence path to SASE.
Develop cloud-native components as scalable microservices that can all process packets in a single pass. In a highly competitive SASE market, agility and cost will increasingly become important, and microservices provide both of these benefits. Build a network of distributed points of presence (POPs) through colocation facilities, service provider POPs or infrastructure as a service (IaaS) to reduce latency and improve performance for network security services. The evolution to SASE also requires an evolution of product delivery vehicles.
Gartner Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
1Gartner, “Emerging Technologies and Trends Impact Radar: Communications”, Christian Canales, Bill Ray, Kosei Takiishi, Andrew Lerner, Tim Zimmerman, Simon Richard, 13 October 2021
The Future of the Enterprise Firewall is in The Cloud If you're like many of the IT leaders we encounter, you're likely facing a refresh on your firewall appliances or will face one soon enough. And while the standard practice was to exchange one firewall appliance for another, increasingly, enterprises seem to be replacing firewall appliances with firewall-as-a-service (FWaaS).
Yes, that's probably not news coming from Cato. After all, we've seen more than 1,000 enterprises adopt Cato's FWaaS to secure more than 300,000 mobile users and 15,000 branch offices. And in every one of those deployments, FWaaS displaced firewall appliances.
But it's not just Cato who's seeing this change. Last year, Gartner® projected that by 2025, 30% of new distributed branch office firewall deployments would switch to FWaaS, up from less than 5% in 2020.1
And just this week, for the first time, Gartner included Cato in its “Magic QuadrantTM for Network Firewalls” for the FWaaS implementation of a cloud-native SASE architecture, the Cato SASE Cloud.2
What's Changing for FWaaS
What's behind this change? FWaaS, and Cato's FWaaS in particular, eliminates the cost and complexity of buying, evaluating, and upgrading firewall appliances. It also makes keeping security infrastructure up-to-date much easier. Rather than stopping everything and racing to apply new IPS signatures and software patches whenever a zero-day threat is found, Cato's FWaaS is kept updated automatically by Cato’s engineers.
Most of all, FWaaS is a better fit for the macro trends shaping your enterprise. No matter where users work or resources reside, FWaaS can deliver secure access, easily. By contrast, physical appliances are poorly suited for securing cloud resources, and virtual appliances consume significant cloud resources while requiring the same upkeep as their physical equivalents. And with users working from home, investing in appliances makes little sense. Delivering secure remote access with an office firewall requires backhauling the user’s traffic, increasing latency, and degrading the remote user experience.
[boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=datacenter_firewall"] Migrating your Datacenter Firewall to the Cloud | Download eBook [/boxlink]
Not Just FWaaS, Cloud-Native FWaaS
But to realize those benefits, it's not enough that a provider delivers FWaaS. The FWaaS must run on a global cloud-native architecture.
FWaaS offerings running on physical or virtual appliances hosted in the cloud mean resource utilization is still locked into the granularity of appliances, increasing costs to the providers and ultimately to their customers. Appliances also force IT leaders to think through and pay for high-availability (HA) and failover scenarios. It's not just about running redundant appliances in the cloud. What happens if the PoP hosting those appliances fails? How do connecting locations and users fail over to alternative PoPs? Does the FWaaS even have sufficient PoP density to support that failover?
By contrast, with a cloud-native FWaaS, the Cato SASE Cloud shares virtual infrastructure in a way that abstracts resource utilization from the underlying technology. The platform is stateless and fully distributed, assigning tunnels to the optimum Cato Single Pass Cloud Engine (SPACE). The Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the complete set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining.
What are the five attributes of a "cloud-native" platform? Check out this blog post, "The Cloud-Native Network: What It Means and Why It Matters," for a detailed explanation.
Key to delivering a self-healing and self-maintaining architecture without compromising performance is the geographic footprint of the FWaaS network. Without sufficient PoPs, latency grows as user traffic must first be delivered to a distant PoP and then be carried across the unpredictable Internet. By contrast, the Cato Global Private Backbone underlying Cato's FWaaS is engineered for zero packet loss, minimal latency, and maximum throughput by including WAN optimization. The backbone interconnects Cato's more than 65 PoPs worldwide. With so many PoPs, users always have a low-latency path to Cato, even if one PoP should fail.
How much better is the Cato global private backbone? An independent consultant recently tested iPerf performance across Cato, MPLS, and the Internet. Across Cato, iPerf improved by more than 1,300%. Check out the results for yourself here: https://www.sd-wan-experts.com/blog/cato-networks-hits-2-5b-and-breaks-speed-barrier/
Cato SASE Cloud: FWaaS on Steroids and a Whole Lot More
Of course, as a SASE platform, FWaaS is only one of the many services delivered by the Cato SASE Cloud. In addition to a global private backbone that can replace any global MPLS service at a fraction of the cost, Cato's networking capabilities include edge SD-WAN, optimized secure remote access, and accelerated cloud datacenter integration.
FWaaS is only one of Cato's many security services. Other security services include a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), managed IPS-as-a-Service (IPS), and comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
And, all services are seamlessly and continuously updated by Cato's dedicated networking and security experts to ensure maximum availability, optimal network performance, and the highest level of protection against emerging threats.
FWaaS: A Better Way to Protect the Enterprise
In our opinion, Gartner’s inclusion of Cato SASE Cloud in the Magic Quadrant is recognition of the unique benefits cloud-native FWaaS brings to the enterprise. FWaaS built on appliances simply cannot meet enterprise requirements, not for performance nor for uptime. Cato’s cloud-native approach not only made FWaaS possible; we proved that it can meet the needs of the vast majority of sites and users. Over time, cloud-native FWaaS will become the dominant deployment model for enterprise security.
And Cato isn’t stopping there. Every quarter we expand our backbone, adding more PoPs. All of those PoPs run our complete SASE stack; they don’t just serve as network ingress points where traffic must be sent to yet another PoP for processing. We will also be adding new security services next year, not by putting a marketing wrapper around acquired or third-party solutions, but by building them ourselves, directly into the rest of the Cato Cloud. As for EPP and EDR, neither is currently in scope for SASE, but both are viable targets for convergence.
Comparing cloud services and boxes is always challenging. Ultimately, enterprises face a trade-off between DIY or consuming the technology as a service. Moving to the cloud alters the cost of ownership, bringing the same agility and power that’s changed how we consume applications, servers, and storage to security.
To better understand how Cato can improve your enterprise, contact us to run a quick proof-of-concept. You won't be disappointed.
1 Gartner, Critical Capabilities for Network Firewalls, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Adam Hils, Jeremy D'Hoinne, 10 November 2020
2 Gartner, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Jeremy D'Hoinne, Nat Smith, and Adam Hils, 1 November 2021
GARTNER and MAGIC QUADRANT are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Personalized alerts straight from production environments Good descriptive logs are an essential part of every code that makes it to production. But once the deliverable leaves your laptop, how much do you really look at them?
Sure, when catastrophe hits, they provide a lot of the required context for the problem, but if everything just works (or so you think), do you look at them? Monitoring tools do (hopefully), but even they are configured to look only for specific signs of disaster, not your everyday anomalies. And when will these be added? Yup, soon after a failure, because as we all know, every root cause analysis comes complete with a list of additional monitoring tasks.
One of our security researchers developed a solution. Here’s what he had to say:
What I’ve implemented is a touch-free and personalized notification system that takes you and your fellow developers a couple of steps closer to the production runtime. Those warning and error logs? Delivered to you in near real time, or a (daily) digest shedding light on what really goes on in that ant farm you’ve just built. Moreover, by using simple code annotations log messages can be sent to a slack channel enabling group notifications and collaborations. Your production environment starts talking to ya.
The system enables developers to gain visibility into the production runtime, resulting in quicker bug resolution times, fine tuning runtime behavior and better understanding of the service behavior.
Oh, and I named it Dice - Dice Is Cato’s Envoy. It was a fun project to code and is a valuable tool we use.
[boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=Eliminate_Threat_Intelligence"] Eliminate Threat Intelligence False Positives with SASE [/boxlink]
How does it work then?
The first step is building a list of log messages extracted from the source code and a matching list of interested parties. These can be explicitly stated in a comment following the log line in the code, or automatically deduced by looking in the source control history for the last author of the line (i.e. git blame). Yes, I can hear you shouting that the last one on the blame list isn’t necessarily the right developer, and you’d be right. However, in practice this isn’t a major problem, and it can be addressed by explicit code annotations.
Equipped with this list of messages and authors the system now scans the logs, looking for messages. We decided to focus on Warning and Error messages as they are usually used to signal anomalies or plain faults. However, when an explicit annotation is present in the code we process the message regardless of its log level.
INFO_LOG("hello cruel world"); // #hello-worlders
    (channel to which messages should be sent)
WARN_LOG("the sky is crying"); // @firstname.lastname@example.org
    (explicit mention of the developer, Elmore)
ERROR_LOG("it hurts me too");
    (no annotation here, so blame information will be used, e.g. email@example.com)
Real time messages
Channel messages (as in the example above) are delivered as soon as they are detected, which we used to communicate issues in real time to developers and support engineers. This proved to be very valuable as it enabled us to do a system inspection during runtime, while the investigated issue was still occurring, dramatically lowering the time to resolution.
For example, we used channel messages to debug a particularly nasty IPsec configuration mismatch. The IPsec connection configuration is controlled by our client, and hence we could not debug issues in a sterile environment where we have full control over both ends of the configuration. With the immediate notifications, we were able to get the relevant information out of the running system.
Digests are also of great value, informing a developer of unexpected or even erroneous behavior. My code (and I guess yours also) has these “this can’t really happen” branches, where you just log the occurrence and get the hell out of the function. With Dice’s messages, I was able to know that these unimaginable acts of the Internet are actually more frequent than I imagined and should get special treatment rather than being disregarded as anomalies. Alerts are usually sent to users in the form of a daily digest, grouping all the same messages together with the number of occurrences, on which servers and the overall time frame.
Using Slack as the communication platform enables the system to make some judgment regarding notification delivery. Developers asked for digests to be sent only when they are online and, in any case, not during the weekend, which is easy to accommodate. Furthermore, the ability to add interactive components into the messages opens the door for the future enhancements described below.
Useful as Dice is, it can be made even greater. Interactivity should be improved: many times notifications should be snoozed temporarily, till they are addressed in the code, or indefinitely, as they are just redundant. The right (or some definition of right) solution is usually to change the log level or remove the message entirely. However, the turnaround for this can be weeks (we deploy new versions every two weeks), so this is too cumbersome. A better way is to allow snoozing/disabling a particular message directly in Slack, via actions.
“It wasn’t me,” claim many Sing Sing inmates and blamed developers. The automatically generated blame database may point to the wrong author, and the system should allow for an easy, interactive way of directing a particular message to its actual author. It can be achieved via code annotations, but again this is too slow. Slack actions and a list of blame overrides is a better approach.
Logs are essentially a read-only API of a system, yet they are mostly written in free form with no structural or longevity guarantees. At any point a developer can change the text and add or remove variable outputs from the messages. It is therefore hard to build robust systems that rely on message analysis. Dice, elegantly if I may say, avoids this induced complexity by shifting the attention to personalized and prompt delivery of messages directly to relevant parties, rather than feeding them into a database of some sort and relying on the monitoring team to notify developers of issues.
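The extract-annotate-route pipeline the researcher describes above (log messages pulled from source, a `#channel` or `@address` annotation in the trailing comment, `git blame` as the fallback author, warning/error lines always processed, channel messages delivered immediately and the rest folded into a per-developer digest), as an added example. This is not Dice's code and not from the original post; it assumes a C-style `LEVEL_LOG("...")` call convention and a trailing `//` annotation syntax, and the source snippet, the blame map (standing in for `git blame --line-porcelain` output) and the log lines are all constructed for the demo. It goes slightly beyond the post's example by also producing the digest grouping (occurrence count, hosts, time span) that the post describes in prose.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed source excerpt in the annotation style of the post (not real Cato code).
SOURCE = '''\
INFO_LOG("hello cruel world"); // #hello-worlders
WARN_LOG("the sky is crying"); // @elmore@example.org
ERROR_LOG("it hurts me too");
INFO_LOG("request served");
'''

# Constructed stand-in for `git blame` output: source line number -> last author.
BLAME = {1: "alice@example.org", 2: "bob@example.org",
         3: "carol@example.org", 4: "dave@example.org"}

# Matches LEVEL_LOG("message"); with an optional trailing // annotation.
LOG_CALL = re.compile(r'^\s*(INFO|WARN|ERROR)_LOG\("([^"]*)"\)\s*;\s*(?://\s*(.*?))?\s*$')
# Constructed log line format: <timestamp> <host> <LEVEL> <message>
LOG_LINE = re.compile(r'^(\S+) (\S+) (INFO|WARN|ERROR) (.*)$')


@dataclass
class Route:
    level: str
    channel: Optional[str]   # Slack channel from a '#channel' annotation, if any
    recipient: str           # explicit '@address' annotation, else the blame author
    explicit: bool           # True when the line carried any annotation


def build_routes(source: str, blame: Dict[int, str]) -> Dict[str, Route]:
    """Step 1: extract log messages from source and decide who hears about each one."""
    routes: Dict[str, Route] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = LOG_CALL.match(line)
        if not m:
            continue
        level, message, annotation = m.groups()
        channel, recipient = None, None
        for token in (annotation or "").split():
            if token.startswith("#"):
                channel = token
            elif token.startswith("@"):
                recipient = token[1:]
        explicit = channel is not None or recipient is not None
        routes[message] = Route(level, channel,
                                recipient or blame.get(lineno, "unknown"), explicit)
    return routes


def dispatch(log_lines: List[str], routes: Dict[str, Route]):
    """Step 2: scan logs; channel messages go out at once, the rest into per-developer digests."""
    realtime: List[Tuple[str, str, str, str]] = []          # (channel, host, ts, message)
    digest: Dict[str, Dict[str, dict]] = defaultdict(dict)  # recipient -> message -> stats
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, host, level, message = m.groups()
        route = routes.get(message)  # exact-text match; variable outputs would need templating
        if route is None:
            continue
        # Warning/error are always processed; lower levels only when explicitly annotated.
        if level == "INFO" and not route.explicit:
            continue
        if route.channel:
            realtime.append((route.channel, host, ts, message))
            continue
        stats = digest[route.recipient].setdefault(
            message, {"level": level, "count": 0, "hosts": set(), "first": ts, "last": ts})
        stats["count"] += 1
        stats["hosts"].add(host)
        stats["first"] = min(stats["first"], ts)  # ISO-8601 UTC timestamps sort lexically
        stats["last"] = max(stats["last"], ts)
    return realtime, digest


def render_digest(digest) -> Dict[str, List[str]]:
    """One digest per recipient: identical messages grouped with count, hosts and time span."""
    out: Dict[str, List[str]] = {}
    for recipient, messages in digest.items():
        lines = []
        for message, s in sorted(messages.items()):
            hosts = ", ".join(sorted(s["hosts"]))
            lines.append(f'{s["level"]} "{message}" x{s["count"]} on {hosts} '
                         f'({s["first"]} .. {s["last"]})')
        out[recipient] = lines
    return out


# Constructed log lines from three servers over one morning.
LOGS = [
    "2021-12-01T08:00:01Z srv-1 INFO hello cruel world",
    "2021-12-01T08:00:02Z srv-1 INFO request served",     # INFO without annotation: ignored
    "2021-12-01T08:05:00Z srv-2 WARN the sky is crying",
    "2021-12-01T09:10:00Z srv-3 WARN the sky is crying",
    "2021-12-01T09:15:00Z srv-2 ERROR it hurts me too",
]

if __name__ == "__main__":
    routes = build_routes(SOURCE, BLAME)
    realtime, digest = dispatch(LOGS, routes)
    for item in realtime:
        print("realtime ->", item)
    for recipient, lines in render_digest(digest).items():
        print(f"digest for {recipient}:")
        for entry in lines:
            print("  " + entry)
```

The exact-text match in `dispatch` is where the free-form-log problem the post ends on bites: a message with interpolated variables would need the source template turned into a pattern before matching. Keeping the lookup keyed on the literal message, as here, is the simplest form of the design choice the post describes, since nothing downstream depends on parsing the message body.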
SSE: It’s SASE without the “A” As IT leaders look to address the needs of the digital enterprise, significant changes are being pushed onto legacy networking and security teams. When those teams are in lockstep and ready to change, SASE adoption is the logical evolution. But what happens when security teams want to modernize their tools and services but networking teams remain committed to legacy SD-WAN or carrier technologies? For security teams, Gartner has defined a new category, the Security Service Edge (SSE).
What is SSE?
The SSE category was first introduced by Gartner in the “2021 Roadmap for SASE Convergence” report in March of 2021 (where it was named “Security Services Edge” with service in the plural) and later developed in several Hype Cycle reports issued in the summer. SSE is the half of secure access service edge (SASE) focusing on the convergence of security services; networking convergence forms the other half of SASE.
The Components of SSE
Like SASE, SSE offerings converge cloud-centric security capabilities to facilitate secure access to the web, cloud services, and private applications. SSE capabilities include access control, threat protection, data security, and security monitoring. To put that another way, SSE blends
- Zero Trust Network Access (ZTNA)
- Secure web gateway (SWG)
- Cloud access security broker (CASB)
- Firewall-as-a-service (FWaaS)
and more into a single-vendor, cloud-centric, converged service.
Why Is SSE Important?
The argument for SSE is much the same as for SASE. Legacy network security architectures were designed with the datacenter as the focal point for access needs. The cloud and the shift to work-from-anywhere have inverted access requirements, putting more users, devices, and resources outside the enterprise network. Connecting and protecting those remote users and cloud resources requires a wide range of security and networking capabilities. SSE offerings consolidate the security capabilities, allowing enterprises to enforce security policy with one cloud service. Like SASE, SSE will enable enterprises to reduce complexity, costs, and the number of vendors.
SSE Needs To Be a Cloud Service, Not Just Hosted Appliances
The SSE vision brings core enterprise security technologies into a single cloud service; today’s reality will likely be very different. As we’ve seen with SASE, SSE is still in its early days, with few, if any, vendors delivering a single, global cloud service that seamlessly converges ZTNA, SWG, RBI, CASB, and FWaaS.
And as with SASE it’s important to determine which SSE vendors are cloud-native and which are simply hosting virtual machines in the cloud. Running virtual appliances in the cloud is far different from an “as-a-service.” With cloud-hosted virtual appliances, enterprises need to think through and pay for redundancy and failover scenarios. That’s not the case with a cloud service. Costs also grow with hosted appliances in part because companies must pay for the underlying cloud resource. With a cloud service, no such costs get passed onto the user.
How Are SSE and SASE Similar?
Beyond an “A” in their names, what separates SSE from SASE? As we noted, SSE technologies form the security component of SASE, which means the security arguments for SSE are much the same as for SASE. With users and enterprise resources existing, well, everywhere, legacy datacenter-centric security architectures are inadequate. At the same time, the many security tools needed to protect the enterprise add complexity, cost, and complicate root-cause analysis.
SSE and SASE address these issues. Both are expected to converge security technologies into a single cloud service, simplifying security and reducing cost and complexity. With the primary enterprise security technologies together, security policies around resource access, data inspection, and malware inspection can be consistent for all types of access and users, and at better performance than doing this separately. Both SSE and SASE should also allow enterprises to add flexible, cloud-based network security to protect users out of the office. And both are identity-driven, relying on a zero-trust model to restrict user access to permitted resources.
The most significant difference between SSE and SASE comes down to the infrastructure. With Gartner SSE, enterprises unable or unwilling to evolve their networking infrastructure have a product category describing a converged cloud security service. By contrast, SASE brings the same security benefits while converging security with networking.
SASE: Networking and Security Better Together
But bringing networking and security together is more than a nice-to-have. It’s critical for a platform to secure offices, remote users, and cloud resources without compromising the user experience.
Too often, FWaaS offerings have been hampered by poor performance. One reason for this is the limited number of PoPs running the FWaaS software, but the other issue was the underlying network. Their reliance on the global Internet, not a private backbone, to connect PoPs leaves site-to-site communications susceptible to the unpredictability and high latency of the global Internet. SSE solutions will face the same challenge if they’re to enforce site-to-site security.
Converging networking and security together also brings other operational benefits. Deployment times become much shorter as there’s only one solution to set up. Root cause analysis becomes easier as IT teams can use a single, queryable timeline to interrogate and analyze all networking and security events.
Cato is SASE
Cato pioneered the convergence of networking and security into the cloud, delivering the Cato SASE Cloud two years before Gartner defined SASE. Today, over 1,000 enterprises rely on Cato to connect their 300,000 remote users and 15,000 branches and cloud instances.
Cato SASE Cloud connects all enterprise network resources, including branch locations, the mobile workforce, and physical and cloud datacenters, into a global and secure, cloud-native network service. Cato SASE Cloud runs on a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The backbone’s cloud-native software provides global routing optimization, self-healing capabilities, WAN optimization for maximum end-to-end throughput, and full encryption. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. Current security services include FWaaS, SWG, standard and next-generation anti-malware (NGAV), managed IPS-as-a-Service (IPS), and Managed Threat Detection and Response (MDR).
Deploy Cato SASE for Security, Networking, or Both – Today
Cato can be gradually deployed to replace or augment legacy network services and security point solutions:
Transform Security Only: Companies can continue with their MPLS services, connecting the Cato Socket, Cato’s edge SD-WAN device, both to the MPLS network and the Internet. All Internet traffic is sent to the Cato Cloud for inspection and policy enforcement.
Transform Networking Only: Companies replace their MPLS with the Cato SASE Cloud, a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The PoPs’ software continuously monitors the providers for latency, packet loss, and jitter to determine, in real time, the best route for every packet. Security enforcement can be done in the Cato SASE Cloud or in existing edge firewall appliances.
And, of course, when ready, enterprises can migrate both networking and security to the Cato SASE Cloud, enjoying the full benefits of network transformation. To learn more about how Cato can help your organization on its SASE journey, contact us here.
Horizon for SASE Adoption Shortens, Fewer Sample Vendors Identified in SASE Category of Gartner Hype Cycle for Networking, 2021
Every year, Gartner issues its annual take on the networking industry, and this year is no different. The just-released Hype Cycle for Enterprise Networking, 2021 and Hype Cycle for Network Security, 2021 provide snapshots of which networking and security technologies are on the rise — and which aren’t.
And when it comes to secure access service edge (SASE), the two reports provide an optimistic picture. The SASE market continues to mature, as evidenced by the horizon for widespread adoption. The horizon reduced significantly this year, dropping from 5-10 years in last year’s “Hype Cycle for Enterprise Networking 2020” to just 2-5 years in this year’s report.
At Cato Networks, we’ve certainly seen that change. Today, more than 900 customers, 11,000 sites and cloud instances, and well over a quarter of a million remote users rely on Cato every day. And we’ve seen large deployments, like Sixt Rent A Car, rely on the global Cato SASE platform to connect its more than 1,000 sites.
“Over the past year, we’ve seen larger enterprises adopt SASE,” says Yishay Yovel, CMO at Cato Networks. “Converging networking and security into the global Cato SASE Cloud enables these enterprises to become more efficient and agile in addressing critical business initiatives for cloud migration, widespread remote access, and business restructuring and transformation.”
Cato Identified as a Sample Vendor for SASE
The reports also identify Cato as a Sample Vendor for the SASE category for the third year in a row. In addition, the number of sample vendors identified in the SASE category narrowed from 10 vendors to 6 vendors with the emergence of challenges delivering a cloud-native global SASE service.
In addition, Cato is only one of two vendors to be identified as a Sample Vendor in the SASE, ZTNA, and FWaaS categories, arguably the three most important sections for a SASE vendor. Zscaler is the second vendor, but, in our opinion, Zscaler is an SWG and lacks the NGFW enforcement and inspection of branch-to-datacenter traffic critical to enterprise deployments.
“We believe our recognition as a Sample Vendor across the SASE, ZTNA, and FWaaS categories attests to Cato’s proven capabilities in delivering a complete networking and security platform for the enterprise,” says Shlomo Kramer, CEO and co-founder of Cato Networks. “Through our Cato SPACE architecture, we provide the only global, cloud-native SASE solution that can be deployed, simply and easily, by organizations of all sizes to enable optimal and secure access to anyone, anywhere, and to any application.”
To learn more about the Hype Cycle for Networking, download your copy today.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner’s Nat Smith Explains What Is and Is Not SASE
A good portion of my day is spent speaking with the news media about Cato and the SASE market. There’s a routine to these conversations. Many will groan over an acronym that’s pronounced “sassy.” They’ll listen but often dismiss the area as “just more Gartner hype.” For many, SASE seems like another marketing exercise like Big Data or Cloud Computing.
And I get that. For 20+ years, I too was an IT journalist. As a feature journalist, I was lucky. I could specialize and dive deep into the nuances of technologies. News journalists aren’t so fortunate. They must move between many technology areas, making it incredibly difficult to uncover the differences between slideware and reality.
So, I understand skepticism around SASE, particularly when every little networking and security vendor claims to be a SASE company. And if every security device, virtual appliance, or managed service is SASE, what have we accomplished? Nothing.
That is why a recent session by Nat Smith, Senior Director in the Technology and Service Provider (TSP) division of Gartner, was so interesting. Smith pierced the confusion around the SASE market, explaining what is and what is not SASE in a very plain-spoken way.
SASE connects people and devices to services
Smith’s explanation was very straightforward: SASE takes the networking service and those kinds of capabilities, and also the security service and those capabilities, and puts them into a single offering. Some people will simplify it a little and say SASE is connecting people and devices to services.
His simple definition alludes to two innovations. The first is convergence, bringing all networking and security functionality together. For too long, enterprises have had to grapple with the complexity of managing and integrating network security appliances. The assortment of appliances dotting enterprise networks exacted a significant operational burden on IT teams. They had to patch and maintain appliances. As encrypted traffic levels grew and CPU demands soared, branch appliances had to be upgraded. Integrating the separate solutions required significant investment and still left gaps for attackers to exploit. Visibility grew limited as critical data was locked behind silos, requiring additional management tools to overcome those issues.
Convergence solves these issues, pulling networking and network security functions into one seamless solution. Packets come into the SASE platform, get decrypted, and have all functions applied in a single pass before the packet is sent on to its destination. Performing operations in parallel rather than moving them through a service chain of devices reduces latency and allows the SASE platform to scale more efficiently.
While Gartner documents point to a wide range of functions converged by SASE, Smith broke them down into five main areas: SD-WAN, FWaaS, SWG, CASB, and ZTNA.
In truth, security and networking convergence preceded SASE. UTMs are probably the best example, and even some SD-WAN appliances have added security capabilities (Figure 1). Which brings us to the next innovation — cloud-native services.
Figure 1: Network security appliances are “thick,” performing all functions themselves.
SASE: It’s not an appliance
SASE is a true cloud service. It’s not a single-tenant appliance stuck in the Cloud. It’s a multitenant platform designed as a cloud service. I think of it as the difference between O365 and Word. Microsoft, and all cloud providers, push out new features and new capabilities all the time. There’s no need to download, test, and deploy a new version worrying all the while the repercussions for my laptop. And while desktop software only works for that computer, the Cloud is available to me wherever I go, from whatever device I’m using. I don’t have to worry about running out of storage or patching software. The provider handles all of that.
SASE brings those same cloud benefits to networking and security. SASE breaks functionality into two, keeping the bare minimum at the edge while moving core functioning into the Cloud (Figure 2). There are no patches or updates to test and deploy; they just “appear” in the service. Storage and scaling are things the provider has to worry about, not IT.
Figure 2: SASE creates a “light” appliance at the edge, providing just enough processing to move traffic into the Cloud where compute-intensive security and networking services can benefit from the scalability and elasticity of the Cloud.
Shifting processing to the Cloud leverages the Cloud’s scalability and elasticity. Compute-intensive services, like content inspection, normally force branch appliance upgrades to accommodate traffic growth. But within the Cloud, they can run at line-rate regardless of traffic volumes. And by being in the Cloud, SASE services can be made available to users anywhere without a perceptible difference.
SASE: It’s not just in the Cloud; it is the Cloud
And this point, that SASE services are made available to the user efficiently, is critical. Smith pointed to an example where security processing happens in a Shanghai PoP that serves three locations — Shanghai, Singapore, and San Francisco (Figure 3). He posed the question, “Is this SASE or not?”
Figure 3: SASE is not a single PoP converging networking and security services, as users located far away (in San Francisco, in this case) will not experience local performance.
Shanghai users will experience pretty good response time. Singapore less so, but San Francisco? With a thousand kilometers to the Shanghai PoP, San Francisco users will experience significant latency as traffic is brought back to Shanghai for inspection. Users probably won’t call it that. They’ll likely talk about “the network being slow” or “applications taking forever to load.” But the culprit will remain the same: the latency needed to get back to the PoP for processing. A single PoP does not make SASE.
SASE is meant to give local performance to all users regardless of location. As such, Smith points out that SASE must be distributed, delivering a cloud edge service that brings security processing near the source. A global network of PoPs is needed, where PoPs are close to the company locations and mobile users using that service (see Figure 4).
Figure 4: With SASE, security processing is distributed across a global fabric of PoPs. Users experience local performance regardless of location.
Convergence and Cloud-Native Define SASE
SASE is the convergence of networking and security, but it’s also about moving from the edge to the Cloud. Smith sees both of those elements — convergence and cloud-native — as essential for realizing SASE’s promise.
Failure to deliver on both of those elements isn’t SASE. It’s just hype.
Update to Cato MDR Shortens Time-to-Value, Automates 70 Security Checks
Nobody likes to wait for results, and that's certainly the case when it comes to managed detection and response (MDR) services. MDR services are meant to eliminate threats faster by outsourcing threat hunting to third-party specialists. But to accomplish their goal, MDR services require up to 90 days to baseline typical network operation.
Which is odd if you think about it. Malware dwell time already exceeds 200 days. Why invest in an MDR service if it'll be another three months before your organization realizes any results?
Cato has a better way. The new release of Cato MDR announced this week eliminates the startup window by tapping cross-organizational baselines developed using the Cato system. Let's take a closer look.
What's Behind the Cato MDR Service
As part of the broader Cato service, Cato MDR has deep visibility into enterprise traffic patterns. We've developed a simply massive data warehouse storing the metadata for every IP address, session, and flow crossing the Cato global backbone. We do that over time, so we can see the historical and current traffic patterns across thousands of enterprises and hundreds of thousands of remote users worldwide.
This incredible data repository gives us the basis for our Cato Threat Hunting System (CTHS), a set of multidimensional machine learning algorithms and procedures developed by Cato Research Labs that continuously analyze customer traffic for the network attributes indicative of threats. More specifically, CTHS has the following capabilities:
Full Visibility, No Sensors: Cato sees all WAN and Internet traffic normally segmented by network firewalls and Network Address Translation (NAT). CTHS has full access to real-time network traffic for every IP, session, and flow initiated from any endpoint to any WAN or Internet resource. Optional SSL decryption further expands available data for threat mining. CTHS uses its deep visibility to determine the client application communicating on the network and identify unknown clients. The raw data needed for this analysis is often unavailable to security analytics platforms, such as SIEMs, and is impossible to correlate for real-time systems, such as legacy IPS.
Deep Threat Mining: Data aggregation and machine learning algorithms mine the full network context over time and across multiple enterprise networks. Threat mining identifies suspicious applications and domains using a unique "popularity" indicator modeled on access patterns observed throughout the customer base. Combining client and target contexts yields a minimal number of suspicious events for investigation.
Human Threat Verification: Cato's world-class Security Operations Center (SOC) validates the events generated by CTHS to ensure customers receive accurate notifications of live threats and affected devices. CTHS output is also used to harden Cato's prevention layers to detect and stop malicious activities on the network.
Rapid Threat Containment: For any endpoint, a specific enterprise network, or the entire Cato customer base, the SOC can deploy policies to contain any exposed endpoint, both fixed and mobile, in a matter of minutes.
CTHS creates a deep threat-hunting foundation that powers all Cato security services without requiring customers to deploy data collection infrastructure or analyze mountains of raw data. At the same time, CTHS adheres to privacy regulatory frameworks such as GDPR. With CTHS and Cato Cloud, enterprises of all sizes continue their journey to streamline and simplify networking and security.
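The "popularity" idea in the Deep Threat Mining and Human Threat Verification items above, worked as an added example that is not Cato's code: flow metadata is aggregated across tenants, destinations that few organizations or hosts ever reach are flagged, and an unclassified client application raises the rank of the event handed to an analyst. The record layout, thresholds, scoring weights and sample flows are all constructed for this illustration.

```python
"""Rarity-based destination scoring over flow metadata (added illustration).

Not Cato's implementation: the Flow record, the thresholds and the scoring
weights are assumptions made for this example, and SAMPLE_FLOWS is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    org: str         # tenant that produced the flow
    host: str        # endpoint inside that tenant
    client_app: str  # application identified on the wire; "unknown" if unclassified
    domain: str      # destination domain


# Constructed sample metadata: three tenants, a few hosts each.
SAMPLE_FLOWS = [
    Flow("acme", "pc-1", "chrome", "update.example-cdn.net"),
    Flow("acme", "pc-2", "chrome", "update.example-cdn.net"),
    Flow("acme", "pc-3", "outlook", "mail.example-saas.com"),
    Flow("globex", "lt-1", "chrome", "update.example-cdn.net"),
    Flow("globex", "lt-2", "outlook", "mail.example-saas.com"),
    Flow("initech", "ws-1", "chrome", "update.example-cdn.net"),
    Flow("initech", "ws-2", "chrome", "mail.example-saas.com"),
    # One host in one tenant, unclassified client, destination nobody else uses.
    Flow("acme", "pc-7", "unknown", "a1b2c3.example-rare.xyz"),
    # Also rare, but a known browser is talking: lower priority for the analyst.
    Flow("globex", "lt-9", "chrome", "intranet-only.example-globex.local"),
]


def popularity(flows):
    """Return {domain: (distinct orgs, distinct hosts)} across the whole base."""
    orgs = defaultdict(set)
    hosts = defaultdict(set)
    for f in flows:
        orgs[f.domain].add(f.org)
        hosts[f.domain].add((f.org, f.host))
    return {d: (len(orgs[d]), len(hosts[d])) for d in orgs}


def suspicious_events(flows, max_orgs=1, max_hosts=2):
    """Flag flows whose destination is rare across the base, ranked by client context.

    Returns a list of (score, flow), highest score first. Thresholds and weights
    are assumed values chosen for the example, not tuned production settings.
    """
    pop = popularity(flows)
    events = []
    for f in flows:
        n_orgs, n_hosts = pop[f.domain]
        if n_orgs > max_orgs or n_hosts > max_hosts:
            continue  # widely used destination: not worth an analyst's time
        score = 1
        if f.client_app == "unknown":
            score += 2  # unclassified client plus rare target is the strongest signal
        events.append((score, f))
    # Highest score first; deterministic tie-break on domain for stable output.
    events.sort(key=lambda e: (-e[0], e[1].domain))
    return events


if __name__ == "__main__":
    for score, flow in suspicious_events(SAMPLE_FLOWS):
        print(score, flow.org, flow.host, flow.client_app, flow.domain)
```

The short ranked list this produces is the kind of output the Human Threat Verification step consumes: the rare-destination rule keeps the volume low, and the client-context weight decides which event an analyst looks at first.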
Cato MDR 2.0 Gains Automated 70-Point Checklist
Beyond faster time-to-value, Cato has also introduced automatic security assessment to the MDR service. Instantly, customers learn how their network security compares against the checks and best practices implemented by enterprises worldwide. Items inspected include proper network segmentation, firewall rules, and security controls, like IPS and anti-malware. The 70-point checklist is derived from the practices of the "best" enterprises across Cato — and avoids the biggest mistakes of the worst enterprises.
"Much of what we're highlighting in our 70-point checklist is probably common sense to any security-minded professional. But all too often, those practices have not been found in one actionable resource," says Elad Menahem, director of security at Cato Networks.
And to further enhance the support given to Cato MDR customers, we've assigned a designated security engineer (DSEC) to each customer. The DSEC becomes the customer's single point of contact and security advisor. The DSEC can also tweak threat hunting queries to enhance detection specific to the customer environment, such as gathering specific network information to protect specific valuable assets.
The DSEC is part of the larger SOC team, sitting between the Security Analysts and the Security Research team. Coupled with CTHS and Cato's unique data warehouse, Cato MDR brings together the best of human intelligence and machine intelligence for the highest degree of protection.
Overall, Cato underscores yet another aspect of the value of a global, cloud-native SASE platform. To learn more about Cato MDR, visit https://www.catonetworks.com/services#managed-threat-detection-and-response.
Figure: The Cato automatic assessment identifies misconfiguration against 70 security best practices, returning a security posture score and a detailed report for easy action.
5G: A Step Beyond the Last Mile?
During the third and fourth quarters of 2019, Amazon spent a total of $3B on its one-day delivery program. At issue for the retail giant was solving the last mile, a challenge that has vexed organizations for decades. The telecom industry, which coined the last mile phrase decades ago, claims to be on the verge of solving the last mile for its customers, with the promise of 5G.
Having spent years waiting for fiber rollouts to make it to their office building, news of multigigabit connectivity without wiring is welcome indeed. As exciting as this news is for CIOs, though, the question they should be asking is whether their legacy enterprise networks can take advantage of 5G’s goodness. And the answer to that question is far from certain.
Powerful Benefits for Enterprises
A fully operational 5G is a gamechanger for enterprises. The delays and limited data transfer capacity that plague today’s connectivity will quickly become a thing of the past. Businesses will be inoculated against outages, and experience full, continuous high-speed availability.
If promises can be believed, enterprises will no longer have to wait months for fiber installations or be limited by line availability. Rural offices, construction sites, and even offshore oil rigs won’t be limited by a carrier’s unwillingness to invest in high-cost infrastructure expenses that only serve a small number of businesses and fail to deliver a high ROI.
In addition to easier provisioning, data rates on 5G are lightning-fast. Designed to deliver peak data rates of up to 20Gbps, it is 20 times faster than 4G. For enterprises involved with the Internet of Things (IoT), 5G will be able to provide more than 100Mbps average data transmission to over a million IoT devices within a square kilometer radius.
Behaving like the Infinite Middle
The high speeds and elimination of last-mile slowdowns are what enterprises need today. 5G will address surges in capacity driven by the growing demand for video conferencing, increased data storage, and businesses operating from multiple locations. Removing last-mile bottlenecks means there is no need to step down capacity as data approaches the end user.
Multi-gig connections can carry high-speed data across the globe and down to the end user at great speed and lower latency than current solutions. This combination opens the door to greater innovation in many areas. Automation will grow in manufacturing plants through the use of IoT-enabled connected devices. Supply chains will be able to share data more efficiently, enabling smoother operation. And expect to see improvements in logistics and deliveries as commercial vehicles take advantage of smart traffic efficiencies created by 5G. Improved traffic flow, decreased journey times, and car-to-car communication will improve the business’s bottom line.
Virtual reality (VR) and augmented reality (AR) become possible, opening new opportunities, particularly for retailers. Personalized digital signage, real-time messaging, and promotions based on real-time consumer behavior become possible with 5G. Innovative tools like smart mirrors could advise consumers on fashion choices or recommend cuts of clothes based on their unique body size and shape.
AI systems will also use the increased real-time data to get even better at analyzing situations and making recommendations. They’ll be more effective, leading to increased adoption of AI technology.
5G and the elimination of last-mile slowdowns are expected to open the door to anything enterprise IT can imagine. It sounds all too perfect — and it is.
The Challenge of Eliminating Last-Mile Slowdowns
There’s no doubt that 5G has the potential to transform business. However, transformation comes with security risks that enterprises can’t afford to ignore. A growing number of entry points, a greater reliance on online data streams, and visibility issues increase an enterprise’s exposure to cyberattacks.
Early 5G adopters will also be exposed to security risks stemming from misconfigurations and security integrations between 5G and 4G networks. Deploying patchwork security solutions that weren’t designed for 5G networks will not only be ineffective as a security tool, but they may create more problems for IT teams by creating more exploitable network entry points.
And enterprises that don’t update their network architectures may find they’re unable to fully benefit from 5G’s performance. That’s because legacy networks backhaul traffic to a central security gateway for inspection and policy enforcement. The latency of that connection, not the last-mile performance, has always been the determining factor in long-distance connections.
Defending Networks with SASE
A secure access service edge (SASE) addresses enterprise needs for a more secure, better performing 5G network. SASE distributes security inspection and policy enforcement out to points of presence (PoPs) across the globe.
By connecting to the local PoP, all users — whether in the office, on the road, or at home — are protected against network-based threats. And by avoiding traffic backhaul, SASE allows enterprises to take full advantage of 5G’s faster connections without compromising security. Partners can also easily be connected to a company’s SASE network, allowing for secure, high-performance supply chains.
5G is a transformative access technology. SASE is a transformative architectural approach. Together they allow IT to transform the way enterprises operate. To learn more about 5G and how the Cato SASE platform can help your enterprise, contact us here.
Poor VPN Scalability Hurts Productivity and Security
Due to the surge in remote work inspired by COVID-19, VPN infrastructure designed to support 10-20% of the workforce has failed to keep up. This has inspired companies to invest in scaling their VPN infrastructure, but this is not as easy as it sounds. VPNs are difficult to scale for a few different reasons, and this forces companies to make tradeoffs between network performance and security.
With growing support for remote work, having an unscalable and unsustainable secure remote access solution is not an option. So how can organizations scalably and securely support their remote workforces? We’ll answer that here.
Why VPNs scale poorly
VPNs are designed to provide privacy, not security. They lack built-in access controls and the ability to inspect traffic for malicious content. As a result, companies commonly use VPNs to backhaul remote workers’ traffic through the corporate LAN for security inspection before sending it on to its destination.
This design means that the organization’s VPN solutions, corporate network infrastructure, and perimeter-based security stack are all potential bottlenecks for a VPN-based secure remote access solution. As a result, effectively scaling VPN infrastructure requires investment in a number of areas, including:
VPN Infrastructure: As VPN utilization increases, a company’s VPN terminus needs to be able to support more parallel connections. Accomplishing this often requires deploying additional VPN infrastructure to meet current demands.
Last Mile Network Links: Network links on the corporate LAN must be capable of supporting the load caused by backhauling all network traffic for security inspection. For all traffic with destinations outside of the corporate LAN, traffic will traverse the network twice - both entering and leaving after security inspection - and network links must have the bandwidth to support this.
Security Systems: The use of VPN infrastructure to backhaul business traffic is designed to allow it to undergo security inspection and policy enforcement. Perimeter-based security solutions must have the capacity to process all traffic at line speeds.
System Redundancy: With a remote workforce, secure remote access solutions become “critical infrastructure” with high availability requirements. All systems (VPN, networking, security, etc.) must be designed with adequate redundancy and resiliency.
Acquiring, deploying, and maintaining adequate infrastructure to meet companies’ remote access needs is expensive. The limited feature set and poor scalability of VPNs contribute to a number of problems that are holding businesses back.
An unsustainable and insecure approach
The disadvantages of VPNs for businesses contribute to a number of factors that impair the usability and security of these systems, such as:
Degraded Performance: Because VPNs have no built-in security functionality, traffic must pass through a separate security stack. Many organizations therefore backhaul all traffic through the corporate LAN for inspection, which adds latency, particularly for Internet- and cloud-bound traffic that has to enter and then leave the corporate network.
Appliance Sprawl: The poor scalability and high availability requirements of VPN infrastructure means that organizations need to deploy multiple appliances to meet the needs of a remote workforce. This is expensive and adds complexity to the process of deploying, configuring, and maintaining these appliances.
Security Workarounds: The poor scalability of VPNs drives many organizations to trade security for network performance. A common example is split tunneling, which sends only corporate-bound traffic through the tunnel and lets Internet-bound traffic leave the endpoint directly, bypassing the corporate security stack entirely.
Network-Level Access: VPNs grant authenticated users network-layer access to whatever segment the tunnel lands on, not access to specific applications. Any resource reachable from that segment can be probed and attacked, which lets legitimate users overstep their role and dramatically increases the blast radius of a compromised user account.
The use of enterprise VPN solutions is an unsustainable and insecure approach to implementing secure remote access. As companies plan extended or permanent support for remote work, a better solution is needed.
SASE is a scalable alternative for secure remote access
With the growth of remote work and cloud computing, companies need a secure remote access solution that is designed for the modern enterprise network. While VPNs cannot effectively scale to meet demand, the same is not true of secure access service edge (SASE).
Many of VPNs’ issues arise from two main factors: location and security. VPNs are designed to provide a secure connection to a single terminus, and they lack built-in security so that location needs to host a standalone security stack.
SASE eliminates both of these considerations. Instead of a single VPN terminus, SASE is implemented as a worldwide network of points of presence (PoPs). With so many PoPs, business traffic can enter and leave the corporate WAN at convenient locations.
SASE also incorporates a full security stack, enabling any SASE PoP to perform security inspection and policy enforcement for the traffic passing through it. This eliminates the need to deploy standalone security stacks at each terminus or backhaul to a central location for inspection, simplifying security and eliminating unnecessary latency.
This security stack includes zero trust network access (ZTNA) - also known as software-defined perimeter (SDP) - for secure remote access. Unlike VPNs, ZTNA/SDP implements zero trust security principles, providing access to resources on a case-by-case basis. This minimizes the risk posed by a compromised user account or malicious user.
These two features make SASE a much more scalable secure remote access solution than VPNs. The decentralized nature of the SASE network means that no one location needs to carry the full load of the remote workforce’s network traffic. The network also has built-in redundancy and the ability to easily scale or expand simply by deploying a new virtualized appliance at the desired location.
Cato offers secure, scalable remote access for the distributed enterprise
Modern businesses need secure remote access solutions that protect their remote workforces without compromising performance. Cato Cloud makes it easy for employees to connect securely from anywhere to anywhere. To learn more about how to deploy high-performance secure remote access, download our free Work from Anywhere for Everyone eBook.
If you have questions about the benefits of SASE over VPNs or how Cato Cloud can work with your environment, feel free to contact us. Also, don’t hesitate to request a free demo to see Cato Cloud’s secure remote access capabilities for yourself.
What is a Cloud Firewall?
Cracks are forming at the base of the cloud firewall. Those virtualized instances of the security perimeter vital to protecting cloud assets against unauthorized attempts to access an organization’s cloud resources have begun showing their age.
The shift to multicloud strategies and the rapid evolution of network-based threats are uncovering weaknesses in cloud firewalls. Instead, many companies are adopting Firewall-as-a-Service (FWaaS) solutions. But will FWaaS go far enough? Let’s find out.
What is a Cloud Firewall Used For?
Physical firewalls, aka firewall appliances, have been a fixture in the network stack populating datacenters and branch offices everywhere. But as enterprises shifted data and applications to the cloud, they needed to secure them as well. Deploying a physical firewall in the cloud was impractical at best and frequently impossible.
Enter cloud firewalls. These offerings bring the protective ability of firewall appliances to the cloud. Cloud firewalls run as virtual instances within the cloud provider network. As such, cloud firewalls bring several significant advantages over firewall appliances.
We’ve already discussed one; they’re easy to deploy. Cloud firewalls are also easier to scale than physical firewalls. Need more memory or compute? Just add as you would to any workload in the cloud. Cloud firewalls are also often easier to make highly available. Yes, you’ll need to configure redundant instances appropriately. But the datacenters are already equipped with redundant power sources, HVAC systems, automated backup systems, and more needed to support an HA implementation.
The Limitations of Cloud Firewalls
At the same time, cloud firewalls come with key limitations. Each cloud environment requires its own cloud firewall, so security becomes more complex under a multicloud strategy, which is increasingly common among enterprises. What’s more, where cloud firewall instances exist out-of-region, traffic must be backhauled to them, adding latency to application sessions.
And while cloud firewalls might be easier to maintain than physical appliances, they still need plenty of care. IT teams still need to configure, deploy, and manage the cloud firewall. They still need to apply patches and deploy the latest signatures to protect against new threats. Finally, resource sharing among cloud firewalls becomes challenging at scale. Cloud firewalls function as virtual appliances, each with its own allocated memory and compute, and they can’t easily pool those resources with other cloud firewall instances.
For many IT teams, the question “What is a cloud firewall” is being replaced by “What security tool can we use instead of a cloud firewall.”
Why FWaaS is Replacing Virtual Firewalls
And the answer to that question is quickly becoming FWaaS. Unlike a cloud firewall, which is a dedicated virtual appliance the customer runs and manages, FWaaS is a cloud service: each customer gets a logical firewall instance running on the provider’s multitenant firewall platform, while the provider operates the underlying infrastructure.
FWaaS platforms are genuine cloud services. They’re multitenant, elastic, and highly scalable, allowing the individual firewalls to consume compute resources more efficiently than individual cloud firewalls. FWaaS providers also assume the burden of ensuring firewall performance doesn’t suffer as traffic loads grow. And since compute resources and operating costs are spread across all customers, FWaaS platforms are often more cost-effective than cloud firewalls.
In short, by using FWaaS, organizations retain the scalability, availability, and extensibility of a cloud deployment. At the same time, they enjoy the lower cost of a shared platform and line-rate performance that the provider, not the customer, is responsible for maintaining.
Does FWaaS Go Far Enough?
FWaaS might seem to answer the security problems facing enterprises, but what they miss is the global network. Most enterprises have at least some resources in private datacenters. Users require optimized access to those resources and the cloud. FWaaS offerings, though, rely on the unpredictable global Internet for transport. Performance to corporate datacenters is far too unpredictable and sluggish for enterprises used to the MPLS and private backbones.
FWaaS offerings also often target HTTP-based applications. Other applications based around legacy protocols may not be supported or require purchasing additional products.
Since FWaaS offerings can’t cover the complete enterprise, they must be integrated with existing networking and security tools. This creates greater operational complexity for IT and leads to fragmented network visibility, complicating the detection of the network traffic patterns indicating malware infections.
In short, FWaaS steps in the right direction but without the underlying network remains a partial solution. For most enterprises, FWaaS doesn’t go far enough.
Moving from Cloud Firewall to SASE
Secure Access Service Edge (SASE) expands on FWaaS, converging security with a global, optimized network. The Cato SASE platform, for example, includes the Cato Global Private Backbone, a global, geographically distributed, SLA-backed network of 60+ PoPs interconnected by multiple tier-1 carriers. Within those PoPs, a complete suite of security services — NGFW, IPS, URLF, anti-malware, and more — operates on all traffic. The traffic is then sent on to the Internet or across the Cato global private backbone to other edges — branch offices, datacenters, remote users, and cloud resources — connected to Cato PoPs.
The Cato network includes built-in WAN optimization, route optimization, dynamic carrier selection, and cloud optimization to deliver far better performance than the global Internet or legacy infrastructure. During customer testing, for example, file transfer performance improved by 20x with Cato when compared against MPLS. Other customers have seen similar, if not better results, when comparing Cato against the global Internet.
The convergence of security and networking also provides Cato with unprecedented visibility into enterprise traffic flows. Using this unique insight, a team of dedicated networking and security experts seamlessly and continuously update Cato defenses. They offload the burden from enterprises of ensuring maximum service availability, optimal network performance, and the highest level of protection against emerging threats.
It’s Time to Upgrade your Cloud Firewall with SASE
Cato is the world’s first SASE platform. It enables customers to easily connect physical locations, cloud resources, and mobile users to Cato and provides IT teams with a single, self-service console to manage security services.
Learn more on our blogs, contact our team of security experts, or schedule a demo to see how SASE can protect your network environment.
Remote Access Security: The Dangers of VPN
Millions of people worldwide are still working remotely to support shelter-in-place requirements brought on by the pandemic. For many workers, a remote workstyle is a preference that will likely become a more permanent arrangement. Enterprises have responded by expanding their use of VPNs to provide remote access to the masses, but is this the right choice for long-term access?
Aside from enabling easy connectivity, enterprises also must consider the security of VPNs and whether their extensive use poses risks to the organization. (Spoiler alert: they do.) Long-term use alternatives must be considered due to VPNs’ failures where remote access security is concerned. One prominent alternative is Secure Access Service Edge (SASE) platforms with embedded Zero Trust Network Access (ZTNA) that alleviate the security dangers and other disadvantages of VPN.
VPNs Put Remote Access Security at High Risk
In general, VPNs provide minimal security: traffic encryption and simple user authentication. Without stronger security measures built in, they present numerous risk areas:
VPN users have excessive permissions –
VPNs do not provide granular user access to specific resources. When working remotely via VPN, users get an address from a common pool of VPN-assigned IP addresses and are placed on the internal network. Any resource reachable from that address pool is “visible” to them, whether or not their role requires it, putting them only a password away from accessing it.
Simple authentication isn’t enough–
VPNs do provide simple user authentication, but stronger authentication of users and their devices is essential. Without extra safeguards – for example, multi-factor authentication, device certificates, and tying the VPN login to the enterprise identity provider so that disabled accounts lose access immediately – an attacker can use stolen credentials and gain broad access to the network.
Insecure endpoints can spread malware to the network –
There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network.
The full security stack doesn’t reach users’ homes–
Enterprises have built a full stack of security solutions in their central and branch offices. This security doesn’t extend into workers’ homes. Thus, to maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load.
VPN appliances are a single point of failure –
For enterprises that support a large remote workforce connecting via VPN, there is high risk of business interruption if a VPN fails or is incapacitated, such as through a DoS attack. No appliance means no access for anyone who would connect to it.
Some VPNs have known vulnerabilities –
Enterprises are responsible for monitoring for vulnerabilities and updating and patching devices as needed. Serious flaws that go unpatched can put organizations at risk. For example, in March 2020, it was reported that Iranian hackers were leveraging VPN vulnerabilities to install backdoors in corporate and government networks. The attack campaign targeted several high-profile brands of VPNs.
VPNs add to overall network complexity –
Adding one or more VPNs to the data center to manage and configure adds to the overall complexity of network management, which could ultimately lead to greater security vulnerabilities.
Network managers have limited visibility into VPN connections –
The IT department has no visibility into what is happening over these appliances. The user experience suffers when problems occur, and no one knows the root cause.
Split tunneling provides opportunity for attack –
To alleviate VPN capacity constraints, organizations sometimes utilize split tunneling. In this configuration the VPN client sends only traffic destined for corporate prefixes through the tunnel, while Internet-bound traffic leaves the device directly through its local gateway. The Internet and the corporate network are reachable at the same time, and the Internet-bound half of the traffic never passes the corporate security stack. An attacker who can reach the remote computer over the local or public network can compromise it and then ride the open tunnel into the internal network.
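The difference between a full tunnel and a split tunnel is visible in the client’s routing table, which is where a practitioner would check which configuration a laptop is actually running. The following is an added example, not code from this post or from any Cato product: it parses constructed route lines in the format of Linux `ip route show` output and reports whether Internet-bound traffic bypasses the tunnel. The tunnel interface name `tun0`, the addresses, and the route tables are all assumptions made for the example.

```python
"""Detect full-tunnel versus split-tunnel VPN from a client's routing table.

Added example, not from the original post. The route lines below are
constructed to look like `ip route show` output on Linux; the tunnel
interface name (tun0) and all addresses are assumptions.
"""
import ipaddress

# Constructed sample routing tables (not captured from a real host).
SPLIT_TUNNEL_TABLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# OpenVPN-style full tunnel: 0.0.0.0/1 and 128.0.0.0/1 via the tunnel
# out-rank the default route, and a host route keeps the VPN server itself
# reachable over the physical interface.
FULL_TUNNEL_TABLE = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""


def parse_routes(text: str):
    """Turn lines like 'default via 192.0.2.1 dev wlan0' into (network, dev)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in prefix:
            prefix += "/32"  # host route
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def tunnel_mode(routes, tun_dev: str = "tun0") -> str:
    """'full' if all traffic is forced through the tunnel, 'split' if only
    specific prefixes are, 'none' if nothing routes through it."""
    via_tun = [net for net, dev in routes if dev == tun_dev]
    if not via_tun:
        return "none"
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    if any(net.prefixlen == 0 for net in via_tun) or halves <= set(via_tun):
        return "full"
    return "split"


def bypasses_tunnel(routes, dst: str, tun_dev: str = "tun0") -> bool:
    """Longest-prefix match: does traffic to dst leave outside the tunnel?"""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return True  # no route at all: certainly not through the tunnel
    _, dev = max(matches, key=lambda r: r[0].prefixlen)
    return dev != tun_dev


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_TABLE), ("full", FULL_TUNNEL_TABLE)):
        routes = parse_routes(table)
        print(name, "->", tunnel_mode(routes),
              "| 8.8.8.8 bypasses tunnel:", bypasses_tunnel(routes, "8.8.8.8"))
```

On a real host the input would be the output of `ip route show`; the same logic applies to `netstat -rn` style tables once the default route and interface are extracted. A client that reports `split` is exactly the case the post warns about: Internet traffic leaves uninspected while the tunnel to the corporate network stays open.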
VPNs Have Other Drawbacks
In addition to the security issues, VPNs have other drawbacks that make them unsuitable for long-term remote access connectivity. For example, an appliance has capacity to support a limited number of simultaneous users. Ordinarily this isn’t a problem when companies have 10% or less of their employees working remotely, but when a much higher percentage of workers need simultaneous and continuous access, VPN capacity can be quickly exceeded. This requires the deployment of more and/or larger appliances, driving costs and management requirements up considerably. Companies use workarounds like split tunneling to address lack of scalability, which can degrade traffic visibility and security.
A Better Long-term Solution for Secure Remote Access
VPNs are no longer the only (or best) choice for enterprise remote access. Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out most of their remote access VPNs in favor of ZTNA. The main driver of ZTNA adoption is the changing shape of enterprise network perimeters. Cloud workloads, work from home, mobile, and on-premises network assets must all be accounted for, and point solutions, such as VPN appliances, aren’t the right tool for the job.
The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.
But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren't addressed by ZTNA standalone offerings. For example, all traffic still needs to undergo security inspection before proceeding to its destination. This is where having ZTNA fully integrated into a Secure Access Service Edge (SASE) solution is most beneficial.
SASE converges ZTNA, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable. The Cato SASE solution provides all this in a cloud-native platform.
Cato’s SASE solution enables remote users, through a client or clientless browser access, to access all business applications, via secure and optimized connection. The Cato Cloud, a global cloud-native service, can scale to accommodate any number of users without deploying a dedicated VPN infrastructure. Remote workers connect to the nearest Cato PoP – there are more than 60 PoPs worldwide – and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications. Cato’s security services protect remote users against threats and enforces application access control.
In short, the Cato SASE platform makes it quick and easy to give optimized and highly secure access to any and all remote workers. For more information on how to support your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.
What is a UTM Firewall and What Is Beyond It?
In theory, Unified Threat Management (UTM) platforms should have long ago promoted efficiency: collapsing many security features into a single appliance. In reality, though, UTMs often became headaches in the making, putting IT on a vicious and costly lifecycle of appliance upgrades.
How can you take the UTM’s benefits and avoid the scalability problem? Let’s take a look to find out what’s beyond the UTM and the future of network security.
Firewalls Evolve Over the Years
Before the UTM, there was the basic firewall. It was a physical appliance installed at a location such as a datacenter or a branch office. All traffic passed through the firewall for basic inspection of security policies based on network information such as the type of protocol or the source/destination addresses.
Traditionally, TCP port 80 bore extra scrutiny because that is where web traffic arrived. But as applications and networking evolved, firewalls needed to look beyond the port number to determine whether a packet flow was malicious.
As the industry adopted applications and services that shared common TCP ports, looking at the source and destination addresses and the TCP header alone was no longer sufficient: anything can be carried on port 443. This led to the development of next generation firewalls (NGFWs), which inspect the application layer to identify the application actually in the flow and decide whether it is malicious.
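To make the port-versus-application distinction concrete, the following is an added example and not code from this post or from any product. It classifies a handful of constructed flows two ways: by destination port, as a basic firewall would, and by the first bytes the client sent, as an application-aware firewall would. The signature set (SSH banner, TLS ClientHello record header, HTTP request methods) is deliberately tiny; the flows, addresses and verdict policy are assumptions made for the example.

```python
"""Port-only versus application-aware flow classification.

Added example to illustrate the NGFW point above; it is not code from the
original post. The flows and the signature list are constructed here and
deliberately minimal: a real NGFW carries many more protocol decoders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    client_bytes: bytes  # first bytes the client sent after connecting


# Basic firewall: the destination port alone names the application.
PORT_TO_APP = {22: "ssh", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_by_port(flow: Flow) -> str:
    return PORT_TO_APP.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Look at what is actually on the wire, ignoring the port."""
    data = flow.client_bytes
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03xx,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def ngfw_verdict(flow: Flow) -> str:
    """Allow only when the payload is the application the port is meant to carry."""
    expected = classify_by_port(flow)
    actual = classify_by_payload(flow)
    if expected == "unknown" or actual == "unknown":
        return "deny"
    return "allow" if actual == expected else "deny"


# Constructed sample flows (not captured traffic). The TLS bytes are a
# truncated ClientHello record header, enough to trip the signature.
TLS_CLIENT_HELLO = bytes.fromhex("160301005a0100005603035a")
SAMPLE_FLOWS = {
    "web": Flow("10.1.1.5", "203.0.113.10", 443, TLS_CLIENT_HELLO),
    "plain_http": Flow("10.1.1.5", "203.0.113.11", 80, b"GET / HTTP/1.1\r\nHost: example\r\n"),
    "ssh_over_443": Flow("10.1.1.9", "198.51.100.7", 443, b"SSH-2.0-OpenSSH_9.2\r\n"),
}


def audit(flows: dict) -> dict:
    """Return {name: (port_view, payload_view, ngfw_verdict)} for each flow."""
    return {name: (classify_by_port(f), classify_by_payload(f), ngfw_verdict(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (by_port, by_payload, verdict) in audit(SAMPLE_FLOWS).items():
        print(f"{name:13s} port says {by_port:8s} payload says {by_payload:8s} -> {verdict}")
```

The `ssh_over_443` flow is the case the paragraph describes: a port-based rule sees “HTTPS” and allows it, while payload inspection sees an SSH tunnel on a web port and denies it. Real NGFWs also have to handle the opposite problem, legitimate applications deliberately multiplexed over 443, which is why the application identification feeds a policy rather than being a hard allow list as in this toy.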
UTMs Converge Security into One Appliance
While firewalls are essential, companies need more than just a firewall in their security quiver. They also want malware inspection, intrusion detection and prevention, content filtering, and other security measures. These functions could all be separate appliances, or they could all be brought together into a single converged appliance. This new all-in-one security device is what became known as the UTM.
The concept of UTM is good—the execution, not so much. As enterprises enable more security functions and as traffic levels grow, the appliances require more processing power. Ultimately, this forces an appliance upgrade with all of the additional costs and complexity involved. Failing to do that leads to a trade-off between implementing the necessary security functions and reducing processing load to improve performance.
What’s more, placing NGFWs and UTMs in the headquarters or branch doesn’t reflect the needs of today’s business. Users operate anywhere and everywhere but they still must send all of their traffic back to these appliances for inspection, which is inefficient. The same can be said on the application side. With more users accessing resources in the cloud, first sending traffic back to a private datacenter for security inspection by the NGFW makes little sense and can damage the usability of SaaS applications.
The Future of Enterprise Security is in the Cloud
There is a new and revolutionary way of delivering NGFW and other network security capabilities as a cloud service. Firewall-as-a-Service (FWaaS) truly eliminates the appliance form factor, making a full stack of network security (URL Filtering, IPS, AM, NG-AM, Analytics, MDR) available everywhere. A single, logical global firewall with a unified application-aware security policy connects the entire enterprise — all sites, remote users, and cloud resources. Gartner has highlighted FWaaS as an emerging infrastructure protection technology with a high impact benefit rating.
FWaaS is an integral component of a Secure Access Service Edge (SASE) networking platform. SASE converges the functions of network and security point solutions into a unified, global cloud-native service.
Cato Has a Full Security Stack in Every PoP
Cato’s cloud-native SASE architecture converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. Customers easily connect physical locations, cloud resources, and mobile and remote users to Cato Cloud.
Cato uses a full enterprise-grade network security stack natively built into the Cato SASE Cloud to inspect all WAN and Internet traffic. Security layers include an application-aware FWaaS, a secure web gateway (SWG) with URL filtering, standard and next-generation anti-malware (NGAV), and a managed IPS-as-a-Service (IPS). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Zero Trust Network Access (ZTNA) is an integral part of the platform, tying security access policy back to user identity in and out of the office.
All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. Security policies and events are managed centrally using the self-service Cato Management Application.
The Cato SASE platform spans more than 60 global Points of Presence (PoPs) located in nearly every region of the world. Each PoP has a full security stack, ensuring that security is conveniently applied to all traffic at the PoP before going to its final destination.
The future of security is in the cloud, and it goes well beyond UTM. Cato’s SASE platform delivers that future now.
Related content: Read our guide What Is a Network Firewall?
New Forrester Report: Merging Network and Security in the Age of Covid
If you’re looking for more incisive perspective on the trend towards merging WAN and security in the cloud, check out Forrester’s January 21 report, Introducing the Zero Trust Model for Security and Network Services by analysts David Holmes and Andre Kindness.
Even if you’ve already digested Gartner’s SASE reports (and our numerous blogs), this one is worth a read. Forrester analysts tackle the impact of the post Covid-19 enterprise where some 50 percent of employees are expected to work from home. The report also includes some keen insights on a new network and security model for the Internet of Things (IoT), in addition to mobile and cloud computing.
Forrester has coined its own acronym for the future of the enterprise, the Zero Trust Edge (ZTE). The opener doesn’t pull any punches, stating that enterprises need to “Merge Security and Networking or Sunset Your Business.” The report goes on to outline the challenges on the way to ZTE.
According to Forrester, the Zero Trust Edge model aspires to be a cloud- or edge-hosted full security stack and network solution. Says Forrester, “A Zero Trust edge solution securely connects and transports traffic, using Zero Trust access principles, in and out of remote sites leveraging mostly cloud-based security and networking services.” ZTE solutions must merge all those disparate security appliances and functions formerly in data centers and branch offices into the cloud where configurations can be altered, added, and deleted based on a single configuration management solution and benefit from cloud-based monitoring and analysis. A single security and network solution reduces both configuration errors and operating inefficiencies compared to multiple on-premises security appliances.
Cato is mentioned prominently as the only example in the report of a cloud-delivered ZTE service. The report notes that the Cato approach “offers all the value that organizations can get from software-as-a-service solutions,” and will “fit the needs of many organizations.” It helps that Cato not only brings its unique network and security solution to branch offices, cloud services, IoT, and datacenters but to mobile and home users as well, as Forrester predicts that securing remote workers is the most compelling initial use case for ZTE.
Download a free copy of the new Forrester report here.
Cato Offers a Free Certification Program to Help Customers and Channel Partners Learn the Fundamentals of SASE
Earlier this week, Cato announced that the 600th graduate has completed the SASE Expert certification program. Business and technical professionals from around the world have sought out high-quality education to attain a baseline level of knowledge of this new approach to networking and security…and for good reason.
Since SASE's introduction, Gartner has cautioned about the misinformation surrounding the architecture. As Gartner noted in its Hype Cycle for Network Security, 2020 report: "There will be a great deal of slideware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery as a service model and the investments required for distributed PoPs. This is a case where software architecture and implementation matters."
As more vendors announce their service offerings in the SASE arena, enterprise IT professionals and channel partners have grown confused over what constitutes a true SASE platform and how it compares to legacy technologies. Some traditional network vendors have added a security element to their hardware appliances, put them in the cloud, and call it “SASE”—but is it really SASE?
Answering those questions isn’t merely an academic exercise. Understanding if the product fulfills the vision of SASE goes a long way to understanding if the product brings the benefits of SASE.
SASE eliminates the legacy appliances that have made IT so complex. Instead, SASE converges networking and security processing into a global cloud-native platform. As cloud services, SASE architectures are easier to operate, save money, reduce risk, and improve IT agility.
Cato Certification Addresses Market Confusion, Advances Professionals’ Knowledge of SASE
The certification course content explores those architectural differences and provides enterprises and channel partners with a solid basis for understanding the SASE revolution. Curriculum highlights include:
A detailed explanation of why enterprises need SASE today
A close look at how Gartner explains the SASE architecture
How SASE compares with legacy technologies
Benefits and drawbacks of SASE for channel partners and enterprises
What constitutes a true SASE platform
Cato's certification program is for IT leaders of all levels. Recent graduates include enterprise network engineers, C-level executives, and channel partners looking to grasp SASE fundamentals. Participants learn sufficient baseline information to understand the advantages and rationale for SASE for their own company or their clients.
The certification is available online for free. Participants take the courses at their own pace from anywhere in the world. To learn more about the SASE Expert certification program, visit https://www.catonetworks.com/sase/sase-expert-level-1/
Remote Access Network Architecture and Security Considerations
The global pandemic spurred a massive work-from-home (WFH) wave quite literally overnight. Hundreds of millions of people worldwide were told to stay home to stay safe, but they needed to keep working as best as possible. Enterprises responded to this sudden need for extensive remote network access by focusing on getting people connected—but connectivity often came at the expense of security.
As WFH (or telework) becomes a long-term model for many organizations, it’s time to rethink the remote access network architecture with security as a priority, not just a “nice to have” consideration. Zero Trust Network Access (ZTNA) must be part of the long-term solution, and Secure Access Service Edge (SASE) can deliver ZTNA with ease.
Long-term Telework Is Becoming the Norm
The pandemic forced people out of their office and onto the dining room table with barely any notice to the IT teams who had to enable and support remote access. The immediate priority was to give people access to their work environment by any means available so they could maintain productivity. VPNs were the connectivity solution of choice for most harried IT teams.
A year into the pandemic, many workers are still connecting to corporate resources from remote locations. What’s more, several large organizations have announced that WFH will be a permanent option for employees at least some of the time. Capital One, Facebook, Amazon, Gartner, Mastercard, Microsoft, Salesforce, PayPal, Siemens—these are just some of the companies that have adopted long-term remote work as the norm.
VPNs are Giving Way to Zero Trust Security
While VPNs provide traffic encryption and user authentication, they still present a security risk because they grant access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. To maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, VPNs are a challenge – an expensive one at that – when it comes to remote access security.
Enterprises are turning to a much more secure user access model known as Zero Trust Network Access (ZTNA). The premise of ZTNA is simple: deny everyone and everything access to a resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs.
The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.
But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren't addressed by ZTNA standalone offerings. For example, all traffic still needs to undergo security inspection en route to its destination. This is where having ZTNA fully integrated into a SASE solution is most beneficial.
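The contrast drawn above, as an added example that is not Cato's code: a small model in which a VPN session exposes every host on the routed internal subnet, while a ZTNA policy evaluates each resource individually, defaults to deny, and consults device posture. All users, devices, resources and addresses are constructed for illustration.

```python
"""Added example (not Cato's code): VPN network-level reachability versus
per-resource, default-deny ZTNA evaluation.  All names, users, devices and
resources below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Device:
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    av_running: bool


@dataclass
class Session:
    user: str
    groups: set
    device: Device
    source_ip: str


@dataclass
class Resource:
    name: str
    host: str              # IP of the protected resource


# Constructed inventory: everything lives in one flat internal subnet,
# which is exactly what a remote-access VPN tunnel exposes in full.
INTERNAL_NET = ip_network("10.20.0.0/16")
RESOURCES = {
    "hr-portal": Resource("hr-portal", "10.20.1.10"),
    "git": Resource("git", "10.20.2.20"),
    "payroll-db": Resource("payroll-db", "10.20.3.30"),
    "legacy-fileshare": Resource("legacy-fileshare", "10.20.4.40"),
}


def vpn_reachable(session: Session, resource: Resource) -> bool:
    """VPN model: once the user has authenticated, the tunnel routes the
    whole internal subnet, so every host on it is reachable regardless of
    role or device state.  Device posture is never consulted."""
    return ip_address(resource.host) in INTERNAL_NET


# ZTNA policy (constructed): an explicit allow list keyed by resource.
# Anything absent from this table is denied.  Each entry names the groups
# permitted and whether a managed, healthy device is required.
ZTNA_POLICY = {
    "hr-portal": {"groups": {"employees"}, "require_posture": False},
    "git": {"groups": {"engineering"}, "require_posture": True},
    "payroll-db": {"groups": {"finance"}, "require_posture": True},
}


def device_healthy(d: Device) -> bool:
    """Minimal posture check: managed, encrypted, endpoint protection running."""
    return d.managed and d.disk_encrypted and d.av_running


def ztna_decision(session: Session, resource: Resource) -> tuple:
    """ZTNA model: deny unless a policy explicitly allows this user's group
    to reach this specific resource and the device meets the posture the
    policy demands.  Returns (allowed, reason) so decisions are auditable."""
    rule = ZTNA_POLICY.get(resource.name)
    if rule is None:
        return False, "no policy for resource (default deny)"
    if not (session.groups & rule["groups"]):
        return False, "user not in an allowed group"
    if rule["require_posture"] and not device_healthy(session.device):
        return False, "device posture check failed"
    return True, "explicit allow"


def reachable_under(model, session: Session) -> set:
    """Names of the resources the session can reach under the given model.
    The difference between the VPN and ZTNA sets is the lateral-movement
    exposure the VPN model carries."""
    out = set()
    for res in RESOURCES.values():
        allowed = model(session, res)
        if isinstance(allowed, tuple):
            allowed = allowed[0]
        if allowed:
            out.add(res.name)
    return out


if __name__ == "__main__":
    # Constructed scenario: an engineer on an unmanaged home laptop.
    laptop = Device(managed=False, disk_encrypted=True, av_running=False)
    alice = Session("alice", {"employees", "engineering"}, laptop, "203.0.113.7")
    print("VPN  :", sorted(reachable_under(vpn_reachable, alice)))
    print("ZTNA :", sorted(reachable_under(ztna_decision, alice)))
```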
SASE is a Secure Remote Access Solution Designed for the Modern Enterprise
SASE converges Zero Trust Network Access, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly-scalable. The Cato SASE solution provides all this in a cloud-native platform.
A key component of the Cato SASE platform is a series of more than 50 global Points of Presence (PoPs) located in virtually every region of the world. These PoPs house integrated security stacks comprised of Next-generation firewalls, secure web gateways, anti-malware, intrusion prevention systems, and of course, the ZTNA technologies.
The PoPs are where all traffic from an organization’s corporate offices, branch offices, and remote and mobile users connect to their network. Thus, security is conveniently applied to all traffic at the PoP before going to its final destination—whether it’s to another branch, remote user, SaaS application, cloud platform, or the Internet.
The PoPs themselves are interconnected by a private, high performance network. This network utilizes routing algorithms that factor in latency, packet loss, and jitter to get traffic to and from its destination optimally, favoring performance over the cost of transmission. To further enhance security, the connections between PoPs are completely encrypted.
Cato’s SASE Platform Simplifies Secure Remote Access for WFH
What does this mean for the remote access worker? The Cato SASE platform makes it very quick and easy to give optimized and highly secure access to any and all workers. For users in the office, access can be limited only to designated resources, complying with zero-trust principles.
For remote and mobile users, Cato provides the flexibility to choose how best to securely connect them to resources and applications. Cato Client is a lightweight application that can be set up in minutes and which automatically connects the remote user to the Cato SASE Cloud. Clientless access allows optimized and secure access to select applications through a browser. Users simply navigate to an application portal, which is globally available from all of Cato’s 60+ PoPs, authenticate with the configured SSO, and are instantly presented with a portal of their approved applications. Both the client-based and the clientless approach also comply with ZTNA to secure access to specific network resources.
A zero-trust approach is essential for a secure remote workforce, and Cato’s solution allows an easy and effective implementation of ZTNA.
For more information on how to secure your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.
Network Security Solutions to Support Remote Workers and Digital Transformation
Attack surface – noun: The attack surface of an enterprise network environment is the sum of the different points (the attack vectors) where an unauthorized user can try to enter the network to execute a malicious intent, such as stealing data or disrupting operations.
A basic security measure is to keep the attack surface as small as possible. That’s a tall order as organizations undertake the simultaneous processes of digital transformation and network evolution. In addition to legacy data centers, enterprises now have extensive assets in the cloud as well as in branch and remote offices and, increasingly, in workers’ own homes. Such expansions have grown the attack surface exponentially.
The way to shrink it back to a manageable size is with effective network security solutions, which in their own right require an evolution from legacy security appliances to a secure access service edge (SASE) architecture. By converging networking and security in the cloud, SASE provides enterprises with the means to monitor all traffic in real-time and apply strong defense mechanisms at every point of the attack surface, thus minimizing an attacker’s ability to succeed in his nefarious mission.
SASE Solutions Converge Network and Security While Working with Legacy Architectures
Digital transformation is high on every executive’s to-do list, and it’s founded on the principles of innovation, business agility, and speed of delivery of products and services. For most organizations, the cloud is a critical piece of their transformation. This has necessitated a rethink of the WAN architecture. The legacy hub-and-spoke architecture is pure kryptonite to cloud application performance. This has led enterprises to adopt SD-WAN technology, which enables them to eschew bringing all traffic back to a central data center and route traffic directly to branches or the cloud, as needed. Direct Internet access (DIA) is enabled as well.
While SD-WAN can enhance application performance through traffic prioritization and steering, it fails to satisfy enterprise needs for strong security. What’s more, since SD-WAN appliances sit atop the underlying network infrastructure, the need for a high-performance and reliable network backbone is left unaddressed as well. Organizations require a WAN that is capable of optimizing traffic flow between any two points – not just to/from the enterprise LAN – without compromising security.
The Cato Cloud, the world’s first SASE platform, enables an organization to achieve this. Cato converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and remote workers and their mobile devices. It is an architectural transformation that, while working with existing legacy technologies, also allows enterprise IT teams to advance networking and security to provide a holistic, agile, and adaptable service for the entire digital business.
The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All of the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.
The PoPs also are where security is deployed, making it available to all traffic entering the Cato Cloud network. This is far more practical and cost effective than deploying security appliances at the various branch and home office locations.
Native Security is a Core Component of the Cato Cloud
Security has never been an add-on feature for Cato; rather, it’s a core component that has been built-in from the ground up. The networking component and the security component are part of the same code base. As traffic passes through the network, it is evaluated simultaneously for security issues and network routing—and then it is routed over Cato’s private backbone.
Having network and security all on one platform, in a single-pass solution, has the advantage of deep visibility at wire-speed even if the traffic is encrypted. The security inspection tools see everything on the network, not just logs. This provides deep and broad context – in Cato’s case, the context of all customers, not just one – to understand everything that is happening on the network and catch threats earlier in the kill chain. And it’s all delivered as a service, so that customers don’t need to maintain anything.
Among the full stack of security detection tools provided by Cato are:
Next Generation Firewall (NGFW)
The Cato NGFW inspects both WAN and Internet traffic. It can enforce granular rules based on network entities, time restrictions, and type of traffic. The Deep Packet Inspection (DPI) engine classifies the relevant context, such as application or services, as early as the first packet and without having to decrypt the payload. Cato provides a full list of signatures and parsers to identify common applications. In addition, custom application definitions identify account-specific applications by port, IP address or domain.
Secure Web Gateway (SWG)
The SWG provides granular control over Internet-bound traffic, enabling enforcement of corporate policies and preventing downloads of unwanted or malicious software. There are predefined policies for dozens of different URL categories and support for custom rules, enhancing the granularity of web access control. The SWG is easily managed through Cato’s management portal and covered by a full audit trail.
Next Generation Anti-Malware (NGAV)
Cato’s Malware Detection and Prevention leverages multi-layered and tightly-integrated anti-malware engines. First, a signature and heuristics-based inspection engine, which is kept up-to-date at all times based on global threat intelligence databases, scans files in transit to ensure effective protection against known malware. Second, Cato has partnered with SentinelOne to leverage machine learning and artificial intelligence to identify and block unknown malware. Unknown malware can come as either zero-day attacks or, more frequently, as polymorphic variants of known threats that are designed to evade signature-based inspection engines. With both signature and machine learning-based protections, customer data remains private and confidential, as Cato does not share anything with cloud-based repositories.
Intrusion Prevention System (IPS)
Cato delivers a fully managed and adaptive cloud-based IPS service. Cato Research Labs updates, tunes and maintains context-aware heuristics, both those developed in house (based on big-data collection and analysis of customers’ traffic) and those originating from external security feeds. This dramatically reduces the risk of false positives compared to other IPSs that lack an experienced SOC behind them. Cato Cloud scales to support the compute requirements of IPS rules, so customers don’t have to balance protection and performance to avoid unplanned upgrades as processing load exceeds available capacity.
Software Defined Perimeter (SDP)
Also known as Zero Trust Network Access, or ZTNA, a cloud-native software defined perimeter delivers secure remote access as an integral part of a company’s global network and security infrastructure. A global, cloud-scale platform supports any number of remote users within their geographical regions. Performance improves with end-to-end optimized access to any application using a global private backbone. Risk is minimized before and after users access the network through strong authentication and continuous traffic inspection for threat prevention. Cloud-native SDP makes mobile access easy — easy to deploy, easy to use, and easy to secure.
All the tools listed above are essential to enterprise security.
Cato also has a service offering of Managed Threat Detection and Response (MDR). Cato’s MDR enables enterprises to offload the resource-intensive and skill-dependent process of detecting compromised endpoints to the Cato SOC team. Cato automatically collects and analyzes all network flows, verifies suspicious activity, and notifies customers of compromised endpoints. This is the power of networking and security convergence to simplify network protection for enterprises of all sizes.
Full Network Security Couldn’t Be Easier
All of these network security solutions are delivered as a service, from the cloud, so there is never anything for the customer to install, update or maintain. The software and all its capabilities are fully integrated and always up to date. It is the best approach to keeping the attack surface of an enterprise network as small as possible, all while fully supporting an organization’s digital transformation needs.
For more information, contact Cato and ask for a demo today.
February 23, 2021
Why Large Enterprises Moved to Cato in 2020
Today, Cato reported its 2020 financial results. On the surface, the results might seem to simply mark the strong financial growth that’s come to define Cato: over 200 percent bookings growth for the fourth consecutive year, a more than $1B valuation, and an additional $130 million funding round.
But just as significant as the financial facts and figures were the causes propelling that growth. Cato saw significant increases in customer scale and complexity. Multiple, 1000+ site deployments and several Fortune 500 and Global 200 enterprises abandoned telco- and MSP-managed networks for Cato’s cloud-native service.
All of which begs the question, what drove larger enterprises to Cato in 2020?
Platform Agility Allows Large Enterprises to Address Many Challenges, Easily
Large enterprises — and enterprises of all sizes — come to Cato for many reasons. In some cases, they come looking for MPLS migration to SD-WAN or Secure Branch Internet Access, in other cases it’s for Cloud Acceleration and Control and Remote Access Security and Optimization. But regardless of why they came to Cato, the overwhelming majority of Cato customers end up using Cato for networking and security. They may replace MPLS with Cato’s affordable backbone but they also use Cato to secure the branch. They come to Cato for SD-WAN but they also connect and secure branch offices and mobile users.
This ability to address a wide range of networking and security use cases with a single, coherent platform has long drawn midsize enterprises, but in 2020 it proved equally attractive to large deployments. And why not? Simplifying the network leads to cost savings, greater agility, better uptime, a reduced attack surface that attackers can exploit, and more. Every IT leader wants those benefits.
During 2020, one Fortune 500 grocery chain came to Cato to replace MPLS connecting its 500+ stores. Today, the company also relies on Cato to protect users with Cato IPS and NextGen anti-malware security services, while leveraging Cato’s Hands-Free Management service for easy administration.
Similarly, avoiding MPLS costs motivated a major car rental company to shift to Cato. The company connected 1,000+ locations across Cato’s global private backbone and protected them with Cato security services.
A leading construction company had 1200+ locations connected by legacy networking services. It replaced those services with Cato while also securing all sites with Cato IPS, NextGen Anti-Malware, and relying on Cato’s Hands-Free Management service for easy administration.
To be clear, enterprises don’t have to use Cato security services. Companies typically migrate gracefully to Cato, often deploying Cato alongside legacy technologies. But it’s this technical agility, the ability to easily and cost-effectively meet a broad range of requirements that allows large enterprises to meet the scope of their challenges.
Service Agility Allows Cato To Accommodate Enterprise Needs
The second part of agility is in the service. With Cato having written the code for its SASE platform, features can be introduced far faster than if the service had been dependent on third-party appliances.
When a global automotive parts manufacturer with 40,000 employees had that rare opportunity to start from a clean slate and build a modern network from scratch, the enterprise rigorously evaluated many networking and security architectures, eventually choosing Cato to connect and secure its 76 locations and 15,000 remote users.
Part of why they selected Cato was the agility to meet their unique requirements. “I don’t know of another company I have worked with, in a very long time that can make the changes you have as quickly as you have,” remarked the network engineer at the enterprise.
Partners had a similar reaction. Last fall, Cato announced the Cato Cloud API for automating provisioning and monitoring from SIEMs and other third-party platforms. The team at CDW, an early adopter of the Cato Cloud API, was also impressed by Cato’s agility. “What struck us most was how fast Cato was able to produce the API. There wasn't even any back-and-forth. It was usable as soon as we got it,” says Mark Hurley, Product Manager of Enterprise Networking Services Research and Design at CDW. During 2020, Cato saw channel-led customer bookings grow by 240%.
Overall, Cato added 136 new features and 2725 enhancements in 2020. Along with Cato Cloud API, other new capabilities included support for:
2 Gbps secure tunnels, exceeding all competing SASE offerings for locations and end-users.
Remote user connectivity without end-point software using Clientless Remote Access extending Cato’s SDP offering.
Near perfect threat detection by eliminating IPS false positives using Cato’s new built-to-purpose reputation assessment system that combines threat intelligence feeds and real-time network information.
During 2020, Cato expanded its geographic footprint, adding eight new points of presence (PoPs). With more than 60 PoPs worldwide, Cato can connect enterprise offices, remote/mobile users, and cloud resources whether they’re located near Casablanca, Morocco; Dubai, UAE; Lima, Peru; or near dozens of other locations.
Cato SASE Platform: The Agile Solution for Today’s Digital Enterprise
It’s this combination — an agile technology platform with an agile service culture — that’s so appealing to so many of our customers. It gives them the confidence that they’ll be able to address the challenges of today and be prepared for those of tomorrow. Large enterprises might have “discovered” Cato in 2020 but wait till you see what’s in store for 2021.
To find out more about SASE adoption in your enterprise with Cato, contact us here.
SASE vs. SD-WAN: Achieving Cloud-Native WAN Security
For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central data centers in a cost-effective manner. It is the networking equivalent of a killer application that allows companies to use a variety of transport mechanisms besides MPLS and to steer traffic according to business priorities.
Now the spotlight is shifting to the next evolution of networking: the secure access service edge (SASE). Like SD-WAN, SASE is a technology designed to connect geographically dispersed branches and other endpoints to an enterprise’s data and application resources. While there is some overlap in what the two technologies offer – in fact, SD-WAN is a component of SASE – there are significant differences in capabilities, not the least of which is network security. If SD-WAN gained traction for its flexible connectivity options, then SASE will be defined by its ability to seamlessly deliver full security to every edge on the network.
Enterprises Need a Distributed Network Architecture
Every enterprise, regardless of industry or geography, has a need for secure, high-performance, and reliable networking. In a bygone era, a hub-and-spoke networking architecture centered around an on-premise data center would have met that need—but not so today. A distributed network architecture is critical to support the increasing use of cloud platforms, SaaS applications, and especially remote and mobile workers.
This last requirement is ever more important in a world still experiencing a global pandemic. And even as we eventually move to a post-Covid-19 era, there will be a significant need to support people who continue to work from home, either permanently or occasionally, as well as those who return to the office.
SD-WAN Is a Step in the Right Direction
SD-WAN is a software-based approach to building and managing networks that connect geographically dispersed offices. It uses a virtualized network overlay to connect and remotely manage branch offices, typically connecting them back to a central private network, though it also can connect users directly to the cloud. SD-WAN provides optimal traffic routing over multiple transport media, including MPLS, broadband Ethernet, 4G LTE, DSL, or a combination thereof. However, SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a reliable, well performing network backbone is left unaddressed by SD-WAN appliances alone.
In general, SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge. This only leads to complexity and higher costs as more security services are added as discrete appliances or virtual functions. Another option is known as Secure SD-WAN, a solution which integrates a full security stack into an SD-WAN appliance. In this case, the solution’s effectiveness is limited by the deployment locations of the SD-WAN appliances, which are typically installed at each branch. Security is only applied for the traffic at the branch. What’s more, in deployments covering multiple branches, each appliance needs to be maintained separately, which provides the potential for out-of-sync policies and out-of-date software.
Another shortcoming of SD-WAN is that by design, networking appliances are built for site-to-site connectivity. Securely connecting work-from-home or mobile users is left unaddressed by SD-WAN appliances. While SD-WAN delivers some important benefits, networking appliances alone are not a holistic solution. That’s where SASE comes in.
SASE Is the Future of Secure Enterprise Networking
SASE takes all the capabilities of Secure SD-WAN and moves them to a cloud-based solution, which effectively eliminates geographic limitations. But more than that, the SASE approach converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic, agile, and adaptable service to the digital business.
The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.
Cato uses a full enterprise-grade network security stack natively built into the Cato Cloud to inspect all WAN and Internet traffic. Security layers include application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and managed IPS-as-a-Service (IPS). Cato can further secure a customer’s network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. And because Cato runs a distributed, cloud-native architecture, all security functions are performed locally at every PoP, eliminating the latency that legacy networks introduce by backhauling traffic for security inspection.
Importantly, in this age of work-from-home, Cato’s SASE solution easily supports mobile and remote users. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser. All security and network optimization policies that applied to users in the office instantly apply to them as remote users. Moreover, the platform can scale quickly to any number of remote users without worry.
For SASE, It Has to Be Cloud-Native Security
It wasn’t long ago that networking and enterprise security were different disciplines. Silos, if you will. But today, with users working everywhere, security and networking must always go together. The only way to protect users everywhere at scale without compromising performance is the cloud. Converging security and networking together into a genuine cloud service with a single-pass, cloud-native architecture is the only way to deliver high performance security and networking everywhere. That’s the power of SASE.
For more information, contact us or ask for a demo. Get the free e-book Secure Access Service Edge for Dummies.
Why Remote Workforce and Legacy Security Architectures Don’t Mix
Last week, we announced the results of our fifth annual IT survey, The Future of Enterprise Networking and Security: Are You Ready for the Next Leap. It was a massive undertaking that saw 2,376 participants from across the globe provide detailed insights into how their organizations responded to the COVID-19 crisis, their plans for next year, and what they think about secure access service edge (SASE).
When the dust settled and the results tallied, we found an optimistic group of IT leaders, confident in their networks but concerned about securing and managing their remote workforce.
Make no mistake about it, work-from-home (WFH) and the remote workforce aren’t going away any time soon. Only 7% of respondents indicated that everyone will move back to the office. A large majority (80%) indicated their companies will continue with a remote workforce in whole or in part.
With users working remotely, IT organizations still need the same level of security controls and visibility. But delivering those capabilities can’t be done by compromising application performance. And that’s a problem for legacy security architectures as they add latency, crippling application performance, and lack the optimization techniques for improving the remote experience.
It’s no surprise then that boosting remote access performance was the most popular primary focus for IT leaders over the next 12 months (47% of respondents). At the same time, when asked to cite the primary security challenges facing their IT organizations, 58% of respondents pointed to “enforcing corporate security policies on remote users” making it second to only “Defending against emerging threats like malware/ransomware” (66% of respondents).
But the problems of securing the remote workforce don’t stand on their own. They’re compounded by all of the legacy security challenges facing IT teams. More than half (57% of respondents) indicated that they lacked sufficient time and resources to implement security best practices. And those best practices can be as mundane as patching software and systems shortly after vendors release patches (32% of respondents).
Astounding. In the 21st century, with networks whose throughput has jumped ten thousand-fold over the past 30 years, we still have patching problems?
IT managers shouldn’t blame themselves, though. It’s clear where the problem lies — in the architecture. As Cato security engineer Peter Lee noted in this blog when documenting the vulnerability and subsequent patches issued for VPN servers:
“Patching has become so common that we just assume that’s the way it has to be. “Patch Tuesday” has us expecting fixes to problems every week. In reality, patching is an artifact of the way all appliances are built. If we eliminate the appliance architecture, we can eliminate the overhead and risk of patches.”
Eliminating appliances will not only eliminate patching problems, it will also eliminate the performance and visibility challenges introduced by legacy security architectures. Of course, this assumes enterprises can replace legacy security architectures with an approach that will:
Simplify today’s security stack
Eliminate the patching headaches
Deliver secure access everywhere, at scale, without compromising performance
Give visibility and control into all traffic flows
What architecture will do that? According to respondents — SASE.
More than 91% of respondents expect SASE to simplify management and security. Of those who’ve already adopted SASE, 86% of respondents experienced increased security, 70% indicated time savings in management and maintenance, 55% indicated overall cost saving and greater agility, 36% saw fewer complaints from remote users, and 36% realized all these benefits. No wonder that more than half of the respondents indicated that SASE would be very or extremely important to their business post COVID-19.
Isn’t it time you considered SASE? To learn more about Cato’s SASE platform, contact us here.
SD-WAN or SASE: The Power is in the Platform
As enterprises set out to modernize their networks, SD-WAN has become a key networking technology for connecting offices. But with COVID-19, users transitioned to work at home, not in the office.
What’s the alternative? Buy more VPN servers? That’s short-term thinking, and only effective until enterprises need to change again, and users move back to the office. Then IT’s left with an infrastructure investment sitting underutilized.
No, to support the new requirements of the post-pandemic era, enterprises need a new strategy, one that addresses the needs of an uncertain working environment.
A Platform Rather than a Product
The biggest challenge for this new strategy is that it’s not clear as to what those needs will be. Yes, we need to have large scale, high performance remote access today but that was a problem for IT back in January and March. What are tomorrow’s challenges? That’s harder to foresee. And since you don’t yet know what problems will arise, you can’t possibly buy a product to prepare for tomorrow – unless, of course, you’re prepared to gamble with your budget.
What you can do, though, is put in place a solution that has ALL the capabilities you’ll need but only activate those needed today. When new work conditions present themselves, the right platform can adapt quickly. Such a platform should be agnostic of the last-mile technologies. It should be lean enough to run anywhere on any device, connecting any kind of location – a branch, datacenter, or cloud resource. And it should have the geographical footprint, security capabilities, and optimization technologies to securely connect users across the globe without compromising the user experience.
A decade ago, such a comprehensive, global platform wasn’t possible. Today, though, the necessary networking and security technologies have matured to the point that they can be converged together. The Internet is everywhere. Processing resources are ubiquitous in the cloud. And 90 percent of the capabilities of routers, firewalls, and now, SD-WAN are common across vendors. The real value then comes not in any one product but in the convergence of those capabilities together.
Yes, SD-WAN is one of the capabilities in such a platform, but SD-WAN alone is not the answer. SD-WAN appliances are products aimed at addressing a very particular problem – the limitations of MPLS and legacy networks. They won’t connect your mobile users or solve your long-term remote access challenges because SD-WAN solutions are built for the branch. They also don’t secure users or sites against malware. SD-WAN solutions also fail to provide the backbone for predictable, global performance. To address these and other gaps, you’ll need yet more hardware or software limiting IT agility, fragmenting visibility, and increasing costs.
Comprehensive Visibility and Management Remain Critical
As we tackle new challenges with point solutions, we risk creating greater management problems for ourselves. Add a new security solution – new type of firewall, a SWG, or IPS – and you have yet another product to manage and maintain. Your visibility into the network becomes fragmented if you have one console for SD-WAN and another for the firewall, or global backbone provider. And once your view is fragmented, troubleshooting becomes dramatically more complex.
Having all technologies in one platform allows for a single-pane-of-glass. IT managers can see networking and security events in one interface for all users – at home or in the office – accessing any resource – in the cloud or in a private datacenter. Such holistic insight improves all facets of network and security operations from planning to provisioning new resources to troubleshooting.
And management delivery should be flexible enough to meet enterprise requirements. With self-service, enterprises configure and troubleshoot the networks themselves, doing in seconds what otherwise required hours or days with legacy telcos. For additional assistance, co-management should be available, allowing customers to rely on ongoing support from the provider or its partners without relinquishing control of overall management. A fully managed offering offloads responsibility for moves, adds, and changes onto the provider.
Support Well, Run Fast
A company’s network is critical infrastructure. It is the lifeblood of the organization’s communications and, quite often, its operations. Therefore, the customer/provider relationship should be viewed by both sides as a true partnership where each one can only succeed with full support from the other.
Such a partnership can be hard to establish when a vendor just wants to sell a product and move on to the next opportunity. It requires companies to not only support customers well but also innovate fast. By owning the platform, providers can deliver new features independent of any supplier. It’s the kind of innovation we’ve seen in cloud services but not telcos and legacy carriers. It’s up to you, though, to find providers that live up to this vision.
Making the Technology Transition to SASE
SD-WAN is a sophisticated technology, but it’s meant for meeting the challenges of yesterday, not tomorrow. The Secure Access Service Edge (SASE) is a comprehensive platform that blends SD-WAN with security, remote access, and many other capabilities to meet whatever challenges you face today and tomorrow. For more information about selecting SASE and the right partner for WAN transformation, watch the on-demand webinar -- The Dark Side of SD-WAN.
Types of Remote Access Technologies for Enterprises
Long before the global pandemic made its way around the world, enterprises were already providing at least some of their workers the ability to work remotely. Whether it was salespeople on the road, or telecommuters working from home a few days per week, some small percentage of employees needed access to their corporate resources from some remote location.
Then it seemed that overnight, millions of workers worldwide were told to isolate and work from home as best as they could. Businesses were suddenly forced to enable remote access for hundreds or thousands of users, all at once, from anywhere across the globe. Many companies that already offered VPN services to a small group of remote workers scurried to extend those capabilities to the much larger workforce sequestering at home. It was a decision made in haste out of necessity, but now it’s time to consider, is VPN the best remote access technology for the enterprise, or can other technologies provide a better long-term solution?
Long-term Remote Access Could Be the Norm for Some Time
Some knowledge workers are trickling back to their actual offices, but many more are still at home and will be for some time. Global Workplace Analytics estimates that 25-30% of the workforce will still be working from home multiple days a week by the end of 2021. Others may never return to an official office, opting to remain a work-from-home (WFH) employee for good.
Consequently, enterprises need to find a remote access solution that gives home-based workers a similar experience as they would have in the office, including ease of use, good performance, and a fully secure network access experience. What’s more, the solution must be cost effective and easy to administer without the need to add more technical staff members.
VPNs are certainly one option, but not the only one. Other choices include appliance-based SD-WAN and SASE. Let’s have a look at each approach.
VPNs Weren’t Designed to Support an Entire Workforce
While VPNs are a useful remote access solution for a small portion of the workforce, they are an inefficient technology for giving remote access to a very large number of workers. VPNs are designed for point-to-point connectivity, so each secure connection between two points – presumably a remote worker and a network access server (NAS) in a datacenter – requires its own VPN link. Each NAS has a finite capacity for simultaneous users, so for a large remote user base, some serious infrastructure may be needed in the datacenter.
Performance can be an issue. With a VPN, all communication between the user and the VPN is encrypted. The encryption process takes time, and depending on the type of encryption used, this may add noticeable latency to Internet communications. More important, however, is the latency added when a remote user needs access to IaaS and SaaS applications and services. The traffic path is convoluted because it must travel between the end user and the NAS before then going out to the cloud, and vice versa on the way back.
An important issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. Stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks. What’s more, there is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network via insecure user devices.
SD-WAN Brings Intelligence into Routing Remote Users’ Traffic
Another option for providing remote access for home-based workers is appliance-based SD-WAN. It brings a level of intelligence to the connectivity that VPNs don’t have. Lee Doyle, principal analyst with Doyle Research, outlines the benefits of using SD-WAN to connect home office users to their enterprise network:
Prioritization for mission-critical and latency-sensitive applications
Accelerated access to cloud-based services
Enhanced security via encryption, VPNs, firewalls and integration with cloud-based security
Centralized management tools for IT administrators
One thing to consider about appliance-based SD-WAN is that it’s primarily designed for branch office connectivity—though it can accommodate individual users at home as well. However, if a company isn’t already using SD-WAN, this isn’t a technology that is easy to implement and set up for hundreds or thousands of home-based users. What’s more, a significant investment must be made in the various communication and security appliances.
SASE Provides a Simpler, More Secure, Easily Scalable Solution
Cato’s Secure Access Service Edge (or SASE) platform provides a great alternative to VPN for remote access by many simultaneous workers. The platform offers scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access.
Companies that enable WFH using Cato’s platform can scale quickly to any number of remote users with ease. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) maintained by Cato to deliver a wide range of security and networking services close to all locations and users. The complexity of scaling is all hidden in the Cato-provided PoPs, so there is no infrastructure for the organization to purchase, configure or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser.
Cato’s SASE platform employs Zero Trust Network Access in granting users access to the specific resources and applications they need to use. This granular-level security is part of the identity-driven approach to network access that SASE demands. Since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied to traffic from remote users. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies. This eliminates the “trombone effect” associated with forcing traffic to specific security choke points on a network. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.
SASE Supports WFH in the Short-term and Long-term
While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The Cato SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.
Cato Engineers Review Favorite SASE Features
At Cato, we pride ourselves not only on the performance and airtight security of the Cato platform but the power and ease of use of its management tools. Cato’s cloud-based interface puts a lot of granular configuration power in the hands of the customers, rather than forcing them to wait hours or days for the provider to make each configuration change. Cato also provides unparalleled visibility into WAN traffic and security.
In Cato’s Sales Engineers Demo and Interview Video Series, our sales engineers show you their Cato favorites. Dive in with them as they demonstrate how to set bidirectional quality of service, utilize Cato’s Zero Trust Network Access (ZTNA) capabilities, and deep dive into bandwidth management and analytics.
How to Configure and Monitor ZTNA with Cato in Minutes - by Jerry Young:
In 10 minutes, learn how to configure Cato’s Zero Trust Network Access (ZTNA) and then track and monitor access events. Jerry shows how easy it is when you use the right DNS settings, making sure that access is enforced correctly, unaffected by IP address changes. Watch as he defines ZTNA to specific hosts, applications, and users and demonstrates how access events are recorded and audited.
How a SASE with a Private Backbone Optimizes Access to Cloud Applications - by Nick Gagliardi:
Nick shows how to optimize WAN traffic to specific cloud applications by keeping it on Cato’s global private backbone rather than the public Internet. He demonstrates how simple it is to set an egress rule that keeps a specific cloud application’s network traffic on the Cato global private backbone, where it benefits from all the optimization and security of Cato’s SASE platform and performs as well as private applications hosted in private datacenters. Keep watching until the end to see what’s #1 on Netflix in Germany… even if you’re in the US.
What Modern, SASE-based Network Monitoring Should Look Like - by Mark Bayne:
Cato’s Senior Director of Worldwide Sales Engineering, Mark Bayne, takes you through the many layers of Cato’s SASE monitoring tools. He starts with the basic connectivity metrics, then proceeds to configuring views of individual application usage, leveraging Cato’s application awareness technology, and demonstrates Cato’s unique real-time views of live application prioritization, routing, and user access.
Bi-directional QoS, Advanced Bandwidth Management, and Real-Time Application Analytics - by Jack Dolan:
Experience the power of Cato’s bi-directional QoS, advanced bandwidth management, and real-time application analytics. Jack explains Cato’s Cloud SASE architecture in detail, including how network traffic is routed, managed, and optimized. Moving through the management console, he demonstrates how to set network rules to control traffic priorities, and how Cato’s advanced and real-time analytics give IT leaders an unprecedented view into their WAN.
How to Configure VoIP and ERP Optimization for 3,000 Global Employees Across the World in Minutes - by Sylvain Chareyre:
Experience Cato agility with Sylvain as he shows how an IT manager can make enterprise-wide network changes instantly. In less than 10 minutes, Sylvain demonstrates how to deploy worldwide unified communications as a service (UCaaS) for 3,000 users, optimize access to an on-premises ERP system, and prepare the network for cloud migration.
December 28, 2020
The Best Networking Memes of 2020
Throughout the year, Catoians gather and share memes internally about a host of topics. This year, we developed a very unscientific algorithm for ranking those memes and sharing the very best. Big thanks to Cato’s Daniel Avron, Jerry Young, Oded Engel, and Oren David for their efforts scouring the Internet. And without further ado…
#10 The Best Quote of 2020
#9 The Biggest Threat of the Year
#8 The Best Depiction of Work Life Under Covid-19
#7 The Best Label for a LAN cable
#6 The Best Depiction of Dual Factor Authentication
#5 The Best Example of Worthwhile Remote Work
#4 The Best Example of COVID-19’s Impact on Networking
#3 The Best Explanation of an Always On/Never Off Feature
#2 The Best Explanation of Application Developers vs. Application Testers
#1 The Best Consequence of Privacy Laws
And just in case you haven’t had enough…
Best Contribution COVID-19 Has Made to Society
Best Usability Lesson
December 21, 2020
Stopping Sunburst: The Second-Best Argument for a SASE Platform
It's likely been the most sophisticated publicized attack in the past decade. For more than nine months, Sunburst, the trojan designed for SolarWinds Orion, lurked undetected in enterprise networks. Some 18,000 SolarWinds customers may have downloaded the trojanized Orion software, and not one reported the threat. (To better understand why this threat went undetected, check out this blog from Shay Siksik, Cato's Security Analyst Manager.)
And these weren't small, unprofessional organizations. More than 425 of the US Fortune 500 companies use SolarWinds products. These are enterprises that likely invested in all manner of preventive security measures. They've made heavy investments in NGFW appliances, antimalware, endpoint detection and response (EDR), and more. And still, it didn't matter. If you ever needed a lesson that security prevention isn't enough, Sunburst was it.
But there was a second, equally important lesson to consider from this outbreak: What do you do post-infection? For appliance-studded enterprises, post-infection looks like a race against time. They need to update infrastructure against the trojan, and hunt for the trojan on their networks before any further damage can be done.
In the real world, security appliance vendors priding themselves on how quickly they released a Sunburst signature is only half the story. Enterprises must still download, test, and deploy those signatures across all appliances for all vendors — an enormous headache. They must then hunt for Sunburst lurking in their organization — an impossible task without months of traffic already logged for analysis. No security appliance vendor is going to help on that score.
Contrast that with the experience of Cato SASE customers. Within a few minutes of identifying Sunburst's IoCs, our security team updated all Cato detection and prevention engines. Instantly, all Cato customers were protected against the trojan. No patches needed to be downloaded; no updates applied. No further action was needed from customers or partners. Period.
But that was only a start. Cato's security team mined months of data stored in our massive data warehouse built from all customers' traffic flows. Through this process, the security team could identify network flows from those enterprises exhibiting Sunburst IoCs. The team alerted the relevant customers and helped them with remediation. The team will continue monitoring all Cato customer traffic for Sunburst moving forward.
And how long did this entire process take the Cato team? A few hours. In just a few hours, Cato was able to protect all customers against this threat, and identify and alert those already infected by Sunburst.
Let's be clear. There's no substitute for stopping threats before they penetrate defenses. We all know that. But the reality is that given the complexity of today's networks, the first-mover advantage of attackers, and the enormous resources available to threat actors, perfect prevention is impossible. Enterprises must prepare themselves for what happens after learning about a threat.
How do you discover and hunt for threats in your organization? In legacy enterprises, such an effort would have required enormous expenditures: aggregation tools deployed to gather the data, storage purchased and maintained to hold months of traffic, data mining and analysis tools to investigate the data, and, most of all, the hiring of specialized talent to hunt for threats.
More likely, companies would rely on an MSSP. Even then, the MSSP would still have to race against time, manually updating appliances and struggling to look for threats. But for customers of a true SASE platform, like Cato Cloud, automatic updates to all components and threat hunting are already part of the service.
Sunburst: Yet Another Argument for SASE
2020 has been an auspicious year for security and networking teams. We began by learning about the fundamental shift in networking and network security called secure access service edge (SASE).
Quickly, we saw the biggest argument for SASE — the need to shift to large-scale, work-from-home. Whereas legacy enterprise spent weeks and months deploying large scale, work-from-home solutions, Cato SASE customers converted to remote access in minutes and hours. How appropriate then that we should close the year with another case for SASE — quick and instant response to Sunburst.
To learn more about how Cato's SASE platform can help you ready your network for whatever comes next, contact us here.
December 13, 2020
MPLS Upgrade for the Modern Enterprise
If you are about to renew your MPLS contract, or if you need to upgrade your capacity—STOP! Don’t commit to another year of MPLS until you’ve had time to consider if it’s the right technology to carry your business forward. Modern enterprises now have alternatives to MPLS that are more flexible and just as reliable for building a WAN.
Not only is MPLS expensive and inflexible but it’s also poorly suited for meeting the needs of organizations that embrace cloud computing, SaaS applications, and a mobile/remote workforce. If it’s been a while since you’ve shopped around for network connectivity, you need to know that you can switch your dedicated and expensive MPLS network to a cloud-based network and still sustain the service levels your business needs, maintain security, cut costs, and improve overall agility and flexibility.
MPLS Can’t Adapt to Changing Traffic Patterns, and Other Drawbacks
Every enterprise has a need for secure, high-performance, and reliable networking. For decades now, organizations have built their WANs using MPLS circuits to connect branch offices back to the corporate home office. Until recently, MPLS circuits were not only the logical choice but the only choice for high-performance branch connectivity.
The advent of cloud computing and high adoption rates for SaaS applications are real disruptors for WANs built on an MPLS-based hub-and-spoke architecture. MPLS is optimized for point-to-point connectivity only. Workers in branch offices have no direct means of reaching the Internet for cloud or SaaS applications. Their traffic can only be backhauled to headquarters over the MPLS lines and then sent out to the cloud.
This “hair pinning” of traffic just adds latency and creates performance issues. It certainly fails to meet today’s needs when a large percentage of traffic is cloud bound. Consider that Microsoft 365 is the world’s most widely used cloud service – 56% of organizations around the world use it – but 365 isn’t designed to work over a legacy MPLS WAN.
There are other shortcomings of MPLS for modern enterprises. For example, security can be an issue. An MPLS network doesn’t offer built-in data protection, and if incorrectly implemented, it can open the network to vulnerabilities. Cost can be an issue too, especially when compared to alternatives that use the Internet as a transport mechanism. In that comparison, MPLS has a much higher per-megabit price. What’s more, MPLS offers no mechanism to support individual users who work remotely or who must be highly mobile.
For enterprises with a global or multi-national footprint, it can take a long time – perhaps as long as half a year – to deploy MPLS in different countries. There is no single global provider of MPLS, and so an enterprise must work through a broker or accept that it must manage numerous service providers. But perhaps the biggest drawback is a lack of control over the network. The service provider(s) have an outsized role in managing the network.
Is SD-WAN the Alternative to an MPLS Upgrade?
For several years now, pundits have touted SD-WAN as an alternative – or at least a complement – to MPLS. Certainly, SD-WAN has been looking to address the challenges of MPLS, like cost, capacity, rigidity, and manageability.
An SD-WAN edge can dynamically route traffic over multiple data services (cable, xDSL, 4G/LTE, and even MPLS) based on the type of traffic and the quality of the underlying service. An enterprise can easily increase capacity available for production by adding inexpensive data services to an existing MPLS-based network. Zero-touch provisioning allows the edge to configure its connection to the WAN using the available mix of services at each location. This means that new sites can be brought on quickly with a single or dual Internet service or 4G/LTE.
SD-WAN offers many desirable features, but on its own, it’s not a full-fledged replacement for MPLS. In many cases, and especially for branch offices, an MPLS circuit is still needed to carry latency-sensitive traffic. Also, SD-WAN routers don’t address security needs. Enterprises need to extend their security architectures using edge firewalls or cloud security services, which adds to the cost and complexity of an SD-WAN deployment.
Moreover, SD-WAN solutions weren’t designed with cloud resources and mobile users in mind. Vendors have since come up with ways – albeit inelegant – to route traffic to the cloud, but mobile users are left in the lurch with SD-WAN.
SASE Extends SD-WAN as a Real Alternative to MPLS
Cato Networks’ SASE solution addresses the shortcomings of pure SD-WAN to offer a genuine alternative to MPLS-based networking. SD-WAN is actually just one part of Cato’s network offering. SD-WAN appliances deliver important networking functionality while SASE goes further by converging SD-WAN with other network and security services to create a holistic WAN connectivity and security fabric.
The Cato Cloud provides an SLA-backed global backbone of points of presence (PoPs) that form an affordable alternative to MPLS-based networking. This single, global network connects and secures all enterprise edges – sites, cloud resources, and mobile/remote users – without compromising on the cost savings, agility, or reach of the Internet or the predictability, reliability, and performance of MPLS. This SASE solution also builds security into the underlying cloud-native architecture to eliminate the need for a patchwork of security appliances.
SASE is a truly transformational approach to the WAN. By combining SD-WAN and other networking functionality with advanced security features, SASE can legitimately address most WAN network and security requirements at scale, and certainly, be a legitimate replacement for an MPLS-based network.
Cato purpose-built the world’s first true SASE platform and has been recognized as a leader in the space. If you’d like to learn more about what SASE can do for your enterprise, please contact us today, sign up for a demo, or download our “How to Migrate from MPLS to SD-WAN” eBook.
50,000 Fortinet VPNs Breached Via Vulnerability Fixed 18 Months Ago. Here’s What You Can Do.
Last week (25 November 2020) reminded us once again of the importance and challenge of that real-world problem — patching. It was reported that a hacker had leaked the credentials for 50,000 Fortinet VPNs. The victims include high street banks, telecoms, and government organizations from around the world. The stolen data includes usernames, passwords, access level (such as 'full access'), and the original unmasked IP address of the user connected to the VPN. The data is spreading across the Dark Web.
The vulnerability exploited to obtain the data is CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
This is not its first known exploitation. Back in July 2020, the UK's National Cyber Security Center (NCSC) and Canada's Communications Establishment (CSE) published information on the use of this vulnerability by APT29 -- also known as 'Cozy Bear', and believed to be a Russian state-backed group involved in hacking the DNC prior to the 2016 U.S. elections. In this instance, the target via the Fortinet VPNs was thought to be information about COVID-19 vaccines.
In October 2020 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned that the Russian state-backed hacking group often known as Energetic Bear used the same vulnerability in attacks against the networks of various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks -- ahead of the 2020 elections.
None of this should have been possible. Fortinet patched the vulnerability back in Spring 2019 -- well over a year before these incidents. After the latest incidents, Fortinet told Bleeping Computer, "In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade."
Patching. That’s the Real Problem
So, the real problem here is a patch problem. Fortinet VPN users -- thousands of major corporations and government entities -- simply failed to patch a critical vulnerability despite repeated warnings.
The need for a robust patching regime has been known and urged for decades. But still companies fail to patch their systems efficiently or sufficiently. The result can be disastrous. The infamous Equifax breach of 2017 was ultimately a failure in patching. The ultimate cost to Equifax could be several billion dollars, combining settlements to affected users (potentially up to $2 billion) and a further $1 billion for agreed security upgrades. There are many other examples of costly breaches caused by a failure to patch.
The basic problem remains -- organizations find patching very difficult, and this same issue of unpatched systems being compromised will continue. According to a Ponemon/ServiceNow report in October 2019,
60% of breach victims were breached due to an unpatched known vulnerability where the patch was not applied
62% were unaware that their organizations were vulnerable prior to the data breach
52% of respondents say their organizations are at a disadvantage in responding to vulnerabilities because they use manual processes.
There are many reasons for companies' failure to patch. Not enough staff. Insufficient resources to adequately test the possible downstream effect of patches. And connections to operational technology, where the ingrained philosophy is not to touch something that is currently working. Indeed, Dark Reading has stated that nearly three-fourths of organizations worry that software updates and patches could 'break' their systems when applied. Then there are the usual challenges of any downtime, legacy system patching, and compatibility with existing applications and operating systems.
Patching Doesn’t Have to Be A Problem
But there is a solution to the patch problem that is simple and effective and not dependent on in-house resources -- the use of firewall as a service (FWaaS), such as the one built into Cato’s SASE platform. Without the cloud, security must be installed appliance by appliance, location by location. It is incumbent on the overworked and under-resourced security or IT team to update and manage those appliances; this is where patching fails.
Cloud services, however, do not rely on their users' own staff resources. Whenever Cato becomes aware of a new fix or patch, we automatically push it out to all our customers. Cloud service users receive a robust patch regime without having to worry about patching or a repeat of the Fortinet VPN incidents and the Equifax patch failure.
How Cato Cloud Resiliency Overcomes Regional and National Outages
Just a day before Thanksgiving, an AWS cloud outage struck down large parts of the Internet for multiple hours, impacting major apps, websites, and services worldwide like Autodesk, Roku, and Shipt. Although only 1 of 23 AWS geographic regions (US-East-1) experienced issues at the time, the global echo was significant for any company dependent on AWS cloud services.
It’s incredibly important to look “under the covers” of all cloud-based offerings, especially those claiming to be SASE services. Simply spinning up a virtual appliance in the cloud or hosting physical appliances and calling it a “cloud-based service” is a far cry from providing an enterprise-grade service that’s designed to work 24x7x365. What happens when the appliance fails? How does the cloud-hosted appliance deal with failures in the cloud provider’s infrastructure? If SASE is to become the networking and security solution, it must be enterprise-grade. This is very much a case where architecture matters.
Cato Cloud: A Self-Healing Architecture
Cato has spent years developing a cloud-native, self-healing platform that can recover from failures at all levels of its architecture. Today, Cato runs a stateless, single-pass cloud-native engine that handles the routing, optimizing, and securing of all WAN and Internet traffic.
Processing is distributed across a cloud-scale, global network of points of presence (PoPs). The controller functionality is a smart, distributed data plane at the processing engine level, not a single controller, eliminating a potential single point of failure. With most processing in the cloud, edge devices and clients accessing Cato are radically simplified, further reducing the likelihood of edge outages.
Every Cato Cloud tunnel and resource has automated failover capabilities inside the PoP, across PoPs, and the entire cloud for a fully self-healing architecture.
Self-Healing of the Cloud Network
Rather than the unpredictable global Internet, Cato Cloud is built on our global private backbone. It’s a global, geographically distributed, SLA-backed network of 60+ PoPs, interconnected by multiple tier-1 carriers. This cloud network is engineered to deliver predictable transport with zero packet loss, minimum latency, and global optimization for maximum performance.
Self-Healing Between PoPs
Upon a failure or degradation in a tier-1 carrier connecting to a Cato PoP, the PoP automatically switches to an alternate tier-1 carrier in the global backbone to maintain connectivity. If needed, PoPs also connect to the nearest Internet Exchange (IX) for additional redundancy.
If any PoP becomes unreachable, or is taken out of service for maintenance, all tunnels connected to it automatically move to the nearest available PoP. Failover rules, regulatory constraints and other tradeoffs are built into that automatic decision. IP ranges associated with the failed PoP are also moved, so that service continues uninterrupted.
Self-Healing Within PoPs
All Cato PoPs contain redundant servers, each running identical copies of Cato's software. Any of these compute nodes can serve any edge tunnel connected to that PoP. If a compute node fails, its tunnels reconnect to an available compute node inside the same PoP, since that PoP remains the closest one to the disconnected edges. In most cases, user sessions are not affected.
And in the unlikely event of a total Cato Cloud outage, Cato Sockets can establish direct connectivity, providing branch-to-branch and Internet connectivity over the public Internet, though without Cato's security services or private backbone.
Self-Healing at the Edge
Cato Sockets are thin-edge SD-WAN devices with just enough logic to steer traffic into the Cato Cloud, where networking and security processing take place. The thin-edge design makes redundant devices affordable, and Cato also offers Sockets with redundant internal components.
Several high availability branch (HA) design options are available:
Affordable cold spares with automatic provisioning in the cloud,
Warm standby for automatic take over as part of self-healing architecture, and
Transport overlay across multiple last-mile transports in either active/passive or active/active configurations.
Sites automatically reconnect to the optimum PoP upon any outage or degradation. In addition, if the Cato Cloud is temporarily unreachable for any reason, branches communicate directly with one another, automatically reconnecting back to the Cato cloud upon availability.
The same seamless HA is available for remote users. If a remote user’s device loses tunnel connectivity or the user roams, Cato Clients automatically reconnect to the nearest PoP with dynamic tunnel failover inside a PoP or dynamic tunnel failover across PoPs to continue all services.
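The failover behaviour described in the three sections above (reconnect to another compute node inside the PoP, move to the nearest reachable PoP when the PoP is lost, fall back to direct Internet when the whole cloud is unreachable, and return when it recovers) can be captured as a small selection policy. The Python below is an added illustration written for this page, not Cato's code; the PoP names, latencies and node states are constructed inline, and the policy is a simplification in which latency is the only selection criterion, so the regulatory and special-case rules mentioned above are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Pop:
    name: str
    latency_ms: float        # RTT measured from this edge to the PoP (constructed value)
    nodes: Dict[str, bool]   # compute node name -> healthy?
    reachable: bool = True   # False while the PoP is down or in maintenance

    def healthy_nodes(self) -> List[str]:
        if not self.reachable:
            return []
        return [n for n, ok in self.nodes.items() if ok]


@dataclass
class Tunnel:
    pop: Optional[str] = None    # None means direct-Internet fallback (no backbone, no security)
    node: Optional[str] = None
    history: List[str] = field(default_factory=list)


def nearest_pop(pops: List[Pop]) -> Optional[Pop]:
    """Lowest-latency PoP that is reachable and has at least one healthy compute node."""
    usable = [p for p in pops if p.healthy_nodes()]
    return min(usable, key=lambda p: p.latency_ms) if usable else None


def reconnect(tunnel: Tunnel, pops: List[Pop]) -> Tunnel:
    """Apply the failover policy once (call it on every detected failure or recovery).

    - A failed compute node is replaced by another node in the same PoP, because
      that PoP is still the nearest one.
    - A lost PoP moves the tunnel to the nearest reachable PoP.
    - No usable PoP at all means direct Internet, until a PoP comes back.
    """
    target = nearest_pop(pops)
    if target is None:
        tunnel.pop, tunnel.node = None, None
        tunnel.history.append("direct-internet-fallback")
        return tunnel
    # Keep the current node only if it is still healthy inside the chosen PoP.
    if not (tunnel.pop == target.name and tunnel.node in target.healthy_nodes()):
        tunnel.node = target.healthy_nodes()[0]
    tunnel.pop = target.name
    tunnel.history.append(f"{tunnel.pop}/{tunnel.node}")
    return tunnel


def simulate() -> Tunnel:
    """Walk one edge through node failure, PoP loss, total cloud loss and recovery."""
    pops = [  # constructed topology
        Pop("frankfurt", 12.0, {"fra-1": True, "fra-2": True}),
        Pop("amsterdam", 19.0, {"ams-1": True, "ams-2": True}),
        Pop("london", 25.0, {"lon-1": True}),
    ]
    t = reconnect(Tunnel(), pops)                 # initial attach: frankfurt/fra-1

    pops[0].nodes["fra-1"] = False                # compute node fails
    t = reconnect(t, pops)                        # self-healing within PoP: frankfurt/fra-2

    pops[0].reachable = False                     # whole PoP in maintenance
    t = reconnect(t, pops)                        # self-healing between PoPs: amsterdam/ams-1

    for p in pops:                                # total Cato Cloud loss
        p.reachable = False
    t = reconnect(t, pops)                        # direct-internet-fallback

    for p in pops:                                # cloud recovers, node repaired
        p.reachable = True
    pops[0].nodes["fra-1"] = True
    t = reconnect(t, pops)                        # automatic fallback: frankfurt/fra-1
    return t


if __name__ == "__main__":
    for step in simulate().history:
        print(step)
```

Because the policy always recomputes the nearest healthy PoP, fallback to the original PoP after recovery comes for free. A production implementation would add dampening so that a flapping carrier does not bounce a tunnel between PoPs on every measurement.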
Built-in Self-Healing for Peace of Mind
As the recent AWS outage reminds us, the public cloud, for all its scale, does not by itself guarantee uptime. In today's cloud-first world, fragmented networking point solutions only add HA complexity and cost.
With Cato's self-healing architecture, failure detection, failover and fallback are all automatic, with no need to manually update networking, security or optimization policies. Cato's cloud-native SASE platform lets global enterprises meet or exceed their uptime requirements with enterprise-grade redundancy, more predictable than the public Internet and more affordable than global MPLS and other legacy backbones.
Top 15 Network Security Websites
November 16, 2020
Network security covers many different areas, including access control, cloud security, malware protection, BYOD security, remote workforce, and web security. The modern digital business of any size, industry, or location needs to keep up with all these responsibilities to maintain a strong security posture. So we gathered a list of 15 websites (listed alphabetically) to help you stay informed with the latest trends and innovations in the network security arena.
1. CIS (Center for Internet Security)
CIS is a forward-thinking nonprofit with a mission “to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” The resources section offers a wide range of materials including whitepapers, blogs, and webinars. A recent blog post provides cyber defense tips for staying secure both in the office and at home.
2. Dark Reading
Dark Reading is one of the most respected online magazines for security professionals, offering both news and in-depth opinion pieces on the latest developments within the industry. It has some excellent articles, offering the latest information in cybersecurity management to keep you in-the-know. A great example is this article explaining what SASE is, why it’s here, and how to use it.
3. Data Breach Today
Data Breach Today offers a wealth of information on security, from training and compliance guides to industry events and latest news. There’s an extensive section on network and perimeter security issues, including webinars and whitepapers. One interesting webinar looks at how enterprises are investing in bug bounty competitions to find network vulnerabilities.
4. Hackaday
Not a network security blog per se, Hackaday nonetheless deserves a special mention. This cheeky website is all about the community built around the idea of hacking, which it defines as “an art form that uses something in a way in which it was not originally intended”. The website gathers hacking stories that are primarily intended for entertainment.
5. Help Net Security
Help Net Security covers technical security challenges and management concerns. Contributors include an impressive roster of industry leaders, who discuss everything from cultivating a sustainable workforce during COVID-19 to tech trends and risks shaping organizations’ data protection strategy. Make sure to check out the whitepaper archives for more in-depth content.
6. IDG
IDG is a worldwide leading tech media company with a community of the most influential technology and security executives. Some of IDG’s premium brands include CIO®, Computerworld®, CSO®, and Network World®. A great visual summary of IT response, six months into the pandemic, is available here.
7. Infosec
Infosec has been fighting cybercrime since 2004, offering advanced and comprehensive education and training platforms. Infosec is recognized as a security awareness and training leader by both Gartner and Forrester. Some of their helpful resources include topics like General Security, Wireless Security, and Threat Hunting.
8. Infosecurity Magazine
Infosecurity Magazine is the go-to resource for the latest news on all subjects related to information security. It has over ten years of experience providing knowledge and insights, focusing on hot topics and trends, in-depth news analysis, and opinion columns from industry experts. Check out the Network Security section, which includes topics such as access rights management, endpoint security, firewalls, intrusion prevention/detection, and more.
9. SANS Institute
Established in 1989, the SANS Institute specializes in information security, cybersecurity training, and certification, with events in over 90 cities across the globe. Its website includes a large repository of materials on network security, including an in-depth course on intrusion detection and whitepapers on network security.
10. SC Media
SC Media has been sharing industry expert guidance and insight, in-depth features and timely news, and independent product reviews for 30 years. The magazine also runs annual awards for organizations that apply innovative solutions to security issues. Check out the resource library for featured assets and reports.
11. Security Magazine
Security Magazine looks at network security issues from the point of view of C-level management. The column Security Talk offers insights into the issues C-level executives face today. A recent publication discusses the cybersecurity threats that require security leaders to ensure constant control enforcement across newly expanded footprints.
12. TechRepublic
TechRepublic is a great source for breaking IT news, best practices, advice, and how-tos delivered by a global team of tech journalists, industry analysts, and real-world IT professionals. A recent article reviews the five must-know emerging tech terms from Gartner's 25th Hype Cycle report.
13. The Hacker News
Established in 2010, The Hacker News is a dedicated cybersecurity and hacking news platform that attracts over 8 million readers. It’s considered one of the most significant information security channels for topics such as data breaches, cyber attacks, vulnerabilities, and malware. It includes a rich Security Research Library and featured articles on industry innovations, such as “Gartner Says the Future of Network Security Lies with SASE”, and product reviews on secure remote access (ZTNA/SDP), managed threat detection and response (MDR), and lots more.
14. The Register
The Register is a leading global online enterprise technology news publication, reaching ~40 million readers worldwide. Known for its opinionated and sometimes controversial pieces, The Register offers networking professionals a valuable collection of content written by industry peers. The website includes a prominent section on security.
15. Threatpost
Threatpost is an independent, leading news site for IT and business security, covering topics like vulnerabilities, malware and cloud security. Threatpost’s award-winning editorial team provides a rich selection of content, including podcasts, featured articles, videos, and slide shows, alongside expert commentary on breaking industry news.
Can you think of any other resource that should be on this list? Follow us on LinkedIn, Facebook, or Twitter, and let us know!
*This blog was updated and republished in November 2020
SASE: It’s the iPhone of Networking
November 10, 2020
When the Apple iPhone hit the market in 2007, it was described as "revolutionary." The monumental success of the iPhone – and countless imitators from other smartphone vendors – has proven the term to be correct. But why? What’s the big innovation of the smartphone? After all, the components in a smartphone predated this type of device by years. We had our PDAs for our contact lists and appointments, digital cameras to take photos, mobile phones to place calls, handheld GPS to find our way to places, and portable media players for music.
The innovation of the smartphone was, of course, that it converged all these functions (and more) together. Convergence. That is the innovation of SASE.
When Gartner defined the market for the Secure Access Service Edge (SASE) last year, we had already seen all its networking and security functions on the market. We already had firewalls and UTMs. We had mobile access solutions. We had SD-WAN and networking. But we had them as separate solutions coming from different vendors, which made their deployment quite complex. What’s more, with the functions being separate components, taking advantage of capabilities across the functions required heavy integration and multi-vendor coordination.
Like the smartphone, SASE’s first innovation is that it brought all those disparate components together into one converged and convenient platform. This makes deployment and delivery much simpler.
Convergence Is More Than Convenience
Packaging multiple functions into a smartphone did more than save pocket space. It created a platform that could be used for unlimited applications. Sensors and software and other capabilities all built into the smartphone resulted in several benefits. First, things work together seamlessly, so no integration is needed. Second, app developers don’t have to create functions for themselves because they can simply use what the platform already offers. But most importantly, a robust platform with lots of capabilities is a force multiplier to spur even more innovation and new kinds of solutions that might otherwise be impractical or even impossible to build.
For example, the language translation app Google Translate builds on some of the inherent features of the smartphone in a very innovative way. This app delivers a language conversion engine that lets you translate a sign written in a foreign language in real-time. It uses the smartphone’s camera to capture an image of the sign, embedded OCR to convert the image into text, and then Google’s own language engine to translate the foreign text to the target language. Google used some of the capabilities of the smartphone, coupled with its own technology, to create a unique and high value application. Delivery of Google Translate’s capabilities wouldn’t be possible without convergence of functions on the device.
A SASE Platform Enables Capabilities that Were Previously Impractical, If Not Impossible
The same is true of SASE. Pulling together all networking and security functions into a single, coherent platform does more than make deployment simpler. It allows for combining data and capabilities in different ways to develop new solutions that otherwise might have been impossible to deliver. Let’s explore some examples of the benefits of convergence in the Cato SASE platform:
ZTNA and Remote Access - VPNs have traditionally been the dominant point solution for remote access to a network. However, VPNs bring risk to an enterprise because they lack granular control over network access. Software-defined perimeter (SDP), also called Zero Trust Network Access (ZTNA), enables tighter overall network security for remote access users. SASE converges ZTNA, NGFW, and other security services with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that adopt Cato’s SASE architecture get the benefits of ZTNA along with a full suite of converged network and security services that is both simple to manage and highly scalable.
High-Performance FWaaS - Firewall as a service is a multifunction security gateway delivered as a cloud-based service. It is often intended to protect mobile users and small branch offices that have no dependency on the central datacenter for applications. Standalone FWaaS offerings often suffer poor site-to-site performance because of their few PoPs and their dependency on the unpredictable global Internet. By integrating FWaaS with its private backbone, Cato’s SASE architecture addresses these shortcomings to deliver high-performance FWaaS.
Threat Prevention - The Cato SASE platform detects and prevents threats based not only on signatures and security feeds but also on network characteristics. That second kind of information would not be available had Cato’s security services been built on a security-only platform. Instead, Cato captures the network metadata of all flows from all users at all customers in a massive data warehouse, enriched with threat-intelligence feeds and other security-specific information. Data aggregation and machine learning algorithms mine the full network context of this data warehouse over time, detecting indicators of anomalous activity and evasive malware across all customer networks. It's the kind of context that can't be gleaned by looking at the networking and security domains separately, or by examining just one organization's network. It requires a converged solution like Cato, examining all traffic flows from all customers in real time.
Event Correlation - Last year, Cato introduced SIEM capabilities called Instant*Insight, offered with the Cato platform at no added cost to customers. Instant*Insight organizes the millions of networking and security events tracked by Cato into a “queryable” timeline through a single-pane-of-glass. This service tracks issues for all sites, mobile users, and cloud resources. IT teams can quickly drill down into and correlate these events to arrive at the root cause of issues.
For years, organizations have looked for such a platform but delivering it was impractical before SASE convergence. Network appliances typically share log data – not raw event data – with SIEMs. Even then the right APIs need to be written, the data needs to be normalized, and only then can it be stored in a common datastore. It’s a massive undertaking when networking and security are separate functions. But Cato was able to develop Instant*Insight in a matter of months precisely because we were able to leverage the power of convergence. The data has already been gathered and the base tool sets were available.
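The normalization and correlation work the last two paragraphs describe is easy to underestimate until you try it on even two log formats. The Python below is an added example written for this page, not Instant*Insight or any Cato code: it takes a constructed key=value firewall format and a constructed JSON remote-access login format, normalizes both into one event schema, orders them into a single timeline, joins identity onto the firewall events (which carry only IP addresses) using the login records, and runs one correlation rule over the result. The log lines, field names and the five-minute window are all made up for the illustration.

```python
import json
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into before it goes on the timeline."""
    ts: datetime
    source: str
    user: Optional[str]
    src_ip: Optional[str]
    action: str
    detail: str


# Constructed sample lines (not real logs): a key=value firewall format and a JSON auth format.
FIREWALL_LINES = [
    "2020-11-10T09:00:05Z fw01 action=deny src=10.8.1.23 dst=10.0.5.9 dport=445 app=smb",
    "2020-11-10T09:00:09Z fw01 action=deny src=10.8.1.23 dst=10.0.5.10 dport=445 app=smb",
    "2020-11-10T09:00:12Z fw01 action=allow src=10.8.1.23 dst=10.0.2.7 dport=443 app=https",
]
AUTH_LINES = [
    '{"time": "2020-11-10T08:58:40Z", "user": "alice", "client_ip": "10.8.1.23", "result": "success", "mfa": true}',
    '{"time": "2020-11-10T08:30:00Z", "user": "bob", "client_ip": "10.8.1.40", "result": "success", "mfa": true}',
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(line: str) -> Event:
    ts, host, rest = line.split(" ", 2)
    kv = dict(KV_RE.findall(rest))
    return Event(parse_ts(ts), host, None, kv.get("src"), kv["action"],
                 f"{kv.get('app')} to {kv.get('dst')}:{kv.get('dport')}")


def parse_auth(line: str) -> Event:
    d = json.loads(line)
    return Event(parse_ts(d["time"]), "vpn-auth", d["user"], d["client_ip"],
                 "login-" + d["result"], "mfa" if d.get("mfa") else "no-mfa")


def build_timeline(fw_lines: List[str], auth_lines: List[str]) -> List[Event]:
    """Normalize both sources and order them into a single queryable timeline."""
    events = [parse_firewall(l) for l in fw_lines] + [parse_auth(l) for l in auth_lines]
    return sorted(events, key=lambda e: e.ts)


def attribute_users(timeline: List[Event]) -> List[Event]:
    """Firewall events carry no identity; attach the user of the most recent
    successful login seen from the same source IP. This is the cross-domain join
    that separate networking and security tools cannot do on their own."""
    last_user = {}
    out = []
    for e in timeline:
        if e.action == "login-success":
            last_user[e.src_ip] = e.user
        if e.user is None and e.src_ip in last_user:
            e = replace(e, user=last_user[e.src_ip])
        out.append(e)
    return out


def denies_after_login(timeline: List[Event], window: timedelta = timedelta(minutes=5),
                       threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Correlation rule: a login followed within `window` by at least `threshold`
    firewall denies from the same IP, a pattern consistent with a freshly connected
    user (or stolen credentials) probing internal resources."""
    findings = []
    for login in (e for e in timeline if e.action == "login-success"):
        denies = [e for e in timeline
                  if e.action == "deny" and e.src_ip == login.src_ip
                  and login.ts <= e.ts <= login.ts + window]
        if len(denies) >= threshold:
            findings.append((login.user, login.src_ip, len(denies)))
    return findings


if __name__ == "__main__":
    tl = attribute_users(build_timeline(FIREWALL_LINES, AUTH_LINES))
    for e in tl:
        print(e.ts.isoformat(), e.source, e.user, e.action, e.detail)
    print(denies_after_login(tl))
```

Every new appliance or format means another parser like `parse_firewall`, and every field that one source lacks (here, identity on firewall events) means another join like `attribute_users`. On a platform where both kinds of event are already produced in one schema by one engine, only the last function, the rule itself, remains to be written.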
In short, a true SASE platform does more than make deployment easier. It converges capabilities together to form a platform that provides the basis of new capabilities. Integration can’t give you that—only smartphone-like convergence can.
Rethinking Enterprise VPN Solutions: Designing Scalable VPN Connectivity
The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly – almost overnight – giving companies little time to prepare for so many people to work remotely. To keep business functioning as best as possible, enterprises need to provide secure remote connectivity to the corporate network and cloud-based resources for their remote workers.
Many companies turned to their existing VPN infrastructure, beefing up the terminating appliances in the datacenter with additional capacity to support hundreds or thousands of new work from home (WFH) users. In the early days of Coronavirus lockdowns, some countries saw a surge in VPN use that more than doubled the typical pre-pandemic demand. However, VPN infrastructure isn’t designed to support an entire workforce. As organizations contemplate an extended or even permanent switch to WFH, investing in a secure, scalable connectivity solution is essential.
Enterprise VPN Solutions are Not Designed for Distributed Workforces
VPNs are designed for point-to-point connectivity. Each secure connection between two points requires its own VPN link for routing traffic over an existing path. For people working from home, this path is going to be the public Internet. The VPN software creates a virtual private tunnel over which the user’s traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter). Each terminating appliance has a finite capacity for simultaneous users. VPN visibility is limited when companies deploy multiple disparate appliances.
Pre-pandemic, many organizations had enough VPN capacity to support between 10 and 20 percent of their workforce as short-duration remote users at any given time. This covered employees temporarily working from hotels and customer sites as well as from their homes. Once pandemic restrictions forced people to isolate at home, companies saw VPN usage jump to as much as 50 to 70 percent of the workforce. Scaling capacity quickly was a real challenge: each concentrator has a fixed capacity, and where sites are meshed together the number of VPN links grows quadratically with the number of sites (n(n-1)/2 links for a full mesh of n sites).
Security is a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel is not inspected for malware or other threats. To maintain security, the traffic must be routed through a security stack at its terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, providing security for VPN traffic is expensive and complex to manage.
Another issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks.
Of further concern, VPN products themselves can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s National Vulnerability Database (NVD) has published over 100 new CVEs for VPN products since last January.
SASE Provides a Simpler, More Secure, Scalable Solution Compared to VPN Solutions
In mid-2019, Gartner introduced a new cloud-native architectural framework to deliver secure global connectivity to all locations and users. Gartner analysts named this architecture the Secure Access Service Edge (or SASE). Cato Networks is recognized as offering the world’s first global SASE platform.
Cato’s SASE platform is built as the core network and security infrastructure of the business, and not just as a remote access solution. It offers unprecedented levels of scalability, availability, and performance to all enterprise resources.
It so happens that SASE is an ideal VPN alternative. SASE offers scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access. There are several ways that Cato’s SASE platform outperforms a traditional VPN solution.
First, the SASE service seamlessly scales to support any number of end-users globally. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) to deliver a wide range of security and networking services, including remote access, close to all locations and users.
Second, availability is inherently designed into Cato’s SASE service. Each resource – a location, a user, or a cloud – establishes a tunnel to the nearest SASE PoP. Each PoP is built from multiple redundant compute nodes for local resiliency, and multiple regional PoPs dynamically back up one another. The SASE tunnel management system automatically seeks an available PoP to deliver continuous service, so the customer doesn’t have to worry about high availability design and redundancy planning.
Third, SASE PoPs are interconnected with a private backbone and closely peer with cloud providers, to ensure optimal routing from each edge to each application. This is in contrast with the use of the public Internet to connect to users to the corporate network.
Fourth, since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied. Because the SASE service is globally distributed, SASE avoids the trombone effect associated with forcing traffic to specific security choke points on the network. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies.
And lastly, Cato’s SASE platform applies Zero Trust Network Access (ZTNA) principles, granting users access only to the specific resources and applications they need. This granularity is part of the identity-driven approach to network access that SASE demands.
SASE is Well-Suited to Remote Work
Enterprises that enable WFH using the Cato Networks SASE platform can scale quickly to any number of remote users without worry. The complexity of scaling is all hidden in the Cato-provided PoPs, so there is no infrastructure for the organization to purchase, configure or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser.
Security is decentralized, located at the PoPs, which reduces the load on infrastructure in the company’s datacenter. Routing and security are integrated at this network edge. Thus, security administrators can choose to inspect business traffic and ignore personal traffic at the PoP. Moreover, traffic can be routed directly and securely to cloud infrastructure from the PoP instead of forcing it to a central datacenter first. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.
WFH Employees Have Secure and Productive Access to the Corporate Network
While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The Cato SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.
Why SASE Must Support ALL Edges, ALL Traffic, and ALL Applications
As SASE becomes more widely adopted in the industry, there are wide discrepancies in the use of the term. In its August 2019 report, The Future of Network Security Is in the Cloud, Gartner saw SASE (Secure Access Service Edge) as creating a single network for the complete enterprise, connecting and securing all edges everywhere.
Of late, though, some network providers want to selectively deliver only part of those capabilities, such as only providing secure access to the Internet. It’s really “sleight of marketing” to call implementing select capabilities “SASE,” as this doesn’t meet Gartner’s original definition of the term [bold emphasis added]:
The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.
SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.
In further describing SASE, the Gartner analysts wrote:
What security and risk professionals in a digital enterprise need is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to.
In short, SASE is meant to be one holistic platform for the complete network, covering all edges, all traffic, and all applications, i.e., the “entities” in the definition above.
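The definition just quoted (access based on the identity of the entity, real-time context and continuous assessment of trust throughout the session) and the contrast drawn in the remote-access post above (a VPN grants the whole network once the user authenticates, with no scrutiny of the device) can be made concrete. The Python below is an added example written for this page, not Cato's policy engine or anything from the Gartner report; the rule set, user, device signals and thresholds are constructed, and "managed", "disk encrypted", "patch age" and "country" stand in for whatever posture and context signals a real deployment collects.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Device:
    managed: bool            # enrolled in device management (assumed posture signal)
    disk_encrypted: bool
    patch_age_days: int      # days since the OS was last patched


@dataclass
class Session:
    user: str
    groups: Set[str]
    device: Device
    mfa: bool
    country: str
    granted: Set[str] = field(default_factory=set)   # apps currently reachable


@dataclass(frozen=True)
class AppRule:
    app: str
    groups: Set[str]
    require_mfa: bool
    require_managed: bool
    max_patch_age: int
    countries: Set[str]      # empty = any country


def posture_ok(dev: Device, rule: AppRule) -> bool:
    if rule.require_managed and not (dev.managed and dev.disk_encrypted):
        return False
    return dev.patch_age_days <= rule.max_patch_age


def evaluate(session: Session, rules: List[AppRule]) -> Set[str]:
    """Per-application decision from identity, MFA, location and device posture.
    Nothing is granted by default; each app needs a rule that matches."""
    allowed = set()
    for r in rules:
        if not (session.groups & r.groups):
            continue
        if r.require_mfa and not session.mfa:
            continue
        if r.countries and session.country not in r.countries:
            continue
        if not posture_ok(session.device, r):
            continue
        allowed.add(r.app)
    return allowed


def reassess(session: Session, rules: List[AppRule]) -> Set[str]:
    """Continuous assessment: re-run the policy mid-session and revoke what no
    longer qualifies. Returns the apps that were revoked."""
    now = evaluate(session, rules)
    revoked = session.granted - now
    session.granted = now
    return revoked


def flat_vpn_access(session: Session, network_apps: Set[str]) -> Set[str]:
    """Contrast: a legacy remote-access VPN grants the whole network once the user
    authenticates, with no per-app rule and no posture check (simplified model)."""
    return set(network_apps) if session.mfa else set()


RULES = [  # constructed policy: app, groups, mfa, managed device, max patch age, countries
    AppRule("crm", {"sales"}, True, True, 30, set()),
    AppRule("payroll", {"hr"}, True, True, 14, {"US"}),
    AppRule("wiki", {"all-staff"}, False, False, 90, set()),
]


def demo() -> Tuple[Set[str], Set[str], Set[str], Set[str]]:
    alice = Session("alice", {"sales", "all-staff"},
                    Device(managed=True, disk_encrypted=True, patch_age_days=10),
                    mfa=True, country="DE")
    alice.granted = evaluate(alice, RULES)
    initial = set(alice.granted)                 # {"crm", "wiki"}
    alice.device.patch_age_days = 45             # posture drifts during the session
    revoked = reassess(alice, RULES)             # {"crm"}: too far behind on patches
    after = set(alice.granted)                   # {"wiki"}
    vpn = flat_vpn_access(alice, {"crm", "payroll", "wiki"})   # everything, regardless
    return initial, revoked, after, vpn


if __name__ == "__main__":
    print(demo())
```

The point of `reassess` is that the decision is not made once at connect time: the same inputs are re-evaluated while the session lives, and an app is withdrawn as soon as the device or context no longer satisfies its rule. The flat VPN model has no equivalent hook, which is why stolen credentials on an unmanaged machine buy an attacker the whole network there.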
The Legacy Network Can’t Be Overlooked
This complete network includes an enterprise’s legacy network. While enterprises are moving many applications and workloads to the cloud, as well as embracing mobility, there continues to be legacy infrastructure that still performs important functions. Workers in branch offices still need to access files in private datacenters. People in sales offices still need to use legacy applications left in private datacenters that are too sensitive or simply unsuitable to be moved to the cloud. Both scenarios, and many others, continue to require predictable, low-latency network performance between locations.
To deliver on those expectations, you’re going to need the right networking features. These include the route optimization to calculate the best path for each packet, the QoS in the last mile, and the dynamic path selection to move traffic to the optimum path. The global Internet is too unpredictable with too much latency to deliver high performance connections day in and day out. You’ll need the lower latency of a global private backbone and a fix for packet loss. Basically, it’s all the “networking stuff” that we take for granted today when building an enterprise WAN.
Site-to-Site Security a Must
And when traffic is sent between sites, it must be secured. That means ensuring an NGFW is in place to restrict access to resources, that anti-malware is used to prevent the lateral movement of malware across the organization, and that DLP ensures data isn’t being siphoned off in a breach.
Relying on separate products to address site-to-site traffic means enterprises face the challenges of a multiplicity of systems (and possibly vendors). IT ends up juggling multiple management consoles, each populated with siloed information, which makes operations much more challenging. Visibility into the network is fragmented, as data collection is spread across two (or more) solutions.
And because visibility is obscured, so is the ability to detect activity that spans site-to-site and Internet communications. For example, malicious content may bypass detection and be downloaded from the Internet. The malware might then exfiltrate data to its C&C server or infect other WAN-based resources, such as a file server. That sequence is easy to miss if you aren’t looking at the networking and security domains for both Internet-bound and site-to-site traffic together.
SASE Sees It All
SASE spans all edges, applications, and traffic flows. Only a true SASE architecture has complete visibility and control over both network and security because they are converged into a single software stack. As noted in the recent Hype Cycle report, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” Thus, data flows are inspected one time (called a single-pass architecture) to determine networking and security needs. For example, which way to steer the packets, how to prioritize data flows, how to impose security policies, whether there is malware present, etc.
Because all such evaluations are done in a single pass of the traffic – where the data flow is decrypted once, inspected, then re-encrypted – performance is truly enhanced. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected and re-encrypted multiple times. This adds unnecessary latency to the network. It’s called “stitching together” a SASE-like solution, but hardly True SASE.
September 14, 2020
Why I Hate Multivendor SASE
Of late, there’s talk about using multiple vendors to deliver a SASE solution. One would provide the SD-WAN and security, another the global private backbone, and perhaps a third will deliver remote access. But is that what SASE is all about?
As the article points out, Gartner analysts defined SASE as a single-vendor, cloud-native platform. In their August 2019 report “The Future of Network Security Is in the Cloud,” they wrote: “This market converges network (for example, software-defined WAN [SD-WAN]) and network security services (such as SWG, CASB and firewall as a service [FWaaS]). We refer to it as the secure access service edge and it is primarily delivered as a cloud-based service.”
In Gartner’s Hype Cycle for Network Security, 2020, the analyst firm does give a nod to “dual vendor deployments that have deep cross-vendor integration” as a form of SASE. However, I would argue that an “integrated” solution still has its faults.
The keyword in the original description of SASE is “converges.” There’s a difference between convergence and integration. Convergence conveys that network and security have been brought together onto one platform best developed by a single provider, whereas integration conveys that multiple services or appliances from two or more suppliers are tied together through APIs or other means.
Gartner calls this integrated approach a “SASE alternative” that approximates the offerings of a true SASE solution. The industry is more broadly calling it “multivendor SASE,” a solution in which customers stitch together networking and security functions from different vendors through integration.
SASE Was Defined to Address All of an Enterprise’s Requirements
As pointed out in the report, traditional enterprise network design, where the enterprise datacenter is the focal point for access, is increasingly ineffective and cumbersome in a world of cloud and mobile. Backhauling branch and mobile traffic for inspection no longer makes sense when most traffic needs to go directly to the cloud. Secure access services need to be everywhere.
By spanning all edges, applications, and traffic flows, SASE provides:
Support for existing east-west traffic (such as WAN, site-to-site, VoIP, RDP, access to on-premises apps, etc.), which is still present and will be for some time, and
Support for both current and future traffic flows with full optimization and security.
Pulling together all networking and security functions into a single, coherent platform does more than make deployment simpler. With all traffic consolidated into one converged platform, SASE provides complete visibility that enhances security and control.
How Multivendor SASE Falls Short
Multivendor SASE, which involves taking components from various vendors and integrating them together, falls short of a truly converged solution in several ways. First is the challenge of deploying multiple devices, especially if the security stack is repeated in each branch. That’s a lot of appliances to deploy, configure and maintain.
Next is the major effort to integrate the different services and devices into a somewhat cohesive solution. The main solution provider – maybe an MSP or a telco – will take care of much of the integration, but some effort might still be on the customer’s plate. Integration is a daunting task, as the separate pieces are likely to be on different development or update cycles. Each time a patch is applied or an OS is updated, testing is needed to ensure there are no problems with the APIs or other aspects of the integration. This cycle of “update and test” adds time and cost to the solution each time one of the components changes.
Network and security management can be a challenge in a multivendor SASE solution. When there are distinct devices from different vendors, they each run their own management consoles and store data in separate formats and places. Perhaps one dominant management console is chosen to present the relevant data. However, important detail data from the individual services or devices might not be made available through that console. Moreover, alerting may be less efficient, as separate tools each want to provide their own alerts. Even if a SIEM is present to correlate the alerts, significant work is required to tune and maintain the SIEM’s correlation engine.
With the security stack being separate from the network, there is a loss of what might be called data fidelity where network security is concerned. The security tools are working from logs and not actual network flows, so they aren’t seeing everything in full context and thus might miss indications of threats.
The Advantages of Converged, Single Vendor SASE
When all networking and security components are converged into one platform, great synergies can be achieved.
All traffic on the network needs to be inspected by various devices to know how to treat that traffic. The WAN needs to know how to route the traffic. The firewall needs to know how to process the traffic based on numerous policies. Different security devices need to know if the traffic harbors threats, or if sensitive data is being exfiltrated. Each of these functions needs to inspect traffic that is not encrypted. With Cato, the network and security are converged, so the traffic can be decrypted one time, inspected by all necessary functions, and then re-encrypted. Contrast this to a multivendor SASE that decrypts/re-encrypts traffic multiple times as it passes through each individual service or device. The converged SASE approach is much more efficient and doesn’t impact overall performance.
Having network and security all on one platform, in the same data flow, has the advantage of deep visibility when it comes to threat detection. The security inspection tools see everything on the network, not just logs. This provides deep and broad context – in Cato’s case, the context of all customers, not just one – to understand everything that is happening on the network and catch threats earlier in the kill chain.
As for integration, there is none. Cato’s entire SASE code base is one stack. It allows us to be very agile when it comes to updates, enhancements, and introducing new features. We don’t depend on third parties’ development lifecycles as a multivendor SASE solution must do.
Multivendor SASE Isn’t SASE At All—It’s Merely an Alternative
When it comes down to it, what the industry is calling “multivendor SASE” isn’t really SASE at all. It’s simply a way to allow traditional network or security vendors to bolt onto their current solutions to provide services that are similar but far short of true SASE.
September 7, 2020
What is Zero Trust Architecture?
Zero trust has become one of the hottest buzzwords in network security. However, with all the hype, it can become difficult to separate the marketing fluff from the real value. Fortunately, unlike many buzzwords, there is plenty of substance around zero trust.
So, what exactly is the substance behind zero trust and how can you identify solutions that meet your enterprise’s needs? Let’s take a look.
What is Zero Trust Architecture? A crash course
In simple terms, zero trust is based on these principles: apply granular access controls and do not trust any endpoints unless they are explicitly granted access to a given resource. Zero Trust Architecture is simply a network design that implements zero trust principles.
Zero Trust Architecture represents a fundamental shift from traditional castle-and-moat solutions such as Internet-based VPN appliances for remote network access. With those traditional solutions, once an endpoint authenticates, it has access to everything on the same network segment and is only potentially blocked by application-level security.
In other words, traditional solutions trusted everything on the internal network by default. Unfortunately, that model doesn’t hold up well for the modern digital business. The reason zero trust has become necessary is enterprise networks have changed drastically over the last decade, and even more so over the last six months.
Remote work is now the norm, critical data flows to and from multiple public clouds, Bring Your Own Device (BYOD) is common practice, and WAN perimeters are more dynamic than ever. This means enterprises, whose networks now have a broader attack surface, are strongly incentivized to both prevent breaches and limit dwell time and lateral movement in the event a breach occurs. Zero Trust Architecture enables micro-segmentation and the creation of micro-perimeters around devices to achieve these goals.
How Zero Trust Architecture works
While the specific tools used to implement Zero Trust Architecture may vary, the National Cybersecurity Center of Excellence’s ‘Implementing a Zero Trust Architecture’ project calls out four key functions:
Identify. Involves inventory and categorization of systems, software, and other resources. Enables baselines to be set for anomaly detection.
Protect. Involves the handling of authentication and authorization. The protect function covers the verification and configuration of the resource identities zero trust is based upon as well as integrity checking for software, firmware, and hardware.
Detect. The detect function deals with identifying anomalies and other network events. The key here is continuous real-time monitoring to proactively detect potential threats.
Respond. This function handles the containment and mitigation of threats once they are detected.
Zero Trust Architecture couples these functions with granular application-level access policies set to default-deny.
The result is a workflow that looks something like this in practice:
Users authenticate using MFA (multi-factor authentication) over a secure channel
Access is granted to specific applications and network resources based upon the user’s identity
The session is continuously monitored for anomalies or malicious activity
Threat response occurs in real-time when potentially malicious activity is detected
The same general model is applied to all users and resources within the enterprise, creating an environment where true micro-segmentation is possible.
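The following sketch is added here as an illustration of that workflow; it is not Cato’s code nor part of the NCCoE project. It models a default-deny broker in which identities carry an MFA flag, access is granted per application from group membership, and each live session is scored against constructed anomaly events and revoked once a risk threshold is crossed; a castle-and-moat helper shows the network-level contrast. The application names, groups, event names and risk weights are all constructed.

```python
"""Zero-trust access workflow sketch: MFA-gated authentication, default-deny
application-level authorization, continuous per-session risk scoring and
automatic revocation. Hypothetical model, not any vendor's implementation."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool          # set only after a second factor succeeded


@dataclass(frozen=True)
class Rule:
    app: str
    allowed_groups: FrozenSet[str]   # any overlap with the identity's groups grants access
    require_mfa: bool = True


@dataclass
class Session:
    identity: Identity
    app: str
    risk: int = 0
    active: bool = True
    observed: list = field(default_factory=list)


class ZeroTrustBroker:
    """Grants access per application, never per network segment, and keeps
    re-evaluating the session for as long as it lives."""
    # Constructed risk weights for anomaly events seen during a session
    RISK_WEIGHTS = {"new_device": 20, "impossible_travel": 40,
                    "off_hours": 10, "malware_signature": 100}
    RISK_LIMIT = 50     # reaching this revokes the session (the Respond step)

    def __init__(self, rules):
        self.rules = {r.app: r for r in rules}

    def authorize(self, identity: Identity, app: str) -> Optional[Session]:
        """Protect: default-deny. No rule, no MFA, or no matching group -> None."""
        rule = self.rules.get(app)
        if rule is None:
            return None
        if rule.require_mfa and not identity.mfa_verified:
            return None
        if not (identity.groups & rule.allowed_groups):
            return None
        return Session(identity, app)

    def observe(self, session: Session, event: str) -> bool:
        """Detect/Respond: score each monitored event and revoke at the limit.
        Returns whether the session is still active."""
        if session.active:
            session.observed.append(event)
            session.risk += self.RISK_WEIGHTS.get(event, 0)
            if session.risk >= self.RISK_LIMIT:
                session.active = False
        return session.active


def reachable_apps(broker, identity, apps):
    """Which of `apps` this identity can open under zero trust."""
    return {a for a in apps if broker.authorize(identity, a) is not None}


def castle_and_moat_apps(authenticated: bool, apps):
    """Contrast: a network-level VPN exposes the whole segment after one login."""
    return set(apps) if authenticated else set()


# Constructed policy: three apps with rules; anything unlisted is denied
RULES = [
    Rule("crm", frozenset({"sales"})),
    Rule("fileshare", frozenset({"sales", "engineering"})),
    Rule("ci-server", frozenset({"engineering"})),
]
APPS = ["crm", "fileshare", "ci-server", "hr-payroll"]   # hr-payroll has no rule


def demo():
    broker = ZeroTrustBroker(RULES)
    alice = Identity("alice", frozenset({"sales"}), mfa_verified=True)
    alice_no_mfa = Identity("alice", frozenset({"sales"}), mfa_verified=False)
    print("castle-and-moat:", sorted(castle_and_moat_apps(True, APPS)))
    print("zero trust     :", sorted(reachable_apps(broker, alice, APPS)))
    print("without MFA    :", sorted(reachable_apps(broker, alice_no_mfa, APPS)))
    session = broker.authorize(alice, "crm")
    for ev in ("new_device", "impossible_travel"):
        print(f"event {ev}: active={broker.observe(session, ev)} risk={session.risk}")


if __name__ == "__main__":
    demo()
```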
How SDP and SASE enable Zero Trust Architecture
SDP (software-defined perimeter), which is also referred to as ZTNA (Zero Trust Network Access), is a software-defined approach to secure remote access. SDP is based on strong user authentication, application-level access rights, and continuous risk assessment throughout user sessions. With that description alone, it becomes easy to see how SDP makes it possible to implement Zero Trust Architecture.
When SDP is part of a larger SASE (Secure Access Service Edge) platform, enterprises gain additional security and performance benefits as well. SDP with SASE eliminates the complexity of deploying appliances at each location and the unpredictability that comes from depending on the public Internet as a network backbone. Additionally, with SASE, advanced security features are baked in to the underlying network infrastructure. In short, SDP as a part of SASE enables Zero Trust Architecture to reach its full potential.
For example, the Cato SASE platform implements zero trust and delivers:
Integrated client-based or clientless browser-based remote access
Authentication via secure MFA
Authorization through application-level access policies tied to user identities
DPI (deep packet inspection) and an intelligent anti-malware engine for continuous protection against threats
Advanced security features such as NGFW (next-generation firewall), IPS (intrusion prevention system), and SWG (secure web gateway)
Optimized end-to-end performance for on-premises and cloud resources
A globally distributed cloud-scale platform accessible from all network edges
A network backbone supported by 50+ PoPs (points of presence) and a 99.999% uptime SLA
Interested in learning more about SDP, SASE, and Zero Trust Architecture?
If you’d like to learn more about SDP, SASE, or Zero Trust Architecture, please contact us today or sign up to demo the Cato SASE platform. If you’d like to learn more about how to take a secure and modern approach to remote work for the enterprise, download our eBook Work from Anywhere for Everyone.
A Modern Approach to Enterprise Remote Access
Remote work has become the new normal as a result of the COVID-19 pandemic, and according to a survey by collaboration software provider Slack, most knowledge workers believe remote-work-friendly policies will continue after the pandemic as well.
At the same time this unprecedented shift to remote work is occurring, businesses are realizing traditional enterprise remote access solutions, like Internet-based VPN, often aren’t capable of addressing all the needs of large-scale work from home. As a result, user experience and productivity can suffer. That’s why many enterprises are turning to more modern and scalable remote access solutions like SDP (software-defined perimeter) and SASE (Secure Access Service Edge) that can deliver enterprise-grade performance and security at scale.
But what exactly do enterprises need from a remote access solution and why are SDP solutions capable of meeting those needs better than traditional solutions? Let’s take a look.
What businesses need from enterprise remote access solutions
To remain productive when working from home, employees need access to the same data and applications they used in the office. Additionally, the importance of collaboration tools like Slack and Microsoft Teams increases dramatically. Enterprise IT needs to provide access to these resources, which are often scattered across the public cloud and corporate datacenters, in a way that allows employees to remain productive without sacrificing security.
Therefore, enterprise remote access solutions need to:
Deliver high quality user experience. When everyone is working from home, there is a direct relationship between network connectivity and productivity. If a user cannot attend a teleconference due to latency or business applications become unusable or inaccessible, productivity comes to a screeching halt. Simply put, the network cannot become a productivity bottleneck.
Provide predictable and reliable performance. Predictable and reliable performance go hand-in-hand with user experience. Latency, packet loss, and network outages can all wreak havoc on a remote workforce. This means enterprises need enterprise remote access solutions that are both reliable and fault tolerant.
Provide enterprise-grade security. Remote work makes it even harder to address the challenges of enterprise network security. Endpoints are now effectively deployed at every employee’s home, expanding attack surfaces and adding to the risk posed by phishing attacks and malware. As a result, enterprises need remote access solutions that can enforce granular security policies, rapidly detect and mitigate threats, and reduce lateral movement in the event a breach occurs.
Scale easily. Capacity constraints and network complexity can become major bottlenecks as a remote workforce scales. Enterprise remote access solutions need to be able to scale easily without adding significant complexity to the network.
The problems with traditional enterprise remote access solutions
Point solutions like Internet-based VPN aren’t entirely without a use case. For small-scale and affordable connectivity between a few sites, a point solution may be the right answer. However, the continuous use and scale of organization-wide work from home isn’t a use case that traditional point solutions can effectively address. Issues that enterprises using these solutions to enable large-scale remote work have encountered include:
Latency and poor user experience. VPN servers have a limited amount of capacity; as more users connect, the server can become overworked and performance degrades. As a result, user experience suffers.
Unreliable performance. Point solutions that depend on the Internet are also subject to all the problems with Internet routing. When an enterprise remote access solution is entirely dependent on the Internet, that means unpredictable performance can become the norm.
Lack of granular security controls. Generally, point solutions restrict access at the network-level. Once a user authenticates, they have network access to everything on the same subnet. This lack of granular security and visibility creates a significant risk and leaves gaps in network visibility.
Difficult to scale. The client/server architecture of point solutions simply isn’t scalable. To increase capacity for a network based on point solutions, IT needs to either deploy new appliances or upgrade existing ones. Further, addressing security and performance optimization challenges requires additional appliances to be deployed and integrated, which increases network complexity.
How SDP and SASE solve these issues
SDP, also known as ZTNA (Zero Trust Network Access), is a software-defined approach to application access. It is based on three core functionalities:
Strong user authentication
Application-level access based on user profiles
Continuous risk assessment during sessions
This software-defined approach, which delivers application-level security policies, helps to address several of the security and scalability challenges enterprises face. While SDP alone is useful, it is when SDP is used as part of a broader SASE platform that enterprises derive the most value from an optimized and secure remote access solution.
SASE includes WAN optimizations and network security functions like NGFW (next-generation firewall) and IPS (intrusion prevention system) that help eliminate the need for complex deployments with multiple appliances while improving security and performance. Further, because SASE is cloud-based, enterprises benefit from the hyper-scalability of the cloud in their remote access solution.
For example, businesses that use Cato’s SASE platform benefit from an enterprise remote access solution that:
Optimizes performance for all applications and improves user experience. Traffic is optimally routed over a global private backbone that eliminates the performance issues of VPN servers that depend on the Internet. Additionally, WAN optimizations increase throughput for use cases like video conferences and sharing large files. Further, with client-based or clientless access options and integrations for authentication services like Azure Active Directory, users benefit from a simple and secure SSO (single sign-on) experience with MFA (multifactor authentication).
Provides predictable performance and a 99.999% uptime SLA. Cato’s network backbone consists of over 50 PoPs (points of presence) across the globe and is backed by a 99.999% uptime SLA. This gives enterprises a level of performance reliability and fault tolerance point solutions cannot.
Enforces granular security policies and continuously monitors for threats. SDP coupled with NGFW, IPS, and threat detection delivers enterprise-grade security in a single, easy-to-manage platform.
Brings the scalability of the cloud to remote access. The cloud approach of SASE delivers scalability point solutions simply cannot match. The underlying appliances and infrastructure are abstracted away from the enterprise, reducing complexity and allowing IT to focus on core business functions.
Interested in learning more about SDP, SASE, and enterprise remote access solutions?
As we have seen, SDP and SASE provide a modern approach to enterprise remote access and enable digital businesses to effectively support large scale remote work. If you’d like to learn more about SDP, SASE, or enterprise remote access solutions, contact us today or download this Work from Anywhere for Everyone eBook. If you’d like to see the world’s first SASE platform in action, we invite you to sign up for a demo.
SASE Convergence or Integration? It’s Not the Same Thing
Networking and security used to be considered two distinct areas of information technology. Enterprises would build a network to meet their communication needs and then bolt on security to protect data and devices. The widespread adoption of Gartner's secure access service edge (SASE) architecture all but debunked that notion, and today it's widely accepted that networking and security must come together.
For Cato, of course, this is nothing new. We’ve always viewed networking and security as two sides of the same coin. The Cato software converges security and networking functions into one cloud-native platform. The same software that runs SD-WAN QoS and path selection, WAN optimization, and other networking functions also does security inspection and policy enforcement.
But for those vendors rushing to join SASE, solution integration has become the answer. Using service chaining or some other method, vendors connect their own networking and security point solutions, or those of third parties. Such an approach, though, is fraught with problems. Deployment involves rolling out multiple appliances or solutions. IT is left juggling multiple management consoles, which complicates troubleshooting. The disparate policy frameworks remain another hurdle.
Let's take a closer look at the differences between convergence and integration during the deployment, operation, and management phases of the network.
Simplified Deployment of Secure SD-WAN
Opening new offices becomes much simpler and quicker because convergence allows for the deployment of a very thin edge. With most functionality converged into the cloud, the connecting software or device can be very light, running as an SD-WAN device, a virtual appliance, or even a small piece of software, like a mobile client. All “edges” of the enterprise are interconnected by one, predictable global backbone.
By contrast, when integrating security and networking solutions, enterprises have to deploy and install separate solutions, such as SD-WAN and firewall appliances. Rolling out security appliances at all the branches is cumbersome and expensive—and sometimes even impossible. Additional solutions are needed for remote access and for reliable, high-performance, global connectivity, further complicating deployment (and fragmenting visibility, as we’ll discuss).
Rapid Network Expansion Enabled by Software-only Deployment
Convergence also enables providers to expand their network's geographic footprint very rapidly without compromising on the services offered at a location. There are no proprietary appliances to wait on, configure, and ship to a distant location. As such, within a few short years, Cato's network has surged to more than 50 PoPs worldwide, nearly doubling the coverage density of service providers twice its age.
Figure: With its cloud-native software platform, Cato has been able to rapidly expand its network, reaching 50+ PoPs in a few short years, the most of any independent, cloud-native backbone.
Improved Performance with Single-pass Processing
Having converged networking and security enables Cato to decrypt and inspect the packet once, performing all security and networking processing in parallel. As such, traffic, even encrypted traffic, can be inspected at wire speed regardless of the needed security policies or optimizations. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected, and re-encrypted multiple times. It adds unnecessary latency to the network.
Holistic Intelligence Deepens and Broadens Security Capabilities
Once traffic enters the Cato PoP, Cato captures, stores and analyzes the network metadata of those packets. The metadata is further enriched with threat-intelligence feeds and other security-specific information. More than 1 TB of traffic metadata across hundreds of customer networks is captured every day. The metadata is stored in a cloud-scale, big data architecture. Data aggregation and machine learning algorithms mine the full network context of this vast data warehouse over time, detecting indicators of anomalous activity and evasive malware across all customer networks.
It's the kind of context that can't be gleaned from looking at the networking or security domains separately, or by examining just one organization's network. It requires a converged solution like Cato, examining all traffic flows from all customers in real time.
By contrast, with separate security and networking appliances, data is stored in different databases in different formats. The result is a fragmented view of the environment and then often only for one customer. Adding a SIEM doesn't help much because it's only processing logs and missing out on the raw metadata that provides such deep insight, particularly for security analytics.
Figure: Cato Managed Detection and Response (MDR) Service.
Converging Management Makes Network Planning More Accurate, Simplifies Routine Work, Eliminates Errors
Convergence also makes network and security management simpler and more effective with less investment. The most obvious example is the management interface. From one platform, enterprises can monitor, report on, and manage their networking, remote access, and security infrastructure. Accounting for all traffic leads to a more accurate understanding of what’s happening on your network everywhere. Network planning becomes more accurate.
Convergence also makes day-to-day interactions easier and less painful. Objects, such as users and sites, created in one domain are available in the other, shortening configuration times and reducing the number of configuration errors. All too often it’s those errors that increase the attack surface and create the vulnerabilities attackers can exploit to penetrate an organization.
Figure: From a single console, Cato customers can monitor and manage their sites (1), as well as remote users and security infrastructure (2). They have overall visibility (3) that can be drilled into at a click.
Visibility Shortens the Time to Resolve Problems
Convergence also reduces troubleshooting times. Under the hood, all networking and security management data is already stored in a common database. As such, from one interface, IT can correlate network and security events to investigate a problem. It’s a powerful capability, long sought after by IT, that is best understood by looking at the alternative.
Take, for example, the case where users across offices periodically complain about call quality. Once you’ve validated the UC/UCaaS system is in order, you start investigating the network.
What might that look like? Well, for one, you'll check last-mile line quality at the user locations. The last-mile jitter and packet loss metrics may not be available for past events, though. You'll probably need to capture the data and wait till the next time the event occurs. But, for the purposes of this discussion, let’s assume you have the data right now.
So, you jump to your provider’s monitoring console and extract the relevant information. It’s not available from the provider? Maybe you can connect to each edge device to pull the data. Another console will be needed to check your backbone’s performance as well. Still another console might be needed to ensure QoS and bandwidth rules aren't throttling the line. And a fourth interface will need to be consulted to be sure a misconfigured firewall rule isn’t blocking access for some users.
Your IT team has already had to juggle four or five consoles. With each one, they had to master the product set and interface nuances to extract the needed information. But there’s more.
For complex problems, you'll want to correlate event data across these platforms. This means exporting the data, assuming that’s possible, into a common platform for analysis. You’ll need a tool that can ingest the various data sources, store the data in a data warehouse, normalize the data into a common format, graph the events onto a timeline, and then give you the tools to filter and query appropriately.
Or you can just use Cato Instant*Insight, a feature of the Cato management console available to all Cato customers. With Cato Instant*Insight, security, routing, connectivity, system, and device management event data for the past year (and longer, if required) is available, correlated, and mapped onto a time frame for analysis. From a simple Kibana-like interface, customers can drill down to analyze problems from across their network (see figure below).
Figure: By converging security and networking data into a common database, Cato was able to quickly introduce Cato Instant*Insight. This SIEM-like capability allows users to see all security, routing, connectivity, system, and device management events (1). They can even drill down into a site to see network health events, such as packet loss metrics (2).
The Strategic Advantages of Convergence
We’ve identified the benefits convergence brings across the network and security lifecycle. Faster and simpler deployment and rapid network expansion. Better network performance and deeper network visibility. Easier routine management and faster troubleshooting. These are all important, of course, but convergence has even greater, strategic implications as well.
For too long, the sheer complexity of enterprise networks has burdened IT with hidden costs at every level. Capital costs, for example, remain high. They’re dictated, in part, by the licensing fees companies pay to their suppliers. And although networking solutions share some functionality, such as packet processing, encryption and decryption, and deep packet inspection (DPI), each vendor must redevelop the technology for itself, failing to pass potential savings on to the customer.
Operational costs also increase in every part of the lifecycle with each new solution. For every new product adopted, IT must learn about the markets, evaluate their options, and then deploy, integrate, and maintain solutions. The whole process consumes precious staff resources.
Staffing requirements remain high. IT must find individuals who have first mastered the arcane commands needed to extract the necessary data from their various IT solutions. This leads to IT teams that are built based on vendor and appliance expertise, rather than on broad network and security administration and leadership skills. It’s like requiring people to master car mechanics before receiving their driver's license. Is it any wonder IT faces a staffing problem?
And each solution increases the risk to the company. Attackers are no longer only targeting government or the largest of companies. They’re going after everyone, and no one can afford to leave infrastructure unprotected. Yet with each new solution deployed comes another opportunity for penetration. IT must spend more of the time and effort of highly skilled, and expensive, technical experts to ensure infrastructure is patched and kept current. Too often that’s not the case, which has led to attacks through VPN servers, routers, and, yes, third-party SD-WAN appliances.
Convergence changes the IT operations paradigm. With one set of code, one data repository for all event data, a seamless interface becomes possible for the entire network. It presents IT with the tools to do what they need to do best and not sweat the grunt work.
Trying to achieve that by piecing together existing devices and solutions is impractical if not impossible. The technical problems are immense, but don’t discount the business disincentives. The management console is too important for vendors to be expected to give up on their interface. It’s a major tool for differentiation from the competition. That is one major reason why, beyond any technical challenges, forming a single pane of glass for networking and security has been so challenging for so long.
Only a platform built for convergence can deliver the benefits of convergence.
The disadvantages of VPNs for Enterprises
The COVID-19 outbreak led to a surge in business VPN usage in an extremely short timeframe. In fact, multiple regions saw VPN usage rise over 200% in a matter of weeks. In many cases, remote access VPNs enabled enterprises to get work from home initiatives off the ground quickly and keep their business running, despite offices being closed.
However, as they settle into the new normal, many enterprises are also learning that there are several VPN disadvantages as well. Scalability, performance, and security can all become challenges with remote access VPN. SDP (software-defined perimeter) provides enterprises with a solution to the disadvantages of VPN. By taking a software-defined approach to remote access and network security, SDP (sometimes referred to as ZTNA or Zero Trust Network Access) helps address these challenges in a way that is more sustainable long-term.
But what exactly sets SDP apart from traditional remote access VPN? Let’s find out.
Of course, VPN isn’t without its upside
Remote access VPNs provide enterprises with a means to enable remote work. A virtual or physical appliance within the WAN, the public Internet, and client software on employee PCs are often sufficient to support work from home initiatives. In many cases, this exact sort of remote access VPN configuration helped businesses keep the lights on when the pandemic hit.
While it is true remote access VPN saved the day for some businesses, it’s also true that the increased usage has further magnified some of the biggest VPN disadvantages.
#1: Not designed for continuous use
The use case for remote access VPN was never to connect an entire enterprise to the WAN. Traditionally, enterprises purchased VPN solutions to connect a small percentage of the workforce for short periods of time. With a shift to large-scale work from home, existing VPN infrastructure is forced to support a continuous workload it wasn’t intended for. This creates an environment where VPN servers are subject to excessive loads that can negatively affect performance and user experience.
#2: Complexity impedes scalability
Enterprises may try to address the issue of VPN overload with additional VPN appliances or VPN concentrators, but this adds cost and complexity to the network. Similarly, configuring VPN appliances for HA (high availability) adds more cost and requires more complex configuration. Further, because VPN servers provide remote access, but not enterprise-grade security and monitoring, they must be complemented by management solutions and security tools. These additional appliances and applications lead to even more configuration and maintenance. As each additional solution is layered in, the network becomes more complex and more difficult to scale.
#3: Lack of granular security
VPN appliances are a textbook example of castle-and-moat security. Once a user connects via VPN, they have effectively unrestricted access to the rest of the subnet. For some enterprises, this means non-admin users have network access to critical infrastructure when they shouldn’t. Further, this castle-and-moat approach increases the risk of malware spread and data breaches. To add granular security controls to remote access VPN, enterprises often have to deploy additional security point-solutions, but this adds additional cost and complexity while leaving plenty of room for misconfiguration and human error.
#4: Unpredictable performance
VPN connections occur over the public Internet, which means network performance is directly tied to public Internet performance. The jitter and packet loss common to the Internet can wreak havoc on mission critical apps and user experience. Additionally, enterprises with a global footprint know that there are significant latency challenges when attempting to send Internet traffic across the globe, before we even take into account the additional overhead VPN tunneling adds.
#5: Unreliable availability
Beyond unpredictable performance, enterprises that depend on the public Internet for remote access get no availability guarantees. When public Internet outages mean lost productivity for your entire organization, the risk of depending solely on the public Internet can outweigh the rewards significantly.
How SDP addresses remote access VPN disadvantages
SDP, when used as part of a holistic Secure Access Service Edge (or SASE) platform, directly addresses VPN’s disadvantages and provides enterprises with a scalable and reliable remote network access solution.
SASE is a category of enterprise networking that converges network and security functionality into a unified cloud-native service. SDP, which is an important part of the SASE framework, is a modern approach to remote application access that has global performance optimization, threat protection, and granular access controls built in.
The idea behind SDP is simple:
√ Users securely authenticate (e.g. using MFA and encrypted network protocols)
√ Access rights are assigned based on profiles and specific applications
√ Risk assessment occurs continuously during each user session
Using Cato’s SASE platform as an example, with SASE and SDP, enterprises gain a remote access solution that:
Is built for continuous access. Cato’s globally distributed cloud-native platform is purpose built for continuous access. Enterprises don’t have to worry about overloading a single VPN appliance with cloud-native infrastructure. Additionally, performance optimization and HA are built into Cato’s global private backbone, eliminating many of the performance issues that created VPN’s dependence on the public Internet.
Delivers hyper-scalability. Enterprises don’t need to add more appliances to scale. SDP and SASE bring the hyper-scalability of the cloud to remote access.
Provides granular access control. SDP allows enterprises to design access controls at the application-level and based on user profiles. This leads to a significant reduction in risk compared to VPN’s network-level approach.
Proactively protects against threats. With SDP, network traffic goes through end-to-end packet inspection using a robust cloud-based security stack designed to detect and prevent malicious behavior. This occurs without the need to deploy and maintain additional security solutions.
Is backed by a 99.999% uptime SLA. Cato’s global private backbone consists of more than 50 PoPs interconnected by Tier-1 Internet Service Providers and backed by a 99.999% uptime SLA. In a time where entire workforces are remote, this guarantee of availability can make a world of difference.
All this comes together to make SASE and SDP an ideal remote access VPN alternative.
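To make the contrast between the two access models concrete, here is an added example (not Cato's code and not part of the original post): a small policy engine that models the three SDP principles listed above, which are authentication with MFA, per-application access rights derived from the user's profile, and continuous risk assessment during the session, next to the subnet-level reachability a traditional VPN grants. The users, roles, applications, internal addresses, risk signals and the 70-point threshold are all constructed for illustration.

```python
"""Added example: network-level VPN access vs application-level SDP access.
Inventory, addresses, risk signals and weights are constructed, not real."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class App:
    name: str
    host: str                  # constructed internal address
    allowed_roles: frozenset   # roles that may see/reach this app


# Constructed application inventory living on one corporate subnet.
APPS = {
    "crm":     App("crm",     "10.10.1.10", frozenset({"sales", "admin"})),
    "hr":      App("hr",      "10.10.1.20", frozenset({"hr", "admin"})),
    "jumpbox": App("jumpbox", "10.10.1.30", frozenset({"admin"})),
}
CORP_SUBNET = ip_network("10.10.1.0/24")
RISK_THRESHOLD = 70   # constructed: sessions at or above this are revoked


@dataclass
class Session:
    user: str
    roles: frozenset
    mfa_passed: bool
    risk_score: int = 0      # re-evaluated continuously, 0 = clean
    revoked: bool = False


def vpn_can_reach(session: Session, dest_ip: str) -> bool:
    """Castle-and-moat: once the tunnel is up, every host on the subnet is
    reachable regardless of the user's role."""
    return session.mfa_passed and ip_address(dest_ip) in CORP_SUBNET


def sdp_can_access(session: Session, app_name: str) -> bool:
    """SDP/ZTNA: the user must be authenticated, hold a role the app's policy
    allows, and the session's current risk must stay below the threshold."""
    if session.revoked or not session.mfa_passed:
        return False
    app = APPS.get(app_name)
    if app is None:
        return False          # unpublished apps are invisible, not just blocked
    if not (session.roles & app.allowed_roles):
        return False
    return session.risk_score < RISK_THRESHOLD


def update_risk(session: Session, signal: str) -> Session:
    """Continuous assessment: a posture or behaviour signal raises the risk
    score; crossing the threshold revokes the session immediately instead of
    waiting for the next login. Signal weights are constructed."""
    weights = {"new_geo": 30, "av_disabled": 40, "impossible_travel": 80}
    session.risk_score += weights.get(signal, 0)
    if session.risk_score >= RISK_THRESHOLD:
        session.revoked = True
    return session


if __name__ == "__main__":
    alice = Session("alice", frozenset({"sales"}), mfa_passed=True)
    print("VPN: sales user reaches jumpbox:", vpn_can_reach(alice, "10.10.1.30"))
    print("SDP: sales user reaches jumpbox:", sdp_can_access(alice, "jumpbox"))
    update_risk(alice, "new_geo")
    update_risk(alice, "av_disabled")
    print("SDP: crm after risk signals:", sdp_can_access(alice, "crm"))
```

The point the code makes is that the VPN check only asks "is the tunnel up and is the destination on the subnet?", while the SDP check is evaluated per application and per request, so a change in the session's risk score takes effect mid-session without any change to network topology.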
Want to learn more about remote work, SDP, and SASE?
Enterprises are learning remote access VPN may not be the right long-term solution as we adjust to the new normal. Many are also learning that SASE and SDP are ideal for enabling secure, reliable, and high-performance remote work that can scale.
If you’d like to learn more about how SDP and SASE can address the challenges of legacy VPN, download our eBook Work from Anywhere for Everyone. If you’d like to see the Cato SASE platform in action for yourself, contact us or sign up for a demo today.
Cloud Native, COVID-19, and True Secure Access Service Edge – What The 2020 Gartner Hype Cycles Taught Us
For the second year in a row, Cato Networks was recognized as a Sample Vendor in the Secure Access Service Edge (SASE) category in the Gartner Hype Cycle for Enterprise Networking, 2020.1 Cato was also recognized as Sample Vendor in three other categories including SD-WAN, Firewall as a Service (FWaaS), and Zero Trust Network Access (ZTNA) in the Hype Cycle for Network Security 2020.2
In our opinion, it's unique for a vendor to be acknowledged for the same platform — not multiple, discrete products sold by the same vendor. The report also taught us quite a bit more about SASE since its introduction nearly a year ago. Here are some of the key highlights and insights.
SASE in, SD-WAN Out
What was an anomaly a year ago has become a phenomenon. In under a year, SASE has become widely accepted across the industry. Today, it’s understood that SD-WAN and security must come together. The days of standalone SD-WAN (without any stated security strategy) are past. The embrace of SASE is the best indicator of this trend.
Writes Gartner, “While the term originated in 2019, the architecture has been deployed by early adopters as early as 2017. By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018. By 2023, 20% of enterprises will have adopted SWG, CASB, ZTNA, and branch FWaaS capabilities from the same vendor, up from less than 5% in 2019.”1
SASE adoption reflects the shift towards a workforce that works from anywhere, accessing resources that are no longer confined to private datacenters. Writes Gartner, “Although the term is relatively new, the architectural approach (cloud if you can, on-premises if you must) has been deployed for at least two years. The inversion of networking and network security patterns as users, devices, and services leave the traditional enterprise perimeter will transform the competitive landscape for network and network security as a service over the next decade, although the winners and losers will be apparent by 2022."
One of the major motivations for SASE has been the shift to work-from-home. Writes Gartner, “COVID-19 has highlighted the need for business continuity plans that include flexible, anywhere, anytime, secure remote access, at scale, even from untrusted devices. SASE's cloud-delivered set of services, including zero trust network access, is driving rapid adoption of SASE.”1
As such, enterprises are encouraged to look at one, converged solution for branch offices and remote access. Writes Gartner, “Combine branch office and secure remote access in a single implementation, even if the transition will occur over an extended period.”1
Architecture Matters: True SASE Services Are Cloud Native
More so than evaluating specific features, SASE offerings should be evaluated on their architecture. Delivering a cloud-native architecture for security and networking capabilities is critical. Writes Gartner, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” 1
Simply linking together discrete appliances does not meet this need. Writes Gartner, “Avoid vendors that propose to deliver the broad set of services by linking a large number of products via virtual machine service chaining.”1
The Shift to a Cloud-Native Architecture Threatens Incumbents
The emphasis on the cloud will be disruptive for many. Writes Gartner, “There have been more than a dozen SASE announcements over the past 12 months by vendors seeking to stake out their position in this extremely competitive market. There will be a great deal of slideware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery as a service model and the investments required for distributed PoPs. This is a case where software architecture and implementation matters.”1
Adopt SASE Through Network Transformation
The shift to SASE can occur through the natural migration and development of the network. Gartner encourages enterprise IT to “Leverage a WAN refresh, firewall refresh, VPN refresh or SD-WAN deployment to drive the redesign of your network and network security architectures.” Enterprises are told to “Use cost-cutting initiatives in 2020 from MPLS offload to fund branch office and workforce transformation via the adoption of SASE.”1
Cato Delivers True SASE Not SASE Hype
Cato converges security and networking into a global, cloud-native platform that interconnects all edges — sites, users, applications, and cloud resources. At the core of the Cato Cloud is a global private backbone spanning 58 PoPs that extends the full range of Cato’s networking and security capabilities to every location and user worldwide.
As the SASE market matures, the importance of a cloud-native architecture is becoming ever more critical. As we noted earlier, Gartner writes, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.”2 In our opinion, this SASE definition breaks away from the appliance-centric, and service chained model of legacy architectures.
Today, Cato has more than 600 SASE customers worldwide, connecting thousands of locations, and nearly 200,000 mobile users. Cato has been delivering its SASE architecture since 2017 to enterprises of all sizes.
To learn more:
Read the Gartner Hype Cycle for Network Security, 2020 (available for a limited time) to see the complete SASE text from the Hype Cycle.
Read the text of the SASE category from the two recent Hype Cycle reports on our blog.
Read the press release about Cato’s recognition in these two recent Hype Cycle reports: https://www.catonetworks.com/news/cato-in-the-gartner-hype-cycle-for-network-security-2020
Learn more about Cato’s SASE offering: https://www.catonetworks.com/SASE
1 Gartner, "Hype Cycle for Enterprise Networking, 2020” Andrew Lerner, Danellie Young, July 8, 2020.
2 Gartner, "Hype Cycle for Network Security, 2020” Pete Shoard, June 30, 2020.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
How to Prepare for Long-term Remote Work, Post-Pandemic
Millions of people have been told to work from home (WFH) to support social distancing edicts during the pandemic. While many countries have now loosened their restrictions and allowed some workers to return to their places of employment, there are indications that WFH could be long-lasting or even permanent for some.
In a March 30 survey of 317 CFOs and business finance leaders conducted by Gartner, nearly 75 percent of those surveyed expect that at least 5 percent of their workforce who previously worked in company offices will become permanent WFH employees after the pandemic ends.
This shift to remote work has big implications for enterprise networks. Network managers who had to quickly put the resources in place to support a temporary WFH mandate will need to rethink how to sustain remote work for the long-term. There are three areas, in particular, that we believe are critically important in supporting a remote workforce: network access, security, and enterprise communications.
Remote Workers Need Network Access Comparable to In-Office Workers
To accommodate the sudden surge of home-based workers, network managers might have ordered a slew of new VPN licenses, and maybe even a larger firewall or VPN appliance, to connect people to the corporate network. However, access via VPN can be notoriously slow, especially as traffic is backhauled across the Internet to the VPN server. VPNs also can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January.
For these reasons, VPNs should not be viewed as a permanent solution for remote workers. Rather, people working from home on a full-time basis need network access that is comparable to in-office workers—reliable, good performance, easy to use, and secure.
As the world's first global Secure Access Service Edge (SASE) platform, Cato includes remote access with SD-WAN in one single platform. Enterprises can choose how to securely connect remote and mobile users to their enterprise resources and applications. Cato Client is a lightweight application that can be set up on a user’s device in minutes. It automatically connects the remote user to the Cato Cloud and from there they can access the same resources and applications they could access from any branch office. Cato’s clientless access solution allows optimized and secure access to select applications through a browser. Users navigate to an Application Portal, which is globally available from all of Cato’s 50+ PoPs, authenticate with the configured SSO, and are instantly presented with their approved applications.
With Cato’s clientless option, users are presented with a dashboard of approved applications. Clicking on an icon launches them directly into the application.
Security is Essential to Enable Working From Home
Remote work often puts the employee outside the network defense perimeter. Therefore, any WFH practices have to consider two aspects of security: network access control, and protecting the home-based worker from cyber-attack.
A VPN establishes a secure, encrypted connection so that a remote user’s traffic can travel over a public, unsecured, unencrypted network privately and safely. Other than encrypting the traffic in transit, a VPN has little else to offer in terms of securing the user’s ability to access the enterprise network and providing functions such as threat detection and mitigation.
Security, overall, is where Cato really shines because security is inherent in the network. It begins with the user login to the enterprise network. Cato is integrated with identity providers to provide strong authentication and a single sign-on (SSO) experience. Using authentication services, like Microsoft 365 or Azure AD, as the remote access SSO ensures that users securely authenticate through interfaces they are already familiar with. And enabling multi-factor authentication at the identity provider automatically enforces it for the remote access user’s authentication, further strengthening remote access security.
The remote user’s traffic is fully inspected by Cato’s security stack, ensuring enterprise-grade protection to users everywhere. Cato’s access controls (Next Generation Firewall, Secure Web Gateway), Advanced Threat Protection (IPS, next generation anti-malware) and managed threat detection and response (MDR) capabilities are enforced globally, ensuring that remote users benefit from the same protection as office users.
Unified Communications Help All Workers Collaborate, No Matter Where They Are
Many organizations have adopted Unified Communications (UC) or UC-as-a-Service (UCaaS) to promote collaboration across the enterprise. All workers need consistent and reliable access to services such as voice, video, web conferencing, email, voice mail, messaging, screen and document sharing, and scheduled meetings. It’s critical that remote/WFH workers have these same tools to maintain virtual presence, if not physical presence, with their colleagues in the office. And while Cato doesn’t offer UCaaS as part of the Cato Cloud network, our network is optimized in several ways to support this type of service.
UCaaS quickly becomes a critical application for many organizations, which makes securing UCaaS against disruption particularly important. Cato addresses this problem by converging security services into the network. Next-generation firewall (NGFW), intrusion prevention service (IPS), advanced threat protection, and network forensics are converged into Cato Cloud, protecting UCaaS and all traffic from Internet-borne threats.
Cato minimizes packet loss and latency – the enemy of call quality – through loss correction, and by eliminating backhaul and avoiding the unpredictable public Internet. Backhaul is eliminated by sending UCaaS traffic directly across the Cato network to the Cato PoP closest to the UCaaS destination. And as Cato and UCaaS providers like RingCentral often share the same physical datacenters, public Internet latency is minimized.
Cato overcomes congestion and last-mile packet loss that often degrade UCaaS service quality. Sophisticated upstream and downstream Quality of Service (QoS) ensure UCaaS traffic receives the necessary bandwidth. Policy-based Routing (PBR) along with real-time, optimum path selection across Cato Network minimizes packet loss.
And finally, Cato overcomes last-mile availability problems by sending traffic across multiple last-mile links (active/active mode; other options, such as active/passive and active/active/passive are also available). In the event of a brownout or blackout, UCaaS sessions automatically failover to the secondary connection fast enough to preserve a call. Brownouts are also mitigated by various Packet Loss Mitigation techniques.
Making the Remote Office a Safe Haven for Work
The coronavirus pandemic is changing business and work life in many ways. Employees who have receded to the safe recesses of their homes may never venture to the office again. Network managers need to consider how to keep WFH employees as effective and productive as if they were still in a corporate office, and this includes network access, security and collaborative communications.
The Path of a Packet in Cato’s SASE Architecture
The business environment is in a state of continuous change. So, too, are the supporting technologies that enable a business to rapidly shift priorities to adapt to new market conditions and customer trends. In particular, the emergence of cloud computing and user mobility have increased business agility, allowing rapid response to new opportunities.
The network of old needs to change to accommodate the phenomenal growth of cloud and mobility. It’s impractical to centralize a network around an on-premises datacenter when data and applications increasingly are in the cloud and users are wherever they need to be—on the road, at home, at a customer site, in a branch office.
Incorporating the Internet into the enterprise network reduces costs and lets companies connect resources anywhere, but security is paramount. Security must be an inherent part of the network, which is why Gartner expects networking and security to converge. They’ve dubbed this converged architecture SASE, or secure access service edge. SASE moves security out of the legacy datacenter and closer to where users, data and applications reside today. In this way, security comes to the traffic, rather than the traffic going to security.
Just what does it all mean in terms of how a data packet flows through this converged architecture to get from Point A to Point B? Let’s break it down to the various network stages to discuss how Cato applies security services and various optimizations along the way.
The Last Mile: Just Enough Smarts to Bring Packets to the Cato PoP
Start with the traffic being sent from a user in an office across the “last mile,” or what some might call the “first mile.” (Cato connects remote users and cloud resources as well, but we’ll focus on site connectivity in this example.) The user’s traffic is sent to Cato’s SD-WAN edge device, the Cato Socket, sitting on the local network.
The Cato Socket provides just enough intelligence to get the packet to the Cato point of presence (PoP), which is where the real magic happens. The Cato Socket addresses issues that can impact delivering the packet across the last mile to the nearest Cato PoP.
The Socket classifies and dynamically routes traffic based on application type and real-time link quality (packet loss, latency, utilization). Robust application-prioritization capabilities allow enterprises to align last-mile usage with business needs by prioritizing and allocating bandwidth by application. Latency-sensitive applications, such as voice, can be prioritized over other applications, such as email. Enterprises also can prioritize bandwidth usage within applications using Cato’s identity-aware routing capabilities. In this way, for example, sales VoIP traffic can be prioritized above generic voice traffic. And Cato overcomes ISP packet loss and congestion in the last mile by sending duplicate packets over multiple links.
The Middle Mile: Improving the Network While Protecting Users
When the packet arrives at the Cato PoP, it’s decrypted and then Cato applies its suite of network and security optimizations to the packet. Cato independently optimizes the middle mile. Every one of our 50+ PoPs is interconnected with the others in a full mesh by multiple tier-1 carriers with SLAs on loss and latency.
When traffic is to be sent from one PoP, Cato software calculates multiple routes for each packet to identify the shortest path across the mesh. Cato also consistently measures latency and packet loss of the tier-1 carriers connecting the PoPs. Traffic is placed on the best path available and routed across that provider’s network end-to-end. Direct routing to the destination is often the right choice, but in some cases traversing an intermediary PoP or two is the more expedient route.
Routing across a global private backbone end-to-end also reduces the packet loss that often occurs at the handoff between carriers. Next, each Cato PoP acts as a TCP proxy to maximize the transmission rate of clients, increasing total throughput dramatically. Our customers frequently report 10x-30x improvement in file download speeds.
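The middle-mile behaviour described above, choosing among direct and multi-hop paths across a full mesh from continuously measured latency and loss, can be illustrated with an added example. This is not Cato's routing software; it is a generic shortest-path selection over a small constructed mesh of PoPs, with a constructed cost rule that converts each link's measured loss into an equivalent latency penalty so that a lossy direct link can lose out to a two-hop path through an intermediary PoP. PoP names, measurements and the 40 ms-per-percent loss weighting are all assumptions made for the example.

```python
"""Added example: path selection across a full-mesh backbone from measured
latency and loss. PoP names, measurements and the loss weighting are constructed."""
import heapq
from typing import Dict, List, Tuple

# Constructed periodic measurements: (pop_a, pop_b) -> (latency_ms, loss_pct).
# Links are treated as symmetric.
MEASUREMENTS: Dict[Tuple[str, str], Tuple[float, float]] = {
    ("nyc", "lon"): (75.0, 0.1),
    ("nyc", "fra"): (95.0, 2.5),    # direct link is currently lossy
    ("lon", "fra"): (12.0, 0.0),
    ("nyc", "sin"): (230.0, 0.2),
    ("fra", "sin"): (160.0, 0.1),
    ("lon", "sin"): (180.0, 3.0),
}
LOSS_PENALTY_MS = 40.0  # constructed: each 1% loss counts as 40 ms of extra cost


def link_cost(latency_ms: float, loss_pct: float) -> float:
    """Composite cost: raw latency plus a penalty proportional to measured loss."""
    return latency_ms + loss_pct * LOSS_PENALTY_MS


def build_graph(measurements) -> Dict[str, Dict[str, float]]:
    """Turn the measurement table into an undirected weighted adjacency map."""
    graph: Dict[str, Dict[str, float]] = {}
    for (a, b), (lat, loss) in measurements.items():
        cost = link_cost(lat, loss)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def best_path(graph: Dict[str, Dict[str, float]], src: str, dst: str) -> Tuple[List[str], float]:
    """Dijkstra over the measured costs; returns (list of PoPs, total cost).
    A multi-hop route wins whenever its summed cost beats the direct link."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    settled = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        if node == dst:
            break
        for nbr, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return [], float("inf")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def select_route(measurements, src: str, dst: str) -> Tuple[List[str], float]:
    """Recompute the route from the latest measurement snapshot, as a backbone
    would do each time its link probes report fresh loss/latency numbers."""
    return best_path(build_graph(measurements), src, dst)


if __name__ == "__main__":
    for src, dst in (("nyc", "fra"), ("nyc", "sin")):
        path, cost = select_route(MEASUREMENTS, src, dst)
        print(f"{src}->{dst}: {' -> '.join(path)} (cost {cost:.1f})")
```

With the constructed numbers the direct nyc-fra link costs 95 + 2.5 x 40 = 195, while nyc-lon-fra costs (75 + 4) + 12 = 91, so the intermediary PoP is chosen; nyc-sin stays direct because every detour is more expensive. Re-running `select_route` on a new measurement snapshot is what turns the continuous probing the text describes into a routing change.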
In addition to network improvements, Cato also provides a fully managed suite of enterprise-grade and agile network security capabilities directly built into the Cato Global Private Backbone. Current services include a next-gen firewall/VPN, Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and a Managed Threat Detection and Response (MDR) service.
Unlike other SASE vendors that treat network and security deep packet inspections as serial activities, Cato puts all packets through a process of inspection for network optimization and security—thus providing a real boost to performance.
Cato uses a single DPI engine for both network routing and security decisions. The packet is decrypted and all security policy enforcements and network optimizations are done in parallel. Security policy enforcement refers to the security capabilities of Cato: NGFW to permit/prevent communication with a location/user/IP address; URL filtering to permit/prevent communication with Internet resources; anti-malware (advanced and regular) inspection; and network-based threat prevention. This allows for maximum efficiency of packet processing.
The Last, Last Mile: Reaching from Cato to Destination
Packets are directed across the Cato private backbone to the PoP closest to the destination. The packet egresses from the PoP and is sent to the destination. For cloud applications, we set egress points on our global network to get internet traffic for specific apps to exit at the Cato PoP closest to the customer application instance (like Office 365).
For cloud data centers, the Cato PoPs are collocated in datacenters directly connected to the same Internet Exchange Points (IXPs) as the leading IaaS providers, such as Amazon AWS and Microsoft Azure. This means that we are dropping the traffic right in the cloud’s data center in the same way premium connections (like Direct Connect and Express Route) work. These are no longer needed when using Cato.
Enterprises today need a network with the capabilities and flexibility to meet their business challenges. By adding security into the network stack, as Cato’s SASE architecture does, the network can be more efficient in helping the enterprise achieve its business goals.
With Cato’s SASE platform, branches send data along encrypted tunnels across Internet last miles to the nearest PoP. Cato’s one-pass architecture applies all security inspections and network optimizations in parallel to the packet. The packet is then sent across Cato’s optimized middle mile to the datacenter.
How Can Organizations Improve Network Performance?
Often, when speaking with network managers responsible for infrastructure within a multinational or global enterprise, I hear first-hand accounts of the impact of sluggish network performance. For example, videoconferences between engineers and product managers on separate continents can be brought to a standstill because of packet loss or latency. Similarly, slow networks can lead to painfully slow file transfers for large media files or CAD (computer-aided design) files. Further, poor network speeds can limit an enterprise’s ability to use cloud platforms to their full potential.
These conversations invariably wind up in the same place: how can the modern digital business improve network speed? And what does that look like in practice? Here, we’ll explore just that.
Top Five Ways to Improve Network Performance
Reducing latency, adding capacity, and/or compensating for jitter and loss are the obvious high-level answers to most WAN optimization challenges, but doing so effectively is where the real challenge lies. For the modern WAN, just throwing money at the problem and buying more capacity or more expensive network gear isn’t always the right answer. That means understanding the underlying problem (beyond “the network is slow”) and solving for that.
#1. Improve Middle Mile Performance
When MPLS (multiprotocol label switching) was the de facto WAN connectivity standard, enterprises often had a reliable, albeit expensive and inflexible, middle mile connection they could count on for enterprise-grade connectivity. However, as cloud and mobile grew in popularity, the inflexibility and cost of MPLS began to drive enterprises away. For example, the trombone effect (the inefficient backhauling of cloud-bound traffic through a specific network endpoint) often meant MPLS connectivity to cloud assets was worse than standard Internet connections.
As a result, businesses turned to SD-WAN and Internet-based VPN solutions as an alternative. Unfortunately, because of the well-known problems with the public Internet, this meant an increase in latency across the middle mile.
The solution? An approach that provides the reliability of MPLS across a private backbone while also offering optimized connectivity for cloud and mobile. This is exactly what Cato Cloud was purpose-built to do. With a global private backbone supported by a “five nines” (99.999%) uptime SLA and strategically placed PoPs (Points of Presence) around the world (many sharing a datacenter footprint with major cloud service providers), Cato can provide reliable, low-latency middle mile connectivity without sacrificing the flexibility of SD-WAN.
#2. Optimize Cloud Connectivity
The cloud is ubiquitous within modern digital businesses. With more and more critical workloads being shifted to the cloud every day, the importance of fast and reliable network connectivity is growing. We’ve already alluded to the challenges MPLS and the public Internet pose to the WAN in general, and they become further magnified when you take public cloud services into account. In many cases, enterprises are turning to expensive premium solutions like Azure ExpressRoute or AWS Direct Connect to optimize cloud connectivity. The idea is simple: a direct connection to the cloud data center overcomes many of the network challenges related to accessing cloud assets. However, many platform-specific solutions cannot account for all the cloud workloads within an enterprise. Email, CRM (customer relationship management) software, and collaboration tools may all come from different cloud service providers.
This is why a solution that bakes cloud optimization into the underlying network infrastructure is important. For example, with Cato Cloud, enterprises can eliminate the need for costly premium solutions and provide an agentless integration to connect to cloud datacenters in a matter of minutes. Further, the converged approach Cato takes simplifies security and network visibility. Again, this is because the solution, in this case a full network security stack, is built into the cloud native infrastructure.
#3. Eliminate Packet Loss
Packet loss can wreak havoc on collaboration solutions such as VoIP and UCaaS (Unified Communications as a Service). Lost packets can be the difference between a productive business call and one where both ends become incoherent to one another.
The challenge is that the underlying causes of packet loss can be anything from overworked routers to network congestion to software bugs. Cato’s cloud-native infrastructure helps solve the packet loss problem using multiple built-in features, including business process QoS, dynamic path selection, active-active link usage, packet duplication, and fast packet recovery.
While roughly 1% packet loss can cause VoIP call issues under normal circumstances, RingCentral testing has shown Cato can deliver high-quality voice calls while experiencing more than 15% packet loss.
#4. Proxy TCP Connections
TCP (Transmission Control Protocol) connections inherently add more overhead than their UDP (User Datagram Protocol) counterparts. At scale, this leads to scenarios where TCP connections can significantly contribute to network congestion and reduce throughput.
Cato PoPs help enterprises address this issue by proxying TCP connections to make clients and servers “think” they are closer together and allow for larger TCP windows. Further, TCP congestion control functionality enables optimization of bandwidth utilization.
#5. Aggregate Last Mile Connections
Blackouts and brownouts in the last mile of WAN connections continue to be one of the most difficult network performance challenges to solve. This is because the issues that can occur in the last mile and the infrastructure quality across the globe vary greatly. Aggregating last mile connections, ideally in an active/active configuration, allows enterprises to protect against the challenges of the last mile and improve network performance. Cato Cloud takes connection aggregation a step further and proactively monitors for both blackouts and brownouts and enables automatic failover when appropriate. Additionally, Policy-based Routing (PbR) helps ensure the optimum path is used every time.
Convergence is Key
Improving network performance given any particular network problem is one thing, but providing enterprise-grade connectivity at scale requires a holistic approach. This is where the converged approach of Cato’s SASE (Secure Access Service Edge) model shines. Optimizations and security features are inherently part of the network, simplifying deployment and management while also solving real-world network performance challenges. In fact, the simplified and streamlined approach is one of the things Yoni Cohen, CTO of CIAL Dun & Bradstreet, found most valuable about his Cato rollout: “I love what Cato is doing. They take an area that is complicated and make it easy,” says Cohen. “What we have done with them so far has made a meaningful impact on our ability to have a smooth transition to a unified company network and allowed this to be one thing that we’re not worried about.”
If you’d like to learn more about how Cato Cloud can help your enterprise, take a look at a demonstration or contact us today.
Advanced Network Security Technologies
Since the release of Gartner’s Market Guide for Zero Trust Network Access (ZTNA) last April, ZTNA has been one of the biggest buzzwords in network security, and for good reason. A policy of zero trust helps enterprises limit exposure to the myriad of threats facing the modern network. However, ZTNA alone isn’t enough to maintain a strong security posture. Enterprises also need intelligent, flexible, and robust security technologies capable of enforcing the granular security policies ZTNA demands and proactively detecting and preventing threats to the network.
This means enterprises need to do away with the “castle and moat” approach to security and adopt modern security solutions. But what does that look like in practice? Let’s find out.
Castle and moat alone doesn’t cut it anymore
In the early 2000s, most mission critical data within a WAN flowed between corporate data centers and offices. Mobile users and cloud computing weren’t the norm like they are today. This made the “castle and moat” approach to security viable. The idea behind the castle and moat approach is straightforward: if you fortify the network perimeter well enough, using security policies, firewalls, proxies and the like, your internal network will remain safe. As a result, security practices within a network didn’t necessarily have to be as strict.
However, not only have modern threats poked holes in this approach, cloud and mobile have shifted the paradigm. Network perimeters are no longer clearly defined and static. They also extend beyond the walls of corporate offices and datacenters out to cloud datacenters and anywhere an employee has a smart device with Internet access. This change not only drove a shift away from MPLS (Multiprotocol Label Switching), it changed how security is implemented within enterprise networks.
To account for the new dynamic nature of modern networks, enterprises are adopting Zero Trust Network Access (ZTNA) approaches to security sometimes referred to as Software Defined Perimeter (SDP). The idea behind ZTNA is simple: by default, trust no one (internal or external) and grant only the minimum required access for business functions. Cato Cloud’s approach to ZTNA makes it easy to implement at a global scale because policies are implemented using the cloud-native technologies baked into the underlying network.
Network security technologies for the modern digital business
Of course, there is more to securing a network than just ZTNA. Modern security technologies are required to detect, prevent, and mitigate threats and breaches across a network. Specific network security technologies that help meet these requirements include:
Next-generation Firewall (NGFW)
NGFWs are application-aware firewalls that enable in-depth packet inspection of inbound and outbound network traffic to ensure enforcement of security policies. NGFWs can drill down beyond IP addresses, TCP/UDP ports, and network protocols to enforce policies based on packet content.
Secure Web Gateway (SWG)
Web-borne malware is one of the biggest threats facing enterprise networks today. SWGs focus on inbound and outbound Layer 7 packet inspection to protect against phishing attacks and malware from the Internet.
Anti-malware
Anti-malware engines use both signature and heuristic-based techniques to identify and block malware within a network. Intelligent anti-malware engines are an important safeguard against zero-day threats or modifications of malware designed to avoid detection based on signature alone.
Intrusion Prevention System (IPS)
IPS protection engines help to detect and prevent threats to the network perimeter. The Cato Cloud IPS Protection Engine is a fully-managed, context-aware, and machine learning enabled solution.
The cloud-native advantage
While each of these network security technologies alone can enhance a network’s security posture, integrating them into the underlying network fabric, as is the case with Cato Cloud, goes a step further. When security technology is part of the network fabric, you can avoid blind spots and endpoints that go unprotected. For example, while providing enterprise-grade security and SWG functionality for mobile users can be difficult or impossible with other solutions, every user (including mobile) connected to the WAN is protected with Cato Cloud.
Additionally, you can eliminate many of the headaches of appliance-sprawl. Scaling, upgrades, and maintenance are simple because the cloud model abstracts away the complexities and simply provides enterprises with the solutions.
The benefits of managed threat detection and response
Of course, even with modern network security technologies in place, detecting, containing, and remediating breaches (which can still happen despite your best efforts), requires a certain amount of skill and expertise. This is where managed threat detection and response (MDR) can make a real difference for enterprises. For example, by using Cato’s MDR enterprises can benefit from:
Automated threat hunting
Intelligent algorithms search for network anomalies based on billions of datapoints in Cato’s data warehouse.
Reduced false positives
Potential threats are reviewed by security researchers that only alert based on actual security threats.
Faster containment of threats
Once a live threat is verified, automatic containment actions are taken, such as disconnecting affected endpoints and blocking malicious domains or IP addresses.
Rapid guided remediation
If a breach is identified, Cato’s Security Operations Center (SOC) provides advice detailing the risk level and recommended ways to remediate the situation. Further, the SOC will continue to follow up until the threat has been completely removed from the network.
All this comes together to provide enterprises with a solution that can reduce dwell time and strain on IT resources.
Just how effective is Cato MDR? Consider the experience of Andrew Thompson, Director of IT Systems and Services at the fast-growing BioIVT, with Cato MDR: “Cato MDR has already discovered several pieces of malware missed by our antivirus system,” says Thompson. “We removed them more quickly because of Cato. Now I need to know why the antivirus system missed them.”
Modern networks require modern network security technologies
There’s no magic bullet when it comes to network security. Hackers will continue to come up with new ways to breach networks, and enterprises must remain diligent to avoid falling victim to an attack. By adopting security technologies that are converged and purpose-built for the modern digital business, you can help strengthen your enterprise’s security posture and lower your risk.
The WAN Accelerator and Modern Network Optimization
Network latency costs money. This is a simple concept most IT professionals understand. However, when I discuss latency reduction and WAN acceleration with network managers and CIOs, one of the key takeaways is that getting network optimization right has changed significantly over the last decade. While WAN optimization and acceleration are still important, increased bandwidth availability, cloud, and mobile have significantly shifted the paradigm. So, what exactly are WAN accelerators and what is WAN acceleration in 2020? Here, we’ll answer those questions.
What is a WAN accelerator?
Simply put, a WAN accelerator is any hardware or software appliance that provides bandwidth optimization across a WAN. WAN accelerators, also known as WAN Optimization Controllers (WOCs), use a variety of different techniques, including:
Compression that reduces the amount of data sent across the network. Compression, in the context of WAN acceleration, typically operates at the byte-level and works in a similar fashion to file compression but applies to data in transit.
Deduplication is similar to compression but operates on larger amounts of data, typically at the block level. Its goal, like compression, is to maximize the available bandwidth.
Caching is another technique focused on reducing bandwidth usage. Caching stores frequently accessed data locally, eliminating the need to retransmit the data across the network.
Protocol acceleration techniques improve protocol operation across the network, particularly in terms of reducing the latency introduced by inefficient protocol operation. Local flow control, selective acknowledgment, and window scaling are techniques that help enhance TCP connections.
Application-specific acceleration techniques boost the efficiency of applications. While protocol acceleration improves the operation of the underlying network and specifically the TCP-layer, application-specific optimizations address the chattiness of application-layer protocols.
Packet loss correction techniques, such as packet duplication, overcome packet loss, particularly in the last mile.
Generally, WAN acceleration appliances were deployed at locations across a WAN to achieve WAN optimization objectives.
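To make the difference between byte-level compression and block-level deduplication in the list above concrete, here is an added example (constructed for this article, not Cato's or any WOC vendor's code) of a sender/receiver pair that deduplicates fixed-size blocks by SHA-256 digest and zlib-compresses only the blocks the peer has not yet seen; the block size, the wire record layout and the sample data are assumptions.

```python
"""Block-level deduplication plus byte-level compression between a pair of
WAN optimization controllers (WOCs). Constructed example for this article,
not Cato's or any vendor's implementation."""
import hashlib
import random
import zlib

CHUNK = 1024     # fixed-size blocks; assumption (real WOCs often use content-defined chunking)
DIGEST_LEN = 32  # SHA-256
TAG_LEN = 1      # one byte saying "literal" or "reference" (assumed wire format)


def _blocks(data: bytes):
    for i in range(0, len(data), CHUNK):
        yield data[i:i + CHUNK]


class WocSender:
    """Sending-side WOC: remembers which block digests the peer already holds."""

    def __init__(self):
        self.peer_has = set()

    def encode(self, data: bytes) -> list:
        # Wire records: ("ref", digest) when the peer holds the block (dedup),
        # otherwise ("lit", digest, zlib-compressed block) (compression).
        records = []
        for blk in _blocks(data):
            d = hashlib.sha256(blk).digest()
            if d in self.peer_has:
                records.append(("ref", d))
            else:
                records.append(("lit", d, zlib.compress(blk)))
                self.peer_has.add(d)
        return records


class WocReceiver:
    """Receiving-side WOC: caches literal blocks and resolves references."""

    def __init__(self):
        self.store = {}

    def decode(self, records: list) -> bytes:
        parts = []
        for rec in records:
            if rec[0] == "lit":
                blk = zlib.decompress(rec[2])
                # Never cache a block whose content does not match its digest;
                # a poisoned cache would silently corrupt every later reference.
                if hashlib.sha256(blk).digest() != rec[1]:
                    raise ValueError("literal block does not match its digest")
                self.store[rec[1]] = blk
            elif rec[0] == "ref":
                if rec[1] not in self.store:
                    raise KeyError("reference to a block this peer never received")
                blk = self.store[rec[1]]
            else:
                raise ValueError("unknown record type")
            parts.append(blk)
        return b"".join(parts)


def wire_bytes(records: list) -> int:
    """Bytes that would actually cross the WAN for these records."""
    return sum(TAG_LEN + DIGEST_LEN + (len(r[2]) if r[0] == "lit" else 0)
               for r in records)


def transfer(sender: WocSender, receiver: WocReceiver, data: bytes) -> int:
    """Encode, decode, check the round trip, and return bytes on the wire."""
    records = sender.encode(data)
    if receiver.decode(records) != data:
        raise RuntimeError("round trip mismatch")
    return wire_bytes(records)


def demo():
    """Constructed sample: a 64 KiB low-entropy 'CAD file' sent once, then
    re-sent with one block changed. Returns (original size, first-transfer
    bytes, second-transfer bytes)."""
    rng = random.Random(7)
    v1 = b"".join(bytes(rng.choices(b"ACGT", k=CHUNK)) for _ in range(64))
    v2 = v1[:10 * CHUNK] + b"X" * CHUNK + v1[11 * CHUNK:]
    sender, receiver = WocSender(), WocReceiver()
    first = transfer(sender, receiver, v1)     # every block is new: compression only
    second = transfer(sender, receiver, v2)    # 63 references plus one literal
    return len(v1), first, second


if __name__ == "__main__":
    size, first, second = demo()
    print(f"original {size} B, first transfer {first} B, revision {second} B")
```

The first transfer shrinks only as far as compression allows, while the revision costs little more than one digest per block, which is why dedup pays off on repeated or lightly edited data but not on a first-time transfer.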
SD-WAN: The WAN accelerators for the modern digital enterprise?
As we can see, in the past WAN acceleration was heavily focused on reducing bandwidth consumption between sites. This made sense when applications resided in private datacenters and were accessed from branch offices across narrow, expensive MPLS circuits. Today, however, applications and data have shifted to the cloud and are accessed as much by mobile and remote users as by those in the office, rendering appliances obsolete. And with Internet capacity far more readily available and more affordable than MPLS, conserving bandwidth is no longer nearly as critical.
What is necessary is the ability to leverage Internet capacity in a way that can meet enterprise requirements. SD-WAN edge appliances run affordable, last mile public Internet services in active/active configuration. Not only does this give companies incredible agility in combining bandwidth capacity but also adds last mile resilience. In the event of a brownout or blackout, SD-WAN devices can switch traffic to the alternate service. And by including packet loss correction techniques, particularly packet duplication, SD-WAN devices can overcome last-mile connectivity problems.
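As an added illustration of the packet duplication described here and under "Eliminate Packet Loss" above (a constructed simulation, not code from Cato or any SD-WAN product), the block below sends sequence-numbered packets across two independently lossy last-mile links, once with round-robin load sharing and once duplicated over both, with the receiver collapsing copies by sequence number; the loss rates and the brownout timing are assumptions.

```python
"""Packet duplication across two active/active last-mile links.
Constructed simulation, not Cato's or any SD-WAN vendor's code.
Each packet carries a sequence number; the receiver keeps the first copy it
sees and discards later duplicates, so a packet counts as lost only when
every copy of it was dropped."""
import random


def simulate(n_packets, loss_a, loss_b, duplicate, seed=1,
             brownout_at=None, loss_b_degraded=0.30):
    """Return {'loss': end-to-end loss fraction, 'sent': copies placed on the last mile}.

    loss_a, loss_b  -- independent per-packet loss probability of links A and B
    duplicate=False -- round-robin load sharing only (each packet on one link)
    duplicate=True  -- every packet sent on both links
    brownout_at     -- optional sequence number from which link B degrades to
                       loss_b_degraded, modelling a last-mile brownout
    """
    rng = random.Random(seed)
    delivered = set()
    sent = 0
    for seq in range(n_packets):
        p_b = loss_b_degraded if brownout_at is not None and seq >= brownout_at else loss_b
        paths = [loss_a, p_b] if duplicate else [loss_a if seq % 2 == 0 else p_b]
        for p in paths:
            sent += 1
            if rng.random() >= p:       # this copy survived its link
                delivered.add(seq)      # a second surviving copy is a no-op (dedup)
    return {"loss": 1 - len(delivered) / n_packets, "sent": sent}


def compare(n_packets=20000, loss_a=0.05, loss_b=0.05):
    """Four scenarios: steady state and brownout, each with and without duplication."""
    half = n_packets // 2
    return {
        "shared": simulate(n_packets, loss_a, loss_b, False),
        "duplicated": simulate(n_packets, loss_a, loss_b, True),
        "shared_brownout": simulate(n_packets, loss_a, loss_b, False, brownout_at=half),
        "duplicated_brownout": simulate(n_packets, loss_a, loss_b, True, brownout_at=half),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:22s} loss={r['loss']:.4f} sent={r['sent']}")
```

With two independent 5% links, duplication drives end-to-end loss toward 0.05 x 0.05 = 0.25% and keeps it low through the brownout, at the cost of doubling the bytes placed on the last mile, which is why it is applied to loss-sensitive flows rather than to everything.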
At the same time, edge-based SD-WAN continues to fall victim to the same limitations as any appliance. The short history of SD-WAN shows that an appliance-based approach works for site-to-site connections but continues to be a poor fit for the cloud and irrelevant to mobile devices. Additionally, the shift from MPLS to a public-Internet core, on which edge-based SD-WAN depends for its cost savings, introduces a myriad of challenges endemic to the modern Internet infrastructure that can negatively impact the performance of latency-sensitive applications, such as VoIP (Voice over IP) and UCaaS (Unified Communications as a Service).
This creates a situation where the modern digital enterprise needs an approach to WAN optimization that keeps bandwidth costs low, resolves the reliability and latency challenges of the public Internet, and accounts for cloud & mobile use cases. The cloud-native approach to WAN optimization directly addresses all of these challenges.
The cloud-native approach to WAN acceleration
Instead of hosting WAN acceleration in appliances at edge, the capabilities are increasingly being moved into the cloud. Making WAN acceleration part of a global, cloud-native platform, like Cato Cloud, eliminates the appliance form-factor that was so difficult to deploy in the cloud and irrelevant to mobile users. Instead, Cato and other cloud-native platforms let organizations use the optimum solution to connect their “edges” — a simple SD-WAN device for sites, native cloud connectivity for cloud resources, and client-based or clientless connectivity for mobile and remote users.
Regardless of the edge type, traffic is sent to the nearest PoP, where the cloud-native software accelerates it and delivers it across the Cato backbone to the respective edge. The PoPs of Cato Cloud are collocated in the same physical datacenters as the IXPs of the leading cloud datacenter providers. With a few clicks on a management console, cloud traffic can be sent across Cato’s accelerated backbone and dropped at the doorstep of the cloud datacenter provider or at the PoP closest to the cloud application provider. Additionally, by segmenting connections into a last-mile, middle-mile (a global private backbone), last-mile paradigm, Cato Cloud is able to recover from packet loss faster than SD-WAN appliances.
As a result, Cato Cloud users benefit from:
Optimized global connectivity. Cato’s global private backbone consists of 50+ PoPs supported by multiple Tier-1 Internet Service Providers and is backed by a 99.999% uptime SLA. This helps enterprises address the reliability and performance challenges of the public Internet across the middle mile without sacrificing flexibility for cloud and mobile applications.
Network Optimization. Cato boosts end-to-end throughput by minimizing the effects of latency on traffic flow. Bandwidth-heavy tasks such as file uploads and downloads can improve by 20x or more.
Cloud application acceleration. Cato routes traffic from cloud applications, such as UCaaS and Office 365, along the optimum path to the PoP closest to the customer’s instance in the cloud. Traffic is dropped off at the doorstep of the cloud application provider. In this way, Cato minimizes latency in cloud application sessions and by applying its WAN optimizations, further reduces the effects of latency.
Cloud acceleration and control. Cato routes traffic from all WAN edges to the Cato Point of Presence (PoP) nearest to the cloud service provider’s datacenter. As Cato shares a datacenter footprint with many popular cloud service providers, latency from the Cato PoP to the provider is near zero. Further, Cato provides this functionality without the need for cloud appliances and without the additional cost of services such as AWS Direct Connect or Azure ExpressRoute.
Mobile access optimization. Using clientless browser access with mobile or with the Cato Client application, enterprises eliminate the need for inefficient backhauling and remote users automatically connect to the closest Cato PoP and receive the same enterprise-grade optimization and protection as on-premises users.
Just how much of a difference can Cato Cloud make in the real world? Looking at Salcomp’s experience, Cato Cloud delivered better than 40x throughput for SharePoint file transfers.
Modern WAN acceleration requires a modern approach
WOCs were built to solve a specific set of problems that existed when bandwidth costs and availability were the primary WAN acceleration and optimization challenges. Today, cloud and mobile use cases coupled with reduced bandwidth costs have changed how enterprises need to approach optimization. Cato Cloud offers enterprises an approach to acceleration made for the digital business, one that optimizes traffic of all tenants of the new enterprise, not just locations. If you’d like to learn more about what Cato can do for you, contact us today or start a trial to put Cato Cloud to the test.
The 4 Key Considerations for Extending Your Business Continuity Plan (BCP) to Home and Remote Workers
It’s a challenge not to think of a spreading health crisis when you’re crushed into a crowded train or bus, clutching a germ-infested pole and dodging a nearby cough. As the current crisis develops, enterprise business continuity planning and risk management will lead to millions of enterprise users working full time from home. Already we’ve seen the number of active remote or mobile users of the Cato Cloud rise 75 percent since early January, growing from about 10,000 users to 17,500 users.
In fact, as this Bloomberg article highlights, we’re probably about to embark on the largest global work-at-home experiment in history. What does that mean for your business continuity planning and remote work strategy? Consider four categories: connectivity, performance, security, and management. Here’s a summary of each.
Connectivity and Architecture
IT has been supporting remote and mobile users for years, but a sudden spike in staff working from home full time is a whole new ballgame. Most won’t be connecting occasionally to check email or do some quick catchup at the airport, between meetings or after hours at the hotel. They’ll be on the network every workday for hours accessing enterprise applications, files, and data. Your current remote access infrastructure was likely never sized to cope with such a large, constant load, which means you’ll probably have to add or upgrade remote concentrators. In the best of times, this can take days or weeks, but hundreds or thousands of companies will also need similar upgrades.
Aside from the corporate datacenter, most enterprise users will be accessing infrastructure and applications in cloud datacenters, which adds connectivity complexity, as we discuss in this eBook, Mobile Access Optimization and Security for the Cloud Era, and below. For security reasons, most organizations choose to route cloud traffic through datacenter security infrastructure first, then out to cloud datacenters many miles away, which adds latency to the home user’s cloud user experience.
Datacenter network congestion is also an issue, one that Adroll, a company offering a marketing platform for personalized advertising campaigns, had to grapple with. Not only did backhauling remote user cloud traffic add latency to Adroll’s cloud user experience, but it also saturated the San Francisco Internet connection and created availability problems, as the San Francisco firewall had no geo-redundancy. “It puts a lot of stuff in one basket,” says Adroll’s Global Director of IT, Adrian Dunne. “Once the VPN on our primary firewall rebooted. Suddenly 100 engineers couldn’t work anymore.”
Performance and User Experience
Mobile and home VPN users often complain about remote access performance even when infrastructure is sized appropriately, thanks to the unpredictability, latency and packet loss inherent in the public Internet core. When accessing the cloud, the mobile experience can get so sluggish that users often abandon the corporate backhauling solution to access the cloud directly, opening significant security gaps. Many newer users also find themselves struggling with unfamiliar VPN client software, passwords, and connections to multiple cloud services.
To make working at home a success, IT will have to find ways to simplify and speed up the user experience so it’s more like working at the office. This may mean considering alternatives to backhauling and running traditional VPNs, which we discuss below.
Security
As more and more users work from home, security risks are bound to increase. More remote users mean more opportunities for threat actors to penetrate security defenses. Unfortunately, traditional VPNs authenticate remote users to the entire enterprise network, allowing them to ping or “see” all network resources. Hackers have been known to exploit this opportunity, as they did with the infamous Home Depot and Target breaches of a few years ago, which took advantage of stolen VPN credentials. Once inside the network, a hacker is only one administrator password away from access to sensitive applications and data. That’s a big reason why IT security has been moving away from network-centric security towards software-defined Zero Trust Network Access, which grants users access only to what they need when they need it.
Enforcing security policies for many more remote users can also add latency and slow down performance. The alternative is to let mobile users connect directly to the cloud and deploy new cloud-based security solutions, such as secure Web gateways or cloud access security brokers (CASB), that intercept connections before they reach the cloud. Users will still be contending with public Internet performance, however.
Management
Deploying client VPN software on thousands of new home users’ systems can take considerable resources and time that organizations may not have during a crisis.
AdRoll found VPN onboarding of new users a very cumbersome process, especially for contractors. “Using the Mac’s management software to push out VPN configurations to users was a pain,” says Dunne. Dunne also had to send instructions for configuring the VPN client to each user. Once these users are onboard, IT also needs appropriate tools for managing and monitoring all those remote users, much as it does for its branch offices and other sites. Shifting to cloud-based Web gateways and CASBs has its own overhead as well.
Cato’s SASE Solution Provides Access Needed for Remote Workers
There is a solution that can solve many of these connectivity, security, performance and management issues: a cloud-native network such as the Cato Cloud. Built on the principles of Gartner’s secure access service edge (SASE), Cato connects mobile and remote workers to the same network, secured by the same security policy set, as those in the office.
Rather than connecting to the corporate datacenter, then out to cloud applications, home users connect to their nearby cloud native network point of presence (PoP). From there they become part of a virtual enterprise WAN that the datacenter and branch offices access through their local PoPs as well. Cato locates its PoP infrastructure in some of the same datacenters as major cloud providers, including AWS and Microsoft Azure, allowing for fast direct connections to cloud services.
Connectivity isn’t an issue. Cato’s cloud architecture is designed for massive scalability to support any number of new users regardless of session duration or frequency. They can work at home or in the office all day, every day, and the Cato architecture will accommodate the load transparently. “Cato’s mobile VPN is my secret BCP [business continuity plan] in my back pocket,” says Stuart Gall, then the infrastructure architect in the network and systems group at Paysafe. “If my global network goes down, I can be like Batman and whip this thing out.”
Performance improves by eliminating backhaul and inspecting traffic in the PoP rather than the datacenter. Home and mobile users bypass the unpredictable Internet middle mile and instead use the Cato backbone with its optimized routing and built-in WAN optimization to dramatically reduce latency and improve data throughput.
The user experience improves in other ways. Users connect to all their applications and resources, whether spread across multiple clouds or in private datacenters, with a single login. Getting users connected is easy. “The cherry on top was Cato’s VPN solution,” says Don Williams, corporate IT director at Innovex Downhole Solutions. “It was the coolest technology I’ve seen. In less than 10 minutes we were connected through a VPN on the device.”
Most of the security and network management is handled by the cloud provider, rather than enterprise IT. Cato’s Security as a Service provides a fully managed suite of agile, enterprise-grade network security capabilities, built directly into the Cato Global Private Backbone, including a next-generation firewall/VPN, a Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and Managed Threat Detection and Response (MDR).
Cato simplifies security management in other ways. “With firewall appliances, you install certificates from your firewall and only then you realize that when your user goes to another site, you again need to install another SSL certificate at that appliance,” says the IT manager at a leading EduTech provider. “With Cato, we were able to install a single certificate globally so we can do SSL decryption and re-encryption.”
Adding new home users to a cloud native network is a quick process that doesn’t require expensive, time consuming appliance upgrades. “With Cato, we just sent a user an invite to install the client,” says Dunne. “It’s very much like a consumer application, which makes it easy for users to install.” Adroll’s San Francisco chokepoint was eliminated, and Cato gave Dunne more granular control over permissions for mobile users.
The current crisis will likely require a lot of quick action from IT to get users connected and working from home fast and securely. A cloud-native SASE network can make the job faster and easier while giving all those home-based workers a satisfying user experience.
From MPLS to SD-WAN to SASE: An Evolution of Enterprise Networking
The way we do business is changing. As critical business applications migrate to the cloud, and the mobile workforce continues to grow, networking and security solutions need to evolve in order to meet the changing business needs. Gartner believes (and we agree) that the future of networking lies with SASE (Secure Access Service Edge) – the convergence of networking and security into one cloud service. Here’s why.
1990s - 2000s: MPLS and the Era of Clear Network Boundaries?
Back in the day, networking models were hardware-centric and manually configured. Applications, data, and services lived within private datacenters and relied on remote access solutions to connect remote workers. Dedicated network connectivity, known as MPLS, was the preferred approach for connecting remote locations.
MPLS provides predictable performance, low latency and packet loss, and central management. However, MPLS is expensive, capacity constrained, and provisioning of new links takes a long time. Alongside MPLS, Internet links co-existed as a lower quality and inexpensive alternative, which didn’t come with the performance and uptime guarantees of dedicated connectivity. Many organizations ended up integrating both into their networking environments in an active (MPLS) / passive backup (Internet) arrangement.
Regardless, the WAN became complex, costly and the epitome of lack of agility. Operational costs grew as administrators had to manually configure and deploy routers and appliances needed in the branch offices: WAN optimizers for overcoming bandwidth limitations, stacks of security appliances for defending the Internet perimeter, packet capture and analysis appliances for visibility and more. Maintaining such a setup was becoming increasingly difficult.
2000s – 2010s: Moving to Software-Defined WAN
Next came the attempt to fill the gaps created by the limitations of MPLS and the public Internet with SD-WAN. SD-WAN automates the use of multiple links (MPLS, xDSL, Fiber, Cable, and 4G) to increase overall network capacity, improve agility to speed up site provisioning, automatically adjust to changing network conditions, and reduce overall cost per megabit.
SD-WAN offers a cost-efficient and flexible alternative to MPLS, but SD-WAN alone can’t provide a complete WAN transformation. It fails to deliver the security, cloud readiness and mobility required to support the digital business. As a result, IT teams find themselves dealing with technological silos, built upon point products that are loosely integrated and separately managed.
Today: Network and Security Delivered from the Cloud (SASE)
In the digital age we all live in, enterprise networks must extend to the cloud, remote locations, and mobile users. This is easier said than done. IT traditionally responds to new business needs with point products. For example, SD-WAN is used to address the high cost and capacity constraints of MPLS; cloud acceleration and security appliances are deployed to support cloud migration; branch security and WAN optimization are needed for distributed locations; and VPN enables remote users to access business applications.
This type of network architecture, built on a pile of point products and appliances, increases complexity and cost for IT, and is hard pressed to support the needs of the digital business for optimization, security and efficiency. As Gartner notes, “In essence, complexity is the enemy of availability, security and agility” *. There must be a simpler way. There is, and it’s called SASE.
SASE is a new infrastructure category introduced by Gartner in 2019. It converges multiple point solutions such as SD-WAN, Next-gen firewalls, secure web gateway, Software defined perimeter (SDP), and more into a unified, global cloud-native service. SASE enables IT to provide a holistic, agile and adaptable service to the digital business.
According to Gartner, “Digital transformation and adoption of mobile, cloud and edge deployment models fundamentally change network traffic patterns, rendering existing network and security models obsolete.” **
This is why Gartner considers SASE to be transformational, providing enterprises with an agile, scalable and elastic platform to support their digital business needs today, and into the future.
* Gartner, “Avoid These 'Bottom 10' Networking Worst Practices,” Vivek Bhalla, Bill Menezes, Danellie Young, Andrew Lerner, 04 December 2017
** Gartner, “Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge,” Joe Skorupa and Neil MacDonald, 29 July 2019
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
2019: A Year of Innovation and Validation for the Cato Vision
Today we announced our 2019 business results, and those results were nothing short of stellar. We saw massive growth in our customer base, explosion of channel interest and…. planetary alignment. Yes, the stars shifted in 2019, as the industry adoption of Cato’s revolutionary approach to networking and security came in the form of Gartner’s Secure Access Service Edge (SASE) architecture.
By the end of 2019, more than 450 enterprises worldwide were relying on Cato Cloud to connect tens of thousands of locations and mobile users quickly and securely with the datacenter, the cloud, the network edge and each other. Customers chose the Cato SASE solution, integrating SD-WAN, security, mobility and a converged backbone for maximum performance, protection and agility.
“We founded Cato five years ago on the premise that enterprise networking and security had to converge into the cloud and last year’s results are the clearest validation of that vision,” says Cato CEO Shlomo Kramer.
Here’s an overview of some of last year’s highlights.
SASE Makes Cato’s Convergence of Networking and Security into the Industry Standard
In mid-2019, the Cato vision became part of a Gartner trend. The definition of SASE crystallized much of what Cato’s been saying since its inception. We have several blogs and a Web page devoted to SASE so I won’t go into it too much here, but Gartner analysts Neil MacDonald and Joe Skorupa first introduced the term SASE in a July 9 Gartner Hype Cycle for Enterprise Networking, then dug into it more deeply in a July 29, 2019 Market Trends Report, How to Win as WAN Edge and Security Converge into the Secure Access Service Edge, and an August 30, 2019 Gartner report, The Future of Network Security is in the Cloud. All these reports highlight the growing enterprise IT trends -- adoption of cloud-based services, global mobility and operational simplicity and agility -- we’ve been touting for five years.
Gartner defines SASE as a unified cloud native service that integrates Wide Area Networking, network security functions and equal support for physical locations, cloud datacenters, branches, and mobile users. Sound familiar? Indeed, Gartner labelled Cato Networks a Sample SASE vendor. Cato is the first company to offer a fully functional global SASE platform. “Today, Cato is the industry standard for SASE,” says Shlomo.
Our Customers and Channel Partners Get It
Riding a Gartner trend has its benefits and we’ve certainly reaped them in the past year. “We’ve seen massive business growth, incredible customer traction and widespread industry endorsement of the Cato approach in the form of Gartner’s SASE framework,” says Shlomo.
Indeed, we saw customer bookings grow by a massive 220 percent, doubling across all industries, and channel-led business also double. However, sheer growth is only a small part of the story. The real validation of the Cato vision: With the choice of adopting Cato SD-WAN alone or Cato’s full SASE solution, most chose SASE. More specifically, 70 percent of our customers chose SD-WAN with built-in advanced security delivered as a single integrated cloud service.
Approximately half of our customers replaced their legacy MPLS service with Cato’s SD-WAN and converged global backbone, and Cato more than doubled the number of VPN licenses sold with SD-WAN. Most Cato customers have or will take advantage of our cloud optimization. Cato locates its PoPs in the same physical datacenters as leading cloud providers such as AWS and Microsoft Azure, minimizing latency between Cato and the cloud.
Automotive industry manufacturer Komax is a great example of a company that reaped the benefits of the Cato vision by transitioning from managed appliance-based UTMs with SD-WAN to Cato. “As an IT organization, we were well familiar with the benefits of the cloud and wanted the same for our network infrastructure,” says Tobias Rölz, Komax VP of Global IT and Digital Business.
“Cato allowed us to move intelligence and computation away from the edge SD-WAN appliance into the Cato Cloud. As a result, deploying branch SD-WAN became simpler, faster, with less operational costs than we experienced with a managed service running security processing on SD-WAN appliances.” Our customers certainly get it.
The channel gets it too. Our channel partners reaped the value of leveraging the Cato SASE solution for new customer services, enhanced profits and customer value, and strong differentiation as evidenced by a 387 percent increase in upsell opportunities to existing customers. More than 200 certified partners have joined Cato’s Global Partner Program with Accelerated ROI since its launch mid last year.
New Capabilities and Upgrades
2019 was also a year of solution enhancements. Cato added global Points of Presence (PoPs), now totaling more than 50, and more than 100 new features, notably,
Managed Threat Detection and Response (MDR), with zero-footprint detection of endpoint malware and persistent threats via advanced machine learning and human anomaly verification. Once a threat is identified, Cato experts can guide customers through the remediation process.
Instant Insight, offering advanced SIEM (Security Information and Event Management) capabilities without the usual complexity, investment and steep learning curve.
Hands-Free Management, allowing customers to offload some or all security configuration and change management to Cato or one of its partners.
Next Generation Anti-Malware, including zero-day threats, in partnership with SentinelOne.
Beefing up our robust information security is important to customers, who wrestle with the increasing sophistication of today’s hackers and data breaches. However, security isn’t the whole story; they also have to prove compliance with strict government and industry regulations for protecting customer and corporate data.
Cato already simplifies this challenge by proving compliance with ISO27001 and the European Union’s GDPR. This year we added compliance with another standard. The SOC 2 security standard was developed by the American Institute of CPAs (AICPA), defining requirements for protecting and managing customer data. Cato complies with SOC 2 audit requirements via annual audits by Ernst & Young based on AICPA’s Trust Services criteria.
The past five years have been exciting for Cato as it grew, developed and promoted its vision of converged enterprise networking and security. As a year of validation, 2019 was the most exciting yet, with growth and innovation that set the stage for even bigger things in 2020 and the years ahead.
February 26, 2020
Where is Network Security headed in 2020?
Forbes’ recent cybersecurity predictions for 2020 cited an old quote from Cato Network’s co-founder Shlomo Kramer. Back in 2005, Kramer compared cybersecurity to Alice in Wonderland: you run as fast as you can just to stay in place. Almost 15 years later, the comparison applies perfectly to the state of network security. Despite the diligent effort of infosec professionals, new threats are emerging every day and news of breaches has become commonplace.
So, after all the running we’ve done in the 2010s, where is network security headed in 2020? What WAN security solutions do enterprises need to protect their networks as we kick off the decade? Here, we’ll answer those questions, explain how Zero Trust Network Access (ZTNA) helps enterprises strengthen their security posture for more than just mobile users, and explore the benefits of managed threat detection and response (MDR).
The Zero-Trust Approach
Network security refers to the technology, policies, procedures, and strategies used to protect the data and assets within a network. In the late 1990s and early 2000s, the “castle-and-moat” approach to cybersecurity was common. The premise is intuitive enough: if you secure the perimeter strongly enough, the entire network is secure.
However, the dynamic nature of cloud computing, the security challenges posed by mobile users, and IoT (Internet of Things) have blurred the lines that define network perimeters and created new attack surfaces. Today, enterprises must be prepared to address a wide variety of attacks including social engineering attacks, Internet-borne malware, and ransomware across all the different attack vectors that exist within modern networks.
As a result, many infosec experts now advocate for a zero-trust approach to network security. The idea behind zero trust is simple: don’t trust anything by default and only allow the minimum required access to network resources. Of course, implementing zero trust requires full network visibility and the ability to enforce granular policies across the WAN. Doing so effectively requires a network security system with the right tools and an agile Software Defined Perimeter (SDP).
Network and Security Solutions to Address Modern Threats
The tools required to secure a WAN can be implemented as hardware or software appliances or using a cloud-based security as a service model. With security as a service, enterprises can minimize the complexity of managing multiple appliances at scale as well as reduce capex. Further, with the cloud-native WAN infrastructure that supports the Cato Cloud, enterprises get security solutions baked into the underlying network.
Network security tools that are part of Cato’s network infrastructure include:
Next-Generation Firewall (NGFW)
NGFW allows granular rules to be implemented that can control access based on network entities, traffic type, and time. Additionally, a Deep Packet Inspection (DPI) engine enables contextualization of traffic. NGFW also supports the creation of custom application definitions to enable identification of specific apps based on TCP/UDP port, IP address, or domain.
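To make the rule model in that paragraph concrete, here is an added, self-contained Python example (constructed for this page, not Cato's code or API). It implements custom application definitions keyed on TCP/UDP port, IP address or domain, rules matched on network entity (a named group of source addresses), application and time of day, and an implicit final default-deny rule as the zero-trust section above calls for. All entity names, addresses, ports and rule names are assumptions for illustration.

```python
"""Toy NGFW-style policy evaluator (added example; constructed, not Cato's code)."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str                      # "tcp" or "udp"
    sni: Optional[str] = None       # server name observed by DPI, if any
    when: time = time(12, 0)        # local time the flow was seen


@dataclass
class AppDef:
    """Custom application definition: any of port, destination network or domain identifies the app."""
    name: str
    ports: set = field(default_factory=set)      # {(proto, port), ...}
    networks: set = field(default_factory=set)   # {"10.9.0.0/16", ...}
    domains: set = field(default_factory=set)    # matched as exact name or suffix

    def matches(self, f: Flow) -> bool:
        if (f.proto, f.dst_port) in self.ports:
            return True
        if any(ip_address(f.dst_ip) in ip_network(n) for n in self.networks):
            return True
        if f.sni and any(f.sni == d or f.sni.endswith("." + d) for d in self.domains):
            return True
        return False


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "block"
    entities: set = field(default_factory=set)   # source entity names; empty = any
    apps: set = field(default_factory=set)       # app names; empty = any
    window: Optional[tuple] = None               # (start, end) inclusive local-time window


class Policy:
    def __init__(self, entities: dict, apps: list, rules: list):
        self.entities = {n: [ip_network(c) for c in cidrs] for n, cidrs in entities.items()}
        self.apps = apps
        self.rules = rules

    def _entities_of(self, ip: str) -> set:
        addr = ip_address(ip)
        return {n for n, nets in self.entities.items() if any(addr in net for net in nets)}

    def classify(self, f: Flow) -> Optional[str]:
        """First custom app definition that matches the flow, or None if unclassified."""
        for app in self.apps:
            if app.matches(f):
                return app.name
        return None

    def decide(self, f: Flow) -> tuple:
        """Ordered evaluation, first match wins; anything unmatched hits the implicit default deny."""
        src = self._entities_of(f.src_ip)
        app = self.classify(f)
        for r in self.rules:
            if r.entities and not (r.entities & src):
                continue
            if r.apps and app not in r.apps:
                continue
            if r.window and not (r.window[0] <= f.when <= r.window[1]):
                continue
            return r.action, r.name
        return "block", "default-deny"


# Constructed sample policy (all values are illustrative assumptions)
ENTITIES = {"finance": ["10.1.0.0/24"], "guests": ["192.168.50.0/24"]}
APPS = [
    AppDef("erp", ports={("tcp", 8443)}, networks={"10.9.0.0/16"}),
    AppDef("web", ports={("tcp", 80), ("tcp", 443)}, domains={"example.com"}),
]
RULES = [
    Rule("finance-erp-office-hours", "allow", {"finance"}, {"erp"}, (time(8, 0), time(18, 0))),
    Rule("everyone-web", "allow", set(), {"web"}),
    Rule("guests-block-internal", "block", {"guests"}),
]
POLICY = Policy(ENTITIES, APPS, RULES)


def evaluate(src_ip, dst_ip, dst_port, proto="tcp", sni=None, hour=12) -> tuple:
    """Evaluate one flow against the sample policy at the given hour of day."""
    return POLICY.decide(Flow(src_ip, dst_ip, dst_port, proto, sni, time(hour, 0)))


if __name__ == "__main__":
    print(evaluate("10.1.0.5", "10.9.1.5", 8443, hour=9))    # finance to ERP in hours: allowed
    print(evaluate("10.1.0.5", "10.9.1.5", 8443, hour=22))   # same flow after hours: default deny
```

The point to notice is that the finance rule never has to name an IP or port: the app definition carries that detail, so the rule reads as entity, application and time, and any flow no rule claims falls through to the default deny.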
Secure Web Gateway
SWG helps mitigate social engineering attacks like phishing and protects against Internet-borne malware. SWG focuses on layer 7 traffic exclusively and inspects inbound and outbound flows. URL filtering prevents users from accessing restricted sites while connected to the WAN, which adds an additional layer of protection in the event a user is tricked into clicking a malicious link.
The Cato Cloud uses signature and heuristic-based inspection engines to detect malware and protect against known threats. Further, Cato’s partnership with endpoint protection solutions provider SentinelOne brought industry-leading AI-based anti-malware technology to the Cato Cloud. What is unique about the SentinelOne solution is its ability to identify threats without a signature, making it highly effective against zero-day malware.
Intrusion Prevention System
IPS is a fully-managed, cloud-based solution supported by Cato’s Security Operations Center (SOC). The IPS protection engine is contextually aware and fine-tuned to avoid false positives and deliver protection without sacrificing performance. Cato’s IPS uses metadata from network traffic flows and third-party data feeds in conjunction with machine learning algorithms to detect suspicious network activity. As a result, it can block malicious IP addresses based on reputation, validate packet protocol conformance, protect against known vulnerabilities, adapt to new vulnerabilities, prevent outbound traffic to command and control servers, and detect bot activity.
The importance of ZTNA
In order to effectively implement zero-trust policies, enterprises need to be able to restrict network access at a granular level. ZTNA allows enterprises to do just that. However, there are multiple approaches to Zero Trust Network Access. ZTNA point solutions often require specialized cloud gateways or additional software and services. Additionally, they generally require mobile users to connect to resources across the public Internet, which can significantly impact performance. Cato’s ZTNA addresses these issues because it's integrated into the underlying network. No additional software or hardware is required, and mobile traffic is optimized across Cato’s global private backbone.
How MDR Complements a Network Security System
Even with a robust network security system in place, some enterprises prefer to offload the skill-dependent and resource-intensive process of detecting compromised nodes to a trusted provider. With Cato’s Managed Detection and Response services, enterprises benefit from the expertise of the Cato SOC when detecting and responding to breaches. With Cato MDR, enterprises gain expert threat verification, remediation assistance, and quarterly reporting and tracking in addition to automated threat hunting and containment features. This allows enterprises to free up resources to focus on core business activities instead of complex infosec tasks.
Network security for digital businesses requires a holistic approach
There is no silver bullet when it comes to network security. To build and maintain a strong security posture, enterprises need to take a converged approach to networking and security. This means being proactive, implementing zero-trust across the network, and leveraging modern security solutions like NGFW, IPS, and SWG.
To learn more about how Cato converges network and security infrastructure, read the Advanced Security Services whitepaper or contact our team of experts today.
SD-WAN vs Hybrid WAN
Most enterprise WANs have historically used MPLS, but with the proliferation of cloud resources and mobile users, organizations are realizing the need to facilitate more flexible connectivity. They are faced with many options when making this decision, but one of the first that must be considered is whether to go with a hybrid WAN or SD-WAN.
With a hybrid WAN, two different types of network services connect locations. Usually, one network service is MPLS while the other is typically an Internet connection. While some enterprises will have an active MPLS connection with an Internet/VPN connection for failover, hybrid WAN actively uses both connections.
Hybrid WAN – Pros and Cons
Pros of Hybrid WAN
Hybrid WAN configurations allow for an easy increase in bandwidth by inserting Internet connections alongside an existing MPLS network. Offloading traffic from MPLS reduces monthly bandwidth costs and lets new installations be turned up faster by leveraging locally available Internet access links. Regulatory constraints mandating MPLS can continue to be met.
Hybrid WAN takes advantage of the reliability, security, and SLA-backed performance of MPLS connections, yet limits the expense of these connections by augmenting connectivity with Internet connections that are cheaper and more versatile. In some cases, these Internet links can help improve performance for traffic that is not destined for the datacenter as it can reduce the number of hops that can occur when backhauling through the datacenter.
Cons of Hybrid WAN
The question is whether organizations can ever eliminate MPLS costs with Hybrid WANs. The public Internet is too erratic for global deployments requiring the continued use of costly, international MPLS connections. Companies are still left with having to wait months to provision new MPLS circuits. In addition, maintaining distinctly separate WAN connection transports adds an administrative burden and can create appliance sprawl. Finally, Hybrid WANs aren’t designed with Cloud and mobile communications in mind, requiring additional strategies for securing and integrating these connections into the enterprise.
SD-WAN – Pros and Cons
Pros of SD-WAN
By replacing an MPLS network with SD-WAN, there can be a significant cost saving while still maintaining the performance required for today’s applications. Unlike MPLS, with SD-WAN customers can easily add new circuits or increase the bandwidth of existing circuits with little impact on the network configuration. By utilizing multiple low-cost, high-bandwidth circuits, SD-WAN can meet the performance and reliability organizations require. Organizations can select transport types that provide the best value for each location and still connect seamlessly to the rest of the WAN. In addition, because SD-WAN is compatible with multiple transport types, provisioning of new or additional services is much faster than MPLS.
Cons of SD-WAN
Out of the gate, SD-WAN has several challenges that involve security, global locations, and mobile user connectivity. Because public Internet connections are used for SD-WAN, and there is no need to backhaul to the secured datacenter, the traffic is no longer secured. For connectivity to some global locations, routing and response times can be unpredictable. However, oftentimes locations that have difficulties getting reliable Internet have less than ideal MPLS connectivity. For many organizations, connectivity for mobile users and to the cloud is a driving force for change in the WAN infrastructure. But to have access to the cloud with SD-WAN, a separate cloud connection point is required, and mobile users are not addressed in a standard SD-WAN solution.
Making the Choice
There are SD-WAN providers that have taken the best of both worlds by combining the advantages of SD-WAN while overcoming the challenges of a vanilla SD-WAN solution. That means the predictability and performance like MPLS while also offering an integrated firewall-as-a-service that makes firewall services available to all locations. In this case, the entire WAN is connected to a single, logical firewall with an application-aware security policy that allows for a unified security policy and a holistic view of the entire WAN. The other challenges such as cloud and mobile are also resolved with SD-WAN-as-a-service offerings.
When comparing hybrid WAN to SD-WAN, the decision for most organizations comes down to whether they feel MPLS can be replaced. With the dramatic improvement of Internet performance, unless there are specific locations that have poor Internet connectivity, an enterprise should feel confident that an SD-WAN solution can meet the demands while also providing cost and agility advantages over MPLS or hybrid WAN. If a business has a scenario where they feel MPLS is a must, then a hybrid WAN solution can be employed.
December 24, 2019
Network Optimization Techniques for the Modern WAN
A recent conversation with a WAN engineer got me thinking about how network optimization techniques have changed over the years. Optimization has always been about overcoming latency, jitter, packet loss, and bandwidth limitations. However, in recent years bandwidth has become much less of an issue for most enterprises. Lower dollar-per-bit costs of bandwidth and apps that incorporate data deduplication and compression are big drivers of this shift.
Edge computing is growing in popularity and the real WAN optimization challenges enterprises face relate to reducing RTT (round trip time), packet loss, and jitter to ensure high QoE (Quality of Experience) for services like UCaaS (Unified Communications as a Service). At a high-level, this means overcoming latency across the middle mile and addressing jitter and packet loss in the last mile.
Traditional WAN optimization tools do little to help address these challenges, as they’re simply designed to reduce bandwidth consumption. Fortunately, Cato Cloud offers enterprises a suite of network optimization tools that can.
But how do these network optimization techniques work and what can they do for your WAN? We’ll answer those questions here.
Middle-Mile Network Optimization Techniques: Reducing Latency
In the past, MPLS provided enterprises with low-latency, albeit expensive, connectivity between sites. As such, sites were often connected by the minimal amount of necessary capacity. WAN optimization appliances emerged to solve that problem, providing the means to extract the maximum usage out of available MPLS capacity.
However, the shift to a cloud-first, mobile-centric enterprise undermined the value of WAN optimization appliances. With more assets in the cloud, branch offices were required to send traffic back to the secure Internet gateway in the datacenter. The so-called trombone effect meant that latencies across MPLS network to the cloud were often worse than accessing the same cloud assets directly over inexpensive DSL lines.
WAN optimization appliances couldn’t fix that trombone problem. Furthermore, their ability to extract value out of every bit of capacity became less relevant when with Internet prices offices could have 20x more capacity than they did with MPLS.
Finally, the form factor — a physical appliance — was increasingly incompatible where users worked out of the office and the data lived in cloud, two places where installing an appliance was difficult if not impossible.
Appliance-based SD-WAN and Internet-based VPN provided an alternative to MPLS, but there were tradeoffs. For example, because of the problems with the public Internet, they couldn’t reliably provide the same low latency performance as MPLS. They too faced the “form factor” problem.
Cato Cloud solves these problems by providing a “best of both worlds” approach to WAN optimization. The converged nature of Cato’s Secure Access Service Edge (SASE) model makes cloud connectivity and mobile support possible without inefficient backhauling. Further, Cato provides a global private backbone with a 99.999% uptime SLA that delivers performance that meets or exceeds MPLS for most use cases.
This backbone consists of 50+ Points of Presence (PoPs) interconnected by multiple, Tier-1 providers. Traffic is optimally routed across these providers to ensure low-latency WAN connectivity across the globe. End-to-end route optimization and self-healing are built into the underlying cloud-native network to deliver high-performance connectivity in the middle mile. Additionally, Cato’s cloud-native network stack leverages network optimization techniques and tools like TCP proxies and advanced congestion management algorithms to improve WAN throughput.
Just how effective is Cato Cloud at optimizing the middle mile? Stuart Gall, Infrastructure Architect at Paysafe, can speak to that: “During our testing, we found latency from Cambridge to Montreal to be 45% less with Cato Cloud than with the public Internet, making Cato performance comparable to MPLS”. You can read more about how Paysafe replaced MPLS and Internet VPN with Cato here.
Last Mile Network Optimization Techniques: Compensating for Packet Loss and Jitter
While latency is primarily a middle-mile problem, link availability, packet loss, and jitter are common WAN performance challenges in the last mile. Cato Cloud enables WANs to mitigate these last mile problems using several network optimization techniques, including:
Packet Loss Mitigation
By breaking the connection into segments, Cato reduces the time to detect and recover lost packets. Where connections are too unstable, Cato duplicates packets across active/active connections for all or some applications.
Active/active link usage
Cato’s SD-WAN connects and manages multiple Internet links, routing traffic on both links in parallel. Using active-active, customers can aggregate capacity for production use instead of having idle backup links.
In case packet loss jumps, Cato automatically detects the change and switches traffic to the alternate link. When packet loss rates improve to meet predefined thresholds, traffic is automatically returned to primary links.
TCP Proxy with Advanced Congestion Control
Each Cato PoP acts as a TCP proxy server, “tricking” the TCP clients and servers into “thinking” their destinations are closer than they really are, allowing them to set larger TCP windows. In addition, an advanced version of TCP congestion control allows endpoints connected to the Cato Cloud to send and receive more data and better utilize the available bandwidth. This increases the total throughput and reduces the time needed to remediate errors.
Dynamic Path Selection and Policy-Based Routing (PBR)
Cato classifies and dynamically allocates traffic in real-time to the appropriate link based on predefined application policies and real-time link quality metrics.
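The last-mile behaviours listed above (active/active use of two links, moving an application off a link once its measured loss crosses a threshold, returning it only when loss recovers to a lower threshold, and duplicating packets when every link is too lossy) fit in one small decision routine. The following Python is an added example constructed for this page, not Cato's implementation; the link names, threshold values and application policies are assumptions chosen to illustrate the logic, and the two thresholds are deliberately different so a link hovering around the limit does not cause constant switching.

```python
"""Loss-aware last-mile path selection (added example; constructed, not Cato's code)."""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    loss_pct: float = 0.0     # most recent measured packet loss, percent
    latency_ms: float = 0.0   # most recent measured RTT


@dataclass
class AppPolicy:
    name: str
    preferred: str                 # link this app normally uses
    fail_over_at: float = 5.0      # loss % above which traffic leaves the preferred link
    fail_back_at: float = 1.0      # loss % below which traffic returns (lower than fail_over_at)
    duplicate_if_all_lossy: bool = False   # send every packet on every link when all are bad


@dataclass
class PathSelector:
    links: dict
    policies: dict
    active: dict = field(default_factory=dict)   # app name -> link currently carrying it

    def update_quality(self, link: str, loss_pct: float, latency_ms: float) -> None:
        """Feed in a fresh link-quality measurement."""
        self.links[link].loss_pct = loss_pct
        self.links[link].latency_ms = latency_ms

    def _best_alternative(self, exclude: str) -> Link:
        # lowest loss wins; latency breaks ties
        candidates = [l for n, l in self.links.items() if n != exclude]
        return min(candidates, key=lambda l: (l.loss_pct, l.latency_ms))

    def select(self, app: str) -> tuple:
        """Return (list of links to send on, duplicate flag) for this app right now."""
        pol = self.policies[app]
        pref = self.links[pol.preferred]
        current = self.active.get(app, pol.preferred)

        if current == pol.preferred:
            if pref.loss_pct > pol.fail_over_at:
                current = self._best_alternative(pol.preferred).name
        elif pref.loss_pct < pol.fail_back_at:
            # hysteresis: fail back only once the preferred link is clearly healthy again
            current = pol.preferred
        self.active[app] = current

        if pol.duplicate_if_all_lossy and all(
            l.loss_pct > pol.fail_over_at for l in self.links.values()
        ):
            return sorted(self.links), True
        return [current], False


def make_selector() -> PathSelector:
    """Constructed sample: a fiber link and an LTE link, voice prefers fiber, bulk prefers LTE."""
    links = {"fiber": Link("fiber", 0.2, 15.0), "lte": Link("lte", 1.5, 45.0)}
    policies = {
        "voice": AppPolicy("voice", "fiber", fail_over_at=3.0, fail_back_at=1.0,
                           duplicate_if_all_lossy=True),
        "bulk": AppPolicy("bulk", "lte", fail_over_at=10.0, fail_back_at=5.0),
    }
    return PathSelector(links, policies)


if __name__ == "__main__":
    sel = make_selector()
    print("voice:", sel.select("voice"), "bulk:", sel.select("bulk"))   # both links in use
    sel.update_quality("fiber", 6.0, 15.0)                              # fiber degrades
    print("voice after loss spike:", sel.select("voice"))
```

Two apps with different preferred links is what makes the pair of links active/active rather than primary/backup; and the fail_back_at check is the detail most worth copying, since a single threshold would flap traffic back and forth on a link whose loss sits near the limit.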
Just how effective are these features in the real world? RingCentral testing has shown Cato Cloud can deliver high-quality voice connectivity across Internet links with up to 15% packet loss.
Cloud Network Optimization Techniques: Optimal Egress & Shared Datacenter Footprint
With so many workloads residing in the cloud, low latency connectivity to cloud service providers has become a major part of network optimization for the modern enterprise. Often, this entails purchasing expensive premium connections like AWS DirectConnect or Azure ExpressRoute.
With Cato, premium connectivity is built into Cato Cloud. Cato PoPs are often in the same physical datacenters as the entrance points to cloud datacenter services, such as AWS and Azure. The latency from Cato to the cloud datacenter is often a matter of just hopping across the local network. Latency to the designated PoP is minimized by Cato’s intelligent routing. Further, by using advanced congestion management algorithms and TCP proxies, Cato optimizes throughput for bandwidth-intensive operations such as large file transfers.
But how much of a difference can Cato actually make? Cato’s cloud acceleration can improve end-to-end throughput to cloud services by up to 20 times and more.
Cato Cloud Modernizes WAN Optimization
As we’ve seen, Cato Cloud’s multi-segment WAN optimization approach enables enterprises to address the challenges facing network engineers today. By taking a holistic approach to optimization, enterprises can improve QoE for cloud, mobile, and on-premises regardless of WAN size.
To see the benefits of Cato Cloud in action, hear how Cato improves voice quality by checking out our SD-WAN & UCaaS- Better Together webinar or try this SD-WAN Demo. If you have questions about how to best optimize your WAN, contact us today.
December 17, 2019
Network & Firewall Security for the Modern Enterprise
Edge computing and the distributed cloud both cracked Gartner’s Top 10 Strategic Technology Trends for 2020, reminding me of a recent discussion on the challenges enterprises face when securing the modern WAN. Traditional firewall security simply can’t keep up with the challenges created by these new network paradigms. As a result, when I discuss firewall security with enterprises today, there are three recurring themes: visibility, scalability, and convergence.
Next-Generation Firewall (NGFW) appliances help solve these problems, but deploying multiple appliances adds significant complexity and creates operational and security challenges of its own. Fortunately, when converged with the larger network infrastructure, cloud-based firewalls, or Firewall-as-a-Service (FWaaS), can address these challenges.
So, how exactly can enterprises seamlessly integrate security to their networks without adding unnecessary complexity? Let’s find out.
The Basics of Firewalls
Before we dive into the challenges of appliance-based firewalls and benefits of FWaaS, let’s look at some of the basics of modern firewalls. Traditionally, firewalls were used to block or allow network traffic based on predefined rules. They could effectively block ports, isolate network segments, and enable basic enforcement of security policies. This same basic premise holds true for firewalls today, but the dynamic nature of modern enterprise networks has created a need for more flexible, granular, and intelligent firewall security.
Three Main Types of Firewall Software and Appliances
So, what sort of firewall software and appliances exist to meet these demands? In addition to the software-based endpoint firewalls that can run on network endpoints, there are three main firewall appliance types enterprises can deploy.
Packet-filtering firewalls
Traditional firewalls that block traffic at the protocol, port, or IP address level.
Stateful firewalls
Like packet-filtering firewalls, with the added benefit of analyzing end-to-end traffic flows rather than judging each packet in isolation.
Next-Generation Firewalls (NGFWs)
Offer all the functionality of stateful firewalls plus features such as deep packet inspection (DPI), intrusion detection and prevention systems (IDS/IPS), anti-virus, and website filtering.
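The difference between the first two types is easiest to see on actual packets. The following Python simulation is an added illustration, not code from the original post or from Cato; the Packet and Rule types, the rule syntax, and the addresses (RFC 5737 documentation ranges) are all invented for the example. It replays an outbound HTTPS connection and an unsolicited inbound packet through a stateless filter and a stateful one built on the same rules:

```python
"""Stateless packet filtering vs. stateful inspection on constructed packets.

Added example, not Cato code. The Packet/Rule classes and rule fields are
invented for illustration; addresses come from the RFC 5737 test ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: marks a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any source port
    dst: Optional[str] = None    # None matches any destination address
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """Stateless filter: every packet is judged only against the rule list,
    first match wins, default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Adds a connection table: replies to an allowed outbound connection are
    accepted even though no rule explicitly permits inbound traffic."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        # Reverse 5-tuple: is this a reply to a connection we already allowed?
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            return "allow"
        verdict = super().decide(pkt)
        # Only a new connection (TCP SYN, or any UDP datagram) opens a table entry.
        if verdict == "allow" and (pkt.proto != "tcp" or pkt.syn):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def run_scenario() -> Dict[str, Tuple[str, str, str]]:
    """Replay three constructed packets through both filters and collect verdicts."""
    web = Rule("allow", proto="tcp", dport=443)      # outbound HTTPS
    # A stateless filter needs this extra rule just to let HTTPS replies back in:
    replies = Rule("allow", proto="tcp", sport=443)
    stateless = PacketFilter([web, replies])
    stateful = StatefulFilter([web])                 # no reply rule needed

    client_hello = Packet("tcp", "192.0.2.10", 51000, "198.51.100.7", 443, syn=True)
    server_reply = Packet("tcp", "198.51.100.7", 443, "192.0.2.10", 51000)
    # Unsolicited inbound packet whose source port happens to be 443.
    unsolicited = Packet("tcp", "203.0.113.9", 443, "192.0.2.10", 51001, syn=True)

    results = {}
    for name, fw in (("stateless", stateless), ("stateful", stateful)):
        results[name] = tuple(fw.decide(p) for p in (client_hello, server_reply, unsolicited))
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

Both filters pass the client's connection and the server's reply, but the stateless filter can only do so because of the broad "source port 443" rule, and that same rule also admits the unsolicited packet. The stateful filter denies it because no matching connection exists in its table; that is the "end-to-end traffic flow" analysis the list refers to, and the reason stateful (and NGFW) devices can run with a far tighter inbound policy.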
Given the sophistication of modern security threats, NGFW appliances are commonplace within modern WANs, and for good reason. They’re able to detect malicious behavior and provide protection legacy firewall security solutions can’t. However, there are still several pain points enterprises face with physical and virtual firewall appliances.
The Shortcomings of Firewall Appliances
The problem with firewall appliances stems from the fact that appliances inherently require distributed deployments across sites. NGFWs are just one of a number of network appliances that enterprises must maintain, and integrating them at scale comes with challenges including:
Blind spots & reduced visibility
Since appliances are tied to a single location, they can only inspect data flows that go through them. This leads to one of two suboptimal outcomes: appliance sprawl or inefficient backhauling to have traffic routed through specific appliances for auditing. Further, since appliances are scattered throughout the network, as opposed to integrated with it, blind spots can become a real challenge.
NGFWs and UTMs have a limited amount of capacity to run engines for anti-malware, IPS, and secure web gateway (SWG). These resource constraints can lead to some functionality being sacrificed, create bottlenecks, or require additional appliances to be deployed.
Silos & disjointed security policies
Multiple appliances and security solutions for cloud, mobile, and on-premises lead to communications silos between teams, limit visibility, and prevent the implementation of consistent security policies across the network.
Complex and resource-intensive maintenance
Maintaining and patching a network of firewall appliances leads to a significant IT workload that doesn’t drive core business forward. Installations, configurations, upgrades, integrations, and patch management take time and divert resources from activities that could add business-specific value.
Integrating Firewall Security: Firewall as a Service and the Secure Access Service Edge
Cato solves this problem by providing FWaaS, with all the functionality of an enterprise-grade application-aware NGFW, as a part of a broader holistic approach to networking and security known as Secure Access Service Edge (SASE). Because Cato’s SASE platform integrates the networking and security functionality that used to require multiple different appliances into a multitenant cloud-native infrastructure, the fundamental problem associated with NGFW appliances goes away. As a result, enterprises can implement network & firewall security that provides:
As all WAN traffic on the Cato Cloud traverses the cloud-native infrastructure, there are no blind spots and no need for backhauling. Multiple security engines and DPI are baked-in to the network.
The Cato Cloud provides the unrestricted scalability of a cloud service to the WAN. Not only does this eliminate capex and ensure security isn’t sacrificed due to limited capacity, it means deployments that may have otherwise taken days or weeks can occur in minutes or hours.
Enterprise-wide policy enforcement
A converged software stack and mobile clients ensure that all users benefit from the same level of security and policies span the entire network.
Simple maintenance and management
Because the entire security stack is integrated into a single solution, maintenance and management are a fraction of what they were with firewall appliances. This leads to reduced costs and more resources to dedicate to business-specific tasks that can positively impact the bottom line.
Cato’s SASE Platform Integrates Networking and Security at Scale
In short, the Cato SASE platform delivers firewall security in a scalable, holistic, and future-proof manner. Not only does the Cato cloud solve the challenge of securing the distributed cloud and edge computing deployments common to the modern digital business, it does so while enabling IT to focus less on busy work and more on core business functions. Case in point: according to Todd Park, Vice President, W&W-AFCO Steel, “Cato firewall is much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach” after W&W-AFCO Steel replaced Internet-based VPN and firewall appliances with Cato Cloud.
You can learn more about securing modern enterprise networks in our Advanced Security Services whitepaper. Additionally, be sure to subscribe to our blog for the latest on SD-WAN, networking, and IT security. If you’d like to discuss the Cato platform with one of our experts or schedule a demonstration, don’t hesitate to contact us.
What are VPN Tunnels and How do They Work
Virtual Private Networks (VPNs) have become one of the cornerstones of secure communications over the internet. However, there has been a lot of confusion around what VPNs can and cannot do. That confusion has led many technologists to choose a VPN solution that may not be well suited for their particular environment. However, that confusion can be quickly eliminated with a little bit of education, especially when it comes to VPN Tunnels. One major concern around VPNs is the issue of how secure they are. In other words, can VPNs fully protect the privacy and content of the data being transmitted?
Related content: read our blog on moving beyond remote access VPNs.
What is a VPN Tunnel?
Before one can fully grasp the concept of a VPN Tunnel, they have to know exactly what a VPN is. VPNs are a connection method used to add security and privacy to data transmitted between two systems. VPNs encapsulate data and encrypt the data using an algorithm contained within the transmission protocol. VPN traffic is encrypted and decrypted at the transmitting and receiving ends of the connection.
Today’s VPNs primarily use one of the three major protocols, each of which has its advantages and disadvantages:
PPTP is one of the oldest protocols and came into existence back in the days of Windows 95. PPTP proves to be one of the easiest protocols to deploy and is natively supported by most major operating systems. However, PPTP uses what is known as GRE (Generic Routing Encapsulation), which has been found to have vulnerabilities. In other words, PPTP may be easy to set up, but its security is the weakest of the common VPN protocols.
VPNs can also be set up using the L2TP/IPsec protocols, which prove to have much stronger encryption than PPTP. L2TP/IPsec is actually a combination of two secure protocols that work in concert to establish a secure connection and then encrypt the traffic. L2TP/IPsec is a little more difficult to set up than PPTP, and can add some latency to a connection.
Another protocol that is gaining favor is OpenVPN, which is based upon SSL (Secure Sockets Layer) for its encryption protocol. OpenVPN is open source and freely available. However, OpenVPN requires a certificate, which means users of the protocol may have to purchase a certificate from a certificate authority.
Regardless of which protocol you choose, VPNs need to “tunnel” the data between the two devices. So, in essence, a VPN Tunnel is the actual connection mechanism: it is the data link that surrounds the encrypted traffic and establishes a secure connection.
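To make the encapsulation idea concrete, here is an added example (not from the original article and not Cato code) that wraps an inner IPv4 packet in a plain GRE tunnel packet and unwraps it again, using only the Python standard library. It follows the basic GRE header layout of RFC 2784 (a 4-byte header whose protocol-type field is 0x0800 for IPv4, carried in an outer IP packet with protocol number 47); the addresses, payload, and helper names are constructed for the example. Note that plain GRE is only the "data link that surrounds the traffic": it carries no encryption, which is why the tunnel and the cipher run inside it are separate concerns.

```python
"""Minimal GRE (RFC 2784) encapsulation and decapsulation of an IPv4 packet.

Added example, not Cato code. Addresses are RFC 5737/1918 test values and the
payload is constructed; the helpers are written for this illustration only.
"""
import socket
import struct

GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type value for an inner IPv4 packet
IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]   # checksum lives at offset 10
    return hdr + payload


def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap an inner packet in a basic GRE header and an outer IPv4 header."""
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # no C/K/S flags, version 0
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre_hdr + inner_packet)


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer IPv4 and GRE headers, then return the inner packet."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad outer IPv4 header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:   # C, K or S bit set: optional fields this example does not parse
        raise ValueError("optional GRE fields not supported here")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected inner protocol 0x%04x" % proto)
    return packet[ihl + 4:]


def demo():
    """Constructed inner datagram between two private hosts, tunnelled between
    two public tunnel endpoints. Returns (inner, outer, recovered_inner)."""
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello over the tunnel", ident=1)
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    return inner, outer, gre_decapsulate(outer)


if __name__ == "__main__":
    inner, outer, recovered = demo()
    print("outer packet bytes:", len(outer), "inner recovered intact:", recovered == inner)
    print("payload visible on the wire:", b"hello over the tunnel" in outer)
```

Running it shows the inner packet coming back byte-for-byte after a 24-byte detour (20 bytes of outer IPv4 plus 4 bytes of GRE), and also that the constructed payload is readable inside the outer packet. Everything the article says about confidentiality therefore depends on what the VPN protocol layers inside the tunnel, not on the tunnel itself.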
Why Use a VPN Tunnel?
VPNs have become an established method to ensure privacy, protect data, and are becoming very popular among internet users. Many organizations are now offering VPNs for private use, with the primary goal of protecting Internet users’ privacy. The way these services work is by offering a VPN host, which the end user connects to via a piece of client software on their device. All of the traffic between the device and the host is encrypted and protected from snooping. In other words, ISPs, broadband service providers, and any other entity that exists between the client and the host can not see the data that is in the VPN Tunnel, which preserves privacy.
While personal privacy is naturally a major concern, businesses and organizations should also be focused on privacy and protecting data. Organizations that have multiple offices or remote workers should also be encrypting and protecting data. Today’s businesses are transmitting proprietary information, intellectual property, and perhaps even customer data across the internet. Many businesses are also bound by compliance regulations, directing those businesses to protect customer privacy, as well as other data.
However, VPNs may not be the best solution for all businesses. Simply put, VPN Tunnels are still subject to man-in-the-middle attacks and the interception of data. While encryption may be very hard to break, it is not completely impossible. What’s more, in the not-too-distant future, quantum computers may be able to crack any of the existing encryption methodologies in a matter of minutes. That means those concerned with keeping data secure will have to look beyond the VPN Tunnel.
Establishing Security Beyond VPN Tunnels:
Arguably, the best way to prevent data from being intercepted over the internet is not to use the internet at all. However, for the majority of organizations that is simply not feasible. The internet has become the connective tissue between businesses sites and is a necessity for transmitting email, data files, and even web traffic.
However, enterprises can still secure their data communications and encrypt critical data without the risk of interception by using SD-WAN technology. A Software Defined Wide Area Network can be used to establish connection privacy between sites. SD-WANs bring forth concepts such as VLANs (Virtual Local Area Networks) that can communicate across an SD-WAN platform to establish secure connections. What’s more, SD-WANs can incorporate a full security stack, meaning that all traffic is examined for malware, intrusion attempts, and any other malicious activity. SD-WANs also prove easier to manage than multiple VPN clients and servers and offer the flexibility to adapt to changing business needs.
SD-WAN: The Future of Secure Connectivity
SD-WAN technology allows users to manage and optimize their wide area networks, reducing costs and creating a virtual overlay on top of many different transport mechanisms. SD-WAN technology, as offered by Cato Networks supports multiple transport protocols, such as cable broadband, DSL, fiber, 4G, 5G, satellite and any other TCP/IP transport mechanism. The Cato implementation of SD-WAN eliminates the need for multiple point solutions, dedicated hardware firewalls and so on. Cato’s offering also eliminates the need for traditional, dedicated VPN solutions, by replacing the VPN with a secure SD-WAN.
To learn more about Cato Networks, please feel free to contact us and to learn more about SD-WAN solutions, please download the Cato Networks WhitePaper.
November 26, 2019
SD-WAN Confessions: How One Company Migrated from MPLS to SD-WAN
Nick Dell is an IT manager who recently led a network transformation initiative at his company, moving from MPLS to SD-WAN. Dell shared why he made that transition and the lessons he learned along the way in the webinar SD-WAN Confessions: How I migrated from MPLS to SD-WAN. We’ve also summarized his experiences here.
The company Dell works for is a leading manufacturer in the automotive industry and has nine locations and more than 2000 employees. The company has critical ERP and VoIP applications that run in the cloud.
When Dell started with the company, there was an MPLS network where the provider placed three cloud firewalls at different datacenters. “We were promised, if one firewall goes down, the system will failover to the other, and each location will have LTE wireless backup,” says Dell. “The provider also committed to managing everything on our behalf.”
Issues arose about a year into the MPLS contract. One problem stemmed from overuse of the bandwidth at certain peak times, prompting the need for more bandwidth. A more serious issue was the planned failover processes weren’t working as expected, causing system outages. “We were supposed to be connected to the Internet at all times and this just wasn’t the case,” laments Dell. “People couldn't record production; they couldn't ship trucks. It was a big problem affecting our business.”
And the problems began to mount. “We needed connectivity to our OEMs, and our vendor could not get a simple VPN tunnel from the cloud firewalls to our customer. We got so frustrated, we just abandoned it,” says Dell. “We couldn't even get fiber at some locations when we needed more bandwidth. It made us realize that not all carriers can get everything you need in certain areas."
Mobility was another issue. “We were getting blocked switching from wired to wireless, and they couldn't fix it without an additional investment in new software plus agents on our laptops,” he says. That’s when they began looking for an alternative to their existing WAN.
Considering the Options for SD-WAN
Dell’s team spent six months to a year looking at their options for SD-WAN. They considered a carrier-managed SD-WAN solution with their current provider, using SD-WAN appliances that Dell’s company would own. “We quickly eliminated this option because that provider couldn’t deliver on the connectivity solution we already had from them. I couldn’t trust them to manage the SD-WAN,” says Dell.
Next they considered self-managed SD-WAN, where Dell’s company owned and managed the equipment purchased from their same MPLS vendor. This approach had a lot of up-front costs, and the cost to assure high availability (HA) was unreasonable.
A third option was to get a cloud solution from an MSP. “We wouldn't have the direct SD-WAN solution, and some of the features for security were not built in. I'd have to go out to third parties for Internet filtering. And again, there was a limited HA discount, and I couldn't get guaranteed four-hour response time,” says Dell.
Carrier-managed SD-WAN
The same poorly managed service
Ticket takers, not problem solvers
Limited HA discount
Device replacement took too long
Self-managed SD-WAN
Full security not built-in
Limited HA discount
Device replacement took too long
SD-WAN Cloud (MSP)
SD-WAN not their core business
Not direct with SD-WAN
Full security not built-in
Limited HA discount
Device replacement took too long
The Company Chooses Cato SD-WAN
Next, the company considered Cato’s cloud-based SD-WAN. “There’s a lot of functionality there that really helps our business,” says Dell. “It was one of the best IT decisions we've made. It really changed the way that we do things. Cato really has the vision for the next generation of networking and security.”
Cato Cloud SD-WAN
All network resources on a single network
Full stack of built-in, cloud-based security services
Global network of PoPs interconnected by multiple tier one carriers
Traffic optimization across the network
Support for cloud and mobility
Full network visibility
Unified security policy
Fully managed, co-managed, self-managed service
“With Cato, we are able to go out to any ISP that we want to use. We aren’t locked into who the telco has relationships with, as with the MPLS,” says Dell. “I was able to get fiber at all our locations, and in some cases, at a third of the cost, by going with another provider. We have five to 20 times the bandwidth, and we now have robust, redundant Internet. We actually have a hot spare at each location. QoS actually works, we don't get calls about being blocked from the Internet anymore, and failover works like it is supposed to.”
“As for deployment, the cutover was easy. We did one site over a 30-minute lunch break—that’s how easy it was,” says Dell. “They worked with us to resolve an issue we initially had with user authentication and they had it fixed within a few weeks.”
Cato makes HA affordable. “They weren't trying to cash in on another device or get double their monthly fee. They are the only ones that I felt weren’t trying to make a ton of money off HA,” Dell says.
Benefits Abound with Cato
Dell says Cato support is amazing. “They are always there to answer our questions. I can get support via a webpage, I can call them, I can email them, and when I get ahold of a technician, they don’t take out a ticket and pass this up to tier two or tier three. 95 percent of the time they're on the phone, they're helping me, they're seeing a problem or fixing it or just solving the problem right then and there.”
Dell’s team collected some network performance metrics. “Even with our best MPLS circuit, we had peak response times of 106 msec. On our worst MPLS circuit, response time peaked at 302 msec. With Cato it averaged about 26 msec. Our users immediately saw the difference when working with the ERP system. They told us, ‘Whatever you did was amazing.’"
Dell says the voice quality for the VoIP service has been great. “Cato, with the quality of service, has really brought us to the next level.”
Cato also improved the company’s ability to do full backups during the day because there is sufficient bandwidth to do this and not impact end users at all.
ROI was basically immediate, according to Dell. “We were able to cutover all our circuits within 60 days, and that cost savings was seen on day one. I would say it was less than six months to break even, and then we were saving money after that. I look at my monthly saving of over $2,000-$3,000 and the 5 to 20 times the bandwidth that we increased everywhere. The performance increase was huge and the ROI was pretty much instantaneous.”
Dell provides an FAQ document that illustrates the important questions to ask yourself to help you decide on the right SD-WAN solution for you.
For more details about this SD-WAN migration effort, watch the webinar here.
November 19, 2019
Why is SD-WAN Considered a Top Choice Among VPN Alternatives?
AdRoll’s Global Director of IT Adrian Dunne faced several challenges when attempting to scale the company’s Internet-based VPNs. Network performance, security, and redundancy all became major issues as AdRoll grew, prompting Dunne to search for a VPN alternative.
What struck me most about AdRoll’s use case was that it was a microcosm of the issues so many enterprises face with VPN. Often, VPN makes sense at a small scale or for one-off applications. However, as enterprises grow and networks become more complex, VPN’s shortcomings far outweigh the benefits. Like AdRoll, many modern enterprises are learning that the scalability, security, and reliability of cloud-based SD-WAN make it an ideal VPN alternative.
So, what makes SD-WAN such an attractive VPN replacement?
Use Cases for VPN
Before we dive into the shortcomings of VPN, let’s review what makes it attractive to some enterprises in the first place. Internet-based VPN gained popularity over the last decade in part as a lower-cost, albeit flawed, alternative to MPLS (Multiprotocol Label Switching). Site-to-site VPNs enable enterprises to securely connect physical locations over the public Internet by creating an encrypted connection between two on-premises appliances. The upside here was simple: public Internet bandwidth is significantly cheaper than MPLS bandwidth. For the mobile workforce, remote-access VPNs allow employees to access WAN resources from home-offices, hotels, and mobile devices using VPN client software.
Where VPN Comes Up Short
So, if VPNs can connect multiple locations securely and at a lower cost than MPLS, what are the downsides that lead to so many enterprises searching for VPN alternatives? There are quite a few, including:
Appliance sprawl
With Internet-based VPN, physical or virtual appliances must be installed at each location. Not only does this increase opex, but it also adds significant complexity to network infrastructure and creates bottlenecks when provisioning new sites. Further, appliance refreshes erode the initial cost savings VPN solutions promise.
Complexity increases as you grow
Related to the issue of appliance sprawl is the complexity of configuring tunnels at a new location. As you add more locations to your network, tunnels need to be defined to each existing location. Very quickly, the sheer complexity of setting up the VPN becomes too time-consuming for many IT professionals.
Increased attack surface
While it is true that VPN uses secure protocols like IPsec (IP Security) and TLS (Transport Layer Security) to tunnel traffic, a lack of granular security controls can lead to unnecessary risk. For example, AdRoll users who only required access to web applications could use SSH to connect to the company’s routers.
Remote-access VPNs require client devices to connect to on-premises UTM (Unified Threat Management), firewall, or VPN appliances. Doing so can add significant latency and impact the performance of applications such as VoIP, telepresence, and video streaming. VPN appliances themselves also have limited bandwidth, which can lead to these appliances becoming WAN bottlenecks. Additionally, traffic that must traverse large geographical distances over the public Internet often experiences unacceptable latency levels.
Limited network visibility
With VPN, enterprises are often left in the dark when it comes to a large chunk of their data flows. With mobile workforces, this becomes an even bigger challenge. Often, mobile users connect directly to services like Office 365, limiting corporate oversight and auditing capabilities.
Unpredictable and unreliable service
Internet-based VPN is inherently reliant on the public Internet. With the lack of SLAs and underlying fundamental problems with Internet routing, this means enterprises that choose Internet-based VPN must sacrifice some level of service reliability.
How Cloud-Based SD-WAN Addresses VPN Challenges
With the rapid evolution of enterprise networking, enterprises are realizing that the tradeoffs associated with VPN simply aren’t worth it. A shift towards SaaS-based architectures, mobile workforces, and latency sensitive applications like UCaaS (Unified Communications as a Service) make scalable, agile, and secure WAN connectivity a must. Cato’s cloud-based SD-WAN meets these demands and addresses the shortcomings of VPN. With Cato Cloud, enterprises get:
Scalable, cloud-native infrastructure
With a converged, cloud-native network infrastructure, Cato Cloud enables enterprises to provision new sites in minutes as opposed to days and eliminates the need for the majority of on-premises appliances. Nor do IT pros need to configure tunnels between locations. All of which reduces operational expenses (opex) and brings the hyper-scalability of the cloud to the WAN.
Granular policy enforcement
A full cloud-native security stack with features like NGFW (Next-generation firewall) enables granular policy enforcement for all users and applications. Enterprises can enforce policies down to the application and user level.
Optimized WAN performance
Cato’s global private backbone addresses latency in the middle-mile. Features like active/active failover, Intelligent Last Mile Management (ILMM), and dynamic path selection help optimize WAN performance in the last-mile as well. Further, Cato’s mobile client eliminates the need for the inefficient backhauling associated with remote-access VPN. Additionally, the scalability of the cloud eliminates the issue of on-premises appliances creating a bottleneck. The result? WAN performance that far outstrips VPN. Case in point: Cato customer Paysafe found that Cato Cloud had 45% less latency than Internet-based VPN.
In-depth network visibility
The cloud-native security stack built into the Cato cloud enables application- and user-level visibility into network data flows. This holds true for mobile users and cloud applications as well. In fact, Adrian Dunne and the AdRoll team gained deeper insight into cloud usage with Cato. According to Dunne, “Now we can see who’s connecting when and how much traffic is being sent, information that was unavailable with our previous VPN provider…correct oversight and monitoring of logs ties directly into the bigger security conversation.”
Reliable, SLA-backed performance
Cato’s private backbone is connected by multiple Tier-1 ISPs (Internet Service Providers) and backed by a 99.999% uptime guarantee. With 45+ PoPs (Points of Presence) across the globe, Cato’s backbone delivers reliable and predictable performance on a global scale. Additionally, a shared datacenter footprint with major cloud service providers enables optimal egress for cloud traffic eliminating the need for services like AWS Direct Connect.
SD-WAN Provides Enterprises with a Modern VPN Alternative
While VPN can address select small-scale WAN use cases, it simply isn’t designed to meet the demands of the modern digital business. By taking a converged, scalable, and secure approach to WAN connectivity, cloud-based SD-WAN serves as the ideal VPN alternative and enables enterprises to get the most out of their networks.
If you’d like to learn more about how to modernize and optimize your WAN, contact us. If you’d like to see Cato Cloud in action, you’re welcome to sign up for a demo.
November 19, 2019
What is Network Visibility?
When I read that less than 20% of IT professionals indicated their organizations can properly monitor public cloud infrastructure, it reminded me of the recurring network visibility conversations I have with network managers from around the globe. The dynamic and distributed nature of cloud workloads coupled with a mobile workforce make avoiding shadow IT and achieving granular visibility of network flows challenging for many enterprises.
Traditional VPN solutions enable connectivity for mobile and remote employees but do little to enable the same visibility and control possible on-premises. Routing traffic back through corporate headquarters for auditing isn’t a practical solution. Doing so hamstrings performance and limits the benefits cloud and mobile bring in the first place. Fortunately for enterprises, cloud-based SD-WAN solves this problem by making secure, monitored, and policy-enforced WAN connectivity possible across the globe, on-prem and in the cloud, without sacrificing performance.
But what exactly makes cloud-based SD-WAN different? Before we answer that, let’s take a closer look at network visibility and explore the challenges cloud and mobile create.
Network Visibility Defined
Network visibility is the collection and analysis of traffic flows within and throughout a network. At the most granular, enterprises may strive to achieve visibility down to the packet, user, and application level. Worded differently, network visibility is what enterprises generally aim to gain from network and security monitoring tools.
Granular network visibility brings several benefits to the enterprise. With in-depth network visibility, organizations can improve security through stricter policy enforcement, rapid detection of malicious behavior, and reduction in shadow IT. Additionally, network visibility can improve network analytics and application profiling. This, in turn, enables better reporting, more informed decision making, and improved capacity planning.
Network Visibility Challenges Created by Cloud and Mobile
One of the biggest challenges enterprises face with network visibility is addressing the blind spots created by cloud and mobile. It is easy for an enterprise to fall into a false sense of security because it can view all the traffic traversing MPLS links. The problem is that today’s enterprise WANs are a mix of MPLS, Internet-based VPNs, mobile users, and cloud services. Under those circumstances, traditional monitoring tools simply aren’t able to provide visibility across the entirety of the WAN.
Traditionally, network visibility within the WAN has been made possible by SIEM (security information and event management) solutions and network management systems that aggregate packet flow data from multiple security and network monitoring tools such as security appliances, firewalls, and endpoint sensors. While these tools can be made to work effectively when traffic is restricted to the WAN, they begin to fall apart when cloud and mobile come into play.
For example, endpoint sensors generally can’t run on mobile devices. Similarly, capturing application-level visibility on traffic to and from cloud datacenters becomes a major challenge. This is because each cloud platform often comes with its own set of security policies and protocols, creating silos and blind spots within the network. The fact that traditional monitoring tools, like SNMP (Simple Network Management Protocol) and many agent-based solutions, simply don’t work in the cloud makes things worse. Further, because they can obscure the data from network sensors, Network Address Translation (NAT) and encryption reduce the usefulness of the sensors and can stifle packet inspection efforts.
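The attribution loss that NAT causes, and the shadow-IT question that visibility is meant to answer, can be shown on a handful of flow records. The following Python is an added example (not Cato code and not from the original post): the flow records, the address-to-user lease map, the hostnames and the sanctioned-application list are all constructed. Flows from a private source address can be tied to a user; flows that reach the sensor only after NAT carry a public source address and cannot.

```python
"""Flow-record analysis: per-application totals, shadow-IT candidates, and how
much traffic loses user attribution behind NAT.

Added example, not Cato code. FLOWS, LEASES, SANCTIONED and all hostnames are
constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed flow records as a SIEM might receive them from a gateway sensor.
# src is the address the sensor saw; for the branch behind NAT that is the
# branch's public address, not the user's device.
FLOWS = [
    {"src": "10.0.1.15",   "dst": "outlook.office365.com",   "bytes": 120_000},
    {"src": "10.0.1.22",   "dst": "files.example-share.net", "bytes": 4_500_000},
    {"src": "203.0.113.5", "dst": "files.example-share.net", "bytes": 9_000_000},
    {"src": "10.0.1.40",   "dst": "crm.example.com",         "bytes": 800_000},
    {"src": "203.0.113.5", "dst": "video.example-meet.io",   "bytes": 2_500_000},
    {"src": "10.0.1.15",   "dst": "paste.example-paste.org", "bytes": 200_000},
]

# Constructed identity map (what DHCP/identity logs would give a SIEM).
LEASES = {"10.0.1.15": "alice", "10.0.1.22": "bob", "10.0.1.40": "carol"}

# Constructed list of applications IT has approved.
SANCTIONED = {"outlook.office365.com", "crm.example.com"}


def attribute(flow: Dict, leases: Dict[str, str]) -> Optional[str]:
    """Map a flow's source address to a user. Public sources (seen after NAT)
    and unknown private addresses cannot be attributed."""
    ip = ipaddress.ip_address(flow["src"])
    if ip.is_private:
        return leases.get(flow["src"])
    return None


def summarize_by_destination(flows: List[Dict], leases: Dict[str, str]) -> Dict[str, Dict]:
    """Bytes per destination, the users seen, and bytes with no user attribution."""
    totals = defaultdict(lambda: {"bytes": 0, "users": set(), "unattributed": 0})
    for f in flows:
        t = totals[f["dst"]]
        t["bytes"] += f["bytes"]
        user = attribute(f, leases)
        if user is None:
            t["unattributed"] += f["bytes"]
        else:
            t["users"].add(user)
    return dict(totals)


def shadow_it_candidates(flows: List[Dict], leases: Dict[str, str],
                         sanctioned: set, min_bytes: int = 1_000_000) -> List[str]:
    """Destinations that carry meaningful volume but are not on the approved list."""
    summary = summarize_by_destination(flows, leases)
    return sorted(dst for dst, t in summary.items()
                  if dst not in sanctioned and t["bytes"] >= min_bytes)


def attribution_gap(flows: List[Dict], leases: Dict[str, str]) -> float:
    """Fraction of all bytes that cannot be tied to a user."""
    total = sum(f["bytes"] for f in flows)
    hidden = sum(f["bytes"] for f in flows if attribute(f, leases) is None)
    return hidden / total if total else 0.0


if __name__ == "__main__":
    for dst, t in summarize_by_destination(FLOWS, LEASES).items():
        print(f"{dst:28} {t['bytes']:>12,} bytes  users={sorted(t['users'])}  unattributed={t['unattributed']:,}")
    print("shadow IT candidates:", shadow_it_candidates(FLOWS, LEASES, SANCTIONED))
    print(f"bytes without a user: {attribution_gap(FLOWS, LEASES):.1%}")
```

On the constructed data, two unsanctioned services clear the volume threshold, and roughly two thirds of all bytes cannot be tied to a person because they arrived from the NAT'd branch address. That is the "obscured from network sensors" problem in numbers: the destination and volume are still visible (even when the payload is encrypted, the flow metadata survives), but the who is gone unless identity is captured before translation.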
Another downside to the traditional approach to network visibility and packet inspection is that it is tied to physical or virtual site-specific devices such as Next-generation Firewalls (NGFWs), Secure Web Gateways (SWGs), and Unified Threat Management (UTM) appliances. Each location within the WAN requires its own set of appliances that must be sourced, provisioned, and maintained. The alternative is to backhaul all traffic to a central location on the WAN for inspection, which creates latency and impacts performance.
As a result, the appliance-based approach to network visibility and security scales poorly. The more appliances an enterprise has, the more complex the network becomes. Appliances also inherently have capacity constraints that limit how much traffic can be inspected and analyzed without a hardware upgrade. Additionally, not only do appliances have to be provisioned and deployed, they have to be maintained, patched, and eventually replaced. As the enterprise grows, this can become a patchwork of appliances with varying configurations, firmware revisions, and policies. The result is limited network visibility and potential security vulnerabilities created by oversight or policy deviations between sites.
However, the best way to conceptualize the network visibility challenges facing the modern enterprise may be to consider the task of securely connecting mobile users to resources in the cloud. In this scenario, if enterprises wish to gain some level of visibility over the data flows, mobile users traditionally must connect via a VPN back to on-premises appliances for auditing and inspection. The traffic is then routed on to a local Internet access point or across the WAN to a centralized and secure Internet access point before making its way to its destination in the cloud. This approach creates significant impact on performance, making it unattractive to most enterprises.
This is one of the reasons over half of the enterprises we surveyed reported they let mobile users connect directly to the cloud. Unsurprisingly, over half of the respondents also indicated that “lack of visibility and control” was their biggest challenge when it comes to providing mobile users access to business applications.
How Cloud-Based SD-WAN Enables Complete Network Visibility
As we can see, the traditional appliance-based approach left enterprises facing an unattractive tradeoff: sacrifice performance for some level of security and visibility or sacrifice network visibility in the name of performance. Cato’s cloud-based SD-WAN solves this problem by shifting the paradigm away from an appliance-based approach that is bound to physical locations.
The reason Cato Cloud is different stems from its global SLA-backed private backbone and cloud-native network infrastructure that bakes security and monitoring into the network. The backbone consists of 45+ Points of Presence (PoPs) across the globe, and Cato strives to have a PoP within 25 milliseconds of any Cato user. Within the Cato Cloud, the cloud-native network infrastructure provides the network security and monitoring features that used to require discrete on-premises appliances.
As opposed to having network traffic routed through an on-premises appliance, mobile users can connect to the Cato Cloud using Cato’s mobile client. This enables secure and optimized mobile connectivity to cloud applications and WAN resources. Mobile users get the same protection and performance as they would on-premises.
IT also benefits with this cloud-based approach to WAN connectivity. With Cato Cloud, network complexity is reduced while network visibility is increased, streamlining operations while enhancing security. Features that make this possible include:
Next-generation Firewall (NGFW)
Cato’s built-in NGFW functionality enables application-level awareness of network traffic without deploying multiple appliances. Unlike on-premises appliances, Cato’s NGFW provides enterprises the benefit of unlimited scalability and full traffic inspection without forced upgrades.
Beyond QoS (Quality of Service) and high-level, business-process policy abstraction, Cato’s identity-aware routing engine makes business-centric network visibility possible. IT can view activity and network flows at the site, group, host, and user levels to improve network planning.
Managed Threat Detection and Response (MDR)
Cato’s MDR offers enterprises zero-footprint network visibility by gathering complete metadata for all WAN and Internet flows without deploying any network probes.
Cato Helps Enterprises Gain the Network Visibility Modern Enterprises Demand
The takeaway here is simple: because Cato provides a converged WAN platform, it can provide granular network visibility in a simple and scalable manner. By shifting away from an appliance-based approach to WAN management, Cato brings the benefits of the cloud to the WAN. As a result, Cato customers are seeing benefits in the real world and improving network visibility and performance by making the switch to Cato Cloud. For example, after choosing Cato over appliance-based SD-WAN and MPLS, Nathan Trevor, IT Director at Sanne Group, was quoted as saying: “Now I can open a Web browser and see the state of connectivity for every single site globally. I can even see down to a single person and how much bandwidth (s)he is using. Cato is powerful beyond belief.”
You can read more about Sanne Group’s use case in this case study. If you’d like to learn more about Cato Cloud or see it in action for yourself, contact us or schedule a demo today.
With the Issues Packet Loss Can Create on the WAN, Mitigation is a Priority
Network packets, the protocol data units (PDUs) of the network layer, are often taken for granted by network pros. We all get the concept: to transmit data over a TCP/IP network like the Internet, the data must be broken down into small packets (typically no larger than 1500 bytes on Ethernet links) containing the relevant application data (“payload”) and headers. Routers forward these packets from source to destination, and encapsulation enables the data to traverse the TCP/IP stack.
The problem arises when this process fails, and packet loss occurs. Packet loss is, intuitively, when some packets fail to reach their destination.
Left unchecked, packets not reaching their destination can quickly become a major problem in an enterprise. When apps demand real-time data streams, even a relatively small amount of loss can create major problems. For example, Microsoft’s network requirements for Skype for Business connections keep packet loss under 10% for any 200-millisecond interval and under 1% for any 15-second interval. That’s not much room for error, and similar requirements exist for other mission-critical VoIP (Voice over Internet Protocol) and telepresence apps, making packet loss mitigation an enterprise priority.
Let’s explore packet loss in more depth and explain how Cato can reduce it on the enterprise WAN.
How Much is Too Much?
When discussing WAN optimization, the question of “what is an acceptable level of packet loss?” comes up quite a bit. I’m not a big fan of labeling any level of packet loss as “acceptable”, although a dropped packet here or there isn’t a major concern. As a rule of thumb, random packet loss exceeding about 1% can noticeably degrade the quality of VoIP or video calls. As packet loss increases, calls get choppy and robotic, video cuts in and out, and eventually connections are lost.
The surge in UCaaS (Unified Communications as a Service) popularity adds another wrinkle to the problem of packet loss. With voice and video services residing in the cloud, enterprises need a predictable low-latency connection to UCaaS providers like RingCentral, 8x8, and Telstra. In many cases, the public Internet is too unreliable for the job and MPLS (Multiprotocol Label Switching) is too inflexible and expensive. In addition to packet loss, latency, jitter, and security also become concerns with UCaaS. We deep dive on this topic in 4 Ways Cato is Perfect for UCaaS.
Detecting Packet Loss
Packet loss is calculated by measuring the ratio of lost packets to total packets sent. For example, in the ping output below, we see 1/5 of our packets did not make it to catonetworks.com, for a total of 20% packet loss.
ping -n 5 catonetworks.com
Pinging catonetworks.com [203.0.113.2] with 32 bytes of data:
Reply from 203.0.113.2: bytes=32 time=105ms TTL=56
Reply from 203.0.113.2: bytes=32 time=136ms TTL=56
Reply from 203.0.113.2: bytes=32 time=789ms TTL=56
Reply from 203.0.113.2: bytes=32 time=410ms TTL=56
Request timed out.
Ping statistics for 203.0.113.2:
Packets: Sent = 5, Received = 4, Lost = 1 (20% loss),
Approximate round trip times in milli-seconds:
Minimum = 105ms, Maximum = 789ms, Average = 360ms
Tools commonly used to detect packet loss include:
ping. This is the simplest tool to detect packet loss and can be effective for ad-hoc troubleshooting. However, many firewalls block ICMP (Internet Control Message Protocol), and routers commonly rate-limit or deprioritize ICMP relative to forwarded traffic, so ping loss does not always reflect what application traffic experiences. Ping alone isn’t always enough.
tracert/traceroute. tracert (Windows) and traceroute (*nix) help identify the specific hop where packet loss begins. Treat loss that appears at an intermediate hop but not at later hops or the destination with suspicion: it usually means that router is rate-limiting its own ICMP replies, not dropping transit traffic. Tools such as mtr, which repeat the trace continuously, make that pattern easier to spot.
Network monitoring software. Software applications like SolarWinds Network Performance Monitor, PRTG, Nagios, and Zabbix can all help monitor for packet loss at scale. For enterprise WAN, Cato Cloud’s Intelligent Last-Mile Management (ILMM) continuously measures packet loss in the last-mile.
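A small parser for ping output such as the transcript above, added here as an example; it is not part of the original post and not a Cato tool. It reads both the Windows format shown and the Linux iputils format, derives the loss ratio, mean RTT and a simple RTT jitter figure, and flags loss above the 1% rule of thumb used later in this post. Both transcripts embedded in it are constructed samples (the Linux one is invented to mirror the Windows one), 203.0.113.2 is a documentation address, and `capture_ping` is a convenience wrapper around the system ping using its real `-n`/`-c` count flags. On Linux the loss is inferred from gaps in icmp_seq, so losses at the tail of a run are not visible without the summary line.

```python
import re
import subprocess
import sys
from dataclasses import dataclass
from statistics import mean
from typing import List

# Constructed sample: the Windows-style transcript quoted above (one timeout).
SAMPLE_WINDOWS = """\
Pinging catonetworks.com [203.0.113.2] with 32 bytes of data:
Reply from 203.0.113.2: bytes=32 time=105ms TTL=56
Reply from 203.0.113.2: bytes=32 time=136ms TTL=56
Reply from 203.0.113.2: bytes=32 time=789ms TTL=56
Reply from 203.0.113.2: bytes=32 time=410ms TTL=56
Request timed out.
"""

# Constructed sample in Linux iputils format; icmp_seq=3 never came back.
SAMPLE_LINUX = """\
PING catonetworks.com (203.0.113.2) 56(84) bytes of data.
64 bytes from 203.0.113.2: icmp_seq=1 ttl=56 time=21.3 ms
64 bytes from 203.0.113.2: icmp_seq=2 ttl=56 time=22.1 ms
64 bytes from 203.0.113.2: icmp_seq=4 ttl=56 time=20.9 ms
64 bytes from 203.0.113.2: icmp_seq=5 ttl=56 time=23.0 ms
"""

# Matches "time=105ms" (Windows), "time<1ms" (Windows sub-ms) and "time=21.3 ms" (Linux).
REPLY_RE = re.compile(r"\btime[=<]([\d.]+)\s*ms", re.IGNORECASE)
SEQ_RE = re.compile(r"icmp_seq=(\d+)")
TIMEOUT_RE = re.compile(r"Request timed out|Destination host unreachable", re.IGNORECASE)

LOSS_THRESHOLD_PCT = 1.0  # rule of thumb for noticeable VoIP/video degradation


@dataclass
class PingStats:
    sent: int
    received: int
    rtts_ms: List[float]

    @property
    def lost(self) -> int:
        return self.sent - self.received

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.lost / self.sent if self.sent else 0.0

    @property
    def avg_rtt_ms(self) -> float:
        return mean(self.rtts_ms) if self.rtts_ms else 0.0

    @property
    def jitter_ms(self) -> float:
        """Mean absolute difference between consecutive RTTs (a simple jitter proxy)."""
        if len(self.rtts_ms) < 2:
            return 0.0
        return mean(abs(b - a) for a, b in zip(self.rtts_ms, self.rtts_ms[1:]))


def parse_ping(text: str) -> PingStats:
    """Parse Windows or Linux ping output into sent/received counts and RTTs."""
    rtts: List[float] = []
    seqs: List[int] = []
    timeouts = 0
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            rtts.append(float(m.group(1)))
            s = SEQ_RE.search(line)
            if s:
                seqs.append(int(s.group(1)))
        elif TIMEOUT_RE.search(line):
            timeouts += 1
    if seqs:
        # Linux prints no per-packet timeout line, so losses are inferred from
        # gaps in icmp_seq; trailing losses are invisible without the summary.
        sent = max(seqs)
    else:
        sent = len(rtts) + timeouts
    return PingStats(sent=sent, received=len(rtts), rtts_ms=rtts)


def assess(stats: PingStats) -> str:
    """Verdict against the 1% rule of thumb. Many routers rate-limit or deprioritize
    ICMP, so ping loss is a hint about, not proof of, data-plane loss."""
    if stats.sent == 0:
        return "no data"
    verdict = "degraded" if stats.loss_pct > LOSS_THRESHOLD_PCT else "ok"
    return f"{verdict}: {stats.loss_pct:.1f}% loss over {stats.sent} probes"


def capture_ping(host: str, count: int = 20) -> str:
    """Run the platform's ping with a fixed probe count and return its output."""
    flag = "-n" if sys.platform.startswith("win") else "-c"
    return subprocess.run(["ping", flag, str(count), host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, sample in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        st = parse_ping(sample)
        print(f"{label}: {assess(st)}; avg RTT {st.avg_rtt_ms:.1f} ms, jitter {st.jitter_ms:.1f} ms")
```

Run it against a live host with `parse_ping(capture_ping("example.com", 50))`; a larger probe count matters, since one lost probe in five reads as 20% loss while the same single loss in fifty reads as 2%.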
Causes of Packet Loss
Detecting packet loss is one thing, but knowing how to identify the root cause is another. Common causes of packet loss include:
Routers with heavy CPU load. Routers have a finite amount of compute capacity, if the CPU load gets too heavy, packets can be dropped.
Security breaches. Malware or Denial of Service (DoS) attacks can consume a significant amount of bandwidth and resources, leading to packet loss.
Misconfigurations. Oftentimes, the cause of network outages is human error. The same holds true for packet loss. Misconfigured switches, routers, servers, or firewalls can lead to dropped packets. A textbook example is using half-duplex where full-duplex is needed or vice-versa.
Network congestion. The more traffic there is on a network, the more likely packets are to be dropped before reaching their destination.
Faulty hardware. Bad cables, routers, servers, and switches can all lead to packet loss and intermittent connectivity.
Software bugs. Packet loss can be related to a bug in a given software or firmware and updating may fix the problem.
How Cato Cloud Mitigates Packet Loss for The Enterprise WAN (with proof!)
With all the potential causes of packet loss and the Quality of Experience (QoE) issues it can create on the WAN, mitigating it is a priority. Cato Cloud has a number of built-in features that make the WAN resilient against packet loss, such as:
Forward Error Correction (FEC). Sends redundant parity data alongside the original packets so the receiver can reconstruct lost packets without waiting for a retransmission, at the cost of some extra bandwidth. This keeps real-time streams intact and avoids the retransmission bursts that add to congestion.
Identity-aware Quality of Service (QoS). Identity-aware routing and business process QoS take standard QoS to the next level by allowing critical data (e.g. an executive call) to be prioritized over standard traffic.
Dynamic Path Selection and Policy-based Routing (PbR). By proactively working around brownouts and blackouts, the Cato network automatically ensures packets are routed over an optimal path every time.
Active-active link usage. Ensures performance degradation in a single last-mile link can be overcome.
Packet duplication and Fast Packet Recovery. Help ensure rapid and reliable delivery of packets to reduce last-mile packet loss.
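To make the FEC bullet concrete, here is a minimal single-parity forward error correction scheme, added as an illustration; it is not Cato’s implementation, which is not published, and production schemes (Reed-Solomon and similar) tolerate more than one loss per block. A sender groups N equal-size frames and appends the XOR of all of them as an (N+1)th packet; the receiver rebuilds any one missing frame from the survivors without a retransmission round trip, paying 1/N extra bandwidth. The 160-byte frames stand in for 20 ms G.711 voice payloads and are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed sample: four equal-size "voice frames" (160 bytes, the payload size
# of a 20 ms G.711 packet). The content is arbitrary test data.
SAMPLE_FRAMES: List[bytes] = [bytes([i] * 160) for i in (0x11, 0x22, 0x33, 0x44)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def make_fec_block(frames: List[bytes]) -> Dict[int, bytes]:
    """Sender side: return {index: packet} for N data frames plus one parity
    packet at index N that is the XOR of all data frames."""
    if not frames:
        raise ValueError("empty block")
    size = len(frames[0])
    if any(len(f) != size for f in frames):
        raise ValueError("single-parity FEC needs equal-size frames")
    parity = bytes(size)
    for f in frames:
        parity = xor_bytes(parity, f)
    block = {i: f for i, f in enumerate(frames)}
    block[len(frames)] = parity
    return block


def recover_block(received: Dict[int, bytes], n_data: int) -> Optional[List[bytes]]:
    """Receiver side: given the surviving packets of one FEC block (indices
    0..n_data, index n_data being the parity slot), return the n_data frames in
    order, or None when more than one packet was lost and the block is unrecoverable."""
    missing = [i for i in range(n_data + 1) if i not in received]
    if len(missing) > 1:
        return None  # one parity packet can only rebuild one loss
    if missing and missing[0] < n_data:
        # XOR of all survivors (remaining data + parity) equals the missing frame.
        size = len(next(iter(received.values())))
        rebuilt = bytes(size)
        for pkt in received.values():
            rebuilt = xor_bytes(rebuilt, pkt)
        received = dict(received)
        received[missing[0]] = rebuilt
    # If only the parity packet was lost, the data frames are already complete.
    return [received[i] for i in range(n_data)]


def overhead_pct(n_data: int) -> float:
    """Extra bandwidth the parity packet costs, as a percentage of the data."""
    return 100.0 / n_data


def simulate_loss(block: Dict[int, bytes], dropped: List[int]) -> Dict[int, bytes]:
    """Model a lossy path that drops the packets at the given block indices."""
    return {i: p for i, p in block.items() if i not in dropped}


if __name__ == "__main__":
    n = len(SAMPLE_FRAMES)
    block = make_fec_block(SAMPLE_FRAMES)
    print(f"{n} frames + 1 parity, {overhead_pct(n):.0f}% overhead")
    print("one loss recovered:", recover_block(simulate_loss(block, [2]), n) == SAMPLE_FRAMES)
    print("two losses recoverable:", recover_block(simulate_loss(block, [1, 3]), n) is not None)
```

The trade-off the block size controls is visible here: a block of four frames costs 25% extra bandwidth and survives one loss in five packets, while a block of ten costs 10% but is defeated by any burst of two losses inside the same block, which is why real deployments tune block size to the observed loss pattern on the link.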
Just how effective is Cato at mitigating the effects of packet loss? RingCentral conducted testing that demonstrated Cato delivers high-quality voice connectivity across connections with packet loss up to 15%. If you find it hard to believe, check out this webinar and hear it for yourself.
Many Cato users have already experienced these benefits first hand. For example, according to Alewijnse ICT Manager Willem-Jan Herckenrath, when comparing Cato to MPLS, “Latency and packet loss are low. Even the users outside of Europe have the same or better user experience with our HD video conferencing and our CAD system (which runs over Citrix)”.
If you’re interested in learning more about how Cato can reduce packet loss on the enterprise WAN, contact us today.
Talking WAN Transformation and Managed Services with Virgin’s Network and Security Architect Frankie Stroud
Every few weeks, yet another survey confirms enterprise interest in SD-WAN. To help inform enterprises how best to make the transition to SD-WAN, I’ve been speaking with independent engineers and network architects around the industry for their insights and suggestions. The following is the first of these interviews, with Frankie Stroud, network and security architect for the Virgin Australia Group. Think you could add to the conversation or have someone you think I should speak with? Give me a shout and let me know.
Dave Greenfield (DG): Frankie, let’s start with you. Who is Frankie?
Frankie Stroud (FS): I’m a contractor in the Brisbane [Australia] area, currently at Virgin Australia [VA], where I’ve been for about eighteen months. Before VA I was with Optus and a few other domestic telecommunications companies. I’ve also worked with network integrators.
I mainly act as a system guide for organizations. I look at the viability of technologies, at proofs of concept, and pilot setups for the customer in order for them to assess technology.
DG: So what exactly are your responsibilities at Virgin?
FS: VA is going toward a digital cloud transformation. They have a managed service environment, sort of constrained by the approach that the service provider takes. There’s no real automation in place, no scripts, nothing to really drive efficiencies out of the network. That was one of the key reasons we started to look at technologies which would simplify those things. For instance, we changed VA’s WiFi environment to [Cisco] Meraki, a solution based on the principles of cloud-based controllers and simplified, template-based configuration. As SD-WAN is starting to mature and gain some traction in the market, we’re starting to look at that more seriously.
DG: Do carriers perceive SD-WAN differently than their customers?
FS: Yeah. We see a lot of the providers here in Australia trying to push NBN [national broadband network]-type services as their business grade A-type service, and what we see is there’s next to no difference between those services running on SD-WAN versus ones supposedly providing quality of service or a best-effort-type service. That, I suppose, is not a good sign for some of the telcos trying to add value within their particular environments, but it’s certainly of benefit to the enterprise customers who are just looking to pick up some bandwidth here and there.
DG: Should a customer care about which SD-WAN platform a provider is delivering?
FS: I certainly think so, especially nowadays when organizations want to make changes rapidly and not just through the virtual server or virtual storage environment. Devices can be spun up reasonably fast. The network has started to become the bottleneck, and we want to remove that, not have it keep us from meeting our business objective because of a longer SLA process.
DG: What about QoS? Walk me through what happens when a customer calls and says they want to change the QoS setting. Does that happen frequently?
FS: It would probably happen more frequently if it was a simpler process. I think people put up with a lot of pain around QoS. We’ve had a few times [at VA] when we’ve tried to avoid making changes to QoS because we have to get the network and the CPE sides of the telco involved. Those are typically two separate functions within the telco environment. Marrying up those two parts of the organization in order to make a change is a process in itself.
DG: You mentioned the CPE nodes. There’s been a lot of conversation about white box hardware. What are your thoughts?
FS: I actually quite like the idea. I don’t think it extends the life of the environment, because it’s still hardware, regardless if it is a white box or an appliance provided by the vendor. But it certainly gives you choices to extend virtualization and to virtualize different elements.
DG: Having been on both enterprise and telco sides of the industry, if a corporate customer said, “Frankie, I am interested in purchasing a managed service,” what advice would you give them?
FS: Well, I would ask what they want to achieve. There’s a lot of communication now around a co-managed environment, where the provider takes a level of responsibility for the platform and the customer takes on all policy or templates or just monitoring. But you’ve got to question whether you have the resources to take this in house. What are you going to gain?
DG: What are the skills an organization needs to run SD-WAN in house?
FS: Those skills are certainly a lot lower than in the past. You would certainly need someone who understands the concepts, the protocols, but not necessarily how the platform goes about driving changes throughout the environment. You need people who can maybe understand more on the visual side — the analytics, the monitoring — by looking at the information that’s presented. They will just interpret and understand that rather than memorizing lots of different commands.
DG: What’s the biggest risk enterprises face when migrating from MPLS to SD-WAN?
FS: One of the biggest problems is when you don’t want to make the full transition and insist on having both networks coexist. So they have an SD-WAN environment plus one which is driven by BGP protocol routes. Depending on the platform, you may end up not utilizing the most efficient path to a destination, so in order to join the two environments, you have to go through another, different set of hub points. If you are geographically spread, that may be problematic. I think the migration between the two environments requires an overlay technology or, in the case of Cato, moving to a cloud platform, a location.
DG: Is WAN transformation only about replacing MPLS for you?
FS: Well, I think architecturally there’s a big difference [between MPLS and SD-WAN]. Organizations on that journey to AWS, Azure, Google, you name it, or ones looking at more SaaS-type applications, can benefit from not backhauling through a datacenter environment before reaching out to those provider environments. There are architectural efficiencies that come out of placing a bit more control in the hands of the user, allowing them to select and steer applications based on business policy.
DG: What are the security implications of moving away from MPLS? For example, with local Internet breakout?
FS: Definitely, if an organization has opened up their environment to an Internet feed of some sort, then security does play a part, whether you’re encrypting over a tunnel to a centralized platform to protect the local site from a DDoS point of view, or if you’re just dropping traffic straight out to the Internet. You’ve got to consider the direction that traffic is taking. How do you protect against DLP and ensure data is not leaking from your environment? How do you ensure that stuff coming back into the environment via that location hasn’t got some sort of malware in it at some point? So having that control has to be taken into consideration.
DG: Okay, here’s probably the most important question I have today: What’s your favorite movie you’ve seen in the past six months?
FS: I suppose Avengers: Endgame. That was good.
Solving the Challenges of SD-WAN Security with Cloud-Native
August 2019 saw a significant increase in the discovery of new malware according to statistics from AV-TEST - The Independent IT-Security Institute. In August alone, 14.44 million new malicious programs were registered by the institute, raising the total number of registered malware programs above 938 million. The sheer magnitude of these numbers provides a sobering perspective and helps quantify the threats facing enterprise networks.
As the WAN is the ingress and egress point of corporate networks, securing it is vital to mitigating risk and improving security posture. However, cloud services and mobile users make networks much more dynamic and difficult to secure than they were just a decade ago.
These fundamental changes in how we do business demand a new approach to WAN security. Appliance-based SD-WAN and MPLS (Multiprotocol Label Switching) simply aren’t designed to address these use cases. Fortunately, cloud-based SD-WAN offers enterprises a holistic WAN solution capable of meeting modern security challenges at scale with cloud-native software and security as a service.
But what makes cloud-based SD-WAN security and the security as a service model different? Let’s find out.
WAN Security and the Challenges Facing the Enterprise
A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.
MPLS was designed to provide dedicated, reliable, and high-performance connections between two endpoints before cloud and mobile took over the world. However, there’s no encryption on MPLS circuits and any security features like traffic inspection, IPS (Intrusion Prevention System), and anti-malware have to be layered in separately. Appliance-based SD-WAN generally offers encryption, solving one of the problems associated with MPLS, but it’s effectively the same story after that. SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge.
For both MPLS and appliance-based SD-WAN, the “add appliances to add security” approach has a number of shortcomings including:
Complex and difficult to scale. The more appliances you add, the more complex the network becomes. Not only does each additional appliance require more time investment, it introduces more potential for oversights that lead to costly breaches. A single misconfigured appliance can create a major security risk and manual configuration is conducive to oversight and errors.
Expensive. Each discrete appliance must be sourced, licensed, provisioned, and maintained, and the cost adds up fast.
Limited when it comes to cloud and mobile. Appliance-based architectures are inherently site-focused. There isn’t a simple way to add cloud support to most appliances, from either a security or a connectivity standpoint, and mobile users outside a site fall outside their reach entirely.
Why SD-WAN Security with Cloud-Native Software & Security as a Service is a Game-Changer
The cloud-native network infrastructure supporting the Cato Cloud takes SD-WAN security to the next level by integrating security features to the underlying WAN fabric. Built from the ground up with modern enterprise networks in mind, Cato’s cloud-native infrastructure eliminates the need for most proprietary hardware integrations by baking-in security features, reduces complexity by providing a single management interface, and reduces the technical expertise and time investment required for WAN management.
Additionally, inspections of TLS traffic occur at the PoPs (Points of Presence) on Cato’s global private-backbone helping to secure traffic to and from the cloud efficiently. Further, with Cato’s Software Defined Perimeter, support for mobile users becomes simple and scalable.
In short, by shifting security functions to the cloud, Cato delivers a security as a service model that brings cloud scalability, economies of scale, and agility to SD-WAN security.
Enterprise-Grade Cloud-Based SD-WAN Security Features
Now that we understand the architectural advantages of cloud-based SD-WAN security, let’s explore some of the specific features that set Cato Cloud apart.
NGFW. Cato’s NGFW inspects WAN and Internet-bound traffic and allows implementation of granular security policies based on network entities, time, and type of traffic. The NGFW’s Deep Packet Inspection engine classifies applications or services related to a given traffic flow without decrypting payloads. This helps the NGFW achieve full application awareness and contextualize traffic for more granular policy enforcement.
Secure Web Gateway (SWG). Malware, phishing, and similar attacks that originate on the Internet pose a real threat to enterprise WANs. SWG focuses on web access control to prevent downloads of suspicious or malicious software. Predefined policies exist for a number of website categories and enterprises can input their own custom rules to further optimize web safety within the WAN.
Anti-malware. To deliver enterprise-grade anti-malware functionality, the Cato Cloud takes a two-pronged approach. First, a signature- and heuristics-based engine that is updated with the latest information from global threat databases scans traffic for malware. Second, Cato has partnered with SentinelOne to incorporate machine learning models that identify unknown malware that may evade signature-based checks.
IPS. Cato’s Intrusion Prevention System provides contextually-aware SD-WAN security. Customers benefit from the scale of the Cato network in the form of a more robust IPS. Cato Research Labs use big data to optimize IPS performance and reduce false positives and false negatives.
Managed Threat Detection and Response Service (MDR). With MDR, enterprises can offload compromised endpoint detection to Cato’s security operations center (SOC). With MDR, enterprises not only reduce the support burden on in-house staff, they minimize one of the key drivers of damage created by malware: dwell time. With MDR, Cato’s SOC works to rapidly identify and contain threats as well as advise on remediation. The SOC team also provides monthly reports that help quantify network security incidents (here’s a genericized example report for reference (PDF)).
Cato Offers Modern and Scalable SD-WAN Security
As we’ve seen, the complexities and cost of sourcing, provisioning, patching, and maintaining a fleet of appliances are abstracted away with security as a service. Cloud-based SD-WAN offers a number of inherent advantages appliance-based SD-WAN and MPLS simply can’t deliver. This is because cloud-native software and the security as a service model enable Cato to take a converged approach to networking and security. As a result, users benefit from an information security, operations, and business perspective.
This point is driven home by Cato customer Jeroen Keet, Senior Network and System Architect at Kyocera Senco: “Companies moving to the cloud should have a closer look at Cato. The integrated connectivity, security, and intelligence make it an evolutionary step forward for all businesses. If you are willing to use all of the functionality Cato Networks has to offer, it will bring significant financial, functional and IT management benefits.”
If you’d like to learn more about how Cato is revolutionizing SD-WAN security or need help choosing a WAN connectivity solution that meets your needs, contact us. If you’re still not convinced and would like to see Cato Cloud in action, you’re welcome to schedule a demo to see it live.
The Secure Access Service Edge (SASE) as Described in Gartner’s Hype Cycle for Enterprise Networking, 2019
In its recent Hype Cycle for Enterprise Networking, 2019, Gartner recognized Cato Networks as a “Sample Vendor” in the Secure Access Service Edge (SASE) category. Below is the verbatim text of the SASE section from the Gartner report.
To better understand SASE, check out this summary on Secure Access Service Edge (SASE) or read this whitepaper on why The Network for the Digital Business Starts with the Secure Access Service Edge (SASE) to understand how Cato meets SASE requirements.
Secure Access Service Edge
"Analysis By: Joe Skorupa; Neil MacDonald
Definition: The secure access service edge (SASE) are emerging converged offerings combining WAN capabilities with network security functions (such as secure web gateway, CASB and SDP) to support the needs of digital enterprises. These needs are radically changing due to the adoption of cloud-based services and edge computing. These capabilities are delivered as a service based upon the identity of the entity, real time context and security/compliance policies. Identities can be associated with people, devices, IoT or edge computing locations.
Position and Adoption Speed Justification: SASE (pronounced “sassy”) is in the early stages of development. Its evolution and demand are being driven by the needs of digital business transformation due to the adoption of cloud-based services by distributed and mobile workforces and the adoption of edge computing. The legacy data center should no longer be considered the center of network architectures. Users, sensitive data, applications and access requirements will be everywhere. The new center of secure access networking design is the identity — of the user, device, IoT/OT systems and edge computing locations and their needs for secure access services to cloud-based services directly including an enterprise’s applications running in IaaS. This inversion of networking and network security patterns will transform the competitive landscape over the next decade and create significant opportunities for enterprises to reduce complexity and allow their IT staff to eliminate mundane aspects of the network and network security operations.
Multiple incumbent vendors from the networking and network security are developing new cloud-based offerings or are enhancing existing cloud delivery based. The breadth of services required to fulfill the broad use cases means very few vendors will offer a complete solution in 2019, although many already deliver a broad set of capabilities. SASE services will converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, software defined perimeter (zero trust network access), DNS protection and firewall as a service. It isn’t sufficient to offer a SASE service built solely on a hyperscale provider’s limited number of points of presence. To compete effectively and meet requirements for low latency, significant investments in geographically dispersed points of presence will be necessary. Some agent-based capabilities will be necessary for policy-based access for user-facing devices and some on-premises based capabilities will be required for networking functions such as QoS and path selection. However, these will be centrally managed from a cloud-based service. SASE offerings that rely on an on-premises, box-oriented delivery model or that rely on a limited number of cloud points of presence will be unable to meet the requirements of an increasingly mobile workforce and emerging latency sensitive applications. This will drive a new wave of consolidation as vendors struggle to invest to compete in this highly disruptive, rapidly evolving landscape.
User Advice: Gartner expects a number of SASE announcements over the next several months as vendors merge or partner to compete in this emerging market. Most SASE offerings will be purpose built for scale-out, cloud-native and cloud-based delivery and optimized to deliver very low latency services. Keep in mind that in the early days of this transition there will be a great deal of slide-ware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery model from distributed POPs. This is a case where software architecture and implementation matters. Additionally, be wary of vendors that propose to deliver the broad set of required services by linking a large number of products via virtual machine service chaining, especially when the products come from a number of acquisitions. This approach may speed time to market but will result in inconsistent services, poor manageability and high latency.
In many cases, branch office SASE adoption will be driven by network and network security equipment refresh cycles and associated MPLS offload projects. However, other use cases will drive earlier adoption. I&O leaders should identify use cases where SASE capabilities will drive measurable business value. Mobile workforce, contractor access and edge computing applications that are latency sensitive are three likely opportunities. For example, secure access consolidation across CASB, SWG and software defined perimeter solutions, providing a unified way for users to connect to SaaS applications, internet websites and private applications (whether hosted on-premises or in public cloud IaaS) based on context and policy.
Because the technology transition to SASE cuts across traditional organizational boundaries, it is important to involve your CISO and lead network architect when evaluating offerings and roadmaps from incumbent and emerging vendors. Expect resistance from team members that are wedded to appliance-based deployments.
Business Impact: SASE will enable I&O and security teams to deliver the rich set of secure networking and security services in a consistent and integrated manner to support the needs of digital business transformation, edge computing and workforce mobility. This will enable new digital business use cases (such as digital ecosystem and mobile workforce enablement) with increased ease of use, while at the same time reducing costs and complexity via vendor consolidation and dedicated circuit offload.
Benefit Rating: Transformational
Market Penetration: Less than 1% of target audience
SASE Hype Cycle Phases, Benefit Rating and Maturity Levels According to Gartner
Hype Cycle Phase
Gartner describes Secure Access Service Edge as being in the “Innovation Trigger” phase of the Hype Cycle. This is the initial phase of a technology, which Gartner defines as “A breakthrough, public demonstration, product launch or other event generates significant press and industry interest.” Technologies proceed through four additional phases until being removed from the Hype Cycle.
By way of comparison, SD-WAN is in the “Slope of Enlightenment,” the second to final phase of the Hype Cycle. Gartner describes this phase as follows: “Focused experimentation and solid hard work by an increasingly diverse range of organizations lead to a true understanding of the technology’s applicability, risks and benefits. Commercial off-the-shelf methodologies and tools ease the development process.”
Gartner identifies SASE as having a Benefit Rating of “Transformational.” Gartner defines a transformational benefit rating as a technology that “Enables new ways of doing business across industries that will result in major shifts in industry dynamics.”
Gartner defines SASE as having a maturity level of “Emerging.” Gartner defines emerging as markets where there’s “Commercialization by vendors” and “Pilots and deployments by industry leaders.”
* “Hype Cycle for Enterprise Networking, 2019,” Andrew Lerner and Danellie Young, 9 July 2019
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
September 18, 2019
Cloud-based SD-WAN: The optimal approach to WAN latency
A recent Tech Research Asia study found that on average, “network problems” lead to 71 hours of productivity loss. This stat struck a chord with me as it helps to quantify a common problem the Cato team works with customers to solve: reducing WAN latency. With the growing popularity of cloud services like Unified Communications-as-a-Service (UCaaS) and the surge in mobile users thanks to Bring Your Own Device (BYOD) and the ubiquity of smartphones, low latency has become more important than ever.
However, keeping WAN latency in check while using traditional solutions, like MPLS or VPN, with cloud services has become impractical. As a result, many enterprises, like Centrient Pharmaceuticals, are turning to cloud-based SD-WAN providers to deliver WAN connectivity and WAN optimization that meets the demands of modern networks.
But why is it that cloud-based SD-WAN is so much more effective at addressing the WAN latency problem? We’ll answer that here.
Understanding WAN Latency
Before we explore the solution, let’s review the problem. At a high-level, we’re all familiar with what latency is: the time data takes to traverse a network. Traditionally, the main drivers of WAN latency have been: distance, routing issues, hardware limitations, and network congestion. The higher the latency, the worse application performance will be.
For serving web pages, latency measured in milliseconds (ms) generally isn’t an issue. Real-time applications like Voice over IP (VoIP) and videoconferencing are where latency can make or break performance and productivity. At what levels can you expect to see performance degradation? In this blog post, Phil Edholm pointed out that the natural pause in human voice conversations is about 250-300 ms. If the round-trip latency (a.k.a. Round Trip Time or RTT) is longer than that, call quality degrades. For many UCaaS services, performance demands are even higher. For example, Skype for Business requires latency of 100 ms or less.
Addressing WAN latency: why legacy WAN solutions come up short
Apart from cloud-based SD-WAN, enterprises have 3 main options for WAN connectivity: appliance-based Do-It-Yourself (DIY) SD-WAN, VPN, and MPLS (for a crash course on the differences, see SD-WAN vs. MPLS vs. Public Internet). All 3 come up short in tackling the WAN latency problem for several reasons.
Both DIY SD-WAN and VPN have proven inadequate in keeping latency at acceptable levels for a simple reason: neither offers a private network backbone, and the public Internet doesn’t make for a reliable WAN backbone. As this SD-WAN Experts report demonstrated, WAN latency is very much a middle-mile problem. The study showed that while the last-mile is significantly more erratic, the middle-mile was the main driver of network latency.
On the surface, MPLS seems to solve this problem. It eliminates the public Internet from the equation and provides a low-latency backbone. However, MPLS creates challenges for enterprises because it is notoriously expensive and inefficient at meeting the demands of cloud and mobile.
As bandwidth demands increase, MPLS costs will become more and more prohibitive. However, agility may be a larger problem with MPLS. It was designed to reliably transport data between a few static locations, but WAN traffic is becoming increasingly more dynamic. Cloud and mobile is now the norm.
When the paradigm changed, enterprises using MPLS encountered the trombone routing problem. By forcing enterprises to inefficiently backhaul Internet-bound traffic through corporate datacenters for inspection, trombone routing leads to additional WAN latency and degraded performance for real-time applications.
How cloud-based SD-WAN solves the WAN latency problem
Cato’s cloud-based SD-WAN is able to efficiently solve WAN latency because of its affordable, private, SLA-backed, and global WAN backbone, intelligent and agile routing, optimized mobile and cloud connectivity, and the ability to provide affordable WAN connectivity.
As opposed to relying on the public Internet, Cato provides customers access to its private backbone consisting of over 45 Points of Presence (PoPs) across the globe. This means Cato bypasses the latency and congestion common to the public Internet core.
Dynamic path selection and end-to-end route optimization for WAN and cloud traffic complement the inherent advantages of a private backbone, further reducing WAN latency. Cato PoPs monitor the network for latency, jitter, and packet loss, routing packets across the optimum path.
Furthermore, PoPs on the Cato backbone colocate in the same physical datacenters as the IXPs of the leading cloud providers, such as AWS. The result: low-latency connections comparable to private cloud datacenter connection services, such as AWS Direct Connect. For a deeper dive on how Cato helps optimize cloud connectivity, see How To Best Design Your WAN for Accessing AWS, Azure, and the Cloud.
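As an added illustration of the path-selection logic this section describes (PoPs tracking latency, jitter and packet loss and routing over the optimum path) together with the VoIP thresholds quoted earlier, here is a small Python model. It is not Cato’s software; the 100 ms and 250 ms limits come from the text, while the path names, probe samples, scoring weights and cost tiers are constructed assumptions.

```python
"""Dynamic path selection from per-path latency, jitter and loss.

Added illustration, not Cato's software. A site has several candidate paths to a
destination; each is probed periodically (RTT in ms, None for a lost probe). We
summarize each path and pick one per application class. The 100 ms (Skype for
Business) and 250 ms (conversational pause) limits come from the text; path
names, samples, weights and cost tiers are constructed for this example.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PathStats:
    name: str
    rtt_ms: float        # mean round-trip time of answered probes
    jitter_ms: float     # mean absolute change between consecutive answered probes
    loss: float          # fraction of probes with no reply
    cost: float          # relative price tier (assumed), used for cost-preferring apps


def summarize(name: str, samples: List[Optional[float]], cost: float) -> PathStats:
    """Reduce a window of probe results to the metrics a PoP would track."""
    answered = [s for s in samples if s is not None]
    if not answered:                      # a fully black-holed path
        return PathStats(name, float("inf"), float("inf"), 1.0, cost)
    diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = mean(diffs) if diffs else 0.0
    loss = 1 - len(answered) / len(samples)
    return PathStats(name, mean(answered), jitter, loss, cost)


# Requirements per application class; "prefer" decides the tie-break policy.
APP_PROFILES = {
    "voip":  {"max_rtt_ms": 100.0,  "max_jitter_ms": 30.0,  "max_loss": 0.01, "prefer": "quality"},
    "video": {"max_rtt_ms": 250.0,  "max_jitter_ms": 50.0,  "max_loss": 0.02, "prefer": "quality"},
    "web":   {"max_rtt_ms": 1000.0, "max_jitter_ms": 500.0, "max_loss": 0.10, "prefer": "cost"},
}


def meets(p: PathStats, profile: dict) -> bool:
    return (p.rtt_ms <= profile["max_rtt_ms"]
            and p.jitter_ms <= profile["max_jitter_ms"]
            and p.loss <= profile["max_loss"])


def score(p: PathStats) -> float:
    """Lower is better: latency plus assumed penalties for jitter and loss."""
    return p.rtt_ms + 2.0 * p.jitter_ms + 1000.0 * p.loss


def select_path(paths: List[PathStats], app: str) -> Tuple[str, bool]:
    """Return (chosen path, True if it satisfies the app profile).

    If no path qualifies, fall back to the best-scoring one and flag it, so the
    caller can raise an alert rather than silently degrade.
    """
    profile = APP_PROFILES[app]
    eligible = [p for p in paths if meets(p, profile)]
    if not eligible:
        return min(paths, key=score).name, False
    if profile["prefer"] == "cost":
        best = min(eligible, key=lambda p: (p.cost, score(p)))
    else:
        best = min(eligible, key=score)
    return best.name, True


# Constructed probe windows (8 probes each) toward one far-away cloud region.
BACKBONE = summarize("backbone", [82, 80, 81, 83, 80, 82, 81, 80], cost=3.0)
ISP_A = summarize("isp_a", [70, 95, 160, None, 75, 210, 90, 80], cost=1.0)
ISP_B = summarize("isp_b", [95, 98, 96, 102, 97, 99, 100, 96], cost=1.0)
PATHS = [BACKBONE, ISP_A, ISP_B]


def demo() -> dict:
    """Selection per application class over the constructed paths."""
    return {app: select_path(PATHS, app) for app in APP_PROFILES}


if __name__ == "__main__":
    for p in PATHS:
        print(f"{p.name:9s} rtt={p.rtt_ms:6.1f}ms jitter={p.jitter_ms:5.1f}ms loss={p.loss:.3f}")
    for app, (path, ok) in demo().items():
        print(f"{app:6s} -> {path} ({'qualified' if ok else 'best effort'})")
```

With these samples VoIP and video land on the stable backbone path, while web traffic is sent over the cheaper ISP link that still meets its looser profile; a path that fails every profile is reported as best effort rather than silently used.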
Proving the concept: the real-world WAN latency benefits of Cato Cloud
Conceptually, understanding why cloud-based SD-WAN provides an optimal approach to addressing WAN latency is important. But proving the benefits in the real-world is what matters. Cato customers have done just that.
For example, after switching from MPLS to Cato Cloud, Matthieu Cijsouw, Global IT Manager at Centrient Pharmaceuticals, touted the cost and performance benefits by saying: “The voice quality of Skype for Business over Cato Cloud has been about the same as with MPLS but, of course, at a fraction of the cost. In fact, if we measure it, the packet loss and latency figures appear to be even better.” Similarly, performance testing between Singapore and Virginia demonstrated Cato’s ability to reduce latency by 10%. While a 10% reduction may not sound like a lot, it can be the difference between a productive VoIP call and an incomprehensible one.
Cato solves WAN latency for the modern enterprise
Cloud-based SD-WAN is uniquely equipped to address the WAN latency challenges. Solutions that depend on the public Internet simply aren’t reliable enough, and MPLS isn’t cost-effective or agile enough to make business sense.
An affordable private backbone enables Cato to deliver performance that meets or exceeds MPLS in the middle-mile, with significantly lower cost and greater agility. As a result, enterprises using Cato Cloud can reduce WAN latency and enhance performance and reliability while also realizing significant cost savings. If you’d like to discuss how Cato can modernize your WAN, contact us today.
September 12, 2019
The Way Forward: How SD-WAN Benefits the Modern Enterprise
In 2019, it has become clear that SD-WAN has secured its position as the way forward for enterprise WAN connectivity. Market adoption is growing rapidly, and industry experts have declared a winner in the SD-WAN vs MPLS debate. For example, Network World called 2018 the year of SD-WAN, and before the end of Q3 2018 Gartner declared SD-WAN is killing MPLS. What’s driving all the excitement around SD-WAN? It effectively comes down to this: SD-WAN is more cost-effective and operationally agile than MPLS. SD-WAN reduces capex and opex while also simplifying WAN management and scalability.
However, if you don’t drill down beyond high-level conclusions, it can be hard to quantify how SD-WAN will matter for your business. Here, we’ll dive into the top 5 SD-WAN benefits and explain why IT professionals and industry experts alike see SD-WAN as the way forward for enterprises.
Reduced WAN Costs
MPLS bandwidth is expensive. On a “dollar per bit” basis, MPLS is significantly higher than public Internet bandwidth. Exactly how much more expensive will depend on a number of variables, not the least of which is location. However, the costs of MPLS aren’t just a result of significantly higher bandwidth charges. Provisioning an MPLS link often takes weeks or months, while a comparable SD-WAN deployment can often be completed in days. In business, time is money, and removing the WAN as a bottleneck can be a huge competitive advantage.
Just how big of a cost difference is there between MPLS and SD-WAN? The specifics of your network will be the real driver here. Expecting savings of at least 25% is certainly reasonable, and for many enterprises it can go well beyond that. For one Cato customer, MPLS was 4 times the cost of cloud-based SD-WAN despite MPLS only providing a quarter of the bandwidth.
For a real world example of how Nick Dell, an IT manager at a major auto manufacturer, optimized his WAN spending by ditching MPLS and moving to SD-WAN, check out this webinar.
Enhanced WAN Performance
MPLS was the top dog in enterprise WAN before cloud-computing and mobile smart devices exploded in popularity. Once cloud and mobile became mainstream, a fundamental flaw in MPLS was exposed. Simply put: MPLS is very good at reliably routing traffic between two static locations, but it isn’t good at meeting the demands of cloud and mobile.
With MPLS, enterprises have to deal with the “trombone effect”. Essentially, an MPLS-based WAN has to inefficiently backhaul Internet-bound traffic to a corporate datacenter. The same Internet-bound traffic is then routed back through the corporate datacenter. This places a drag on network performance and can really hurt modern services like UCaaS and videoconferencing.
Because SD-WAN enables policy-based routing (PbR) and allows enterprises to leverage the best transport method (e.g. xDSL, cable, 5G, etc.) for the job, the trombone effect goes away and performance improves for mobile users and cloud services.
In addition to solving the trombone routing problem, SD-WAN is a game changer when it comes to last-mile performance. The same ability to leverage different transport methods enables a more advanced approach to link-bonding that can significantly improve last-mile resilience and availability.
Improved WAN Agility
MPLS wasn’t designed with agility in mind. SD-WAN on the other hand is designed to enable maximum agility and flexibility. By abstracting away the underlying complexities of multiple transport methods and enabling PbR, SD-WAN allows enterprises to meet the varying demands of cloud workloads and scale up or down with ease.
For example, onboarding a new office with MPLS can take anywhere from a few weeks to a few months. With Cato’s cloud-based SD-WAN, new sites can be onboarded in a matter of hours or days. Case in point: Pet Lovers Center was able to deploy two to three sites per day during their Cato Cloud rollout.
Similarly, adding bandwidth can take over a month in many MPLS applications, while SD-WAN enables rapid bandwidth provisioning at existing sites.
Simplified WAN Management
As we’ve mentioned, the long provisioning times with MPLS can create significant bottlenecks, but MPLS management issues go well beyond that. The larger an enterprise scales, the more complex WAN management becomes. Multiple appliances used for security and WAN optimization become a maintenance and management burden as an enterprise grows. Further, gaining granular visibility into the network can be a challenge, which leads to monitoring and mean-time-to-recover issues. Cloud-based SD-WAN adds value here by providing an integrated and centralized view of the network that can be easily managed at scale.
Increased WAN Availability
When it comes to uptime, redundancy and failover are the name of the game. While MPLS has a solid reputation for reliability, it isn’t perfect and can fail. Redundancy at the MPLS provider level is expensive and can be a pain to implement. SD-WAN makes leveraging different transport methods easy, thereby enabling high-availability configurations that help reduce single points of failure. If your fiber link from one ISP is down, you can failover to a link from another provider. Further, the self-healing features of cloud-based SD-WAN make achieving high-availability (HA) significantly easier than before.
The Cloud-Based Advantage
We’ve already mentioned a few ways cloud-based SD-WAN helps magnify SD-WAN benefits, but it is also important to note that cloud-based SD-WAN overcomes one of the major SD-WAN objections MPLS proponents have put forth. In the past, it could have been argued that the lack of SLAs meant SD-WAN solutions were not ready for showtime at the enterprise-level. However, with cloud-based SD-WAN from Cato, enterprises get all the benefits of SD-WAN, an integrated security stack, and an SLA-backed private backbone supported by Tier-1 ISPs across the globe.
Furthermore, this private backbone solves another problem other SD-WAN solutions cannot: latency across the globe. For international enterprises that must send traffic halfway across the world, routing WAN traffic over the public Internet alone can lead to significant latency. In the past, this meant the operational and dollar costs of MPLS became worth bearing. However, cloud-based SD-WAN offers a more cost-effective and operationally efficient alternative. Cato’s global, private backbone has PoPs (Points of Presence) across the world that enable traffic to be reliably routed at speeds that meet or exceed MPLS-level performance.
SD-WAN outstrips MPLS for the modern enterprise
While there is no one-size-fits-all answer to every WAN challenge, it’s clear that the majority of modern enterprises can benefit from SD-WAN. We can expect to see MPLS hold a niche in the market for years to come, but SD-WAN is better suited for most modern use-cases. In particular, cloud-based SD-WAN gives businesses a reliable, secure, and modern MPLS alternative that offers the agility of SD-WAN without sacrificing reliability or the peace of mind SLAs provide.
To learn more about what cloud-based SD-WAN can do for your business, join our upcoming Dark Side of SD-WAN webinar or contact us today.
September 9, 2019
Will cloud-based networking be your next WAN?
It’s no secret the public cloud is growing. According to Gartner, the global public cloud market is expected to grow 17.3% this year. And it’s also no secret that as more applications move to the cloud, significant changes are imposed on the WAN.
With the cloud, most traffic is bound for the Internet, making backhauling to a centralized location for security inspection less practical. And with the cloud, users access applications in and outside of the office. All of which means security enforcement must adapt to these changes, providing secure, direct Internet access from the branch as well as protecting mobile users. SD-WAN appliances are ill-suited to address these changes.
But what if instead of appliances, we used the cloud to solve the problem of the cloud? You’d have access from anywhere and security everywhere. You’d have one solution for mobile and fixed users, infinitely scalable as all good clouds are.
Sounds like a good idea, but practically how’s that done? Let’s find out.
Benefits of cloud-based networking
There are a few simple reasons that appliance-based SD-WAN solutions aren’t “good enough” for the modern WAN: they become too complex and inefficient at scale and they struggle to meet the demands of cloud and mobile.
For example, most appliance-based SD-WAN require enterprises to layer security in themselves. The problem is the integration of enterprise-grade security appliances is complex and often requires costly proprietary hardware. Similarly, optimizing the performance of cloud services or providing support for mobile users can prove to be complex with appliance-based SD-WAN.
Cloud-based networking makes it simple to address these challenges in a secure and scalable fashion. For example, as opposed to buying a next-generation firewall (NGFW) appliance, NGFW functionality can be provided using cloud-based, software-defined services from a cloud service provider.
If you understand the standard cloud delivery model and how different network appliances work, understanding the cloud-based networking concept is simple. Service providers aggregate resources and provide them, usually in a multi-tenant model, to consumers. This creates economies of scale that create a win/win for consumers and providers.
The benefits to enterprises in the cloud-based networking model are elasticity, velocity, flexibility, fewer resources dedicated to the installation and management of network hardware, and the elimination of upfront costs.
Simply put, cloud-based networking allows enterprises to offload the complexity of maintaining network infrastructure to a service provider. When you consider the staff and expertise needed to configure routers, switches, and firewall appliances at the enterprise-level, the upside becomes clear. Additionally, cloud-based networking makes it possible to access and manage network resources from effectively anywhere with an Internet connection.
Cloud-based networking and SD-WAN
SD-WAN is one of the services commonly enabled by cloud-based networking. For example, Cato Cloud is built using a cloud-native architecture. This means that users benefit from SD-WAN features like dynamic path selection, QoS, active-active link usage as well as an underlying network infrastructure purpose-built for the cloud.
Appliance-based SD-WAN requires the management and integration of proprietary appliances to add security and mobile support, and expensive premium cloud connectivity solutions like AWS Direct Connect for optimized cloud connectivity. With Cato Cloud, all of those benefits are built into the underlying cloud-based network.
From a security perspective, the Cato network includes an application-aware NGFW, anti-malware functionality, secure web gateway, and IPS built in. As all these features are included in the underlying cloud-based network, they’re inherently more scalable and easier to manage than the old, appliance-based paradigm. As opposed to provisioning discrete appliances at each site or routing all WAN traffic back through a single location for auditing, enterprises have the security they need baked into the WAN. Not only does this make configuration and management much easier, it reduces the chances for a misconfiguration or oversight to create vulnerabilities in the network.
Mobile integrations are another major pain point for appliance-based SD-WAN. Often, enterprises are left with two choices when it comes to mobile integrations: enable users to connect via a cloud access security broker (CASB), which increases cost and complexity, or force them to connect through a specific endpoint (often dramatically impacting performance). Increased cost or extremely reduced performance is never an attractive tradeoff for a CIO. This is another area where cloud-native shines. The Cato Mobile Client ensures that mobile users are able to securely connect to the WAN and all physical and cloud resources. No need to sacrifice usability for performance (or vice versa) with cloud-native.
Additionally, intelligent cloud-native software that is part of our cloud-based network helps deliver the uptime enterprises demand. Features like self-healing help address service blackouts and brownouts. On the topic of uptime: the Cato Cloud includes an SLA-backed private backbone consisting of PoPs (Points of Presence) around the world. Multiple Tier-1 ISPs support the backbone, and if a given carrier fails, monitoring software helps ensure traffic is sent over a different ISP or even through another PoP. This robust backbone coupled with advanced software monitoring and self-healing allow us to provide the consistency and reliability enterprises demand on a global scale.
Cloud integrations are another area where cloud networking with the Cato Cloud outstrips appliance-based SD-WAN. With appliance-based SD-WAN, users are often dependent upon public Internet connections. The public Internet is notoriously unreliable, and when data needs to traverse long distances to reach a cloud service provider, latency can create real performance issues. As services like UCaaS and high-definition video streaming become more popular, these problems are exacerbated further. With Cato Cloud, PoPs are often in the same physical datacenters as major cloud service providers. This means that network traffic can egress at the PoP nearest to the provider, reducing latency to trivial levels.
Converged cloud networking matters
The reason cloud-native is able to consistently outperform solutions like appliance-based SD-WAN (the model most telco-managed solutions use) is simple: converged infrastructure is more efficient. Cloud-native solutions provide enterprises with a holistic, robust approach to the WAN. Security, high availability (HA), routing, mobile integrations, and SD-WAN functionality are delivered under one roof. With an appliance-based approach, complex integrations are required to achieve similar functionality which leads to increased costs and difficulty scaling. In an area where agility is more important than ever, this makes cloud networking and converged infrastructure much more attractive than an appliance-based approach.
If you’re interested in learning more about cloud-based networking or SD-WAN, contact us today. As Gartner-described “visionaries” in WAN Edge Infrastructure, we’re uniquely capable of helping you identify solutions for your enterprise. If you’d like to explore the benefits of cloud-native SD-WAN further, check out our Promise of SD-WAN as A Service white paper.
SD WAN redundancy vs. MPLS redundancy
According to a recent Uptime Institute report, network failures trail only power outages as a cause of downtime. The data also suggests that full “2N” redundancy is an excellent way to mitigate the risk of downtime. This got me thinking about a recurring conversation about SD-WAN redundancy I have with IT managers. In one form or another, the question comes up: “how can SD-WAN deliver the same reliability and redundancy as MPLS when it uses the public Internet?” My response? SD-WAN + public Internet alone can’t. You have to have a private backbone.
Cato’s cloud-native approach to SD-WAN not only matches MPLS reliability across the middle-mile, it offers better redundancy in the last-mile. Why? MPLS provides limited active-passive redundancy in the last-mile while Cato delivers active-active redundancy and intelligent last-mile management (ILLM).
Here, we’ll compare MPLS redundancy to SD WAN redundancy and explain why active-active redundancy and ILLM are so important.
MPLS redundancy: a reliable middle-mile with limited last-mile options
MPLS has a well-deserved reputation for reliability in the middle-mile. MPLS providers have a robust infrastructure capable of delivering the reliability enterprises demand from their WAN. In fact, reliability is often used as justification for the high price of MPLS bandwidth.
However, practically, the cost of MPLS circuits makes delivering the same level of reliability in the last-mile challenging. For many enterprises, the cost of MPLS connectivity simply puts redundant circuits out of reach. And without redundant circuits, sites are susceptible to last-mile outages. Tales of construction crews cutting through wires and causing downtime are well-known.
Even with redundant circuits, sites remain susceptible to carrier outages, as evidenced by last year’s CenturyLink outage. The disruption was caused by a single faulty network card. Protection against those types of failures and failures in the last mile all but requires dual-homing connections across diversely routed paths to separate providers.
Cato SD-WAN redundancy: a robust global backbone and intelligent last mile management
Cato meets enterprise-grade uptime requirements without MPLS’s high costs. Across the middle mile, our global private backbone comes with a 99.999% uptime SLA. Every Cato PoP is interconnected by multiple tier-1 carrier networks. Cato’s proprietary software stack monitors the real-time performance of every carrier, selecting the optimum path for every packet. In this way, the Cato backbone can deliver better uptime than any one of the underlying carrier networks.
Across the last mile, Cato Sockets automatically connect to the nearest PoPs. The Sockets are designed with Affordable HA for local, inexpensive redundancy and connect across any last-mile service provider. This allows enterprises to layer in inexpensive Internet connections for resiliency affordable enough for even small locations. As opposed to being tied down to select providers or technologies, enterprises can choose the carriers and transport methods (5G, xDSL, etc.) that provide them the best mix of cost, resilience, and redundancy.
Cato’s intelligent last mile management features also enable rapid detection of network brownouts and blackouts, ensuring rapid responses and failover. Further, as Cato controls the entire global network of PoPs and the customer has self-service management capabilities, troubleshooting and responding to issues with agility is never a problem.
Active-passive redundancy vs active-active redundancy in the last-mile
What truly sets Cato’s SD-WAN redundancy apart from traditional MPLS redundancy is Cato’s ability to provide built-in active-active redundancy.
MPLS doesn’t provide active-active redundancy per se. At best, you’d configure dual paths and add a load-balancer to distribute traffic loads. Practically, MPLS last-mile redundancy has been active-passive, with failover between circuits based on route or DNS convergence. This means failover takes too long to sustain active sessions for many services like VoIP, teleconferencing, and video streaming. The result? Some level of downtime.
With Cato Cloud, active-passive redundancy is an option, but active-active redundancy is also possible. This is because our cloud-native SD-WAN software enables load-balancing for active-active link usage. As a result, last-mile “failover” is seamless. Since both transport methods are in use, packets can immediately be routed over one or the other in the event of a failure. The end result is reduced downtime and optimized application performance.
Further, Cato’s approach to active-active redundancy is also able to account for IP address changes. When a site’s public IP address changes during a failover between ISPs, select applications and policies can stop functioning. Cato’s Network Address Translation functionality obtains IP addresses from a Cato PoP as opposed to an ISP. This means that failing over between ISPs in the last-mile won’t compromise network functionality.
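The difference between the two failover models in this section, plus the effect of the PoP-assigned address, as an added Python simulation that is not Cato’s code: a VoIP stream of one packet every 20 ms loses its primary link, and we count dropped packets, the longest silence and how many source addresses the far end saw. Link names, addresses (RFC 5737 documentation ranges), failure time, convergence and detection delays are constructed assumptions; the 300 ms conversational-pause budget comes from the latency post above.

```python
"""Last-mile failover: active-passive versus active-active, with and without NAT at the PoP.

Added simulation, not Cato's software. A VoIP stream sends one packet every
20 ms; the primary last-mile link dies at t = 1000 ms. Active-passive keeps
sending to the dead link until routing/DNS reconverges (convergence_ms).
Active-active spreads packets over every link believed up, so loss stops as
soon as the failure is detected (detect_ms). Timings and addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the address a PoP presents on behalf of the site regardless of ISP.
POP_NAT_IP = "192.0.2.10"


@dataclass(frozen=True)
class Link:
    name: str
    public_ip: str                     # constructed ISP-assigned address on direct egress
    fails_at_ms: Optional[int] = None  # None means the link never fails

    def is_up(self, t_ms: int) -> bool:
        return self.fails_at_ms is None or t_ms < self.fails_at_ms

    def believed_up(self, t_ms: int, detect_ms: int) -> bool:
        """The sender only learns of a failure after detect_ms of probing."""
        return self.fails_at_ms is None or t_ms < self.fails_at_ms + detect_ms


def simulate(mode: str, links: List[Link], nat_at_pop: bool,
             duration_ms: int = 4000, interval_ms: int = 20,
             convergence_ms: int = 1500, detect_ms: int = 60) -> dict:
    """Return sent/lost counts, the longest delivery gap, and the source
    addresses the far end observed (more than one breaks stateful sessions)."""
    sent = lost = 0
    last_delivered: Optional[int] = None
    max_gap_ms = 0
    source_ips = set()
    for i, t in enumerate(range(0, duration_ms, interval_ms)):
        if mode == "active-passive":
            primary, secondary = links[0], links[1]
            # Traffic moves to the secondary only once routing/DNS has reconverged.
            failed_over = (primary.fails_at_ms is not None
                           and t >= primary.fails_at_ms + convergence_ms)
            chosen: Optional[Link] = secondary if failed_over else primary
        elif mode == "active-active":
            usable = [l for l in links if l.believed_up(t, detect_ms)]
            chosen = usable[i % len(usable)] if usable else None  # round-robin load balancing
        else:
            raise ValueError(f"unknown mode {mode!r}")
        sent += 1
        if chosen is None or not chosen.is_up(t):
            lost += 1
            continue
        source_ips.add(POP_NAT_IP if nat_at_pop else chosen.public_ip)
        if last_delivered is not None:
            max_gap_ms = max(max_gap_ms, t - last_delivered)
        last_delivered = t
    return {"sent": sent, "lost": lost, "max_gap_ms": max_gap_ms,
            "source_ips": source_ips}


def session_survives(result: dict, pause_budget_ms: int = 300) -> bool:
    """A call survives if its longest gap stays within the conversational pause
    budget quoted in the latency post and the far end saw a single address."""
    return result["max_gap_ms"] <= pause_budget_ms and len(result["source_ips"]) == 1


# Constructed site with two last-mile links; the fiber link fails at 1000 ms.
LINKS = [Link("isp_a_fiber", "203.0.113.7", fails_at_ms=1000),
         Link("isp_b_cable", "198.51.100.23")]


def demo() -> dict:
    return {
        "active-passive, direct egress": simulate("active-passive", LINKS, nat_at_pop=False),
        "active-active, direct egress": simulate("active-active", LINKS, nat_at_pop=False),
        "active-active, NAT at PoP": simulate("active-active", LINKS, nat_at_pop=True),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:30s} lost={r['lost']:3d}/{r['sent']} max_gap={r['max_gap_ms']:5d}ms "
              f"addresses={sorted(r['source_ips'])} survives={session_survives(r)}")
```

Active-passive drops every packet for the full convergence window (a 1.5 s silence here) and changes the site’s apparent address; active-active loses only the packets sent during detection, and only the NAT-at-PoP variant keeps a single address across both links.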
Cato enables true SD-WAN redundancy in the last-mile
The Uptime Institute’s data demonstrated the importance of “2N” redundancy to uptime, and Cato’s active-active redundancy brings 2N to the WAN. By coupling active-active redundancy in the last-mile with an SLA-backed private backbone, Cato Cloud is able to deliver the uptime enterprises demand.
If you’d like to learn more about how Cato’s approach to SD-WAN can improve throughput by five times and optimize WAN connectivity for brick-and-mortar locations, the cloud, and mobile users, download our free WAN Optimization and Cloud Connectivity eBook. If you have specific questions about Cato’s cloud-native SD-WAN, don’t hesitate to contact us today.
NaaS Meets SD-WAN: What is NaaS anyway and How Will It Impact Your SaaS, PaaS, and Cloud Strategy?
According to a recent forecast, the global NaaS (Network as a Service) market is expected to grow at a CAGR of 38.3% from 2018 to 2023. The forecast cites reduced costs, increased security, and enhanced agility as growth drivers for the NaaS market. With such bullish projections and potential for business impact, it's no wonder that NaaS technologies are garnering so much attention.
However, not all NaaS solutions are created equal. NaaS is simply the delivery of virtualized network infrastructure and services following the standard cloud subscription business model popularized by SaaS, IaaS, and PaaS. That means NaaS solutions come in a variety of shapes and sizes, many like NFV offering more sizzle than substance. Further, coupling services from multiple discrete service providers can lead to silos, scalability issues, and enhanced complexity. Fortunately, cloud-native SD-WAN platforms, like Cato Cloud, enable enterprises to leverage Network as a Service to its full potential.
Here, we’ll explore the basics of NaaS and explain how the Cato Cloud platform provides enterprises with the most effective form of Network as a Service.
Network as a Service: A crash course
With NaaS, many WAN complexities can be abstracted away. Third-party services deliver network functions such as VPN, Content Delivery Networks (CDNs), and Bandwidth on Demand (BoD). As a result, enterprises benefit from providers’ economies of scale and shift capex to opex. At a high level, everybody wins. This helps explain why the Network as a Service market is projected to grow to over $21 billion by 2023.
Taking WAN functions and moving them to the cloud inherently allows enterprises to do a better job of remaining agile and secure in a world where cloud and mobile computing are the norm. Gone are the days when enterprises had clearly defined network perimeters that served as demarcation points for what needed to be secured and what was on the other side of the moat. By shifting network infrastructure to the cloud, security is not only baked in, but the network also gains significant agility. It is much easier to leverage cloud services to support cloud apps and mobile users than it is to route everything through on-prem hardware.
Another benefit of NaaS is the reduction in appliance costs. Not only does eliminating on-premises hardware reduce capex, it reduces network complexity and network management costs. Coupled with an SD-WAN appliance, some may argue that NaaS can go a long way in replacing MPLS. The SD-WAN appliance enables dynamic path selection and Policy-based Routing (PbR), and the NaaS solutions abstract away the network infrastructure.
However, it is in this packaging of discrete solutions that some of the difficulties of getting Network as a Service right become clear. The challenge with ensuring a given NaaS solution delivers on this promise is coming up with a bundle of services that provide enterprise functionality, without adding too much complexity.
In many cases, effectively meeting the demands of a modern enterprise WAN can lead to requirements that entail a mixed bag of solutions from different providers. This patchwork of solutions then increases complexity, and often leads to sacrifices in the form of limited functionality, reduced network visibility (which impedes WAN monitoring and management), and decreased performance. This in turn reduces the upside of NaaS.
How cloud-based SD-WAN adds advanced security, simplicity, and scalability to NaaS
So, how can the benefits of NaaS be delivered without overcomplicating the WAN and diminishing the benefits of the as-a-service model? By taking all the major WAN networking and security functions and aggregating them into the cloud.
This is where cloud-based SD-WAN comes in. Cato Socket SD-WAN devices enable enterprises to choose a transport method (e.g. LTE, fiber, cable, etc.) to connect their physical locations to the closest Cato Point of Presence (PoP). As a result, enterprises gain advanced WAN management features and functionality. Sockets are zero-touch and minimize the manpower and risk associated with network changes. Additionally, all Cato Sockets can be configured for active-active failover and an affordable High-Availability (HA) mode, helping enhance uptime and simplify network management. Active-active failover further improves WAN performance by enabling Cato to route traffic around both blackouts (complete network outages) and brownouts (a reduction in network performance) to help improve last-mile performance.
The global backbone that supports the Cato Network is one of the most important aspects of the platform. The backbone includes over 45 PoPs across the globe interconnected via multiple SLA-backed ISPs (Internet Service Providers). Monitoring software at the PoPs helps improve WAN routing by checking for latency, jitter, and packet loss in real time, again simplifying management and improving performance.
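To make the blackout/brownout distinction and the latency/jitter/loss-driven path selection described above concrete, here is an added illustration (not Cato's code, and not how any vendor's PoP software is implemented): it grades each last-mile link from a window of probe round-trip times and picks the active path, skipping blacked-out links and preferring healthy ones over degraded ones. All thresholds, weights, link names and probe samples are constructed assumptions.

```python
"""Illustrative link grading and active-active path selection (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed brownout thresholds; assumed for the example, not vendor values.
BROWNOUT_LATENCY_MS = 150.0
BROWNOUT_JITTER_MS = 30.0
BROWNOUT_LOSS = 0.02          # more than 2% of probes lost counts as degraded


@dataclass
class LinkHealth:
    name: str
    latency_ms: float
    jitter_ms: float
    loss: float               # fraction of probes with no reply, 0.0 .. 1.0
    state: str                # "healthy", "brownout" or "blackout"


def measure(name, rtts):
    """Summarise one probe window. `rtts` holds round-trip times in ms,
    with None for probes that never got a reply."""
    replies = [r for r in rtts if r is not None]
    loss = 1.0 - len(replies) / len(rtts) if rtts else 1.0
    if not replies:           # every probe lost: the link is down, not merely slow
        return LinkHealth(name, float("inf"), float("inf"), 1.0, "blackout")
    latency = mean(replies)
    jitter = pstdev(replies) if len(replies) > 1 else 0.0
    degraded = (latency > BROWNOUT_LATENCY_MS or jitter > BROWNOUT_JITTER_MS
                or loss > BROWNOUT_LOSS)
    return LinkHealth(name, latency, jitter, loss, "brownout" if degraded else "healthy")


def score(h):
    """Lower is better. Assumed weights: 1 ms latency ~ 2 ms jitter ~ 0.1% loss."""
    if h.state == "blackout":
        return float("inf")
    return h.latency_ms + 2.0 * h.jitter_ms + h.loss * 1000.0


def select_path(healths):
    """Active-active selection: healthy links first, then the best brownout link;
    returns None only when every link is blacked out."""
    usable = [h for h in healths if h.state != "blackout"]
    if not usable:
        return None
    usable.sort(key=lambda h: (h.state != "healthy", score(h)))
    return usable[0].name


# Constructed probe windows (ms, None = lost) for three last-mile transports.
SAMPLES = {
    "fiber": [20.0, 22.0, 21.0, 19.0, 23.0],        # healthy
    "lte":   [80.0, 95.0, 70.0, None, 85.0],         # 20% loss -> brownout
    "cable": [None, None, None, None, None],         # blackout
}


def choose_from_samples(samples=SAMPLES):
    return select_path([measure(n, r) for n, r in samples.items()])
```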
The cloud-based, multitenant, and global nature of the Cato Network allows enterprises to benefit from advanced WAN security at scale as well. The Cato Cloud has a built-in network security stack that includes:
Next-Generation Firewall. Cato delivers advanced NGFW capabilities using FWaaS to enable network-wide visibility, granular policy enforcement, simple scalability, and streamlined life cycle management.
Advanced Threat Protection. Cato’s Intrusion Prevention System is contextually aware and able to intelligently respond to threats while limiting false positives.
Secure Web Gateway. End users are one of the most common network attack vectors. Cato SWGs inspect inbound and outbound Layer 7 web traffic.
Managed Threat Detection and Response. Responding to threats as rapidly as possible is vital to maintaining a sound security posture. Cato’s MDR leverages intelligent algorithms and human verification to help keep networks secure and guide customers through remediation in the event a node is compromised.
These features enhance WAN security while also reducing complexity. With Cato Cloud, the entire solution is converged “under one roof”. The complexities of appliance management, patching, maintenance, and network monitoring are abstracted away.
Just how important is it to take a holistic approach that integrates security into a NaaS? Centrient Pharmaceuticals, a leading antibiotics manufacturer, was able to cut costs roughly in half while quadrupling network capacity and adding security services to the WAN with Cato.
The Cato Cloud: The converged approach to Network as a Service
As we have seen, the Cato approach to Network as a Service fulfills the full potential of the NaaS model. By providing a converged global WAN infrastructure, the Cato Cloud enables enterprises to enjoy the upside of NaaS while eliminating the complexity created by bundling multiple solutions from different vendors.
If you’re interested in learning more about how Cato can help you improve your WAN performance while reducing your WAN costs, please contact us today. If you’d like to take a deeper dive on the topic of cloud-based SD-WAN, check out our Promise of SD-WAN as A Service whitepaper.
How to connect multiple offices quickly and affordably with Cato Cloud
One complaint I often hear is how the WAN can be a bottleneck to productivity. MPLS circuits can take weeks, even months, to provision depending on location. All too often, IT directors have told me they need to explain why MPLS circuit delivery is a holdup for a branch office going live. At a time when agility is more important than ever to business outcomes, this is an unenviable situation to say the least.
This then begs the question: how do you connect multiple offices rapidly and affordably without sacrificing performance? Cloud-native SD-WAN provides a way to do just that.
Challenges when connecting multiple offices
There are a few common requirements when it comes to connecting multiple offices to the WAN. The connection must be secure, reliable, affordable, and capable of delivering the performance enterprises demand. The competitive nature of modern business also dictates that any solution is agile and scalable enough to meet the needs of an increasingly mobile workforce and allow for rapid onboarding of new sites.
VPN has proven to be a popular solution for site-to-site connectivity. However, as demonstrated in this case study of a software security company expanding to Europe, VPN has a number of downsides that limit its practical applications.
VPN requires onsite IT staff to manage local firewalls, not always practical in the era of WeWork and mobile employees. Complexity also grows with the size of the network, limiting scalability. Mobile VPN clients are either non-existent or too clunky to enable optimized connection for mobile workers. Further, the time it takes to get a physical appliance to a branch office in a foreign country can make VPN impractical for time-sensitive projects. In other cases, teams are so small or mobile that a physical appliance is simply overkill. However, what often makes VPN unusable for the enterprise is the notorious unreliability of the public Internet.
The desire for reliability is why many enterprises have looked to MPLS to connect multiple offices in the past. The problem is that MPLS simply isn’t agile or fast enough for deployments that require rapid onboarding.
In the aforementioned case study, it would’ve taken about 6 weeks to deliver an MPLS circuit, an obvious deal-breaker for a 5-week project. Further, MPLS bandwidth is significantly more expensive than Internet bandwidth, making connecting multiple offices with MPLS expensive. This also makes providing connectivity to small offices impractical. Finally, like VPN, MPLS struggles to provide optimized performance for cloud and mobile users (e.g. the trombone effect).
How to connect multiple offices with Cato
Cato’s cloud-native SD-WAN is able to solve all these problems elegantly. With Cato, the complexity of VPN and lengthy MPLS provisioning times are a thing of the past. Just how much of an improvement is Cato? Check out this video that demonstrates how to connect and provision a Cato Socket in 3 minutes. From there, the “how to connect multiple offices” process is simply rinse-and-repeat.
Not only is this process faster and more scalable than the alternatives, the resulting WAN connectivity performs better and is more secure. Our global private backbone is backed by a 99.999% uptime SLA, includes an integrated security stack, provides end-to-end route optimization for cloud traffic, and delivers WAN connectivity that meets (and often exceeds) MPLS reliability at significantly lower costs.
But what about those sites where an appliance of any kind is impractical? This ADB SAFEGATE case study provides a real-world example of how Cato’s mobile client handled the challenge of deploying all 26 company sites within two months. According to Lars Norling, director of IT operations at ADB SAFEGATE, “the possibility to include everyone within the solution, including all of our traveling colleagues and all of our small offices using the Cato mobile client, has been extremely important to us”.
By creating a software-defined perimeter (SDP), Cato makes it easy to securely connect even a single mobile user via clientless browser access. As SDP is built into the Cato Cloud, mobile users are protected by the same policies and packet inspection as on-prem employees and benefit from the same WAN optimization features.
Cato eliminates WAN bottlenecks and makes connecting multiple offices simple
As we have seen, Cato Cloud makes connecting multiple offices simple, fast, and affordable. This enables enterprise WANs to keep up with the speed of modern business, and no longer act as a bottleneck or impediment to progress. If you’d like a demo of the nuts and bolts of the “how to connect multiple offices” process, you’re welcome to contact us today.
For more examples of successful MPLS to SD-WAN migrations, download our free 4 Global Companies who Migrated Away from MPLS eBook. To learn more about the WAN optimization benefits of cloud-native SD-WAN, check out our WAN Optimization and Cloud Connectivity whitepaper.
Making a Strategic Plan for the Future of Networking
Many enterprise networks are straining under the pressure of massive changes brought on by computing trends that are shifting traditional traffic patterns as well as by digital transformations of the underlying business. Companies are shifting workloads to the cloud, increasing their use of voice and video applications, and adding thousands or even millions of new connections to support IoT devices. All these changes have a severe impact on networks that haven’t yet been re-architected to support the new traffic volumes and patterns and cloud-based applications.
To help organizations plan for and execute the necessary changes to their networking infrastructure, Gartner developed a guide published as the 2019 Strategic Roadmap for Networking. This guide provides recommendations on:
Transforming the workforce, skills and culture of the networking organization,
Deploying SD-WAN to enable greater network agility, simplicity and performance,
Leveraging Wi-Fi and cellular connectivity across the campus network,
Implementing automation, orchestration and intent-based networking (IBN) solutions, and
Optimizing the vendor sourcing approach.
Network managers are being asked to deliver more services and make changes at an increasing pace, with fewer errors and at a lower cost. Gartner says that network budgets are essentially flat, and organizations need to do more with less. “Areas that will be in focus are reducing reliance on MPLS in favor of internet access, automation, different business models/sourcing options and taking advantage of open standards where possible.”
The Gap between “Future State” and “Current State”
Gartner lays out what it believes the future state of networking should be and compares that to the current state of networking for most enterprises today. The gap between the two states is wide but not insurmountable, thus presenting challenges (and opportunities) in the migration plan:
“Premium products instead of premium people”
Today’s style of networking requires a large staff of people whose skills are focused on keeping the network operating and performing well. Network practitioners have vendor certifications that are focused on a particular vendor silo, such as Cisco, Microsoft or VMware. They are intimately familiar with their silo’s command line interface (CLI). The knowledge is different from product to product and so the people are pigeon-holed in their specialty areas.
In the future state of networking, people will need to have far different kinds of skills and knowledge, such as DevOps development and AI and machine learning. Business acumen will be the premium skill, rather than knowing how to program a router. Any networking migration plan needs to include reskilling the workforce.
“From MPLS to Internet and routers to SD-WAN”
The network of the future will reduce its reliance on MPLS in favor of Internet with SD-WAN. This will increase agility and reduce costs. Gartner recommends that network leaders focus on solutions that simplify the deployment and operation of the network, using capabilities such as zero-touch configuration, orchestration with APIs, business-policy-based configurations, IBN solutions, automation and virtualization. Gartner stresses the need to “automate wherever possible.”
“Data-center-centric to hybrid cloud”
There is a surge in business initiatives leveraging cloud-based IT delivery. According to Gartner, there is now more traffic to public clouds than to on-premises data centers, more applications delivered as a service than from on-premises data centers, and more sensitive data in clouds than in on-premises data centers. However, public cloud and data center networks are not integrated today, and enterprise WANs are not optimized for hybrid cloud. The two environments are operated today as separate silos, with different tools, products and features. Every organization needs to reevaluate its WAN strategy and re-architect the network to adapt to hybrid cloud computing.
“From manual CLI to automation and APIs”
Too many networking tasks today are performed manually, often by a skilled network engineer interacting with a single network device through a command line interface. This process is expensive and time-consuming, and it doesn’t scale. Enterprises can increase their reach and agility by adopting orchestration and automation tools